On Sun, Apr 04, 2021 at 01:34:45PM +0200, Christian Brauner wrote:
> Sorry for not replying to your earlier mail but I've been debugging this
> too. My current theory is that it's related to LOOKUP_ROOT_GRABBED when
> LOOKUP_CACHED is specified _possibly_ with an interaction how
> create_io_thread() is created with CLONE_FS. The reproducer requires you
> either have called pivot_root() or chroot() in order for the failure to
> happen. So I think the fact that we skip legitimize_root() when
> LOOKUP_CACHED is set might figure into this. I can keep digging.
>
> Funny enough I already placed a printk statement into the place you
> wanted one too so I just amended mine. Here's what you get:
>
> If pivot pivot_root() is used before the chroot() you get:
>
> [ 637.464555] AAAA: count(-1) | mnt_mntpoint(/) | mnt->mnt.mnt_root(/) | id(579) | dev(tmpfs)
>
> if you only call chroot, i.e. make the pivot_root() branch a simple
> if (true) you get:
>
> [ 955.206117] AAAA: count(-2) | mnt_mntpoint(/) | mnt->mnt.mnt_root(/) | id(580) | dev(tmpfs)
Very interesting. What happens if you call loop() twice? And now I wonder
whether it's root or cwd, actually... Hmm...
How about this:
fd = open("/proc/self/mountinfo", 0);
mkdir("./newroot/foo", 0777);
mount("./newroot/foo", "./newroot/foo", 0, MS_BIND, NULL);
chroot("./newroot");
chdir("/foo");
while (1) {
static char buf[4096];
int n = read(fd, buf, 4096);
if (n <= 0)
break;
write(1, buf, n);
}
close(fd);
drop_caps();
loop();
as the end of namespace_sandbox_proc(), instead of
chroot("./newroot");
chdir("/");
drop_caps();
loop();
sequence we have there?
> The cat /proc/self/mountinfo is for the id(579) below:
... and it misses the damn thing, since we call it before the mount
in question had been created ;-/ So we'd probably be better off not
trying to be clever and just doing that as explicit (and completely
untested) read-write loop above.
