Jeff Layton <jlayton@xxxxxxxxxx> writes: > On Thu, 19 Nov 2009 09:07:16 -0800 > ebiederm@xxxxxxxxxxxx (Eric W. Biederman) wrote: > >> >> Nacked-by: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx> >> >> This is broken. If the referenced file is in a different mount namespace >> the path returned could point to a completely different path in your >> own mount namespace. Even in your own mount namespace this makes the >> proc symlinks racy and not guaranteed to return the file of interest. >> >> I don't see any hope of this approach ever working. >> >> Eric >> > > Then is proc_pid_readlink broken in the same way? proc_pid_readlink has the same deficiencies. The race is fundamental to all readlink operations, the difference is that for normal symlinks it is a don't care, and for proc it is incorrect behavior if you follow the symlink to the wrong file. If you are dealing with a file in a different namespace or a socket what you get back doesn't actually work as a file in your local namespace but that is the best we can do with a pathname, and if you know the context of what is going on readlink is still useful. Adding all of the short comings to followlink that readlink has is a problem, especially as followlink does much better now. At a practical level I think your changes are much easier to exploit than Pavels contrived example. I really don't have any problems with your first patch to proc to add the missing revalidate. Eric -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
