Al Viro <viro@xxxxxxxxxxxxxxxxxx> writes: > On Wed, Apr 08, 2015 at 06:34:12PM -0500, Eric W. Biederman wrote: >> + if (ancestor) { >> + mark_violated_mounts(dentry, ancestor); >> + mark_violated_mounts(target, ancestor); >> + } > > Umm... Both sides the same way, regardless of whether it's exchange or > move? Looks wrong... I am pretty certain it can cause d_path to become an information leak if we do not. > Look: > > mkdir /tmp/a > mkdir /tmp/b > mkdir /tmp/c > mkdir /tmp/b/c > touch /tmp/a/x > mount --bind /tmp/b /tmp/c > mv /tmp/a/x /tmp/b/c/x > > should that make the vfsmount on /tmp/c violated? And if so, why? If /tmp is a mount point and before the move there was a: touch /tmp/b/c/x And a process opened /tmp/c/c/x. d_path on that file descriptor before __d_move would say: /tmp/c/c/x after the __d_move d_path would say: /tmp/c/a/x Which is bizareely weird in this example, and could potentially be an expolitable information leak in the hands of someone who knew what they were doing. I am not clever enough to take that deleted directory and walk up the tree, so the damage may be limited to seeing the true path on the fileystem. But it just may be that I am dense today. Furthermore all of the relevant changes to the dentry that happen when exchange is true also happen when exchange is false, so I am very reluctant to believe that the non-exchange case is not exploitable by a sufficiently clever individual. Eric -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html