On Fri, Apr 12, 2019 at 10:55 AM Michael Weiß <michael.weiss@xxxxxxxxxxxxxxxxxxx> wrote:
>
> Hi Vivek,
>
> yes it is, because the path names are in the options and not
> in the mount source. I only know overlayfs as a kernel filesystem
> which uses the options for source paths, due to obvious reasons.
>
> On a bind mount the source block device on which the directory
> is located will be shown as source, thus there is no information leak
> in the mount namespace / chroot there.
>
> Short example:
>
> bind mount:
>
> host:
> mount --bind /mnt/test-rootns/ /var/lib/schroot/mount/stable-a73e0370-da3c-4325-aa4c-2585febb65d5/root/test/
>
> /dev/mapper/system-root on /var/lib/schroot/mount/stable-a73e0370-da3c-4325-aa4c-2585febb65d5/root/test type ext4 (rw,noatime,errors=remount-ro,user_xattr,barrier=1,data=ordered)
>
> chroot:
>
> /dev/mapper/system-root on /root/test type ext4 (rw,noatime,errors=remount-ro,user_xattr,barrier=1,data=ordered)
>
> overlayfs:
>
> host:
>
> overlay on /var/lib/docker/overlay2/9c428ab5204f10fad81dbd6ea21bddad7c3173f1811651c1b37d93f02e5dbb39/merged type overlay (rw,relatime,lowerdir=/var/lib/docker/overlay2/l/MXNJRWHBTT3FY7ZLXSZOXZHEDX:/var/lib/docker/overlay2/l/Q5R45CZKDNRTTYJ4RSP6OWYRT2,upperdir=/var/lib/docker/overlay2/9c428ab5204f10fad81dbd6ea21bddad7c3173f1811651c1b37d93f02e5dbb39/diff,workdir=/var/lib/docker/overlay2/9c428ab5204f10fad81dbd6ea21bddad7c3173f1811651c1b37d93f02e5dbb39/work)
>
> chroot:
>
> overlay on / type overlay (rw,relatime,lowerdir=/var/lib/docker/overlay2/l/MXNJRWHBTT3FY7ZLXSZOXZHEDX:/var/lib/docker/overlay2/l/Q5R45CZKDNRTTYJ4RSP6OWYRT2,upperdir=/var/lib/docker/overlay2/9c428ab5204f10fad81dbd6ea21bddad7c3173f1811651c1b37d93f02e5dbb39/diff,workdir=/var/lib/docker/overlay2/9c428ab5204f10fad81dbd6ea21bddad7c3173f1811651c1b37d93f02e5dbb39/work)
>
> You know, these options are just strings. It's not a problem to use any strings you like using symlink to avoid leaking paths.
It's exactly the same method that docker uses to shorten the mount option args length, for example:

cd var/lib/docker/overlay2/9c428ab5204f10fad81dbd6ea21bddad7c3173f1811651c1b37d93f02e5dbb39/
ln -s ../l/MXNJRWHBTT3FY7ZLXSZOXZHEDX l0
ln -s ../l/Q5R45CZKDNRTTYJ4RSP6OWYRT2 l1
mount -t overlay overlay merged/ -olowerdir=l0:l1,upperdir=diff,workdir=work

And that's it.
I wonder why docker is not doing that to shorten the argument list instead of the l/XXX symlinks.

Thanks,
Amir.
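The following is an added example, not code from the thread or from any of its participants. It makes the two points above concrete: given `mount`-style lines like the ones quoted (here constructed sample lines with made-up layer ids and a shortened overlay2 directory name), it lists the absolute host paths an overlay line exposes to anyone who can read the mount table inside the namespace, shows that the bind-mount line exposes none, and then plans the relative-symlink layout Amir sketches (l0, l1, diff, work) so that the recorded overlay options carry no host path. The function names and sample paths are assumptions for illustration. Two kernel details it relies on: relative `lowerdir`/`upperdir`/`workdir` values are resolved against the working directory of the process that calls mount(2) and recorded as given, and a literal `:` inside a lower layer path must be escaped as `\:` because the kernel splits `lowerdir` on unescaped colons.

```python
# Added example (not from the thread): overlay mount options are plain strings
# recorded verbatim, so every absolute lowerdir/upperdir/workdir is readable by
# anyone who can read /proc/self/mounts in that mount namespace. A bind mount
# only records its backing block device. The second half plans the relative
# symlink trick from the thread so the recorded options carry no host paths.
import os
import re

# Constructed sample in `mount` output format ("SRC on TGT type FS (OPTS)").
# Layer ids and the overlay2 directory name are made up for illustration.
SAMPLE_MOUNTS = [
    "/dev/mapper/system-root on /root/test type ext4 "
    "(rw,noatime,errors=remount-ro,user_xattr,barrier=1,data=ordered)",
    "overlay on / type overlay (rw,relatime,"
    "lowerdir=/var/lib/docker/overlay2/l/AAAA:/var/lib/docker/overlay2/l/BBBB,"
    "upperdir=/var/lib/docker/overlay2/0123abcd/diff,"
    "workdir=/var/lib/docker/overlay2/0123abcd/work)",
]

MOUNT_LINE = re.compile(
    r"^(?P<source>\S+) on (?P<target>\S+) type (?P<fstype>\S+) \((?P<opts>.*)\)$"
)


def parse_mount_line(line):
    """Split one `mount` output line into source, target, fstype and options."""
    m = MOUNT_LINE.match(line.strip())
    if not m:
        raise ValueError("not a mount line: %r" % line)
    # Options are comma separated; a literal comma in a path is escaped as "\,".
    opts = re.split(r"(?<!\\),", m.group("opts"))
    return {"source": m.group("source"), "target": m.group("target"),
            "fstype": m.group("fstype"), "options": opts}


def split_lowerdir(value):
    """Lower layers are colon separated; overlayfs escapes a literal ':' as '\\:'."""
    return [p.replace("\\:", ":") for p in re.split(r"(?<!\\):", value)]


def overlay_layers(entry):
    """Return {"lowerdir": [...], "upperdir": [...], "workdir": [...]} for an entry."""
    layers = {"lowerdir": [], "upperdir": [], "workdir": []}
    for opt in entry["options"]:
        key, sep, value = opt.partition("=")
        if sep and key in layers:
            layers[key] = split_lowerdir(value) if key == "lowerdir" else [value]
    return layers


def exposed_host_paths(line):
    """Absolute paths a reader of this mount line learns about the host.

    Bind mounts show only the block device, so they expose nothing here.
    Overlay mounts with absolute layer paths expose every one of them.
    """
    entry = parse_mount_line(line)
    if entry["fstype"] != "overlay":
        return []
    return [p for paths in overlay_layers(entry).values()
            for p in paths if p.startswith("/")]


def plan_short_layout(mount_cwd, lowers, upper, work):
    """Symlinks to create in mount_cwd, plus the overlay options to pass.

    Relative option paths are resolved against the cwd of the process calling
    mount(2) and recorded as given, so running `mount` from mount_cwd with these
    options records only l0, l1, diff and work. Symlink names never contain
    ':' here, so no escaping is needed in the lowerdir value.
    """
    symlinks = [("l%d" % i, os.path.relpath(lower, mount_cwd))
                for i, lower in enumerate(lowers)]
    opts = ",".join([
        "lowerdir=" + ":".join(name for name, _ in symlinks),
        "upperdir=" + os.path.relpath(upper, mount_cwd),
        "workdir=" + os.path.relpath(work, mount_cwd),
    ])
    return symlinks, opts


if __name__ == "__main__":
    for line in SAMPLE_MOUNTS:
        fstype = parse_mount_line(line)["fstype"]
        print(fstype, "exposes:", exposed_host_paths(line) or "nothing")
    base = "/var/lib/docker/overlay2/0123abcd"
    links, opts = plan_short_layout(
        base,
        ["/var/lib/docker/overlay2/l/AAAA", "/var/lib/docker/overlay2/l/BBBB"],
        base + "/diff", base + "/work")
    print("cd", base)
    for name, target in links:
        print("ln -s", target, name)
    print("mount -t overlay overlay merged/ -o" + opts)
```

Run without arguments it prints the exposure report for the two sample lines and the `cd`/`ln -s`/`mount` sequence that reproduces Amir's l0/l1 layout for the sample paths. The planner only computes the layout; it does not create symlinks or call mount, so it can be run unprivileged and its output reviewed before anything touches the host.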