[PATCH review 2/4] vfs: Test for and handle paths that are unreachable from their mnt_root
Eric W. Biederman
ebiederm at xmission.com
Fri Apr 10 02:24:20 UTC 2015
Al Viro <viro at ZenIV.linux.org.uk> writes:
> On Wed, Apr 08, 2015 at 06:32:58PM -0500, Eric W. Biederman wrote:
>> - Add a dentry flag DCACHE_MOUNT_VIOLATED to mark loopback mounts that
>> have had a dentry moved into a directory that does not descend from
>> the mount root dentry.
>> - In mnt_put_root clear DCACHE_MOUNT_VIOLATED.
>> - Add a function path_connected to verify a path.dentry is reachable from
>> path.mnt.mnt_root. AKA rename did not do something nasty to the bind mount.
>> - Disable ".." when a path is not connected during lookup.
>> (Maybe we want to stop ".." at this path instead?)
>> Following .. is not disabled after a transition to /
>> and is never disabled when / is the directory we start
>> with. Because we already limit .. no higher than /
> IDGI. Am I missing something, or you really only set that flag in the
> beginning of the pathwalk? At the bare minimum, you want to treat
> nd_jump_link() the same way, or your protection is trivially defeated by
> using /proc/self/cwd/$PATHNAME instead of $PATHNAME...

nd_jump_link() is definitely an oversight. Doh!

Starting at the root or starting at mount_root of a mount point, that
flag is not necessary, as we can obviously walk up as far as it is
possible to go on that mount.

Furthermore, legitimize_mnt will fail if a problematic rename happens
during the mount.

The next patch limits what follow_up and follow_nup_rcu can do.

So I have all of the normal operations covered, but I definitely need to
take a second look to see if there are any additional locations like
nd_jump_link where we can jump onto a path in the middle of a mount and
need to test to see if it is connected.
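
A user-space model of the connectivity test discussed in this thread, added here as an illustration; it is not code from the patch or from the kernel. Only the name path_connected and the rule it checks come from the message; the toy structs, toy_dotdot, the -1 return and the /a, /other layout are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy stand-ins for the kernel objects named in the thread (assumed layout). */
struct dentry { struct dentry *parent; const char *name; };
struct path { struct dentry *mnt_root; struct dentry *dentry; };

/* True when path.dentry is mnt_root or descends from it.
 * The filesystem root is modelled as its own parent. */
static bool path_connected(const struct path *p)
{
    for (const struct dentry *d = p->dentry; ; d = d->parent) {
        if (d == p->mnt_root) return true;
        if (d->parent == d) return false; /* reached fs root, never met mnt_root */
    }
}

/* Model of a ".." step: stay at mnt_root, refuse on a disconnected path.
 * Failing with -1 is an assumption; the thread also considers stopping instead. */
static int toy_dotdot(struct path *p)
{
    if (p->dentry == p->mnt_root) return 0;
    if (!path_connected(p)) return -1;
    p->dentry = p->dentry->parent;
    return 0;
}

/* Constructed scenario: /a is the bind-mount root, the walk sits at /a/b/c. */
static struct dentry root, a, b, c, other;
static struct path cwd;

static void build(bool rename_out)
{
    root  = (struct dentry){ &root, "/" };
    a     = (struct dentry){ &root, "a" };
    other = (struct dentry){ &root, "other" };
    b     = (struct dentry){ &a, "b" };
    c     = (struct dentry){ &b, "c" };
    cwd   = (struct path){ &a, &c };
    if (rename_out) b.parent = &other; /* rename /a/b to /other/b */
}

bool demo_connected(bool rename_out) { build(rename_out); return path_connected(&cwd); }
int demo_dotdot(bool rename_out) { build(rename_out); return toy_dotdot(&cwd); }

int main(void)
{
    printf("no rename: connected=%d dotdot=%d\n", demo_connected(false), demo_dotdot(false));
    printf("renamed:   connected=%d dotdot=%d\n", demo_connected(true), demo_dotdot(true));
    return 0;
}
```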