[PATCH review 4/4] vfs: Do not allow escaping from bind mounts.

Al Viro viro at ZenIV.linux.org.uk
Fri Apr 10 03:14:57 UTC 2015

On Thu, Apr 09, 2015 at 09:51:11PM -0500, Eric W. Biederman wrote:
> And a process opened /tmp/c/c/x.
> d_path on that file descriptor before __d_move would say:
> /tmp/c/c/x
> after the __d_move d_path would say:
> /tmp/c/a/x

So what?

> Which is bizareely weird in this example, and could potentially be
> an expolitable information leak in the hands of someone who knew
> what they were doing.
> I am not clever enough to take that deleted directory and walk up the
> tree, so the damage may be limited to seeing the true path on the
> fileystem.  But it just may be that I am dense today.
> Furthermore all of the relevant changes to the dentry that happen 
> when exchange is true also happen when exchange is false, so I am very
> reluctant to believe that the non-exchange case is not exploitable by a
> sufficiently clever individual.

	Exploited how?  The same assistant might very well have done
echo "/tmp/c/a/x or whatever else I might want to pass to you" >/tmp/c/c/x
and pass whatever information they wanted _that_ way.

	As it is, you've created one hell of a DoS - *anyone* can poison
any vfsmount covering a subtree if they have access to a containing subtree
somewhere and write permissions on a directory inside and directory outside
of the victim one.

More information about the Containers mailing list