[PATCH review 0/4] Loopback mount escape fixes

Miklos Szeredi miklos at szeredi.hu
Mon Apr 13 12:18:40 UTC 2015

On Thu, Apr 9, 2015 at 1:31 AM, Eric W. Biederman <ebiederm at xmission.com> wrote:
> After the last round of feedback I sat down and played with my fix
> for the fact that a strategically placed rename, ".." on bind mounts
> go up past the root of the bind mount.
> The code better handles the escaped directory returning into it's bind
> mount, and is now roughly a constant factor cost in all cases from what
> the code costs without the fix.
> So I think I have found a better tradeoff between fixing this bug and
> not slowing down path name lookups in the common case.

Maybe I'm missing something, but I see a much simpler fix:

 - When following ".." first just check against the dentry being equal
to the root dentry.

 - If so, then check mount being equal to root mount.

 - If so, then we are fine, found the root.

 - If mount is not root mount, then we either have a bind mount or the
escape scenario. So have a peek at the mount tree to see if we have a
chance of reaching root or not.

  - If yes, then we are fine, continue upward.

  - Otherwise stop here and act like we found root.

This doesn't have to hook into d_move() and will only trigger the
"violated" mode on an very specific and rare case.

I haven't thought about this very hard, but I don't see how the root
dentry could be avoided without first having access to something
outside the root.


More information about the Containers mailing list