[lxc-devel] [PATCH RFC] chroot_into_slave: move tmp-/ before chrooting to it
Serge Hallyn
serge.hallyn at ubuntu.com
Mon Oct 6 03:05:51 UTC 2014
Quoting Andrey Wagin (avagin at gmail.com):
> 2014-10-05 8:21 GMT+04:00 Serge Hallyn <serge.hallyn at ubuntu.com>:
> > First, make sure to remount MS_SHARED mounts as MS_SLAVE
> > before doing chroot_into_slave.
> >
> > Then, move-mount our tmp-/ to / before chrooting to it. This
> > ensures that the new root is mounted on top of "/" rather than
> > on top of our old chroot, which allows chroot escape.
>
> Looks like this scheme is insecure too. I added chrootbreak2.c to your scripts:
> https://github.com/avagin/pivot_root-vs-rootfs
Ouch, now that's just mean-spirited :)
So what you are doing (iiuc) is lazily unmounting /; when you setns()
you briefly drop the mntns so that the umount of / can happen, then the
kernel just reattaches you to your former root dentry, which happens to
also match another ns. I'm impressed that this fails with a simple
pivot_root. Unlike the other break, this one seems to me like a kernel
bug. I think the kernel should simply refuse a setns to your own ns.
It seems like begging for weird races or refcount buglets.
-serge
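
The first step in the quoted commit message is to remount MS_SHARED mounts as MS_SLAVE. As an added example (not code from this thread or from LXC), the following C finds which entries in /proc/self/mountinfo-format text still carry shared propagation, by looking for a `shared:N` optional field before the `-` separator. The function names and the sample lines are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/self/mountinfo format (not from a real host). */
static const char SAMPLE[] =
    "21 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw\n"
    "22 21 0:20 / /proc rw,nosuid shared:12 - proc proc rw\n"
    "30 21 0:25 / /mnt/a rw,relatime master:1 - tmpfs tmpfs rw\n"
    "31 21 0:26 / /mnt/b rw,relatime - tmpfs tmpfs rw\n";

/* Parse one mountinfo line. Returns 1 if it has a "shared:N" optional
 * field, 0 if not, -1 if the line is malformed (no " - " separator or
 * mount point too long). The mount point (field 5) is copied to mnt. */
int mountinfo_is_shared(const char *line, char *mnt, size_t mntlen)
{
    int field = 0, shared = 0;
    const char *p = line;

    while (*p && *p != '\n') {
        size_t len = strcspn(p, " \n");
        field++;
        if (field == 5) {
            if (len == 0 || len >= mntlen)
                return -1;
            memcpy(mnt, p, len);
            mnt[len] = '\0';
        } else if (field > 6) {          /* optional fields, then "-" */
            if (len == 1 && *p == '-')
                return shared;
            if (len > 7 && strncmp(p, "shared:", 7) == 0)
                shared = 1;
        }
        p += len;
        if (*p == ' ')
            p++;
    }
    return -1;
}

/* Count mounts in a multi-line buffer that would still propagate events. */
int count_shared(const char *text)
{
    char mnt[256];
    int n = 0;
    while (*text) {
        if (mountinfo_is_shared(text, mnt, sizeof(mnt)) == 1)
            n++;
        text += strcspn(text, "\n");
        if (*text == '\n')
            text++;
    }
    return n;
}
```

A count of zero after the remount step means no mount in the namespace is still a propagation peer; entries showing only `master:N` are slaves.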