[lxc-devel] [PATCH RFC] chroot_into_slave: move tmp-/ before chrooting to it

Serge Hallyn serge.hallyn at ubuntu.com
Mon Oct 6 03:05:51 UTC 2014


Quoting Andrey Wagin (avagin at gmail.com):
> 2014-10-05 8:21 GMT+04:00 Serge Hallyn <serge.hallyn at ubuntu.com>:
> > First, make sure to remount MS_SHARED mounts as MS_SLAVE
> > before doing chroot_into_slave.
> >
> > Then, move-mount our tmp-/ to / before chrooting to it.  This
> > ensures that the new root is mounted on top of "/" rather than
> > on top of our old chroot, which allows chroot escape.
> 
> Looks like this scheme is insecure too. I added chrootbreak2.c to your scripts:
> https://github.com/avagin/pivot_root-vs-rootfs

Ouch, now that's just mean-spirited :)

So what you are doing (iiuc) is lazily unmounting /;  when you setns()
you briefly drop the mntns so that the umount of / can happen, then the
kernel just reattaches you to your former root dentry, which happens to
also match another ns.  I'm impressed that this fails with a simple
pivot_root.  Unlike the other break, this one seems to me like a kernel
bug.  I think the kernel should simply refuse a setns to your own ns.
It seems like begging for weird races or refcount buglets.

-serge
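
An added example, not part of this thread or of LXC's code: one way to find the mounts that the first step of the quoted patch description applies to (remounting MS_SHARED mounts as MS_SLAVE) is to look for the `shared:N` optional field in `/proc/self/mountinfo`. The function name `mount_is_shared` and the sample lines are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed /proc/self/mountinfo lines (sample data, not from the thread). */
static const char *const sample[] = {
    "22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw",
    "23 22 0:21 / /proc rw,nosuid shared:12 - proc proc rw",
    "40 22 0:35 / /usr/lib/lxc/rootfs rw master:1 - ext4 /dev/sda1 rw",
    "41 22 0:36 / /mnt/private rw - tmpfs tmpfs rw",
};

/* Returns 1 if the line carries a "shared:N" optional field, 0 if it does
 * not, -1 if the "-" separator is missing. Field 5 (mount point) goes to mnt. */
static int mount_is_shared(const char *line, char *mnt, size_t mntlen)
{
    int field = 0, shared = 0;

    for (const char *p = line; *p; ) {
        p += strspn(p, " \n");
        size_t len = strcspn(p, " \n");
        if (len == 0)
            break;
        field++;
        if (field == 5)
            snprintf(mnt, mntlen, "%.*s", (int)len, p);
        /* Fields 7 onward are optional tags, ended by a lone "-". */
        if (field >= 7 && len == 1 && *p == '-')
            return shared;
        if (field >= 7 && len > 7 && strncmp(p, "shared:", 7) == 0)
            shared = 1;
        p += len;
    }
    return -1;
}

int main(void)
{
    char mnt[256];
    for (size_t i = 0; i < sizeof(sample) / sizeof(sample[0]); i++)
        if (mount_is_shared(sample[i], mnt, sizeof(mnt)) == 1)
            printf("shared, needs MS_SLAVE remount: %s\n", mnt);
    return 0;
}
```

A mount tagged only `master:N` is already a slave, and one with no propagation tag is private, so neither is reported.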

