[lxc-devel] [PATCH 1/1] pivot_root: switch to a new mechanism (v2)
Serge Hallyn
serge.hallyn at ubuntu.com
Mon Sep 29 22:46:26 UTC 2014
Quoting Andy Lutomirski (luto at amacapital.net):
> On Mon, Sep 29, 2014 at 2:46 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> I'm not sure that "/" is well-defined. You have oldroot mounted on
Whoa. Seems you're right. I would have expected it to mean precisely
the dentry+vfsmount which I pivot-rooted to. Which have been overmounted,
so umount(/) would umount what's been mounted over them.
> top of newroot, and "/" refers to one of them (presumably oldroot on
> newer kernels, and maybe newroot on older kernels).
So it seems.
>I think that you
> want to unmount oldroot, leaving only newroot mounted. When you call
> umount2, "." reliably refers to oldroot.
Right
> /me wonders whether there's a vulnerability here on new kernels if the
> test were adjusted a bit. mnt_ns oughtn't to be NULL, right?
Wouldn't it be in the older kernels though? That's where mnt_ns ends
up being null. So from 3.8..3.11 an unpriv user (though CLONE_NEWUSER)
can do a pivot_root causing null MNT_NS, and presumably find an interesting
way to dereference it.
> >> I'm currently having trouble finding an old enough box. Can you try
> >> the attached fancier test and see what it prints?
> >
> > Exact same as mine:
> >
> > ubuntu at kvm-p3:~$ sudo ./x
> > pivoted
> > in new root
> > I am 1441
> > root at kvm-p3:/# mount --bind /mnt /mnt
>
> Ah, OK, I completely misunderstood your original email.
>
> If I change umount2 to umount "." instead of "/" in my code, the
> subsequent mount --bind works for me on 3.2.
Same here, so I can push a fix for lxc - thanks!
> FWIW, your test does awful, awful things if I don't do the MS_PRIVATE
> thing on top.
D'oh. Sorry about that.
-serge
More information about the lxc-devel
mailing list