[lxc-devel] LXC security issue - affects all supported releases

Serge Hallyn serge.hallyn at ubuntu.com
Sat Oct 24 02:37:42 UTC 2015


Quoting Thomas Moschny (thomas.moschny at gmail.com):
> 2015-10-02 15:50 GMT+02:00 Serge Hallyn <serge.hallyn at ubuntu.com>:
> > Can you tell me what happens when you do an openat with
> > O_PATH?  Does it simply return < 0?  If so then I think this is all ok.
> 
> As far as I can see, it behaves as if O_PATH wasn't given at all - so
> it doesn't really make a difference whether one "copies" the value of
> O_PATH over from elsewhere, or defines it to 0. Both ways feel hackish
> though. The second openat() call in open_if_safe() should fail anyway,
> so...
> 
> > (since an openat without O_PATH already failed, you shouldn't be allowed
> > to mount on it in this case)
> 
> ... a really clean solution would be to #ifdef that code in
> open_if_safe(), so it compiles cleanly.

Heh, a really clean solution would be a mountfd system call :)

If you can send a patch along the lines of what you'r thinking that
would be great.


More information about the lxc-devel mailing list