Comment 10 for bug 1476662
Revision history for this message
| Tyler Hicks (tyhicks) wrote Re: [Bug 1476662] Re: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor | #10 |
On 2015-07-30 18:46:50, Serge Hallyn wrote:
> Yup, that race is there in theory. This appears to be yet another
> reason to push for a 'fdmount/mountat' function. But lacking that I'm
> not sure how we can prevent this.
>
> Do you have any suggestions?
You could split all of the path components up into an array (or however
you want to iterate over them) and then walk each component of the path
like so:
for (component = components[0]; component; component++) {
fd = open(dirfd, component,
fchdir(fd);
close(dirfd);
dirfd = fd;
}
close(fd);
mount(source, ".", ...);