Quoting Roman Fiedler (<email address hidden>):
> Also to me. If I understand correctly, code inside e.g. validate_symlink
> is only secure when applied to a non-running container (where any
The code is only run against non-running containers, however the symlinks
can be changed if the container configuration (under the host admin's
control) has two mount entries, the first bind-mounting the attacker's
homedir into the container, and the second mounting to someplace under
the bind-mounted home.
So the TOCTTOU between readlink and openat is a problem. Sigh.
We could re-check the readlink after the openat, but the attacker could
presumably try to very quickly move the link back...
So using destbuf may be better. If the target is also a link, simply
returning EPERM at that point should be ok. We're not trying to support
every possible configuration. The real cases we need to support are
things like /proc/net.
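The readlink-then-open-destbuf approach discussed above, written out as an added example; this is not code from the original message or from LXC. It assumes a writable /tmp for the constructed fixtures and substitutes a crude stand-in policy check (relative targets without "..") for whatever validate_symlink really enforces.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Open what a symlink points to without re-resolving the link at open time:
 * readlinkat() fills destbuf, destbuf is policy-checked, and destbuf itself is
 * then opened with O_NOFOLLOW, so a link swapped in after the readlink is never
 * followed. Hypothetical helper (not LXC code); returns an fd or -errno,
 * with -EPERM when the target turns out to be another link. */
int open_link_target(int dirfd, const char *linkname)
{
    char destbuf[PATH_MAX];
    ssize_t n = readlinkat(dirfd, linkname, destbuf, sizeof(destbuf) - 1);
    if (n < 0) return -errno;
    destbuf[n] = '\0';
    /* Crude stand-in policy (assumption): relative targets only, no "..". */
    if (destbuf[0] == '/' || strstr(destbuf, "..") != NULL) return -EPERM;
    int fd = openat(dirfd, destbuf, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return errno == ELOOP ? -EPERM : -errno; /* ELOOP: still a link */
    return fd;
}

/* Constructed fixtures in a fresh temp dir: file <- ok_link <- chain_link, plus
 * an absolute link. Returns 0 if the helper behaves as documented, else 1. */
int demo(void)
{
    char tmpl[] = "/tmp/symlink-demo-XXXXXX";
    if (mkdtemp(tmpl) == NULL) return 1;
    int dirfd = open(tmpl, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0) return 1;
    int f = openat(dirfd, "file", O_CREAT | O_WRONLY, 0600);
    if (f < 0) return 1;
    close(f);
    symlinkat("file", dirfd, "ok_link");           /* one hop: allowed    */
    symlinkat("ok_link", dirfd, "chain_link");     /* link to link: EPERM */
    symlinkat("/etc/hostname", dirfd, "abs_link"); /* absolute: EPERM     */
    int fd = open_link_target(dirfd, "ok_link");
    int ok = fd >= 0
          && open_link_target(dirfd, "chain_link") == -EPERM
          && open_link_target(dirfd, "abs_link") == -EPERM
          && open_link_target(dirfd, "missing") == -ENOENT;
    if (fd >= 0) close(fd);
    close(dirfd);
    return ok ? 0 : 1;
}
```

O_NOFOLLOW only covers the final component of destbuf, so intermediate directories could still be symlinks; a production version walks the path one component at a time or uses openat2() with RESOLVE_NO_SYMLINKS on Linux 5.6 and later.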