Date: Mon, 3 Oct 2022 15:03:03 +0100
From: Al Viro
To: David Laight
Cc: "'Eric W. Biederman'", Linus Torvalds, "linux-kernel@vger.kernel.org", "netdev@vger.kernel.org", "Serge E. Hallyn"
Subject: Re: [CFT][PATCH] proc: Update /proc/net to point at the accessing threads network namespace

On Mon, Oct 03, 2022 at 09:36:46AM +0000, David Laight wrote:
> ...
> > * ability to chroot(2) had always been equivalent to ability to undo
> > chroot(2).  If you want to prevent getting out of there, you need
> > (among other things) to prevent the processes to be confined from
> > further chroot(2).
>
> Not always, certainly not historically.

Factually incorrect.

> chroot() inside a chroot() just constrained you further.

What it did was change your root directory.  Yes, deeper.  And leave your
current directory where it had been.  Now, recall that chroot does *NOT* affect
the interpretation of .. other than in the current root.  Which means that
attacker doing
	chdir("/");
	chroot(some_existing_directory);
	chdir("..");
will end up outside of the original chroot environment.

This is POSIX-mandated behaviour.  Moreover, that is behaviour of historical
Unices.  Any Unix programmer who tries to use chroot(2) should be aware of that.
Ability of making chroot(2) calls means the ability to break out of any chroot
you are currently in.

> If fchdir() and openat() have broken that it is a serious
> problem.

Have you even read the mail you'd been replying to?  Where had anything
in the example given (OK sketched out) to you upthread involve fchdir() or
openat()?
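
Added illustration, not part of the mail above and not kernel code: a simplified C model of the lookup rule the mail describes (".." is stopped only at the process's current root, and chroot(2) leaves the current directory where it was). The toy directory tree, `struct proc` and the `may_chroot` flag are assumptions made for the example; `may_chroot` stands for whatever mechanism denies further chroot(2) to the confined process.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed toy tree: "/" -> "/jail" -> "/jail/sub". */
enum { REAL_ROOT, JAIL, SUB, NDIRS };
static const int parent[NDIRS] = { REAL_ROOT, REAL_ROOT, JAIL };

/* Per-process state the mail talks about (field names are hypothetical). */
struct proc { int root, cwd; bool may_chroot; };

/* ".." stops only when the walk stands on the process's *current* root. */
static int dotdot(const struct proc *p, int dir) {
    return dir == p->root ? dir : parent[dir];
}

/* chroot(): moves root, leaves cwd alone; refused without the privilege. */
static int model_chroot(struct proc *p, int dir) {
    if (!p->may_chroot)
        return -1;              /* models EPERM */
    p->root = dir;
    return 0;
}

/* True if dir is top or a descendant of top. */
static bool inside(int dir, int top) {
    while (dir != top) {
        if (dir == REAL_ROOT)
            return false;
        dir = parent[dir];
    }
    return true;
}

/* Run the mail's three calls in a process confined to /jail and report
 * whether its cwd is still inside /jail afterwards. */
static bool stays_confined(bool may_chroot) {
    struct proc p = { .root = JAIL, .cwd = JAIL, .may_chroot = may_chroot };
    p.cwd = p.root;                    /* chdir("/")    */
    (void)model_chroot(&p, SUB);       /* chroot("sub") */
    p.cwd = dotdot(&p, p.cwd);         /* chdir("..")   */
    return inside(p.cwd, JAIL);
}

int main(void) {
    printf("further chroot allowed: confined=%d\n", stays_confined(true));
    printf("further chroot denied:  confined=%d\n", stays_confined(false));
    return 0;
}
```

In the model the process stays inside /jail only when the second chroot is refused, which is the condition the quoted text states: the confined process must be prevented from further chroot(2).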