On Wed, Apr 29, 2020 at 4:36 PM Vivek Goyal <vgo...@redhat.com> wrote: > > On Wed, Apr 29, 2020 at 02:47:33PM +0200, Miklos Szeredi wrote: > > While it's not possible to escape the proc filesystem through > > lo->proc_self_fd, it is possible to escape to the root of the proc > > filesystem itself through "../..". > > Hi Miklos, > > So this attack will work with some form of *at(lo->proc_self_fd, "../..") > call?
Right. > > > > > Use a temporary mount for opening lo->proc_self_fd, that has it's root at > > /proc/self/fd/, preventing access to the ancestor directories. > > Does this mean that now similar attack can happen using "../.." on tmpdir > fd instead and be able to look at peers of tmpdir. Or it is blocked > due to mount point or something else. No, because tmpdir is detached, the root of that tree will be the directory pointed to by the fd. ".." will just lead to the same directory. Thanks, Miklos
