On Wed, Apr 29, 2020 at 4:47 PM Miklos Szeredi <mszer...@redhat.com> wrote:
>
> On Wed, Apr 29, 2020 at 4:36 PM Vivek Goyal <vgo...@redhat.com> wrote:
> >
> > On Wed, Apr 29, 2020 at 02:47:33PM +0200, Miklos Szeredi wrote:
> > > While it's not possible to escape the proc filesystem through
> > > lo->proc_self_fd, it is possible to escape to the root of the proc
> > > filesystem itself through "../..".
> >
> > Hi Miklos,
> >
> > So this attack will work with some form of *at(lo->proc_self_fd, "../..")
> > call?
>
> Right.
>
> > >
> > > Use a temporary mount for opening lo->proc_self_fd, that has its root at
> > > /proc/self/fd/, preventing access to the ancestor directories.
> >
> > Does this mean that now a similar attack can happen using "../.." on the tmpdir
> > fd instead and be able to look at peers of tmpdir? Or is it blocked
> > due to the mount point or something else?
>
> No, because tmpdir is detached, the root of that tree will be the
> directory pointed to by the fd. ".." will just lead to the same
> directory.
BTW, I would have liked to do this without a temp directory, but apparently the fancy new mount stuff isn't up to this task, or at least I haven't figured it out yet.

Thanks,
Miklos
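The distinction Miklos draws above, an fd on an ordinary directory (from which "../.." walks up the tree) versus an fd on the root of a detached mount (where ".." stays put), as an added example that is not code from this thread or from the project it discusses. It assumes a writable /tmp for the scratch directory and CAP_SYS_ADMIN for the bind mount; the check function itself needs no privileges.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if "../.." from dirfd reaches a directory other than dirfd
 * itself (the fd can be used to walk out of its tree), 0 if it lands on
 * the same directory, -1 on error. */
int dotdot_escapes(int dirfd)
{
    struct stat here, up;
    int upfd = openat(dirfd, "../..", O_RDONLY | O_DIRECTORY);
    if (upfd < 0 || fstat(dirfd, &here) < 0 || fstat(upfd, &up) < 0) {
        if (upfd >= 0)
            close(upfd);
        return -1;
    }
    close(upfd);
    return !(here.st_dev == up.st_dev && here.st_ino == up.st_ino);
}

/* Open /proc/self/fd as the root of a detached mount: bind-mount it onto a
 * scratch directory, take an O_PATH fd on that directory (which keeps the
 * mount alive), then lazily unmount and remove the directory.
 * Needs CAP_SYS_ADMIN. Returns the fd, or -1 on failure. */
int open_proc_self_fd_detached(void)
{
    char tmpl[] = "/tmp/procfd-XXXXXX";   /* assumption: /tmp is writable */
    char *dir = mkdtemp(tmpl);
    if (!dir)
        return -1;
    if (mount("/proc/self/fd", dir, NULL, MS_BIND, NULL) < 0) {
        rmdir(dir);
        return -1;
    }
    int fd = open(dir, O_PATH);
    umount2(dir, MNT_DETACH);
    rmdir(dir);
    return fd;
}

int main(void)
{
    int plain = open("/proc/self/fd", O_PATH);
    printf("plain fd on /proc/self/fd: ../.. escapes = %d\n", dotdot_escapes(plain));
    int detached = open_proc_self_fd_detached();
    if (detached < 0) {
        perror("detached mount (needs CAP_SYS_ADMIN)");
        return 1;
    }
    printf("fd on detached mount root: ../.. escapes = %d\n", dotdot_escapes(detached));
    return 0;
}
```

Run as root to see both lines; the first reports 1 (the plain fd reaches /proc), the second 0 (".." on the detached root resolves to the root itself).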