RE: [CFT][PATCH] proc: Update /proc/net to point at the accessing threads network namespace

From: David Laight
Date: Mon Oct 03 2022 - 05:43:09 EST

> * ability to chroot(2) had always been equivalent to ability to undo
> chroot(2). If you want to prevent getting out of there, you need
> (among other things) to prevent the processes to be confined from
> further chroot(2).

Not always, certainly not historically.
chroot() inside a chroot() just constrained you further.
If fchdir() and openat() have broken that, it is a serious

NetBSD certainly has checks to detect (log and fix)
programs that have (or might) escape from chroots.

unshare() seems to create a 'shadow' inode structure
for the chroot's "/" so at least some of the tests
when following ".." fail to detect it.

I also thought containers relied on the same scheme?
(But I'm too old fashioned to have looked into them!)
