Re: Safety of resolving untrusted paths with detached mount dirfd

From: Aleksa Sarai

Date: Wed Nov 19 2025 - 21:19:00 EST


On 2025-11-19, Alyssa Ross <hi@xxxxxxxxx> wrote:
> Hello,
>
> As we know, it's not safe to use chroot() for resolving untrusted paths
> within some root, as a subdirectory could be moved outside of the
> process root while walking the path[1]. On the other hand,
> LOOKUP_BENEATH is supposed to be robust against this, and going by [2],
> it sounds like resolving with the mount namespace root as dirfd should
> also be.
>
> My question is: would resolving an untrusted path against a detached
> mount root dirfd opened with OPEN_TREE_CLONE (not necessarily a
> filesystem root) also be expected to be robust against traversal issues?
> i.e. can I rely on an untrusted path never resolving to a path that
> isn't under the mount root?

No, if you hit an absolute symlink or use an absolute path it will
resolve to your current->fs->root (mount namespace root or chroot).
However, OPEN_TREE_CLONE will stop ".." from naively stepping out of the
detached bind-mount. If you are dealing with procfs then magic-links can
also jump out.

You can always use RESOLVE_BENEATH or RESOLVE_IN_ROOT in combination
with OPEN_TREE_CLONE.

--
Aleksa Sarai
https://www.cyphar.com/

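The combination suggested in the reply above (OPEN_TREE_CLONE together with RESOLVE_BENEATH or RESOLVE_IN_ROOT), as an added example that is not part of the original message and not the author's code. The function names `detached_tree` and `open_confined` are hypothetical; it assumes kernel headers from Linux 5.6 or later and, for `open_tree()`, CAP_SYS_ADMIN.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/mount.h>   /* OPEN_TREE_CLONE, OPEN_TREE_CLOEXEC */
#include <linux/openat2.h> /* struct open_how, RESOLVE_* */

/* Detached bind-mount clone of dir (needs CAP_SYS_ADMIN). Returns fd or -errno. */
int detached_tree(const char *dir)
{
    long fd = syscall(SYS_open_tree, AT_FDCWD, dir,
                      OPEN_TREE_CLONE | OPEN_TREE_CLOEXEC);
    return fd < 0 ? -errno : (int)fd;
}

/* Open untrusted relative to rootfd under the given RESOLVE_* policy.
 * Without RESOLVE_BENEATH or RESOLVE_IN_ROOT, an absolute path or absolute
 * symlink is resolved from the caller's own root, not from rootfd. */
int open_confined(int rootfd, const char *untrusted, uint64_t resolve)
{
    struct open_how how = { .flags = O_RDONLY | O_CLOEXEC, .resolve = resolve };
    long fd = syscall(SYS_openat2, rootfd, untrusted, &how, sizeof(how));
    return fd < 0 ? -errno : (int)fd;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <tree-dir> <untrusted-path>\n", argv[0]);
        return EXIT_FAILURE;
    }
    int root = detached_tree(argv[1]);
    if (root < 0) {
        fprintf(stderr, "open_tree: %s\n", strerror(-root));
        return EXIT_FAILURE;
    }
    /* RESOLVE_IN_ROOT: "/" and ".." are scoped to root, as if chrooted there. */
    int fd = open_confined(root, argv[2], RESOLVE_IN_ROOT);
    if (fd < 0)
        fprintf(stderr, "openat2: %s\n", strerror(-fd));
    else
        printf("opened fd %d inside the detached tree\n", fd);
    return fd < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
}
```

With RESOLVE_BENEATH an absolute symlink or a ".." that would leave the tree fails with EXDEV; with RESOLVE_IN_ROOT the same components are reinterpreted relative to the dirfd instead.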