Safety of resolving untrusted paths with detached mount dirfd
From: Alyssa Ross
Date: Wed Nov 19 2025 - 09:25:16 EST
Hello,

As we know, it's not safe to use chroot() for resolving untrusted paths
within some root, as a subdirectory could be moved outside of the
process root while walking the path[1]. On the other hand,
LOOKUP_BENEATH is supposed to be robust against this, and going by [2],
it sounds like resolving with the mount namespace root as dirfd should
also be.

My question is: would resolving an untrusted path against a detached
mount root dirfd opened with OPEN_TREE_CLONE (not necessarily a
filesystem root) also be expected to be robust against traversal issues?
I.e., can I rely on an untrusted path never resolving to a path that
isn't under the mount root?

[1]: https://lore.kernel.org/lkml/CAG48ez30WJhbsro2HOc_DR7V91M+hNFzBP5ogRMZaxbAORvqzg@xxxxxxxxxxxxxx/
[2]: https://lore.kernel.org/lkml/C89D720F-3CC4-4FA9-9CBB-E41A67360A6B@xxxxxxxxxxxxxx/
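Added example, not part of the message above or of the kernel tree: a C program that confines untrusted paths to a dirfd with openat2(2) and RESOLVE_BENEATH, the userspace spelling of the LOOKUP_BENEATH behaviour the question refers to. The fixture directory, its file names and the open_beneath/make_fixture helpers are constructed for this demo; the detached-mount (OPEN_TREE_CLONE) variant is not exercised, since open_tree(2) needs CAP_SYS_ADMIN.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>
#if __has_include(<linux/openat2.h>)
#include <linux/openat2.h>
#else /* older libc headers: the UAPI struct layout and flag value are stable */
struct open_how { unsigned long long flags, mode, resolve; };
#define RESOLVE_BENEATH 0x08
#endif
#ifndef SYS_openat2
#define SYS_openat2 437 /* same number on every architecture */
#endif

/* Open `path` relative to `dirfd` with RESOLVE_BENEATH (the openat2(2) name
 * for LOOKUP_BENEATH); return 0 (fd closed) or the errno. Any step that would
 * leave dirfd ("..", an absolute path, an absolute symlink target) => EXDEV. */
static int open_beneath(int dirfd, const char *path)
{
    struct open_how how = { .flags = O_RDONLY | O_CLOEXEC,
                            .resolve = RESOLVE_BENEATH };
    int fd = (int)syscall(SYS_openat2, dirfd, path, &how, sizeof how);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

/* 0 if the running kernel (or sandbox) answers openat2 with ENOSYS. */
static int openat2_supported(void)
{
    return open_beneath(AT_FDCWD, ".") != ENOSYS;
}

/* Constructed fixture: <tmp>/sub/ok.txt and a symlink <tmp>/escape -> "/".
 * Returns a dirfd for <tmp>, the root that untrusted paths are confined to. */
static int make_fixture(void)
{
    char root[] = "/tmp/beneath-XXXXXX";
    if (!mkdtemp(root)) return -1;
    int dirfd = open(root, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0) return -1;
    mkdirat(dirfd, "sub", 0700);
    close(openat(dirfd, "sub/ok.txt", O_WRONLY | O_CREAT, 0600));
    symlinkat("/", dirfd, "escape");
    return dirfd;
}
```

An EAGAIN from this call means the kernel detected a rename during the scoped walk and refused rather than escaping; the caller retries the openat2() call instead of falling back to unscoped resolution.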