Re: [RFC] Null Namespaces

Next message: Michael Roth: "Re: [PATCH v2 2/6] KVM: selftests: Add a test to verify SEV {en,de}crypt debug ioctls"
Previous message: Barry Song: "Re: [PATCH v5 2/4] mm/zsmalloc: drop pool-&gt;lock from zs_free on 64-bit systems"
In reply to: John Ericson: "Re: [RFC] Null Namespaces"
Next in thread: H. Peter Anvin: "Re: [RFC] Null Namespaces"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Al Viro

Date: Wed Jun 24 2026 - 19:12:32 EST

On Wed, Jun 24, 2026 at 06:51:47PM -0400, John Ericson wrote:

> #### Null mount namespace
>
> - requires:
>
> - null root file system: absolute paths don't work.
>
> - null current working directory: relative paths with traditional,
> non-`*at` system calls (and `*at` ones using `AT_FDCWD`) don't work.
>
> - All operations relating to the "ambient" mount tree don't work.
>
> - `*at` operations with a file descriptor do work.

Huh? The last bit looks contradicts the previous one - if you have
an opened directory in a mount from some namespace, those `*at` operations
with that descriptor *will* be seeing the mount tree of that namespace,
whatever the hell is "ambient" supposed to mean. Either that, or you
will be exposing whatever's overmounted in that mount, which is a huge
can of worms.