Re: [RFC] Null Namespaces

Next message: Randy Dunlap: "[PATCH] Docs: SMP: add an SMP docbook chapter"
Previous message: Bradley Morgan: "Re: Fixed tag magic: was: Re: [PATCH v2 1/4] sys_info: add helper for callers that handle all_bt"
In reply to: Al Viro: "Re: [RFC] Null Namespaces"
Next in thread: John Ericson: "Re: [RFC] Null Namespaces"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: H. Peter Anvin

Date: Thu Jun 25 2026 - 17:02:22 EST

On 2026-06-24 16:12, Al Viro wrote:
> On Wed, Jun 24, 2026 at 06:51:47PM -0400, John Ericson wrote:
>
>> #### Null mount namespace
>>
>> - requires:
>>
>> - null root file system: absolute paths don't work.
>>
>> - null current working directory: relative paths with traditional,
>> non-`*at` system calls (and `*at` ones using `AT_FDCWD`) don't work.
>>
>> - All operations relating to the "ambient" mount tree don't work.
>>
>> - `*at` operations with a file descriptor do work.
>
> Huh? The last bit looks contradicts the previous one - if you have
> an opened directory in a mount from some namespace, those `*at` operations
> with that descriptor *will* be seeing the mount tree of that namespace,
> whatever the hell is "ambient" supposed to mean. Either that, or you
> will be exposing whatever's overmounted in that mount, which is a huge
> can of worms.

It seems to me that this is really no different *in practice* to having an
empty mount namespace, no? You might still be able to stat("/") and get a
d--------- result, but how does that actually affect anything?

The big thing with a lot of this is that introducing a null case can really
complicate things all over the place, and since this is very likely to be only
a niche use case, it kind of screams to me like it has the potential to become
an attack surface like any other rarely used code in the kernel...

-hpa