[Devel] [PATCH vz9 0/6] proc: restrict overmounting of ephemeral entities
Vasileios Almpanis
vasileios.almpanis at virtuozzo.com
Thu Jan 8 12:17:13 MSK 2026
mount08 test of ltp's latest stable expects that we cannot mount
in /proc/<pid>/fd/<nr>. The commits responsible are present in vz10
but missing from vz9, meaning that we could leak mounts for long-running
processes. This in turn means that it's possible to make a task leak
mounts without its knowledge if the attacker just keeps overmounting
things under /proc/<pid>/fd/<nr>.
Similar things can be said about entries under fdinfo/ and map_files/, so
those are restricted as well.
Christian Brauner (6):
proc: proc_readfd() -> proc_fd_iterate()
proc: proc_readfdinfo() -> proc_fdinfo_iterate()
proc: add proc_splice_unmountable()
proc: block mounting on top of /proc/<pid>/map_files/*
proc: block mounting on top of /proc/<pid>/fd/*
proc: block mounting on top of /proc/<pid>/fdinfo/*
fs/proc/base.c | 4 ++--
fs/proc/fd.c | 16 ++++++++--------
fs/proc/internal.h | 13 +++++++++++++
3 files changed, 23 insertions(+), 10 deletions(-)
--
2.43.0
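For anyone who wants to confirm the property this series restores on a running kernel, the following userspace check is an added example, not part of the patch series or of LTP: it tries once, inside a private mount namespace so nothing outlives the process, to place a bind mount of a scratch file directly on one of its own /proc/self/fd/<nr> entries, and reports whether the kernel refused. It assumes (the cover letter does not say this) that the overmount has to go through move_mount(2) without MOVE_MOUNT_T_SYMLINKS, since a plain mount(2) follows the fd magic link and never touches the proc entry itself; the syscall numbers and flag values are the Linux uapi ones (new mount API, Linux 5.2 or later), and the scratch path, function and enum names are this example's own. Without CAP_SYS_ADMIN it reports "cannot test" rather than guessing.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/syscall.h>
#include <unistd.h>

/* uapi values from <linux/mount.h>, repeated here so the file also builds
 * against older glibc headers that do not expose the new mount API. */
#ifndef OPEN_TREE_CLONE
#define OPEN_TREE_CLONE 1
#endif
#ifndef OPEN_TREE_CLOEXEC
#define OPEN_TREE_CLOEXEC O_CLOEXEC
#endif
#ifndef MOVE_MOUNT_F_EMPTY_PATH
#define MOVE_MOUNT_F_EMPTY_PATH 0x4
#endif

enum fd_overmount_result {
    FD_OVERMOUNT_BLOCKED = 0,    /* kernel refused: the restriction is in place */
    FD_OVERMOUNT_ALLOWED = 1,    /* mount landed on the fd entry: mounts can leak */
    FD_OVERMOUNT_UNTESTABLE = 2  /* no CAP_SYS_ADMIN, no new mount API, setup error */
};

/* Turn the move_mount(2) outcome into a verdict. A kernel with this series
 * marks the fd dentry unmountable and move_mount fails (ENOENT is what the
 * "can't mount" check yields); privilege or missing-syscall errors say
 * something about the test environment, not about the kernel. */
static int classify_move_mount(int rc, int err)
{
    if (rc == 0)
        return FD_OVERMOUNT_ALLOWED;
    if (err == EPERM || err == EACCES || err == ENOSYS)
        return FD_OVERMOUNT_UNTESTABLE;
    return FD_OVERMOUNT_BLOCKED;
}

static const char *result_name(int r)
{
    switch (r) {
    case FD_OVERMOUNT_BLOCKED: return "blocked";
    case FD_OVERMOUNT_ALLOWED: return "allowed (mounts can leak)";
    default:                   return "cannot test";
    }
}

/* One attempt to cover /proc/self/fd/<nr> with a bind mount of a scratch
 * file (hypothetical path /tmp/fd-overmount-XXXXXX). */
static int check_proc_fd_overmount(void)
{
#if !defined(SYS_open_tree) || !defined(SYS_move_mount)
    return FD_OVERMOUNT_UNTESTABLE;
#else
    char scratch[] = "/tmp/fd-overmount-XXXXXX";
    char mountpoint[64];
    int scratch_fd, target_fd, tree_fd, rc, err;
    int result = FD_OVERMOUNT_UNTESTABLE;

    /* Private mount namespace (needs CAP_SYS_ADMIN) so the attempt can never
     * leave a mount behind in the real tree. */
    if (unshare(CLONE_NEWNS) != 0 ||
        mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0)
        return FD_OVERMOUNT_UNTESTABLE;

    /* The fd entry is a non-directory, so the mount root must be one too:
     * use a regular file as the bind source. */
    scratch_fd = mkstemp(scratch);
    if (scratch_fd < 0)
        return FD_OVERMOUNT_UNTESTABLE;
    close(scratch_fd);

    /* The descriptor whose /proc entry the attempt targets. */
    target_fd = open("/dev/null", O_RDONLY | O_CLOEXEC);
    if (target_fd < 0) {
        unlink(scratch);
        return FD_OVERMOUNT_UNTESTABLE;
    }
    snprintf(mountpoint, sizeof mountpoint, "/proc/self/fd/%d", target_fd);

    /* Detached bind mount of the scratch file, then attach it. Without
     * MOVE_MOUNT_T_SYMLINKS the destination's final symlink is not
     * followed, so the target is the fd entry itself. */
    tree_fd = syscall(SYS_open_tree, AT_FDCWD, scratch,
                      OPEN_TREE_CLONE | OPEN_TREE_CLOEXEC);
    if (tree_fd >= 0) {
        rc = syscall(SYS_move_mount, tree_fd, "", AT_FDCWD, mountpoint,
                     MOVE_MOUNT_F_EMPTY_PATH);
        err = errno;
        result = classify_move_mount(rc, err);
        if (result == FD_OVERMOUNT_ALLOWED)
            umount2(mountpoint, MNT_DETACH | UMOUNT_NOFOLLOW);
        close(tree_fd);
    }
    close(target_fd);
    unlink(scratch);
    return result;
#endif
}

int main(void)
{
    int r = check_proc_fd_overmount();
    printf("mount on /proc/<pid>/fd/<nr>: %s\n", result_name(r));
    return r == FD_OVERMOUNT_ALLOWED ? 1 : 0;
}
```

Run it as root on the kernel under test; a vz9 kernel without this series prints "allowed", one with it prints "blocked". The same approach covers fdinfo/ and map_files/ by changing the mountpoint path, since the series applies the same restriction to those entries.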