[Devel] [PATCH vz9 0/6] proc: restrict overmounting of ephemeral entities
Konstantin Khorenko
khorenko at virtuozzo.com
Fri Jan 9 20:49:19 MSK 2026
Let's run new LTP on vz10 kernel only => no need to fix vz9 kernel.
--
Best regards,
Konstantin Khorenko,
Virtuozzo Linux Kernel Team
On 1/8/26 10:17, Vasileios Almpanis wrote:
> mount08 test of ltp's latest stable expects that we cannot mount
> in /proc/<pid>/fd/<nr>. The commits responsible are present in vz10
> but missing from vz9, meaning that we could leak mounts for long-running
> processes. This in turn means that it's possible to make a task leak
> mounts without its knowledge if the attacker just keeps overmounting
> things under /proc/<pid>/fd/<nr>.
>
> Similar things can be said about entries under fdinfo/ and map_files/ so
> those are restricted as well.
>
> Christian Brauner (6):
> proc: proc_readfd() -> proc_fd_iterate()
> proc: proc_readfdinfo() -> proc_fdinfo_iterate()
> proc: add proc_splice_unmountable()
> proc: block mounting on top of /proc/<pid>/map_files/*
> proc: block mounting on top of /proc/<pid>/fd/*
> proc: block mounting on top of /proc/<pid>/fdinfo/*
>
> fs/proc/base.c | 4 ++--
> fs/proc/fd.c | 16 ++++++++--------
> fs/proc/internal.h | 13 +++++++++++++
> 3 files changed, 23 insertions(+), 10 deletions(-)
>