I'm speaking about fundamental properties of the current versions of union fs. I'm using aufs. But I checked unionfs too. The behavior is the same. Did you try to understand the last exploit for docker about the ability to read any file of the host file system by a program running inside a container, and why it is possible? In short, this was possible because some branches of the container fs were bind mounted. The exploit opens any file from this branch and, using this fd, can open any file of the host file system. "mount -o bind" behaves like a kernel symlink because the kernel fd struct refers to the original dnode. Currently any union fs (unionfs and aufs) behaves like a multibind mount. I don't know if it is possible to write a kernel mode union fs where an opened fd does not point to the original dnode.
Bye.

2014-07-18 9:23 GMT+04:00, sf...@users.sourceforge.net <sf...@users.sourceforge.net>:
>
> Sergey Korshunoff:
>> This is the kernel part of the checkpoint/restore which saves/restores
>> an application's open descriptors. I just checked an openvz 2.6.18 with
>> unionfs v1.4. The same problem, while the message is different:
>
> I am totally confused.
> Are you talking about unionfs? If so, you got the perfectly wrong ML.
> Still I don't understand what you want to say/ask and what the
> problem is.
> One thing I am sure of is that aufs opens a file on a branch fs but there
> is no such file descriptor referring to it. Aufs provides a file descriptor
> corresponding to a file on aufs only. If you see different behaviour on
> your system, I'd suggest you check how you built the aufs module,
> particularly aufs3-mmap.patch.
> Anyway we have agreed that I can ignore you. Good and bye.
>
>
> J. R. Okajima
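The bind-mount exposure discussed in this thread can be checked from inside a mount namespace by reading /proc/self/mountinfo: a bind of a host subdirectory (or single file) appears as an entry whose root field is something other than "/", on the same major:minor device as the host filesystem it came from. The Python below is an added example for this thread, not code from the list, from aufs or from Docker. It assumes the mountinfo line format documented in proc(5); the sample lines, paths, device numbers and the si= value are constructed, not captured from a real system.

```python
"""Audit /proc/self/mountinfo for host subtrees bind-mounted into a namespace.

Added example for this thread, not code from the list or from aufs/Docker.
Assumption: the mountinfo format is the one documented in proc(5); the
sample lines below are constructed, not captured from a real system.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a container whose root is an aufs mount, with three
# host subtrees (all on device 8:1) bind-mounted in. Real values differ.
SAMPLE_MOUNTINFO = """\
92 91 0:32 / / rw,relatime - aufs none rw,si=3f2a1d9e
93 92 0:19 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
94 92 8:1 /var/lib/docker/volumes/v1/_data /data rw,relatime - ext4 /dev/sda1 rw,data=ordered
95 92 8:1 /etc/resolv.conf /etc/resolv.conf rw,relatime - ext4 /dev/sda1 rw,data=ordered
96 92 8:1 /srv/with\\040space /mnt/ws rw,relatime - ext4 /dev/sda1 rw
"""

# mountinfo escapes space, tab, newline and backslash in paths as \ooo octal.
_OCTAL = re.compile(r"\\([0-7]{3})")


def unescape(path: str) -> str:
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), path)


@dataclass
class MountEntry:
    mount_id: int
    parent_id: int
    dev: str             # major:minor of the filesystem's device
    root: str            # path within that filesystem that is mounted here
    mount_point: str     # where it appears in this mount namespace
    options: str         # per-mount options (rw, nosuid, ...)
    optional: List[str]  # shared:N, master:N, ... (may be empty)
    fstype: str
    source: str
    super_options: str


def parse_mountinfo(text: str) -> List[MountEntry]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # The variable-length optional-fields list ends at a lone "-".
        left, sep, right = line.partition(" - ")
        lf = left.split()
        rf = right.split(None, 2)
        if not sep or len(lf) < 6 or len(rf) < 2:
            raise ValueError(f"malformed mountinfo line: {line!r}")
        entries.append(MountEntry(
            mount_id=int(lf[0]), parent_id=int(lf[1]), dev=lf[2],
            root=unescape(lf[3]), mount_point=unescape(lf[4]),
            options=lf[5], optional=lf[6:],
            fstype=rf[0], source=unescape(rf[1]),
            super_options=rf[2] if len(rf) > 2 else "",
        ))
    return entries


def subtree_binds(entries: List[MountEntry]) -> List[MountEntry]:
    """Mounts whose root is not '/': a subdirectory or file of some other
    filesystem bind-mounted here. That is what `mount -o bind` of a host path
    produces, and descriptors opened through it refer to that filesystem's
    own inodes, not to anything container-specific."""
    return [e for e in entries if e.root != "/"]


def binds_by_device(entries: List[MountEntry]) -> Dict[str, List[str]]:
    """Group subtree binds by device, showing how many windows into the same
    host filesystem this namespace has."""
    out: Dict[str, List[str]] = {}
    for e in subtree_binds(entries):
        out.setdefault(e.dev, []).append(e.mount_point)
    return out


def audit(text: str) -> List[str]:
    """One human-readable finding per host subtree bind."""
    return [
        f"{e.mount_point}: bind of {e.root} from {e.fstype} {e.source} "
        f"(device {e.dev}, {e.options})"
        for e in subtree_binds(parse_mountinfo(text))
    ]


if __name__ == "__main__":
    for finding in audit(SAMPLE_MOUNTINFO):
        print(finding)
```

Run against the real file (`audit(open("/proc/self/mountinfo").read())`) it lists every host subtree the namespace reaches directly. Note that a union's own branches are not separate mountinfo entries (only the aufs mount itself is), so this catches the bind-mounted parts the post refers to, not the branch list of the union.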