The following lxc commit introduced safe_mount(), which passes fds as arguments to mount():

CVE-2015-1335: Protect container mounts against symlinks
https://github.com/lxc/lxc/commit/6de26af93d3dd87c8b21a42fdf20f30fa1c1948d

Here is the relevant part of the commit, which creates a file descriptor and passes it to mount().

+ destfd = open_without_symlink(dest, rootfs);
+ if (destfd < 0) {
+ if (srcfd != -1)
+ close(srcfd);
+ return destfd;
+ }
+
+ ret = snprintf(destbuf, 50, "/proc/self/fd/%d", destfd);
+ if (ret < 0 || ret > 50) {
+ if (srcfd != -1)
+ close(srcfd);
+ close(destfd);
+ ERROR("Out of memory");
+ return -EINVAL;
+ }
+
+ ret = mount(mntsrc, destbuf, fstype, flags, data);

The strace of mount() shows:

strace: mount("/home/ubuntu/test.txt", "/proc/self/fd/16", 0x7ffd4c3f7fdb, MS_BIND, NULL) = -1 EACCES (Permission denied)

The mount fails because /proc/self/fd/16, which should point to a file in overlayfs, has an invalid value.

https://bugs.launchpad.net/bugs/1507463
Title: OverlayFS: Wrong mnt_id and path reported in /proc in linux-3.13
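Review bot: the truncation check `if (ret < 0 || ret > 50)` after the snprintf is off by one: snprintf returns the length it would have written, so `ret == 50` already means the terminating NUL did not fit in the 50-byte destbuf, and the condition should be `ret >= sizeof(destbuf)` (with `sizeof(destbuf)` rather than the literal 50 in the snprintf call as well). The `ERROR("Out of memory")` message also misdescribes that failure, which is a formatting/truncation error, not an allocation failure.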
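As an added example, not code from the lxc commit or from the bug report, the following C program shows the two halves of the safe_mount() approach discussed above: walking the destination path one component at a time with O_NOFOLLOW so that a symlink cannot redirect the mount target, and building the /proc/self/fd/N magic link for the resulting descriptor with a correct snprintf truncation check. It also adds the check a practitioner would want on a kernel affected by this bug: reading the magic link back and comparing it with the expected path before trusting it. The function name open_without_symlink comes from the commit; proc_fd_path and proc_fd_resolves_to are names chosen here, and the temporary directory layout used to exercise it is constructed for the example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Build the "/proc/self/fd/N" magic link for an open descriptor.
 * Returns 0 on success and -1 if the buffer is too small. snprintf
 * reports the length it *wanted* to write, so a result >= bufsz means
 * the string (including its NUL terminator) was truncated. */
int proc_fd_path(int fd, char *buf, size_t bufsz)
{
    int n = snprintf(buf, bufsz, "/proc/self/fd/%d", fd);
    if (n < 0 || (size_t)n >= bufsz)
        return -1;
    return 0;
}

/* Open `path`, interpreted relative to the directory `rootfd`, one
 * component at a time with O_NOFOLLOW. A symlink anywhere in the path
 * makes openat() fail with ELOOP, and ".." is refused so the walk can
 * never leave the root. Returns the final descriptor, or -1 on error. */
int open_without_symlink(int rootfd, const char *path)
{
    char work[PATH_MAX];
    char *save = NULL;
    int cur;

    if (strlen(path) >= sizeof(work))
        return -1;
    strcpy(work, path);

    cur = dup(rootfd);          /* the caller keeps ownership of rootfd */
    if (cur < 0)
        return -1;

    for (char *comp = strtok_r(work, "/", &save); comp != NULL;
         comp = strtok_r(NULL, "/", &save)) {
        int next;

        if (strcmp(comp, ".") == 0)
            continue;
        if (strcmp(comp, "..") == 0) {   /* refuse path escapes outright */
            close(cur);
            return -1;
        }
        next = openat(cur, comp, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
        close(cur);
        if (next < 0)                    /* ELOOP here means a symlink was hit */
            return -1;
        cur = next;
    }
    return cur;
}

/* Read the magic link back and compare it with the path we expect.
 * On the overlayfs kernels described in the bug this is where the
 * mismatch would show up. Returns 1 on a match, 0 otherwise. */
int proc_fd_resolves_to(int fd, const char *expected)
{
    char link[64];
    char target[PATH_MAX];
    ssize_t n;

    if (proc_fd_path(fd, link, sizeof(link)) < 0)
        return 0;
    n = readlink(link, target, sizeof(target) - 1);
    if (n < 0)
        return 0;
    target[n] = '\0';
    return strcmp(target, expected) == 0;
}

int main(int argc, char **argv)
{
    /* Usage: ./a.out <rootdir> <relative-path> */
    if (argc != 3)
        return 2;
    int rootfd = open(argv[1], O_RDONLY | O_DIRECTORY);
    if (rootfd < 0)
        return 1;
    int fd = open_without_symlink(rootfd, argv[2]);
    if (fd < 0) {
        fprintf(stderr, "refused: symlink or escape in %s\n", argv[2]);
        return 1;
    }
    char link[64];
    if (proc_fd_path(fd, link, sizeof(link)) == 0)
        printf("mount target would be %s\n", link);
    close(fd);
    close(rootfd);
    return 0;
}
```

The walk deliberately uses openat() on each component rather than a single open() with O_NOFOLLOW, because O_NOFOLLOW only applies to the last component; the readback through readlink() is the cheap sanity check that the magic link the kernel hands out actually names the file that was opened.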
