From f99c68f1535dea4f1d926d5a91b1b772557743de Mon Sep 17 00:00:00 2001 From: Craig Ringer Date: Mon, 14 Mar 2022 13:35:38 +0800 Subject: [PATCH v1 1/4] Elaborate on /proc/[pid]/root and x-ref it Mention /proc/[pid]/{root,cwd,exe,fds} in mount_namespaces (7) to help users understand how to access the file system tree of a process in different mount namespace and possibly-disjoint chroot. In proc (5) provide a little more detail on how links like /proc/[pid]/root behave when read with readlink (2) vs when resolved via kernel vfs layer path lookup. It can be quite confusing that "readlink /proc/$pid/root" prints "/" so "ls $(readlink /proc/$pid/root)" has the same result as "ls /" but "ls /proc/$pid/root/" actually lists the target pid's root. Signed-off-by: Craig Ringer --- man5/proc.5 | 29 ++++++++++++++++++++++++++++- man7/mount_namespaces.7 | 14 ++++++++++++++ 2 files changed, 42 insertions(+), 1 deletion(-) diff --git a/man5/proc.5 b/man5/proc.5 index c6684620e..2eed160e2 100644 --- a/man5/proc.5 +++ b/man5/proc.5 @@ -658,6 +658,12 @@ are not available if the main thread has already terminated (typically by calling .BR pthread_exit (3)). .IP +If the process is in a chroot and/or a different mount namespace, reading the +symlink path will return the executable path relative to the process's root. +Opening the path within the kernel vfs layer will yield the actual executable +contents even if the path does may not exist within the currently active mount +namespace. +.IP Permission to dereference or read .RB ( readlink (2)) this symbolic link is governed by a ptrace access mode 
@@ -1830,7 +1836,8 @@ and .IP Note however that this file is not merely a symbolic link. It provides the same view of the filesystem (including namespaces and the -set of per-process mounts) as the process itself. +set of per-process mounts) as the process itself +if dereferenced via the kernel vfs layer. An example illustrates this point. In one terminal, we start a shell in new user and mount namespaces, and in that shell we create some new mounts: @@ -1866,6 +1873,26 @@ sh2# \fBls /usr | wc \-l\fP # /usr in initial NS .EE .in .IP +If the target process is in a different mount namespace +and has a different root, following the +.B /proc/[pid]/root +link directly will resolve paths relative to the target +process's root. But +.BR readlink (2) +will return the root path as seen from within the target process's mount +namespace. Tools that canonicalize paths or resolve symbolic links in +user-space will not be able to see the target process's root. So +.B ls $(realpath /proc/[pid]/root) +will expand to +.B ls / +and print the root of the invoking shell, but +.B ls /proc/[pid]/root/ +will list the contents of +.B / +as seen by [pid]. See +.BR mount_namespaces (7) +for details. +.IP .\" The following was still true as at kernel 2.6.13 In a multithreaded process, the contents of the .I /proc/[pid]/root diff --git a/man7/mount_namespaces.7 b/man7/mount_namespaces.7 index 7725b341f..98bfd864c 100644 --- a/man7/mount_namespaces.7 +++ b/man7/mount_namespaces.7 
@@ -75,6 +75,20 @@ and in either mount namespace will not (by default) affect the mount list seen in the other namespace (but see the following discussion of shared subtrees). +.PP +The pseudo-symlinks +.IR /proc/[pid]/exe , +.IR /proc/[pid]/root , +.IR /proc/[pid]/fds , +and +.IR /proc/[pid]/cwd +provide views into the mount namespace of +.IR [pid] +from outside that namespace. +These links provide a way to access the mount namespace seen by another process +- even if its root is disjoint from the current process's root. See +.BR proc (5) +for details and caveats. .\" .SH SHARED SUBTREES After the implementation of mount namespaces was completed, -- 2.34.1
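Review bot: In the proc.5 hunk at @@ -658 (the /proc/[pid]/exe text), "even if the path does may not exist" is a typo; drop one verb ("even if the path does not exist"). The same paragraph also leaves ambiguous whose root is meant in "the executable path relative to the process's root" (the target's root or the reader's), and since the whole point of the addition is that reading the link with readlink(2) and following it give different answers, say explicitly which process the returned path is relative to. Minor: the page's usual spelling is "VFS", not "vfs", and "a chroot" would read better as "a chroot(2) jail" or "has a different root directory".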
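Review bot: In the proc.5 hunk at @@ -1830, "if dereferenced via the kernel vfs layer" does not quite name the distinction, because readlink(2) is also served by the VFS; what differs is whether the link is followed as part of pathname resolution or merely read. Suggest "if the link is followed during pathname resolution (see path_resolution(7)) rather than read with readlink(2)", which also ties the sentence to the example that follows it.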
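Review bot: In the proc.5 hunk at @@ -1866, "Tools that canonicalize paths or resolve symbolic links in user-space will not be able to see the target process's root" overstates it: such tools can open files under /proc/[pid]/root/ just fine, they simply resolve the link text to the wrong place. Reword to "will not resolve the link to the target process's root", and spell out the practical caveat the example illustrates: code that canonicalizes a /proc/[pid]/root/... path with realpath(3) and then checks or opens the result operates on the caller's tree, not on what open(2) of the original path would have returned. Consistency nit: the commit message describes the pitfall with readlink but the example uses realpath; pick one, or mention both. Style nit: man-pages typesets [pid] in italics, so the ".B ls /proc/[pid]/root/" lines would normally be ".BI ls\ /proc/ [pid] /root/" or similar.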
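Review bot: In the mount_namespaces.7 hunk at @@ -75, "/proc/[pid]/fds" is wrong; the directory is /proc/[pid]/fd (the commit message repeats the same mistake). Also, "provide a way to access the mount namespace seen by another process" is imprecise: the links give access to the filesystem tree as that process sees it, not to the namespace object itself (that is /proc/[pid]/ns/mnt), so suggest "provide a way to access the filesystem tree as seen by another process". Roff nits: ".IR [pid]" with a single argument should be ".I [pid]", and the bare hyphen in "- even if its root is disjoint" should be "\(em" or the sentence restructured, since man-pages does not use a hyphen as a dash.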