On 2019-03-09, Linus Torvalds wrote: > On Sat, Mar 9, 2019 at 9:26 AM Christian Brauner wrote: > > Aside from that I want to point out that it is non-trivial to do this in > > user space. > > Oh, absolutely agreed. It's easy to do it in the kernel, and doing it > anywhere else ends up having horrible races that the kernel has to > deal with and has long solved anyway. We've seen in the past few years, there are also plenty of CVEs from the container runtime side of things which show that some of these races are also exploitable. Even with some of the most convoluted O_PATH "fd re-opening" trickery, it's incredibly difficult to both scope symlinks inside a container and safely detect cases where you've been tricked by a malicious actor. > I've only seen this (2/5) patch, so I won't comment on the other ones, > but this still makes sense to me. I'll make sure to add you to the series Cc if/when there's a v6. -- Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH