openSUSE / libpathrs

C-friendly API to make path resolution safer on Linux.
GNU Lesser General Public License v3.0

safe procfs API #15

Open cyphar opened 4 years ago

cyphar commented 4 years ago

This is something we really need to provide to avoid the attacks we are defending against in #7.

cyphar commented 1 week ago

With the new mount API, a privileged user can create a private handle with fsopen or open_tree. Since Linux 5.12 (torvalds/linux@ee2e3f50629f), open_tree-based anonymous mounts are completely race-free to use, though they were race-free in principle since their inception. This lets us check for overmounts on symlinks with statx (this requires Linux 5.8).

We still can't be sure of the safety for other cases, but this lets us protect against the highest-risk case (a privileged process trying to operate on /proc). We could in principle create a new userns to gain the necessary privileges, but this is not guaranteed to always work, and forking in a multi-threaded process is quite dodgy.

https://github.com/cyphar/filepath-securejoin/pull/13 has an implementation of this, though we would need to expand the features a bit to include re-opening and handling of the other magic-links like /proc/self/exe.
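The open_tree plus statx approach from the comment above, as an added example that is not libpathrs or filepath-securejoin code: clone /proc into a detached private mount and compare statx mount IDs to detect anything mounted over an entry such as self/exe. It assumes Linux 5.12+ with matching UAPI headers and CAP_SYS_ADMIN for the clone; without privilege it falls back to the shared /proc, where the check still runs but the race described above remains.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/mount.h>
#include <linux/stat.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Detached, private clone of /proc (needs CAP_SYS_ADMIN; fails with EPERM
 * otherwise). Nothing else can mount over paths looked up through this fd. */
static int open_private_proc(void)
{
    return (int)syscall(__NR_open_tree, AT_FDCWD, "/proc", OPEN_TREE_CLONE | OPEN_TREE_CLOEXEC);
}

/* Mount ID of `path` relative to `dirfd` via statx(2); -1 with errno set on failure. */
static int get_mnt_id(int dirfd, const char *path, int flags, uint64_t *mnt_id)
{
    struct statx stx;
    if (syscall(__NR_statx, dirfd, path, flags, STATX_MNT_ID, &stx) < 0)
        return -1;
    if (!(stx.stx_mask & STATX_MNT_ID)) { errno = EOPNOTSUPP; return -1; } /* kernel < 5.8 */
    *mnt_id = stx.stx_mnt_id;
    return 0;
}

/* 1 if `path` (final symlink not followed) sits on the procfs mount itself,
 * 0 if some other mount is stacked over it, -1 on error. */
static int proc_path_is_clean(int procfd, const char *path)
{
    uint64_t root_id, path_id;
    if (get_mnt_id(procfd, ".", 0, &root_id) < 0 ||
        get_mnt_id(procfd, path, AT_SYMLINK_NOFOLLOW, &path_id) < 0)
        return -1;
    return root_id == path_id;
}

int main(void)
{
    int procfd = open_private_proc();
    if (procfd < 0) { /* unprivileged: fall back to the shared, overmountable /proc */
        perror("open_tree");
        procfd = open("/proc", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    }
    int rc = proc_path_is_clean(procfd, "self/exe");
    printf("self/exe: %s\n", rc == 1 ? "clean" : rc == 0 ? "OVERMOUNTED" : "check failed");
    return rc != 1;
}
```

A differing mount ID is the signal that something was mounted over the entry; with the private clone that can no longer change between the check and the subsequent open.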