From: Al Viro <viro@zeniv.linux.org.uk>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Christian Brauner <brauner@kernel.org>,
Askar Safin <safinaskar@gmail.com>,
christian@brauner.io, cyphar@cyphar.com, hpa@zytor.com,
jack@suse.cz, linux-fsdevel@vger.kernel.org,
werner@almesberger.net
Subject: Re: [RFC] pivot_root(2) races
Date: Sat, 14 Feb 2026 17:40:30 +0000 [thread overview]
Message-ID: <20260214174030.GT3183987@ZenIV> (raw)
In-Reply-To: <CAHk-=wiG5uhN1F7fxyEiEQdMtK_j8TCd7FoStbCFpNbn8qx7iQ@mail.gmail.com>
On Sat, Feb 14, 2026 at 08:18:55AM -0800, Linus Torvalds wrote:
> On Sat, 14 Feb 2026 at 04:15, Christian Brauner <brauner@kernel.org> wrote:
> >
> > But my point has been: we don't need it anymore.
>
> I don't think that makes much of a difference. We'd still need to have
> pivot_root() around for the legacy case, and I do think we want to
> make sure it can't be used as an attack vector (perhaps not directly,
> but by possibly confusing other people).
>
> Not that you should use containers as security boundaries anyway, but
> I do think the current behavior needs to be limited. Because it's
> dangerous.
>
> Maybe just limiting it by namespace is ok.
>
> Because even if the "white hat" users stop using pivot_root, we'd keep
> it around for legacy - and we want to limit the damage.
Indeed. Let's backtrack a bit:
1) pivot_root() screwing around with root/pwd is unfortunate, but it's not
going away and neither is pivot_root() itself - not for several years,
at the very least.
2) having the set of affected threads limited shouldn't be a problem, as
long as we don't get too enthisiastic about that (relying upon the
assumptions about kernel threads getting picked along with init is
a bad idea, IMO).
3) walking into a container and expecting that mount tree won't get fucked
under you is a Bloody Bad Idea(tm) even without pivot_root() in the mix.
Sure, having pwd changed under you is still nice to avoid, but that's far
from the only thing to be cautious about. That doesn't affect the
desirability of (2).
4) as long as we change pwd and root of _any_ threads that are not aware of
pivot_root() being done, we ought to have that change atomic wrt fork();
if child gets spawned by any such thread, the resulting state should not
depend upon the timinig of fork() vs. pivot_root(). The same goes for
unshare(2) (and while we are at it, in absense of pivot_root(2) and other
mount-related activity a caller of unshare(2) that gets ENOMEM can reasonably
expect their mount tree to remain unchanged).
Does anybody have objections to the above?
next prev parent reply other threads:[~2026-02-14 17:38 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-09 0:34 [RFC] pivot_root(2) races Al Viro
2026-02-09 5:49 ` Linus Torvalds
2026-02-09 5:53 ` H. Peter Anvin
2026-02-09 6:34 ` Al Viro
2026-02-09 6:44 ` Linus Torvalds
2026-02-09 11:53 ` Christian Brauner
2026-02-12 17:17 ` Askar Safin
2026-02-12 19:11 ` Linus Torvalds
2026-02-12 19:31 ` H. Peter Anvin
2026-02-13 9:51 ` Aleksa Sarai
2026-02-13 17:47 ` Askar Safin
2026-02-13 20:27 ` H. Peter Anvin
2026-02-13 20:35 ` H. Peter Anvin
2026-02-13 22:25 ` Al Viro
2026-02-13 23:00 ` H. Peter Anvin
2026-02-13 23:41 ` Al Viro
2026-02-13 23:40 ` H. Peter Anvin
2026-02-14 12:42 ` Christian Brauner
2026-02-15 0:48 ` H. Peter Anvin
2026-02-17 8:37 ` Christian Brauner
2026-02-14 16:20 ` Askar Safin
2026-02-15 0:49 ` H. Peter Anvin
2026-02-13 13:46 ` Aleksa Sarai
2026-02-13 15:03 ` H. Peter Anvin
2026-02-13 17:47 ` Linus Torvalds
2026-02-13 18:27 ` Askar Safin
2026-02-13 18:39 ` Linus Torvalds
2026-02-13 20:00 ` H. Peter Anvin
2026-02-14 15:31 ` Askar Safin
2026-02-15 0:52 ` H. Peter Anvin
2026-02-14 12:15 ` Christian Brauner
2026-02-14 16:18 ` Linus Torvalds
2026-02-14 17:40 ` Al Viro [this message]
2026-02-17 8:35 ` Christian Brauner
2026-02-13 18:42 ` H. Peter Anvin
2026-02-13 20:08 ` H. Peter Anvin
2026-02-12 19:22 ` Al Viro
2026-02-13 17:34 ` Askar Safin
2026-02-13 22:28 ` Al Viro
2026-02-14 16:16 ` Askar Safin
2026-02-12 13:23 ` Askar Safin
2026-02-12 19:25 ` Al Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260214174030.GT3183987@ZenIV \
--to=viro@zeniv.linux.org.uk \
--cc=brauner@kernel.org \
--cc=christian@brauner.io \
--cc=cyphar@cyphar.com \
--cc=hpa@zytor.com \
--cc=jack@suse.cz \
--cc=linux-fsdevel@vger.kernel.org \
--cc=safinaskar@gmail.com \
--cc=torvalds@linux-foundation.org \
--cc=werner@almesberger.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox