Don't create our own temporary mount point for pivot_root
An attacker could pre-create /tmp/.bubblewrap-$UID and make it a non-directory, non-symlink (in which case mounting our tmpfs would fail, causing denial of service), or make it a symlink under their control (potentially allowing bad things if the protected_symlinks sysctl is not enabled).

Instead, temporarily mount the tmpfs on a directory that we are sure exists and is not attacker-controlled. We already rely on /proc to have those properties, so it seems as good a place as any. This doesn't appear to have any impact on our ability to use /proc as either the source or the destination of a bind-mount.

Fixes: projectatomic#304
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923557
Signed-off-by: Simon McVittie <email@example.com>