@cyphar cyphar commented Nov 8, 2025

In order to maintain compatibility with previous releases of runc (which
permitted dangling symlinks as path components by permitting
non-existent path components to be treated like real directories) we
have to first do SecureJoin to construct a target path that is
compatible with the old behaviour but has all dangling symlinks (or
other invalid paths like ".." components after non-existent directories)
removed.

This is effectively a more generic version of commit 3f92552
("rootfs: re-allow dangling symlinks in mount targets") and will let us
remove the need for open-coding SecureJoin workarounds.

Signed-off-by: Aleksa Sarai [email protected]

@cyphar cyphar force-pushed the hallucinated-paths branch 2 times, most recently from d8bfe59 to ca81dcc Compare November 8, 2025 17:49
@cyphar cyphar added the backport/1.4-todo A PR in main branch which needs to backported to release-1.4 label Nov 9, 2025
@cyphar cyphar force-pushed the hallucinated-paths branch from ca81dcc to e3c7387 Compare November 11, 2025 04:22
kolyshkin

This comment was marked as off-topic.

cyphar and others added 6 commits November 23, 2025 08:36
This probably should've been done as part of commit d40b343
("rootfs: switch to fd-based handling of mountpoint targets") but it
seems I missed them when doing the rest of the conversions.

This also lets us remove utils.WithProcfd entirely, as well as
pathrs.MkdirAllInRoot.

Signed-off-by: Aleksa Sarai <[email protected]>

Now that MkdirAllInRoot has been removed, we can make MkdirAllInRootOpen
less wordy by renaming it to MkdirAllInRoot. This is a non-functional
change.

Signed-off-by: Aleksa Sarai <[email protected]>

In order to maintain compatibility with previous releases of runc (which
permitted dangling symlinks as path components by permitting
non-existent path components to be treated like real directories) we
have to first do SecureJoin to construct a target path that is
compatible with the old behaviour but has all dangling symlinks (or
other invalid paths like ".." components after non-existent directories)
removed.

This is effectively a more generic version of commit 3f92552
("rootfs: re-allow dangling symlinks in mount targets") and will let us
remove the need for open-coding SecureJoin workarounds.

Signed-off-by: Aleksa Sarai <[email protected]>

While CreateInRoot supports hallucinating the target path, we do not use
it directly when constructing device inode targets because we need to
have different handling for mknod and bind-mounts.

The solution is to simply have a more generic MkdirAllParentInRoot
helper that MkdirAll's the parent directory of the target path and then
allows the caller to create the trailing component however they like.
(This can be used by CreateInRoot internally as well!)

Signed-off-by: Aleksa Sarai <[email protected]>

We intentionally broke this in commit d40b343 ("rootfs: switch to
fd-based handling of mountpoint targets") under the assumption that most
users do not need this feature. Sadly it turns out they do, and so
commit 3f92552 ("rootfs: re-allow dangling symlinks in mount
targets") added a hotfix to re-add this functionality.

This patch adds some much-needed tests for this behaviour, since it
seems we are going to need to keep this for compatibility reasons (at
least until runc v2...).

Co-developed-by: lifubang <[email protected]>
Signed-off-by: Aleksa Sarai <[email protected]>
@cyphar cyphar force-pushed the hallucinated-paths branch from b46dbd1 to f99010d Compare November 22, 2025 21:36
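
An added illustration, not code from runc or filepath-securejoin: a simplified model of the SecureJoin-style resolution the commit messages above describe, where symlinks are scoped to the rootfs and non-existent components (including dangling symlink targets) are treated as real directories. The name `resolveInRoot` and the sample paths are hypothetical, and the result is only a computed path, not a race-safe handle.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// resolveInRoot (hypothetical name) models SecureJoin-style resolution:
// symlinks are followed but scoped to root, and components that do not exist
// are treated as real directories. It returns a path relative to root.
func resolveInRoot(root, unsafePath string) (string, error) {
	var cur []string // components resolved so far, below root
	todo := strings.Split(unsafePath, "/")
	for links := 0; len(todo) > 0; {
		part := todo[0]
		todo = todo[1:]
		if part == "" || part == "." || (part == ".." && len(cur) == 0) {
			continue // ".." at the root stays at the root
		}
		if part == ".." { // applied lexically to what has been resolved
			cur = cur[:len(cur)-1]
			continue
		}
		target, err := os.Readlink(filepath.Join(root, filepath.Join(cur...), part))
		if err != nil { // not a symlink, or missing: keep it as a directory name
			cur = append(cur, part)
			continue
		}
		if links++; links > 255 {
			return "", errors.New("too many levels of symbolic links")
		}
		if strings.HasPrefix(target, "/") {
			cur = nil // absolute targets restart at root, not the host "/"
		}
		todo = append(strings.Split(target, "/"), todo...)
	}
	return filepath.Join(cur...), nil
}

func main() {
	root, _ := os.MkdirTemp("", "rootfs") // constructed sample rootfs
	defer os.RemoveAll(root)
	os.Symlink("/run/missing", filepath.Join(root, "dangling"))
	fmt.Println(resolveInRoot(root, "dangling/sock/../mnt"))
}
```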