Conversation

cyphar
Member

@cyphar cyphar commented Jul 20, 2025

This was added in 2ee9cbb ("It's /proc/stat, not /proc/stats") with
no actual justification, and doesn't really make much sense on further
inspection:

  • /proc/net is a symlink to "self/net", which means that /proc/net/dev
    is a per-process file, and so overmounting it would only affect pid1.
    Any other program that cares about /proc/net/dev would see their own
    process's configuration, and unprivileged processes wouldn't be able
    to see /proc/1/... data anyway.

    In addition, the fact that this is a symlink means that runc will
    deny the overmount because /proc/1/net/dev is not in the proc
    overmount allowlist. This means that this has not worked for many
    years, and probably never worked in the first place.

  • /proc/self/net is already namespaced with network namespaces, so the
    primary argument for allowing /proc overmounts (lxcfs-like masking of
    procfs files to emulate namespacing for files that are not properly
    namespaced for containers -- such as /proc/cpuinfo) is moot.

    It goes without saying that lxcfs has never overmounted
    /proc/self/net/... files, so the general "because lxcfs"
    justification doesn't hold water either.

  • The kernel has slowly been moving towards blocking overmounts in
    /proc/self/. Linux 6.12 blocked overmounts for fd, fdinfo, and
    map_files; future Linux versions will probably end up blocking
    everything under /proc/self/.

Fixes #4771
Signed-off-by: Aleksa Sarai [email protected]

This was added in 2ee9cbb ("It's /proc/stat, not /proc/stats") with
no actual justification, and doesn't really make much sense on further
inspection:

 * /proc/net is a symlink to "self/net", which means that /proc/net/dev
   is a per-process file, and so overmounting it would only affect pid1.
   Any other program that cares about /proc/net/dev would see their own
   process's configuration, and unprivileged processes wouldn't be able
   to see /proc/1/... data anyway.

   In addition, the fact that this is a symlink means that runc will
   deny the overmount because /proc/1/net/dev is not in the proc
   overmount allowlist. This means that this has not worked for many
   years, and probably never worked in the first place.

 * /proc/self/net is already namespaced with network namespaces, so the
   primary argument for allowing /proc overmounts (lxcfs-like masking of
   procfs files to emulate namespacing for files that are not properly
   namespaced for containers -- such as /proc/cpuinfo) is moot.

   It goes without saying that lxcfs has never overmounted
   /proc/self/net/... files, so the general "because lxcfs"
   justification doesn't hold water either.

 * The kernel has slowly been moving towards blocking overmounts in
   /proc/self/. Linux 6.12 blocked overmounts for fd, fdinfo, and
   map_files; future Linux versions will probably end up blocking
   everything under /proc/self/.

Fixes: 2ee9cbb ("It's /proc/stat, not /proc/stats")
Signed-off-by: Aleksa Sarai <[email protected]>
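The first point in the description above (a mount destination reached through a procfs symlink resolves to a per-process path under /proc/<pid>/, which is then checked against the runtime's overmount allowlist and rejected) can be walked through with this added Go example. It is not code from runc or from this PR: the symlink table (/proc/net -> self/net, /proc/self -> 1 as seen by the container's init), the allowlist contents and the `checkProcOvermount` function are all constructed for illustration, and the set of directories the kernel refuses to overmount is taken from the third bullet (fd, fdinfo, map_files as of Linux 6.12).

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// Constructed stand-in for the procfs symlinks that matter here, as seen by
// the container's pid 1 (so /proc/self resolves to /proc/1). It is not read
// from a live /proc, so the example runs anywhere.
var procSymlinks = map[string]string{
	"/proc/net":  "self/net",
	"/proc/self": "1",
}

// Illustrative allowlist of procfs files a runtime might let a container
// overmount (the lxcfs-style masked files). Hypothetical, not runc's real list.
var overmountAllowlist = map[string]bool{
	"/proc/cpuinfo": true,
	"/proc/stat":    true,
	"/proc/meminfo": true,
}

// Per-process directories whose overmount Linux 6.12 rejects outright.
var kernelBlocked = map[string]bool{"fd": true, "fdinfo": true, "map_files": true}

// resolveProcPath follows symlinks from the table component by component and
// returns the final, symlink-free path (an offline realpath over the table).
func resolveProcPath(dest string, depth int) (string, error) {
	if depth > 8 {
		return "", errors.New("too many levels of symbolic links")
	}
	comps := strings.Split(strings.Trim(path.Clean(dest), "/"), "/")
	cur := "/"
	for i, comp := range comps {
		cur = path.Join(cur, comp)
		target, ok := procSymlinks[cur]
		if !ok {
			continue
		}
		// Splice the link target in and restart on the rewritten path so that
		// nested links (net -> self/net -> 1/net) are resolved all the way.
		base := target
		if !path.IsAbs(target) {
			base = path.Join(path.Dir(cur), target)
		}
		return resolveProcPath(path.Join(base, path.Join(comps[i+1:]...)), depth+1)
	}
	return cur, nil
}

// Verdict records where a requested destination really lands and whether the
// hypothetical policy would allow overmounting it.
type Verdict struct {
	Requested string
	Resolved  string
	Allowed   bool
	Reason    string
}

func checkProcOvermount(dest string) Verdict {
	v := Verdict{Requested: path.Clean(dest)}
	resolved, err := resolveProcPath(dest, 0)
	if err != nil {
		v.Reason = err.Error()
		return v
	}
	v.Resolved = resolved
	// Anything under /proc/<pid>/ is per-process: overmounting it only changes
	// what that one process sees, and such paths are never in the allowlist.
	parts := strings.SplitN(strings.TrimPrefix(resolved, "/proc/"), "/", 3)
	if len(parts) >= 2 && isNumeric(parts[0]) {
		if kernelBlocked[parts[1]] {
			v.Reason = fmt.Sprintf("%s is under /proc/%s/%s, which the kernel refuses to overmount", resolved, parts[0], parts[1])
			return v
		}
		v.Reason = fmt.Sprintf("%s is a per-process file (pid %s) and not in the allowlist", resolved, parts[0])
		return v
	}
	if overmountAllowlist[resolved] {
		v.Allowed = true
		v.Reason = "in allowlist"
		return v
	}
	v.Reason = resolved + " not in allowlist"
	return v
}

func isNumeric(s string) bool {
	if s == "" {
		return false
	}
	for _, r := range s {
		if r < '0' || r > '9' {
			return false
		}
	}
	return true
}

func main() {
	for _, d := range []string{"/proc/net/dev", "/proc/cpuinfo", "/proc/self/fd", "/proc/1/stat"} {
		v := checkProcOvermount(d)
		fmt.Printf("%-14s -> %-16s allowed=%-5v %s\n", v.Requested, v.Resolved, v.Allowed, v.Reason)
	}
}
```

Running it shows /proc/net/dev landing on /proc/1/net/dev and being refused, while /proc/cpuinfo (a genuinely global file) passes; the resolution step is what makes the difference, which is why an entry for /proc/net/dev in an allowlist keyed on the requested path could never take effect.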
@cyphar
Member Author

cyphar commented Jul 20, 2025

(This was added in #560.)

@cyphar cyphar merged commit 6bae6ca into opencontainers:main Jul 21, 2025
31 checks passed
@cyphar cyphar deleted the proc-net-dev-overmount branch July 21, 2025 13:47
@kolyshkin
Contributor

@cyphar @lifubang do we want to backport this to release-1.3 (and maybe even 1.2)?

@cyphar
Member Author

cyphar commented Jul 25, 2025

@kolyshkin Yeah, probably.

@lifubang lifubang added backport/1.2-done A PR in main branch which has been backported to release-1.2 backport/1.3-done A PR in main branch which has been backported to release-1.3 labels Jul 25, 2025
Successfully merging this pull request may close these issues.

[bug] Can't mount /proc/net/dev