@cyphar (Member) commented Jul 25, 2025

This is a backport of #4817.


This was added in 2ee9cbb ("It's /proc/stat, not /proc/stats") with
no actual justification, and doesn't really make much sense on further
inspection:

  • /proc/net is a symlink to "self/net", which means that /proc/net/dev
    is a per-process file, and so overmounting it would only affect pid1.
    Any other program that cares about /proc/net/dev would see their own
    process's configuration, and unprivileged processes wouldn't be able
    to see /proc/1/... data anyway.

    In addition, the fact that this is a symlink means that runc will
    deny the overmount because /proc/1/net/dev is not in the proc
    overmount allowlist. This means that this has not worked for many
    years, and probably never worked in the first place.

  • /proc/self/net is already namespaced with network namespaces, so the
    primary argument for allowing /proc overmounts (lxcfs-like masking of
    procfs files to emulate namespacing for files that are not properly
    namespaced for containers -- such as /proc/cpuinfo) is moot.

    It goes without saying that lxcfs has never overmounted
    /proc/self/net/... files, so the general "because lxcfs"
    justification doesn't hold water either.

  • The kernel has slowly been moving towards blocking overmounts in
    /proc/self/. Linux 6.12 blocked overmounts for fd, fdinfo, and
    map_files; future Linux versions will probably end up blocking
    everything under /proc/self/.

Fixes #4771
Signed-off-by: Aleksa Sarai [email protected]

This was added in 2ee9cbb ("It's /proc/stat, not /proc/stats") with
no actual justification, and doesn't really make much sense on further
inspection:

 * /proc/net is a symlink to "self/net", which means that /proc/net/dev
   is a per-process file, and so overmounting it would only affect pid1.
   Any other program that cares about /proc/net/dev would see their own
   process's configuration, and unprivileged processes wouldn't be able
   to see /proc/1/... data anyway.

   In addition, the fact that this is a symlink means that runc will
   deny the overmount because /proc/1/net/dev is not in the proc
   overmount allowlist. This means that this has not worked for many
   years, and probably never worked in the first place.

 * /proc/self/net is already namespaced with network namespaces, so the
   primary argument for allowing /proc overmounts (lxcfs-like masking of
   procfs files to emulate namespacing for files that are not properly
   namespaced for containers -- such as /proc/cpuinfo) is moot.

   It goes without saying that lxcfs has never overmounted
   /proc/self/net/... files, so the general "because lxcfs"
   justification doesn't hold water either.

 * The kernel has slowly been moving towards blocking overmounts in
   /proc/self/. Linux 6.12 blocked overmounts for fd, fdinfo, and
   map_files; future Linux versions will probably end up blocking
   everything under /proc/self/.

Fixes: 2ee9cbb ("It's /proc/stat, not /proc/stats")
Signed-off-by: Aleksa Sarai <[email protected]>
(cherry-picked from commit 3620185.)
Signed-off-by: Aleksa Sarai <[email protected]>
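The first bullet of the description rests on how a procfs overmount request is checked: the destination is resolved through procfs symlinks first, and only the resolved path is compared against a fixed allowlist, so a `/proc/net/dev` entry can never match because the request lands on `/proc/<pid>/net/dev`. The Go program below is an added illustration written for this page, not runc's own `checkProcMount`; the allowlist entries other than `/proc/net/dev`, the choice of pid 1 as the resolver's own pid, and the component-by-component resolver are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Illustrative allowlists. oldAllowlist carries the /proc/net/dev entry the
// PR removes; newAllowlist is the same list without it. The other entries
// are assumptions for this example, not copied from the PR.
var (
	oldAllowlist = map[string]bool{
		"/proc/cpuinfo": true,
		"/proc/meminfo": true,
		"/proc/stat":    true,
		"/proc/net/dev": true,
	}
	newAllowlist = map[string]bool{
		"/proc/cpuinfo": true,
		"/proc/meminfo": true,
		"/proc/stat":    true,
	}
)

// procSymlinks models the two procfs symlinks that matter here:
//
//	/proc/net  -> self/net   (relative target, so it lands on /proc/self/net)
//	/proc/self -> <pid of the process doing the lookup>
//
// selfPid is assumed to be 1: the container's init is pid 1 in its own pid
// namespace when the mounts are being set up.
func procSymlinks(selfPid int) map[string]string {
	return map[string]string{
		"/proc/net":  "/proc/self/net",
		"/proc/self": fmt.Sprintf("/proc/%d", selfPid),
	}
}

// resolveProcPath expands the modelled symlinks one path component at a
// time, the way a userspace secure-join style resolver would, and returns
// the final physical path.
func resolveProcPath(p string, selfPid int) string {
	links := procSymlinks(selfPid)
	resolved := "/"
	for _, c := range strings.Split(strings.Trim(path.Clean(p), "/"), "/") {
		next := path.Join(resolved, c)
		if target, ok := links[next]; ok {
			// The link target may itself contain a symlink (/proc/self/net
			// goes through /proc/self), so resolve it recursively.
			next = resolveProcPath(target, selfPid)
		}
		resolved = next
	}
	return resolved
}

// checkProcOvermount returns nil if dest may be mounted over, or an error
// saying why not. Only paths strictly under /proc are subject to the
// allowlist, and the comparison is made against the resolved path.
func checkProcOvermount(dest string, selfPid int, allowlist map[string]bool) error {
	resolved := resolveProcPath(dest, selfPid)
	if !strings.HasPrefix(resolved, "/proc/") {
		return nil // not a procfs overmount, nothing to check here
	}
	if allowlist[resolved] {
		return nil
	}
	return fmt.Errorf("mount over %q denied: resolves to %q, which is not in the procfs overmount allowlist", dest, resolved)
}

func main() {
	for _, dest := range []string{"/proc/net/dev", "/proc/self/net/dev", "/proc/cpuinfo"} {
		fmt.Printf("%-20s -> %s\n", dest, resolveProcPath(dest, 1))
		fmt.Printf("  old allowlist: %v\n", checkProcOvermount(dest, 1, oldAllowlist))
		fmt.Printf("  new allowlist: %v\n", checkProcOvermount(dest, 1, newAllowlist))
	}
}
```

Running it shows the point of the PR: `/proc/net/dev` is denied with the old allowlist and the new one alike, because the entry that was removed never matched the resolved destination, while `/proc/cpuinfo` passes under both. runc's real check additionally anchors the resolution inside the container rootfs and works on the rootfs-relative path, which the example leaves out.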
@lifubang lifubang added the backport/1.3-pr A backport PR to release-1.3 label Jul 25, 2025
@lifubang lifubang added this to the 1.3.1 milestone Jul 25, 2025
@kolyshkin (Contributor) left a comment

LGTM

@kolyshkin kolyshkin merged commit 3e72ae4 into opencontainers:release-1.3 Jul 26, 2025
31 checks passed