Comment 4 for bug 1783591

Christian Brauner (cbrauner) wrote :

I think I have a patch:
1. open() O_PATH fd which won't trigger an actual open()
2. fstatvfs() the O_PATH fd and verify that f_fsid == NSFS_MAGIC
3. build proc path to the O_PATH fd and reopen O_PATH fd with O_RDONLY | O_CLOEXEC
4. perform setns(netns_fd, CLONE_NEWNET) (which will fail on anything other than an actual netns fd)

Doing the O_PATH open and then the /proc reopen trick lets us avoid TOCTOU.
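
The four steps above as a C sketch; this is an added example, not the patch the comment refers to. The function names `open_netns_checked` and `attach_netns` are hypothetical, the filesystem check here is written with `fstatfs()` and `f_type` compared against `NSFS_MAGIC`, and `setns` is invoked through `syscall()`.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE              /* O_PATH */
#endif
#include <fcntl.h>
#include <linux/magic.h>         /* NSFS_MAGIC */
#include <linux/sched.h>         /* CLONE_NEWNET */
#include <stdio.h>
#include <sys/syscall.h>         /* SYS_setns */
#include <sys/vfs.h>             /* fstatfs() */
#include <unistd.h>
#ifndef O_PATH                   /* only if <fcntl.h> was seen before _GNU_SOURCE */
#define O_PATH 010000000         /* asm-generic value (x86, arm64) */
#endif

/* Steps 1-3: return a readable fd known to live on nsfs, or -1. */
int open_netns_checked(const char *path)
{
    struct statfs sfs;
    char procpath[64];
    int pathfd, fd;

    /* 1. O_PATH pins the inode without calling the file's open() handler. */
    pathfd = open(path, O_PATH | O_CLOEXEC);
    if (pathfd < 0)
        return -1;

    /* 2. Check the filesystem of the pinned inode, not of the path string. */
    if (fstatfs(pathfd, &sfs) < 0 || sfs.f_type != NSFS_MAGIC) {
        close(pathfd);
        return -1;
    }

    /* 3. Reopen the same inode via /proc; the original path is not resolved again. */
    snprintf(procpath, sizeof(procpath), "/proc/self/fd/%d", pathfd);
    fd = open(procpath, O_RDONLY | O_CLOEXEC);
    close(pathfd);
    return fd;
}

/* Step 4: setns() with CLONE_NEWNET rejects any fd that is not a netns. */
int attach_netns(const char *path)
{
    int ret, fd = open_netns_checked(path);
    if (fd < 0)
        return -1;
    ret = (int)syscall(SYS_setns, fd, CLONE_NEWNET);
    close(fd);
    return ret;
}
```

Because the check in step 2 and the reopen in step 3 both operate on the fd from step 1, swapping the file behind `path` after the check has no effect on what gets opened.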