proc: checkSymlinkOvermount -> checkSubpathOvermount

cyphar · cyphar · commit 13f35b09e064 · 2025-06-19T09:36:41.000+10:00
The logic is not symlink-specific, and will be used for non-symlinks in
the O_PATH resolver.

Signed-off-by: Aleksa Sarai &lt;cyphar@cyphar.com&gt;
diff --git a/open_linux.go b/open_linux.go
@@ -88,7 +88,7 @@ func Reopen(handle *os.File, flags int) (*os.File, error) {
 	// [1]: Linux commit ee2e3f50629f ("mount: fix mounting of detached mounts
 	// onto targets that reside on shared mounts").
 	fdStr := strconv.Itoa(int(handle.Fd()))
-	if err := checkSymlinkOvermount(procRoot, procFdDir, fdStr); err != nil {
+	if err := checkSubpathOvermount(procRoot, procFdDir, fdStr); err != nil {
 		return nil, fmt.Errorf("check safety of /proc/thread-self/fd/%s magiclink: %w", fdStr, err)
 	}
 
diff --git a/procfs_linux.go b/procfs_linux.go
@@ -347,7 +347,7 @@ func getMountID(dir *os.File, path string) (uint64, error) {
 	return stx.Mnt_id, nil
 }
 
-func checkSymlinkOvermount(procRoot *os.File, dir *os.File, path string) error {
+func checkSubpathOvermount(procRoot *os.File, dir *os.File, path string) error {
 	// Get the mntID of our procfs handle.
 	expectedMountID, err := getMountID(procRoot, "")
 	if err != nil {
@@ -363,7 +363,7 @@ func checkSymlinkOvermount(procRoot *os.File, dir *os.File, path string) error {
 	// using unsafeHostProcRoot() then an attaker could change this after we
 	// did this check.)
 	if expectedMountID != gotMountID {
-		return fmt.Errorf("%w: symlink %s/%s has an overmount obscuring the real link (mount ids do not match %d != %d)", errUnsafeProcfs, dir.Name(), path, expectedMountID, gotMountID)
+		return fmt.Errorf("%w: subpath %s/%s has an overmount obscuring the real link (mount ids do not match %d != %d)", errUnsafeProcfs, dir.Name(), path, expectedMountID, gotMountID)
 	}
 	return nil
 }
@@ -386,7 +386,7 @@ func doRawProcSelfFdReadlink(procRoot *os.File, fd int) (string, error) {
 	//
 	// [1]: Linux commit ee2e3f50629f ("mount: fix mounting of detached mounts
 	// onto targets that reside on shared mounts").
-	if err := checkSymlinkOvermount(procRoot, procFdLink, ""); err != nil {
+	if err := checkSubpathOvermount(procRoot, procFdLink, ""); err != nil {
 		return "", fmt.Errorf("check safety of /proc/thread-self/fd/%d magiclink: %w", fd, err)
 	}
 
diff --git a/procfs_linux_test.go b/procfs_linux_test.go
@@ -114,7 +114,7 @@ func testProcOvermountSubdir(t *testing.T, procRootFn procRootFunc, expectOvermo
 				// moved to libpathrs.
 				{"/proc/self/sched", "attr/current", "", unix.MS_BIND},
 				// Bind-mounts on top of symlinks should be detected by
-				// checkSymlinkOvermount.
+				// checkSubpathOvermount.
 				{"/proc/1/fd/0", "exe", "", unix.MS_BIND},
 				{"/proc/1/exe", "fd/0", "", unix.MS_BIND},
 				// TODO: Add a test for mounting on top of /proc/self or
@@ -150,7 +150,7 @@ func testProcOvermountSubdir(t *testing.T, procRootFn procRootFunc, expectOvermo
 		defer closer()
 
 		// Open these paths directly to emulate a non-openat2 handle that
-		// didn't detect a bind-mount to check that checkSymlinkOvermount works
+		// didn't detect a bind-mount to check that checkSubpathOvermount works
 		// properly for AT_EMPTY_PATH checks as well.
 		procCwd, err := openatFile(procSelf, "cwd", unix.O_PATH|unix.O_NOFOLLOW|unix.O_CLOEXEC, 0)
 		require.NoError(t, err)
@@ -160,14 +160,14 @@ func testProcOvermountSubdir(t *testing.T, procRootFn procRootFunc, expectOvermo
 		defer procExe.Close() //nolint:errcheck // test code
 
 		// no overmount
-		err = checkSymlinkOvermount(procRoot, procCwd, "")
+		err = checkSubpathOvermount(procRoot, procCwd, "")
 		assert.NoError(t, err, "checking /proc/self/cwd with no overmount should succeed") //nolint:testifylint // this is an isolated operation so we can continue despite an error
-		err = checkSymlinkOvermount(procRoot, procSelf, "cwd")
+		err = checkSubpathOvermount(procRoot, procSelf, "cwd")
 		assert.NoError(t, err, "checking /proc/self/cwd with no overmount should succeed") //nolint:testifylint // this is an isolated operation so we can continue despite an error
 		// basic overmount
-		err = checkSymlinkOvermount(procRoot, procExe, "")
+		err = checkSubpathOvermount(procRoot, procExe, "")
 		assert.ErrorIs(t, err, symlinkOvermountErr, "unexpected /proc/self/exe overmount result") //nolint:testifylint // this is an isolated operation so we can continue despite an error
-		err = checkSymlinkOvermount(procRoot, procSelf, "exe")
+		err = checkSubpathOvermount(procRoot, procSelf, "exe")
 		assert.ErrorIs(t, err, symlinkOvermountErr, "unexpected /proc/self/exe overmount result") //nolint:testifylint // this is an isolated operation so we can continue despite an error
 
 		// fd no overmount

Original file line number	Diff line number	Diff line change
`@@ -88,7 +88,7 @@ func Reopen(handle os.File, flags int) (os.File, error) {`
`88`	`88`	`// [1]: Linux commit ee2e3f50629f ("mount: fix mounting of detached mounts`
`89`	`89`	`// onto targets that reside on shared mounts").`
`90`	`90`	`fdStr := strconv.Itoa(int(handle.Fd()))`
`91`		`- if err := checkSymlinkOvermount(procRoot, procFdDir, fdStr); err != nil {`
	`91`	`+ if err := checkSubpathOvermount(procRoot, procFdDir, fdStr); err != nil {`
`92`	`92`	`return nil, fmt.Errorf("check safety of /proc/thread-self/fd/%s magiclink: %w", fdStr, err)`
`93`	`93`	`}`
`94`	`94`
Original file line number	Diff line number	Diff line change
`@@ -347,7 +347,7 @@ func getMountID(dir *os.File, path string) (uint64, error) {`
`347`	`347`	`return stx.Mnt_id, nil`
`348`	`348`	`}`
`349`	`349`
`350`		`-func checkSymlinkOvermount(procRoot os.File, dir os.File, path string) error {`
	`350`	`+func checkSubpathOvermount(procRoot os.File, dir os.File, path string) error {`
`351`	`351`	`// Get the mntID of our procfs handle.`
`352`	`352`	`expectedMountID, err := getMountID(procRoot, "")`
`353`	`353`	`if err != nil {`
`@@ -363,7 +363,7 @@ func checkSymlinkOvermount(procRoot os.File, dir os.File, path string) error {`
`363`	`363`	`// using unsafeHostProcRoot() then an attaker could change this after we`
`364`	`364`	`// did this check.)`
`365`	`365`	`if expectedMountID != gotMountID {`
`366`		`- return fmt.Errorf("%w: symlink %s/%s has an overmount obscuring the real link (mount ids do not match %d != %d)", errUnsafeProcfs, dir.Name(), path, expectedMountID, gotMountID)`
	`366`	`+ return fmt.Errorf("%w: subpath %s/%s has an overmount obscuring the real link (mount ids do not match %d != %d)", errUnsafeProcfs, dir.Name(), path, expectedMountID, gotMountID)`
`367`	`367`	`}`
`368`	`368`	`return nil`
`369`	`369`	`}`
`@@ -386,7 +386,7 @@ func doRawProcSelfFdReadlink(procRoot *os.File, fd int) (string, error) {`
`386`	`386`	`//`
`387`	`387`	`// [1]: Linux commit ee2e3f50629f ("mount: fix mounting of detached mounts`
`388`	`388`	`// onto targets that reside on shared mounts").`
`389`		`- if err := checkSymlinkOvermount(procRoot, procFdLink, ""); err != nil {`
	`389`	`+ if err := checkSubpathOvermount(procRoot, procFdLink, ""); err != nil {`
`390`	`390`	`return "", fmt.Errorf("check safety of /proc/thread-self/fd/%d magiclink: %w", fd, err)`
`391`	`391`	`}`
`392`	`392`