Re: [RFC] Null Namespaces
From: "H. Peter Anvin" <hpa@zytor.com>
Date: 2026-06-25 21:02:07
Also in:
linux-arch, linux-fsdevel, lkml
On 2026-06-24 16:12, Al Viro wrote:
On Wed, Jun 24, 2026 at 06:51:47PM -0400, John Ericson wrote:quoted
#### Null mount namespace - requires: - null root file system: absolute paths don't work. - null current working directory: relative paths with traditional, non-`*at` system calls (and `*at` ones using `AT_FDCWD`) don't work. - All operations relating to the "ambient" mount tree don't work. - `*at` operations with a file descriptor do work.Huh? The last bit looks contradicts the previous one - if you have an opened directory in a mount from some namespace, those `*at` operations with that descriptor *will* be seeing the mount tree of that namespace, whatever the hell is "ambient" supposed to mean. Either that, or you will be exposing whatever's overmounted in that mount, which is a huge can of worms.
It seems to me that this is really no different *in practice* to having an
empty mount namespace, no? You might still be able to stat("/") and get a
d--------- result, but how does that actually affect anything?
The big thing with a lot of this is that introducing a null case can really
complicate things all over the place, and since this is very likely to be only
a niche use case, it kind of screams to me like it has the potential to become
an attack surface like any other rarely used code in the kernel...
-hpa