Re: [RFC] Null Namespaces
From: Andy Lutomirski <luto@kernel.org>
Date: 2026-07-06 17:10:47
Also in:
linux-arch, linux-fsdevel, lkml
On Mon, Jul 6, 2026 at 9:55 AM Jann Horn [off-list ref] wrote:
I mostly agree, though we might want to gate this on no_new_privs just to be sure - you could theoretically have a setuid root program that gives the caller more privileges if it can't find its config file. That's kind of a far-fetched scenario, and in reality it would probably fail because the dynamic linker can't be found, but there is precedent for other sandboxing stuff also requiring no_new_privs, so we might as well require that here, too...
My ancient patch did this gating. FWIW, if we are contemplating letting unprivileged tasks chroot to an *empty* mountns and they don't have privileges to bind anything there, then the mnt_may_suid() will prevent them from using execveat to run a setuid program.
(I think it actually might be fine to just make chroot entirely unprivileged as long as no_new_privs is set, but I don't think we should actually do that, that would just be unnecessarily playing with fire and would probably confuse some security monitoring tools or such.) We should probably also reject if current_chrooted() is true, for the same reason we reject userns creation when that's true.
These empty-tree proposals might expose a little issue in current_chrooted(). We don't want to check whether our root is the namespace root -- I think we may want to check whether our root has a parent. Otherwise once you chroot to an empty tree once, you can't chroot again, which is silly. Maybe if we add this empty tree thing, the definition of current_chrooted should change. (This is already an issue with open_tree and probably even with detached mounts before that, but I don't think it's as easily observable.)