Comment 10 for bug 1783591

Revision history for this message
Christian Brauner (cbrauner) wrote :

Here's the updated version that switches from fstatvfs() to fstatfs()
to reuse infrastructure we already have and to correctly check for the fs type.
The logic stays the same:

1. open() O_PATH fd which won't trigger an actual open()
2. fstats() the O_PATH fd and verify that f_type == NSFS_MAGIC
3. build proc path to the O_PATH fd and reopen O_PATH fd with O_RDONLY | O_CLOEXEC
4. perform setns(netns_fd, CLONE_NEWNET) (which will fail on anything else than an actual netns fd

Doing the O_PATH open and then the /proc reopen trick let's us avoid TOCTOU.