From: Carlos O'Donell
Organization: Red Hat
To: DJ Delorie, libc-alpha@sourceware.org
Subject: Re: nsswitch: do not reload if "/" changes
Date: Mon, 18 Jan 2021 10:59:17 -0500
Message-ID: <25a79acd-f739-83ec-5dcf-ab2bd771f561@redhat.com>

On 1/15/21 7:59 PM, DJ Delorie via Libc-alpha wrote:
>
> [Note: I tried putting this functionality in the file_change_detection
> module, but that didn't have enough persistence.]
>
> [Note: tested by instrumenting test-container.c and observing the
> instrumentation with test containers on the root fs and on a separate
> fs]
>
> https://sourceware.org/bugzilla/show_bug.cgi?id=27077
>
> Before reloading nsswitch.conf, verify that the root directory
> hasn't changed - if it has, it's likely that we've entered a
> container and should not trust the nsswitch inside the container
> nor load any shared objects therein.

Can we create a non-test-container test for this?
I think you can use support_become_root to unshare and then try to use
support_chroot_create/support_chroot_free and xchroot to change root, and
then try to do an NSS call that will fail?

The test can start by calling __nss_lookup_configure to set a known module
to provide the NSS values, and then do an IdM call, verify you're using a
known value, and then try to become root and chroot.

I'm not sure if this is possible though.

--
Cheers,
Carlos.
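
The check described in the quoted commit message, as an added example that is not part of this thread or of the glibc patch: record the device and inode of "/" when the configuration is first loaded, and refuse to reload once they no longer match. The names `root_guard`, `root_guard_record` and `root_guard_may_reload`, the path parameter (present so the check can be exercised without chroot privileges) and the sticky disable flag are assumptions of this sketch.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Hypothetical state: identity of the root directory recorded when the
   configuration was first loaded.  */
struct root_guard
{
  dev_t dev;
  ino_t ino;
  bool reload_disabled;   /* Sticky once a change has been seen.  */
};

/* Record the identity of ROOT (normally "/").  If it cannot be
   stat'ed, reloading is disabled and false is returned.  */
bool
root_guard_record (struct root_guard *g, const char *root)
{
  struct stat st;
  g->reload_disabled = stat (root, &st) != 0;
  if (g->reload_disabled)
    return false;
  g->dev = st.st_dev;
  g->ino = st.st_ino;
  return true;
}

/* Return true only if ROOT is still the directory recorded earlier.
   A stat failure or a device/inode mismatch disables reloading for
   the rest of the process lifetime (fail closed).  */
bool
root_guard_may_reload (struct root_guard *g, const char *root)
{
  struct stat st;
  if (g->reload_disabled)
    return false;
  if (stat (root, &st) != 0 || st.st_dev != g->dev || st.st_ino != g->ino)
    g->reload_disabled = true;
  return !g->reload_disabled;
}

int
main (void)
{
  struct root_guard g;
  root_guard_record (&g, "/");
  printf ("reload allowed: %d\n", root_guard_may_reload (&g, "/"));
  return 0;
}
```

Comparing both `st_dev` and `st_ino` matters because inode numbers are only unique within one filesystem, which is the root-fs versus separate-fs distinction the quoted testing note mentions.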