You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
then we don't correctly track that the resultant file created is $CWD/some-link, because we only see "some-link" in the syscall. There are a few other syscalls like this that work with the AT_FDCWD special value as well that we are not resolving properly again due to the fact that we don't track current working directory changes.
The code to do this is not hard, we would probably just have to have a regexp that catches the chdir syscall and keep track of it as the loop progress through every syscall, and then also have another specific regexp that matches the set of syscalls that use this pattern as well as any syscall that uses AT_FDCWD with a non-absolute path as another syscall argument, and then do the replacement.
There's a related and similar problem about tracking mount namespace changes and chroots where we want to follow the changes into the mount namespace to see that a strictly confined snap accessing /lib/x86_64-linux-gnu/libc-2.27.so is really accessing the base snap's file i.e. /snap/core18/current/lib/x86_64-linux-gnu/libc-2.27.so
The text was updated successfully, but these errors were encountered:
A simple way to handle part of this actually for snaps is to enter the snap's mount namespace through i.e. snap run --shell or the /run/snapd/ns/... files so that we can at least see the size/existence of files from the base snap. That still isn't the full picture though
Currently, if a program issues a syscall like this:
then we don't correctly track that the resultant file created is $CWD/some-link, because we only see "some-link" in the syscall. There are a few other syscalls like this that work with the AT_FDCWD special value as well that we are not resolving properly again due to the fact that we don't track current working directory changes.
The code to do this is not hard, we would probably just have to have a regexp that catches the chdir syscall and keep track of it as the loop progress through every syscall, and then also have another specific regexp that matches the set of syscalls that use this pattern as well as any syscall that uses AT_FDCWD with a non-absolute path as another syscall argument, and then do the replacement.
There's a related and similar problem about tracking mount namespace changes and chroots where we want to follow the changes into the mount namespace to see that a strictly confined snap accessing
/lib/x86_64-linux-gnu/libc-2.27.so
is really accessing the base snap's file i.e./snap/core18/current/lib/x86_64-linux-gnu/libc-2.27.so
The text was updated successfully, but these errors were encountered: