Our /proc/sys/fs/protected_symlinks emulation logic with the O_PATH resolver errors out if you are in a container with /proc/sys overmounted as RO. I think there are two steps to fixing this:
- As a hotfix, if getting the sysctl value errors out we err on the conservative side and assume it is enabled.
- Figure out a way to permit overmounts if they are of the same path (and possibly only permit certain mount flags to be set). We can probably do this with
statmount on newer (6.8) kernels? On old kernels we will need to parse mountinfo. Not sure if it's worth it. :/
Our
/proc/sys/fs/protected_symlinksemulation logic with theO_PATHresolver errors out if you are in a container with/proc/sysovermounted as RO. I think there are two steps to fixing this:statmounton newer (6.8) kernels? On old kernels we will need to parsemountinfo. Not sure if it's worth it. :/