Re: realpath() leakage and unix socket collision in -o union mounts + jails
Date: Wed, 08 Oct 2025 15:03:42 UTC
On Wed, Oct 08, 2025 at 09:36:26AM +0200, David 'equinox' Lamparter wrote:
> On Wed, Oct 08, 2025 at 07:37:49AM +0300, Konstantin Belousov wrote:
> > On Tue, Oct 07, 2025 at 08:49:27PM +0200, David 'equinox' Lamparter wrote:
> > > I'm working on a network testing system that uses jails to emulate
> > > virtual routers. The test target is == the host here, so I'm using
> > > union mounts to create a "clone" of the host. That looks like this:
> >
> > What are you trying to achieve by the MNT_UNION flag?
> > Or rather, do not use union mounts as root for jails.
>
> The test target is the host system. The user has installed & modified a
> bunch of things on the host. I need multiple clones of the host to run
> as virtual test targets in vnet jails, and repeatedly create & drop
> these (they exist for about 10 seconds on the shortest tests.) Note
> there is no security boundary or requirement, the jail's only purpose is
> the vnet.
>
> My alternatives are, in order: unionfs, zfs snapshots, copying the
> entire system tree. unionfs works but I was attempting to get away from
> an unsupported component.
>
> > > Neither of these two issues happens with unionfs (which I've now fallen
> > > back to using, but AIUI that's entirely unmaintained and unsupported...)
> > > Could someone investigate these?
> >
> > There is nothing to investigate, unix sockets are bypassed for nullfs,
> > this is feature.
>
> Can I turn off this feature? Is it documented somewhere?

No, there is no knob for it. It is not too hard to add a mount option
for nullfs. It is documented in the sense that it is a normal behavior
for the unix sockets: nullfs bypasses the socket vnode to single instance.