@dudejas dudejas commented Jan 9, 2026

Fixes #199

@aramprice aramprice left a comment


Thank you for the changes, this looks good code-wise. I would appreciate some other folks looking at it as well, especially to think over any potential security changes from this.

Before this change we allowed an inside-container-mount of an outside-the-container-symlink to resolve at container runtime, from inside the container to the outside-container-symlink-target.

With this change bpm will pre-resolve, not at container runtime, an outside-the-container-symlink to its outside-the-container-symlink-target (not mediated by the container subsystem), and then an inside-the-container-mount will be created which points directly to the outside-the-container-symlink-target.

I think this change introduces a difference in the time at which a symlink is resolved (container-creation vs. ad hoc during container runtime)... and I'm curious if this is consequential to the security posture of bpm. I don't think this is the case for the issue mentioned in #199...

I'm wondering if this could have implications in arbitrary cases?

@aramprice aramprice requested review from a team, lnguyen and ragaskar and removed request for a team January 20, 2026 19:25
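As an added illustration of the two behaviours the review contrasts (this is example code, not bpm's own implementation and not part of the PR): `PreResolve` captures the host symlink's target once, the way the change does at container-creation time, and `Drifted` re-resolves the same path later, the way a runtime lookup would, to show whether the two resolutions have diverged. `MountSpec`, both function names and the container path are hypothetical.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// MountSpec is a hypothetical bind-mount record, not bpm's own type.
type MountSpec struct {
	HostPath      string // path named in the job config; may be a symlink on the host
	ResolvedPath  string // symlink target captured at container-creation time
	ContainerPath string // where the bind mount appears inside the container
}

// PreResolve mirrors the change under review: the host-side symlink is resolved
// once, before the container exists, and the mount is built from that target.
func PreResolve(hostPath, containerPath string) (MountSpec, error) {
	resolved, err := filepath.EvalSymlinks(hostPath)
	if err != nil {
		return MountSpec{}, fmt.Errorf("pre-resolve %s: %w", hostPath, err)
	}
	return MountSpec{HostPath: hostPath, ResolvedPath: resolved, ContainerPath: containerPath}, nil
}

// Drifted re-resolves the host path as a runtime lookup would and reports whether
// the symlink now points somewhere other than the captured target. A true result
// is the timing difference the review asks about: the mount still points at the
// old target while the symlink on the host has moved.
func Drifted(m MountSpec) (drifted bool, current string, err error) {
	current, err = filepath.EvalSymlinks(m.HostPath)
	if err != nil {
		return false, "", err
	}
	return current != m.ResolvedPath, current, nil
}

func main() {
	// Constructed demo layout: link -> a at creation time, re-pointed to b afterwards.
	dir, _ := os.MkdirTemp("", "bpm-symlink-demo")
	defer os.RemoveAll(dir)
	a, b, link := filepath.Join(dir, "a"), filepath.Join(dir, "b"), filepath.Join(dir, "link")
	os.Mkdir(a, 0o755)
	os.Mkdir(b, 0o755)
	os.Symlink(a, link)
	m, _ := PreResolve(link, "/var/vcap/data/example") // hypothetical container path
	os.Remove(link)
	os.Symlink(b, link)
	drifted, now, _ := Drifted(m)
	fmt.Printf("mount -> %s; symlink now -> %s; drifted=%v\n", m.ResolvedPath, now, drifted)
}
```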

Successfully merging this pull request may close these issues.

Fix Symlink Resolution in Bind Mounts for Noble Stemcell Compatibility
