From d3ae74d2a5f5933981abeae10e676a2f0cccf67e Mon Sep 17 00:00:00 2001
From: Nicolas Lacasse <nlacasse@google.com>
Date: Mon, 17 Dec 2018 13:45:59 -0800
Subject: overlayBoundEndpoint must be recursive if there is an overlay in the
 lower.

The old overlayBoundEndpoint assumed that the lower is not an overlay.  It
should check if the lower is an overlay and handle that case.

PiperOrigin-RevId: 225882303
Change-Id: I60660c587d91db2826e0719da0983ec8ad024cb8
---
 pkg/sentry/fs/inode_overlay.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'pkg/sentry/fs')

diff --git a/pkg/sentry/fs/inode_overlay.go b/pkg/sentry/fs/inode_overlay.go
index 78923fb5b..512a0da28 100644
--- a/pkg/sentry/fs/inode_overlay.go
+++ b/pkg/sentry/fs/inode_overlay.go
@@ -390,8 +390,12 @@ func overlayBoundEndpoint(o *overlayEntry, path string) transport.BoundEndpoint
 	if o.upper != nil {
 		return o.upper.InodeOperations.BoundEndpoint(o.upper, path)
 	}
-	// If a socket is already in the lower file system, allow connections
-	// to it.
+
+	// If the lower is itself an overlay, recurse.
+	if o.lower.overlay != nil {
+		return overlayBoundEndpoint(o.lower.overlay, path)
+	}
+	// Lower is not an overlay. Call BoundEndpoint directly.
 	return o.lower.InodeOperations.BoundEndpoint(o.lower, path)
 }
 
-- 
cgit v1.2.3