Improve comment above nameicap_check_dotdot().

Explain why tracker is needed at all. Reviewed by: markj Tested by: pho Sponsored by: The FreeBSD Foundation MFC after: 1 week Differential revision: https://reviews.freebsd.org/D25886
2020-09-22 21:54:30 +00:00 · 2020-09-22 21:54:30 +00:00 · 44619a5e86
commit 44619a5e86
parent d458747eb2
1 changed files with 5 additions and 1 deletions
--- a/sys/kern/vfs_lookup.c
+++ b/sys/kern/vfs_lookup.c
@ -215,7 +215,11 @@ nameicap_cleanup(struct nameidata *ndp, bool clean_latch)
 /*
 * For dotdot lookups in capability mode, only allow the component
 * lookup to succeed if the resulting directory was already traversed
- * during the operation.  Also fail dotdot lookups for non-local
+ * during the operation.  This catches situations where already
+ * traversed directory is moved to different parent, and then we walk
+ * over it with dotdots.
+ *
+ * Also allow to force failure of dotdot lookups for non-local
 * filesystems, where external agents might assist local lookups to
 * escape the compartment.
 */