[Kernel-packages] [Bug 1322067] Re: 3.15.0-1.x breaks lxc-attach for unprivileged containers

2014-05-26 Thread Seth Forshee
** Also affects: lxc (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu Utopic)
       Status: Confirmed => Won't Fix

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.

[Kernel-packages] [Bug 1322067] Re: 3.15.0-1.x breaks lxc-attach for unprivileged containers

2014-05-26 Thread Stéphane Graber
** No longer affects: linux (Ubuntu)

** Also affects: lxc (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** No longer affects: linux (Ubuntu Utopic)

[Kernel-packages] [Bug 1322067] Re: 3.15.0-1.x breaks lxc-attach for unprivileged containers

2014-05-22 Thread Andy Whitcroft
** Summary changed:

- 3.15.0.1.2 breaks lxc-attach for unprivileged containers
+ 3.15.0-1.x breaks lxc-attach for unprivileged containers

[Kernel-packages] [Bug 1322067] Re: 3.15.0-1.x breaks lxc-attach for unprivileged containers

2014-05-22 Thread Seth Forshee
This commit is certainly to blame.

commit 35a35046e4f9d8849e727b0e0f6edac0ece4ca6e
Author: Djalal Harouni tix...@opendz.org
Date:   Mon Apr 7 15:38:36 2014 -0700

    procfs: make /proc/*/{stack,syscall,personality} 0400

    These procfs files contain sensitive information and currently

[Kernel-packages] [Bug 1322067] Re: 3.15.0-1.x breaks lxc-attach for unprivileged containers

2014-05-22 Thread Seth Forshee
FWIW, I suspect the reason for clamping down permissions on the personality file is because it has an ADDR_NO_RANDOMIZE flag. Perhaps the rationale is that having this file world-readable means that an attacker could scan for processes that are vulnerable to an attack which would otherwise be

Re: [Kernel-packages] [Bug 1322067] Re: 3.15.0-1.x breaks lxc-attach for unprivileged containers

2014-05-22 Thread Serge Hallyn
Unfortunately the check is not a simple uid comparison, because when I use lxc-usernsexec to cat the file using the uid of root in the container, I still get EPERM.

[Kernel-packages] [Bug 1322067] Re: 3.15.0-1.x breaks lxc-attach for unprivileged containers

2014-05-22 Thread Serge Hallyn
Expanding on comment #4: Otherwise we could work around it more easily in lxc. As it is, if we can't cleanly/safely allow it in the kernel, we may need to ask a new lxc command interface query to get the container's personality.

[Kernel-packages] [Bug 1322067] Re: 3.15.0-1.x breaks lxc-attach for unprivileged containers

2014-05-22 Thread Stéphane Graber
Serge, could we just have lxc-attach query lxc.arch using get_config_item over the command interface and do the personality mapping based on the running container config rather than the running processes? That should spare us the addition of a new command interface call and the usual breakage we

Re: [Kernel-packages] [Bug 1322067] Re: 3.15.0-1.x breaks lxc-attach for unprivileged containers

2014-05-22 Thread Serge Hallyn
Oh, yeah, I forgot we had that. That sounds good. Far preferable to having to tweak/relax the kernel constraints on reading that file.