[patch v3] Allow for unprivileged nested containers
DJ Delorie
dj@redhat.com
Wed Nov 17 22:44:06 GMT 2021
Florian Weimer <fweimer@redhat.com> writes:
>> When running a "make check" in an untrusted podman container, we do
>> not have privileges to mount a new /proc. Previously, we just failed
>> to initialize the container and thus all test-container tests were
>> "unsupported". With this change, we bind mount the parent's /proc,
>> which we have privileges to do. Note that MS_REC is needed as /proc
>> typically has things mounted within it, and not mounting those would
>> be a security hole[*].
>
> I see a new test failure with this, elf/tst-pldd. Happens with
> kernel-5.14.17-301.fc35.x86_64, kernel-5.14.13-100.fc33.x86_64,
> linux-image-5.10.0-9-amd64_5.10.70-1, as a non-root user.
Heh, this is a fun one. If you bind mount /proc, you get the
/proc/<pid> from the parent namespace. If you direct mount it as type
"proc" you get the /proc/<pid> from the child namespace.
I.e. the pldd test fails because it's looking at the wrong process.
I suspect the only way around this is to check for the specific
permission (capability?) we need, early, so we can bind mount /proc only
if we know in advance that the direct mount will fail. Or decide that
having the parent's /proc/<pid> would cause more problems than it's
worth and just not have a /proc at all in that case.