[patch v3] Allow for unprivileged nested containers

DJ Delorie dj@redhat.com
Thu Nov 18 20:18:12 GMT 2021


IIRC part of the unshared pid namespace was to test processes that act
differently if they're pid 1 (init) but I don't think we have any of
those yet.  Certainly the unshared mount namespace has been used to test
corrupt config files etc.

But the security issue is for the CICD tools, which test unvetted
patches from the mailing list.  Bind mounting /proc doesn't exit that
security (it just gives you the same /proc the build already saw) but
*enabling* a non-bind-mounted proc means giving security privs to the
build that I'd rather not give.

Florian Weimer <fweimer@redhat.com> writes:
>> One process can have different PIDs depending on how you look at it.
>
> Then elf/tst-pldd should be fine with 4.

Sure, but if getpid() returns 4, and /proc/4/ is for a different process
(or doesn't exist), the test fails.  pldd would have to know the pid in
the parent's namespace, for the same process, which might be something
like /proc/41768423/ instead of /proc/4/

I wouldn't be surprised if /proc/self/ referred to the wrong process
too.
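The mismatch described above, worked through as an added example (this is not glibc code and not part of the thread): when /proc is bind-mounted from the parent PID namespace, a process whose getpid() returns 4 has to look under /proc/<outer pid>/, not /proc/4/. Since Linux 4.1 each /proc/<pid>/status carries an "NSpid:" line listing that process's PID in every namespace from the one /proc was mounted in down to the process's own, so a pldd-style tool can scan /proc for the entry whose innermost NSpid matches. The fake /proc tree, the file layout and the helper names below are constructed for the example; only the PIDs 4 and 41768423 come from the discussion.

```c
/* Added example: map a PID as seen inside a nested PID namespace back to
 * the directory name under a /proc bind-mounted from the parent namespace,
 * using the "NSpid:" line of /proc/<pid>/status (Linux >= 4.1).
 * A constructed fake /proc tree is used so this runs with no namespaces. */
#define _GNU_SOURCE
#include <ctype.h>
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse "NSpid:\t<outer> ... <inner>" from a status file: first entry is the
 * PID in the namespace /proc was mounted from, last is the process's own.
 * Returns the number of levels found, 0 if the line is absent. */
size_t parse_nspid(const char *status, pid_t *out, size_t max)
{
    const char *p = strstr(status, "NSpid:");
    if (!p || (p != status && p[-1] != '\n'))
        return 0;
    p += strlen("NSpid:");
    size_t n = 0;
    while (n < max) {
        while (*p == ' ' || *p == '\t') p++;
        if (!isdigit((unsigned char)*p)) break;
        char *end;
        out[n++] = (pid_t)strtol(p, &end, 10);
        p = end;
    }
    return n;
}

static int read_status(const char *root, const char *dir, char *buf, size_t n)
{
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/%s/status", root, dir);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t got = fread(buf, 1, n - 1, f);
    fclose(f);
    buf[got] = '\0';
    return 0;
}

/* Scan ROOT (a /proc tree) for the process that is INNER_PID in its own
 * namespace, DEPTH namespaces below the one ROOT was mounted from.  Returns
 * the directory name (outer PID), -1 if nothing matches, -2 if several do:
 * sibling namespaces can each contain a PID 4, so a bare innermost match
 * must not be trusted. */
long find_proc_dir(const char *root, pid_t inner_pid, size_t depth)
{
    DIR *d = opendir(root);
    if (!d) return -1;
    long found = -1;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long outer = strtol(e->d_name, &end, 10);
        if (*e->d_name == '\0' || *end != '\0') continue;   /* not a PID dir */
        char buf[4096];
        pid_t ns[16];
        if (read_status(root, e->d_name, buf, sizeof buf) != 0) continue;
        size_t n = parse_nspid(buf, ns, 16);
        if (n != depth + 1 || ns[n - 1] != inner_pid || ns[0] != outer) continue;
        if (found != -1) { found = -2; break; }                /* ambiguous */
        found = outer;
    }
    closedir(d);
    return found;
}

/* Constructed fixture: a fake /proc under a temp dir (0 on success). */
int make_fake_proc(char *root, size_t n)
{
    char tmpl[] = "/tmp/fakeproc.XXXXXX";
    if (!mkdtemp(tmpl)) return -1;
    snprintf(root, n, "%s", tmpl);
    return 0;
}

/* Add a fake /proc/<dir>/status carrying only the fields the scanner reads. */
int add_fake_process(const char *root, const char *dir, const char *nspid_line)
{
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/%s", root, dir);
    mkdir(path, 0700);
    snprintf(path, sizeof path, "%s/%s/status", root, dir);
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fprintf(f, "Name:\tfake\nPid:\t%s\nNSpid:\t%s\n", dir, nspid_line);
    fclose(f);
    return 0;
}

int main(void)
{
    char root[PATH_MAX];
    if (make_fake_proc(root, sizeof root) != 0) return 1;
    /* Parent-namespace view: PID 4 is an unrelated process, and the nested
     * container's PID 4 appears as 41768423 with two NSpid levels. */
    add_fake_process(root, "4", "4");
    add_fake_process(root, "41768423", "41768423\t4");
    printf("getpid()==4 inside the container -> /proc/%ld\n", find_proc_dir(root, 4, 1));
    printf("PID 4 in the outer namespace      -> /proc/%ld\n", find_proc_dir(root, 4, 0));
    add_fake_process(root, "41768500", "41768500\t4");   /* sibling container */
    printf("with a second container present   -> %ld\n", find_proc_dir(root, 4, 1));
    return 0;
}
```

Against a real /proc, point find_proc_dir at "/proc" with depth set to the number of namespace levels between the mount and the caller; the -2 case is the one to watch in a CI host running several containers at once, since only the full NSpid chain (not the innermost entry) identifies a process uniquely.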