[lxc-devel] [PATCH 1/1] lxc_attach: fix break with user namespaces
Serge Hallyn
serge.hallyn at canonical.com
Mon Jan 21 21:37:45 UTC 2013
Quoting Serge Hallyn (serge.hallyn at canonical.com):
> When you clone a new user_ns, the child cannot write to the fds
> opened by the parent. Handle this by doing an extra fork. The
> grandparent hangs around and waits for its child to tell it the
> pid of the grandchild, which will be the one attached to the
> container. The grandparent then moves the grandchild into the
> right cgroup, then waits for the child who in turn is waiting on
> the grandchild to complete.
>
> This lets lxc-attach work into another user namespace, but more
> is needed ( which will come in subsequent patches ). lxc-attach
> will need to setuid to the uid of the container's init process,
> because otherwise it is uid -1. It will also need to be entered
> into the apparmor or selinux domain of the child to prevent it
> being used by a task in the container as a stepping stone to
> greater privilege (i.e. through ptrace).
Hold on, the version I sent here had a last minute change and may
be bad.
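The fork-twice scheme the quoted commit message describes, as an added C example that is not the lxc-attach patch itself: the grandparent opens a pipe before anything changes namespace, the intermediate child forks the grandchild (where lxc-attach would create it in the new user namespace) and reports its pid back over the pipe, and the grandparent performs the cgroup move (stubbed here by a hypothetical move_to_cgroup() that only records the pid) before waiting on the child, which waits on the grandchild. All function names are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Hypothetical stand-in for the real cgroup move: lxc-attach would write the
 * pid into the container's cgroup from the privileged grandparent. Here we
 * only record which pid was handed to us so the result can be checked. */
static pid_t last_attached_pid = -1;
static int move_to_cgroup(pid_t pid) { last_attached_pid = pid; return 0; }

/* Run fn(arg) in a grandchild and return its exit status, or -1 on error.
 * Only the grandparent and the intermediate child touch the pipe fds, so the
 * grandchild (the one that would be in a fresh user_ns) never needs to write
 * to a descriptor it is not allowed to. */
int attach_double_fork(int (*fn)(void *), void *arg)
{
    int fds[2];
    if (pipe(fds) < 0) return -1;
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) {                       /* intermediate child */
        close(fds[0]);
        /* lxc-attach would create this task with a new user namespace */
        pid_t grandchild = fork();
        if (grandchild < 0) _exit(1);
        if (grandchild == 0) { close(fds[1]); _exit(fn(arg)); }
        /* tell the grandparent who to move into the container's cgroup */
        if (write(fds[1], &grandchild, sizeof grandchild) != sizeof grandchild)
            _exit(1);
        close(fds[1]);
        int st;
        if (waitpid(grandchild, &st, 0) < 0) _exit(1);
        _exit(WIFEXITED(st) ? WEXITSTATUS(st) : 1);
    }
    close(fds[1]);                          /* grandparent */
    pid_t grandchild;
    ssize_t n = read(fds[0], &grandchild, sizeof grandchild);
    close(fds[0]);
    if (n != (ssize_t)sizeof grandchild) { waitpid(child, NULL, 0); return -1; }
    move_to_cgroup(grandchild);
    int st;
    if (waitpid(child, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* Sample task for the grandchild: exit with the integer passed in arg. */
static int exit_with(void *arg) { return (int)(long)arg; }

int main(void)
{
    int rc = attach_double_fork(exit_with, (void *)7);
    printf("grandchild pid %ld exited with %d\n", (long)last_attached_pid, rc);
    return rc == 7 ? 0 : 1;
}
```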