[lxc-devel] [PATCH 1/1] lxc_attach: fix break with user namespaces

Serge Hallyn serge.hallyn at canonical.com
Mon Jan 21 21:37:45 UTC 2013


Quoting Serge Hallyn (serge.hallyn at canonical.com):
> When you clone a new user_ns, the child cannot write to the fds
> opened by the parent.  Handle this by doing an extra fork.  The
> grandparent hangs around and waits for its child to tell it the
> pid of the grandchild, which will be the one attached to the
> container.  The grandparent then moves the grandchild into the
> right cgroup, then waits for the child who in turn is waiting on
> the grandchild to complete.
> 
> This lets lxc-attach work into another user namespace, but more
> is needed ( which will come in subsequent patches ).  lxc-attach
> will need to setuid to the uid of the container's init process,
> because otherwise it is uid -1.  It will also need to be entered
> into the apparmor or selinux domain of the child to prevent it
> being used by a task in the container as a stepping stone to
> greater privilege (i.e. through ptrace).

Hold on, the version I sent here had a last minute change and may
be bad.
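The double fork described in the quoted message, as an added example that is not part of this patch or of the LXC code base: the grandparent keeps its host-namespace credentials, the child may enter a new user namespace, and the grandchild is the task that will actually run "inside". The child relays the grandchild's pid to the grandparent over a pipe; the grandparent does the cgroup placement (here a hypothetical `place_in_cgroup()` stub that only records the pid) and then waits on the child, which waits on the grandchild. One thing the quoted text does not say is whether the grandchild waits for placement to finish before it runs; without that there is a window in which the grandchild executes outside the cgroup, so this example adds a second "go-ahead" pipe (an assumption, not something the patch describes). All function names are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Hypothetical cgroup placement hook. In lxc-attach the grandparent, which
 * is still in the host user namespace, would write the pid into the
 * container's cgroup files; here we only record which pid was placed. */
static pid_t g_last_placed = 0;

static int place_in_cgroup(pid_t pid)
{
    g_last_placed = pid;
    return 0;
}

pid_t last_placed_pid(void) { return g_last_placed; }

/* Constructed workload for the grandchild: return a recognisable status. */
int demo_task(void) { return 7; }

/* Run fn() in a grandchild using the double-fork scheme.
 * try_userns != 0 asks the child to unshare(CLONE_NEWUSER) first; failure
 * (unprivileged sandbox, disabled userns) is tolerated so the flow can
 * still be exercised. Returns the grandchild's exit status, or -1. */
int attach_via_double_fork(int (*fn)(void), int try_userns)
{
    int pidpipe[2];   /* child -> grandparent: grandchild's pid        */
    int gopipe[2];    /* grandparent -> grandchild: placement is done  */
    if (pipe(pidpipe) < 0 || pipe(gopipe) < 0)
        return -1;

    pid_t child = fork();
    if (child < 0)
        return -1;

    if (child == 0) {
        close(pidpipe[0]);
        close(gopipe[1]);
        if (try_userns && unshare(CLONE_NEWUSER) < 0) {
            /* Tolerated: the fork/relay logic is what is being shown. */
        }
        pid_t gc = fork();
        if (gc < 0)
            _exit(127);
        if (gc == 0) {
            /* grandchild: block until the grandparent has placed us */
            close(pidpipe[1]);
            char go;
            if (read(gopipe[0], &go, 1) != 1)
                _exit(126);
            close(gopipe[0]);
            _exit(fn());
        }
        close(gopipe[0]);
        /* relay the grandchild's pid to the grandparent */
        if (write(pidpipe[1], &gc, sizeof gc) != (ssize_t)sizeof gc)
            _exit(125);
        close(pidpipe[1]);
        int st;
        waitpid(gc, &st, 0);
        _exit(WIFEXITED(st) ? WEXITSTATUS(st) : 128);
    }

    /* grandparent */
    close(pidpipe[1]);
    close(gopipe[0]);
    pid_t gc;
    if (read(pidpipe[0], &gc, sizeof gc) != (ssize_t)sizeof gc) {
        close(pidpipe[0]);
        close(gopipe[1]);
        waitpid(child, NULL, 0);
        return -1;
    }
    close(pidpipe[0]);
    place_in_cgroup(gc);
    /* placement done: let the grandchild proceed */
    if (write(gopipe[1], "g", 1) != 1)
        return -1;
    close(gopipe[1]);
    int st;
    waitpid(child, &st, 0);
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

int main(void)
{
    int rc = attach_via_double_fork(demo_task, 1);
    printf("grandchild exit status %d, placed pid %ld\n",
           rc, (long)last_placed_pid());
    return rc == 7 ? 0 : 1;
}
```

The pid relayed over the pipe is the one the child sees; if the child had also entered a new pid namespace, the grandparent would need the pid as seen from its own namespace, so the relay belongs on the side that shares the grandparent's pid namespace, as it does here.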
