[lxc-users] permissions question: netstat -anp does not show process for non owned processes

Serge Hallyn serge.hallyn at ubuntu.com
Fri May 27 17:43:24 UTC 2016


So running a netstat as ubuntu user in the container and stracing netstat, the
only eaccess I got was:

492   open("/proc/90/fd", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = -1 EACCES (Permission denied)
492   open("/proc/95/fd", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = -1 EACCES (Permission denied)
492   open("/proc/97/fd", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = -1 EACCES (Permission denied)
492   open("/proc/462/fd", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = -1 EACCES (Permission denied)
492   open("/proc/464/fd", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = -1 EACCES (Permission denied)


those tasks are:
daemon      90     1  0 17:12 ?        00:00:00 /usr/sbin/atd -f
syslog      95     1  0 17:12 ?        00:00:00 /usr/sbin/rsyslogd -n
message+    97     1  0 17:12 ?        00:00:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
root       462   452  0 17:13 ?        00:00:00 su - ubuntu
ubuntu     464   463  0 17:13 ?        00:00:00 (sd-pam)

Interesting.

It doesn't appear to be yama - setting ptrace_scope -t 0 doesn't help.

/proc/90/fd is owned by nobody:nogroup in the container, root:root on
the host.

Looking at the code in fs/proc/base.c, it seems the code intends to
use the cred of the task to which the procpid entry belongs.  So it
really should be owned by daemon.

(proc_tgid_lookup should be called, iiuc, to fill in the details about fd
under /proc/pid, it gets the task to which /proc/pid belongs, passes that
to proc_pident_instantiate, which passes it to proc_pid_make_inode, which
gets the task cred uid/gid and assigns them to the inode)

I'm sure there's a good reason for this, but I'm failing to remember what
it is.

-serge
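
As an added illustration (not part of Serge's mail or of net-tools), a Python sketch of the /proc walk that netstat -p performs: parse the socket table, walk <proc_root>/<pid>/fd, and record every EACCES together with the uid owning the denied fd directory, which is what shows up as nobody:nogroup in the container case above. SAMPLE_NET_TCP and build_fake_proc() are constructed fixtures so it runs offline; point scan_fd_dirs at "/proc" for a real run.

```python
import os
import tempfile

# Constructed sample of /proc/net/tcp (header first). Inode 31337 is a
# listening socket on 0.0.0.0:22, inode 40001 an established local connection.
SAMPLE_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 31337 1 0000000000000000 100 0 0 10 0
   1: 0100007F:8AE2 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 40001 1 0000000000000000 20 4 30 10 -1
"""

def parse_net_tcp(text):
    """Return {inode: (local_address, rem_address)} from a /proc/net/tcp dump."""
    socks = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) > 9:
            socks[int(fields[9])] = (fields[1], fields[2])
    return socks

def scan_fd_dirs(proc_root):
    """Walk <proc_root>/<pid>/fd like netstat -p. Returns
    ({socket_inode: pid}, {pid: uid owning an fd dir we were denied})."""
    owned, denied = {}, {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            names = os.listdir(fd_dir)
        except PermissionError:
            # The EACCES seen in the strace above; note who owns the directory.
            denied[int(entry)] = os.stat(fd_dir).st_uid
            continue
        except FileNotFoundError:
            continue  # task exited between the two listdir calls
        for name in names:
            try:
                target = os.readlink(os.path.join(fd_dir, name))
            except OSError:
                continue
            if target.startswith("socket:[") and target.endswith("]"):
                owned[int(target[8:-1])] = int(entry)
    return owned, denied

def attribute(socks, owned):
    """The PID column of netstat -anp: pid, or None when no readable fd dir held it."""
    return {ino: owned.get(ino) for ino in socks}

def build_fake_proc():
    """Constructed /proc stand-in: pid 1 holds inode 31337, nobody holds 40001."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "1", "fd"))
    os.symlink("socket:[31337]", os.path.join(root, "1", "fd", "3"))
    return root
```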


More information about the lxc-users mailing list