Handling unshare() and kernel namespaces

Robert O'Callahan robert at ocallahan.org
Sat Apr 18 13:21:38 UTC 2015


On Sat, Apr 18, 2015 at 3:13 PM, Robert O'Callahan <robert at ocallahan.org>
wrote:

> Getting pid namespaces to work was a bit of a pain. We can no longer use
> the pids returned by system calls (i.e. fork/clone) because they might be
> in a different pid namespace. Instead we observe the
> PTRACE_EVENT_FORK/CLONE and stash a pointer to the new task where
> process_fork/clone can find it.
>

... aaaaand I just discovered that kernels before June 2014 have a bug that
breaks this :-(.
https://github.com/torvalds/linux/commit/4e52365f279564cef0ddd41db5237f0471381093
Firefox sandboxing currently doesn't use pid namespaces, and by the time it
does, maybe most devs will be on newer kernels (he said hopefully). Or
maybe I can think of an easy workaround.

I also discovered that my old Ubuntu test VM kernel for some reason
prevents a tracee using a root-dir-fd chroot-escape to create a file in
/dev/shm, but allows the tracee to create a file in /tmp. Which is weird
but easily worked around by using /tmp.

Rob
-- 
I tell you that anyone who is angry with a brother or sister will be
subject to judgment. Again, anyone who says to a brother or sister, ‘Raca,’
is answerable to the court. And anyone who says, ‘You fool!’ will be in
danger of the fire of hell.
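Added example (my own code, not rr's and not part of Rob's message): a small tracer that reproduces the situation the quoted paragraph describes. The tracer forks a child A; A enters a fresh user+pid namespace (user namespace first, so no privilege is needed) and forks B, which is pid 1 in that namespace; B forks C. B's own fork() returns C's pid as B sees it (2), while the tracer, sitting in the outer namespace, learns C's pid from PTRACE_GETEVENTMSG at the PTRACE_EVENT_FORK stop and can cross-check that number against the pid waitpid() later reports for C. On a kernel carrying the June 2014 fix Rob links (it made the fork event message carry the child's pid in the tracer's namespace) the two tracer-side numbers agree and differ from the tracee's 2; on an older kernel the event message would be the tracee's 2 instead. The process names A/B/C, the functions observe_fork_across_pidns, tracee_a and track, and the result struct are my inventions; the code assumes Linux with unprivileged user namespaces enabled and ptrace permitted (Yama scope at most 1), and reports ok = 0 rather than failing where either is refused.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

struct fork_observation {
    int ok;               /* 1 when every step ran; 0 if ptrace or unshare was refused */
    pid_t tracee_view;    /* what fork() returned inside the nested pid namespace */
    pid_t tracer_view;    /* what PTRACE_GETEVENTMSG reported to the tracer for that fork */
    pid_t grandchild_pid; /* the pid waitpid() later reported for the same grandchild */
};

/* Slot of pid in the seen-table (8 entries), adding it and counting it live if new. */
static int track(pid_t *seen, int *n, int *live, pid_t pid)
{
    for (int i = 0; i < *n; i++)
        if (seen[i] == pid) return i;
    if (*n == 8) return -1;
    seen[*n] = pid;
    (*live)++;
    return (*n)++;
}

/* Process A (hypothetical name): become a tracee, then enter a new user+pid namespace.
 * Only A's children land in the new pid namespace, so B is pid 1 there. B forks C and
 * sends the pid its own fork() returned down the pipe. */
static void tracee_a(int wfd)
{
    if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0) _exit(10);
    raise(SIGSTOP);                                     /* let the tracer set options first */
    if (unshare(CLONE_NEWUSER | CLONE_NEWPID) < 0) _exit(11); /* refused by sandbox/sysctl */
    pid_t b = fork();
    if (b < 0) _exit(12);
    if (b == 0) {
        pid_t c = fork();
        if (c < 0) _exit(13);
        if (c == 0) _exit(0);
        if (write(wfd, &c, sizeof c) != (ssize_t)sizeof c) _exit(14);
        waitpid(c, NULL, 0);
        _exit(0);
    }
    waitpid(b, NULL, 0);
    _exit(0);
}

struct fork_observation observe_fork_across_pidns(void)
{
    struct fork_observation r = {0, 0, 0, 0};
    pid_t seen[8], b = 0, v = 0;
    int n = 0, live = 0, status = 0, pfd[2];
    if (pipe(pfd) < 0) return r;
    pid_t a = fork();
    if (a == 0) { close(pfd[0]); tracee_a(pfd[1]); _exit(0); } /* child never returns */
    close(pfd[1]);
    /* A's raise(SIGSTOP) is the cue to request fork events. Auto-attached descendants
     * inherit the option, so B's fork of C is reported to us as well. */
    if (a > 0 && waitpid(a, &status, 0) == a && WIFSTOPPED(status)) {
        if (ptrace(PTRACE_SETOPTIONS, a, 0, PTRACE_O_TRACEFORK) == 0 &&
            ptrace(PTRACE_CONT, a, 0, 0) == 0)
            track(seen, &n, &live, a);
        else { kill(a, SIGKILL); waitpid(a, NULL, __WALL); }
    }
    while (live > 0) {
        pid_t p = waitpid(-1, &status, __WALL);
        if (p < 0 && errno == EINTR) continue;
        if (p < 0 || track(seen, &n, &live, p) < 0) break; /* ECHILD, or table full */
        if (WIFEXITED(status) || WIFSIGNALED(status)) { live--; continue; }
        if (!WIFSTOPPED(status)) continue;
        int sig = WSTOPSIG(status);
        if (sig == SIGTRAP && (status >> 16) == PTRACE_EVENT_FORK) {
            unsigned long msg = 0;
            ptrace(PTRACE_GETEVENTMSG, p, 0, &msg);
            if (p == a) b = (pid_t)msg;                  /* A forked B, in our own namespace */
            else r.tracer_view = (pid_t)msg;            /* B forked C across the namespace boundary */
            sig = 0;
        } else if (sig == SIGSTOP) sig = 0;             /* initial stop of an auto-attached child */
        ptrace(PTRACE_CONT, p, 0, sig);                 /* any other signal is delivered as-is */
    }
    for (int i = 0; i < n; i++)                         /* C as waitpid() named it: neither A nor B */
        if (seen[i] != a && seen[i] != b) r.grandchild_pid = seen[i];
    if (read(pfd[0], &v, sizeof v) == (ssize_t)sizeof v) r.tracee_view = v;
    close(pfd[0]);
    r.ok = r.tracee_view > 0 && b > 0 && r.tracer_view > 0 && r.grandchild_pid > 0;
    return r;
}

int main(void)
{
    struct fork_observation o = observe_fork_across_pidns();
    if (!o.ok) { puts("skipped: ptrace or unshare(CLONE_NEWUSER|CLONE_NEWPID) refused here"); return 1; }
    printf("B's fork() returned %d; PTRACE_GETEVENTMSG said %d; waitpid() reported %d\n",
           (int)o.tracee_view, (int)o.tracer_view, (int)o.grandchild_pid);
    return o.tracer_view == o.grandchild_pid ? 0 : 2;
}
```

Build with `cc -std=gnu11 -Wall`; exit status 0 means the event message and the later waitpid() pid agreed. The deliberate skip on EPERM is the practitioner's check: inside a container that blocks unshare(CLONE_NEWUSER) the run proves nothing, and a tracer that quietly fell back to the pid the tracee's fork() returned would be making exactly the mistake the quoted paragraph warns about.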