Handling unshare() and kernel namespaces
robert at ocallahan.org
Sat Apr 18 13:21:38 UTC 2015
On Sat, Apr 18, 2015 at 3:13 PM, Robert O'Callahan <robert at ocallahan.org>
> Getting pid namespaces to work was a bit of a pain. We can no longer use
> the pids returned by system calls (i.e. fork/clone) because they might be
> in a different pid namespace. Instead we observe the
> PTRACE_EVENT_FORK/CLONE and stash a pointer to the new task where
> process_fork/clone can find it.
... aaaaand I just discovered that kernels before June 2014 have a bug that
breaks this :-(.
Firefox sandboxing currently doesn't use pid namespaces, and by the time it
does, maybe most devs will be on newer kernels (he said hopefully). Or
maybe I can think of an easy workaround.
I also discovered that my old Ubuntu test VM kernel for some reason
prevents a tracee using a root-dir-fd chroot-escape to create a file in
/dev/shm, but allows the tracee to create a file in /tmp. Which is weird
but easily worked around by using /tmp.
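The mechanism in the quoted paragraph, as an added example that is not rr's code: a tracer ignores the value fork() returned inside the tracee and instead takes the new child's pid from the PTRACE_EVENT_FORK/CLONE stop via PTRACE_GETEVENTMSG. It assumes Linux, ptrace permitted, and the tracer being the tracee's parent; it does not put the tracee in a child pid namespace (that needs privileges), so the two views coincide here, and the comments mark where they would diverge.

```c
/* Added example, not rr's code: take a forked child's pid from the
   PTRACE_EVENT_FORK/CLONE stop (PTRACE_GETEVENTMSG), which is in the
   tracer's pid namespace, not from fork()'s return value in the tracee. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>
struct fork_pids {
    pid_t from_event; /* PTRACE_GETEVENTMSG at the fork/clone event stop */
    pid_t from_wait;  /* the auto-attached child as waitpid() reports it */
};
/* Tracer side: spawn a tracee that forks once; fields stay -1 if ptrace fails. */
struct fork_pids trace_one_fork(void) {
    struct fork_pids r = { -1, -1 };
    int status;
    pid_t tracee = fork();
    if (tracee < 0) return r;
    if (tracee == 0) {                         /* tracee side */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(99);
        raise(SIGSTOP);                        /* let the tracer set options */
        if (fork() == 0) _exit(0);             /* child exits at once */
        _exit(0);  /* fork()'s value would be tracee-namespace-local; not used */
    }
    if (waitpid(tracee, &status, 0) < 0 || !WIFSTOPPED(status)) return r;
    if (ptrace(PTRACE_SETOPTIONS, tracee, NULL,
               (void *)(long)(PTRACE_O_TRACEFORK | PTRACE_O_TRACECLONE)) < 0) return r;
    ptrace(PTRACE_CONT, tracee, NULL, NULL);
    for (;;) {                                 /* until tracee and child are gone */
        pid_t w = waitpid(-1, &status, __WALL); /* __WALL: also clone children */
        if (w < 0) break;                      /* ECHILD: nothing left to trace */
        if (!WIFSTOPPED(status)) continue;     /* an exit, not a ptrace stop */
        int event = status >> 16;              /* PTRACE_EVENT_* code, else 0 */
        if (event == PTRACE_EVENT_FORK || event == PTRACE_EVENT_CLONE) {
            unsigned long msg = 0;
            ptrace(PTRACE_GETEVENTMSG, w, NULL, &msg);
            r.from_event = (pid_t)msg;         /* usable with waitpid/ptrace */
        } else if (w != tracee && r.from_wait == -1) {
            r.from_wait = w;                   /* new child's initial SIGSTOP */
        }
        int sig = WSTOPSIG(status);            /* forward only real signals */
        if (sig == SIGTRAP || sig == SIGSTOP) sig = 0;
        ptrace(PTRACE_CONT, w, NULL, (void *)(long)sig);
    }
    return r;
}
int main(void) { struct fork_pids r = trace_one_fork();
    printf("event pid %d, waitpid pid %d\n", (int)r.from_event, (int)r.from_wait);
    return r.from_event > 0 && r.from_event == r.from_wait ? 0 : 1; }
```

With the tracee inside a child pid namespace, fork() there would return a small namespace-local number while from_event and from_wait still agree in the tracer's namespace; the message above reports that kernels before June 2014 have a bug in this path.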