Hi,

On Monday, 1 April 2019 at 02:52 +0200, Jann Horn wrote:
> One minor detail to keep in mind for the future is that in a
> straightforward implementation of this concept, if a non-capable
> process is running in a mount namespace, but in the initial network
> namespace, without any reachable /proc mount, it will be able to look
> at information about other processes' network connections by first
> using pidfd_open() on itself or by using clone(CLONE_PIDFD), then
> looking at the "net" directory under the resulting file descriptor.

I also think it would punch a hole in chroot() ... (but in 2019, nobody
should rely on it for security purposes).

Regards.

-- 
Yann Droneaud
OPTEYA
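The leak Jann Horn describes, as an added example that is not part of this thread or of the pidfd patches: it assumes the proposed pidfd would behave like a directory fd onto /proc/<pid>, and stands that in with an explicit open("/proc/self", O_PATH), because the pidfds that were eventually merged are anonymous inodes that openat() cannot traverse. Once such a dirfd exists, "net/tcp" of the task's network namespace (here the initial one) is readable through openat() even from an empty chroot in which no /proc path resolves, which is also the chroot() hole mentioned above. The helpers read_via_dirfd and count_tcp_rows are hypothetical names chosen for this example; the chroot part runs only as root (CAP_SYS_CHROOT), the dirfd read runs unprivileged.

```c
/* Added example, not code from the LKML thread or the pidfd series.
 * ASSUMPTION: the proposed pidfd is modelled by a directory fd onto
 * /proc/self; merged pidfds are anonymous inodes and cannot be used
 * as the dirfd argument of openat(). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Read up to len-1 bytes of `rel`, resolved relative to dirfd, into buf and
 * NUL-terminate it. Returns the byte count or -1 with errno set. Lookup
 * starts at dirfd, so no /proc mount has to be reachable by path. */
ssize_t read_via_dirfd(int dirfd, const char *rel, char *buf, size_t len)
{
    int fd = openat(dirfd, rel, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    size_t off = 0;
    while (off < len - 1) {
        ssize_t n = read(fd, buf + off, len - 1 - off);
        if (n < 0) { int e = errno; close(fd); errno = e; return -1; }
        if (n == 0)
            break;
        off += (size_t)n;
    }
    close(fd);
    buf[off] = '\0';
    return (ssize_t)off;
}

/* Count socket rows in a /proc/<pid>/net/tcp dump (every line after the
 * header). The rows belong to the whole network namespace, not only to
 * the process whose /proc entry was used. */
int count_tcp_rows(const char *dump)
{
    int lines = 0;
    for (const char *p = dump; *p; p++)
        if (*p == '\n')
            lines++;
    return lines > 0 ? lines - 1 : 0;
}

int main(void)
{
    /* Stand-in for the proposed pidfd: a directory fd onto our own /proc entry,
     * taken while /proc is still reachable. */
    int selfdir = open("/proc/self", O_PATH | O_DIRECTORY | O_CLOEXEC);
    if (selfdir < 0) { perror("open /proc/self"); return 1; }

    if (geteuid() != 0) {
        fprintf(stderr, "not root: skipping the chroot part, reading via dirfd only\n");
    } else {
        char jail[] = "/tmp/jail.XXXXXX";   /* empty directory, no /proc inside */
        if (!mkdtemp(jail) || chroot(jail) != 0 || chdir("/") != 0) {
            perror("chroot");
            return 1;
        }
        /* Inside the chroot the path-based lookup has nothing to find ... */
        if (open("/proc/self/net/tcp", O_RDONLY) < 0)
            printf("by path:   /proc/self/net/tcp -> %s\n", strerror(errno));
    }

    /* ... but the dirfd still resolves "net/tcp" of the initial netns. */
    static char buf[1 << 16];
    ssize_t n = read_via_dirfd(selfdir, "net/tcp", buf, sizeof buf);
    if (n < 0) { perror("openat(selfdir, \"net/tcp\")"); return 1; }
    printf("via dirfd: %zd bytes, %d TCP socket rows visible\n", n, count_tcp_rows(buf));
    return 0;
}
```

Run it unprivileged to see the dirfd read succeed, and as root to see the same read succeed from a chroot where the path lookup fails with ENOENT. The same property holds for any fd-relative interface (openat2(), fstatat(), readlinkat()): a directory fd is a capability, and handing one out for /proc/<pid> hands out everything beneath it, including the per-namespace "net" tree.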