On Tue, Jun 07, 2016 at 07:29:37PM +0800, Zhao Lei wrote: > In current system, when we set core_pattern to a pipe, both pipe program > and program's output are in host's filesystem. > But when we set core_pattern to a file, the container will write dump > into container's filesystem. > > For example, when we set following core_pattern: > # echo "|/my_dump_pipe %s %c %p %u %g %t e" >/proc/sys/kernel/core_pattern > and trigger a segment fault in a container, my_dump_pipe is searched from > host's filesystem, and it will write coredump into host's filesystem too. > > In a privileged container, user can destroy host system by following > command: > # # In a container > # echo "|/bin/dd of=/boot/vmlinuz" >/proc/sys/kernel/core_pattern > # make_dump > > Actually, all operation in a container should not change host's > environment, the container should use core_pattern as its private setting. > In detail, in core dump action: > 1: Search pipe program in container's fs namespace. > 2: Run pipe program in container's fs namespace to write coredump to it. > > This patch fixed above problem by running pipe program with container's > fs_root. > This does not look sufficient, but I can't easily verify. For instance, is the spawned process able to attach itself with ptrace to processes outside of the original container? Even if not, can it mount procfs and use /proc/pid/root of processes outside of said container? The spawned process should be subject to all limitations imposed on the container (which may mean it just must be in the container). -- Mateusz Guzik _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
