It appears as though the addition of the PID namespace did not update the output code for /proc/$pid/sched, which made it trivial to figure out whether a process was inside &init_pid_ns from userspace (making container detection trivial[1]). This lead to situations such as: % unshare -pf head -n1 /proc/self/sched head (10047, #threads: 1) Fix this by just using task_pid_vnr for the output of /proc/$pid/sched. All of the other uses of task_pid_nr in kernel/sched/debug.c are from a sysctl context and thus don't need to be namespaced. [1]: https://github.com/jessfraz/amicontained Cc: <stable@xxxxxxxxxxxxxxx> Cc: Jess Frazelle <acidburn@xxxxxxxxxx> Signed-off-by: Aleksa Sarai <asarai@xxxxxxxx> --- kernel/sched/debug.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/sched/debug.c b/kernel/sched/debug.c index 4fa66de52bd6..a06acbe33e16 100644 --- a/kernel/sched/debug.c +++ b/kernel/sched/debug.c @@ -876,7 +876,7 @@ void proc_sched_show_task(struct task_struct *p, struct seq_file *m) { unsigned long nr_switches; - SEQ_printf(m, "%s (%d, #threads: %d)\n", p->comm, task_pid_nr(p), + SEQ_printf(m, "%s (%d, #threads: %d)\n", p->comm, task_pid_vnr(p), get_nr_threads(p)); SEQ_printf(m, "---------------------------------------------------------" -- 2.13.3