On Sun, Aug 06, 2017 at 02:41:41PM +1000, Aleksa Sarai wrote: > It appears as though the addition of the PID namespace did not update > the output code for /proc/*/sched, which resulted in it providing PIDs > that were not self-consistent with the /proc mount. This additionally > made it trivial to detect whether a process was inside &init_pid_ns from > userspace (making container detection trivial[1]). This lead to > situations such as: > > % unshare -pmf > % mount -t proc proc /proc > % head -n1 /proc/1/sched > head (10047, #threads: 1) > > Fix this by just using task_pid_nr_ns for the output of /proc/*/sched. > All of the other uses of task_pid_nr in kernel/sched/debug.c are from a > sysctl context and thus don't need to be namespaced. > > [1]: https://github.com/jessfraz/amicontained > > Cc: <stable@xxxxxxxxxxxxxxx> > Cc: Jess Frazelle <acidburn@xxxxxxxxxx> > Signed-off-by: Aleksa Sarai <asarai@xxxxxxxx> Thanks!