It was <2014-07-08 wto 18:30>, when Ben Hutchings wrote: > On Tue, 2014-07-08 at 16:33 +0200, Łukasz Stelmach wrote: >> Package: src:linux >> Version: 3.2.60-1+deb7u1 >> Severity: normal >> >> Dear Maintainer, >> >> tl;dr: init in a container (PID namespace) can call reboot(2) and >> shutdown the host machine. > > Yes, and you need real user namespaces (as introduced in Linux 3.7) to > prevent this.
It does not *seem* the so on 3.14-0.bpo.1-amd64: --8<---------------cut here---------------start------------->8--- # ls -l /proc/1/ns total 0 lrwxrwxrwx 1 root root 0 Jul 9 10:39 ipc -> ipc:[4026531839] lrwxrwxrwx 1 root root 0 Jul 9 10:39 mnt -> mnt:[4026531840] lrwxrwxrwx 1 root root 0 Jul 9 10:39 net -> net:[4026531968] lrwxrwxrwx 1 root root 0 Jul 9 10:39 pid -> pid:[4026531836] lrwxrwxrwx 1 root root 0 Jul 9 10:39 user -> user:[4026531837] lrwxrwxrwx 1 root root 0 Jul 9 10:39 uts -> uts:[4026531838] # ls -l /proc/2572/ns/ total 0 lrwxrwxrwx 1 root root 0 Jul 9 10:34 ipc -> ipc:[4026532358] lrwxrwxrwx 1 root root 0 Jul 9 10:34 mnt -> mnt:[4026532356] lrwxrwxrwx 1 root root 0 Jul 9 10:34 net -> net:[4026531968] lrwxrwxrwx 1 root root 0 Jul 9 10:34 pid -> pid:[4026532359] lrwxrwxrwx 1 root root 0 Jul 9 10:34 user -> user:[4026531837] lrwxrwxrwx 1 root root 0 Jul 9 10:34 uts -> uts:[4026532357] --8<---------------cut here---------------end--------------->8--- PID 2572 is a contained systemd and it works in the same user (and net) namespace as PID 1. >> Please refer to [1] for a detailed description of symptoms. >> >> After some investigation and thanks to help received from systemd >> developers I can tell the problems can be solved by applying [2] to the >> kernel. The patch is relatively old, it has been released only three >> months after 3.2.0 so I hope applying it wouldn't be a problem. > [...] > > This change seems to make containers work better, but it does not > improve security. I'm not sure whether this is sufficient justification > for a stable update. Please can you ask the stable release team > (debian-rele...@lists.debian.org) to consider this. Sent. -- Łukasz Stelmach Samsung R&D Institute Poland Samsung Electronics
pgpZTbHl0c92W.pgp
Description: PGP signature