On Tue, Jan 31, 2017 at 11:34:43AM +0100, Christian Brauner wrote:
> I've reproduced this on a fresh standard xenial instance with LXD
> 2.0.8 and also on a xenial instance with a patched glibc that reports
> ENODEV on ttyname{_r}() on a pty fd that does not exist:
>
> root@x:~# ./enodev_on_pty_in_different_namespace
> ttyname(): The pty device might exist in a different namespace: No such device
> ttyname_r(): The pty device might exist in a different namespace: No such device

So to make this a little more elaborate:

- I managed to reproduce this with an unpatched glibc inside and outside the container, just like @Tyler outlined.
- I managed to reproduce this with a patched glibc inside the container and an unpatched glibc outside the container.
- I managed to reproduce this with a patched glibc inside and outside the container.

So a patched glibc which returns ENODEV in case a symlink like /proc/self/fd/0 points to a pts device that lives in another namespace does not improve the situation. The problem that @Tyler outlined still exists.

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1641236

Title:
  Confined processes inside container cannot fully access host pty device passed in by lxc exec

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1641236/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs