[PATCH][RFC] v2 exec: move core_pattern pipe helper into the crashing namespace
Eric W. Biederman
ebiederm at xmission.com
Mon Sep 20 11:34:00 PDT 2010
Will Drewry <wad at chromium.org> writes:
> Presently, a core_pattern pipe endpoint will be run in the init
> namespace. It will receive the virtual pid (task_tgid_vnr->%p) of the
> core dumping process but will have no access to that processes /proc
> without walking the init namespace /proc looking through all the global
> pids until it finds the one it thinks matches.
> One option for fixing this is to change the reported pid:
> However, it's unclear if it is desirable for the core_pattern to run
> outside the namespace. In particular, it can easily access the mounts
> via /proc/[pid_nr]/root, but if there is a net namespace, it will not
> have access. (Originally introduced in 2007 in commit
> b488893a390edfe027bae7a46e9af8083e740668 )
> Instead, this change implements the more complex option two. It
> migrates the ____call_usermodehelper() thread into the same namespaces
> as the dumping process. It does not assign a pid in that namespace so
> the collector will appear to be pid 0 in the namespace.
I like the direction this is going but as structured this looks like a
security exploit waiting to happen.
The pipe process needs to run in the namespaces of the process who set
the core pattern, not in the namespaces of the dumping process.
Otherwise it is possible to trigger a privileged process to run in a
context where it's reality that it expected, causing it to misuse
it's privileges. Even if we don't have a privilege problem I think
we will have a case of mismatched functionality where the core pattern
will not work as expected.
I believe the solution here is to move the core pattern into the pid
namespace and to capture the namespaces when set, but if the core
pattern hasn't been set to use the core pattern of the parent pid
More information about the Containers