← Back to team overview

kernel-packages team mailing list archive

  1. kernel-packages team
  2. Mailing list archive
  3. Message #144619

[Bug 1357588] Re: 3.13.0-24 broke nested unprivileged LXC

  Thread PreviousDate PreviousThread Next 
** Changed in: linux (Ubuntu)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1357588

Title:
  3.13.0-24 broke nested unprivileged LXC

Status in linux package in Ubuntu:
  Fix Released

Bug description:
  The recent security update kernel broke nested unprivileged LXC containers as those attempt to do the following:
  access("/usr/lib/x86_64-linux-gnu/lxc/dev/console", F_OK) = 0
  mount("/dev/console", "/usr/lib/x86_64-linux-gnu/lxc/dev/console", 0x7fff406cd9e9, MS_BIND, NULL) = 0
  mount("/dev/console", "/usr/lib/x86_64-linux-gnu/lxc/dev/console", 0x7fff406cd9e9, MS_REMOUNT|MS_BIND, NULL) = -1 EPERM (Operation not permitted)

  The user visible error looks like:
  lxc-start: Operation not permitted - failed to mount '/dev/console' on '/usr/lib/x86_64-linux-gnu/lxc/dev/console'
  lxc-start 1408142401.327 DEBUG    lxc_conf - remounting /dev/console on /usr/lib/x86_64-linux-gnu/lxc/dev/console to respect bind or remount options
  lxc-start 1408142401.327 ERROR    lxc_conf - Operation not permitted - failed to mount '/dev/console' on '/usr/lib/x86_64-linux-gnu/lxc/dev/console'

  Followed by a complete failure to start the container.
  access("/usr/lib/x86_64-linux-gnu/lxc/dev/console", F_OK) = 0
  mount("/dev/console", "/usr/lib/x86_64-linux-gnu/lxc/dev/console", 0x7fff406cd9e9, MS_BIND, NULL) = 0
  mount("/dev/console", "/usr/lib/x86_64-linux-gnu/lxc/dev/console", 0x7fff406cd9e9, MS_REMOUNT|MS_BIND, NULaccess("/usr/lib/x86_64-linux-gnu/lxc/dev/console", F_OK) = 0
  mount("/dev/console", "/usr/lib/x86_64-linux-gnu/lxc/dev/console", 0x7fff406cd9e9, MS_BIND, NULL) = 0
  mount("/dev/console", "/usr/lib/x86_64-linux-gnu/lxc/dev/console", 0x7fff406cd9e9, MS_REMOUNT|MS_BIND, NULL) = -1 EPERM (Operation not permitted)
  L) = -1 EPERM (Operation not permitted)

  As far as I can tell, LXC isn't doing anything particularly wrong
  there and this should succeed. Serge suggested we attempt to pass
  MS_NODEV to the remount call but that didn't help either.

  There are good chances the following upstream patch fixes this:
  http://lkml.org/lkml/2014/8/13/746

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1357588/+subscriptions

References

  Thread PreviousDate PreviousThread Next