kernel-packages team mailing list archive

[Bug 1322067] Re: 3.15.0-1.x breaks lxc-attach for unprivileged containers


Fwiw, I suspect the reason for clamping down permissions on the
personality file is because it has an ADDR_NO_RANDOMIZE flag. Perhaps
the rationale is that having this file world-readable means that an
attacker could scan for processes that are vulnerable to an attack which
would otherwise be mitigated by ASLR. Just a guess.

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1322067

Title:
  3.15.0-1.x breaks lxc-attach for unprivileged containers

Status in “linux” package in Ubuntu:
  Confirmed
Status in “linux” source package in Utopic:
  Confirmed

Bug description:
  An unprivileged call to lxc-attach fails with kernel 3.15.0.1.2, but
  works fine using 3.13.0-24-generic.

  Under 3.15.0.1.2, attempting to connect to a running unprivileged
  container:

  $ lxc-attach --clear-env -n trusty -- /bin/true
  lxc-attach: Permission denied - Could not open /proc/3805/personality
  lxc-attach: failed to get context of the init process, pid = 3805

  Note that lxc-start and lxc-console are not affected.

  To recreate:

  1) Create an unpriv container:

  $ lxc-create -n utopic -t download -- -d ubuntu -r utopic -a amd64

  2) Boot with 3.13.0-24-generic

  3) Start the container:
  $ lxc-start -n utopic

  4) Run a command in the container:

  $ lxc-attach -n utopic --clear-env -n trusty -- /bin/true

  5) Reboot into 3.15.0.1.2 and re-run the lxc-start and lxc-attach.

  6) Observe the EPERM error.

  ProblemType: Bug
  DistroRelease: Ubuntu 14.10
  Package: linux-generic 3.15.0.1.2
  ProcVersionSignature: Ubuntu 3.13.0-24.47-generic 3.13.9
  Uname: Linux 3.13.0-24-generic x86_64
  ApportVersion: 2.14.2-0ubuntu4
  Architecture: amd64
  AudioDevicesInUse:
   USER        PID ACCESS COMMAND
   /dev/snd/controlC1:  james      2827 F.... pulseaudio
   /dev/snd/pcmC1D0p:   james      2827 F...m pulseaudio
   /dev/snd/controlC0:  james      2827 F.... pulseaudio
  CurrentDesktop: Unity
  Date: Thu May 22 07:21:55 2014
  HibernationDevice: RESUME=UUID=db600bbe-faca-41f4-9338-c3e8e227599a
  InstallationDate: Installed on 2014-04-11 (40 days ago)
  InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Daily amd64 (20140409)
  MachineType: LENOVO 20AQCTO1WW
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-3.13.0-24-generic root=/dev/mapper/ubuntu--vg-root ro quiet splash vt.handoff=7
  RelatedPackageVersions:
   linux-restricted-modules-3.13.0-24-generic N/A
   linux-backports-modules-3.13.0-24-generic  N/A
   linux-firmware                             1.129
  SourcePackage: linux
  UpgradeStatus: Upgraded to utopic on 2014-05-08 (13 days ago)
  dmi.bios.date: 02/10/2014
  dmi.bios.vendor: LENOVO
  dmi.bios.version: GJET71WW (2.21 )
  dmi.board.asset.tag: Not Available
  dmi.board.name: 20AQCTO1WW
  dmi.board.vendor: LENOVO
  dmi.board.version: 0B98405 STD
  dmi.chassis.asset.tag: No Asset Information
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  dmi.chassis.version: Not Available
  dmi.modalias: dmi:bvnLENOVO:bvrGJET71WW(2.21):bd02/10/2014:svnLENOVO:pn20AQCTO1WW:pvrThinkPadT440s:rvnLENOVO:rn20AQCTO1WW:rvr0B98405STD:cvnLENOVO:ct10:cvrNotAvailable:
  dmi.product.name: 20AQCTO1WW
  dmi.product.version: ThinkPad T440s
  dmi.sys.vendor: LENOVO

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1322067/+subscriptions
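Added example (not part of the bug thread or of the lxc code): a small C program that does what lxc-attach is failing to do in the report above, namely open /proc/<pid>/personality, parse the hexadecimal persona word, and check the ADDR_NO_RANDOMIZE bit that the comment speculates about. Reading the file returns -errno on failure, so on the affected kernel the init pid of an unprivileged container yields -EACCES ("Permission denied") while the reporter's own processes still succeed. The flag value 0x0040000 is the one defined in <linux/personality.h>; the function names and the fallback pid of getpid() are this example's own choices.

```c
/* Added example: read and decode /proc/<pid>/personality, as lxc-attach
 * does, and report whether ASLR is disabled for that process. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef ADDR_NO_RANDOMIZE
#define ADDR_NO_RANDOMIZE 0x0040000 /* value from <linux/personality.h> */
#endif

/* Parse the text form found in /proc/<pid>/personality, e.g. "00040000\n".
 * Returns 0 and fills *out, or -EINVAL if the text is not a hex number. */
int parse_personality(const char *text, unsigned long *out)
{
    char *end;
    errno = 0;
    unsigned long v = strtoul(text, &end, 16);
    if (errno != 0 || end == text)
        return -EINVAL;
    *out = v;
    return 0;
}

/* True when the persona has ADDR_NO_RANDOMIZE set, i.e. ASLR is off. */
int aslr_disabled(unsigned long persona)
{
    return (persona & ADDR_NO_RANDOMIZE) != 0;
}

/* Read /proc/<pid>/personality. Returns 0 and fills *out, or -errno.
 * With the 3.15 kernels in the report, another user's (or an unprivileged
 * container's) init process gives -EACCES here, matching the lxc-attach
 * "Permission denied" message. */
int read_proc_personality(pid_t pid, unsigned long *out)
{
    char path[64], buf[32];
    snprintf(path, sizeof path, "/proc/%ld/personality", (long)pid);
    FILE *f = fopen(path, "r");
    if (!f)
        return -errno;
    if (!fgets(buf, sizeof buf, f)) {
        int e = errno ? errno : EIO;
        fclose(f);
        return -e;
    }
    fclose(f);
    return parse_personality(buf, out);
}

/* Usage: ./persona [pid]   (defaults to the caller's own pid, an assumption
 * of this example) */
int main(int argc, char **argv)
{
    pid_t pid = argc > 1 ? (pid_t)atol(argv[1]) : getpid();
    unsigned long p;
    int rc = read_proc_personality(pid, &p);
    if (rc < 0) {
        fprintf(stderr, "pid %ld: cannot read personality: %s\n",
                (long)pid, strerror(-rc));
        return 1;
    }
    printf("pid %ld: personality 0x%lx, ASLR %s\n", (long)pid, p,
           aslr_disabled(p) ? "disabled (ADDR_NO_RANDOMIZE)" : "active");
    return 0;
}
```

Run it against the container's init pid from the report (./persona 3805) on both kernels: on 3.13 it prints the persona word, on 3.15 it prints "Permission denied" from the same fopen() that lxc-attach performs.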

