On 02/14/2013 10:23 PM, Eric W. Biederman wrote:
With recent changes this is tied to the initial user namespace. So the
simple solution to this and so many other similar security problems is
to run your container in a user namespace.
The permission check currently is capable(CAP_SYS_ADMIN) w
Corey Minyard writes:
> On 02/13/2013 01:08 PM, Eric W. Biederman wrote:
>> Bruno Prémont writes:
>>
>>> CCing containers list
>>>
>>> On Fri, 08 February 2013 miny...@acm.org wrote:
From: Corey Minyard
The console redirect - ioctl(fd, TIOCCONS) - is not in a namespace,
thus
On 02/13/2013 01:08 PM, Eric W. Biederman wrote:
Bruno Prémont writes:
CCing containers list
On Fri, 08 February 2013 miny...@acm.org wrote:
From: Corey Minyard
The console redirect - ioctl(fd, TIOCCONS) - is not in a namespace,
thus a container can do a redirect and grab all the I/O on th
Bruno Prémont writes:
> CCing containers list
>
> On Fri, 08 February 2013 miny...@acm.org wrote:
>> From: Corey Minyard
>>
>> The console redirect - ioctl(fd, TIOCCONS) - is not in a namespace,
>> thus a container can do a redirect and grab all the I/O on the host
>> and all container consoles
CCing containers list
On Fri, 08 February 2013 miny...@acm.org wrote:
> From: Corey Minyard
>
> The console redirect - ioctl(fd, TIOCCONS) - is not in a namespace,
> thus a container can do a redirect and grab all the I/O on the host
> and all container consoles.
>
> This change puts the redire
From: Corey Minyard
The console redirect - ioctl(fd, TIOCCONS) - is not in a namespace,
thus a container can do a redirect and grab all the I/O on the host
and all container consoles.
This change puts the redirect in the pid namespace.
Signed-off-by: Corey Minyard
---
I'm pretty sure this pat
6 matches