The patch in comment #4 of bug 1726372 was mostly complete but issues were discovered late as we approached the CRD for the CVEs described in that bug:

1) The patch should be updated to forward the new dump_mode argument into the container. This is a trivial change.

2) The patch changed the functionality of apport so that it processes, in the host, all crashes that come from a "non-full" container. The PoC in the description of bug 1726372 simply creates a PID namespace, without a new mount namespace, and then calls abort(). The behavioral change introduced by the patch resulted in apport writing the core dump to /tmp/core when it didn't do that before because it ignored such crashes.

3) The combination of the patch and the fix for CVE-2017-14177, which added a new required dump_mode command line option to Apport, made it potentially dangerous for an updated Apport in the host to forward a crash to a non-updated Apport in a container as the dump_mode parameter would be treated as the global_pid in the container's Apport.

These three issues are why we had to make the decision to (temporarily) drop container crash forwarding. I won't be directly involved in re-enabling the container crash forwarding support but please feel free to ping me for a review, if needed.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14177

https://bugs.launchpad.net/bugs/1732518

Title: Please re-enable container support in apport

Status in apport package in Ubuntu: Triaged
Status in apport source package in Xenial: Triaged
Status in apport source package in Zesty: Triaged
Status in apport source package in Artful: Triaged
Status in apport source package in Bionic: Triaged

Bug description:
The latest security update for apport disabled container crash forwarding, this is a feature which users do rely on in production and while it may have been appropriate to turn it off to put a security update out, this needs to be re-enabled ASAP.
I provided a patch which fixed the security issue before the security issue was publicly disclosed so pushing an SRU to all Ubuntu releases re-enabling this code should be pretty trivial.
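
Issue 3 in the message above, as an added example that is not part of the original message and is not Apport's code: it shows how a receiver that binds arguments by position reads a newly inserted dump_mode as global_pid, and how a strict argument-count check rejects the call instead. The field order, the lenient receiver that ignores surplus arguments, and every name below are assumptions made for illustration.

```python
# Added illustration only: the field layouts are assumed for the demo,
# they are not taken from Apport's source.
LEGACY = ("pid", "signal", "core_ulimit", "global_pid")                # non-updated receiver
UPDATED = ("pid", "signal", "core_ulimit", "dump_mode", "global_pid")  # updated sender


def build_argv(values, layout):
    """Serialize named crash fields into positional arguments for `layout`."""
    return [str(values[name]) for name in layout]


def parse_lenient(argv, layout):
    """Model a receiver that binds by position and ignores surplus arguments."""
    return dict(zip(layout, argv))


def parse_strict(argv, layout):
    """Receiver-side check: refuse any argument count it was not written for."""
    if len(argv) != len(layout):
        raise ValueError(f"expected {len(layout)} arguments, got {len(argv)}")
    return dict(zip(layout, argv))


def misbound_fields(values, sender, receiver):
    """Return {field: (sent, received)} for fields the receiver reads wrongly."""
    seen = parse_lenient(build_argv(values, sender), receiver)
    return {name: (str(values[name]), seen[name])
            for name in receiver if seen[name] != str(values[name])}


# Constructed sample crash record (values are made up for the demo).
CRASH = {"pid": 42, "signal": 6, "core_ulimit": 0,
         "dump_mode": 1, "global_pid": 31337}

if __name__ == "__main__":
    # Updated sender -> non-updated receiver: dump_mode lands in global_pid.
    print(misbound_fields(CRASH, UPDATED, LEGACY))
    try:
        parse_strict(build_argv(CRASH, UPDATED), LEGACY)
    except ValueError as exc:
        print("strict receiver rejects the forwarded crash:", exc)
```

A strict check only helps on receivers that already have it; for a non-updated receiver the sender has to decide not to forward, which is the position the message describes.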

