runc/security
Andrey Vagin 444cc2989a namespaces: allow to use pid namespace without mount namespace
The gocapability package uses /proc/PID/status to get a bounding set.
If a container uses pidns without mntns, it sees /proc from the host
namespace, but the process doesn't know its own pid in this namespace.

In this case it can use /proc/self/status, which is always the right one.

Signed-off-by: Andrew Vagin <avagin@openvz.org>
2015-02-04 01:01:43 +03:00
capabilities namespaces: allow to use pid namespace without mount namespace 2015-02-04 01:01:43 +03:00
restrict Migrate selinux system xattr calls and prctl calls 2014-07-14 16:55:49 -07:00