
Bug#754193: linux-image-3.2.0-4-amd64: reboot(2) called from a PID namespace shuts down a host



It was <2014-07-08 Tue 18:30>, when Ben Hutchings wrote:
> On Tue, 2014-07-08 at 16:33 +0200, Łukasz Stelmach wrote:
>> Package: src:linux
>> Version: 3.2.60-1+deb7u1
>> Severity: normal
>> 
>> Dear Maintainer,
>> 
>> tl;dr: init in a container (PID namespace) can call reboot(2) and
>> shut down the host machine.
>
> Yes, and you need real user namespaces (as introduced in Linux 3.7) to
> prevent this.

It does not *seem* so on 3.14-0.bpo.1-amd64:

--8<---------------cut here---------------start------------->8---
# ls -l /proc/1/ns
total 0
lrwxrwxrwx 1 root root 0 Jul  9 10:39 ipc -> ipc:[4026531839]
lrwxrwxrwx 1 root root 0 Jul  9 10:39 mnt -> mnt:[4026531840]
lrwxrwxrwx 1 root root 0 Jul  9 10:39 net -> net:[4026531968]
lrwxrwxrwx 1 root root 0 Jul  9 10:39 pid -> pid:[4026531836]
lrwxrwxrwx 1 root root 0 Jul  9 10:39 user -> user:[4026531837]
lrwxrwxrwx 1 root root 0 Jul  9 10:39 uts -> uts:[4026531838]
# ls -l /proc/2572/ns/
total 0
lrwxrwxrwx 1 root root 0 Jul  9 10:34 ipc -> ipc:[4026532358]
lrwxrwxrwx 1 root root 0 Jul  9 10:34 mnt -> mnt:[4026532356]
lrwxrwxrwx 1 root root 0 Jul  9 10:34 net -> net:[4026531968]
lrwxrwxrwx 1 root root 0 Jul  9 10:34 pid -> pid:[4026532359]
lrwxrwxrwx 1 root root 0 Jul  9 10:34 user -> user:[4026531837]
lrwxrwxrwx 1 root root 0 Jul  9 10:34 uts -> uts:[4026532357]
--8<---------------cut here---------------end--------------->8---

PID 2572 is a contained systemd and it works in the same user (and net)
namespace as PID 1.

>> Please refer to [1] for a detailed description of symptoms.
>> 
>> After some investigation and thanks to help received from systemd
>> developers I can tell the problems can be solved by applying [2] to the
>> kernel. The patch is relatively old, it has been released only three
>> months after 3.2.0 so I hope applying it wouldn't be a problem.
> [...]
>
> This change seems to make containers work better, but it does not
> improve security.  I'm not sure whether this is sufficient justification
> for a stable update.  Please can you ask the stable release team
> (debian-release@lists.debian.org) to consider this.

Sent.

-- 
Łukasz Stelmach
Samsung R&D Institute Poland
Samsung Electronics
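
An added example, not part of the original message: a shell helper that compares the /proc/<pid>/ns links of two processes, as the listing above does by eye, and reports the case shown there (own PID namespace, user namespace shared with PID 1). The function names and verdict labels are this example's own.

```shell
#!/bin/sh
# Added example: compare the namespace links of two processes.
# Arguments are directories holding the ns symlinks, for instance
# /proc/1/ns and /proc/2572/ns (reading them normally requires root).

# Print "shared", "separate" or "unknown" for one namespace type ($3).
ns_state() {
    a=$(readlink "$1/$3" 2>/dev/null) || { echo unknown; return; }
    b=$(readlink "$2/$3" 2>/dev/null) || { echo unknown; return; }
    if [ "$a" = "$b" ]; then echo shared; else echo separate; fi
}

# Classify the second process relative to the first:
#   pid-only   own PID namespace, user namespace shared with the first
#   userns     own PID namespace and own user namespace
#   same-pidns not in a separate PID namespace at all
#   unknown    a link could not be read
ns_verdict() {
    p=$(ns_state "$1" "$2" pid)
    u=$(ns_state "$1" "$2" user)
    case "$p/$u" in
        separate/shared)   echo pid-only ;;
        separate/separate) echo userns ;;
        shared/*)          echo same-pidns ;;
        *)                 echo unknown ;;
    esac
}

# Print one line per namespace type, then the verdict.
compare_ns() {
    for ns in ipc mnt net pid user uts; do
        printf '%-5s %s\n' "$ns" "$(ns_state "$1" "$2" "$ns")"
    done
    echo "verdict: $(ns_verdict "$1" "$2")"
}

# Example: sh compare_ns.sh /proc/1/ns /proc/2572/ns
if [ $# -eq 2 ]; then
    compare_ns "$1" "$2"
fi
```
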
