© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
a60fb26
(Get the code!)
The patch above was tested with:
- Normal crash on host (processed as normal host binary crash)
- Crash in a proper container without apport forwarding (dropped due to lack of forwarder)
- Crash in a proper container with apport forwarding (processed by container apport)
- Crash in a user namespace (processed as normal host binary crash)
- Crash in a user namespace with a mount namespace and apport forwarding (rejected due to lack of pid namespace)
- Crash in a user namespace with a pid namespace and a mount namespace and apport forwarding (rejected by new uid/gid check)
I didn't try the symlink side of the report as it's a much more obvious fix and as socket connections have worked with this patch, the mitigation must be working too.
Note that to prevent accidents due to the chroot() call, I've added a WARNING stating that we should not import anything past that point AND I've added logic to disable python module import entirely too.