Bug 1120579

Summary: As root in unprivileged container, cannot kill process of different user
Product: Red Hat Enterprise Linux 7
Reporter: Jan Pazdziora <jpazdziora>
Component: docker
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
QA Contact: Virtualization Bugs <virt-bugs>
Severity: unspecified
Priority: unspecified
Version: 7.0
CC: bsarathy, dwalsh, lsu, mjenner
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2014-09-18 20:46:22 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1109938

Description Jan Pazdziora 2014-07-17 08:32:47 UTC
Description of problem:

I am able to start processes in an unprivileged container via runuser (but see bug 1120567 about it being broken in docker 1+). However, I do not seem to be able to kill the process from my root shell anymore.

Version-Release number of selected component (if applicable):

docker-0.11.1-22.el7.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. Run # docker run -ti rhel7 /bin/bash
2. In the container install /usr/bin/ps: bash-4.2# yum install -y /usr/bin/ps
3. In the container, run process as different user: bash-4.2# runuser -u ftp sleep 6000 &
4. Get the pid of the sleep process: bash-4.2# ps au | grep sleep
root        33  0.0  0.0  41360  1440 ?        S    04:28   0:00 runuser -u ftp sleep 6000
ftp         34  0.0  0.0   4312   360 ?        S    04:28   0:00 sleep 6000
root        46  0.0  0.0   9032   672 ?        S+   04:29   0:00 grep sleep
5. Attempt to kill the process: bash-4.2# kill 34 ; echo $?

Actual results:

bash: kill: (34) - Operation not permitted
1

Expected results:

0

and process killed.

Additional info:

I can send the signal to the process via runuser: runuser -u ftp kill 34

Comment 2 Daniel Walsh 2014-07-22 17:33:21 UTC
With docker-1.1.1 I get a different error: basically runuser is failing.

It works if I execute:

docker run --cap-add audit_write --rm -ti fedora /bin/sh

And in this case I don't see a problem with killing the process.

pscap shows the following access.

20785 6386  root        sh                chown, dac_override, fowner, fsetid, kill, setgid, setuid, setpcap, net_bind_service, net_raw, sys_chroot, mknod, audit_write, setfcap, cap_37
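The pscap line above is a decoded view of the container's effective capability set; the raw form lives in the CapEff field of /proc/<pid>/status as a hex bitmask. The script below is an added example (not from this bug report, Docker, or pscap) that decodes such a mask with the same names pscap uses, reports which capabilities a required list is missing, and models the kill(2) permission rule (CAP_KILL, or a matching real/effective UID against the target's real or saved set-user-ID) to show why root inside the container gets EPERM. The status snippet is constructed, with both kill and audit_write cleared; 0xa80425fb is the mask that corresponds to the capability names pscap printed above (ignoring cap_37). The model ignores user namespaces and the SIGCONT same-session exception.

```python
"""Decode a Linux capability bitmask (CapEff etc. from /proc/<pid>/status)
and check it against what an operation needs.  Added example; the sample
status text below is constructed, not captured from the bug's container."""
import re

# Capability bit numbers as defined in <linux/capability.h>, index == bit.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]
CAP_BIT = {name: bit for bit, name in enumerate(CAP_NAMES)}

# Constructed /proc/<pid>/status excerpt: root in a container whose
# effective set lacks both kill (bit 5) and audit_write (bit 29).
SAMPLE_STATUS = (
    "Name:\tbash\n"
    "Pid:\t1\n"
    "Uid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000880425db\n"
    "CapEff:\t00000000880425db\n"
    "CapBnd:\t00000000880425db\n"
)


def decode_caps(mask):
    """Return capability names set in `mask`, in bit order (pscap's order).
    Bits beyond the name table are reported as cap_N, as pscap does."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}")
        bit += 1
    return names


def caps_from_status(status_text, field="CapEff"):
    """Extract one Cap* field from /proc/<pid>/status text as an int."""
    m = re.search(rf"^{field}:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if not m:
        raise ValueError(f"{field} not found in status text")
    return int(m.group(1), 16)


def read_proc_status(pid="self"):
    """Read the real /proc/<pid>/status on a Linux host (not used in tests)."""
    with open(f"/proc/{pid}/status") as f:
        return f.read()


def missing_caps(mask, required):
    """Names from `required` whose bit is not set in `mask`."""
    return [c for c in required if not (mask >> CAP_BIT[c]) & 1]


def may_signal(sender_caps, sender_uid, sender_euid, target_uid, target_suid):
    """Simplified kill(2) rule: CAP_KILL, or the sender's real/effective UID
    equals the target's real or saved set-user-ID.  Namespaces and the
    SIGCONT-within-session exception are deliberately ignored."""
    if (sender_caps >> CAP_BIT["kill"]) & 1:
        return True
    return bool({sender_uid, sender_euid} & {target_uid, target_suid})


if __name__ == "__main__":
    eff = caps_from_status(SAMPLE_STATUS)
    print("CapEff:", hex(eff), "->", ", ".join(decode_caps(eff)))
    print("missing for runuser+kill:", missing_caps(eff, ["audit_write", "kill"]))
    # root (uid 0) trying to signal a process running as ftp (uid 14 on RHEL)
    print("root may kill ftp's process:", may_signal(eff, 0, 0, 14, 14))
    # the same signal sent via `runuser -u ftp kill`: UIDs match, no cap needed
    print("ftp may kill ftp's process:", may_signal(eff, 14, 14, 14, 14))
```

On a live host, `caps_from_status(read_proc_status())` gives the current shell's effective set; comparing it with `decode_caps` output against the pscap line above is a quick way to confirm whether a container was started with the capabilities a workload needs before debugging EPERM from user-management tools.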

Comment 3 Daniel Walsh 2014-07-24 13:36:15 UTC
I just ran this test with

docker-1.1.1-3.el7.x86_64

And it worked fine.

Comment 5 errata-xmlrpc 2014-09-18 20:46:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1266.html