Bug 527483
| Summary: | /dev/pts must use the 'newinstance' mount flag to avoid security problem with containers | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Daniel Berrangé <berrange> |
| Component: | kernel | Assignee: | Aristeu Rozanski <arozansk> |
| Status: | CLOSED WONTFIX | QA Contact: | Virtualization Bugs <virt-bugs> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | | |
| Version: | 6.0 | CC: | giuseppe.ragusa, hpa, kernel-maint |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 501718 | | |
| | 860218 | Environment: | |
| Last Closed: | 2013-11-06 14:38:38 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 846704 | | |
Description
Daniel Berrangé
2009-10-06 15:20:36 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux major release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Major release. This request is not yet committed for inclusion. This issue has been proposed when we are only considering blocker issues in the current Red Hat Enterprise Linux release. It has been denied for the current Red Hat Enterprise Linux release. ** If you would still like this issue considered for the current release, ask your support representative to file as a blocker on your behalf. Otherwise ask that it be considered for the next Red Hat Enterprise Linux release. **

Since RHEL 6.2 External Beta has begun, and this bug remains unresolved, it has been rejected as it is not proposed as exception or blocker. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.

Latest proposal for upstream kernel is to kill off the 'newinstance' flag and make all /dev/pts instances private by default. https://lkml.org/lkml/2012/9/22/142

*** Bug 844421 has been marked as a duplicate of this bug. ***

FWIW: ebiederman's tree: 4b2e6c9c30349d5691ee6c2aa3002a8c178b2d22

Also, this might break third-party scripts; people remounting devpts in different directories (think chroot setups) but still wanting to be the same instance.

FYI this change https://lkml.org/lkml/2013/1/25/787 would potentially offer a different solution. It would allow us to continue issuing a normal devpts in the host. If we want a secure container, then we'd enable user namespaces, which prevent the container accessing the host's devpts since it lacks the newinstance flag.

It isn't really a different solution. It is just enforcing the new setup in a restricted context. The change described here is necessary anyway.
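The point of this bug is that a container or chroot whose /dev/pts is mounted without the 'newinstance' option is not a separate instance at all: it aliases the single legacy devpts superblock of the host, so both share one pty index space. A quick way to audit a system for that condition is to read /proc/self/mountinfo and report, for every devpts mount, whether its superblock options carry 'newinstance' and which device number (and therefore which superblock) it belongs to. The following POSIX shell script is an example added for this page, not code from the bug report or from Red Hat; the sample mountinfo lines, the container and chroot paths and the device numbers in it are constructed.

```shell
#!/bin/sh
# Added example, not from the bug report. Audits devpts mounts given in
# /proc/self/mountinfo layout and reports whether each one is a private
# instance ('newinstance' in the superblock options) or aliases the legacy
# kernel-wide /dev/pts instance. Against a live system run:
#   audit_devpts "$(cat /proc/self/mountinfo)"

# Constructed sample in mountinfo layout: mount ID, parent ID, major:minor,
# root, mount point, mount options, optional fields, "-", fstype, source,
# superblock options. Note the chroot mount shares device 0:17 with the
# host's /dev/pts: same superblock, so no isolation.
SAMPLE_MOUNTINFO='36 24 0:17 / /dev/pts rw,nosuid,noexec,relatime shared:2 - devpts devpts rw,gid=5,mode=620,ptmxmode=000
41 36 0:18 / /var/lib/lxc/web/rootfs/dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=666,newinstance
42 36 0:17 / /srv/chroot/build/dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=000'

# Print one line per devpts mount: "<mount point> <major:minor> PRIVATE|SHARED".
audit_devpts() {
    printf '%s\n' "$1" | awk '
        {
            # the "-" separator follows a variable number of optional fields
            for (i = 7; i <= NF; i++) if ($i == "-") break
            fstype = $(i + 1); superopts = $(i + 3)
            if (fstype != "devpts") next
            status = "SHARED"
            n = split(superopts, opt, ",")
            for (j = 1; j <= n; j++) if (opt[j] == "newinstance") status = "PRIVATE"
            print $5, $3, status
        }'
}

# Exit 0 when every devpts mount other than the host /dev/pts is a private
# instance, 1 otherwise (the container/chroot case this bug describes).
check_devpts() {
    audit_devpts "$1" | awk '
        BEGIN { bad = 0 }
        $1 != "/dev/pts" && $3 == "SHARED" { bad = 1 }
        END { exit bad }'
}

# Stand-alone run on the constructed sample.
audit_devpts "$SAMPLE_MOUNTINFO"
if check_devpts "$SAMPLE_MOUNTINFO"; then
    echo "all devpts mounts outside /dev/pts are private instances"
else
    echo "WARNING: a devpts mount outside /dev/pts aliases the host instance" >&2
fi
```

On the sample input the LXC mount is reported PRIVATE while the chroot mount is SHARED and carries the host's device number. The fix the bug asks for is to mount each container's devpts with `mount -t devpts -o newinstance,ptmxmode=0666 devpts <root>/dev/pts` and point the container's /dev/ptmx at /dev/pts/ptmx, which is the procedure documented in the kernel's devpts documentation. In later upstream kernels the proposal linked in the thread was carried out and every devpts mount is an independent instance, with 'newinstance' accepted as a no-op, so the check above is mainly relevant to kernels of the RHEL 6 era.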