Bug 860218
| Summary: | /dev/pts must use the 'newinstance' mount flag to avoid security problem with containers | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Daniel Berrangé <berrange> |
| Component: | kernel | Assignee: | Aristeu Rozanski <arozansk> |
| Status: | CLOSED WONTFIX | QA Contact: | Red Hat Kernel QE team <kernel-qe> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | | |
| Version: | 7.0 | CC: | hpa, kernel-maint |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 527483 | Environment: | |
| Last Closed: | 2013-11-01 13:39:44 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description

Daniel Berrangé 2012-09-25 09:45:40 UTC

FYI, while it might be nice to do this, I no longer consider this an important fix for containers. With sVirt SELinux rules, the user will be blocked from accessing the original devpts instance, and likewise user namespaces would also block it. So it is only a security risk if neither user namespaces nor SELinux were used, and this scenario is insecure for many other reasons too. So feel free to WONTFIX this bug unless the quoted kernel change is in fact already upstream.

It seems upstream didn't reach an agreement on this and I believe diverging from upstream on this will cause problems. Closing with WONTFIX. Thanks Daniel
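The point of the bug is that a container whose /dev/pts is the host's devpts instance shares the host's pty table, so the container can see (and, absent SELinux or user namespaces, open) host ptys. The following audit script is an added example, not code from the bug report or from the kernel: it parses /proc/self/mountinfo (format per proc(5)) and reports whether /dev/pts is a devpts mount carrying the 'newinstance' option, whether it is the same superblock (same major:minor) as the host's /dev/pts, and whether /dev/ptmx is the instance's own ptmx (bind-mounted from /dev/pts/ptmx) with ptmxmode=666, which is what Documentation/filesystems/devpts.txt requires for a private instance to be usable. The three mountinfo dumps are constructed samples. Caveat: from Linux 4.7 every devpts mount is an independent instance and 'newinstance' is accepted but ignored, so the option check matters on older kernels such as RHEL 7's 3.10 series; the superblock comparison is meaningful on any kernel.

```python
"""Audit whether a container's /dev/pts is a private devpts instance.

Added example for the bug above; not part of the report or the kernel.
Input is /proc/self/mountinfo text. The samples below are constructed.
"""

# Constructed: host mount namespace, devpts superblock 0:20.
HOST_MOUNTINFO = """\
21 25 0:19 / /dev rw,nosuid - devtmpfs devtmpfs rw,size=4096k,nr_inodes=1024,mode=755
22 21 0:20 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=000
"""

# Constructed: container that bind-mounted the host's /dev/pts (same 0:20 superblock).
SHARED_CONTAINER_MOUNTINFO = """\
55 54 0:33 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/img/lower
56 55 0:34 / /dev rw,nosuid - tmpfs tmpfs rw,mode=755
57 56 0:20 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=000
"""

# Constructed: container with its own instance (newinstance,ptmxmode=666) and
# /dev/ptmx bind-mounted from that instance's /dev/pts/ptmx.
PRIVATE_CONTAINER_MOUNTINFO = """\
55 54 0:33 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/img/lower
56 55 0:34 / /dev rw,nosuid - tmpfs tmpfs rw,mode=755
57 56 0:41 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=666,newinstance
58 56 0:41 /ptmx /dev/ptmx rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=666,newinstance
"""


def parse_mountinfo(text):
    """Parse mountinfo lines into dicts. Fields before ' - ' are positional
    (id, parent, major:minor, root, mount point, mount options, optional tags);
    after it come fstype, source and superblock options."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, _, post = line.partition(" - ")
        pf = pre.split()
        sf = post.split(None, 2)
        entries.append({
            "id": int(pf[0]), "parent": int(pf[1]), "dev": pf[2],
            "root": pf[3], "mount_point": pf[4],
            "mount_opts": set(pf[5].split(",")),
            "fstype": sf[0], "source": sf[1],
            "super_opts": set(sf[2].split(",")) if len(sf) > 2 else set(),
        })
    return entries


def find_mount(entries, mount_point):
    """Return the topmost mount at mount_point (later mounts shadow earlier ones)."""
    hits = [e for e in entries if e["mount_point"] == mount_point]
    return hits[-1] if hits else None


def ptmxmode(entry):
    for opt in entry["super_opts"]:
        if opt.startswith("ptmxmode="):
            return opt.split("=", 1)[1]
    return None


def audit_devpts(container_mountinfo, host_mountinfo=None):
    """Return a report dict; 'findings' is empty when /dev/pts is a usable private instance."""
    ents = parse_mountinfo(container_mountinfo)
    pts = find_mount(ents, "/dev/pts")
    report = {"mounted": pts is not None and pts["fstype"] == "devpts",
              "newinstance": False, "shares_host_superblock": None,
              "private_ptmx": False, "findings": []}
    if not report["mounted"]:
        report["findings"].append("/dev/pts is not a devpts mount")
        return report
    report["newinstance"] = "newinstance" in pts["super_opts"]
    if not report["newinstance"]:
        report["findings"].append("devpts at /dev/pts lacks 'newinstance' "
                                  "(pre-4.7 kernels: shares the host pty table)")
    if host_mountinfo is not None:
        host = find_mount(parse_mountinfo(host_mountinfo), "/dev/pts")
        shares = host is not None and host["dev"] == pts["dev"]
        report["shares_host_superblock"] = shares
        if shares:
            report["findings"].append(
                "container /dev/pts is the host's devpts superblock (%s)" % pts["dev"])
    # /dev/ptmx must resolve into this instance, else opening it hands out host ptys.
    ptmx = find_mount(ents, "/dev/ptmx")
    report["private_ptmx"] = (ptmx is not None and ptmx["fstype"] == "devpts"
                              and ptmx["dev"] == pts["dev"] and ptmx["root"] == "/ptmx")
    if not report["private_ptmx"]:
        report["findings"].append("/dev/ptmx is not bind-mounted from this instance's /dev/pts/ptmx")
    if report["newinstance"] and ptmxmode(pts) != "666":
        report["findings"].append("ptmxmode=%s: pty allocation via /dev/pts/ptmx will fail "
                                  "for unprivileged users" % ptmxmode(pts))
    return report


if __name__ == "__main__":
    for name, dump in (("shared", SHARED_CONTAINER_MOUNTINFO),
                       ("private", PRIVATE_CONTAINER_MOUNTINFO)):
        r = audit_devpts(dump, HOST_MOUNTINFO)
        print(name, "OK" if not r["findings"] else "; ".join(r["findings"]))
```

To run this against a live container, feed it the container's /proc/self/mountinfo and, from the host, /proc/1/mountinfo. A private instance on an old kernel is created with mount -t devpts -o newinstance,ptmxmode=0666 devpts /dev/pts followed by mount --bind /dev/pts/ptmx /dev/ptmx; the script's checks mirror exactly those two steps.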