Gentoo Archives: gentoo-hardened

From: Alex Efros <powerman@××××××××.name>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] GRKERNSEC_PROC_USERGROUP and docker exec
Date: Fri, 08 Sep 2017 19:20:51
Message-Id: 20170908192045.GC2677@home.power
Hi!

It looks like when connecting to an existing docker container with `docker
exec`, CONFIG_GRKERNSEC_PROC_USERGROUP (and probably
CONFIG_GRKERNSEC_PROC_USER too) hides processes started by `docker run`
from processes started by `docker exec` (all processes are running as
docker "root"; the docker daemon is started with default options, i.e. without
--userns-remap).

Why does this happen, and is there any workaround?


$ sudo zgrep GRKERNSEC_PROC_USER /proc/config.gz
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y

$ docker run -d -it --rm --init alpine sh -c 'ps ax; exec sleep 42'
49bec4451495563d702ad0edb9a7c80a9a7f5918fab4eb67e5a44b803f3ac656

$ docker logs 49bec4451495
PID USER TIME COMMAND
1 root 0:00 /dev/init -- sh -c ps ax; exec sleep 42
7 root 0:00 sh -c ps ax; exec sleep 42
8 root 0:00 ps ax

$ docker exec -it 49bec4451495 ps ax
PID USER TIME COMMAND
9 root 0:00 ps ax

--
WBR, Alex.
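The two checks the post performs by hand (which grsecurity /proc restriction the running kernel was built with, and which PIDs one container viewpoint sees that another does not) can be scripted. The helper below is an added example, not code from the post or from grsecurity or Docker; the kernel config fragment and the two `ps ax` listings it feeds in are constructed to mirror the output quoted above, and the function names are arbitrary.

```shell
#!/bin/sh
# Added diagnostic helper (not part of the original post). It reports which
# grsecurity /proc restriction is compiled into a kernel config and which PIDs
# one process listing shows that another does not. All sample inputs below are
# constructed, not captured from the poster's machine.

# proc_restriction_mode CONFIG_FILE
#   Prints "user", "usergroup" or "none" depending on whether
#   CONFIG_GRKERNSEC_PROC_USER or CONFIG_GRKERNSEC_PROC_USERGROUP is =y.
#   On a live system, feed it the output of `zcat /proc/config.gz`.
proc_restriction_mode() {
    if grep -q '^CONFIG_GRKERNSEC_PROC_USER=y' "$1"; then
        echo user
    elif grep -q '^CONFIG_GRKERNSEC_PROC_USERGROUP=y' "$1"; then
        echo usergroup
    else
        echo none
    fi
}

# hidden_pids FULL_PS_FILE PARTIAL_PS_FILE
#   Prints the PIDs present in the first `ps ax` listing but absent from the
#   second, i.e. the processes the second viewpoint cannot see in /proc.
#   Header lines (non-numeric first column) are ignored.
hidden_pids() {
    awk 'NR == FNR { if ($1 ~ /^[0-9]+$/) seen[$1] = 1; next }
         $1 ~ /^[0-9]+$/ && !($1 in seen) { print $1 }' "$2" "$1"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed kernel config fragment mirroring the settings quoted in the post.
cat > "$tmp/config" <<'EOF'
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
EOF

# Constructed listing as seen from the `docker run` process tree ...
cat > "$tmp/run.ps" <<'EOF'
PID USER TIME COMMAND
1 root 0:00 /dev/init -- sh -c ps ax; exec sleep 42
7 root 0:00 sh -c ps ax; exec sleep 42
8 root 0:00 ps ax
EOF

# ... and from `docker exec`, where only its own ps shows up.
cat > "$tmp/exec.ps" <<'EOF'
PID USER TIME COMMAND
9 root 0:00 ps ax
EOF

echo "proc restriction: $(proc_restriction_mode "$tmp/config")"
echo "PIDs hidden from the exec viewpoint: $(hidden_pids "$tmp/run.ps" "$tmp/exec.ps" | tr '\n' ' ')"
```

Run as-is it reports `usergroup` and lists PIDs 1, 7 and 8 as hidden from the `docker exec` viewpoint. On a real host, replace the constructed files with `zcat /proc/config.gz` and two `ps ax` captures taken from inside the container; a non-empty `hidden_pids` result under a `user`/`usergroup` kernel is the symptom the post describes.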

Replies

Subject Author
Re: [gentoo-hardened] GRKERNSEC_PROC_USERGROUP and docker exec "Tóth Attila" <atoth@××××××××××.hu>