Proc connector across pid namespace - a security issue?
I was experimenting with monitoring process changes from a container. The container has all namespaces of its own. What I did was to first switch to the host network namespace, open the proc connector socket, send a LISTEN message, switch back to the container network namespace, then start receiving notifications.
I didn't receive any notification. This seems to be expected because the container and the host are in different Pid namespaces.
However, if at this time I start the same program on the host, then my program running within the container starts receiving notifications for process changes. The pid values are those of the host Pid namespace.
I am wondering whether the notification should be passed to a process in a different Pid namespace and, if not, whether what I observed is a security issue.
The kernel version is 3.19.0-25.
Last edited by goalotc; 01-14-2017 at 01:55 PM.
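The listener the post describes, as an added example and not the poster's program: a C proc-connector client that binds to the CN_IDX_PROC multicast group, sends PROC_CN_MCAST_LISTEN and decodes the events the kernel delivers. The function build_sample_event() and the pid values fed to it are constructed for offline testing of the decoder only. Two properties of the interface matter for reading the observation: the NETLINK_CONNECTOR family is registered in the initial network namespace, which is why the socket has to be opened there, and multicast group membership is taken at bind() through nl_groups, separately from the LISTEN request, so a socket can be a member of the group regardless of how its own LISTEN was handled. The pids in the events are whatever the kernel puts in the event, which in the post are host-namespace values.

```c
/* Added example (not from the original post): minimal proc-connector listener.
 * Needs CAP_NET_ADMIN and a socket in the initial network namespace. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/connector.h>
#include <linux/cn_proc.h>

/* What a listener typically keeps from one event. */
struct proc_summary {
    int type;       /* one of PROC_EVENT_* */
    int pid;        /* pid exactly as the kernel reports it */
    int tgid;
    int exit_code;  /* only meaningful for PROC_EVENT_EXIT */
};

/* Wire format: struct nlmsghdr, then struct cn_msg, then cn_msg.len payload bytes. */
static int put_cn_message(unsigned char *buf, size_t buflen,
                          const void *payload, size_t paylen, unsigned int pid)
{
    struct nlmsghdr nlh;
    struct cn_msg cn;
    size_t total = NLMSG_LENGTH(sizeof cn + paylen);

    if (buflen < total || paylen > 0xffff)
        return -1;
    memset(&nlh, 0, sizeof nlh);
    nlh.nlmsg_len = (__u32)total;
    nlh.nlmsg_type = NLMSG_DONE;
    nlh.nlmsg_pid = pid;
    memset(&cn, 0, sizeof cn);
    cn.id.idx = CN_IDX_PROC;
    cn.id.val = CN_VAL_PROC;
    cn.len = (__u16)paylen;
    memset(buf, 0, total);
    memcpy(buf, &nlh, sizeof nlh);
    memcpy(buf + NLMSG_HDRLEN, &cn, sizeof cn);
    memcpy(buf + NLMSG_HDRLEN + sizeof cn, payload, paylen);
    return (int)total;
}

/* Build the PROC_CN_MCAST_LISTEN request; returns its length or -1. */
int build_listen_request(unsigned char *buf, size_t buflen)
{
    enum proc_cn_mcast_op op = PROC_CN_MCAST_LISTEN;
    return put_cn_message(buf, buflen, &op, sizeof op, (unsigned int)getpid());
}

/* Constructed event datagram in the kernel's layout, for offline testing only. */
int build_sample_event(unsigned char *buf, size_t buflen, int what,
                       int pid, int tgid, int exit_code)
{
    struct proc_event ev;
    memset(&ev, 0, sizeof ev);
    ev.what = what;
    if (what == PROC_EVENT_FORK) {
        ev.event_data.fork.child_pid = pid;
        ev.event_data.fork.child_tgid = tgid;
    } else if (what == PROC_EVENT_EXIT) {
        ev.event_data.exit.process_pid = pid;
        ev.event_data.exit.process_tgid = tgid;
        ev.event_data.exit.exit_code = (__u32)exit_code;
    } else {            /* every other union member starts with process_pid, process_tgid */
        ev.event_data.exec.process_pid = pid;
        ev.event_data.exec.process_tgid = tgid;
    }
    return put_cn_message(buf, buflen, &ev, sizeof ev, 0);
}

/* Decode one datagram: 1 and *out filled for a process event, 0 for messages a
 * listener ignores (acks, other ids), -1 for malformed or truncated input. */
int decode_proc_event(const unsigned char *buf, unsigned int len, struct proc_summary *out)
{
    struct nlmsghdr nlh;
    struct cn_msg cn;
    struct proc_event ev;

    if (len < sizeof nlh)
        return -1;
    memcpy(&nlh, buf, sizeof nlh);
    if (!NLMSG_OK(&nlh, len))
        return -1;                       /* nlmsg_len claims more than we received */
    if (nlh.nlmsg_type == NLMSG_NOOP || nlh.nlmsg_type == NLMSG_ERROR)
        return 0;
    if (nlh.nlmsg_len < NLMSG_LENGTH(sizeof cn + sizeof ev))
        return -1;
    memcpy(&cn, buf + NLMSG_HDRLEN, sizeof cn);
    if (cn.id.idx != CN_IDX_PROC || cn.id.val != CN_VAL_PROC)
        return 0;
    if (cn.len < sizeof ev)
        return -1;
    memcpy(&ev, buf + NLMSG_HDRLEN + sizeof cn, sizeof ev);
    if (ev.what == PROC_EVENT_NONE)
        return 0;                        /* acknowledgement of the LISTEN request */
    memset(out, 0, sizeof *out);
    out->type = (int)ev.what;
    if (ev.what == PROC_EVENT_FORK) {
        out->pid = ev.event_data.fork.child_pid;
        out->tgid = ev.event_data.fork.child_tgid;
    } else {
        out->pid = ev.event_data.exec.process_pid;
        out->tgid = ev.event_data.exec.process_tgid;
        if (ev.what == PROC_EVENT_EXIT)
            out->exit_code = (int)ev.event_data.exit.exit_code;
    }
    return 1;
}

int main(void)
{
    unsigned char buf[4096];
    struct sockaddr_nl sa;
    struct proc_summary s;
    int fd, n;

    fd = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_CONNECTOR);
    if (fd < 0) { perror("socket"); return 1; }
    memset(&sa, 0, sizeof sa);
    sa.nl_family = AF_NETLINK;
    sa.nl_pid = (unsigned int)getpid();
    sa.nl_groups = CN_IDX_PROC;          /* group membership happens here, not in LISTEN */
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { perror("bind"); return 1; }
    n = build_listen_request(buf, sizeof buf);
    if (n < 0 || send(fd, buf, (size_t)n, 0) != n) { perror("send"); return 1; }
    for (;;) {
        ssize_t got = recv(fd, buf, sizeof buf, 0);
        if (got < 0) { if (errno == EINTR) continue; perror("recv"); return 1; }
        if (decode_proc_event(buf, (unsigned int)got, &s) == 1)
            printf("event 0x%08x pid=%d tgid=%d exit_code=%d\n",
                   s.type, s.pid, s.tgid, s.exit_code);
    }
}
```

Run it as root on the host (or, as in the post, after entering the host network namespace) and it prints every fork, exec and exit the kernel reports; the decoder rejects datagrams whose netlink length exceeds what was received, which is the check a monitoring agent should keep even though the kernel is the only sender on this family.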