[Bug 1732518] Re: Please re-enable container support in apport

Tyler Hicks tyhicks at canonical.com
Wed Nov 15 19:58:57 UTC 2017 

The patch in comment #4 of bug 1726372 was mostly complete but issues
were discovered late as we were approached the CRD for the CVEs
described in that bug:

1) The patch should be updated to forward the new dump_mode argument into the container. This is a trivial change.
2) The patch changed the functionality of apport so that it processes, in the host, all crashes that come from a "non-full" container. The PoC in the description of bug 1726372 simply creates a PID namespace, without a new mount namespace, and then calls abort(). The behavioral change introduced by the patch resulted in apport writing the core dump to /tmp/core when it didn't do that before because it ignored such crashes.
3) The combination of the patch and the fix for CVE-2017-14177, which added a new required dump_mode command line option to Apport, made it potentially dangerous for an updated Apport in the host to forward a crash to a non-updated Apport in a container as the dump_mode parameter would be treated as the global_pid in the container's Apport.

These three issues are why we had to make the decision to (temporarily)
drop container crash forwarding.

I won't be directly involved in re-enabling the container crash
forwarding support but please feel free to ping me for a review, if
needed.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14177

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1732518

Title:
  Please re-enable container support in apport

Status in apport package in Ubuntu:
  Triaged
Status in apport source package in Xenial:
  Triaged
Status in apport source package in Zesty:
  Triaged
Status in apport source package in Artful:
  Triaged
Status in apport source package in Bionic:
  Triaged

Bug description:
  The latest security update for apport disabled container crash
  forwarding, this is a feature which users do rely on in production and
  while it may have been appropriate to turn it off to put a security
  update out, this needs to be re-enabled ASAP.

  I provided a patch which fixed the security issue before the security
  issue was publicly disclosed so pushing an SRU to all Ubuntu releases
  re-enabling this code should be pretty trivial.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1732518/+subscriptions

More information about the foundations-bugs mailing list