Set init process as non-dumpable
Backports the fix from 2f7393a47307a16f8cee44a37b262e8b81021e3e to 1.10.x
Resolves CVE-2016-9962 for Docker 1.10.x.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
index 27e6e53..878c01f 100644
--- a/libcontainer/nsenter/nsexec.c
+++ b/libcontainer/nsenter/nsexec.c
@@ -11,6 +11,7 @@
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
+#include <sys/prctl.h>
#include <fcntl.h>
#include <signal.h>
#include <setjmp.h>
@@ -110,6 +111,12 @@
exit(1);
}
+ /* make the process non-dumpable */
+ if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) {
+ pr_perror("failed to set process as non-dumpable");
+ exit(1);
+ }
+
char nlbuf[NLMSG_HDRLEN];
struct nlmsghdr *nh;
if ((n = read(pipenum, nlbuf, NLMSG_HDRLEN)) != NLMSG_HDRLEN) {