Set init process as non-dumpable
Backports fix from 2f7393a47307a16f8cee44a37b262e8b81021e3e to 1.11.x
Resolves CVE-2016-9962 for Docker 1.11.x.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
index 8f37d6c..25e5f91 100644
--- a/libcontainer/nsenter/nsexec.c
+++ b/libcontainer/nsenter/nsexec.c
@@ -364,6 +364,12 @@
return;
}
+ /* make the process non-dumpable */
+ if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) {
+ pr_perror("failed to set process as non-dumpable");
+ exit(1);
+ }
+
// Retrieve the netlink header
struct nlmsghdr nl_msg_hdr;
int len;
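Review bot: The new comment on the prctl block says what it does but not why, and the commit message is the only place that ties it to CVE-2016-9962; a comment such as `/* Non-dumpable processes cannot be ptrace-attached by unprivileged callers and their /proc/<pid> entries are root-owned; set this before anything else so a container process cannot inspect this one (CVE-2016-9962). */` would keep that rationale in the code. Per prctl(2) the dumpable flag is reset to the value of /proc/sys/fs/suid_dumpable whenever the effective or filesystem uid/gid changes, so if the setgid/setgroups sequence in the second hunk (around line 444) is followed by a switch to a non-root id in this same process, the protection after that point depends on the host sysctl rather than on this call; if that is not intended, re-issue `prctl(PR_SET_DUMPABLE, 0, 0, 0, 0)` after the credential change, or document the dependency. The enclosing function starts before this hunk, so I cannot tell from the diff what runs before the `return;` above or whether the namespace joins happen earlier.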
@@ -438,7 +444,7 @@
pr_perror("setgid failed");
exit(1);
}
-
+
if (setgroups(0, NULL) == -1) {
pr_perror("setgroups failed");
exit(1);