Comment 5 for bug 1438758

St├ęphane Graber (stgraber) wrote :

Finally got something working.

This patch will load python3-lxc if present, then extract the list of all running containers based on available LXC command sockets, for each of those it'll then attempt to match the namespaces of the crashed task with the container. If a match is found, apport is then run inside that container.

As this now uses the LXC API, this guarantees the apparmor profile is respected, as well as seccomp, selinux, capabilities, personalities and any other security mechanism provided by LXC. The environment is also completely cleared and LXC closes any non-standard fd before execcing the command.

I've confirmed this to be working here. The exploit I posted earlier is now detected as an unknown container and skipped, proper containers with apport present inside get a proper apport call with a valid /var/crash entry as a result.