[avahi] Avahi daemon doesn't work inside an unprivileged container

Trent Lloyd lathiat at bur.st
Tue Mar 31 20:25:00 PDT 2015


Hi Yann,

Can you tell me what value of cred->uid you are actually getting inside these containers? I wonder if somehow you are getting the unmapped value.
I assume that inside the container running "id" shows 0, but outside the container you see it remapped to another id?

If you can confirm the lxc version, and possibly supply a config (or as much info as possible) I can reproduce with, that would be great.

Cheers,
Trent

> On 6 Feb 2015, at 4:23 pm, Yann Soubeyrand <ysoubeyrand at adeneo-embedded.com> wrote:
> 
> Hi,
> 
> Avahi daemon doesn't work inside an unprivileged container, more
> precisely inside a container where the uid 0 is mapped to an uid other
> than 0.
> 
> I identified the line where the problem occurs in the Avahi sources:
> http://git.0pointer.net/avahi.git/tree/avahi-core/netlink.c#n85.
> 
> I don't know if it's a bug of Avahi or if it's a bug inside the kernel.
> My guess is that it's the latter one but I'm not sure. I think that the
> kernel passes the credentials mapped to zero when it's the sender of the
> message whereas it should pass all zero credentials in this case. But I
> didn't read the code of netlink and it's purely speculation. Also, I
> wonder if it could not introduce security flaws doing so.
> 
> Feel free to ask me if you need further information or if you need me to
> be clearer in my explanations ;-)
> 
> I'm using Debian Sid as my host system (I tried 3.16 and 3.18 kernels)
> and Ubuntu Vivid inside my container.
> 
> Cheers
> 
> 
> 
> -- 
> Yann Soubeyrand
> 
> _______________________________________________
> avahi mailing list
> avahi at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/avahi
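The question above (what value of cred->uid actually arrives in the container) comes down to how a daemon reads SCM_CREDENTIALS off a netlink socket and what the kernel presents for a sender whose uid has no mapping in the receiver's user namespace. The following is an added example, not Avahi's code and not the check at the line Yann links: it walks the ancillary data the way a receiver with SO_PASSCRED would, and classifies the sender as kernel, unmapped, or ordinary process. It assumes the kernel's default overflow uid of 65534 (the value of /proc/sys/kernel/overflowuid, which the receiver sees for any uid that cannot be mapped into its namespace) and the Linux layout of struct ucred; the names simulate_receive, classify_sender and extract_credentials are the example's own.

```c
/* Inspect the SCM_CREDENTIALS attached to a netlink datagram and decide
 * whether the sender is the kernel, an id with no mapping in our user
 * namespace, or an ordinary process. Constructed example; not Avahi's code. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

#ifndef SCM_CREDENTIALS
#define SCM_CREDENTIALS 0x02   /* Linux value; glibc exposes it only under _GNU_SOURCE */
#endif

/* Same layout as Linux's struct ucred (pid, uid, gid); declared locally so
 * the example does not depend on feature macros being set before the first
 * system header is included. */
struct scm_creds { pid_t pid; uid_t uid; gid_t gid; };

enum sender_class { SENDER_NO_CREDS, SENDER_KERNEL, SENDER_UNMAPPED, SENDER_USER };

/* Kernel default for /proc/sys/kernel/overflowuid: the id a receiver sees when
 * the sender's real uid has no mapping in the receiver's user namespace.
 * Assumed default; read the sysctl on the host if it has been changed. */
#define OVERFLOW_UID_DEFAULT 65534u

/* Walk the ancillary data of a received message and copy out SCM_CREDENTIALS.
 * Returns 1 if present, 0 otherwise (e.g. SO_PASSCRED was never enabled). */
int extract_credentials(struct msghdr *msg, struct scm_creds *out)
{
    struct cmsghdr *c;
    for (c = CMSG_FIRSTHDR(msg); c != NULL; c = CMSG_NXTHDR(msg, c)) {
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_CREDENTIALS &&
            c->cmsg_len >= CMSG_LEN(sizeof *out)) {
            memcpy(out, CMSG_DATA(c), sizeof *out);
            return 1;
        }
    }
    return 0;
}

/* Classify the sender. Kernel-originated netlink messages carry pid 0 and
 * uid 0 as seen from the initial namespace; a receiver in a user namespace
 * that does not map host uid 0 sees overflow_uid instead, which is why a
 * bare "uid == 0" test rejects the kernel inside such a container. */
enum sender_class classify_sender(const struct scm_creds *cred, uid_t overflow_uid)
{
    if (cred->pid == 0 && cred->uid == 0)
        return SENDER_KERNEL;
    if (cred->uid == overflow_uid)
        return SENDER_UNMAPPED;
    return SENDER_USER;
}

const char *sender_name(enum sender_class s)
{
    switch (s) {
    case SENDER_KERNEL:   return "kernel";
    case SENDER_UNMAPPED: return "unmapped (overflow uid)";
    case SENDER_USER:     return "user process";
    default:              return "no credentials attached";
    }
}

/* Build a message shaped like what recvmsg() fills in when SO_PASSCRED is set
 * (constructed input, no socket involved), run it through the parser and
 * classify the result. */
enum sender_class simulate_receive(pid_t pid, uid_t uid, gid_t gid, uid_t overflow_uid)
{
    union { char buf[CMSG_SPACE(sizeof(struct scm_creds))]; struct cmsghdr hdr; } ctrl;
    struct msghdr msg;
    struct cmsghdr *c;
    struct scm_creds in = { pid, uid, gid }, out;

    memset(&ctrl, 0, sizeof ctrl);
    memset(&msg, 0, sizeof msg);
    msg.msg_control = ctrl.buf;
    msg.msg_controllen = sizeof ctrl.buf;
    c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_CREDENTIALS;
    c->cmsg_len = CMSG_LEN(sizeof in);
    memcpy(CMSG_DATA(c), &in, sizeof in);

    if (!extract_credentials(&msg, &out))
        return SENDER_NO_CREDS;
    return classify_sender(&out, overflow_uid);
}

int main(void)
{
    /* Three constructed cases: kernel with host root mapped, kernel with host
     * root unmapped (the unprivileged-container case), and a local process. */
    printf("kernel, host root mapped:   %s\n",
           sender_name(simulate_receive(0, 0, 0, OVERFLOW_UID_DEFAULT)));
    printf("kernel, host root unmapped: %s\n",
           sender_name(simulate_receive(0, OVERFLOW_UID_DEFAULT, OVERFLOW_UID_DEFAULT,
                                        OVERFLOW_UID_DEFAULT)));
    printf("local process:              %s\n",
           sender_name(simulate_receive(4242, 1000, 1000, OVERFLOW_UID_DEFAULT)));
    return 0;
}
```

The point for a daemon author is the second case: inside a container whose uid 0 maps to a non-zero host uid, the kernel's own messages arrive with uid equal to the overflow id rather than 0, so a receiver that treats "uid == 0" as the only proof of a kernel sender will discard them. Checking the sender's pid (0 for the kernel) alongside the uid, and reading the actual overflow value from the sysctl rather than assuming 65534, keeps the test meaningful in both namespaces.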



More information about the avahi mailing list