
Architecture emulation containers with binfmt_misc

Posted Mar 10, 2016 12:34 UTC (Thu) by jejb (subscriber, #6654)
In reply to: Architecture emulation containers with binfmt_misc by raven667
Parent article: Architecture emulation containers with binfmt_misc

Actually, that's not possible. The emulator runs inside the container, not outside of it. What is poked through into the container from the outside is a file descriptor, opened in the host OS, which is then mapped and executed inside the container, so any fault in the emulator faults inside the container, not outside of it. It also means, except for the fd of the emulator binary, the emulator has no access to any resources outside of the container (that's why, as I explained in the 0/3 patch, the emulator has to be static ... it can't resolve dynamic libraries outside of the container).

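The mechanism jejb describes (the kernel opens the emulator on the host at registration time and hands that already-open file to every exec, so the guest binary never resolves an emulator path inside the container's mount namespace) is what the binfmt_misc "F" (fix binary) flag provides. The following shell script is an added example, not code from the LWN thread or from jejb's patch series: it builds the binfmt_misc registration line with the F flag and refuses to register an emulator that still needs a dynamic loader, since, as the comment notes, a non-static emulator would try to resolve its libraries inside the container and fail. The emulator path /usr/bin/qemu-aarch64-static and the registration name qemu-aarch64 are assumptions; the ELF magic and mask are the standard aarch64 values.

```shell
#!/bin/sh
# Added example (not from the LWN thread or jejb's patch set).
# Registers a statically linked aarch64 emulator with binfmt_misc using
# the F flag, so the kernel opens the interpreter once, at registration
# time on the host, and passes that open file into each exec rather than
# looking the path up in the executing process's mount namespace.
# Registration itself needs root and a mounted /proc/sys/fs/binfmt_misc.

# ELF magic/mask for aarch64: "\x7fELF", class 2 (64-bit), data 1
# (little-endian), e_type 2 or 3 (mask 0xfe accepts ET_EXEC and ET_DYN),
# e_machine 0xb7 (EM_AARCH64). binfmt_misc decodes the \xNN escapes itself.
AARCH64_MAGIC='\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xb7\x00'
AARCH64_MASK='\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff'

# binfmt_misc flags: P (preserve argv[0]), O (open the binary and pass
# it as an fd), C (use the binary's credentials, implies O),
# F (fix binary: open the interpreter now, at registration time).
valid_flags() {
    case "$1" in
        '') return 0 ;;
        *[!POCF]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Compose the register line ":name:type:offset:magic:mask:interpreter:flags"
# for a magic-based (type M) entry with offset 0.
binfmt_line() {
    name=$1; magic=$2; mask=$3; interp=$4; flags=$5
    valid_flags "$flags" || { echo "bad flags: $flags" >&2; return 1; }
    printf ':%s:M::%s:%s:%s:%s' "$name" "$magic" "$mask" "$interp" "$flags"
}

# The F flag only isolates the emulator if the emulator itself needs
# nothing from the container's filesystem, so it must be static: no
# PT_INTERP program header requesting a dynamic loader.
# Returns 0 for static, 1 for dynamic, 2 if readelf is unavailable.
is_static_elf() {
    command -v readelf >/dev/null 2>&1 || { echo "readelf not found" >&2; return 2; }
    if readelf -l "$1" | grep -q 'INTERP'; then
        return 1
    fi
    return 0
}

# Register the emulator (assumed path) for aarch64 ELF binaries with F.
register_aarch64_emulator() {
    interp=${1:-/usr/bin/qemu-aarch64-static}
    is_static_elf "$interp" || { echo "$interp is not statically linked; refusing" >&2; return 1; }
    binfmt_line qemu-aarch64 "$AARCH64_MAGIC" "$AARCH64_MASK" "$interp" F \
        > /proc/sys/fs/binfmt_misc/register
}

# Usage (as root): register_aarch64_emulator /usr/bin/qemu-aarch64-static
# then: cat /proc/sys/fs/binfmt_misc/qemu-aarch64   # shows "flags: F"
```

After registration, an aarch64 binary run inside a container that does not even contain the emulator still executes, because the kernel supplies the host-opened emulator file; the emulator itself then sees only the container's filesystem, which is why a dynamically linked one would fail to find its libraries.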

Architecture emulation containers with binfmt_misc

Posted Mar 10, 2016 15:39 UTC (Thu) by raven667 (subscriber, #5198)

I'm sure you are probably right; I'm a sysadmin and not much of a developer, but I just have an unformed suspicion that there is some kernel syscall or resource commonly presented inside containers that would treat the open fd from outside the contained environment as an access token proving the program should be allowed to perform operations outside the container, which could be leveraged to exit the container. I don't know of a mechanism to do this, so you are probably right and it's not possible; my lack of confidence is more my lack of deep knowledge of this area than any real problem.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds