kernel-packages team mailing list archive
Message #83168
[Bug 1377267] Re: On trusty I can break out of pivot_root chroot
It would appear this has always been the case, and probably is not a
bug. We will work around it in lxc.

I think what is happening is: in pivot_root, the new root is mounted
over the struct path of the previous current->fs->root (using
attach_mnt). Since current->fs->root after a chroot was not absolute,
the chroot escape can still escape. In fact in the example scripts,
where we chrooted to /mnt, we can see after the chrootbreak that our new
root is under /mnt/root.
** Changed in: linux (Ubuntu)
Status: Triaged => Invalid
https://bugs.launchpad.net/bugs/1377267
Title:
On trusty I can break out of pivot_root chroot
Status in “linux” package in Ubuntu:
Invalid
Bug description:
After doing a pivot_root, it should not be possible to use the
standard well-known 'chroot escape' technique to escape back to the
host root. However, Andrey Vagin found that on 14.04 that is in fact
possible, if you first chroot.
In 14.10, this is NOT possible.
I've uploaded testscripts under
http://people.canonical.com/~serge/chrootintoslave . Download the
cis.* from there into a home directory in a clean vm, make them all
executable, and run "./cis.maintest".
I posted a similar set of scripts (just tweaking how the chroot+chdir
are done after pivot_root) in
http://people.canonical.com/~serge/chrootintoslave.2 - those have the
same results on my system.
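
A pre-flight check that a container setup tool could run before calling pivot_root, to notice that the process is already chrooted into a directory that is not itself a mount point. This is an added example, not code from this thread or from lxc. It assumes the kernel lists /proc/self/mountinfo mount points relative to the process root and omits mounts outside it; the sample mountinfo text is constructed.

```python
import re

# Constructed sample: /proc/self/mountinfo as seen from the real root.
HOST_VIEW = r"""22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
23 22 0:5 / /proc rw,nosuid shared:2 - proc proc rw
24 22 0:30 / /mnt/my\040dir rw shared:3 - tmpfs tmpfs rw
"""
# Constructed sample: the same namespace seen after chroot("/mnt"), where /mnt
# is a plain directory. Only mounts below the new root are listed.
CHROOT_VIEW = r"""24 22 0:30 / /my\040dir rw shared:3 - tmpfs tmpfs rw
"""

_OCTAL = re.compile(r"\\([0-7]{3})")

def _unescape(field):
    # mountinfo writes space, tab, newline and backslash as \ooo octal escapes.
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text):
    """Return (mount_id, parent_id, root, mount_point) for each valid line."""
    entries = []
    for line in text.splitlines():
        fields = line.split(" ")
        # Six fixed fields, optional tags, then a lone "-" separator.
        if "-" not in fields or fields.index("-") < 6:
            continue
        entries.append((int(fields[0]), int(fields[1]),
                        _unescape(fields[3]), _unescape(fields[4])))
    return entries

def root_is_mount_point(text):
    """True if a mount is attached exactly at this process's "/"."""
    return any(mp == "/" for _, _, _, mp in parse_mountinfo(text))

if __name__ == "__main__":
    with open("/proc/self/mountinfo") as fh:
        ok = root_is_mount_point(fh.read())
    print("root is a mount point" if ok else
          "root is NOT a mount point: chroot into a plain directory?")
```

The check only catches a chroot into a plain directory: a chroot into a directory that is itself a mount point still shows a "/" entry.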