It would appear this has always been the case, and probably is not a
bug. We will work around it in lxc.
I think what is happening is: in pivot_root, the new root is mounted
over the struct path of the previous current->fs->root (using
attach_mnt). Since current->fs->root after a chroot was not absolute,
the chroot escape can still escape. In fact in the example scripts,
where we chrooted to /mnt, we can see after the chrootbreak that our new
root is under /mnt/root.
** Changed in: linux (Ubuntu)
Status: Triaged => Invalid
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1377267
Title:
On trusty I can break out of pivot_root chroot
Status in “linux” package in Ubuntu:
Invalid
Bug description:
After doing a pivot_root, it should not be possible to use the
standard well-known 'chroot escape' technique to escape back to the
host root. However, Andrey Vagin found that on 14.04 that is in fact
possible, if you first chroot.
In 14.10, this is NOT possible.
I've uploaded testscripts under
http://people.canonical.com/~serge/chrootintoslave . Download the
cis.* from there into a home directory in a clean vm, make them all
executable, and run "./cis.maintest".
I posted a similar set of scripts (just tweaking how the chroot+chdir
are done after pivot_root) in
http://people.canonical.com/~serge/chrootintoslave.2 - those have the
same results on my system.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1377267/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
