This was disclosed in the whitepaper referenced in
https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2016/june/abusing-privileged-and-unprivileged-linux-containers/
(written by the reporter), so there's no need for this bug report to stay private.

** Information type changed from Private Security to Public Security

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1549391

Title:
  /proc/sched_debug Information Leak

Status in lxc package in Ubuntu:
  New

Bug description:

Description:

Unprivileged containers can read from '/proc/sched_debug', a world-readable file within proc that contains a large amount of CFS and CPU scheduler information. This allows a trivial information leak which discloses what process IDs and names are running in the host or other containers, as well as cgroup information which can disclose container names and other details. This effectively breaks the expected PID Namespace isolation.

Reproduction:

Inside a default and unprivileged LXC container, run the command `cat /proc/sched_debug`. Note that information is displayed about processes running on the host, as well as inside other containers. Sample output includes:

           task   PID         tree-key  switches  prio     exec-runtime         sum-exec         sum-sleep
----------------------------------------------------------------------------------------------------------
       kthreadd     2 319429235.224770      9339   120 319429235.224770       753.267075 1067018909.484918 0 /
      rcu_sched     7 319489137.064234  18896675   120 319489137.064234    170125.420028 1066508074.968528 0 /
        rcuos/5    13 319218638.012762       192   120 319218638.012762         0.896416 1065991450.159691 0 /
.... SNIP ....
.... SNIP ....
          acpid  1813     57932.203222   1676704   120     57932.203222    114395.580999 1067170248.528885 0 /autogroup-222
             sh  2273 113050772.150884        42   120 113050772.150884         0.754525 1066111947.155906 0 /user/1000.user/c1.session
           bash  2276 113052316.082339       788   120 113052316.082339       137.826052 1066155735.798643 0 /user/1000.user/c1.session
 wpa_supplicant  2319 113098971.410443    119765   120 113098971.410443      6903.885769 1067229349.942336 0 /user/1000.user/c1.session
             sh  2426 113050772.151956        43   120 113050772.151956         2.035147 1066012436.338286 0 /user/1000.user/c1.session
          urxvt  2440 113098872.794317    606323   120 113098872.794317     28198.224898 1067122648.025421 0 /user/1000.user/c1.session
    dbus-daemon  2664 113092371.341763      6155   109 113092371.341763       432.939147 1066723733.656385 0 /user/1000.user/c1.session
       dio/dm-2  2695     20657.783903         2   100     20657.783903         0.007240          0.002253 0 /
Chrome_FileThre  3286  31903985.081343    213744   120  31903985.081343     14398.389541 1065335604.938435 0 /lxc/chrome

Recommendation:

In the short term, modify the base LXC AppArmor profile to block access to this file. In the long term, this procfs interface should be rewritten to be namespace aware and possibly restricted to root-only users. If AppArmor is not in use, end-users could recompile their kernel to have CONFIG_SCHED_DEBUG disabled.

##### About NCC:

NCC Group is a security consulting company that performs all manner of security testing and has a strong desire to help make the industry a better, more resilient place. Because of this, when NCC Group identifies vulnerabilities in a system they prefer to work closely with vendors to create more secure systems. NCC Group strongly believes in responsible disclosure, and has strict guidelines in place to ensure that proper disclosure procedure is followed at all times. This serves the dual purpose of allowing the vendor to safely secure the product or system in question as well as allowing NCC Group to share cutting edge research or advisories with the security community.
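
One way to verify the recommended mitigation from inside a container, as an added example that is not part of the bug report or of LXC: it parses the task rows of /proc/sched_debug and reports any whose PID and name do not resolve in the caller's own /proc. The function names are hypothetical, and the row layout (including an 'R' marker in column 0 for the running task) is assumed to match the sample output in the report.

```python
# Rows copied from the sample output in the report (header plus three tasks).
SAMPLE = """\
           task   PID         tree-key  switches  prio     exec-runtime         sum-exec         sum-sleep
----------------------------------------------------------------------------------------------------------
       kthreadd     2 319429235.224770      9339   120 319429235.224770       753.267075 1067018909.484918 0 /
           bash  2276 113052316.082339       788   120 113052316.082339       137.826052 1066155735.798643 0 /user/1000.user/c1.session
Chrome_FileThre  3286  31903985.081343    213744   120  31903985.081343     14398.389541 1065335604.938435 0 /lxc/chrome
"""

def parse_tasks(text):
    """Return (comm, pid, cgroup) for each task row of sched_debug output."""
    tasks = []
    for line in text.splitlines():
        if line.startswith("R"):  # assumed: 'R' in column 0 marks the running task
            line = line[1:]
        # comm may contain spaces; the nine columns to its right never do.
        parts = line.rsplit(None, 9)
        if len(parts) == 10 and parts[1].isdigit() and parts[9].startswith("/"):
            tasks.append((parts[0].strip(), int(parts[1]), parts[9]))
    return tasks

def proc_comm(pid, proc="/proc"):
    """Name of `pid` as seen from this PID namespace, or None if not visible."""
    try:
        with open(f"{proc}/{pid}/comm") as f:
            return f.read().rstrip("\n")
    except OSError:
        return None

def foreign_tasks(text, lookup=proc_comm):
    """Rows whose PID/name pair does not resolve in the caller's own /proc."""
    return [t for t in parse_tasks(text) if lookup(t[1]) != t[0]]

def audit(path="/proc/sched_debug"):
    """None if the file is absent or blocked, else the list of foreign tasks."""
    try:
        with open(path) as f:
            return foreign_tasks(f.read())
    except OSError:
        return None

if __name__ == "__main__":
    leaked = audit()
    if leaked is None:
        print("sched_debug not readable: mitigation in place")
    else:
        print(f"{len(leaked)} task(s) from outside this PID namespace are visible")
```

On the host the list should be empty apart from tasks that exit between the two reads; inside a container with the AppArmor rule applied, audit() returns None.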