Kernel log message corruption due to incomplete /proc separation

Bug #460925 reported by Michael B. Trausch
This bug affects 14 people
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Fix Released
Undecided
Unassigned
lxc (Ubuntu)
Fix Released
High
Unassigned

Bug Description

Binary package hint: lxc

When using LXC (linux containers), /proc/kmsg can be read in guest systems in their filtered view of /proc. This special file should never be present in guest systems, and if created within a guest system, it should be effectively using /dev/null as its source. The effect of this bug ranges from simply annoying to potentially a security issue in that kernel messages are allowed to be destroyed and never fully logged on the host system, which could be used to cover evidence of some sort of attack on the system.

I'm adding the kernel team as well, as this could be an issue inside the kernel. I'm not sure if /proc filtration happens there or in the context of the lxc userland utilities.
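The report describes the expected state: inside a guest, /proc/kmsg should either be absent or be a bind mount of /dev/null. The following audit helper is an added example, not code from the bug report or from the lxc project. It classifies a path as masked (same character device as /dev/null), present-but-unmasked, or absent, so an administrator can verify a container from the inside. It assumes GNU coreutils `stat` (the `%t:%T` major:minor format) and a Linux /dev/null; the path argument defaults to /proc/kmsg.

```shell
#!/bin/sh
# Added audit helper (not from the bug report or lxc): decide whether a
# /proc/kmsg-style path is masked behind /dev/null inside a container.
# Return codes: 0 = masked (same char device as /dev/null),
#               1 = present but NOT masked (guest can read the host kernel log),
#               2 = absent.
kmsg_masked() {
    path="$1"
    if [ ! -e "$path" ]; then
        return 2
    fi
    # Masked means: a character device whose major:minor equals /dev/null's.
    # Assumes GNU stat; %t/%T print the major/minor device numbers in hex.
    if [ -c "$path" ] && \
       [ "$(stat -c '%t:%T' "$path")" = "$(stat -c '%t:%T' /dev/null)" ]; then
        return 0
    fi
    return 1
}

# Human-readable wrapper for running the check by hand inside a guest.
# Usage: report_kmsg [path]   (path defaults to /proc/kmsg)
report_kmsg() {
    path="${1:-/proc/kmsg}"
    rc=0
    kmsg_masked "$path" || rc=$?
    case "$rc" in
        0) echo "$path: masked (bind mount of /dev/null)" ;;
        1) echo "$path: NOT masked, guest can read host kernel messages" ;;
        2) echo "$path: absent" ;;
    esac
    return "$rc"
}
```

A return code of 1 is the condition the report complains about. The remedy on the container side is a read-only bind mount of /dev/null over proc/kmsg in the container's mount configuration (for LXC, an `lxc.mount.entry` line; the exact syntax depends on the lxc version in use, so check the lxc.container.conf manual page rather than copying from memory).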

Revision history for this message
Michael B. Trausch (mtrausch) wrote :

I should note that this is in Karmic, fully updated as of 05:19 on 26-Oct-2009, EDT (GMT-0400).

visibility: private → public
Kees Cook (kees)
Changed in lxc (Ubuntu):
status: New → Triaged
importance: Undecided → Wishlist
Daniel Hahler (blueyed)
Changed in lxc (Ubuntu):
importance: Wishlist → Medium
Daniel Hahler (blueyed) wrote :

hallyn talked on #lxcontainers about adding a "patch to define CAP_SYSLOG" and sent it to the mailing list at https://lists.linux-foundation.org/pipermail/containers/2010-March/023364.html

Changed in lxc (Ubuntu):
importance: Medium → High
Serge Hallyn (serge-hallyn) wrote :

(Note this will come after completion of user namespaces)

Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 460925

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Stéphane Graber (stgraber) wrote :

Added bot-stop-nagging.

Changed in linux (Ubuntu):
status: Incomplete → Triaged
tags: added: bot-stop-nagging
Serge Hallyn (serge-hallyn) wrote :
Changed in lxc (Ubuntu):
status: Triaged → Confirmed
Changed in linux (Ubuntu):
status: Triaged → Incomplete
status: Incomplete → Confirmed
denis steve (steved357)
Changed in lxc (Ubuntu):
status: Confirmed → Fix Released
Changed in linux (Ubuntu):
status: Confirmed → Fix Committed
Po-Hsu Lin (cypressyew)
Changed in linux (Ubuntu):
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
