config-drive needs to be better secured
Bug #1675741 reported by James Page
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| nova-lxd | Fix Released | High | James Page | |
| Newton | Fix Committed | High | Unassigned | |
| Ocata | Fix Committed | High | Unassigned | |
Bug Description
The config-drive support in nova-lxd presents a directory on the host directly into the container at /config-drive:
```
# cd /config-drive
# df -h .
Filesystem Size Used Avail Use% Mounted on
/dev/vda1 39G 2.4G 37G 7% /config-drive
```
This directory is writable by the root user within the container, but writes directly to the host OS FS which would allow an unprivileged container to fill the host OS root filesystem.
I think we can make the config-drive read-only - so setting the 'readonly' flag on the configuration profile should be sufficient.
Changed in nova-lxd:
status: New → Triaged
importance: Undecided → High
information type: Private Security → Public Security
Changed in nova-lxd:
assignee: nobody → James Page (james-page)
status: Triaged → In Progress
Reviewed: https://review.openstack.org/449618
Committed: https://git.openstack.org/cgit/openstack/nova-lxd/commit/?id=c3f55e797ec4cbb34b9238c352b6bf70f975c1b0
Submitter: Jenkins
Branch: master
commit c3f55e797ec4cbb34b9238c352b6bf70f975c1b0
Author: James Page <email address hidden>
Date: Fri Mar 24 13:14:18 2017 +0000
Ensure config-drive is read-only
The /config-drive dir presented from the host OS should
be presented as read only to ensure that the instance
can write directly to the host OS filesystem.
Change-Id: I997ef68048fa0a77f9cb0b70c325b9b96c079e2f
Closes-Bug: 1675741
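
An audit for the condition this bug describes, as an added example that is not part of the bug report or the nova-lxd code: it lists LXD disk devices that bind-mount a host path into a container without the 'readonly' flag. The input shape (container name mapped to its expanded devices), the container names, the host paths and the set of accepted boolean strings are assumptions made for illustration.

```python
import json

# Strings treated as boolean true for 'readonly' (assumption about LXD's parsing).
TRUTHY = {"true", "1", "yes", "on"}

# Constructed sample: container name -> expanded devices. Names and host
# paths are made up; only /config-drive comes from the bug report.
SAMPLE = json.loads("""
{
  "instance-0001": {
    "root": {"type": "disk", "path": "/"},
    "configdrive": {"type": "disk", "path": "/config-drive",
                    "source": "/srv/example/instance-0001/configdrive"},
    "eth0": {"type": "nic", "nictype": "bridged", "parent": "br-example"}
  },
  "instance-0002": {
    "root": {"type": "disk", "path": "/"},
    "configdrive": {"type": "disk", "path": "/config-drive",
                    "source": "/srv/example/instance-0002/configdrive",
                    "readonly": "True"}
  }
}
""")


def is_readonly(device):
    """True when the device carries a truthy 'readonly' value."""
    return str(device.get("readonly", "")).strip().lower() in TRUTHY


def writable_host_mounts(containers):
    """Return (container, device, source, path) for each disk device that
    exposes an absolute host path to the container without readonly."""
    findings = []
    for name, devices in sorted(containers.items()):
        for dev_name, dev in sorted(devices.items()):
            if dev.get("type") != "disk":
                continue  # nics and other device types are out of scope
            source = dev.get("source", "")
            if not source.startswith("/"):
                continue  # no host path, e.g. the container's root disk
            if not is_readonly(dev):
                findings.append((name, dev_name, source, dev.get("path")))
    return findings


if __name__ == "__main__":
    for finding in writable_host_mounts(SAMPLE):
        print("writable host mount: %s/%s %s -> %s" % finding)
```
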