Ubuntu
lxc package

Bug #1476662
Comment #79

Comment 79 for bug 1476662

Revision history for this message

Mike Gabriel (sunweaver) wrote on 2016-01-06: Re: [Bug 1476662] Re: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor

#79

Hi Serge,

On Mo 04 Jan 2016 21:26:05 CET, Serge Hallyn wrote:

> Quoting Mike Gabriel (<email address hidden>):
>> Hi Serge,
>>
>> sorry for getting back to this so late.
>>
>> On Di 08 Dez 2015 17:08:58 CET, Serge Hallyn wrote:
>>
>> > Quoting Mike Gabriel (<email address hidden>):
>>
>> >> today I worked on backporting available fixes for CVE-2015-1335 to LXC
>> >> 0.7.x (as found in Debian squeeze-lts).
>> >>
>> >> The patch is attached, I am still in the testing-for-regressions phase.
>> >> Can any of the LXC devs take a look at the patch and maybe see if it is
>> >> suitable for Ubuntu 12.04, as well?
>> >
>> > Hi,
>> >
>> > So the thing to look for is any unconverted "mount" calls. It
>> > looks like the lxc_setup_fs() calls to mount_fs() are not being
>> > protected. So the contianer admin could attack through a /proc
>> > symlink.
>>
>> Hmmm... ok...
>>
>> I just checked upstream Git and the location you refer to is not using
>> safe_mount either there [1]
>
> Huh, that's odd. Yes those should be protected, since /proc etc in
> the container could be symlinks. Do you mind sending a patch?

I will work on the squeeze-lts / precise patch first and test that. If
that works well, I will forward-port the change to current HEAD.

>> Furthermore, it seems non-trivial to inform safe_mount about the root
>> path from within lxc_init.c.
>>
>> Do you have any input on the following questions?:
>>
>> o Why mount_fs() in latest HEAD still using the mount() call
>> instead of safe_mount()?
>> o How could one pipe the rootfs path into lxc_setup_fs() -> mount_fs()?
>
> You shouldn't need to - it's just '/' because you're already chrooted
> there.
>

Ok. That will make it very easy.

I get back to you with results within the month.

Mike
--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: <email address hidden>, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40das-netzwerkteam.de

Hi Serge,

On  Mo 04 Jan 2016 21:26:05 CET, Serge Hallyn wrote:

> Quoting Mike Gabriel (mike.gabriel@das-netzwerkteam.de):
>> Hi Serge,
>>
>> sorry for getting back to this so late.
>>
>> On  Di 08 Dez 2015 17:08:58 CET, Serge Hallyn wrote:
>>
>> > Quoting Mike Gabriel (mike.gabriel@das-netzwerkteam.de):
>>
>> >> today I worked on backporting available fixes for CVE-2015-1335 to LXC
>> >> 0.7.x (as found in Debian squeeze-lts).
>> >>
>> >> The patch is attached, I am still in the testing-for-regressions phase.
>> >> Can any of the LXC devs take a look at the patch and maybe see if it is
>> >> suitable for Ubuntu 12.04, as well?
>> >
>> > Hi,
>> >
>> > So the thing to look for is any unconverted "mount" calls.  It
>> > looks like the lxc_setup_fs() calls to mount_fs() are not being
>> > protected.  So the contianer admin could attack through a /proc
>> > symlink.
>>
>> Hmmm... ok...
>>
>> I just checked upstream Git and the location you refer to is not using
>> safe_mount either there [1]
>
> Huh, that's odd.  Yes those should be protected, since /proc etc in
> the container could be symlinks.  Do you mind sending a patch?

I will work on the squeeze-lts / precise patch first and test that. If  
that works well, I will forward-port the change to current HEAD.

>> Furthermore, it seems non-trivial to inform safe_mount about the root
>> path from within lxc_init.c.
>>
>> Do you have any input on the following questions?:
>>
>>    o Why mount_fs() in latest HEAD still using the mount() call
>> instead of safe_mount()?
>>    o How could one pipe the rootfs path into lxc_setup_fs() -> mount_fs()?
>
> You shouldn't need to - it's just '/' because you're already chrooted
> there.
>