Comment 14 for bug 1508481

Serge Hallyn (serge-hallyn) wrote : Re: [Bug 1508481] Re: lxcfs does not properly enforce directory escapes

Quoting Seth Arnold (<email address hidden>):
> It's just that there are dozens of calls to work with:

Good point.

Many of those are not implemented. Anything not implemented in lxcfs.c
should return "Function not implemented". For instance truncate
does so, and access returns -ENOENT.

I'll work on a testcase for the below list.

> open
> stat
> access
> bind
> truncate
> chdir
> rename
> mkdir
> rmdir
> creat
> link
> unlink
> symlink
> readlink
> chmod
> chown
> lchown
> mknod
> chroot
> setxattr
> lsetxattr
> getxattr
> lgetxattr
> listxattr
> llistxattr
> removexattr
> lremovexattr
> utimes
>
> Then there's the consequences of an fd to one of these cgroup files or
> directories being passed to another process and then the f* variants of
> the above functions getting used. Or the *at variants.
>
> That's what I'm worried about; the patches you've attached here look
> good, and close a hole you identified, but there's a lot of syscalls
> that include a lot of error returns.
>
> Thanks
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1508481
>
> Title:
> lxcfs does not properly enforce directory escapes
>
> Status in lxcfs package in Ubuntu:
> New
>
> Bug description:
> lxcfs, like cgmanager, is meant to enforce that a task under cgroup
> /a/b/c cannot query or update cgroups which are not /a/b/c or its
> descendants.
>
> Since lxcfs is a filesystem, it makes an exception so that 'ls /a'
> (really 'ls /var/lib/lxcfs/cgroup/freezer/a') returns a single dentry,
> for 'b'.
>
> This enforcement is not complete. So if you are logged into
> 5:freezer:/user/serge/1, you can do
>
> 0 ✓ serge@sl ~ $ sudo mkdir /var/lib/lxcfs/cgroup/freezer/xx
> 0 ✓ serge@sl ~ $ ls /sys/fs/cgroup/freezer/xx
> cgroup.clone_children cgroup.procs freezer.parent_freezing freezer.self_freezing freezer.state notify_on_release tasks
>
> DAC permissions still apply, locking unprivileged containers.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/lxcfs/+bug/1508481/+subscriptions
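A small probe of the kind Serge says he will write for the list above, added here as an example; it is not part of the bug thread and not lxcfs's own test code. It runs each path-based syscall from Seth's list against one path and records whether the call was allowed or which errno it failed with, so a path that should be hidden can be checked against the expected refusals (ENOSYS for handlers lxcfs does not implement, ENOENT for the access-style check). The lxcfs mount point, the cgroup name `xx` and the `.renamed` sibling path are assumptions; the f*/`*at` variants Seth also mentions are not covered. `access(2)` is called through ctypes because `os.access()` hides the errno.

```python
import ctypes
import errno
import os
import socket
import stat
import sys
import tempfile

# libc handle so access(2) can report its real errno (os.access only returns a bool)
_libc = ctypes.CDLL(None, use_errno=True)


def _access(path):
    if _libc.access(path.encode(), os.F_OK) == -1:
        raise OSError(ctypes.get_errno(), os.strerror(ctypes.get_errno()), path)


def _bind(path):
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        s.bind(path)
    finally:
        s.close()


def _chdir_and_back(path):
    cwd = os.getcwd()
    os.chdir(path)
    os.chdir(cwd)  # only reached if the chdir was allowed


def _probes(path):
    """One callable per syscall from the list; each raises OSError when refused."""
    sibling = path + ".renamed"  # constructed second path for rename/link/symlink
    probes = {
        "open": lambda: os.close(os.open(path, os.O_RDONLY)),
        "stat": lambda: os.stat(path),
        "access": lambda: _access(path),
        "bind": lambda: _bind(path),
        "truncate": lambda: os.truncate(path, 0),
        "chdir": lambda: _chdir_and_back(path),
        "rename": lambda: os.rename(path, sibling),
        "mkdir": lambda: os.mkdir(path),
        "rmdir": lambda: os.rmdir(path),
        "creat": lambda: os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)),
        "link": lambda: os.link(path, sibling),
        "unlink": lambda: os.unlink(path),
        "symlink": lambda: os.symlink(path, sibling),
        "readlink": lambda: os.readlink(path),
        "chmod": lambda: os.chmod(path, 0o755),
        "chown": lambda: os.chown(path, -1, -1),
        "lchown": lambda: os.lchown(path, -1, -1),
        "mknod": lambda: os.mknod(path, stat.S_IFIFO | 0o644),
        "chroot": lambda: os.chroot(path),
        "utimes": lambda: os.utime(path, None),
    }
    if hasattr(os, "setxattr"):  # Linux only
        probes.update({
            "setxattr": lambda: os.setxattr(path, "user.probe", b"1"),
            "lsetxattr": lambda: os.setxattr(path, "user.probe", b"1", follow_symlinks=False),
            "getxattr": lambda: os.getxattr(path, "user.probe"),
            "lgetxattr": lambda: os.getxattr(path, "user.probe", follow_symlinks=False),
            "listxattr": lambda: os.listxattr(path),
            "llistxattr": lambda: os.listxattr(path, follow_symlinks=False),
            "removexattr": lambda: os.removexattr(path, "user.probe"),
            "lremovexattr": lambda: os.removexattr(path, "user.probe", follow_symlinks=False),
        })
    return probes


def probe_path(path):
    """Return {syscall: errno} for refused calls and {syscall: None} for allowed ones."""
    results = {}
    for name, op in _probes(path).items():
        try:
            op()
            results[name] = None
        except OSError as exc:
            results[name] = exc.errno
    return results


def escapes(results, allowed=(errno.ENOENT, errno.ENOSYS)):
    """Syscalls that were allowed, or refused with an errno outside `allowed`.
    ENOSYS is 'Function not implemented'; ENOENT is what access() returns."""
    return sorted(op for op, err in results.items() if err not in allowed)


def selftest_results():
    """Run the probes against a constructed path whose parent does not exist,
    so every call should be refused with ENOENT (no lxcfs mount needed)."""
    with tempfile.TemporaryDirectory() as tmp:
        return probe_path(os.path.join(tmp, "missing-parent", "xx"))


if __name__ == "__main__":
    # e.g. python3 probe.py /var/lib/lxcfs/cgroup/freezer/xx  (assumed mount point)
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/lxcfs/cgroup/freezer/xx"
    res = probe_path(target)
    for op, err in sorted(res.items()):
        print(f"{op:13s} {'ALLOWED' if err is None else errno.errorcode.get(err, err)}")
    print("unexpected:", escapes(res) or "none")
```

Run it from inside a container as the confined task against a sibling cgroup directory; any line reporting ALLOWED, or an errno other than ENOENT/ENOSYS, is an enforcement gap in that handler.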