Comment 32 for bug 1639345

Stéphane Graber (stgraber) wrote :

Ok, so on the topic of CVE assignation, I've been going back and forth on this throughout the day.

Ultimately the security issue is with the kernel and Eric's patch fixes that; that, in my mind, is the real CVE-worthy issue here.

On the LXC side of things, the current implementation of procfd allows an attacker to get a dirfd to the host's /proc which then allows escaping to the host's filesystem and ultimately completely escaping from the container.

Christian's fix restricts that exposure to just the apparmor label switching interface, making it still possible for an attacker in the container to alter the apparmor profile of the joining task.
That's still a security problem, but much less bad than a privilege escalation (in the case of a privileged attach process) and full container escape.

So as it stands, I think we'll want a CVE for the LXC side of this as even without the related kernel fix, the proposed fix does make things massively better by turning a privilege escalation + container escape issue into "just" an apparmor bypass issue.

As far as CRD, assuming we're all happy with the proposed fix, anytime next week would be fine with me. If that's not an option, then the 1st or 2nd of December would work too.

I'm going to be mostly unavailable between the 28th and 30th and then again between the 5th and 9th so would rather avoid those days.

As usual, the plan will be for upstream LXC to push out security releases for the two supported branches as well as handle the announcement. So I'll be tagging LXC 1.0.9 and LXC 2.0.6 containing only this one fix on top of the latest stable release (1.0.8 and 2.0.5 respectively).

For Ubuntu, that means:
 - precise-backports: update to 1.0.9
 - trusty: update to 1.0.9
 - xenial: update to 2.0.6
 - yakkety: update to 2.0.6
 - zesty: update to 2.0.6

Once we've had a few more eyes on the proposed patch and have a CRD set in stone, I'll push all of the above in the private LXC security PPA, then on the CRD, the security team (or I) can just copy all of that stuff in the archive.