[Bug 427863] [NEW] binfmt allows breaking out of chroots due to not respecting namespaces

Oliver Grawert ogra at ubuntu.com
Fri Sep 11 13:08:23 UTC 2009


Public bug reported:

in ubuntu and debian using the binfmt-support tool, it is possible to register
interpreters based on file magic with the binfmt module, so a mono file gets
executed by the proper mono interpreter, java by the java interpreter etc.

we recently added a qemu-arm-static package that allows executing armel
binaries under x86 systems. this package also registers with binfmt. it also
comes with a script that builds armel specific chroots (and copies the static
binary into the chroot). 

now chrooting into such an armel chroot and trying to execute something another
binfmt handler is available for in the kernel (i.e. installing mono
applications in this armel chroot on an x86 system) ends up in the situation
that $interpreter of the host system gets executed instead of
$chroot/$interpreter.

the module should determine from which namespace ($chroot) the binary wanting
to execute the interpreter comes and act accordingly by executing the binary
from inside the chroot instead of the one from the host system.

given that i could now use an x86 mono or java binary from inside the chroot to
access the actual host system, this appears like a (even if not actually
major) security issue.

** Affects: linux
     Importance: Unknown
         Status: Unknown

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: New

** Bug watch added: Linux Kernel Bug Tracker #14162
   http://bugzilla.kernel.org/show_bug.cgi?id=14162

** Also affects: linux via
   http://bugzilla.kernel.org/show_bug.cgi?id=14162
   Importance: Unknown
       Status: Unknown

-- 
binfmt allows breaking out of chroots due to not respecting namespaces
https://bugs.launchpad.net/bugs/427863
You received this bug notification because you are a member of Kernel
Bugs, which is subscribed to Linux.
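
A check related to the situation the report describes, added here as an example (not code from the report, the kernel or binfmt-support): it parses handler entries in the /proc/sys/fs/binfmt_misc text format and reports, for each enabled handler, whether its interpreter path also exists under a given chroot. The sample entries, the chroot path and all function names are constructed for illustration.

```python
import os

# Constructed sample entries in the /proc/sys/fs/binfmt_misc/<name> text format.
SAMPLE = {
    "qemu-arm": "enabled\ninterpreter /usr/bin/qemu-arm-static\nflags: \noffset 0\nmagic 7f454c46\n",
    "cli": "enabled\ninterpreter /usr/bin/cli\nflags: \noffset 0\nmagic 4d5a\n",
    "jar": "disabled\ninterpreter /usr/bin/jexec\nflags: \noffset 0\nmagic 504b0304\n",
}

def parse_binfmt_entry(text):
    """Parse one handler entry into a dict (enabled, interpreter, flags, other keys)."""
    entry = {"enabled": False, "interpreter": None, "flags": ""}
    for line in text.splitlines():
        line = line.strip()
        if line in ("enabled", "disabled"):
            entry["enabled"] = line == "enabled"
        elif line.startswith("flags:"):
            entry["flags"] = line.split(":", 1)[1].strip()
        elif " " in line:
            # "interpreter <path>", "offset <n>", "magic <hex>", "mask <hex>", ...
            key, value = line.split(" ", 1)
            entry[key] = value
    return entry

def audit_chroot(entries, chroot, exists=os.path.lexists):
    """Map each handler name to its status relative to the chroot.

    lexists is the default so an absolute symlink inside the chroot is not
    followed out to the host filesystem while checking.
    """
    report = {}
    for name, text in entries.items():
        entry = parse_binfmt_entry(text)
        if not entry["enabled"] or not entry["interpreter"]:
            report[name] = "disabled"
            continue
        inside = os.path.join(chroot, entry["interpreter"].lstrip("/"))
        report[name] = "present-in-chroot" if exists(inside) else "missing-in-chroot"
    return report

def load_entries(root="/proc/sys/fs/binfmt_misc"):
    """Read the live handler entries from the host, skipping the control files."""
    entries = {}
    for name in sorted(os.listdir(root)):
        if name not in ("register", "status"):
            with open(os.path.join(root, name)) as fh:
                entries[name] = fh.read()
    return entries

if __name__ == "__main__":
    for name, status in audit_chroot(SAMPLE, "/srv/armel-chroot").items():
        print(f"{name}: {status}")
```

On a real host, pass `load_entries()` instead of `SAMPLE`; handlers reported as missing-in-chroot are the ones to review for that chroot.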



