[Bug 1034125] [NEW] containers can load a kernel to kexec

Serge Hallyn 1034125 at bugs.launchpad.net
Tue Aug 7 19:15:15 UTC 2012


Public bug reported:

Loading a kexec kernel is guarded by CAP_SYS_BOOT, which we allow a
container to have.

A container can't do 'kexec -e' to actually execute the new kernel,
because that requires a call to reboot which is refused.  However, it
can do kexec -l to load a kernel for the next kexec -e.  This means that
it could race with an admin on the host doing 'kexec -l; kexec -e'.
Exact command line used in the container (after copying /boot/* from
the host to /var/lib/lxc/q1/rootfs/boot/ ):

sudo kexec -l /boot/vmlinuz-3.5.0-5-generic --append=root=LABEL=cloudimg-rootfs --initrd=/boot/initrd.img-3.5.0-5-generic

Before this, kexec -e on the host gives:

Nothing has been loaded!

After this, it loads the new kernel.

There is a patch on lkml to prevent a task in non-init pid namespace
(i.e. a container) from loading kexec kernels:
https://lkml.org/lkml/2012/8/3/152.  Please apply to precise and
quantal.

After quantal, user namespaces will provide an alternative fix.

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: lxc (Ubuntu)
     Importance: High
         Status: Triaged

** Also affects: linux (Ubuntu)
   Importance: Undecided
       Status: New

** Description changed:

  Loading a kexec kernel is guarded by CAP_SYS_BOOT, which we allow a
  container to have.
  
- A container can't do 'kexec -e' to actually execute the new kernel,
- because that requires a call to reboot which is refused.  However, it
- can do kexec -l do load a kernel for the next kexec -e.  This means that
- it could race with an admin on the host doing 'kexec -l; kexec -e'.
- Exact command line used in the container:
+ A container can't do 'kexec -e' to actually execute the new kernel, because that requires a call to reboot which is refused.  However, it can do kexec -l do load a kernel for the next kexec -e.  This means that it could race with an admin on the host doing 'kexec -l; kexec -e'.  Exact command line used in the container (after
+ copying /boot/* from the host to /var/lib/lxc/q1/rootfs/boot/ ) :
  
  sudo kexec -l /boot/vmlinuz-3.5.0-5-generic --append=root=LABEL
  =cloudimg-rootfs --initrd=/boot/initrd.img-3.5.0-5-generic
  
  Before this, kexec -e on the host gives:
  
  Nothing has been loaded!
  
  After this, it loads the new kernel.
  
  There is a patch on lkml to prevent a task in non-init pid namespace
  (i.e. a container) from loading kexec kernels:
  https://lkml.org/lkml/2012/8/3/152.  Please apply to precise and
  quantal.
  
  After quantal, user namespaces will provide an alternative fix.

** Changed in: lxc (Ubuntu)
       Status: New => Triaged

** Changed in: lxc (Ubuntu)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1034125

Title:
  containers can load a kernel to kexec

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1034125/+subscriptions
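The report above turns on one fact: the only gate in front of kexec_load(2) was CAP_SYS_BOOT, which the container had. The program below is an added example for checking that from inside a container; it is not code from the bug report, from LXC or from Ubuntu. It reads the task's capability masks from /proc/self/status and then asks the kernel directly by issuing kexec_load(2) with zero segments, which walks the same permission checks as a real load but needs no kernel image. It assumes a Linux host whose <sys/syscall.h> defines SYS_kexec_load; the constants CAP_SYS_BOOT (bit 22) and KEXEC_ARCH_DEFAULT (0) are the kernel's own, repeated here so the file builds without the UAPI headers. Note the side effect: if the zero-segment call succeeds it discards any image the host admin has already loaded with kexec -l, so run it where that is acceptable.

```c
/* kexec_probe.c: can this task reach kexec_load(2)?  Added example, not
 * part of the bug report.  Build: cc -O2 -o kexec_probe kexec_probe.c
 * Run it as root inside the container and compare with the host. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define CAP_SYS_BOOT 22             /* value from <linux/capability.h> */
#ifndef KEXEC_ARCH_DEFAULT
#define KEXEC_ARCH_DEFAULT 0        /* value from <linux/kexec.h> */
#endif

/* Is bit `capbit` set in a capability mask written as hex, the way
 * /proc/<pid>/status prints CapEff/CapBnd? */
int cap_in_mask(const char *hexmask, int capbit)
{
    uint64_t mask = strtoull(hexmask, NULL, 16);
    return (int)((mask >> capbit) & 1);
}

/* Scan status text in /proc/self/status format for a line such as
 * "CapEff:\t0000003fffffffff" and test one bit of it.
 * Returns 1 if set, 0 if clear, -1 if the field is not present. */
int status_has_cap(const char *status_text, const char *field, int capbit)
{
    const char *p = status_text;
    size_t flen = strlen(field);
    while (p && *p) {
        if (strncmp(p, field, flen) == 0 && p[flen] == ':') {
            p += flen + 1;
            while (*p == ' ' || *p == '\t')
                p++;
            return cap_in_mask(p, capbit);
        }
        p = strchr(p, '\n');
        if (p)
            p++;
    }
    return -1;
}

/* Read this process's /proc/self/status into buf; returns bytes read or -1. */
static long read_self_status(char *buf, size_t len)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (long)n;
}

/* Ask the kernel.  kexec_load() with nr_segments == 0 is the "unload"
 * form: it passes the same CAP_SYS_BOOT check (and, with the referenced
 * patch, the pid-namespace check) as a real load, without an image.
 * CAUTION: on success it drops any image already loaded on the host.
 * Returns 0 if the kernel permitted the call, otherwise errno. */
int probe_kexec_load(void)
{
#ifdef SYS_kexec_load
    long r = syscall(SYS_kexec_load, 0UL, 0UL, (void *)0,
                     (unsigned long)KEXEC_ARCH_DEFAULT);
    return r == 0 ? 0 : errno;
#else
    return ENOSYS;
#endif
}

/* Human-readable verdict for the probe result. */
const char *describe_probe(int err)
{
    switch (err) {
    case 0:      return "PERMITTED: this task can load a kexec image";
    case EPERM:  return "refused (EPERM): capability, namespace, seccomp or lockdown check";
    case ENOSYS: return "unavailable (ENOSYS): kernel lacks kexec or the syscall is filtered";
    case EBUSY:  return "busy (EBUSY): another kexec_load is in progress";
    default:     return "other error";
    }
}

int main(void)
{
    char status[8192];
    if (read_self_status(status, sizeof status) < 0) {
        perror("/proc/self/status");
        return 1;
    }
    int eff = status_has_cap(status, "CapEff", CAP_SYS_BOOT);
    int bnd = status_has_cap(status, "CapBnd", CAP_SYS_BOOT);
    printf("CAP_SYS_BOOT in CapEff: %s, in CapBnd: %s\n",
           eff == 1 ? "yes" : "no", bnd == 1 ? "yes" : "no");
    printf("kexec_load(2) probe: %s\n", describe_probe(probe_kexec_load()));
    return 0;
}
```

The two answers can disagree, and that is the point of running both: a container whose CapEff shows CAP_SYS_BOOT still gets EPERM once the kernel checks the pid namespace (the referenced patch), the user namespace (the later fix the report anticipates), a seccomp filter or lockdown, so a hardening profile should be judged by the probe, not by the capability listing.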



More information about the Ubuntu-server-bugs mailing list