[Bug 1244635] Re: setuid executables in a container may compromise security on the host
Stéphane Graber
stgraber at stgraber.org
Sat Oct 26 19:16:07 UTC 2013
Right, libvirt-lxc isn't LXC (even though they sort of stole the name)
and is indeed completely unsafe...
As for the rest, I'm happy to report that you misread the apparmor profile and that we thought of and blocked all of those from the beginning as is shown below:
root at lxc-dev:/# echo abc > /sys/kernel/uevent_helper
bash: /sys/kernel/uevent_helper: Permission denied
root at lxc-dev:/# echo abc > /sys/class/mem/null/uevent
bash: /sys/class/mem/null/uevent: Permission denied
root at lxc-dev:/# mount -t sysfs syfs /mnt
mount: block device syfs is write-protected, mounting read-only
mount: cannot mount block device syfs read-only
root at lxc-dev:/# mount --bind /sys /mnt
mount: block device /sys is write-protected, mounting read-only
mount: cannot mount block device /sys read-only
--
https://bugs.launchpad.net/bugs/1244635
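The four probes in the reply above are worth repeating whenever a container runtime or an AppArmor profile changes. The script below is an added example; it is not code from the bug thread or from the LXC project. It assumes it is run as root inside the container under test, reuses the exact paths from the reply, and treats a write failure as "denied" only when the shell reports EACCES/EPERM, so that an EINVAL from a sysfs attribute that actually parsed the value is not mistaken for confinement.

```shell
#!/bin/sh
# Added example; not code from the bug thread or from the LXC project.
# Repeats the reply's four probes from inside a container and reports
# whether confinement blocked each one. Assumptions: run as root inside the
# container under test; paths are the ones from the reply; a write failure
# is called "denied" only when the shell reports EACCES/EPERM.

# probe_write PATH VALUE: attempt 'echo VALUE > PATH', as the reply does.
# Prints one word: missing (PATH absent), allowed (write succeeded, i.e. NOT
# confined), denied (Permission denied / Operation not permitted), or
# rejected (any other error, e.g. EINVAL from a sysfs attribute that parsed
# the value and disliked it).
probe_write() {
    _p=$1; _v=$2
    [ -e "$_p" ] || { echo missing; return 0; }
    if _err=$(sh -c 'printf "%s\n" "$2" > "$1"' sh "$_p" "$_v" 2>&1 >/dev/null); then
        echo allowed
    elif printf '%s' "$_err" | grep -qE 'Permission denied|Operation not permitted'; then
        echo denied
    else
        echo rejected
    fi
}

# probe_mount MOUNT-ARGS...: run 'mount MOUNT-ARGS... TMPDIR' and undo it if
# it worked. mount(8) rewrites the kernel's error (the reply shows the
# "write-protected ... read-only" retry it does for an EACCES), so any
# failure is reported as blocked rather than classified further.
probe_mount() {
    _d=$(mktemp -d) || return 1
    if mount "$@" "$_d" >/dev/null 2>&1; then
        umount "$_d" >/dev/null 2>&1
        rmdir "$_d"
        echo allowed
    else
        rmdir "$_d"
        echo blocked
    fi
}

# run_checks: the reply's four probes. Prints a verdict per probe and returns
# 0 only if none succeeded. Refuses to run unprivileged: the kernel rejects
# all of these for a non-root user anyway, so a "denied" seen as an ordinary
# user would prove nothing about the container's confinement.
run_checks() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "run_checks: must run as root inside the container" >&2
        return 2
    fi
    _bad=0
    # Write the helper's current value back so that an unconfined (allowed)
    # write does not actually change the host's uevent helper.
    _r=$(probe_write /sys/kernel/uevent_helper "$(cat /sys/kernel/uevent_helper 2>/dev/null)")
    echo "write /sys/kernel/uevent_helper: $_r"; [ "$_r" = allowed ] && _bad=1
    _r=$(probe_write /sys/class/mem/null/uevent abc)
    echo "write /sys/class/mem/null/uevent: $_r"; [ "$_r" = allowed ] && _bad=1
    _r=$(probe_mount -t sysfs sysfs)
    echo "mount -t sysfs: $_r"; [ "$_r" = allowed ] && _bad=1
    _r=$(probe_mount --bind /sys)
    echo "mount --bind /sys: $_r"; [ "$_r" = allowed ] && _bad=1
    return $_bad
}

# Usage (inside the container, as root): sh check-sysfs-confinement.sh check
case "${1:-}" in
    check) run_checks ;;
esac
```

A non-zero exit from run_checks means at least one probe got through, which is the situation the reply says the stock profile prevents; "rejected" on the uevent file is expected when the profile is absent, because the kernel itself refuses an unknown uevent action, and is therefore not a sign of confinement.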