[Bug 1476662] Re: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor
Stephen Gaito
stephen at perceptisys.co.uk
Wed Sep 30 09:28:09 UTC 2015
I have a similar problem (but not with /proc).
***Roman Fiedler's link (above) suggests the correct work around.***
My lxc configuration file has the following line:
> lxc.mount.entry = /data/references /var/lib/lxc/noteServer/rootfs/data/references none ro,bind 0 0
(Note that the mount directory is an **absolute** path)
My resulting error message (in /var/log/lxc/noteServer.log) is:
> lxc-start 1443599663.225 ERROR lxc_utils - utils.c:ensure_not_symlink:1384 - Mount onto /usr/lib/x86_64-linux-gnu/lxc//data/references resulted in /usr/lib/x86_64-linux-gnu/lxc/data/references
Tracing through the apt-get source lxc code, I think the offending code
(in the mount_entry_on_absolute_rootfs function in the
lxc-1.0.7/src/lxc/conf.c file) is:
>         aux = strstr(mntent->mnt_dir, path);
>         if (aux) {
>                 offset = strlen(path);
>                 goto skipabs;
>         }
>
> skipvarlib:
>         aux = strstr(mntent->mnt_dir, rootfs->path);
>         if (!aux) {
>                 WARN("ignoring mount point '%s'", mntent->mnt_dir);
>                 goto out;
>         }
>         offset = strlen(rootfs->path);
>
> skipabs:
>
>         r = snprintf(path, MAXPATHLEN, "%s/%s", rootfs->mount,
>                      aux + offset);
Note that the last line should (probably -- I have not compiled any code
to test this) be:
>         r = snprintf(path, MAXPATHLEN, "%s/%s", rootfs->mount,
>                      aux + offset + 1);
The "+1" then skips over the "/" in the mntent->mnt_dir so there will
only be *one* "/" in the resulting path.
Note that the work around in Roman Fiedler's link ensures that the mount
entry uses the mount_entry_on_relative_rootfs function (which works)
rather than the (currently broken?) mount_entry_on_absolute_rootfs
function.
I can confirm that the following configuration line:
> lxc.mount.entry = /data/references data/references none ro,bind 0 0
now in fact works, since it specifies a **relative** mount directory and
so invokes the mount_entry_on_relative_rootfs function.
Many thanks for excellent **open source** tools!
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1476662
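The double-slash failure described in the message above, worked through as an added example; this is not lxc's code and not part of the original post. It models the quoted conf.c arithmetic and the realpath()-and-compare check behind the "Mount onto X resulted in Y" message (the struct rootfs fields, build_target_path, target_is_canonical and run_demo are all names chosen here, and the scratch tree under /tmp is constructed sample data, not a container). It shows that the "//" fails the check exactly as a real symlink would, that the +1 (guarded on the slash rather than applied unconditionally) makes the absolute entry pass, and that the check still refuses a target whose last component is a symlink.

```c
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Hypothetical stand-in for the two lxc rootfs fields the quoted snippet
 * reads; the real struct has more members. */
struct rootfs {
    const char *path;   /* rootfs as configured: /var/lib/lxc/<name>/rootfs */
    const char *mount;  /* where lxc-start mounted it: /usr/lib/.../lxc      */
};

/* Model of the quoted mount_entry_on_absolute_rootfs arithmetic: find
 * rootfs->path inside the entry's target and splice the remainder onto
 * rootfs->mount.  skip_slash = 0 reproduces the "%s/%s" as quoted (the
 * remainder still starts with '/', so the result contains "//");
 * skip_slash = 1 applies the proposed +1, guarded so an entry that names
 * rootfs->path exactly is not stepped past its terminating NUL.
 * Returns 0 on success, -1 otherwise. */
int build_target_path(const struct rootfs *rootfs, const char *mnt_dir,
                      int skip_slash, char *out, size_t outlen)
{
    const char *aux = strstr(mnt_dir, rootfs->path);
    if (!aux)
        return -1;                      /* conf.c: "ignoring mount point" */
    size_t offset = strlen(rootfs->path);
    if (skip_slash && aux[offset] == '/')
        offset++;
    int r = snprintf(out, outlen, "%s/%s", rootfs->mount, aux + offset);
    return (r < 0 || (size_t)r >= outlen) ? -1 : 0;
}

/* Model of the check behind "Mount onto X resulted in Y": resolve the
 * target and insist the resolved path is byte-for-byte what was asked for.
 * Returns 1 if canonical, 0 if not, -1 if realpath() fails.  A "//" fails
 * this just as a symlink does, which is the false positive in the report. */
int target_is_canonical(const char *target)
{
    char resolved[PATH_MAX];
    if (!realpath(target, resolved))
        return -1;
    return strcmp(target, resolved) == 0;
}

/* Build a constructed scratch tree (not a real container) under mkdtemp():
 *   <tmp>/mount/data/references     plain directory, stands in for the bind target
 *   <tmp>/mount/data/link -> <tmp>  symlink pointing out of the tree
 * then run the check three ways.  Returns 0 and fills the results on success. */
int run_demo(int *double_slash, int *fixed, int *via_symlink)
{
    char tmpl[] = "/tmp/lxc-slash-demo-XXXXXX";   /* assumes a writable /tmp */
    char tmp[PATH_MAX], mount[PATH_MAX], data[PATH_MAX], refs[PATH_MAX];
    char lnk[PATH_MAX], rootfs_path[PATH_MAX], entry[PATH_MAX], target[PATH_MAX];

    if (!mkdtemp(tmpl) || !realpath(tmpl, tmp))  /* canonicalise in case /tmp is a symlink */
        return -1;
    snprintf(mount, sizeof mount, "%s/mount", tmp);
    snprintf(data, sizeof data, "%s/data", mount);
    snprintf(refs, sizeof refs, "%s/references", data);
    snprintf(lnk, sizeof lnk, "%s/link", data);
    snprintf(rootfs_path, sizeof rootfs_path, "%s/rootfs", tmp);  /* only strstr'd; need not exist */
    if (mkdir(mount, 0755) || mkdir(data, 0755) || mkdir(refs, 0755) || symlink(tmp, lnk))
        return -1;

    struct rootfs rfs = { rootfs_path, mount };

    /* 1. Absolute entry, arithmetic as quoted: target becomes "<mount>//data/references". */
    snprintf(entry, sizeof entry, "%s/data/references", rootfs_path);
    if (build_target_path(&rfs, entry, 0, target, sizeof target))
        return -1;
    *double_slash = target_is_canonical(target);   /* 0: realpath() drops the extra '/' */

    /* 2. Same entry with the +1: a single '/', so the check passes. */
    if (build_target_path(&rfs, entry, 1, target, sizeof target))
        return -1;
    *fixed = target_is_canonical(target);          /* 1 */

    /* 3. Same arithmetic, but the last component is a symlink: still refused. */
    snprintf(entry, sizeof entry, "%s/data/link", rootfs_path);
    if (build_target_path(&rfs, entry, 1, target, sizeof target))
        return -1;
    *via_symlink = target_is_canonical(target);    /* 0: resolves to <tmp>, not the link */

    unlink(lnk); rmdir(refs); rmdir(data); rmdir(mount); rmdir(tmp);
    return 0;
}

int main(void)
{
    int dbl, fixed, sym;
    if (run_demo(&dbl, &fixed, &sym))
        return 1;
    printf("as quoted (\"//\"): canonical=%d\n", dbl);
    printf("with +1:           canonical=%d\n", fixed);
    printf("through symlink:   canonical=%d\n", sym);
    return 0;
}
```

Build with `cc -o slashdemo slashdemo.c` and run it. The third case is the caveat worth keeping in mind when applying the +1: the fix only removes the spurious "//", and because realpath() still resolves any symlink in the constructed target, the comparison continues to reject an entry whose target has been swapped for a link.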