[Bug 1476662] Re: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor

Stephen Gaito stephen at perceptisys.co.uk
Wed Sep 30 09:56:35 UTC 2015


Looking through the top Google results on how to bind-mount a directory
from the host-server into the lxc-server I notice that:

* Stéphane Graber's "LXC 1.0: Advanced container usage [3/10]" post (
https://www.stgraber.org/2013/12/21/lxc-1-0-advanced-container-usage/ )
makes use of the **relative** mount point (in the lxc-server's fstab
config file on the host-server)

* Unfortunately the **official**(?) Debian LXC wiki page on "LXC" has
the topic "Bind mounts inside the container" (
https://wiki.debian.org/LXC#Bind_mounts_inside_the_container ) which
uses the lxc.mount.entry line in the config file **and** makes use of an
**absolute** mount point.

So those following the official Debian LXC documentation will be caught
by this security patch. ;-(

Just to be definite: changing all lxc.mount.entry mount points to
**relative** paths is a current workaround.

-- 
https://bugs.launchpad.net/bugs/1476662
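The workaround the post ends with (make every lxc.mount.entry mount point relative) is easy to audit mechanically. The script below is an added example, not code from the bug thread, the Debian wiki or the LXC project; it assumes the fstab-style "lxc.mount.entry = SRC TARGET FSTYPE OPTS DUMP PASS" layout the wiki shows, with TARGET as the second field, and the sample config it writes is constructed for the demo (the paths in it are hypothetical).

```shell
#!/bin/sh
# Added example: audit an LXC container config for lxc.mount.entry lines whose
# mount point (2nd field after "=") is absolute, and emit a copy with those
# mount points made rootfs-relative. Assumes the fstab-style field layout
# documented on the Debian wiki; sample paths below are constructed.

# Write a constructed sample config to the file named in $1.
write_sample_config() {
    cat > "$1" <<'EOF'
lxc.rootfs = /var/lib/lxc/demo/rootfs
# absolute mount point: the form the Debian wiki shows, caught by the patch
lxc.mount.entry = /srv/shared /mnt/shared none bind 0 0
# relative mount point: the form Stéphane Graber's post uses
lxc.mount.entry = /srv/data mnt/data none bind,ro 0 0
lxc.mount.entry=/dev/net/tun dev/net/tun none bind,create=file 0 0
EOF
}

# Print "LINENO: line" for every lxc.mount.entry whose mount point is absolute.
find_absolute_mountpoints() {
    awk '
    /^[[:space:]]*lxc\.mount\.entry[[:space:]]*=/ {
        line = $0
        # strip the "lxc.mount.entry =" prefix, tolerating missing spaces
        sub(/^[[:space:]]*lxc\.mount\.entry[[:space:]]*=[[:space:]]*/, "", line)
        n = split(line, f, /[[:space:]]+/)
        # f[1] is the host source, f[2] the mount point inside the container
        if (n >= 2 && f[2] ~ /^\//) print NR ": " $0
    }' "$1"
}

# Copy the config to stdout, rewriting absolute mount points as relative ones.
# Every other line (comments, other keys, already-relative entries) is passed
# through unchanged.
make_mountpoints_relative() {
    awk '
    /^[[:space:]]*lxc\.mount\.entry[[:space:]]*=/ {
        line = $0
        sub(/^[[:space:]]*lxc\.mount\.entry[[:space:]]*=[[:space:]]*/, "", line)
        n = split(line, f, /[[:space:]]+/)
        if (n >= 2 && f[2] ~ /^\//) {
            sub(/^\/+/, "", f[2])           # "/mnt/shared" -> "mnt/shared"
            out = "lxc.mount.entry = " f[1]
            for (i = 2; i <= n; i++) out = out " " f[i]
            print out
            next
        }
    }
    { print }' "$1"
}

# Number of offending entries, as a bare number for use in scripts.
count_absolute_mountpoints() {
    find_absolute_mountpoints "$1" | wc -l | tr -d ' '
}
```

Run find_absolute_mountpoints against /var/lib/lxc/NAME/config for each container before upgrading, and review the output of make_mountpoints_relative before writing it back over the original; the rewrite only touches the mount-point field and leaves source, fstype and options alone.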