[Bug 1476662] Re: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor

Mike Gabriel mike.gabriel at das-netzwerkteam.de
Mon Jan 4 08:44:31 UTC 2016


Hi Serge,

sorry for getting back to this so late.

On Tue 08 Dec 2015 17:08:58 CET, Serge Hallyn wrote:

> Quoting Mike Gabriel (mike.gabriel at das-netzwerkteam.de):

>> today I worked on backporting available fixes for CVE-2015-1335 to LXC
>> 0.7.x (as found in Debian squeeze-lts).
>>
>> The patch is attached, I am still in the testing-for-regressions phase.
>> Can any of the LXC devs take a look at the patch and maybe see if it is
>> suitable for Ubuntu 12.04, as well?
>
> Hi,
>
> So the thing to look for is any unconverted "mount" calls.  It
> looks like the lxc_setup_fs() calls to mount_fs() are not being
> protected.  So the container admin could attack through a /proc
> symlink.

Hmmm... ok...

I just checked upstream Git and the location you refer to is not using
safe_mount there either [1].

Furthermore, it seems non-trivial to inform safe_mount about the root  
path from within lxc_init.c.

Do you have any input on the following questions?:

   o Why is mount_fs() in latest HEAD still using the mount() call
     instead of safe_mount()?
   o How could one pipe the rootfs path into lxc_setup_fs() -> mount_fs()?

Thanks for any input.

Mike

[1] https://github.com/lxc/lxc/blob/master/src/lxc/initutils.c#L35
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40das-netzwerkteam.de

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1476662
