Hi Serge,
sorry for getting back to this so late.
On Di 08 Dez 2015 17:08:58 CET, Serge Hallyn wrote:
> Quoting Mike Gabriel (<email address hidden>):
>> today I worked on backporting available fixes for CVE-2015-1335 to LXC
>> 0.7.x (as found in Debian squeeze-lts).
>>
>> The patch is attached, I am still in the testing-for-regressions phase.
>> Can any of the LXC devs take a look at the patch and maybe see if it is
>> suitable for Ubuntu 12.04, as well?
>
> Hi,
>
> So the thing to look for is any unconverted "mount" calls. It
> looks like the lxc_setup_fs() calls to mount_fs() are not being
> protected. So the container admin could attack through a /proc
> symlink.

Hmmm... ok...

I just checked upstream Git and the location you refer to is not using
safe_mount there either [1].

Furthermore, it seems non-trivial to inform safe_mount about the root
path from within lxc_init.c.

Do you have any input on the following questions?

o Why is mount_fs() in latest HEAD still using the mount() call
  instead of safe_mount()?
o How could one pipe the rootfs path into lxc_setup_fs() -> mount_fs()?

Thanks for any input.
Mike
[1] https://github.com/lxc/lxc/blob/master/src/lxc/initutils.c#L35
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: <email address hidden>, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40das-netzwerkteam.de
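
The check that the thread asks for at the mount_fs() call site, as an added example that is not part of the original message and not LXC's safe_mount() code: walk the mount target beneath the rootfs one component at a time, refuse symlinks, and hand mount(2) a /proc/self/fd path for the directory that was checked. The names open_beneath_nosymlink and checked_mount_target are hypothetical, the rootfs path is assumed to be passed in by the caller, and only directory targets (such as /proc) are handled.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not LXC's safe_mount(): open directory `rel` beneath
 * `rootfs` one component at a time, refusing symlinks and "..".
 * Returns an fd, or -1 (errno is ELOOP or ENOTDIR for a symlink). */
int open_beneath_nosymlink(const char *rootfs, const char *rel)
{
    char buf[4096], *save = NULL, *comp;
    int fd, next, err;
    if (strlen(rel) >= sizeof(buf)) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, rel);
    /* Assumption: rootfs is configured by the host admin, so it is trusted. */
    fd = open(rootfs, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    for (comp = strtok_r(buf, "/", &save); fd >= 0 && comp;
         comp = strtok_r(NULL, "/", &save)) {
        if (strcmp(comp, "..") == 0) { close(fd); errno = EINVAL; return -1; }
        next = openat(fd, comp, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        err = errno;            /* keep openat's errno across close() */
        close(fd);
        errno = err;
        fd = next;
    }
    return fd;
}

/* Write "/proc/self/fd/N" for the checked directory into `out`. The caller
 * uses `out` as the mount(2) target, then closes the returned fd. */
int checked_mount_target(const char *rootfs, const char *rel, char *out, size_t len)
{
    int fd = open_beneath_nosymlink(rootfs, rel);
    if (fd >= 0) snprintf(out, len, "/proc/self/fd/%d", fd);
    return fd;
}

int main(void)
{
    char root[] = "/tmp/rootfs-XXXXXX", path[128], target[64]; /* constructed */
    if (!mkdtemp(root)) return 1;
    snprintf(path, sizeof(path), "%s/proc", root);
    if (symlink("/", path)) return 1;   /* constructed: proc is a symlink */
    return checked_mount_target(root, "proc", target, sizeof(target)) == -1 ? 0 : 1;
}
```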