So options here are to apparmor block it, assuming that no common piece
of software relies on it, or to mask it with lxcfs (though that still
allows access to user, so not necessarily ideal).
I'm a bit confused as to why this data is accessible to unprivileged
users in the first place; wouldn't that also allow bypassing some of the
/proc filtering modes?
** Changed in: lxc (Ubuntu)
Status: New => Triaged
** Changed in: lxc (Ubuntu)
Importance: Undecided => Wishlist
https://bugs.launchpad.net/bugs/1549391
Title:
/proc/sched_debug Information Leak
Status in lxc package in Ubuntu:
Triaged
Bug description:
Description: Unprivileged containers can read from
'/proc/sched_debug', a world-readable file within proc that contains a
large amount of CFS and CPU scheduler information. This allows a
trivial information leak which discloses what process IDs and names
are running in the host or other containers, as well as cgroup
information which can disclose container names and other details. This
effectively breaks the expected PID namespace isolation.
Reproduction: Inside a default and unprivileged LXC container, run the
command `cat /proc/sched_debug`. Note that information is displayed
about processes running on the host, as well as inside other
containers.
Sample output includes (one task per line; the two trailing fields are not covered by the kernel's column header):

           task   PID         tree-key  switches  prio     exec-runtime         sum-exec         sum-sleep
----------------------------------------------------------------------------------------------------------
       kthreadd     2 319429235.224770      9339   120 319429235.224770       753.267075 1067018909.484918 0 /
      rcu_sched     7 319489137.064234  18896675   120 319489137.064234    170125.420028 1066508074.968528 0 /
        rcuos/5    13 319218638.012762       192   120 319218638.012762         0.896416 1065991450.159691 0 /
                                    .... SNIP ....
          acpid  1813     57932.203222   1676704   120     57932.203222    114395.580999 1067170248.528885 0 /autogroup-222
             sh  2273 113050772.150884        42   120 113050772.150884         0.754525 1066111947.155906 0 /user/1000.user/c1.session
           bash  2276 113052316.082339       788   120 113052316.082339       137.826052 1066155735.798643 0 /user/1000.user/c1.session
 wpa_supplicant  2319 113098971.410443    119765   120 113098971.410443      6903.885769 1067229349.942336 0 /user/1000.user/c1.session
             sh  2426 113050772.151956        43   120 113050772.151956         2.035147 1066012436.338286 0 /user/1000.user/c1.session
          urxvt  2440 113098872.794317    606323   120 113098872.794317     28198.224898 1067122648.025421 0 /user/1000.user/c1.session
    dbus-daemon  2664 113092371.341763      6155   109 113092371.341763       432.939147 1066723733.656385 0 /user/1000.user/c1.session
       dio/dm-2  2695     20657.783903         2   100     20657.783903         0.007240          0.002253 0 /
Chrome_FileThre  3286  31903985.081343    213744   120  31903985.081343     14398.389541 1065335604.938435 0 /lxc/chrome
Recommendation: In the short term, modify the base LXC AppArmor profile to
block access to this file. In the long term, this procfs interface should be
rewritten to be namespace aware and possibly restricted to root-only users. If
AppArmor is not in use, end-users could recompile their kernel to have
CONFIG_SCHED_DEBUG disabled.
#####
About NCC:
NCC Group is a security consulting company that performs all manner of
security testing and has a strong desire to help make the industry a
better, more resilient place. Because of this, when NCC Group
identifies vulnerabilities in a system they prefer to work closely with
vendors to create more secure systems. NCC Group strongly believes in
responsible disclosure, and has strict guidelines in place to ensure
that proper disclosure procedure is followed at all times. This serves
the dual purpose of allowing the vendor to safely secure the product or
system in question as well as allowing NCC Group to share cutting edge
research or advisories with the security community.
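The short-term mitigation recommended in the bug description (an AppArmor deny rule on the file) is something an administrator will want to verify from both sides: that the container really cannot open /proc/sched_debug any more, and that the profile actually carries the rule. The script below is an added example written for this page; it is not code from the bug report, from NCC Group or from the LXC project. The rule text it emits and the profile file it checks are assumptions for illustration, and it does not cover the lxcfs masking or the CONFIG_SCHED_DEBUG alternative mentioned above.

```sh
#!/bin/sh
# Added example, not code from the bug report, NCC Group or the LXC project.
# Audits the short-term mitigation recommended above: can /proc/sched_debug
# actually be read from where this runs (e.g. inside a container), and does
# a given AppArmor profile carry a deny rule for it?  The rule text and the
# profile path are assumptions for illustration.

# proc_file_readable PATH
#   Prints "exposed" when PATH can really be read, otherwise "blocked".
#   Returns 0 when blocked, 1 when exposed, so it can drive a CI check.
proc_file_readable() {
    path="${1:-/proc/sched_debug}"
    # head -c 1 performs a real open()+read(). A plain [ -r ] test only
    # looks at permission bits, which are world-readable for this file,
    # so it would report "readable" even when AppArmor denies the open.
    if head -c 1 "$path" >/dev/null 2>&1; then
        echo "exposed"
        return 1
    fi
    echo "blocked"
    return 0
}

# sched_debug_deny_rule
#   The AppArmor rule to add to the container profile (illustrative form;
#   @{PROC} is the proc-mount variable from AppArmor's tunables/global).
sched_debug_deny_rule() {
    printf '  deny @{PROC}/sched_debug r,\n'
}

# profile_has_deny_rule PROFILE_FILE
#   Returns 0 if PROFILE_FILE contains a deny rule granting no read access
#   to sched_debug, 1 otherwise. Tolerates extra whitespace and either the
#   @{PROC} variable or a literal /proc prefix.
profile_has_deny_rule() {
    grep -Eq '^[[:space:]]*deny[[:space:]]+(@[{]PROC[}]|/proc)/sched_debug[[:space:]]+r' "$1"
}

# Stand-alone use:  sh sched_debug_audit.sh audit
# Reports the live state and prints the rule to add when the file is exposed.
if [ "${1:-}" = "audit" ]; then
    state=$(proc_file_readable /proc/sched_debug)
    echo "/proc/sched_debug: $state"
    if [ "$state" = "exposed" ]; then
        echo "Add to the container's AppArmor profile (assumed location:"
        echo "/etc/apparmor.d/lxc/lxc-default or the abstraction it includes):"
        sched_debug_deny_rule
    fi
fi
```

Run it once inside an unprivileged container before and after reloading the profile: the first run should report "exposed" and print the rule, the second "blocked". The open-and-read test matters because the file stays mode 0444 on the host; only the LSM decision changes, and stat-based checks would not see that.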