Hi Serge,

On Mo 04 Jan 2016 21:26:05 CET, Serge Hallyn wrote:

> Quoting Mike Gabriel (mike.gabr...@das-netzwerkteam.de):
>> Hi Serge,
>>
>> sorry for getting back to this so late.
>>
>> On Di 08 Dez 2015 17:08:58 CET, Serge Hallyn wrote:
>>
>> > Quoting Mike Gabriel (mike.gabr...@das-netzwerkteam.de):
>>
>> >> today I worked on backporting available fixes for CVE-2015-1335 to LXC
>> >> 0.7.x (as found in Debian squeeze-lts).
>> >>
>> >> The patch is attached, I am still in the testing-for-regressions phase.
>> >> Can any of the LXC devs take a look at the patch and maybe see if it is
>> >> suitable for Ubuntu 12.04, as well?
>> >
>> > Hi,
>> >
>> > So the thing to look for is any unconverted "mount" calls. It
>> > looks like the lxc_setup_fs() calls to mount_fs() are not being
>> > protected. So the container admin could attack through a /proc
>> > symlink.
>>
>> Hmmm... ok...
>>
>> I just checked upstream Git and the location you refer to is not using
>> safe_mount either there [1]
>
> Huh, that's odd. Yes those should be protected, since /proc etc in
> the container could be symlinks. Do you mind sending a patch?

I will work on the squeeze-lts / precise patch first and test that. If that works well, I will forward-port the change to current HEAD.

>> Furthermore, it seems non-trivial to inform safe_mount about the root
>> path from within lxc_init.c.
>>
>> Do you have any input on the following questions?:
>>
>>   o Why is mount_fs() in latest HEAD still using the mount() call
>>     instead of safe_mount()?
>>   o How could one pipe the rootfs path into lxc_setup_fs() -> mount_fs()?
>
> You shouldn't need to - it's just '/' because you're already chrooted
> there.
>

Ok. That will make it very easy.

I will get back to you with results within the month.
Mike
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40das-netzwerkteam.de

-- 
https://bugs.launchpad.net/bugs/1476662

Title:
  lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor
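
Added example, not part of the original e-mail and not LXC's own code: one way to keep a mount target such as /proc from being redirected through a symlink is to open it component by component with O_NOFOLLOW and mount onto the resulting descriptor instead of the path name. The names `open_no_symlink` and `mount_no_symlink` are hypothetical, and the mount step assumes procfs is already mounted for the caller.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <unistd.h>

/* Walk `path` below `rootfd` one component at a time with O_NOFOLLOW, so a
 * symlink anywhere in the path fails with ELOOP instead of being followed.
 * Returns an open fd for the final component, or -1 with errno set. */
int open_no_symlink(int rootfd, const char *path)
{
    char buf[PATH_MAX], *save = NULL, *comp;
    int fd, next, err;

    if (strlen(path) >= sizeof(buf)) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, path);
    if ((fd = dup(rootfd)) < 0) return -1;
    for (comp = strtok_r(buf, "/", &save); comp; comp = strtok_r(NULL, "/", &save)) {
        /* never step back out of the directory we were handed */
        if (!strcmp(comp, "..")) { close(fd); errno = EINVAL; return -1; }
        next = openat(fd, comp, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
        err = errno;
        close(fd);
        if (next < 0) { errno = err; return -1; }
        fd = next;
    }
    return fd;
}

/* Mount onto the verified fd rather than re-resolving the target by name.
 * Assumption: /proc/self/fd is usable, i.e. procfs is mounted for the caller. */
int mount_no_symlink(int rootfd, const char *src, const char *target,
                     const char *fstype, unsigned long flags)
{
    char procfd[64];
    int ret, err, fd = open_no_symlink(rootfd, target);

    if (fd < 0) return -1;
    snprintf(procfd, sizeof(procfd), "/proc/self/fd/%d", fd);
    ret = mount(src, procfd, fstype, flags, NULL);
    err = errno;
    close(fd);
    errno = err;
    return ret;
}
```

In the already-chrooted case discussed above, `rootfd` would simply be a descriptor for `/`.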