Hello Matthew,<br><br>Here's an example in one of my containers:<br><br>root@nasty:~# ps ax<br> PID TTY STAT TIME COMMAND<br> 1 ? Ss 0:13 init [3] <br> 44 ? Ss 0:02 /usr/sbin/syslogd<br>
141 ? Ss 0:00 /usr/sbin/sshd<br> 144 ? S 0:01 /usr/sbin/crond -l6<br> 149 ? Ss 0:25 /usr/sbin/httpd -k start<br> 2215 ? S 0:14 /usr/sbin/httpd -k start<br> 7820 ? S 0:36 /usr/sbin/httpd -k start<br>
8663 ? S 0:00 /usr/sbin/httpd -k start<br>10159 ? Ss 0:00 sshd: root@pts/18<br>10161 pts/18 Ss 0:00 -bash<br>10175 pts/18 R+ 0:00 ps ax<br>26928 ? S 0:05 /usr/sbin/httpd -k start<br>
26936 ? S 0:05 /usr/sbin/httpd -k start<br>26937 ? S 0:05 /usr/sbin/httpd -k start<br>26938 ? S 0:05 /usr/sbin/httpd -k start<br>26939 ? S 0:05 /usr/sbin/httpd -k start<br>28054 ? S 1:41 /usr/sbin/httpd -k start<br>
29670 ? S 0:15 /usr/sbin/httpd -k start<br>root@nasty:~# whoami<br>root<br>root@nasty:~# mount -t sysfs sysfs /sys<br>mount: block device sysfs is write-protected, mounting read-only<br>mount: cannot mount block device sysfs read-only<br>
root@nasty:~# touch /test<br>root@nasty:~# rm /test <br>root@nasty:~# cat /sys/kernel/uevent_helper <br><br>root@nasty:~# echo "test" > /sys/kernel/uevent_helper <br>-bash: /sys/kernel/uevent_helper: Permission denied<br>
<br><br>Here are the capabilities dropped on the container:<br><br>lxc.cap.drop = sys_module mknod <br>lxc.cap.drop = mac_override kill sys_time<br>lxc.cap.drop = setfcap setpcap sys_boot <br><br><br>Furthermore, the system has SMACK enabled - Simplified Mandatory Access Control - a label-based MAC.<br>
Each LXC container has its files and processes labeled differently - labels which can't write the host system's default label, so basically root in a container can't do anything harmful on the host system.<br>The same can be achieved _less easily_ with SELinux - look at the IBM papers.<br>
<br><br>Hope this helps,<br>Olivier<br><br><br><div class="gmail_quote">On Sun, Jul 31, 2011 at 3:10 AM, Matthew Franz <span dir="ltr"><<a href="mailto:mdfranz@gmail.com">mdfranz@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Had seen some previous discussions before, but are there any ways to<br>
mitigate this design vulnerability?<br>
<br>
<a href="http://blog.bofh.it/debian/id_413" target="_blank">http://blog.bofh.it/debian/id_413</a><br>
<br>
Are there any workarounds?<br>
<br>
Thanks,<br>
<br>
- mdf<br>
<br>
--<br>
Matthew Franz<br>
<a href="mailto:mdfranz@gmail.com">mdfranz@gmail.com</a><br>
<br>
_______________________________________________<br>
Lxc-users mailing list<br>
<a href="mailto:Lxc-users@lists.sourceforge.net">Lxc-users@lists.sourceforge.net</a><br>
<a href="https://lists.sourceforge.net/lists/listinfo/lxc-users" target="_blank">https://lists.sourceforge.net/lists/listinfo/lxc-users</a><br>
</blockquote></div><br>