[lxc-devel] [lxc-users] Container escape through open_by_handle_at (shocker exploit)

Dwight Engen dwight.engen at oracle.com
Thu Jun 19 01:03:05 UTC 2014 

On Wed, 18 Jun 2014 14:11:49 -0400
Stéphane Graber <stgraber at ubuntu.com> wrote:

> Just fixing lxc-devel's e-mail address, it turns out that e-mails work
> better when you don't forget the tld :)
> 
> So, lxc-devel subscribers, see below:
> 
> On Wed, Jun 18, 2014 at 01:41:19PM -0400, Stéphane Graber wrote:
> > TL;DR: As we've said a few times already, privileged containers
> > shouldn't be considered root safe, here's one more example of that.
> > Please use unprivileged containers whenever possible or if you
> > can't, don't trust anyone with root in your containers!
> > 
> > 
> > Hey everyone,
> > 
> > I'm sure some of you saw the exploit posted at:
> > http://stealth.openwall.net/xSports/shocker.c
> > 
> > This was designed to show how to escape a standard docker container
> > (running docker 0.11) with a standard kernel. It can be adapted to
> > apply to LXC by changing the /.dockerinit to some other valid path
> > inside your container.
> > 
> > 
> > Now as for how this affects LXC 1.0 and higher:
> >  - The exploit doesn't work with unprivileged containers, which are
> > the only kind of containers which you should ever give root access
> > to users you wouldn't trust with root access to the host. In those
> > containers, the kernel returns EPERM as expected and are therefore
> > NOT AFFECTED.
> > 
> >  - The exploit will work with privileged containers if:
> >    - There's any bind-mount setup from the partition the exploit is
> >      trying to access. That means that if you have a separate /home
> >      partition on your host and bind-mount /home/user inside the
> > container, this attack will only let you access files within /home
> > of the host.
> > 
> >    - The open_by_handle_at syscall isn't blocked by a seccomp
> > policy.
> > 
> >    - The CAP_DAC_READ_SEARCH capability wasn't dropped.
> > 
> > 
> > Due to the need to use Apparmor in disconnected mode to workaround
> > some limitations of its policies, there's currently no way for us
> > to prevent this kind of access. However the Apparmor team has been
> > contacted and they have work scheduled to address this kind of
> > issue in the near future.
> > 
> > I haven't been able to check whether using SELinux prevents this
> > attack.
> > 
> > 
> > Recommended ways to mitigate this specific issue are:
> >  - If at all possibles, run your workloads in unprivileged
> > containers.
> > 
> >  - If using privileged containers, assume root in the container is
> > the same as root outside of it, so avoid running tasks as root.
> > 
> >  - If you need to run untrusted tasks as root in the container,
> > either use seccomp to block open_by_handle_at (make a blacklist
> > policy file and set lxc.seccomp to its path) or add lxc.cap.drop =
> > dac_read_search to your config.
> > 
> >    Note that both of those options may cause some userspace
> > failures. In my tests I didn't spot any obvious one but that was
> > basically just creating, starting and stopping a container.
> > 
> > In general, if your distribution supports it, make sure to run
> > privileged LXC containers under AppArmor as it does prevent all the
> > other attacks we've been made aware of so far (though we expect
> > there are a few more we haven't heard of yet...).
> > 
> > The same is probably true of SELinux, however my knowledge there is
> > pretty limited, so maybe Dwight can give a quick update on the
> > state of things.

I've confirmed that the exploit works under SELinux too, at least under
the virtd_lxc_t context. I agree that its best to run in unprivileged
containers when possible.

> > Additionally, Serge is currently working on a default seccomp
> > profile which will block syscalls we know to be problematic in
> > privileged containers. I'm planning on getting this changeset into
> > the stable branch and tag 1.0.5 once we're happy with them.
> > 
> > Unless templates or distro maintainers oppose to it, I'd like that
> > seccomp profile to be set by default by all templates (or for those
> > using the new style configs, in their respective .common.conf). This
> > would only apply to privileged containers.
> > 
> > -- 
> > Stéphane Graber
> > Ubuntu developer
> > http://www.ubuntu.com
> 
> 
> 
> > _______________________________________________
> > lxc-users mailing list
> > lxc-users at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-users
> 
>

More information about the lxc-devel mailing list