[lxc-devel] LXC security issue - affects all supported releases

Serge Hallyn serge.hallyn at ubuntu.com
Fri Oct 2 13:50:48 UTC 2015


Quoting Thomas Moschny (thomas.moschny at gmail.com):
> Hi,
> 
> the patch unfortunately doesn't work on RHEL/CentOS 6, as it uses the
> O_PATH flag for openat(), which is supported only for kernels >=
> 2.6.39, afaict.
> Is there a workaround?

I was worried about this at first (and avoided its use for that reason), but
then Eric pointed out that user namespaces were not available until long
after 2.6.39, and without user namespaces, being root you should be able
to open the file and won't need O_PATH anyway.

Now saying that I realize that selinux/apparmor may still cause a denial,
but in that case there's not much we can do.  O_PATH was the last ditch
method.  Can you tell me what happens when you do an openat with
O_PATH?  Does it simply return < 0?  If so then I think this is all ok.
(since an openat without O_PATH already failed, you shouldn't be allowed
to mount on it in this case)

Still, another alternative is to use the patch we used in the ubuntu
trusty lxc package.  It simply does the mount then checks that
/proc/self/mountinfo is right.

-serge
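The second option Serge mentions, doing the mount and then verifying /proc/self/mountinfo, needs a parser for that file's format. The block below is an added example, not code from this thread or from the lxc package: SAMPLE_MOUNTINFO is constructed text standing in for the real file, and mountinfo_has_mount and unescape are names chosen here.

```c
#define _POSIX_C_SOURCE 200809L
#include <string.h>
/* Constructed sample of /proc/self/mountinfo text (not from a real host). Fields: id parent
 * maj:min root mountpoint opts [optional...] - fstype source superopts; spaces escaped as \040. */
static const char SAMPLE_MOUNTINFO[] =
    "36 35 98:0 / / rw,relatime - ext4 /dev/root rw,errors=remount-ro\n"
    "70 36 0:40 / /proc rw,nosuid - proc proc rw\n"
    "71 36 0:41 / /var/lib/lxc/c1/rootfs/my\\040dir rw,relatime shared:12 - tmpfs tmpfs rw\n";
#define OCT(c) ((c) >= '0' && (c) <= '7')
/* Decode the \ooo octal escapes mountinfo uses for space, tab, newline and backslash. */
static void unescape(const char *in, char *out, size_t outsz)
{
    size_t n = strlen(in), o = 0;
    for (size_t i = 0; i < n && o + 1 < outsz; i++) {
        if (in[i] == '\\' && i + 3 < n && OCT(in[i + 1]) && OCT(in[i + 2]) && OCT(in[i + 3])) {
            out[o++] = (char)((in[i + 1] - '0') * 64 + (in[i + 2] - '0') * 8 + (in[i + 3] - '0'));
            i += 3;
        } else
            out[o++] = in[i];
    }
    out[o] = '\0';
}
/* Return 1 if mountinfo_text has a mount at exactly `mountpoint` with filesystem type `fstype`
 * (NULL matches any), else 0.  A caller reads /proc/self/mountinfo after mount(2) and passes it. */
int mountinfo_has_mount(const char *mountinfo_text, const char *mountpoint, const char *fstype)
{
    for (const char *line = mountinfo_text; *line; ) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[4096], mp[4096];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len); buf[len] = '\0';
        char *save = NULL, *tok = strtok_r(buf, " ", &save);
        int field = 0, past_dash = 0, mp_matches = 0;
        for (; tok; tok = strtok_r(NULL, " ", &save), field++) {
            if (field == 4) {                       /* the mount point field */
                unescape(tok, mp, sizeof mp);
                mp_matches = strcmp(mp, mountpoint) == 0;
            } else if (!past_dash) {
                past_dash = strcmp(tok, "-") == 0;  /* optional fields end at "-" */
            } else {                                /* first field after "-": fs type */
                if (mp_matches && (fstype == NULL || strcmp(tok, fstype) == 0)) return 1;
                break;
            }
        }
        line = nl ? nl + 1 : line + strlen(line);   /* last line had no newline */
    }
    return 0;
}
```

Comparing the decoded mount point field rather than the source or root field is what makes the check meaningful: it confirms the new mount landed on the path you intended, with the type you intended.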
