[lxc-devel] [lxc/lxc] 6de26a: CVE-2015-1335: Protect container mounts against sy...

GitHub noreply at github.com
Tue Sep 29 15:28:13 UTC 2015


  Branch: refs/heads/stable-1.1
  Home:   https://github.com/lxc/lxc
  Commit: 6de26af93d3dd87c8b21a42fdf20f30fa1c1948d
      https://github.com/lxc/lxc/commit/6de26af93d3dd87c8b21a42fdf20f30fa1c1948d
  Author: Serge Hallyn <serge.hallyn at ubuntu.com>
  Date:   2015-09-29 (Tue, 29 Sep 2015)

  Changed paths:
    M doc/lxc.container.conf.sgml.in
    M src/lxc/cgfs.c
    M src/lxc/cgmanager.c
    M src/lxc/conf.c
    M src/lxc/utils.c
    M src/lxc/utils.h
    M src/tests/Makefile.am
    A src/tests/lxc-test-symlink

  Log Message:
  -----------
  CVE-2015-1335: Protect container mounts against symlinks

When a container starts up, lxc sets up the container's inital fstree
by doing a bunch of mounting, guided by the container configuration
file.  The container config is owned by the admin or user on the host,
so we do not try to guard against bad entries.  However, since the
mount target is in the container, it's possible that the container admin
could divert the mount with symbolic links.  This could bypass proper
container startup (i.e. confinement of a root-owned container by the
restrictive apparmor policy, by diverting the required write to
/proc/self/attr/current), or bypass the (path-based) apparmor policy
by diverting, say, /proc to /mnt in the container.

To prevent this,

1. do not allow mounts to paths containing symbolic links

2. do not allow bind mounts from relative paths containing symbolic
links.

Details:

Define safe_mount which ensures that the container has not inserted any
symbolic links into any mount targets for mounts to be done during
container setup.

The host's mount path may contain symbolic links.  As it is under the
control of the administrator, that's ok.  So safe_mount begins the check
for symbolic links after the rootfs->mount, by opening that directory.

It opens each directory along the path using openat() relative to the
parent directory using O_NOFOLLOW.  When the target is reached, it
mounts onto /proc/self/fd/<targetfd>.

Use safe_mount() in mount_entry(), when mounting container proc,
and when needed.  In particular, safe_mount() need not be used in
any case where:

1. the mount is done in the container's namespace
2. the mount is for the container's rootfs
3. the mount is relative to a tmpfs or proc/sysfs which we have
   just safe_mount()ed ourselves

Since we were using proc/net as a temporary placeholder for /proc/sys/net
during container startup, and proc/net is a symbolic link, use proc/tty
instead.

Update the lxc.container.conf manpage with details about the new
restrictions.

Finally, add a testcase to test some symbolic link possibilities.

Reported-by: Roman Fiedler
Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>




More information about the lxc-devel mailing list