[lxc-devel] LXC security issue - affects all supported releases

St├ęphane Graber stgraber at ubuntu.com
Tue Sep 29 15:29:17 UTC 2015


Hello,

During a recent security audit of LXC, Roman Fiedler identified a
security vulnerability in LXC.

CVE 2015-1335:
    When a container starts up, lxc sets up the container's inital fstree
    by doing a bunch of mounting, guided by the container configuration
    file.  The container config is owned by the admin or user on the host,
    so we do not try to guard against bad entries.  However, since the
    mount target is in the container, it's possible that the container admin
    could divert the mount with symbolic links.  This could bypass proper
    container startup (i.e. confinement of a root-owned container by the
    restrictive apparmor policy, by diverting the required write to
    /proc/self/attr/current), or bypass the (path-based) apparmor policy
    by diverting, say, /proc to /mnt in the container.

    To prevent this,
    1. do not allow mounts to paths containing symbolic links
    2. do not allow bind mounts from relative paths containing symbolic
    links.

    The fix for LXC 1.0 is:
    https://github.com/lxc/lxc/commit/6bbb8100c4dec4b1c71758c27104985a694a4eac

    The fix for LXC 1.1 is:
    https://github.com/lxc/lxc/commit/6de26af93d3dd87c8b21a42fdf20f30fa1c1948d

    The fix for LXC master is:
    https://github.com/lxc/lxc/commit/592fd47a6245508b79fe6ac819fe6d3b2c1289be

    Patches for a few recent LXC releases are also attached to this e-mail.


The fix will be included in the upcoming stable releases for both
branches. That will be LXC 1.1.4 and LXC 1.0.8 which will both be
released very soon.

The security teams from the various Linux distributions have been
informed of those security issues ahead of time and so should have or
soon will be pushing security updates to their supported releases.


I'd like to thank Roman for his great work at finding and responsibly
disclosing those issues to us.

The fix for this issue has been developed by Serge Hallyn with the help
of Tyler Hicks and myself.

-- 
St├ęphane Graber
Ubuntu developer
http://www.ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 1.0.7.patch
Type: text/x-diff
Size: 20097 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20150929/124b7c29/attachment-0003.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 1.1.2.patch
Type: text/x-diff
Size: 21517 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20150929/124b7c29/attachment-0004.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 1.1.3.patch
Type: text/x-diff
Size: 22082 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20150929/124b7c29/attachment-0005.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20150929/124b7c29/attachment-0001.sig>


More information about the lxc-devel mailing list