[lxc-devel] [lxc/lxc] 9f27a4: attach: do not send procfd to attached process

GitHub noreply at github.com
Wed Nov 23 16:18:04 UTC 2016


  Branch: refs/heads/stable-1.0
  Home:   https://github.com/lxc/lxc
  Commit: 9f27a4102459c85ce32383f08e08e1c9b5f40119
      https://github.com/lxc/lxc/commit/9f27a4102459c85ce32383f08e08e1c9b5f40119
  Author: Christian Brauner <christian.brauner at canonical.com>
  Date:   2016-11-23 (Wed, 23 Nov 2016)

  Changed paths:
    M src/lxc/attach.c

  Log Message:
  -----------
  attach: do not send procfd to attached process

So far, we opened a file descriptor referring to proc on the host inside the
host namespace and handed that fd to the attached process in
attach_child_main(). This was done to ensure that LSM labels were correctly
set up. However, by exploiting a potential kernel bug, ptrace could be used to
prevent the file descriptor from being closed which in turn could be used by an
unprivileged container to gain access to the host namespace. Aside from this
needing an upstream kernel fix, we should make sure that we don't pass the fd
for proc itself to the attached process. However, we cannot completely prevent
this, as the attached process needs to be able to change its apparmor profile
by writing to /proc/self/attr/exec or /proc/self/attr/current. To minimize the
attack surface, we only send the fd for /proc/self/attr/exec or
/proc/self/attr/current to the attached process. To do this we introduce a
little more IPC between the child and parent:

	 * IPC mechanism: (X is receiver)
	 *   initial process        intermediate          attached
	 *        X           <---  send pid of
	 *                          attached proc,
	 *                          then exit
	 *    send 0 ------------------------------------>    X
	 *                                              [do initialization]
	 *        X  <------------------------------------  send 1
	 *   [add to cgroup, ...]
	 *    send 2 ------------------------------------>    X
	 *                                              [set LXC_ATTACH_NO_NEW_PRIVS]
	 *        X  <------------------------------------  send 3
	 *   [open LSM label fd]
	 *    send 4 ------------------------------------>    X
	 *                                              [set LSM label]
	 *   close socket                                 close socket
	 *                                                run program

The attached child tells the parent when it is ready to have its LSM labels set
up. The parent then opens an appropriate fd for the child PID to
/proc/<pid>/attr/exec or /proc/<pid>/attr/current and sends it via SCM_RIGHTS
to the child. The child can then set its LSM label. Both sides then close the
socket fds and the child execs the requested process.

Signed-off-by: Christian Brauner <christian.brauner at canonical.com>
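The step-3/step-4 exchange described above, as an added example that is not code from the lxc commit itself: the parent opens only the per-pid proc file and passes that single descriptor with SCM_RIGHTS, and the child accepts a descriptor only when the step byte matches. The function and parameter names are assumed here, and the usage below reads /proc/<pid>/comm as a stand-in for attr/exec because writing an LSM label requires an active LSM.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Parent side of step 4: open only /proc/<pid>/<attr_file> for the attached
 * pid and pass that single fd with SCM_RIGHTS, never an fd for /proc itself.
 * Returns 0 on success, -1 on failure. (Assumed names, not lxc's own API.) */
int send_label_fd(int sock, pid_t pid, const char *attr_file)
{
	char step = 4, path[64], cbuf[CMSG_SPACE(sizeof(int))] = { 0 };
	struct iovec iov = { .iov_base = &step, .iov_len = 1 };
	struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
			      .msg_control = cbuf, .msg_controllen = sizeof(cbuf) };
	struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
	int fd, rc;
	snprintf(path, sizeof(path), "/proc/%d/%s", (int)pid, attr_file);
	fd = open(path, O_RDWR | O_CLOEXEC);
	if (fd < 0)
		return -1;
	c->cmsg_level = SOL_SOCKET;
	c->cmsg_type = SCM_RIGHTS;
	c->cmsg_len = CMSG_LEN(sizeof(int));
	memcpy(CMSG_DATA(c), &fd, sizeof(int));
	rc = sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
	close(fd);	/* the parent keeps no copy; only the child holds the fd */
	return rc;
}

/* Child side of step 4: returns the received fd, or -1 when the step byte or
 * the control message is not what the protocol expects. */
int recv_label_fd(int sock)
{
	char step, cbuf[CMSG_SPACE(sizeof(int))];
	struct iovec iov = { .iov_base = &step, .iov_len = 1 };
	struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
			      .msg_control = cbuf, .msg_controllen = sizeof(cbuf) };
	struct cmsghdr *c;
	int fd = -1;
	if (recvmsg(sock, &msg, 0) != 1 || step != 4)
		return -1;
	c = CMSG_FIRSTHDR(&msg);
	if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS)
		return -1;
	memcpy(&fd, CMSG_DATA(c), sizeof(int));
	return fd;
}
```

Both ends then close their socket, so the only proc-derived descriptor left in the attached process is the one narrow attr file, not a handle on /proc itself.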
