[Lxc-users] Mitigating LXC Container Evasion?

Mauras Olivier oliver.mauras at gmail.com
Tue Aug 2 10:13:51 UTC 2011


Hello Andre,

All labels are set from the host, so it shouldn't matter if a directory is
bind mounted or not.

For the setup, this is actually pretty straightforward:
- You apply the desired label recursively on the container rootdir - See my
python script to ease the process here :
https://svn.coredumb.net/filedetails.php?repname=Coredumb&path=%2Fscripts%2Ftrunk%2Fpython%2Fsmack_label.py
- You change your current label to the desired one
- You start the container
- You change back your current label

Here's a practical example:
# smack_label.py -w -r /srv/lxc/lxc1 lxc1
# echo "lxc1" > /proc/self/attr/current
# lxc-start -n lxc1
# echo "_" > /proc/self/attr/current

You now have a container with all its files and processes labelled "lxc1".
It's now up to you to set the accesses you need.


Note: _ or "floor" is the default label
Out from the documentation of Smack: A read or execute access requested on
an object labelled "_" is permitted.

This is the default behaviour and can sure be overridden.

If you take my example in my previous mail, I tried to mount sysfs in the
container and got it refused because mounting it read-only is impossible.

In the message from the host:
type=1400 audit(1312278692.783:33840): lsm=SMACK fn=smack_sb_mount
action=denied subject="curse" object="_" requested=w pid=19215 comm="mount"
path="/sys" dev=sysfs ino=1

You can see here that object labeled "curse" tried to access sysfs labeled
"_" in write mode and got explicitly refused.
You could change this behaviour by issuing the following command:
echo "curse _ rwx" > /smack/load

As you guess, this is not what you want to do, because it would let your
container write to the host ;)


To summarize, by default just setting a different label - without any
complex configuration at all - on your containers will ensure that a
root inside a container could only have minimal impact and/or no impact on
the host.
The "smack setup" is only setting up the rules you need to secure your
containers and the data inside them.
All smack documentation is available in the Kernel sources directory.


Hope this helps and that I've made myself clear enough,
Olivier

On Mon, Aug 1, 2011 at 2:27 PM, Andre Nathan <andre at digirati.com.br> wrote:

> Hi Olivier
>
> On Sun, 2011-07-31 at 16:42 +0200, Mauras Olivier wrote:
> > Furthermore system has SMACK enabled - Simplified Mandatory Access
> > Control - a label based MAC.
> > Each LXC container has its files and processes labeled differently -
> > Labels which can't write the host system default label, so basically a
> > root in a container can't make anything harmful on the host system.
> > Same can be achieved _less easily_ with Selinux - Look at IBM papers.
>
> Would you mind sharing your SMACK setup?
>
> Also, do you know how this applies to bind-mounted directories? Can I
> label a container's files when they are read-only bind-mounted from the
> host?
>
> Thanks,
> Andre
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20110802/b161032f/attachment.html>
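A worked version of the recipe above, added here as an example; it is not Olivier's smack_label.py and not code from the thread. It labels a rootfs through the security.SMACK64 xattr without following symlinks (so a link inside the container's rootfs that points at a host file cannot relabel that file), wraps the label-switch / lxc-start / label-restore steps, and parses the audit denial quoted above into the /smack/load line that would allow it, flagging the case where the object is "_". The /proc/self/attr/current and /smack/load paths are the ones named in the thread; the "t", "l" and "b" access modes are later Smack additions and are an assumption of this example. The rootfs in demo_label_tree is constructed and records labels instead of writing xattrs, so that function runs without root or a Smack kernel.

```python
#!/usr/bin/env python3
"""Label an LXC rootfs for Smack, start the container under that label,
and decode the Smack audit denials the host logs afterwards."""
import os
import re
import subprocess
import tempfile

SMACK_XATTR = "security.SMACK64"           # xattr holding a file's Smack label
SMACK_CURRENT = "/proc/self/attr/current"  # this process's own label (CAP_MAC_ADMIN to change)
SMACK_LOAD = "/smack/load"                 # rule interface, at the mount point used in the thread
ACCESS_MODES = set("rwxatlb")              # read, write, execute, append, transmute, lock, bring-up


def label_tree(root, label, setxattr=os.setxattr):
    """Put `label` on `root` and everything below it; returns the number of objects labelled.

    Symlinks get the label themselves and are never followed: a link inside the
    rootfs that points at a host file must not relabel the host file.
    """
    paths = []
    for dirpath, dirnames, filenames in os.walk(root):  # followlinks=False by default
        paths.append(dirpath)
        # os.walk does not descend into symlinked directories, so label the link itself
        paths.extend(os.path.join(dirpath, d) for d in dirnames
                     if os.path.islink(os.path.join(dirpath, d)))
        paths.extend(os.path.join(dirpath, f) for f in filenames)
    for path in sorted(paths):
        setxattr(path, SMACK_XATTR, label.encode(), follow_symlinks=False)
    return len(paths)


def start_container_labelled(name, label):
    """The recipe from the thread: switch our own label, lxc-start, switch back.
    Must run as root with CAP_MAC_ADMIN on a Smack-enabled kernel."""
    with open(SMACK_CURRENT) as f:
        previous = f.read().strip()
    with open(SMACK_CURRENT, "w") as f:
        f.write(label)
    try:
        subprocess.run(["lxc-start", "-n", name], check=True)
    finally:  # restore whatever we were before, rather than blindly "_"
        with open(SMACK_CURRENT, "w") as f:
            f.write(previous)


# Denial copied from the thread (the host's audit log), re-joined onto one line.
SAMPLE_DENIAL = ('type=1400 audit(1312278692.783:33840): lsm=SMACK fn=smack_sb_mount '
                 'action=denied subject="curse" object="_" requested=w pid=19215 '
                 'comm="mount" path="/sys" dev=sysfs ino=1')

DENIAL_RE = re.compile(r'lsm=SMACK fn=(?P<fn>\S+) action=(?P<action>\w+) '
                       r'subject="(?P<subject>[^"]*)" object="(?P<object>[^"]*)" '
                       r'requested=(?P<requested>\w+)')


def parse_smack_audit(line):
    """Return the fn/action/subject/object/requested fields of a Smack audit line, or None."""
    m = DENIAL_RE.search(line)
    return m.groupdict() if m else None


def rule_allowing(denial):
    """The /smack/load line that would make this exact denial succeed."""
    return f'{denial["subject"]} {denial["object"]} {denial["requested"]}'


def check_rule(rule):
    """Warnings to read before echoing `rule` into /smack/load; an empty list means no objection."""
    subject, obj, access = rule.split()
    warnings = []
    unknown = set(access) - ACCESS_MODES
    if unknown:
        warnings.append(f"unknown access mode(s) {''.join(sorted(unknown))!r}")
    if obj == "_" and set(access) & set("wa"):
        warnings.append(f"'{subject}' would get write access to every '_'-labelled host object")
    return warnings


def load_rule(rule):
    """Install a rule on the host, but only if check_rule() has no objection (root only)."""
    problems = check_rule(rule)
    if problems:
        raise ValueError("; ".join(problems))
    with open(SMACK_LOAD, "w") as f:
        f.write(rule + "\n")


def demo_label_tree(label="lxc1"):
    """Constructed rootfs in a temp dir; labels are recorded instead of written (no root needed)."""
    recorded = {}
    with tempfile.TemporaryDirectory() as root:
        def record(path, attr, value, follow_symlinks):
            recorded[os.path.relpath(path, root)] = (attr, value.decode(), follow_symlinks)
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0::/root:/bin/sh\n")
        os.symlink("/etc/shadow", os.path.join(root, "etc", "shadow"))  # points at the host
        count = label_tree(root, label, setxattr=record)
    return count, recorded


if __name__ == "__main__":
    import sys
    rootdir, lbl = sys.argv[1:3]
    print(f"labelled {label_tree(rootdir, lbl)} objects under {rootdir} with {lbl!r}")
```

On a Smack host, as root, the equivalent of the four shell lines in the message is `label_tree("/srv/lxc/lxc1", "lxc1")` followed by `start_container_labelled("lxc1", "lxc1")`; feeding a denial line from the audit log through `parse_smack_audit` and `rule_allowing` gives the rule that would silence it, and `check_rule` is what stops you from loading `curse _ w` by reflex.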