[Lxc-users] Mitigating LXC Container Evasion?

Andre Nathan andre at digirati.com.br
Wed Aug 3 14:20:03 UTC 2011


Thank you!

On Tue, 2011-08-02 at 12:13 +0200, Mauras Olivier wrote:
> Hello Andre,
> 
> All labels are set from the host, so it shouldn't matter if a
> directory is bind mounted or not.
> 
> For the setup, this is actually pretty straightforward:
> - You apply the desired label recursively on the container rootdir -
> See my Python script to ease the process here:
> https://svn.coredumb.net/filedetails.php?repname=Coredumb&path=%2Fscripts%2Ftrunk%2Fpython%2Fsmack_label.py
> - You change your current label to the desired one
> - You start the container
> - You change back your current label
> 
> Here's a practical example:
> # smack_label.py -w -r /srv/lxc/lxc1 lxc1
> # echo "lxc1" > /proc/self/attr/current
> # lxc-start -n lxc1
> # echo "_" > /proc/self/attr/current
> 
> You now have a container with all its files and processes labelled
> "lxc1". It's now up to you to set the accesses you need.
> 
> 
> Note: _ or "floor" is the default label
> From the Smack documentation: a read or execute access
> requested on an object labelled "_" is permitted.
> 
> This is the default behaviour and can surely be overridden.
> 
> If you take my example in my previous mail, I tried to mount sysfs in
> the container and got it refused because mounting it read-only is
> impossible.
> 
> In the message from the host:
> type=1400 audit(1312278692.783:33840): lsm=SMACK fn=smack_sb_mount action=denied subject="curse" object="_" requested=w pid=19215 comm="mount" path="/sys" dev=sysfs ino=1
> 
> You can see here that object labeled "curse" tried to access sysfs
> labeled "_" in write mode and got explicitly refused.
> You could change this behaviour by issuing the following command:
> echo "curse _ rwx" > /smack/load
> 
> As you can guess this is not what you want to do, because it would let your
> container write to the host ;)
> 
> 
> To summarize, by default only setting a different label - without any
> complex configuration at all - to your containers will ensure that
> a root inside a container could only have minimal impact and/or no
> impact on the host.
> The "smack setup" is only setting up the rules you need to secure your
> containers and data inside them.
> All smack documentation is available in the Kernel sources directory.
> 
> 
> Hope this helps and that I've made myself clear enough,
> Olivier
> 
> On Mon, Aug 1, 2011 at 2:27 PM, Andre Nathan <andre at digirati.com.br>
> wrote:
>         Hi Olivier
>         
>         On Sun, 2011-07-31 at 16:42 +0200, Mauras Olivier wrote:
>         
>         > Furthermore system has SMACK enabled - Simplified Mandatory Access
>         > Control - a label based MAC.
>         > Each LXC container has its files and processes labeled differently -
>         > Labels which can't write the host system default label, so basically a
>         > root in a container can't make anything harmful on the host system.
>         > Same can be achieved _less easily_ with SELinux - Look at IBM papers.
>         
>         
>         Would you mind sharing your SMACK setup?
>         
>         Also, do you know how this applies to bind-mounted directories? Can I
>         label a container's files when they are read-only bind-mounted from the
>         host?
>         
>         Thanks,
>         Andre
>         
> 
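As an added example (not code from this thread, nor from Olivier's smack_label.py), the Python below parses Smack audit denials of the kind quoted above and sorts them into the denials that labelling a container is meant to produce (a container label writing to the host's "_" floor) versus denials an admin may want to review before adding a "subject object access" rule. The audit records are constructed for the example, and the expected/review split is this example's own heuristic.

```python
import re
from collections import Counter

# Constructed sample audit records modelled on the smack_sb_mount denial quoted
# in the thread; they are not real log output from the poster's host.
SAMPLE_AUDIT = """\
type=1400 audit(1312278692.783:33840): lsm=SMACK fn=smack_sb_mount action=denied subject="curse" object="_" requested=w pid=19215 comm="mount" path="/sys" dev=sysfs ino=1
type=1400 audit(1312278700.101:33841): lsm=SMACK fn=smack_inode_permission action=denied subject="lxc1" object="_" requested=w pid=19301 comm="touch" path="/etc/passwd"
type=1400 audit(1312278701.000:33842): lsm=SMACK fn=smack_inode_permission action=denied subject="lxc1" object="_" requested=w pid=19302 comm="sh" path="/etc/hostname"
type=1400 audit(1312278705.420:33843): lsm=SMACK fn=smack_inode_permission action=denied subject="lxc1" object="lxc2" requested=r pid=19310 comm="cat" path="/srv/lxc/lxc2/etc/shadow"
type=1006 audit(1312278710.000:33844): pid=1 uid=0 old-auid=4294967295 auid=0 res=1
"""

FIELD = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
FLOOR = "_"  # Smack's default "floor" label: readable by every label, writable by none

def parse_smack_denials(text):
    """Return one dict per Smack denial record, with the quotes stripped from values."""
    records = []
    for line in text.splitlines():
        if "lsm=SMACK" not in line:
            continue  # login/syscall records carry no Smack decision
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if fields.get("action") == "denied":
            records.append(fields)
    return records

def verdict(rec):
    """Classify a denial: 'expected' means the labelling is doing its job; 'review'
    marks a candidate for an explicit "subject object access" rule (own heuristic)."""
    subj, obj, req = rec["subject"], rec["object"], rec["requested"]
    if obj == FLOOR and set(req) & set("wa"):
        return "expected", f"{subj} writing to host label {FLOOR}: keep denied"
    if obj != FLOOR and subj != obj:
        return "review", f"cross-label {subj} -> {obj} ({req}): grant only if sharing is intended"
    return "review", f"rule candidate: {subj} {obj} {req}"

def summarize(text):
    """Collapse repeated hits into one row per (subject, object, requested)."""
    counts, notes = Counter(), {}
    for rec in parse_smack_denials(text):
        key = (rec["subject"], rec["object"], rec["requested"])
        counts[key] += 1
        notes[key] = verdict(rec)
    return {key: (n,) + notes[key] for key, n in counts.items()}

if __name__ == "__main__":
    for (s, o, a), (n, v, note) in summarize(SAMPLE_AUDIT).items():
        print(f"{n:3d}x {s:>6} -> {o:<5} {a:<2} [{v}] {note}")
```

On a real host, feed it the output of ausearch or the kernel log filtered for lsm=SMACK; the "expected" rows are the ones Olivier's labelling scheme is designed to produce.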