[Lxc-users] Mitigating LXC Container Evasion?
Andre Nathan
andre at digirati.com.br
Wed Aug 3 14:20:03 UTC 2011
Thank you!
On Tue, 2011-08-02 at 12:13 +0200, Mauras Olivier wrote:
> Hello Andre,
>
> All labels are set from the host, so it shouldn't matter if a
> directory is bind mounted or not.
>
> For the setup, this is actually pretty straightforward:
> - You apply the desired label recursively on the container rootdir -
> see my python script to ease the process here:
> https://svn.coredumb.net/filedetails.php?repname=Coredumb&path=%2Fscripts%2Ftrunk%2Fpython%2Fsmack_label.py
> - You change your current label to the desired one
> - You start the container
> - You change your current label back
>
> Here's a practical example:
> # smack_label.py -w -r /srv/lxc/lxc1 lxc1
> # echo "lxc1" > /proc/self/attr/current
> # lxc-start -n lxc1
> # echo "_" > /proc/self/attr/current
>
> You now have a container with all its files and processes labelled
> "lxc1". It's now up to you to set the accesses you need.
>
>
> Note: _ or "floor" is the default label.
> From the Smack documentation: A read or execute access
> requested on an object labelled "_" is permitted.
>
> This is the default behaviour and can of course be overridden.
>
> If you take the example in my previous mail, I tried to mount sysfs in
> the container and got it refused because mounting it read-only is
> impossible.
>
> In the message from the host:
> type=1400 audit(1312278692.783:33840): lsm=SMACK fn=smack_sb_mount
> action=denied subject="curse" object="_" requested=w pid=19215
> comm="mount" path="/sys" dev=sysfs ino=1
>
> You can see here that object labeled "curse" tried to access sysfs
> labeled "_" in write mode and got explicitly refused.
> You could change this behaviour by issuing the following command:
> echo "curse _ rwx" > /smack/load
>
> As you can guess, this is not what you want to do, because it would let your
> container write to the host ;)
>
>
> To summarize, by default just setting a different label - without any
> complex configuration at all - on your containers will ensure that
> a root inside a container can only have minimal impact and/or no
> impact on the host.
> The "smack setup" only means setting up the rules you need to secure your
> containers and the data inside them.
> All Smack documentation is available in the kernel sources directory.
>
>
> Hope this helps and that I've made myself clear enough,
> Olivier
>
> On Mon, Aug 1, 2011 at 2:27 PM, Andre Nathan <andre at digirati.com.br>
> wrote:
> > Hi Olivier
> >
> > On Sun, 2011-07-31 at 16:42 +0200, Mauras Olivier wrote:
> >
> > > Furthermore system has SMACK enabled - Simplified Mandatory Access
> > > Control - a label based MAC.
> > > Each LXC container has its files and processes labeled differently -
> > > Labels which can't write the host system default label, so basically a
> > > root in a container can't make anything harmful on the host system.
> > > Same can be achieved _less easily_ with Selinux - Look at IBM papers.
> >
> >
> > Would you mind sharing your SMACK setup?
> >
> > Also, do you know how this applies to bind-mounted directories? Can I
> > label a container's files when they are read-only bind-mounted from the
> > host?
> >
> > Thanks,
> > Andre
> >
>
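The quoted thread shows two things a host administrator ends up doing by hand: reading Smack audit denials like the `smack_sb_mount` line above, and reviewing the `subject object access` rules that get loaded into `/smack/load`. The following added example (not Olivier's `smack_label.py` and not part of the original thread) parses such denial lines into fields, counts the denied (subject, object, requested) triples, and flags any rule that would grant a container label write or append access to the host's floor label `_`, which is exactly the "curse _ rwx" mistake the mail warns against. The audit lines are constructed samples modelled on the one in the mail; the rule text and the `host_label` parameter are assumptions for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample audit lines: the first copies the denial quoted in the
# mail, the second is a made-up denial of the same shape for a label "lxc1".
SAMPLE_AUDIT = [
    'type=1400 audit(1312278692.783:33840): lsm=SMACK fn=smack_sb_mount '
    'action=denied subject="curse" object="_" requested=w pid=19215 '
    'comm="mount" path="/sys" dev=sysfs ino=1',
    'type=1400 audit(1312278700.001:33841): lsm=SMACK fn=smack_inode_permission '
    'action=denied subject="lxc1" object="_" requested=w pid=19300 '
    'comm="sh" path="/etc/passwd" dev=sda1 ino=42',
]

# key=value or key="quoted value"; the audit(...) token has no '=' and is skipped
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_smack_audit(line: str) -> Dict[str, str]:
    """Split one Smack audit line into a key -> value dict, quotes stripped."""
    fields: Dict[str, str] = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def summarize_denials(lines: List[str]) -> Dict[Tuple[str, str, str], int]:
    """Count denied (subject, object, requested) triples.

    Reviewing these counts is the safe way to decide which accesses a
    container really needs, instead of turning every denial into a rule.
    """
    counts: Dict[Tuple[str, str, str], int] = {}
    for line in lines:
        f = parse_smack_audit(line)
        if f.get("lsm") != "SMACK" or f.get("action") != "denied":
            continue
        key = (f["subject"], f["object"], f["requested"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def parse_smack_rules(text: str) -> List[Tuple[str, str, str]]:
    """Parse 'subject object access' lines in the /smack/load format."""
    rules: List[Tuple[str, str, str]] = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        parts = raw.split()
        if len(parts) != 3:
            raise ValueError(f"malformed Smack rule: {raw!r}")
        rules.append((parts[0], parts[1], parts[2]))
    return rules


def grants_write(access: str) -> bool:
    """True if the access string modifies the object ('w' write or 'a' append)."""
    return any(c in access for c in "wa")


def rules_exposing_host(rules: List[Tuple[str, str, str]],
                        host_label: str = "_") -> List[Tuple[str, str, str]]:
    """Return rules that let some other label write to the host/floor label."""
    return [r for r in rules
            if r[1] == host_label and r[0] != host_label and grants_write(r[2])]


if __name__ == "__main__":
    for triple, n in summarize_denials(SAMPLE_AUDIT).items():
        print(f"denied {n}x: subject={triple[0]} object={triple[1]} requested={triple[2]}")
    # Assumed rule set under review: one sane read-only rule and the bad one.
    proposed = parse_smack_rules("lxc1 _ rx\ncurse _ rwx\n")
    for r in rules_exposing_host(proposed):
        print("rule would let a container write to the host:", " ".join(r))
```

Run it as a script to see the denial summary and the flagged rule, or feed `summarize_denials` the relevant `type=1400` lines from the host's audit log before loading any rules into `/smack/load`; a rule only belongs there if the review decides the container legitimately needs that access.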