[Lxc-users] lxc and guest /proc/kcore access restriction

Fiedler Roman Roman.Fiedler at ait.ac.at
Tue Dec 13 09:56:00 UTC 2011 

Hello List,

I have problems finding information about lxc with system virtualization and access restriction to /proc/kcore. In my setup, root in guest can read /proc/kcore, data from host shows up in container kcore, so kcore is not somehow faked/virtualized.

I did not find no suitable information about securing /proc use inside container, so perhaps someone could point me to information to these questions?

* Is secure /proc use (no escape, no major host/container or inter-container info leaks) inside guest possible?
* Did I miss something during setup? Cgroup Config option, proc mount options?
* If not, are there known good workarounds for that problem, e.g. overmount part of procfs or remove CAP_SYS_ADMIN or alike?

Thanks,
Roman Fiedler

PS: To test

* Outside container:
sleep 1000; echo "TestSomethingFromOuterSpace"

* In container:
cat /proc/kcore | grep -a 'TestSomething' | xxd | more

0004ef0: 0000 0000 f706 5555 0001 0000 6361 7420  ......UU....cat 
0004f00: 2f70 726f 632f 6b63 6f72 6520 7c20 6772  /proc/kcore | gr
0004f10: 6570 202d 6120 2754 6573 7453 6f6d 6574  ep -a 'TestSomet
0004f20: 6869 6e67 2720 7c20 7878 6420 7c20 6d6f  hing' | xxd | mo
0004f30: 7265 006d 6f72 6500 6f72 6500 6500 dfdf  re.more.ore.e...

000f1e0: 0000 0088 5cb3 0802 0000 0008 0000 00cf  ....\...........
000f1f0: cfcf cfcf cfcf cf14 0000 00f7 0355 5530  .............UU0
000f200: 0000 0073 6c65 6570 2031 3030 303b 2065  ...sleep 1000; e
000f210: 6368 6f20 2254 6573 7453 6f6d 6574 6869  cho "TestSomethi
000f220: 6e67 4672 6f6d 4f75 7465 7253 7061 6365  ngFromOuterSpace
000f230: 220a 0030 0000 0034 0000 00f7 0355 5516  "..0...4.....UU.


DI Roman Fiedler
Safety & Security Department
Information Management & eHealth

AIT Austrian Institute of Technology GmbH
Reininghausstrae 13/1  |  8020 Graz  |  Austria
T +43(0) 50550 2957  |  M +43(0) 664 8561599  |  F +43(0) 50550 2950
roman.fiedler at ait.ac.at | http://www.ait.ac.at/

FN: 115980 i HG Wien  |  UID: ATU14703506
This email and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient, please notify the sender by return e-mail or by telephone and delete this message from your system and any printout thereof. Any unauthorized use, reproduction, or dissemination of this message is strictly prohibited. Please note that e-mails are susceptible to change. AIT Austrian Institute of Technology GmbH shall not be liable for the improper or incomplete transmission of the information contained in this communication, nor shall it be liable for any delay in its receipt.

More information about the lxc-users mailing list