[Lxc-users] Mitigating LXC Container Evasion?

Mauras Olivier oliver.mauras at gmail.com
Sun Jul 31 14:42:36 UTC 2011


Hello Matthew,

Here's an example in one of my containers:

root@nasty:~# ps ax
  PID TTY      STAT   TIME COMMAND
    1 ?        Ss     0:13 init [3]
   44 ?        Ss     0:02 /usr/sbin/syslogd
  141 ?        Ss     0:00 /usr/sbin/sshd
  144 ?        S      0:01 /usr/sbin/crond -l6
  149 ?        Ss     0:25 /usr/sbin/httpd -k start
 2215 ?        S      0:14 /usr/sbin/httpd -k start
 7820 ?        S      0:36 /usr/sbin/httpd -k start
 8663 ?        S      0:00 /usr/sbin/httpd -k start
10159 ?        Ss     0:00 sshd: root@pts/18
10161 pts/18   Ss     0:00 -bash
10175 pts/18   R+     0:00 ps ax
26928 ?        S      0:05 /usr/sbin/httpd -k start
26936 ?        S      0:05 /usr/sbin/httpd -k start
26937 ?        S      0:05 /usr/sbin/httpd -k start
26938 ?        S      0:05 /usr/sbin/httpd -k start
26939 ?        S      0:05 /usr/sbin/httpd -k start
28054 ?        S      1:41 /usr/sbin/httpd -k start
29670 ?        S      0:15 /usr/sbin/httpd -k start
root@nasty:~# whoami
root
root@nasty:~# mount -t sysfs sysfs /sys
mount: block device sysfs is write-protected, mounting read-only
mount: cannot mount block device sysfs read-only
root@nasty:~# touch /test
root@nasty:~# rm /test
root@nasty:~# cat /sys/kernel/uevent_helper

root@nasty:~# echo "test" > /sys/kernel/uevent_helper
-bash: /sys/kernel/uevent_helper: Permission denied


Here are the capabilities dropped on the container:

lxc.cap.drop = sys_module mknod
lxc.cap.drop = mac_override  kill sys_time
lxc.cap.drop = setfcap setpcap sys_boot


Furthermore, the system has SMACK enabled (Simplified Mandatory Access Control),
a label-based MAC.
Each LXC container has its files and processes labeled differently, with labels
that can't write to the host system's default label, so basically root in a
container can't do anything harmful to the host system.
The same can be achieved _less easily_ with SELinux; look at the IBM papers.


Hope this helps,
Olivier
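
The following is an added example, not code from Olivier's mail or from the LXC project. It turns the two checks in the mail (do the lxc.cap.drop lines really leave the bounding set, and is sysfs writable from inside) into a small POSIX shell audit that can be run inside a container. Function names, the sample config (a constructed copy of the three lxc.cap.drop lines above), and the optional config path passed as an argument are assumptions; the capability bit numbers are the ones in linux/capability.h, and it assumes, as LXC documents, that several lxc.cap.drop lines accumulate rather than override each other.

```shell
#!/bin/sh
# Added audit helper (not from the original mail or LXC): verifies from inside a
# container that the capabilities named in lxc.cap.drop are really gone from the
# bounding set, and repeats the mail's sysfs writability probe.

# Map a capability name as written in lxc.cap.drop (no CAP_ prefix) to its bit
# number in the kernel capability masks (linux/capability.h).
cap_bit() {
    case "$1" in
        chown) echo 0 ;; dac_override) echo 1 ;; dac_read_search) echo 2 ;;
        fowner) echo 3 ;; fsetid) echo 4 ;; kill) echo 5 ;;
        setgid) echo 6 ;; setuid) echo 7 ;; setpcap) echo 8 ;;
        linux_immutable) echo 9 ;; net_bind_service) echo 10 ;;
        net_broadcast) echo 11 ;; net_admin) echo 12 ;; net_raw) echo 13 ;;
        ipc_lock) echo 14 ;; ipc_owner) echo 15 ;; sys_module) echo 16 ;;
        sys_rawio) echo 17 ;; sys_chroot) echo 18 ;; sys_ptrace) echo 19 ;;
        sys_pacct) echo 20 ;; sys_admin) echo 21 ;; sys_boot) echo 22 ;;
        sys_nice) echo 23 ;; sys_resource) echo 24 ;; sys_time) echo 25 ;;
        sys_tty_config) echo 26 ;; mknod) echo 27 ;; lease) echo 28 ;;
        audit_write) echo 29 ;; audit_control) echo 30 ;; setfcap) echo 31 ;;
        mac_override) echo 32 ;; mac_admin) echo 33 ;;
        *) return 1 ;;
    esac
}

# Collect every capability named on lxc.cap.drop lines of a config read from
# stdin.  Several lines accumulate, and one line may list several names.
dropped_caps_from_config() {
    sed -n 's/^[[:space:]]*lxc\.cap\.drop[[:space:]]*=[[:space:]]*//p' |
        tr -s '[:blank:]' '\n' | sed '/^$/d' | LC_ALL=C sort -u
}

# Given a hex CapBnd mask (the format used in /proc/self/status) and capability
# names on stdin, print the names whose bit is still set: drops that did not
# take effect.  Prints nothing when every named capability is gone.
caps_still_in_mask() {
    mask=$(( 0x$1 ))
    while read -r name; do
        bit=$(cap_bit "$name") || { echo "unknown capability: $name" >&2; continue; }
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            echo "$name"
        fi
    done
}

# Constructed copy of the config lines from the mail, so the helpers above can
# be exercised offline.
sample_config() {
    cat <<'EOF'
lxc.cap.drop = sys_module mknod
lxc.cap.drop = mac_override  kill sys_time
lxc.cap.drop = setfcap setpcap sys_boot
EOF
}

# Live checks, meant to be run as root inside the container.  $1 is an optional
# path to (a copy of) the container's config file.
live_audit() {
    bnd=$(sed -n 's/^CapBnd:[[:space:]]*//p' /proc/self/status)
    echo "CapBnd: $bnd"
    if [ -n "${1:-}" ] && [ -r "$1" ]; then
        echo "drops from $1 still present in the bounding set (empty is good):"
        dropped_caps_from_config < "$1" | caps_still_in_mask "$bnd"
    fi
    # The mail's sysfs test: how is sysfs mounted, and can uevent_helper be
    # opened for writing?  Opening with >> writes nothing, so the probe is
    # harmless even where it succeeds.
    awk '$3 == "sysfs" { print "sysfs at " $2 " options " $4 }' /proc/mounts
    if ( : >> /sys/kernel/uevent_helper ) 2>/dev/null; then
        echo "WARNING: /sys/kernel/uevent_helper can be opened for writing"
    else
        echo "ok: /sys/kernel/uevent_helper is not writable from here"
    fi
}

# Usage inside a container:  sh audit.sh --live /path/to/container/config
if [ "${1:-}" = "--live" ]; then
    live_audit "${2:-}"
fi
```

The CapBnd line of /proc/self/status is the ground truth for what lxc.cap.drop achieved: a capability that is absent from the bounding set cannot be regained by any exec inside the container, whereas a capability that is merely absent from the effective set can. The write probe on uevent_helper only opens the file; it is the kernel's permission check, not a write, that decides the result, which is why it reports "ok" on the read-only sysfs shown in the mail.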


On Sun, Jul 31, 2011 at 3:10 AM, Matthew Franz <mdfranz at gmail.com> wrote:

> Had seen some previous discussions before, but are there any ways to
> mitigate this design vulnerability?
>
> http://blog.bofh.it/debian/id_413
>
> Are there any workarounds?
>
> Thanks,
>
> - mdf
>
> --
> Matthew Franz
> mdfranz at gmail.com
>
>