[Lxc-users] Mitigating LXC Container Evasion?
Mauras Olivier
oliver.mauras at gmail.com
Sun Jul 31 14:42:36 UTC 2011
Hello Matthew,
Here's an example in one of my containers:
root at nasty:~# ps ax
PID TTY STAT TIME COMMAND
1 ? Ss 0:13 init [3]
44 ? Ss 0:02 /usr/sbin/syslogd
141 ? Ss 0:00 /usr/sbin/sshd
144 ? S 0:01 /usr/sbin/crond -l6
149 ? Ss 0:25 /usr/sbin/httpd -k start
2215 ? S 0:14 /usr/sbin/httpd -k start
7820 ? S 0:36 /usr/sbin/httpd -k start
8663 ? S 0:00 /usr/sbin/httpd -k start
10159 ? Ss 0:00 sshd: root at pts/18
10161 pts/18 Ss 0:00 -bash
10175 pts/18 R+ 0:00 ps ax
26928 ? S 0:05 /usr/sbin/httpd -k start
26936 ? S 0:05 /usr/sbin/httpd -k start
26937 ? S 0:05 /usr/sbin/httpd -k start
26938 ? S 0:05 /usr/sbin/httpd -k start
26939 ? S 0:05 /usr/sbin/httpd -k start
28054 ? S 1:41 /usr/sbin/httpd -k start
29670 ? S 0:15 /usr/sbin/httpd -k start
root at nasty:~# whoami
root
root at nasty:~# mount -t sysfs sysfs /sys
mount: block device sysfs is write-protected, mounting read-only
mount: cannot mount block device sysfs read-only
root at nasty:~# touch /test
root at nasty:~# rm /test
root at nasty:~# cat /sys/kernel/uevent_helper
root at nasty:~# echo "test" > /sys/kernel/uevent_helper
-bash: /sys/kernel/uevent_helper: Permission denied
Here are the capabilities dropped on the container:
lxc.cap.drop = sys_module mknod
lxc.cap.drop = mac_override kill sys_time
lxc.cap.drop = setfcap setpcap sys_boot
Furthermore the system has SMACK enabled - Simplified Mandatory Access Control -
a label-based MAC.
Each LXC container has its files and processes labeled differently - labels
which can't write to the host system's default label, so basically root in a
container can't do anything harmful on the host system.
The same can be achieved _less easily_ with SELinux - look at the IBM papers.
Hope this helps,
Olivier
On Sun, Jul 31, 2011 at 3:10 AM, Matthew Franz <mdfranz at gmail.com> wrote:
> Had seen some previous discussions before, but are there any ways to
> mitigate this design vulnerability?
>
> http://blog.bofh.it/debian/id_413
>
> Are there any workarounds?
>
> Thanks,
>
> - mdf
>
> --
> --
> Matthew Franz
> mdfranz at gmail.com
>
>
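A check script, added here as an example and not part of this thread, that decodes the `CapBnd` hex mask the kernel reports in `/proc/self/status` and lists which of the capabilities named in the `lxc.cap.drop` lines above are still present in a container's bounding set. The capability bit numbers are the kernel's own; the masks used in the usage line are constructed.

```shell
#!/bin/sh
# Added example: verify from inside a container that the capabilities
# listed in lxc.cap.drop are really gone from the bounding set.

# Kernel capability bit numbers for the names used in the lxc.cap.drop
# lines above (include/uapi/linux/capability.h).
cap_bit() {
    case "$1" in
        kill)         echo 5  ;;
        setpcap)      echo 8  ;;
        sys_module)   echo 16 ;;
        sys_boot)     echo 22 ;;
        sys_time)     echo 25 ;;
        mknod)        echo 27 ;;
        setfcap)      echo 31 ;;
        mac_override) echo 32 ;;
        *) return 1 ;;
    esac
}

# cap_dropped HEXMASK NAME: succeeds if NAME's bit is clear in HEXMASK
# (HEXMASK is the value after "CapBnd:" in /proc/self/status, no 0x).
cap_dropped() {
    bit=$(cap_bit "$2") || return 2
    [ $(( 0x$1 >> $bit & 1 )) -eq 0 ]
}

# missing_drops HEXMASK: print each lxc.cap.drop name still present
missing_drops() {
    for c in sys_module mknod mac_override kill sys_time setfcap setpcap sys_boot; do
        cap_dropped "$1" "$c" || echo "$c"
    done
}

# current_capbnd: bounding set of this shell as reported by the kernel
current_capbnd() {
    sed -n 's/^CapBnd:[[:space:]]*//p' /proc/self/status
}

# Run the check against the live process when /proc is available;
# any name printed is a capability the container should not have.
if [ -r /proc/self/status ]; then
    missing_drops "$(current_capbnd)"
fi
```

Run it as root inside the container: empty output means every capability in the drop list is absent from the bounding set, so it cannot be regained by any process in the container.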