[Lxc-users] Mitigating LXC Container Evasion?

Michael H. Warfield mhw at WittsEnd.com
Sun Jul 31 21:08:49 UTC 2011


On Sun, 2011-07-31 at 16:42 +0200, Mauras Olivier wrote: 
> Hello Matthew,
> 
> Here's an example in one of my containers:
> 
> root at nasty:~# ps ax
>   PID TTY      STAT   TIME COMMAND
>     1 ?        Ss     0:13 init [3]
>    44 ?        Ss     0:02 /usr/sbin/syslogd
>   141 ?        Ss     0:00 /usr/sbin/sshd
>   144 ?        S      0:01 /usr/sbin/crond -l6
>   149 ?        Ss     0:25 /usr/sbin/httpd -k start
>  2215 ?        S      0:14 /usr/sbin/httpd -k start
>  7820 ?        S      0:36 /usr/sbin/httpd -k start
>  8663 ?        S      0:00 /usr/sbin/httpd -k start
> 10159 ?        Ss     0:00 sshd: root at pts/18
> 10161 pts/18   Ss     0:00 -bash
> 10175 pts/18   R+     0:00 ps ax
> 26928 ?        S      0:05 /usr/sbin/httpd -k start
> 26936 ?        S      0:05 /usr/sbin/httpd -k start
> 26937 ?        S      0:05 /usr/sbin/httpd -k start
> 26938 ?        S      0:05 /usr/sbin/httpd -k start
> 26939 ?        S      0:05 /usr/sbin/httpd -k start
> 28054 ?        S      1:41 /usr/sbin/httpd -k start
> 29670 ?        S      0:15 /usr/sbin/httpd -k start
> root at nasty:~# whoami
> root
> root at nasty:~# mount -t sysfs sysfs /sys
> mount: block device sysfs is write-protected, mounting read-only
> mount: cannot mount block device sysfs read-only
> root at nasty:~# touch /test
> root at nasty:~# rm /test
> root at nasty:~# cat /sys/kernel/uevent_helper
> 
> root at nasty:~# echo "test" > /sys/kernel/uevent_helper
> -bash: /sys/kernel/uevent_helper: Permission denied

Nice job there.  Very nice.

Not sure what negative impact will ensue from not having /sys mounted in
the machine.  I know /proc is pretty fatal.  Something new to experiment
with.

> Here's capabilities dropped on the container:
> 
> lxc.cap.drop = sys_module mknod
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

My money is on that line.  Nice.

> lxc.cap.drop = mac_override  kill sys_time
> lxc.cap.drop = setfcap setpcap sys_boot

Have to think about those others.

> Furthermore system has SMACK enabled - Simplified Mandatory Access Control -
> a label based MAC.
> Each LXC container has its files and processes labeled differently - Labels
> which can't write the host system default label, so basically a root in a
> container can't make anything harmful on the host system.
> Same can be achieved _less easily_ with SELinux - Look at IBM papers.

Just to refine that comment a bit...  This looks like a really good
jumping off point to start.  Written by Serge no less!

http://www.ibm.com/developerworks/linux/library/l-lxc-security/

Includes some examples of securing a container with selinux as
well.  :-/

> Hope this helps,
> Olivier

Good stuff.

Regards,
Mike

> On Sun, Jul 31, 2011 at 3:10 AM, Matthew Franz <mdfranz at gmail.com> wrote:
> 
> > Had seen some previous discussions before, but are there any ways to
> > mitigate this design vulnerability?
> >
> > http://blog.bofh.it/debian/id_413
> >
> > Are there any workarounds?
> >
> > Thanks,
> >
> > - mdf
> >
> > --
> > --
> > Matthew Franz
> > mdfranz at gmail.com
> >
> >
> > _______________________________________________
> > Lxc-users mailing list
> > Lxc-users at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/lxc-users
> >

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
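The lines Mike points at (lxc.cap.drop) are what the thread hinges on, and since LXC accumulates every lxc.cap.drop key in a config, the set a container actually loses is the union of all such lines. The script below is an added example written for this archive page; it is not code from the thread, from Olivier or from the LXC project. It audits a config text for the capabilities it drops and reports any required capability that is missing. The config text is constructed: its lxc.cap.drop lines copy the ones Olivier posted, and the lxc.utsname line is only there to show that unrelated keys are ignored. The required sets passed in the demo (and the mention of sys_admin) are assumptions of the example, not something the thread states.

```bash
#!/bin/bash
# Added example (not code from the thread): audit an LXC container config for
# the capabilities its lxc.cap.drop lines remove. LXC merges every
# lxc.cap.drop key it sees, so the effective drop set is their union.

# Constructed config text standing in for /var/lib/lxc/NAME/config. The
# lxc.cap.drop lines mirror the ones posted in the thread; lxc.utsname is an
# unrelated key included to show it is ignored by the audit.
SAMPLE_CONFIG='lxc.utsname = nasty
lxc.cap.drop = sys_module mknod
lxc.cap.drop = mac_override  kill sys_time
lxc.cap.drop = setfcap setpcap sys_boot
'

# dropped_caps CONFIG_TEXT
# Print the union of capabilities named on any lxc.cap.drop line, one per
# line, lowercased and sorted.
dropped_caps() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*lxc\.cap\.drop[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")   # strip the key, keep the value list
            for (i = 1; i <= NF; i++) print tolower($i)
        }' | sort -u
}

# missing_caps CONFIG_TEXT "cap cap ..."
# Print, space separated and lowercased, each required capability that no
# lxc.cap.drop line covers. Returns 0 when the config drops all of them,
# 1 otherwise.
missing_caps() {
    local have want missing=""
    have=$(dropped_caps "$1")
    for want in $2; do
        want=$(printf '%s' "$want" | tr 'A-Z' 'a-z')
        if ! printf '%s\n' "$have" | grep -qx "$want"; then
            missing="$missing $want"
        fi
    done
    missing=${missing# }
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Demo against the constructed config: the first required set is fully
# dropped; the second names sys_admin, which this config leaves in place.
if out=$(missing_caps "$SAMPLE_CONFIG" "sys_module mknod sys_boot"); then
    echo "ok: all required capabilities are dropped"
fi
if ! out=$(missing_caps "$SAMPLE_CONFIG" "sys_module sys_admin"); then
    echo "warning: not dropped: $out"
fi
```

To check a real container, feed it the config file instead of the constructed text, e.g. `missing_caps "$(cat /var/lib/lxc/NAME/config)" "sys_module mknod"`, with NAME replaced by the container's name. The audit only reads the config; whether a dropped capability actually blocks a given action (as the mount and uevent_helper attempts in Olivier's session were blocked) still has to be confirmed from inside the running container.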