[Lxc-users] Mitigating LXC Container Evasion?
Michael H. Warfield
mhw at WittsEnd.com
Sun Jul 31 21:08:49 UTC 2011
On Sun, 2011-07-31 at 16:42 +0200, Mauras Olivier wrote:
> Hello Matthew,
>
> Here's an example in one of my containers:
>
> root at nasty:~# ps ax
> PID TTY STAT TIME COMMAND
> 1 ? Ss 0:13 init [3]
> 44 ? Ss 0:02 /usr/sbin/syslogd
> 141 ? Ss 0:00 /usr/sbin/sshd
> 144 ? S 0:01 /usr/sbin/crond -l6
> 149 ? Ss 0:25 /usr/sbin/httpd -k start
> 2215 ? S 0:14 /usr/sbin/httpd -k start
> 7820 ? S 0:36 /usr/sbin/httpd -k start
> 8663 ? S 0:00 /usr/sbin/httpd -k start
> 10159 ? Ss 0:00 sshd: root at pts/18
> 10161 pts/18 Ss 0:00 -bash
> 10175 pts/18 R+ 0:00 ps ax
> 26928 ? S 0:05 /usr/sbin/httpd -k start
> 26936 ? S 0:05 /usr/sbin/httpd -k start
> 26937 ? S 0:05 /usr/sbin/httpd -k start
> 26938 ? S 0:05 /usr/sbin/httpd -k start
> 26939 ? S 0:05 /usr/sbin/httpd -k start
> 28054 ? S 1:41 /usr/sbin/httpd -k start
> 29670 ? S 0:15 /usr/sbin/httpd -k start
> root at nasty:~# whoami
> root
> root at nasty:~# mount -t sysfs sysfs /sys
> mount: block device sysfs is write-protected, mounting read-only
> mount: cannot mount block device sysfs read-only
> root at nasty:~# touch /test
> root at nasty:~# rm /test
> root at nasty:~# cat /sys/kernel/uevent_helper
>
> root at nasty:~# echo "test" > /sys/kernel/uevent_helper
> -bash: /sys/kernel/uevent_helper: Permission denied
Nice job there. Very nice.
Not sure what negative impact will ensue from not having /sys mounted in
the machine. I know /proc is pretty fatal. Something new to experiment
with.
> Here's capabilities dropped on the container:
>
> lxc.cap.drop = sys_module mknod
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
My money is on that line. Nice.
> lxc.cap.drop = mac_override kill sys_time
> lxc.cap.drop = setfcap setpcap sys_boot
Have to think about those others.
> Furthermore system has SMACK enabled - Simplified Mandatory Access Control -
> a label based MAC.
> Each LXC container has its files and processes labeled differently - Labels
> which can't write the host system default label, so basically a root in a
> container can't make anything harmful on the host system.
> Same can be achieved _less easily_ with Selinux - Look at IBM papers.
Just to refine that comment a bit... This looks like a really good
jumping off point to start. Written by Serge no less!
http://www.ibm.com/developerworks/linux/library/l-lxc-security/
Includes some examples of securing a container with selinux as
well. :-/
> Hope this helps,
> Olivier
Good stuff.
Regards,
Mike
> On Sun, Jul 31, 2011 at 3:10 AM, Matthew Franz <mdfranz at gmail.com> wrote:
>
> > Had seen some previous discussions before, but are there any ways to
> > mitigate this design vulnerability?
> >
> > http://blog.bofh.it/debian/id_413
> >
> > Are there any workarounds?
> >
> > Thanks,
> >
> > - mdf
> >
> > --
> > --
> > Matthew Franz
> > mdfranz at gmail.com
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
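A small audit of the lxc.cap.drop lines Olivier posted, added here as an example and not code from the thread or from LXC itself. It treats his eight capabilities as the baseline to check a container config against (an assumption, not anything LXC enforces) and the config path is supplied by the caller; the sample config in the comments is constructed.

```shell
#!/bin/sh
# Audit an LXC container config for dropped capabilities.
# Baseline: the capabilities from Olivier's config (assumption, not an LXC default).
REQUIRED_DROPS="sys_module mknod mac_override kill sys_time setfcap setpcap sys_boot"

# Print the union of all capabilities named on lxc.cap.drop lines of the
# config given as $1, one per line, sorted. Several lxc.cap.drop lines
# accumulate in LXC, so they are merged here; commented-out lines are skipped.
dropped_caps() {
    sed -n 's/^[[:space:]]*lxc\.cap\.drop[[:space:]]*=[[:space:]]*//p' "$1" |
    while read -r line; do
        for cap in $line; do
            echo "$cap"
        done
    done | sort -u
}

# Print each baseline capability that the config in $1 does not drop.
# Returns 0 when nothing is missing, 1 otherwise.
missing_drops() {
    have=" $(dropped_caps "$1" | tr '\n' ' ') "
    rc=0
    for cap in $REQUIRED_DROPS; do
        case "$have" in
            *" $cap "*) ;;               # dropped, fine
            *) echo "$cap"; rc=1 ;;      # still granted to the container
        esac
    done
    return $rc
}

# Usage (constructed config with only the first two drop lines):
#   printf 'lxc.cap.drop = sys_module mknod\nlxc.cap.drop = mac_override kill sys_time\n' > /tmp/nasty.conf
#   missing_drops /tmp/nasty.conf   # prints setfcap, setpcap, sys_boot and exits 1
```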