[lxc-users] Fwd: Security consequences of lxc.id_map not mapping a specific uid and gid

Serge Hallyn serge.hallyn at ubuntu.com
Fri Dec 12 03:52:00 UTC 2014


Quoting Christian Brauner (christianvanbrauner at gmail.com):
> Hello,
> 
> I run unprivileged containers and I want them to have access to video and
> sound devices. Hence, I have the following in my ~/.config/lxc/default.conf as
> suggested on Stéphane's blog:
> 
>     # Container specific configuration
>     lxc.id_map = u 1001 101001 64535
>     lxc.id_map = g 1001 101001 64535
>     # uid and gid 1000 isn’t translated so that the container can access the
>     # X socket and dri and snd and video0 devices
>     lxc.id_map = u 0 100000 1000
>     lxc.id_map = g 0 100000 1000
>     lxc.id_map = u 1000 1000 1
>     lxc.id_map = g 1000 1000 1
> 
> I was wondering compared to an unprivileged container where I simply
> map:
> 
>     lxc.id_map=u 0 100000 65536
>     lxc.id_map=g 0 100000 65536
> 
> 1) Am I significantly more vulnerable when I preserve the uid/gid of my
> unprivileged user on the host for my user in the container?

That depends on the threats you worry about, I guess.  Short answer is
yes.  So if you run a browser as that user in the container, and the
browser succumbs to say a malicious flash binary, the binary has the
rights to further proceed on the system with your uid.

I do believe it's worthwhile, still.  First, there's a huge difference
in what it can do as a next step if it's your uid, versus if it is running
as the host's root uid.  Secondly, it will at this point still be confined
by apparmor and namespacing.  Now if you next bind-mount your host user's
homedir into the container, then you should be ready to kiss anything in
your homedir goodbye.  But if you don't do that, then the fact that the
exploit is running as your uid shouldn't be all *that* bad.  Probably
the easiest next step for it would be to exploit ownership of the X dir,
i.e. to snoop your keyboard.

> 2) And is there a different solution which would allow me to grant
> access to the sound and video devices in /dev/snd and /dev/dri to the
> user in my unprivileged container while still preserving the standard
> mapping:
> 
>     lxc.id_map=u 0 100000 65536
>     lxc.id_map=g 0 100000 65536

You could forward sound devices using pulseaudio over the network
instead.  Similarly you could forward X session to 10.0.3.1:0, but
that will get you slower video.

> 3) During container bootup of e.g. Debian Wheezy/Stable is constantly
> complaining in the following manner (log output below) and I would like to
> know if this can be avoided:
> 
> INIT: version 2.88 booting
> Using makefile-style concurrent boot in runlevel S.
> Cleaning up temporary files... /tmp.
> mount: permission denied
> mount: permission denied
> mount: permission denied
> mount: permission denied
> mount: permission denied
> Mount point '/dev/console' does not exist. Skipping mount. ... (warning).
> Mount point '/dev/full' does not exist. Skipping mount. ... (warning).
> Mount point '/dev/null' does not exist. Skipping mount. ... (warning).

Hm, that's interesting.  The /dev/full (etc) bind mount entries should
end in ",create=file" which should prevent this.

Could you show the container configuration file (and any files which are
lxc.included, recursively)?

> Mount point '/dev/random' does not exist. Skipping mount. ... (warning).
> Mount point '/dev/tty' does not exist. Skipping mount. ... (warning).
> Mount point '/dev/urandom' does not exist. Skipping mount. ... (warning).
> Mount point '/dev/zero' does not exist. Skipping mount. ... (warning).
> Mount point '/dev/video0' does not exist. Skipping mount. ... (warning).
> Mount point '/dev/fb0' does not exist. Skipping mount. ... (warning).
> Mount point '/dev/console' does not exist. Skipping mount. ... (warning).
> Mount point '/dev/tty1' does not exist. Skipping mount. ... (warning).
> Mount point '/dev/tty2' does not exist. Skipping mount. ... (warning).
> Mount point '/dev/tty3' does not exist. Skipping mount. ... (warning).
> Mount point '/dev/tty4' does not exist. Skipping mount. ... (warning).
> udev requires hotplug support, not started ... failed!
>  failed!
> Activating lvm and md swap...done.
> Checking file systems...fsck from util-linux 2.20.1
> done.
> Mounting local filesystems...done.
> /etc/init.d/mountall.sh: 59: kill: Illegal number: 4 1
> Activating swapfile swap...done.
> Cleaning up temporary files....
> Setting kernel variables ...done.
> Configuring network interfaces...done.
> Cleaning up temporary files....
> Setting up ALSA...Invalid card number.
> Usage: amixer <options> [command]
> Available options:
>   -h,--help       this help
>   -c,--card N     select the card
>   -D,--device N   select the device, default 'default'
>   -d,--debug      debug mode
>   -n,--nocheck    do not perform range checking
>   -v,--version    print version of this program
>   -q,--quiet      be quiet
>   -i,--inactive   show also inactive controls
>   -a,--abstract L select abstraction level (none or basic)
>   -s,--stdin      Read and execute commands from stdin sequentially
> Available commands:
>   scontrols       show all mixer simple controls
>   scontents  show contents of all mixer simple controls (default command)
>   sset sID P      set contents for one mixer simple control
>   sget sID        get contents for one mixer simple control
>   controls        show all controls for given card
>   contents        show contents of all controls for given card
>   cset cID P      set control contents for one control
>   cget cID        get control contents for one control
> 
> 
> Best,
> Christian
> 
> System Information:
> 
> Arch Linux with user namespace supported kernel.
> lxc 1.0.7
> 
> cgroups are created with this script:
> 
> printf '\n\033[42mCreating cgroup hierarchy\033[m\n\n' &&
> for d in /sys/fs/cgroup/*; do
>         f=$(basename "$d")
>         echo "looking at $f"
>         if [ "$f" = "cpuset" ]; then
>                 # let new child cgroups inherit the cpuset settings
>                 echo 1 | sudo tee -a "$d/cgroup.clone_children"
>         elif [ "$f" = "memory" ]; then
>                 echo 1 | sudo tee -a "$d/memory.use_hierarchy"
>         fi
>         # per-user cgroup, owned by the user so unprivileged lxc can use it
>         sudo mkdir -p "$d/$USER"
>         sudo chown -R "$USER" "$d/$USER"
>         # add current process to cgroup
>         echo $$ > "$d/$USER/tasks"
> done

> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
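The point of Serge's answer to question 1 is that the line "lxc.id_map = u 1000 1000 1" is an identity mapping: container uid 1000 is host uid 1000, so anything running as that user inside the container acts as your real user on the host. The following script is an added example, not code from this thread or from LXC; it parses lxc.id_map lines (format: "u|g <container_start> <host_start> <count>"), resolves container ids to host ids, and reports the identity mappings so a configuration can be audited before the container is started. The two sample configurations are built from the snippets quoted above; the function and variable names are my own.

```python
"""Audit lxc.id_map lines: resolve container ids to host ids and flag ids that
are not translated (container id == host id).  Example code added for this
thread, not part of LXC; sample configs are constructed from the quoted mail."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Accepts both "lxc.id_map = u ..." and "lxc.id_map=u ..." spellings seen above.
ID_MAP_RE = re.compile(r'^\s*lxc\.id_map\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$')

# Constructed from the two configurations quoted in the thread.
SHARED_USER_CONFIG = """
# Container specific configuration
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
# uid and gid 1000 isn't translated
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
"""

ISOLATED_CONFIG = """
lxc.id_map=u 0 100000 65536
lxc.id_map=g 0 100000 65536
"""


@dataclass(frozen=True)
class IdMap:
    kind: str             # 'u' for uids, 'g' for gids
    container_start: int  # first id inside the container
    host_start: int       # host id that container_start maps to
    count: int            # length of the range

    def host_id(self, container_id: int) -> Optional[int]:
        """Host id for container_id if this range covers it, else None."""
        if self.container_start <= container_id < self.container_start + self.count:
            return self.host_start + (container_id - self.container_start)
        return None


def parse_id_maps(config_text: str) -> List[IdMap]:
    """Extract IdMap entries from config text, ignoring comments and other keys."""
    maps = []
    for line in config_text.splitlines():
        if not line.strip() or line.strip().startswith('#'):
            continue
        m = ID_MAP_RE.match(line)
        if m:
            kind, cstart, hstart, count = m.groups()
            maps.append(IdMap(kind, int(cstart), int(hstart), int(count)))
    return maps


def resolve(maps: List[IdMap], kind: str, container_id: int) -> Optional[int]:
    """Host id that a container uid/gid maps to, or None if it is unmapped."""
    for im in maps:
        if im.kind == kind:
            host = im.host_id(container_id)
            if host is not None:
                return host
    return None


def identity_ids(maps: List[IdMap], kind: str) -> List[int]:
    """Container ids that are not translated at all (host id == container id)."""
    ids: List[int] = []
    for im in maps:
        # container_start + k == host_start + k  for all k  iff the starts are equal
        if im.kind == kind and im.container_start == im.host_start:
            ids.extend(range(im.container_start, im.container_start + im.count))
    return sorted(ids)


def overlapping_ranges(maps: List[IdMap], kind: str) -> List[Tuple[Tuple[int, int], Tuple[int, int]]]:
    """Pairs of container ranges of one kind that overlap (the kernel rejects these)."""
    ranges = sorted((im.container_start, im.container_start + im.count)
                    for im in maps if im.kind == kind)
    return [(a, b) for a, b in zip(ranges, ranges[1:]) if a[1] > b[0]]


def audit(maps: List[IdMap]) -> List[str]:
    """Human-readable findings about untranslated ids and a mapped host root."""
    findings = []
    for kind, label in (('u', 'uid'), ('g', 'gid')):
        for cid in identity_ids(maps, kind):
            findings.append(f"{label} {cid} is not translated: a process with {label} "
                            f"{cid} in the container has the same {label} on the host")
        if resolve(maps, kind, 0) == 0:
            findings.append(f"container {label} 0 is host {label} 0 (not unprivileged)")
        for a, b in overlapping_ranges(maps, kind):
            findings.append(f"{label} ranges {a} and {b} overlap")
    return findings


SHARED_MAPS = parse_id_maps(SHARED_USER_CONFIG)
ISOLATED_MAPS = parse_id_maps(ISOLATED_CONFIG)

if __name__ == "__main__":
    for name, maps in (("shared-user config", SHARED_MAPS), ("isolated config", ISOLATED_MAPS)):
        print(f"{name}: container uid 1000 -> host uid {resolve(maps, 'u', 1000)}")
        for finding in audit(maps) or ["no findings"]:
            print("  " + finding)
```

Running it against the first configuration reports that uid 1000 and gid 1000 are untranslated, which is exactly the exposure discussed in the reply (the container user is your host user, so anything bind-mounted from your home directory or reachable through the X socket is fair game); the second configuration produces no findings because every container id lands in the 100000+ range.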


