[lxc-users] apparmor kernel log entries
Fiedler Roman
Roman.Fiedler at ait.ac.at
Fri Jan 8 12:41:06 UTC 2016
> Von: lxc-users [mailto:lxc-users-bounces at lists.linuxcontainers.org] Im
>
> Quoting Fiedler Roman (Roman.Fiedler at ait.ac.at):
> > > From: lxc-users [mailto:lxc-users-bounces at lists.linuxcontainers.org] On
> > > behalf of Serge Hallyn
> > >
> > > Wait - are you saying you want tasks in the container to be able to
> > > ptrace tasks on the host?
> >
> > Yes, is possible. Sounds like
>
> I'm asking whether he *wants* the tasks to be able to do that.
Well, not knowing his exact setup, the question might be if he wants the machine
to want it. With an adversary on it already, it would be the best way to
hide the ptrace-exploit within a top/ps instance (thus hide also true positive
failed exploitation attempt messages from auditd within false-positive
ptrace-attach messages when accessing proc file system, making it easier to
come to same FP-conclusion on a TP), best using a rogue shared library from
tmpfs with ld-preload (thus not really leaving traces on the disk), and as a
whole, thus being hard to distinguish from real admin activity using only
really trivial tricks.
> If not, then apparmor is correctly stopping the exploit. If so, then I'd
> be interested in the use case.
Yes, if he did not modify apparmor and has the appropriate lxc-updates from
last year in place mitigating the apparmor-escape exploits.