Date: Thu, 19 Jun 2014 09:38:41 +0400
From: gremlin@...mlin.ru
To: oss-security@...ts.openwall.com
Subject: Re: docker VMM breakout

On 18-Jun-2014 10:05:35 -0400, Daniel J Walsh wrote:

 > CONTAINERS DO NOT CONTAIN. Root inside the container == Root
 > outside the container.

Really? :-)

 > This is true in both libvirt-sandbox/libvirt-lxc and docker.

Have you checked that for anything else?

 > We have a long way to go before we can run anything within a
 > container without this rule. User Namespace, SELinux or other
 > MAC are all required to get us near the point where Container
 > Contain.

Have you ever seen OpenVZ?

 > People who run services within a container should continue to
 > drop privs in the services and run them as UID!=0

Look at this trivial code example...

Classic kernel:

if (!uid)
{
	// perform privileged operation here
}

Containers-enabled kernel:

if ( !uid && !container_id )	// container_id: 0 for host
{
	// perform privileged operation here
}

How would you bypass this check to get privileged access to anything
outside the container?


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net
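As an added illustration (not part of the post or the thread): the user-namespace mechanism mentioned earlier in the thread is the kernel-side form of the "!uid && !container_id" sketch above. The block below is a simplified model written for this note, patterned after the cap_capable() walk in the kernel's commoncap.c, not kernel code; the struct layouts, the CAP_SYS_ADMIN value and the uid 0 -> kuid 100000 mapping are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define CAP_SYS_ADMIN 21

/* A user namespace: every one except the initial namespace has a parent and
 * an owner (the kuid of the task that created it). */
struct user_ns {
    const struct user_ns *parent;   /* NULL for the initial namespace */
    uint32_t owner;
};

/* Task credentials: its namespace, its kernel-level uid (kuid) and its
 * effective capability set as a bitmask. */
struct cred {
    const struct user_ns *user_ns;
    uint32_t kuid;
    uint64_t cap_effective;
};

/* Simplified model (assumption, after cap_capable() in security/commoncap.c):
 * a capability counts for targ_ns only if the task holds it in its own
 * namespace and that namespace is targ_ns or an ancestor of it. Root inside
 * a container namespace therefore never passes a check against the initial
 * namespace, which is the kernel-side form of the "!container_id" test. */
bool ns_capable_model(const struct cred *c, const struct user_ns *targ_ns, int cap)
{
    for (;;) {
        if (targ_ns == c->user_ns)
            return (c->cap_effective >> cap) & 1;   /* same ns: ask the cap set */
        if (targ_ns->parent == NULL)
            return false;                            /* reached the initial ns */
        if (targ_ns->parent == c->user_ns && c->kuid == targ_ns->owner)
            return true;                             /* creator owns the child */
        targ_ns = targ_ns->parent;
    }
}

/* Constructed scenario: a container namespace whose uid 0 maps to host
 * kuid 100000, and "root" tasks on both sides holding CAP_SYS_ADMIN. */
static const struct user_ns init_ns = { NULL, 0 };
static const struct user_ns container_ns = { &init_ns, 100000 };
static const struct cred host_root = { &init_ns, 0, UINT64_C(1) << CAP_SYS_ADMIN };
static const struct cred ctr_root = { &container_ns, 100000, UINT64_C(1) << CAP_SYS_ADMIN };

bool ctr_root_is_host_admin(void) { return ns_capable_model(&ctr_root, &init_ns, CAP_SYS_ADMIN); }
bool ctr_root_is_ctr_admin(void)  { return ns_capable_model(&ctr_root, &container_ns, CAP_SYS_ADMIN); }
bool host_root_is_ctr_admin(void) { return ns_capable_model(&host_root, &container_ns, CAP_SYS_ADMIN); }
```

Container root keeps its capabilities over its own namespace but fails every check against the initial namespace, while host root passes checks against the child namespace because the walk reaches its own namespace.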