Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 20 Jun 2014 06:00:38 -0400
From: Daniel J Walsh <dwalsh@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: docker VMM breakout


On 06/19/2014 01:38 AM, gremlin@...mlin.ru wrote:
> On 18-Jun-2014 10:05:35 -0400, Daniel J Walsh wrote:
>
>  > CONTAINERS DO NOT CONTAIN. Root inside the container == Root
>  > outside the container.
>
> Really? :-)
>
>  > This is true in both libvirt-sandbox/libvirt-lxc and docker.
>
> Have you checked that for anything else?
>
>  > We have a long way to go before we can run anything within a
>  > container without this rule. User Namespace, SELinux or other
>  > MAC are all required to get us near the point where Container
>  > Contain.
>
> Have you ever seen OpenVZ?
I am talking about standard Linux Kernel.  I have not played with OpenVZ
so I can not comment on its security.
>
>  > People who run services within a container should continue to
>  > drop privs in the services and run them as UID!=0
>
> Look at this trivial code example...
>
> Classic kernel:
>
> if (!uid)
> {
> 	// perform privileged operation here
> }
>
> Containers-enabled kernel:
>
> if ( !uid && !container_id )	// container_id: 0 for host
> {
> 	// perform privileged operation here
> }
>
> How would you bypass this check to get privileged access to anything
> outside the container?
>
>
My point being that any process on a Linux System that has lots of linux
capabilities (DAC*, SYS_ADMIN, and many others) can not be contained. 

I think it is premature to treat breakouts against Docker Containers
with CVE's because of this.  If people stop making claims about the
security of a docker process with privs being isolated from the host
system, we can prevent the flood of CVE's, that are likely to come.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ