[pkg-lxc-devel] Bug#838957: lxc: read-only bind mounts are in fact read/write
g1
g1pi at libero.it
Tue Sep 27 04:26:37 UTC 2016
Package: lxc
Version: 1:1.0.6-6+deb8u3
Severity: important
To reproduce:
root at debian-host# lxc-create -n bb -t busybox
root at debian-host# cat /var/lib/lxc/bb/config
lxc.network.type = empty
lxc.rootfs = /var/lib/lxc/bb/rootfs
lxc.haltsignal = SIGUSR1
lxc.utsname = bb
lxc.tty = 1
lxc.pts = 1
lxc.cap.drop = sys_module mac_admin mac_override sys_time
lxc.mount.entry = /lib lib none ro,bind 0 0
lxc.mount.entry = /usr/lib usr/lib none ro,bind 0 0
lxc.mount.entry = /lib64 lib64 none ro,bind 0 0
lxc.mount.entry = /sys/kernel/security sys/kernel/security none ro,bind,optional 0 0
lxc.mount.auto = proc:mixed sys
root at debian-host# lxc-start -n bb -d
root at debian-host# lxc-attach -n bb touch /lib/test-file
root at debian-host# ls -l /lib/test-file && rm -f /lib/test-file
-rw-r--r-- 1 root root 0 Sep 15 16:57 /lib/test-file
I.e., where the lxc config specifies "ro,bind" for the bind mounts,
in fact only the "bind" flag is honoured, and the filesystems are mounted
read/write. That's because of this passage in the mount(2) manpage:
MS_BIND (Linux 2.4 onward)
Perform a bind mount, making a file or a directory subtree visible
at another point within a filesystem. Bind mounts may cross
filesystem boundaries and span chroot(2) jails. The filesystemtype
and data arguments are ignored. Up until Linux 2.6.26,
>>>mountflags was also ignored<<< (the bind mount has the same
mount options as the underlying mount point).
Apparently, this behaviour (respect MS_BIND, _silently_ ignore other
flags) is still present in recent kernels, and is (IMO) a bug in
itself.
As a result, people are misled into thinking they can use LXC to build
sandboxes, perhaps by dropping the SYS_ADMIN capability in the containers,
yet commands performed by root inside such a container (think dpkg -i/-r,
or rm -rf or ...) may cause considerable damage to the host system, unless
uid/gid remapping is enforced.
The bug in mount(2) can be verified in debian/jessie e.g. by running
# mkdir /tmp/xyz-lib; mount -o ro,bind /lib /tmp/xyz-lib
which leaves /lib mounted r/w as /tmp/xyz-lib.
Recent versions of the mount(1) command work around the bug in mount(2)
by calling it twice, once with the MS_BIND flag, and then with the
other user-specified flags. It is not an ideal solution (implies a race
condition), yet the end result is correct.
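The following is an added example written for this report, not code from the reporter, from the lxc commit linked below, or from mount(1). It shows the two-step sequence described above (MS_BIND alone, then MS_REMOUNT|MS_BIND|MS_RDONLY on the new mount point), which needs CAP_SYS_ADMIN to run, plus the check a host administrator can do without modifying anything: read /proc/<pid>/mountinfo and confirm that the per-mount option field of each bind mount actually contains "ro". The SAMPLE_MOUNTINFO lines are constructed to mirror the bb container above (one entry left read/write by the bug, one correctly read-only); the function names are my own.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>

/* Read-only bind mount done the way mount(8) works around mount(2):
 * first MS_BIND alone (the kernel ignores every other flag on that call),
 * then MS_REMOUNT|MS_BIND|MS_RDONLY, which only changes the per-mount
 * flags of the new bind mount. Needs CAP_SYS_ADMIN. Returns 0 or -errno. */
int bind_mount_ro(const char *src, const char *dst)
{
    if (mount(src, dst, NULL, MS_BIND, NULL) != 0)
        return -errno;
    if (mount(NULL, dst, NULL, MS_BIND | MS_REMOUNT | MS_RDONLY, NULL) != 0) {
        int err = errno;
        umount(dst); /* do not leave a writable bind mount behind */
        return -err;
    }
    return 0;
}

/* Audit side: in /proc/<pid>/mountinfo the 6th field holds the per-mount
 * options ("ro,relatime"); "ro" there is what a read-only bind mount must
 * show, even when the superblock options at the end of the line say rw. */

/* 1 if the comma-separated option list contains the exact token "ro". */
int opts_have_ro(const char *opts, size_t len)
{
    const char *p = opts, *end = opts + len;
    while (p < end) {
        const char *q = memchr(p, ',', (size_t)(end - p));
        if (q == NULL)
            q = end;
        if (q - p == 2 && memcmp(p, "ro", 2) == 0)
            return 1;
        p = q + 1;
    }
    return 0;
}

/* Split the first n space-separated fields of one mountinfo line. */
static int split_fields(const char *line, size_t linelen,
                        const char **f, size_t *fl, int n)
{
    const char *p = line, *end = line + linelen;
    for (int i = 0; i < n; i++) {
        while (p < end && *p == ' ')
            p++;
        if (p >= end)
            return -1;
        f[i] = p;
        while (p < end && *p != ' ')
            p++;
        fl[i] = (size_t)(p - f[i]);
    }
    return 0;
}

/* 1 if mountpoint is mounted read-only, 0 if read/write, -1 if not listed.
 * Field 5 is the mount point; mountinfo escapes spaces in paths as \040,
 * which this check does not undo. */
int mountpoint_is_ro(const char *mountinfo, const char *mountpoint)
{
    size_t mplen = strlen(mountpoint);
    const char *line = mountinfo;
    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t linelen = nl ? (size_t)(nl - line) : strlen(line);
        const char *f[6];
        size_t fl[6];
        if (split_fields(line, linelen, f, fl, 6) == 0 &&
            fl[4] == mplen && memcmp(f[4], mountpoint, mplen) == 0)
            return opts_have_ro(f[5], fl[5]);
        if (nl == NULL)
            break;
        line = nl + 1;
    }
    return -1;
}

/* Constructed sample: /lib bound read/write (the bug), /usr/lib properly ro. */
const char SAMPLE_MOUNTINFO[] =
    "100 99 8:1 /lib /var/lib/lxc/bb/rootfs/lib rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro\n"
    "101 99 8:1 /usr/lib /var/lib/lxc/bb/rootfs/usr/lib ro,relatime - ext4 /dev/sda1 rw,errors=remount-ro\n";

/* Usage: ./a.out [mountpoint] -- audits the live /proc/self/mountinfo. */
int main(int argc, char **argv)
{
    static char buf[1 << 16];
    const char *mp = argc > 1 ? argv[1] : "/var/lib/lxc/bb/rootfs/lib";
    FILE *fp = fopen("/proc/self/mountinfo", "r");
    if (fp == NULL) {
        perror("/proc/self/mountinfo");
        return 1;
    }
    size_t n = fread(buf, 1, sizeof buf - 1, fp);
    fclose(fp);
    buf[n] = '\0';
    int rc = mountpoint_is_ro(buf, mp);
    printf("%s: %s\n", mp, rc == 1 ? "read-only" : rc == 0 ? "READ/WRITE" : "not mounted");
    return rc == 1 ? 0 : 1;
}
```

Run with the container's pid substituted (e.g. read /proc/<lxc-init-pid>/mountinfo instead of /proc/self/mountinfo) to audit from the host; a mount whose 6th field lacks "ro" is writable by root inside the container no matter what the lxc config says.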
As to LXC, I believe the problem was fixed upstream by this commit:
https://github.com/lxc/lxc/commit/7c5b6e7c3524031c3e9e203a9ab3beea7efa7a41
which implements the double call to mount(2), and AFAICT is included
in lxc-1.0.7. Therefore, I suggest rebasing the debian/jessie lxc
sources on lxc-1.0.7, instead of lxc-1.0.6.
Best regards,
giuseppe
-- System Information:
Debian Release: 8.6
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 3.16.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages lxc depends on:
ii init-system-helpers 1.22
ii libapparmor1 2.9.0-3
ii libc6 2.19-18+deb8u6
ii libcap2 1:2.24-8
ii libseccomp2 2.1.1-1
ii libselinux1 2.3-2
ii multiarch-support 2.19-18+deb8u6
ii python3 3.4.2-2
Versions of packages lxc recommends:
ii debootstrap 1.0.67
ii openssl 1.0.1t-1+deb8u5
ii rsync 3.1.1-3
Versions of packages lxc suggests:
pn lua5.2 <none>
-- no debconf information