Hi,

This is a heads-up about a recent CVE which affects our community/lxc, please see the description below.

Cheers,
L.

----- Forwarded message from Stéphane Graber <stgraber@ubuntu.com> -----

Date: Tue, 29 Sep 2015 11:29:17 -0400
From: Stéphane Graber <stgraber@ubuntu.com>
To: lxc-devel@lists.linuxcontainers.org, lxc-users@lists.linuxcontainers.org
Subject: [lxc-users] LXC security issue - affects all supported releases
User-Agent: Mutt/1.5.23 (2014-03-12)
Reply-To: LXC users mailing-list <lxc-users@lists.linuxcontainers.org>

Hello,

During a recent security audit of LXC, Roman Fiedler identified a security vulnerability in LXC.

CVE 2015-1335:

When a container starts up, lxc sets up the container's initial fstree by doing a bunch of mounting, guided by the container configuration file. The container config is owned by the admin or user on the host, so we do not try to guard against bad entries. However, since the mount target is in the container, it's possible that the container admin could divert the mount with symbolic links. This could bypass proper container startup (i.e. confinement of a root-owned container by the restrictive apparmor policy, by diverting the required write to /proc/self/attr/current), or bypass the (path-based) apparmor policy by diverting, say, /proc to /mnt in the container.

To prevent this,
1. do not allow mounts to paths containing symbolic links
2. do not allow bind mounts from relative paths containing symbolic links.

The fix for LXC 1.0 is: https://github.com/lxc/lxc/commit/6bbb8100c4dec4b1c71758c27104985a694a4eac
The fix for LXC 1.1 is: https://github.com/lxc/lxc/commit/6de26af93d3dd87c8b21a42fdf20f30fa1c1948d
The fix for LXC master is: https://github.com/lxc/lxc/commit/592fd47a6245508b79fe6ac819fe6d3b2c1289be

Patches for a few recent LXC releases are also attached to this e-mail.

The fix will be included in the upcoming stable releases for both branches. That will be LXC 1.1.4 and LXC 1.0.8 which will both be released very soon.

The security teams from the various Linux distributions have been informed of those security issues ahead of time and so should have or soon will be pushing security updates to their supported releases.

I'd like to thank Roman for his great work at finding and responsibly disclosing those issues to us.

The fix for this issue has been developed by Serge Hallyn with the help of Tyler Hicks and myself.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com

----- End forwarded message -----

-- 
Leonid Isaev
GPG fingerprints: DA92 034D B4A8 EC51 7EA6 20DF 9291 EE8A 043C B8C4
                  C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D