[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [RFC PATCH 2/2] LXC: Create ro overlay mounts only if we're not within a user namespace



On Wed, Jun 26, 2013 at 10:26:10AM +0800, Gao feng wrote:
> On 06/26/2013 04:39 AM, Daniel P. Berrange wrote:
> > On Thu, Jun 13, 2013 at 08:02:18PM +0200, Richard Weinberger wrote:
> >> Within a user namespace root can remount these filesysems at any
> >> time rw.
> >> Create these mappings only if we're not playing with user namespaces.
> > 
> > This is a problem with the way we're initializing mounts in the
> > user namespace. 
> 
> This problem exists even libvirt lxc doesn't support user namespace.

Yes, and this is a problem that user namespace is intended to
solve.

> > We need to ensure that the initial mounts setup
> > by libvirt can't be changed by admin inside the container. Preventing
> > the container admin from remounting or unmounting these mounts is key
> > to security.
> > 
> > IIUC, the only way to ensure this is to start a new user namespace
> > /after/ setting up all mounts.
> > 
> 
> start a new user namespace means the container will lose controller of
> mount namespace. so the container can't do mount operation too, though
> we only can mount a little of filesystems in un-init user namespace.

Merely being able to unmount is sufficient to exploit the host. Consider
that the container was configured with the following mapping

  / -> /
  /export/mycontainer/home -> /home

Now, if the container admin can umount /home, then they can now
see the home directory contents of the host. At least this is
likely to be information leakage, and if any of the host home
directories have UIDs that overlap with those assigned to the
container ID map, you have a potentially exploitable situation.

Hence we need to ensure that the container cannot unmount or
remount anything setup by libvirt. AFAICT, this means that all
the mounts libvirt does, must be performed in a seprate user
namespace to that wit hthe container will eventually run in.

> So maybe we should fix this problem by selinux.

User namespaces are intended to allow for secure containers without
the need to run SELinux.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]