oss-sec mailing list archives
Re: docker VMM breakout
From: Daniel J Walsh <dwalsh () redhat com>
Date: Fri, 20 Jun 2014 06:00:38 -0400
On 06/19/2014 01:38 AM, gremlin () gremlin ru wrote:
On 18-Jun-2014 10:05:35 -0400, Daniel J Walsh wrote: > CONTAINERS DO NOT CONTAIN. Root inside the container == Root > outside the container. Really? :-) > This is true in both libvirt-sandbox/libvirt-lxc and docker. Have you checked that for anything else? > We have a long way to go before we can run anything within a > container without this rule. User Namespace, SELinux or other > MAC are all required to get us near the point where Container > Contain. Have you ever seen OpenVZ?
I am talking about standard Linux Kernel. I have not played with OpenVZ so I can not comment on its security.
> People who run services within a container should continue to > drop privs in the services and run them as UID!=0 Look at this trivial code example... Classic kernel: if (!uid) { // perform privileged operation here } Containers-enabled kernel: if ( !uid && !container_id ) // container_id: 0 for host { // perform privileged operation here } How would you bypass this check to get privileged access to anything outside the container?
My point being that any process on a Linux System that has lots of linux capabilities (DAC*, SYS_ADMIN, and many others) can not be contained. I think it is premature to treat breakouts against Docker Containers with CVE's because of this. If people stop making claims about the security of a docker process with privs being isolated from the host system, we can prevent the flood of CVE's, that are likely to come.
Current thread:
- docker VMM breakout Sebastian Krahmer (Jun 18)
- Re: docker VMM breakout David Jorm (Jun 18)
- Re: docker VMM breakout Yves-Alexis Perez (Jun 18)
- Re: docker VMM breakout Sven Kieske (Jun 18)
- Re: docker VMM breakout Daniel J Walsh (Jun 18)
- Re: docker VMM breakout gremlin (Jun 18)
- Re: docker VMM breakout Serge Hallyn (Jun 19)
- Re: docker VMM breakout Daniel J Walsh (Jun 20)
- Re: docker VMM breakout David Jorm (Jun 18)