Re: docker VMM breakout

[Daniel J Walsh <dwalsh () redhat com>]

On 06/19/2014 01:38 AM, gremlin () gremlin ru wrote:
> On 18-Jun-2014 10:05:35 -0400, Daniel J Walsh wrote:
>
>  > CONTAINERS DO NOT CONTAIN. Root inside the container == Root
>  > outside the container.
>
> Really? :-)
>
>  > This is true in both libvirt-sandbox/libvirt-lxc and docker.
>
> Have you checked that for anything else?
>
>  > We have a long way to go before we can run anything within a
>  > container without this rule. User Namespace, SELinux or other
>  > MAC are all required to get us near the point where Container
>  > Contain.
>
> Have you ever seen OpenVZ?
I am talking about standard Linux Kernel.  I have not played with OpenVZ
so I can not comment on its security.
>  > People who run services within a container should continue to
>  > drop privs in the services and run them as UID!=0
>
> Look at this trivial code example...
>
> Classic kernel:
>
> if (!uid)
> {
>       // perform privileged operation here
> }
>
> Containers-enabled kernel:
>
> if ( !uid && !container_id )  // container_id: 0 for host
> {
>       // perform privileged operation here
> }
>
> How would you bypass this check to get privileged access to anything
> outside the container?
My point being that any process on a Linux System that has lots of linux
capabilities (DAC*, SYS_ADMIN, and many others) can not be contained. 

I think it is premature to treat breakouts against Docker Containers
with CVE's because of this.  If people stop making claims about the
security of a docker process with privs being isolated from the host
system, we can prevent the flood of CVE's, that are likely to come.