Debian Security Advisory
DLA-442-1 lxc -- LTS security update
- Date Reported:
- 29 Feb 2016
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2013-6441, CVE-2015-1335.
- More information:
The template script lxc-sshd used to mount itself as /sbin/init in the container using a writable bind-mount.
This update resolved the above issue by using a read-only bind-mount instead preventing any form of potentially accidental damage.
On container startup, lxc sets up the container's initial file system tree by doing a bunch of mounting, guided by the container's configuration file.
The container config is owned by the admin or user on the host, so we do not try to guard against bad entries. However, since the mount target is in the container, it's possible that the container admin could divert the mount with symbolic links. This could bypass proper container startup (i.e. confinement of a root-owned container by the restrictive apparmor policy, by diverting the required write to /proc/self/attr/current), or bypass the (path-based) apparmor policy by diverting, say, /proc to /mnt in the container.
This update implements a safe_mount() function that prevents lxc from doing mounts onto symbolic links.