Submitted via IRC for AndyTheAbsurd
A new CVE, (CVE-2016-9962), for the docker container runtime and runc was recently released. Fixed packages are being prepared and shipped for RHEL as well as Fedora and CentOS. This CVE reports that if you exec'd into a running container, the processes inside of the container could attack the process that just entered the container. If this process had open file descriptors, the processes inside of the container could ptrace the new process and gain access to those file descriptors and read/write them, even potentially get access to the host network, or execute commands on the host. [...] It could do that, if you aren't using SELinux in enforcing mode. If you are, though, SELinux is a great tool for protecting systems from 0 Day vulnerabilities.
Note: SELinux can prevent a process from strace-ing another process if the types or MCS Labels are not the same, but when you exec into a container, docker/runc sets the labels to match the container label.
Mainly this is a host-based attack. This is where SELinux steps in to thwart the attack. SELinux is the only thing that protects the host file system from attacks from inside of the container. If the processes inside of the container get access to a host file and attempt to read and write the content SELinux will check the access.
Source: http://rhelblog.redhat.com/2017/01/13/selinux-mitigates-container-vulnerability/
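The quoted note makes two points a host administrator can check for: SELinux only mediates the ptrace when it is enforcing, and it only separates processes whose types or MCS categories differ, which is why an exec'd process (given the container's own label) is not separated from the container. The following audit helper is an added example, not code from the Red Hat blog or from the docker/runc projects. It parses the output of the real commands getenforce and ps -eZ, but the two inputs embedded here are constructed samples, and ptrace_denied is a simplified model of the type/MCS check rather than a full policy evaluation.

```python
# Constructed sample of `getenforce` output (not taken from a real host).
SAMPLE_GETENFORCE = "Enforcing\n"

# Constructed sample in the shape of `ps -eZ` output. Labels follow the
# container-selinux convention: the runtime is container_runtime_t, each
# container's processes are container_t with a per-container pair of MCS
# categories. PID 1400 is deliberately mislabelled without categories.
SAMPLE_PS_EZ = """\
LABEL                                         PID TTY          TIME CMD
system_u:system_r:init_t:s0                     1 ?        00:00:02 systemd
system_u:system_r:container_runtime_t:s0      812 ?        00:00:01 dockerd
system_u:system_r:container_t:s0:c123,c456   1201 ?        00:00:00 nginx
system_u:system_r:container_t:s0:c123,c456   1240 ?        00:00:00 bash
system_u:system_r:container_t:s0:c77,c901    1302 ?        00:00:00 redis-server
system_u:system_r:container_t:s0             1400 ?        00:00:00 python3
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2001 pts/0 00:00:00 bash
"""

# container_t is the current type; svirt_lxc_net_t was the older alias.
CONTAINER_TYPES = {"container_t", "svirt_lxc_net_t"}


def _expand_categories(cats):
    """Turn 'c123,c456' or a range like 'c0.c1023' into a frozenset of ints."""
    out = set()
    if not cats:
        return frozenset()
    for piece in cats.split(","):
        if "." in piece:
            lo, hi = piece.split(".")
            out.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            out.add(int(piece[1:]))
    return frozenset(out)


def parse_label(label):
    """Split user:role:type:range into (type, categories).

    The range is a sensitivity plus optional categories ('s0:c123,c456') or a
    low-high pair ('s0-s0:c0.c1023'); only the high level's categories are used.
    """
    _user, _role, stype, srange = label.split(":", 3)
    high = srange.split("-")[-1]
    _sens, _, cats = high.partition(":")
    return stype, _expand_categories(cats)


def ptrace_denied(tracer_label, tracee_label):
    """Simplified model of the SELinux process:ptrace decision between two
    container-side labels: denied when the types differ or when the tracer's
    MCS categories do not dominate (are not a superset of) the tracee's.
    Two processes carrying the same label, which is what exec'ing into a
    container produces, pass both checks, so this check alone does not stop
    the scenario in the CVE; it is why the mitigation depends on labels."""
    t_type, t_cats = parse_label(tracer_label)
    e_type, e_cats = parse_label(tracee_label)
    if t_type != e_type:
        return True
    return not t_cats >= e_cats


def audit(getenforce_out, ps_out):
    """Return findings from getenforce and ps -eZ output. An empty list means
    SELinux is enforcing and every container process carries MCS categories."""
    findings = []
    mode = getenforce_out.strip()
    if mode != "Enforcing":
        findings.append(f"SELinux is {mode}: ptrace between container processes "
                        "and an exec'd process is not mediated")
    for line in ps_out.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 4)
        if len(fields) < 5:
            continue
        label, pid, _tty, _time, cmd = fields
        stype, cats = parse_label(label)
        if stype in CONTAINER_TYPES and not cats:
            findings.append(f"pid {pid} ({cmd}) runs as {stype} without MCS "
                            "categories: not separated from other containers")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_GETENFORCE, SAMPLE_PS_EZ):
        print(finding)
```

On a real host, replace the two constructed samples with the captured output of getenforce and ps -eZ. The second finding (a container_t process with no categories) is the condition under which SELinux's type check still applies but the per-container MCS separation does not, so processes of different containers would be treated alike.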
(Score: 0) by Anonymous Coward on Sunday January 22 2017, @12:19PM
Containers can be run as unprivileged, i.e. non-root. Whoever runs containers as root has it coming.
(Score: 0) by Anonymous Coward on Sunday January 22 2017, @09:12PM
It's not that simple. The unprivileged implementation (looking at you boontoo) is insecure itself. It's debatable as to which is better overall.