Submitted via IRC for AndyTheAbsurd
A new CVE (CVE-2016-9962) for the docker container runtime and runc was recently released. Fixed packages are being prepared and shipped for RHEL as well as Fedora and CentOS. This CVE reports that if you exec'd into a running container, the processes inside of the container could attack the process that just entered the container. If this process had open file descriptors, the processes inside of the container could ptrace the new process and gain access to those file descriptors and read/write them, even potentially get access to the host network, or execute commands on the host. [...] It could do that, if you aren't using SELinux in enforcing mode. If you are, though, SELinux is a great tool for protecting systems from 0 Day vulnerabilities.
Note: SELinux can prevent a process from strace-ing another process if the types or MCS Labels are not the same, but when you exec into a container, docker/runc sets the labels to match the container label.
Mainly this is a host-based attack. This is where SELinux steps in to thwart the attack. SELinux is the only thing that protects the host file system from attacks from inside of the container. If the processes inside of the container get access to a host file and attempt to read and write the content SELinux will check the access.
Source: http://rhelblog.redhat.com/2017/01/13/selinux-mitigates-container-vulnerability/
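The two conditions the post names for the SELinux ptrace check (same type, matching MCS labels) can be modelled over process labels of the kind `ps -eo label,pid,comm` prints. The script below is an added example, not code from the Red Hat post, docker or runc; the process list is constructed, and the dominance rule (the subject's category set must be a superset of the target's, compared against the high end of a range) is a simplification of the MCS constraints in the real policy. It only models container-to-container decisions; host domains such as unconfined_t are governed by explicit type-enforcement allow rules that are not included here.

```python
"""Model of the SELinux type + MCS check that decides whether one process may
ptrace another. Added example, not the Red Hat post's or docker/runc's own code.
The MCS dominance rule here is simplified: subject categories must be a superset
of the target's. Process lines below are constructed, not captured from a host."""
import re
from dataclasses import dataclass
from typing import FrozenSet, List

# user:role:type:sensitivity[:categories], optionally as a low-high range,
# e.g. unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
CTX_RE = re.compile(r"^(?P<user>[^:]+):(?P<role>[^:]+):(?P<type>[^:]+):(?P<mls>\S+)$")


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    sensitivity: str
    categories: FrozenSet[str]


def _expand_categories(spec: str) -> FrozenSet[str]:
    """Expand 'c123,c456' or a range like 'c0.c1023' into a set of category names."""
    cats = set()
    for tok in spec.split(","):
        if "." in tok:
            lo, hi = tok.split(".")
            cats.update(f"c{i}" for i in range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(tok)
    return frozenset(cats)


def parse_context(label: str) -> Context:
    m = CTX_RE.match(label.strip())
    if not m:
        raise ValueError(f"not an SELinux context: {label!r}")
    # For a range (s0-s0:c0.c1023) dominance is checked against the high end.
    high = m.group("mls").split("-")[-1]
    sens, _, cats = high.partition(":")
    return Context(m.group("user"), m.group("role"), m.group("type"), sens,
                   _expand_categories(cats) if cats else frozenset())


def may_ptrace(subject: Context, target: Context) -> bool:
    """Simplified model: same type, and the subject's categories dominate the target's.
    A docker exec'd process gets the container's own label, so this returns True for
    it, which is exactly why SELinux does not block the intra-container ptrace."""
    if subject.type != target.type:
        return False
    return subject.categories >= target.categories


@dataclass(frozen=True)
class Proc:
    pid: int
    context: Context
    cmd: str


def parse_ps(output: str) -> List[Proc]:
    """Parse lines shaped like `ps -eo label,pid,comm`: LABEL PID COMMAND (header skipped)."""
    procs = []
    for line in output.strip().splitlines()[1:]:
        label, pid, cmd = line.split(None, 2)
        procs.append(Proc(int(pid), parse_context(label), cmd))
    return procs


def ptrace_targets(subject_pid: int, procs: List[Proc]) -> List[int]:
    """PIDs the given process could ptrace under the model (excluding itself)."""
    by_pid = {p.pid: p for p in procs}
    subj = by_pid[subject_pid]
    return sorted(p.pid for p in procs
                  if p.pid != subject_pid and may_ptrace(subj.context, p.context))


# Constructed sample: container A (c123,c456) with an exec'd shell, container B,
# and the host init process. Not real ps output.
SAMPLE_PS = """\
LABEL                                                 PID COMMAND
system_u:system_r:container_t:s0:c123,c456           4123 nginx
system_u:system_r:container_t:s0:c123,c456           4200 bash
system_u:system_r:container_t:s0:c12,c789            4300 redis-server
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023    1 systemd
"""

if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS)
    for p in procs:
        print(f"{p.pid:>5} {p.cmd:<13} may ptrace: {ptrace_targets(p.pid, procs)}")
```

Running it shows the shape of the issue: the nginx process in container A can ptrace the exec'd bash (4200) because docker/runc gave it the same container_t:s0:c123,c456 label, while container B and the container-to-host direction are refused on mismatched categories or type.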
(Score: 2) by Arik on Sunday January 22 2017, @01:22PM
If laughter is the best medicine, who are the best doctors?
(Score: 0) by Anonymous Coward on Sunday January 22 2017, @05:15PM
They are fancy versions of statically-compiled binaries running as their own user and group in a chroot that has been niced and ulimited to hell.