
posted by cmn32480 on Sunday January 22 2017, @03:07AM
from the think-security dept.

Submitted via IRC for AndyTheAbsurd

A new CVE (CVE-2016-9962) for the docker container runtime and runc was recently released. Fixed packages are being prepared and shipped for RHEL as well as Fedora and CentOS. This CVE reports that if you exec'd into a running container, the processes inside of the container could attack the process that just entered the container.

If this process had open file descriptors, the processes inside of the container could ptrace the new process and gain access to those file descriptors and read/write them, even potentially get access to the host network, or execute commands on the host.

[...] It could do that, if you aren't using SELinux in enforcing mode. If you are, though, SELinux is a great tool for protecting systems from 0 Day vulnerabilities.

Note: SELinux can prevent a process from strace-ing another process if the types or MCS Labels are not the same, but when you exec into a container, docker/runc sets the labels to match the container label.

Mainly this is a host-based attack. This is where SELinux steps in to thwart the attack. SELinux is the only thing that protects the host file system from attacks from inside of the container. If the processes inside of the container get access to a host file and attempt to read and write the content, SELinux will check the access.

Source: http://rhelblog.redhat.com/2017/01/13/selinux-mitigates-container-vulnerability/
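The post's key point is that SELinux only lets one process ptrace another when the two carry the same type and the same MCS label, and that docker exec deliberately relabels the entering process to match the container. The following added example (not code from the Red Hat post or from docker/runc) models that comparison: it parses SELinux contexts of the form `user:role:type:level`, expands MCS category ranges, groups processes from constructed `ps -eZ`-style lines by type plus MCS label, and reports whether the host is in enforcing mode. The equality rule is a simplification of real policy constraints, and the sample process lines are constructed, not captured from a live system.

```python
"""Model of the SELinux type/MCS label check that the post describes for
ptrace between processes. Added example; the equality rule (same type,
same sensitivity, same category set) is an assumption that simplifies the
real policy constraints, and the ps -eZ lines are constructed sample data."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# user:role:type:level, where level is "s0", "s0:c1,c2", or a range "s0-s0:c0.c1023"
CONTEXT_RE = re.compile(r"^(?P<user>[^:]+):(?P<role>[^:]+):(?P<type>[^:]+):(?P<level>\S*)$")


@dataclass(frozen=True)
class SELinuxContext:
    user: str
    role: str
    type: str
    sensitivity: str
    categories: FrozenSet[str]

    def mcs_label(self) -> str:
        """Canonical MCS label, e.g. 's0:c123,c456' (categories sorted numerically)."""
        cats = ",".join(sorted(self.categories, key=lambda c: int(c[1:])))
        return f"{self.sensitivity}:{cats}" if cats else self.sensitivity


def _expand_categories(spec: str) -> FrozenSet[str]:
    """Expand 'c1,c5.c7' into {'c1', 'c5', 'c6', 'c7'}; '.' denotes a range."""
    cats = set()
    for item in filter(None, spec.split(",")):
        if "." in item:
            lo, hi = item.split(".", 1)
            cats.update(f"c{i}" for i in range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(item)
    return frozenset(cats)


def parse_context(ctx: str) -> SELinuxContext:
    """Parse a context string as printed by ps -eZ or ls -Z."""
    m = CONTEXT_RE.match(ctx.strip())
    if not m:
        raise ValueError(f"not an SELinux context: {ctx!r}")
    level = m.group("level")
    # A level range such as s0-s0:c0.c1023 is reduced to its high end (assumption).
    if "-" in level:
        level = level.split("-", 1)[1]
    sens, _sep, cat_spec = level.partition(":")
    return SELinuxContext(m.group("user"), m.group("role"), m.group("type"),
                          sens, _expand_categories(cat_spec))


def ptrace_allowed_by_labels(tracer: SELinuxContext, tracee: SELinuxContext) -> bool:
    """True only when type and MCS label are identical: the situation the post
    describes after docker exec relabels the entering process to the container's label."""
    return (tracer.type == tracee.type
            and tracer.sensitivity == tracee.sensitivity
            and tracer.categories == tracee.categories)


# Constructed sample in ps -eZ layout: LABEL PID TTY TIME CMD.
# PID 1300 stands for a shell that entered the container via docker exec.
SAMPLE_PS_EZ = """\
system_u:system_r:container_t:s0:c123,c456 1234 ? 00:00:00 nginx
system_u:system_r:container_t:s0:c123,c456 1300 ? 00:00:00 bash
system_u:system_r:container_t:s0:c789,c1011 1400 ? 00:00:00 redis-server
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2000 pts/0 00:00:00 bash
"""


def group_by_label(ps_ez_output: str) -> Dict[str, List[int]]:
    """Group PIDs by type + MCS label. PIDs in one group pass the label check
    against each other; PIDs in different groups are kept apart by SELinux."""
    groups: Dict[str, List[int]] = {}
    for line in ps_ez_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or ":" not in fields[0]:
            continue  # header or blank line
        ctx = parse_context(fields[0])
        groups.setdefault(f"{ctx.type}:{ctx.mcs_label()}", []).append(int(fields[1]))
    return groups


def selinux_enforcing(enforce_file: str = "/sys/fs/selinux/enforce") -> Optional[bool]:
    """True for enforcing, False for permissive, None when selinuxfs is absent."""
    try:
        with open(enforce_file) as f:
            return f.read().strip() == "1"
    except OSError:
        return None


if __name__ == "__main__":
    for label, pids in group_by_label(SAMPLE_PS_EZ).items():
        print(f"{label[:48]:<48} pids={pids}")
    print("enforcing:", selinux_enforcing())
```

The two `container_t` processes with categories `c123,c456` land in the same group, which is exactly why an exec'd shell with open file descriptors is reachable from inside that container; the `unconfined_t` host shell and the second container (`c789,c1011`) are not. Whether the label check matters at all depends on `selinux_enforcing()` returning True, which is the point the post makes about enforcing mode.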



  • (Score: 1, Informative) by Anonymous Coward on Sunday January 22 2017, @04:05AM

    by Anonymous Coward on Sunday January 22 2017, @04:05AM (#457253)

    Any compromise of the container, which has root privs, means the host and the other containers are hosed.

    I'll stick with my fat KVM thanks.

    • (Score: 0) by Anonymous Coward on Sunday January 22 2017, @12:19PM

      by Anonymous Coward on Sunday January 22 2017, @12:19PM (#457314)

      Containers can be run as unprivileged, i.e. non-root. Whoever runs containers as root has it coming.

      • (Score: 0) by Anonymous Coward on Sunday January 22 2017, @09:12PM

        by Anonymous Coward on Sunday January 22 2017, @09:12PM (#457434)

        It's not that simple. The unprivileged implementation (looking at you boontoo) is insecure itself. It's debatable as to which is better overall.

    • (Score: 2) by Arik on Sunday January 22 2017, @01:22PM

      by Arik (4543) on Sunday January 22 2017, @01:22PM (#457326) Journal

      "Containers" are a solution in search of a problem.

      --
      If laughter is the best medicine, who are the best doctors?

      • (Score: 0) by Anonymous Coward on Sunday January 22 2017, @05:15PM

        by Anonymous Coward on Sunday January 22 2017, @05:15PM (#457374)

        They are fancy versions of statically-compiled binaries running as their own user and group in a chroot that has been niced and ulimited to hell.

  • (Score: 0) by Anonymous Coward on Tuesday January 24 2017, @10:43AM

    by Anonymous Coward on Tuesday January 24 2017, @10:43AM (#458035)

    If only Linux had incorporated FreeBSD jails...