SoylentNews
SoylentNews is people
https://soylentnews.org/

Title    SELinux Mitigates Container Vulnerability
Date    Sunday January 22 2017, @03:07AM
Author    cmn32480
from the think-security dept.
https://soylentnews.org/article.pl?sid=17/01/21/159210

MrPlow writes:

Submitted via IRC for AndyTheAbsurd

A new CVE (CVE-2016-9962) for the docker container runtime and runc was recently released. Fixed packages are being prepared and shipped for RHEL as well as Fedora and CentOS. This CVE reports that if you exec'd into a running container, the processes inside of the container could attack the process that just entered the container.

If this process had open file descriptors, the processes inside of the container could ptrace the new process and gain access to those file descriptors and read/write them, and even potentially get access to the host network or execute commands on the host.

[...] It could do that, if you aren't using SELinux in enforcing mode. If you are, though, SELinux is a great tool for protecting systems from 0 Day vulnerabilities.

Note: SELinux can prevent a process from strace-ing another process if the types or MCS Labels are not the same, but when you exec into a container, docker/runc sets the labels to match the container label.

Mainly this is a host-based attack. This is where SELinux steps in to thwart the attack. SELinux is the only thing that protects the host file system from attacks from inside of the container. If the processes inside of the container get access to a host file and attempt to read and write the content, SELinux will check the access.

Source: http://rhelblog.redhat.com/2017/01/13/selinux-mitigates-container-vulnerability/


Original Submission
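To make the note about types and MCS labels concrete, here is a small Python model of the two-layer decision SELinux makes for the attack paths in the story. It is an added illustration, not code from Red Hat, docker, runc or the SELinux project, and not the kernel's policy engine: the allow-rule table is an assumed, minimal subset of what container-selinux grants the container_t domain (older policies call it svirt_lxc_net_t, and volume files container_file_t were svirt_sandbox_file_t), and the category values c1,c2 / c3,c4 are constructed. The two things it shows are the ones the note makes: the exec'd process carries the container's own label, so neither type enforcement nor MCS blocks the ptrace; but any read or write through a leaked descriptor is then checked against the file's label, and a container_t process with its own categories does not pass against host files or another container's volume.

```python
"""Toy model of SELinux type enforcement plus MCS, as discussed above.

Added illustration, not code from Red Hat, docker, runc or the SELinux project.
ALLOW_RULES is an ASSUMPTION: a tiny subset of what container-selinux grants
container_t. Contexts use the standard user:role:type:sensitivity[:categories]
form, e.g. system_u:system_r:container_t:s0:c1,c2 (categories constructed).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    sensitivity: str
    categories: frozenset


def _expand_categories(spec: str) -> frozenset:
    """Expand 'c1,c5.c7' into {1, 5, 6, 7}; an empty spec means no categories."""
    cats = set()
    for item in filter(None, spec.split(",")):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", item)
        if m is None:
            raise ValueError(f"bad MCS category spec: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        cats.update(range(lo, hi + 1))
    return frozenset(cats)


def parse_context(ctx: str) -> Context:
    """Split a security context string into its fields."""
    parts = ctx.split(":")
    if len(parts) not in (4, 5):
        raise ValueError(f"malformed SELinux context: {ctx!r}")
    user, role, typ, level = parts[:4]
    cats = parts[4] if len(parts) == 5 else ""
    return Context(user, role, typ, level, _expand_categories(cats))


def dominates(a: Context, b: Context) -> bool:
    """MCS dominance for single-level (s0) labels: same sensitivity and a's
    category set is a superset of b's. The kernel checks low and high levels
    separately; with s0-only contexts they coincide, so one check suffices."""
    return a.sensitivity == b.sensitivity and a.categories >= b.categories


# (source type, target type, object class, permission). ASSUMED subset of policy.
ALLOW_RULES = {
    ("container_t", "container_t", "process", "ptrace"),
    ("container_t", "container_file_t", "file", "read"),
    ("container_t", "container_file_t", "file", "write"),
}


def allowed(source: str, target: str, cls: str, perm: str) -> bool:
    """True only if both layers pass: a matching type-enforcement allow rule
    AND the MCS constraint (the source label must dominate the target's)."""
    s, t = parse_context(source), parse_context(target)
    if (s.type, t.type, cls, perm) not in ALLOW_RULES:
        return False            # no allow rule: denied whatever the categories
    return dominates(s, t)      # MCS constraint: categories must match/dominate


def cve_2016_9962_scenario() -> dict:
    """The attack paths from the advisory as decisions of the toy policy.
    Labels are constructed: c1,c2 is the attacker's container, c3,c4 another."""
    attacker = "system_u:system_r:container_t:s0:c1,c2"    # process in the container
    exec_proc = "system_u:system_r:container_t:s0:c1,c2"   # docker exec gives the same label
    other_ctr = "system_u:system_r:container_t:s0:c3,c4"
    host_etc = "system_u:object_r:etc_t:s0"                # host file behind a leaked fd
    own_volume = "system_u:object_r:container_file_t:s0:c1,c2"
    other_volume = "system_u:object_r:container_file_t:s0:c3,c4"
    return {
        # step 1 of the CVE: same type and same categories, so the ptrace passes
        "ptrace exec'd process": allowed(attacker, exec_proc, "process", "ptrace"),
        "ptrace other container": allowed(attacker, other_ctr, "process", "ptrace"),
        # step 2: using the leaked descriptor is checked against the FILE's label
        "read host /etc via leaked fd": allowed(attacker, host_etc, "file", "read"),
        "write own volume": allowed(attacker, own_volume, "file", "write"),
        "write other container's volume": allowed(attacker, other_volume, "file", "write"),
    }


if __name__ == "__main__":
    for case, ok in cve_2016_9962_scenario().items():
        print(f"{case:32s} {'allowed' if ok else 'denied'}")
```

The model deliberately denies by default: a (source type, target type, class, permission) tuple with no allow rule is refused before categories are even compared, which is what makes container_t unable to touch etc_t no matter which file descriptor it inherited. On a real host the equivalent check is to confirm `getenforce` reports Enforcing and that the docker daemon runs with `--selinux-enabled`, so that container processes actually carry a container_t label with per-container categories rather than the daemon's own context.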

Links

  1. "MrPlow" - https://soylentnews.org/~MrPlow/
  2. "CVE-2016-9962" - https://access.redhat.com/security/cve/CVE-2016-9962
  3. "Original Submission" - https://soylentnews.org/submit.pl?op=viewsub&subid=18121
