* Escape from a bind mount
@ 2016-09-22 12:49 Gandalf Corvotempesta
[not found] ` <CAJH6TXhzy4XAQKaKjrK5Yqzg0sxtPjU9D=X3AHZZ76N3Cpwkwg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
0 siblings, 1 reply; 7+ messages in thread
From: Gandalf Corvotempesta @ 2016-09-22 12:49 UTC (permalink / raw)
To: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA
Last year, this thread was posted:
https://lists.linuxfoundation.org/pipermail/containers/2015-April/035788.html
is this fixed or is still possible to escape from a bind mount inside
the container ?
^ permalink raw reply [flat|nested] 7+ messages in thread[parent not found: <CAJH6TXhzy4XAQKaKjrK5Yqzg0sxtPjU9D=X3AHZZ76N3Cpwkwg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>]
* Re: Escape from a bind mount [not found] ` <CAJH6TXhzy4XAQKaKjrK5Yqzg0sxtPjU9D=X3AHZZ76N3Cpwkwg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> @ 2016-09-22 13:02 ` Jann Horn [not found] ` <20160922130253.GB20504-J1fxOzX/cBvk1uMJSBkQmQ@public.gmane.org> 0 siblings, 1 reply; 7+ messages in thread From: Jann Horn @ 2016-09-22 13:02 UTC (permalink / raw) To: Gandalf Corvotempesta Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA, Eric Biederman [-- Attachment #1.1: Type: text/plain, Size: 458 bytes --] On Thu, Sep 22, 2016 at 02:49:12PM +0200, Gandalf Corvotempesta wrote: > Last year, this thread was posted: > https://lists.linuxfoundation.org/pipermail/containers/2015-April/035788.html > > is this fixed or is still possible to escape from a bind mount inside > the container ? This was fixed by Eric Biederman in the "Bind mount escape fixes" patch series in August 2015. Relevant commits are 397d425d and cde93be4 (maybe more? I'm not sure). [-- Attachment #1.2: Digital signature --] [-- Type: application/pgp-signature, Size: 819 bytes --] [-- Attachment #2: Type: text/plain, Size: 205 bytes --] _______________________________________________ Containers mailing list Containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org https://lists.linuxfoundation.org/mailman/listinfo/containers ^ permalink raw reply [flat|nested] 7+ messages in thread
[parent not found: <20160922130253.GB20504-J1fxOzX/cBvk1uMJSBkQmQ@public.gmane.org>]
* Re: Escape from a bind mount [not found] ` <20160922130253.GB20504-J1fxOzX/cBvk1uMJSBkQmQ@public.gmane.org> @ 2016-09-22 13:31 ` Gandalf Corvotempesta [not found] ` <CAJH6TXje-Zb54scg8-UTchZEa2RCOGVdaB0DQ_ipbJtNEAPPGA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> 0 siblings, 1 reply; 7+ messages in thread From: Gandalf Corvotempesta @ 2016-09-22 13:31 UTC (permalink / raw) To: Jann Horn Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA, Eric Biederman 2016-09-22 15:02 GMT+02:00 Jann Horn <jann-XZ1E9jl8jIdeoWH0uzbU5w@public.gmane.org>: > This was fixed by Eric Biederman in the "Bind mount escape fixes" patch series > in August 2015. > Relevant commits are 397d425d and cde93be4 (maybe more? I'm not sure). So, now is not possible to escape from bind ? There was a reference to this in official Docker docs. Just for my info: to escape from the container, an attacker would have to move the bound directory directly from the host? Having access only to the container would't make this issue happen ? In example, if I have bound as follow: /mnt/dir1 => /home/myuser/path_inside_container moving (from the host) /mnt/dir1 to somewhere else like /tmp/dir1 will make the container able to escape ? ^ permalink raw reply [flat|nested] 7+ messages in thread
[parent not found: <CAJH6TXje-Zb54scg8-UTchZEa2RCOGVdaB0DQ_ipbJtNEAPPGA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>]
* Re: Escape from a bind mount [not found] ` <CAJH6TXje-Zb54scg8-UTchZEa2RCOGVdaB0DQ_ipbJtNEAPPGA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> @ 2016-09-22 13:48 ` Jann Horn [not found] ` <20160922134833.GC20504-J1fxOzX/cBvk1uMJSBkQmQ@public.gmane.org> 0 siblings, 1 reply; 7+ messages in thread From: Jann Horn @ 2016-09-22 13:48 UTC (permalink / raw) To: Gandalf Corvotempesta Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA, Eric Biederman [-- Attachment #1.1: Type: text/plain, Size: 1348 bytes --] On Thu, Sep 22, 2016 at 03:31:45PM +0200, Gandalf Corvotempesta wrote: > 2016-09-22 15:02 GMT+02:00 Jann Horn <jann-XZ1E9jl8jIdeoWH0uzbU5w@public.gmane.org>: > > This was fixed by Eric Biederman in the "Bind mount escape fixes" patch series > > in August 2015. > > Relevant commits are 397d425d and cde93be4 (maybe more? I'm not sure). > > So, now is not possible to escape from bind ? There was a reference to > this in official Docker docs. It shouldn't be possible to escape from bind mounts anymore. That was a bug, and it was fixed. Where do the docs mention this? We should probably ask them to fix that. > Just for my info: to escape from the container, an attacker would have > to move the bound directory directly from the host? Having access only > to the container would't make this issue happen ? > In example, if I have bound as follow: > /mnt/dir1 => /home/myuser/path_inside_container > > moving (from the host) /mnt/dir1 to somewhere else like /tmp/dir1 will > make the container able to escape ? No. If you had namespaced root privileges in a container, it was also possible to trigger the bug from inside the container. But really, that shouldn't be an issue for you anymore, considering that this was fixed a year ago and was apparently also backported to stable kernels. Why are you asking? [-- Attachment #1.2: Digital signature --] [-- Type: application/pgp-signature, Size: 819 bytes --] [-- Attachment #2: Type: text/plain, Size: 205 bytes --] _______________________________________________ Containers mailing list Containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org https://lists.linuxfoundation.org/mailman/listinfo/containers ^ permalink raw reply [flat|nested] 7+ messages in thread
[parent not found: <20160922134833.GC20504-J1fxOzX/cBvk1uMJSBkQmQ@public.gmane.org>]
* Re: Escape from a bind mount [not found] ` <20160922134833.GC20504-J1fxOzX/cBvk1uMJSBkQmQ@public.gmane.org> @ 2016-09-22 13:57 ` Gandalf Corvotempesta 2016-09-22 14:23 ` Gandalf Corvotempesta 1 sibling, 0 replies; 7+ messages in thread From: Gandalf Corvotempesta @ 2016-09-22 13:57 UTC (permalink / raw) To: Jann Horn Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA, Eric Biederman 2016-09-22 15:48 GMT+02:00 Jann Horn <jann-XZ1E9jl8jIdeoWH0uzbU5w@public.gmane.org>: > It shouldn't be possible to escape from bind mounts anymore. That was a > bug, and it was fixed. > Where do the docs mention this? We should probably ask them to fix that. Here: https://docs.docker.com/engine/tutorials/dockervolumes/ But I've opened an issue to let them fix. ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Escape from a bind mount [not found] ` <20160922134833.GC20504-J1fxOzX/cBvk1uMJSBkQmQ@public.gmane.org> 2016-09-22 13:57 ` Gandalf Corvotempesta @ 2016-09-22 14:23 ` Gandalf Corvotempesta [not found] ` <CAJH6TXi=G90x24ThdZAfZMhVRN86B0LS5R-WuCn+OtGsFNjm8Q-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> 1 sibling, 1 reply; 7+ messages in thread From: Gandalf Corvotempesta @ 2016-09-22 14:23 UTC (permalink / raw) To: Jann Horn Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA, Eric Biederman 2016-09-22 15:48 GMT+02:00 Jann Horn <jann-XZ1E9jl8jIdeoWH0uzbU5w@public.gmane.org>: > It shouldn't be possible to escape from bind mounts anymore. That was a > bug, and it was fixed. > Where do the docs mention this? We should probably ask them to fix that. Is this also backported to older kernel versions? From which kernel version is fixed ? ^ permalink raw reply [flat|nested] 7+ messages in thread
[parent not found: <CAJH6TXi=G90x24ThdZAfZMhVRN86B0LS5R-WuCn+OtGsFNjm8Q-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>]
* Re: Escape from a bind mount [not found] ` <CAJH6TXi=G90x24ThdZAfZMhVRN86B0LS5R-WuCn+OtGsFNjm8Q-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> @ 2016-09-22 14:34 ` Jann Horn 0 siblings, 0 replies; 7+ messages in thread From: Jann Horn @ 2016-09-22 14:34 UTC (permalink / raw) To: Gandalf Corvotempesta Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA, Eric Biederman [-- Attachment #1.1: Type: text/plain, Size: 2065 bytes --] On Thu, Sep 22, 2016 at 04:23:11PM +0200, Gandalf Corvotempesta wrote: > 2016-09-22 15:48 GMT+02:00 Jann Horn <jann-XZ1E9jl8jIdeoWH0uzbU5w@public.gmane.org>: > > It shouldn't be possible to escape from bind mounts anymore. That was a > > bug, and it was fixed. > > Where do the docs mention this? We should probably ask them to fix that. > > Is this also backported to older kernel versions? From which kernel > version is fixed ? $ git describe --contains 397d425d v4.3-rc1~66^2 It was fixed in kernel 4.3. https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/log/?id=refs%2Ftags%2Fv4.1.33&qt=grep&q=vfs%3A+Test+for+and+handle+paths+that+are+unreachable+from+their+mnt_root https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/log/?id=refs/tags/v3.18.42&qt=grep&q=vfs%3A+Test+for+and+handle+paths+that+are+unreachable+from+their+mnt_root https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/log/?id=refs/tags/v3.16.37&qt=grep&q=vfs%3A+Test+for+and+handle+paths+that+are+unreachable+from+their+mnt_root https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/log/?id=refs/tags/v3.14.79&qt=grep&q=vfs%3A+Test+for+and+handle+paths+that+are+unreachable+from+their+mnt_root https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/log/?id=refs/tags/v3.12.63&qt=grep&q=vfs%3A+Test+for+and+handle+paths+that+are+unreachable+from+their+mnt_root https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/log/?id=refs/tags/v3.10.103&qt=grep&q=vfs%3A+Test+for+and+handle+paths+that+are+unreachable+from+their+mnt_root https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/log/?id=refs/tags/v3.4.112&qt=grep&q=vfs%3A+Test+for+and+handle+paths+that+are+unreachable+from+their+mnt_root https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/log/?id=refs/tags/v3.2.82&qt=grep&q=vfs%3A+Test+for+and+handle+paths+that+are+unreachable+from+their+mnt_root The fix was backported to all longterm stable kernels listed at https://kernel.org/. [-- Attachment #1.2: Digital signature --] [-- Type: application/pgp-signature, Size: 819 bytes --] [-- Attachment #2: Type: text/plain, Size: 205 bytes --] _______________________________________________ Containers mailing list Containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org https://lists.linuxfoundation.org/mailman/listinfo/containers ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2016-09-22 14:34 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-09-22 12:49 Escape from a bind mount Gandalf Corvotempesta
[not found] ` <CAJH6TXhzy4XAQKaKjrK5Yqzg0sxtPjU9D=X3AHZZ76N3Cpwkwg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-09-22 13:02 ` Jann Horn
[not found] ` <20160922130253.GB20504-J1fxOzX/cBvk1uMJSBkQmQ@public.gmane.org>
2016-09-22 13:31 ` Gandalf Corvotempesta
[not found] ` <CAJH6TXje-Zb54scg8-UTchZEa2RCOGVdaB0DQ_ipbJtNEAPPGA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-09-22 13:48 ` Jann Horn
[not found] ` <20160922134833.GC20504-J1fxOzX/cBvk1uMJSBkQmQ@public.gmane.org>
2016-09-22 13:57 ` Gandalf Corvotempesta
2016-09-22 14:23 ` Gandalf Corvotempesta
[not found] ` <CAJH6TXi=G90x24ThdZAfZMhVRN86B0LS5R-WuCn+OtGsFNjm8Q-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-09-22 14:34 ` Jann Horn
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.