List: oss-security
Subject: Re: [oss-security] docker VMM breakout
From: Daniel J Walsh <dwalsh () redhat ! com>
Date: 2014-06-18 14:05:35
Message-ID: 53A19CAF.8040408 () redhat ! com
On 06/18/2014 09:39 AM, Sven Kieske wrote:
> On 18.06.2014 12:15, David Jorm wrote:
>> I tested libvirt via virsh and by default both CAP_DAC_READ_SEARCH and
>> CAP_DAC_OVERRIDE are available (and thus the PoC does run). However,
>> this default is well documented as is the general insecurity of libvirt
>> in regards to DAC, so I don't think a CVE ID is required for libvirt.
> I fail to see why this should be true.
> On most distributions libvirt spawned vms do not run as root but as user
> qemu or similar.
> according to the documentation at:
> http://libvirt.org/drvqemu.html#securitycap
>
> this should imply that libvirt drops these capabilities.
>
> Please correct me if I'm wrong.
>
>
Why is this assumed to be a problem?
CONTAINERS DO NOT CONTAIN. Root inside the container == Root outside
the container.
This is true in both libvirt-sandbox/libvirt-lxc and docker.
We have a long way to go before we can run anything within a container
without this rule.
User namespaces, SELinux or another MAC are all required to get us near the
point where containers contain.
People who run services within a container should continue to drop privs
in the services and run them as UID!=0
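The two practical points in this reply, checking which capabilities a process in a container actually holds (the CAP_DAC_READ_SEARCH / CAP_DAC_OVERRIDE question from the quoted text) and dropping to a non-root UID inside the service, as an added example that is not Dan Walsh's code and not taken from docker or libvirt. It assumes Linux (it reads /proc/self/status), hard-codes the capability bit numbers from linux/capability.h so it builds without libcap, and the sample status text and the uid/gid 65534 used in main() are constructed for illustration.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <errno.h>
#include <unistd.h>
#include <grp.h>
#include <sys/types.h>

/* Capability bit numbers as in <linux/capability.h>; copied here so the
 * example builds without libcap. */
#define CAP_DAC_OVERRIDE     1
#define CAP_DAC_READ_SEARCH  2
#define CAP_SYS_ADMIN       21

/* Extract the effective capability mask from text in the format of
 * /proc/<pid>/status ("CapEff:\t<hex digits>"). Sets *found to 1 when a
 * CapEff line was parsed, 0 otherwise (the return value is then 0). */
uint64_t parse_cap_eff(const char *status_text, int *found)
{
    const char *p = strstr(status_text, "CapEff:");
    if (p == NULL) { *found = 0; return 0; }
    p += strlen("CapEff:");
    while (*p == ' ' || *p == '\t') p++;
    char *end;
    errno = 0;
    unsigned long long v = strtoull(p, &end, 16);
    if (end == p || errno != 0) { *found = 0; return 0; }
    *found = 1;
    return (uint64_t)v;
}

/* 1 if capability number `cap` is set in `mask`, else 0. */
int cap_is_set(uint64_t mask, int cap)
{
    return (int)((mask >> cap) & 1ULL);
}

/* Read this process's own effective capabilities from /proc (Linux only). */
uint64_t read_own_cap_eff(int *found)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL) { *found = 0; return 0; }
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_cap_eff(buf, found);
}

/* Drop from root to an unprivileged uid/gid in the order that works:
 * supplementary groups first (needs CAP_SETGID, so before setuid), then
 * gid, then uid, then verify that root cannot be regained. Returns 0 on
 * success, -1 with errno set on failure; a service must not enter its main
 * loop if this fails. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; }
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* After a real drop the saved ids are gone too, so these must fail. */
    if (setuid(0) == 0 || setgid(0) == 0) { errno = EPERM; return -1; }
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) { errno = EPERM; return -1; }
    return 0;
}

int main(void)
{
    int found;
    uint64_t caps = read_own_cap_eff(&found);
    if (found) {
        printf("CapEff=%016llx DAC_OVERRIDE=%d DAC_READ_SEARCH=%d\n",
               (unsigned long long)caps,
               cap_is_set(caps, CAP_DAC_OVERRIDE),
               cap_is_set(caps, CAP_DAC_READ_SEARCH));
    }
    /* 65534 is a constructed choice (nobody on many distributions); a real
     * service resolves its user with getpwnam() instead. */
    if (getuid() == 0 && drop_privileges(65534, 65534) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("running as uid=%u\n", (unsigned)getuid());
    return 0;
}
```

Run it as root inside a container to see the CapEff line the kernel reports for that process, then compare the two DAC bits against what the runtime's documentation claims. The drop_privileges() ordering matters: calling setuid() first would leave the process unable to call setgroups(), and skipping the post-drop checks is how a service ends up with a saved uid of 0 it can silently switch back to.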