
List:       oss-security
Subject:    Re: [oss-security] CVE-2019-5736: runc container breakout exploit code
From:       EJ Campbell <ejc3 () verizonmedia ! com>
Date:       2019-02-13 10:41:48
Message-ID: CABOq=i38wC9q1hvydmhuYK7bPCDYbUjpTHHPRxD7gGMFNXmEPQ () mail ! gmail ! com


That should have been +i, sorry. Thank you for your quick response.

EJ

On Wed, Feb 13, 2019 at 1:58 AM Aleksa Sarai <cyphar@cyphar.com> wrote:

> On 2019-02-13, Aleksa Sarai <cyphar@cyphar.com> wrote:
> > On 2019-02-13, EJ Campbell <ejc3@verizonmedia.com> wrote:
> > > While fixing docker / runc is clearly the right fix, would using
> > > chattr -i on runc be a quick mitigation for the issue? I believe that
> > > will prevent the file from being overwritten by the exploit and
> > > Etienne Stalmans verified that it helped:
> > > https://twitter.com/_staaldraad/status/1095354945073754112
> >
> > The privileged user in the container could just un-set the immutable
> > bit using "/proc/self/fd/..." and then open it for writing. A read-only
> > filesystem would work much better.
>
> Sorry, I forgot that CAP_LINUX_IMMUTABLE is dropped by default in
> Docker. Yes that mitigation would also work.
>
> --
> Aleksa Sarai
> Senior Software Engineer (Containers)
> SUSE Linux GmbH
> <https://www.cyphar.com/>
>
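As an added example that is not part of this thread: a small POSIX sh check of the two conditions the exchange above turns on, namely that the runc binary carries the immutable attribute and that the container's bounding set lacks CAP_LINUX_IMMUTABLE (capability number 9, which Docker drops by default). The function names and the `lsattr` / `/proc/<pid>/status` sample inputs are my own constructions.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether relying on
# "chattr +i" on the runc binary is sound for a given container.
# A process that still holds CAP_LINUX_IMMUTABLE can clear the attribute
# again, so the check needs both the attribute and the bounding set.

CAP_LINUX_IMMUTABLE=9   # capability number from <linux/capability.h>

# has_immutable_attr LSATTR_LINE -> 0 if the lowercase 'i' flag is present.
# LSATTR_LINE is one line of `lsattr` output, e.g.
# "----i---------e----- /usr/bin/runc" (constructed sample).
has_immutable_attr() {
    flags=${1%% *}              # attribute field before the first space
    case "$flags" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# cap_in_bounding_set STATUS_TEXT CAPNUM -> 0 if bit CAPNUM is set in the
# CapBnd line of STATUS_TEXT (contents of /proc/<pid>/status for a process
# inside the container); 2 if no CapBnd line is present.
cap_in_bounding_set() {
    mask=$(printf '%s\n' "$1" | sed -n 's/^CapBnd:[[:space:]]*//p')
    [ -n "$mask" ] || return 2
    [ $(( (0x$mask >> $2) & 1 )) -eq 1 ]
}

# immutable_mitigation_status LSATTR_LINE STATUS_TEXT
# prints "absent"     - runc does not carry +i at all
#        "bypassable" - +i is set but the container keeps CAP_LINUX_IMMUTABLE
#        "effective"  - +i is set and the capability is not in the bounding set
immutable_mitigation_status() {
    if ! has_immutable_attr "$1"; then
        echo absent
    elif cap_in_bounding_set "$2" "$CAP_LINUX_IMMUTABLE"; then
        echo bypassable
    else
        echo effective
    fi
}

# Constructed sample status excerpts (not captured from a real host).
# 00000000a80425fb is Docker's default bounding set, which lacks bit 9;
# 0000003fffffffff is what a --privileged container typically shows.
DEFAULT_STATUS='Name:	runc
CapBnd:	00000000a80425fb'
PRIV_STATUS='Name:	runc
CapBnd:	0000003fffffffff'
```

On a live host the two inputs would come from `lsattr "$(command -v runc)"` and `cat /proc/<container-pid>/status`.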

