Gentoo Archives: gentoo-hardened

From: "Tóth Attila" <atoth@××××××××××.hu>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] GRKERNSEC_PROC_USERGROUP and docker exec
Date: Sat, 09 Sep 2017 09:23:57
Message-Id: a86642f44453386b00161f4ee3df3062.squirrel@atoth.sote.hu
In Reply to: [gentoo-hardened] GRKERNSEC_PROC_USERGROUP and docker exec by Alex Efros
I don't use docker myself, but if we are speaking about
CONFIG_GRKERNSEC_PROC_USER and CONFIG_GRKERNSEC_PROC_USERGROUP, it would
be important to know what GID is specified in CONFIG_GRKERNSEC_PROC_GID.
That GID is an exception and can provide a way to let that group bypass
CONFIG_GRKERNSEC_PROC_USER restrictions. I could successfully find the
proper settings when I converted to systemd - although I had enough, so
I'm using openrc for some time now. So if you can figure out the important
process's GID, you can officially circumvent the restrictions. Too bad if
the incriminated process runs as root... If you can influence with what
GID the important process starts, you have a key for a solution.
--
Dr Tóth Attila, Radiologist, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On 2017 September 8 (Fri) 21:20, Alex Efros wrote:
> Hi!
>
> It looks like when connecting to an existing docker container with `docker
> exec`, CONFIG_GRKERNSEC_PROC_USERGROUP (and probably
> CONFIG_GRKERNSEC_PROC_USER too) hides processes started by `docker run`
> from processes started by `docker exec` (all processes are running as
> docker "root", docker daemon is started with default options, i.e. without
> --userns-remap).
>
> Why does this happen, and is there any workaround?
>
>
> $ sudo zgrep GRKERNSEC_PROC_USER /proc/config.gz
> # CONFIG_GRKERNSEC_PROC_USER is not set
> CONFIG_GRKERNSEC_PROC_USERGROUP=y
>
> $ docker run -d -it --rm --init alpine sh -c 'ps ax; exec sleep 42'
> 49bec4451495563d702ad0edb9a7c80a9a7f5918fab4eb67e5a44b803f3ac656
>
> $ docker logs 49bec4451495
> PID USER TIME COMMAND
> 1 root 0:00 /dev/init -- sh -c ps ax; exec sleep 42
> 7 root 0:00 sh -c ps ax; exec sleep 42
> 8 root 0:00 ps ax
>
> $ docker exec -it 49bec4451495 ps ax
> PID USER TIME COMMAND
> 9 root 0:00 ps ax
>
> --
> WBR, Alex.
>
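An added example, not code from either poster, for the check Attila suggests: parse the GRKERNSEC_PROC_* options out of a kernel config and test whether a process's groups fall under the CONFIG_GRKERNSEC_PROC_GID exception. The sample config below is constructed to mirror Alex's zgrep output; the exception GID of 1001 is an assumption, since the thread never states the real value.

```shell
#!/bin/sh
# Added example, not code from the thread: parse the grsecurity /proc
# restriction options out of a kernel config and check whether a set of
# GIDs falls under the CONFIG_GRKERNSEC_PROC_GID exception.

# Constructed sample mirroring Alex's /proc/config.gz output, with an
# assumed exception GID of 1001 (the thread does not give the real value).
SAMPLE_CFG='# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=1001'

# proc_restriction_mode <config-text>: prints user, usergroup or none.
proc_restriction_mode() {
    if printf '%s\n' "$1" | grep -q '^CONFIG_GRKERNSEC_PROC_USER=y$'; then
        echo user
    elif printf '%s\n' "$1" | grep -q '^CONFIG_GRKERNSEC_PROC_USERGROUP=y$'; then
        echo usergroup
    else
        echo none
    fi
}

# proc_exempt_gid <config-text>: prints CONFIG_GRKERNSEC_PROC_GID (empty if unset).
proc_exempt_gid() {
    printf '%s\n' "$1" | sed -n 's/^CONFIG_GRKERNSEC_PROC_GID=//p'
}

# gid_is_exempt <config-text> <gid>...: exit 0 when a /proc restriction is
# enabled and one of the given GIDs equals the exception GID, else exit 1.
gid_is_exempt() {
    cfg=$1; shift
    [ "$(proc_restriction_mode "$cfg")" != none ] || return 1
    exempt=$(proc_exempt_gid "$cfg")
    [ -n "$exempt" ] || return 1
    for g in "$@"; do
        [ "$g" = "$exempt" ] && return 0
    done
    return 1
}

# Live report for the running kernel and the current shell's groups (id -G),
# skipped where /proc/config.gz is not readable.
if [ -r /proc/config.gz ]; then
    live_cfg=$(zcat /proc/config.gz | grep '^CONFIG_GRKERNSEC_PROC_' || true)
    echo "mode: $(proc_restriction_mode "$live_cfg") exception gid: $(proc_exempt_gid "$live_cfg")"
    if gid_is_exempt "$live_cfg" $(id -G); then
        echo "current groups include the exception GID"
    fi
fi
```

Run it inside the container (via `docker exec`) and on the host to compare which groups each shell actually carries against the exception GID.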

Replies

Subject Author
Re: [gentoo-hardened] GRKERNSEC_PROC_USERGROUP and docker exec Alex Efros <powerman@××××××××.name>