On Thu, Sep 22, 2016 at 03:31:45PM +0200, Gandalf Corvotempesta wrote: > 2016-09-22 15:02 GMT+02:00 Jann Horn <jann@xxxxxxxxx>: > > This was fixed by Eric Biederman in the "Bind mount escape fixes" patch series > > in August 2015. > > Relevant commits are 397d425d and cde93be4 (maybe more? I'm not sure). > > So, now is not possible to escape from bind ? There was a reference to > this in official Docker docs. It shouldn't be possible to escape from bind mounts anymore. That was a bug, and it was fixed. Where do the docs mention this? We should probably ask them to fix that. > Just for my info: to escape from the container, an attacker would have > to move the bound directory directly from the host? Having access only > to the container would't make this issue happen ? > In example, if I have bound as follow: > /mnt/dir1 => /home/myuser/path_inside_container > > moving (from the host) /mnt/dir1 to somewhere else like /tmp/dir1 will > make the container able to escape ? No. If you had namespaced root privileges in a container, it was also possible to trigger the bug from inside the container. But really, that shouldn't be an issue for you anymore, considering that this was fixed a year ago and was apparently also backported to stable kernels. Why are you asking?
Attachment:
signature.asc
Description: Digital signature
_______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
