On 01/18/2017 12:05 AM, 面和毅 wrote:
> Dear Sir,
>
> I'm a member of Japan-SOSS SIG (Secure OSS Special
> Interest Group).
> We love SELinux (12-year user) and we are promoting SELinux in Japan.
>
> From technical interest (we are promoting Docker
> with SELinux), we did a PoC for CVE-2016-9962 on Fedora 25.
>
> Then we found that current SELinux (maybe the policy) does not
> mitigate that vulnerability.
>
> We could reproduce that vulnerability with
> - adding CAP_SYS_PTRACE to the container
> - a modified runc, because there's not so much of a race window in runc.
> So we think it's not so easy in a usual situation.
> Also, we couldn't reproduce it on CentOS 7 (latest).
>
> We posted that PoC result on our community blog.
> https://jsosug.github.io/post/omok-selinux-docker-20170118/
>
> Also, we wish to discuss how we can protect against this kind of
> vulnerability by using SELinux.
>
> Kind Regards,
>
> OMO

It mitigates the escape by controlling what can be written and most of what can be read.

Currently policy allows for some information to be read off of the host system, since the idea was to allow things like

    docker run -ti -v /etc/passwd:/etc/passwd fedora sh

to work. Content in /usr and some content in /etc is allowed to be read from inside of the container. Content in /var, /home, /root or most other places where people would store data is blocked.

I am tightening up the policy to remove the ability to read content in /etc.

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.