Sebastian Krahmer, a member of SUSE Security Research, announced an elevation-of-privilege vulnerability in the GNU/Linux kernel. Recent kernels (3.8+) introduced a feature intended to ease container implementation: user namespaces (user-ns, the CLONE_NEWUSER flag to clone()). A user namespace lets an unprivileged process hold UID 0 inside its own isolated view, which simplifies process isolation for containers, but it also brings security risks. Specifically, if CLONE_NEWUSER is combined with CLONE_FS, the filesystem state (root directory and current directory) is shared between the two sides of the clone, that is, between the parent and the child process, and an attacker can use this combination to obtain root permission:

Because the child obtains its own user-ns while the parent and child still share filesystem state (CLONE_FS), a chroot() performed in the child's user-ns, where the child is UID 0, directly affects the parent process, which is outside the namespace and keeps its original privileges; the child thus controls the root directory of a process it should not be able to influence. An exploit has been published here.
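The dangerous ingredient described above is the flag combination itself, so the first thing a defender wants to know is whether the running kernel still accepts it. Kernels carrying the fix for this issue refuse a clone() that asks for CLONE_NEWUSER together with CLONE_FS and return EINVAL. The following C program, an added example that is not part of the original announcement or of the published exploit, asks the kernel for exactly that combination and reports what happened; the child does nothing and exits immediately, so nothing in the shared filesystem state is touched. It assumes the raw clone(2) argument order used on x86_64 and aarch64 (flags, stack, parent_tid, child_tid, tls); the enum names and the helper names are the example's own.

```c
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Linux ABI values, supplied here in case <sched.h> hides them without _GNU_SOURCE. */
#ifndef CLONE_FS
#define CLONE_FS      0x00000200
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif

/* Outcome of asking the kernel for a child that is in a new user namespace
   but shares the parent's filesystem state (root and cwd). */
enum probe_result {
    PROBE_REJECTED_EINVAL, /* kernel refuses CLONE_NEWUSER|CLONE_FS: the fix is present */
    PROBE_DENIED,          /* clone() failed for another reason, e.g. EPERM when
                              unprivileged user namespaces are disabled or filtered */
    PROBE_ALLOWED          /* clone() succeeded: an unfixed kernel, treat as vulnerable */
};

enum probe_result probe_clone_newuser_fs(void)
{
    /* A raw clone(2) with a NULL stack behaves like fork(): the child gets a
       copy of the parent's stack and resumes right after the syscall. */
    unsigned long flags = CLONE_NEWUSER | CLONE_FS | SIGCHLD;
    long pid = syscall(SYS_clone, flags, NULL, NULL, NULL, 0UL);

    if (pid == 0) {
        /* Child: would be UID 0 in a fresh user-ns while sharing the parent's
           fs_struct. Leave at once without touching it. */
        _exit(0);
    }
    if (pid == -1)
        return errno == EINVAL ? PROBE_REJECTED_EINVAL : PROBE_DENIED;

    /* Only reached on a kernel that still accepts the combination. */
    int status;
    waitpid((pid_t)pid, &status, 0);
    return PROBE_ALLOWED;
}

const char *probe_result_name(enum probe_result r)
{
    switch (r) {
    case PROBE_REJECTED_EINVAL: return "rejected with EINVAL (kernel has the fix)";
    case PROBE_DENIED:          return "denied (user namespaces unavailable here)";
    case PROBE_ALLOWED:         return "ALLOWED (kernel accepts CLONE_NEWUSER|CLONE_FS)";
    }
    return "unknown";
}

int main(void)
{
    enum probe_result r = probe_clone_newuser_fs();
    printf("CLONE_NEWUSER|CLONE_FS probe: %s\n", probe_result_name(r));
    /* Non-zero exit only when the combination is accepted, so the program
       can serve as a pass/fail check in a hardening script. */
    return r == PROBE_ALLOWED ? 1 : 0;
}
```

Compile with `cc -Wall -o userns_fs_probe userns_fs_probe.c` and run it as an unprivileged user; a result of "denied" rather than "rejected with EINVAL" usually means the host disables or filters unprivileged user namespaces (for example under a container seccomp profile), which is a separate mitigation and does not by itself say whether the kernel carries the fix.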