CVE-2016-8649 was assigned to the issue that allows an attacker inside of an unprivileged container to use an inherited file descriptor of the host's /proc to access the rest of the host's filesystem via the openat() family of syscalls.

lxc-attach opens that descriptor on the host in order to write to /proc/<PID>/attr/current or /proc/<PID>/attr/exec and thereby set the AppArmor/SELinux label of the attached process. Because the descriptor was handed to the attached process, a process running inside the container ends up holding a directory descriptor that belongs to the host's mount namespace. Path components such as ".." are resolved relative to the descriptor's own mount, not relative to the container's root, so openat() on it reaches the host's filesystem. The upstream patch stops passing the descriptor to the attached process.

Upstream bug: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1639345
Upstream patch: https://github.com/lxc/lxc/commit/81f466d05f2a89cb4f122ef7f593ff3f279b165c

References: http://seclists.org/oss-sec/2016/q4/515
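As an added illustration that is not part of this bug report or of LXC's own code, the C program below (Linux only; all function names are this example's own) shows the two halves of the issue: why a leaked directory descriptor on /proc is an escape primitive, and the audit a practitioner would run before handing control to a process in another mount namespace. dotdot_via_fd() resolves ".." through the descriptor, which the kernel walks from the descriptor's own mount; run unconfined it lands on the caller's "/", and inside a container it would land on the host's root while stat("/") reports the container's, so same_dir() would then return 0. count_inheritable_dir_fds() lists directory descriptors without FD_CLOEXEC, i.e. exactly the ones an execve()'d child would inherit, and make_cloexec() is the minimal mitigation for a descriptor the parent must keep.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern at the root of the bug: a plain directory descriptor on the
 * host's procfs.  With cloexec == 0 it survives execve() and is inherited by
 * whatever process is started afterwards.  Example code, not LXC's. */
int open_procfs(int cloexec)
{
    int flags = O_RDONLY | O_DIRECTORY;
    if (cloexec)
        flags |= O_CLOEXEC;
    return open("/proc", flags);
}

/* Escape primitive.  A ".." component is walked from the descriptor's own
 * dentry and mount, so from the host's /proc it lands on the host's "/",
 * regardless of the caller's root directory or mount namespace.  Returns a
 * descriptor for that directory, or -1. */
int dotdot_via_fd(int dir_fd)
{
    return openat(dir_fd, "..", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
}

/* 1 if descriptor fd refers to the same directory as path, 0 otherwise. */
int same_dir(int fd, const char *path)
{
    struct stat a, b;
    if (fstat(fd, &a) != 0 || stat(path, &b) != 0)
        return 0;
    return a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}

/* Audit: number of open directory descriptors (stdio excluded) that lack
 * FD_CLOEXEC, i.e. that an execve()'d child would inherit.  Returns -1 if
 * /proc/self/fd cannot be read. */
int count_inheritable_dir_fds(void)
{
    DIR *d = opendir("/proc/self/fd");
    if (d == NULL)
        return -1;
    int self = dirfd(d), n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] == '.')
            continue;
        int fd = atoi(e->d_name);
        if (fd <= 2 || fd == self)
            continue;
        int fdflags = fcntl(fd, F_GETFD);
        if (fdflags < 0 || (fdflags & FD_CLOEXEC))
            continue;
        struct stat st;
        if (fstat(fd, &st) == 0 && S_ISDIR(st.st_mode))
            n++;
    }
    closedir(d);
    return n;
}

/* Mitigation for a descriptor the parent must keep: mark it close-on-exec so
 * it is dropped at execve().  Returns 0 on success. */
int make_cloexec(int fd)
{
    int fdflags = fcntl(fd, F_GETFD);
    if (fdflags < 0)
        return -1;
    return fcntl(fd, F_SETFD, fdflags | FD_CLOEXEC);
}

int main(void)
{
    int before = count_inheritable_dir_fds();
    int procfd = open_procfs(0);               /* the leaky pattern */
    if (procfd < 0) {
        perror("open /proc");
        return 1;
    }
    printf("inheritable directory fds: %d before, %d with the /proc fd open\n",
           before, count_inheritable_dir_fds());

    int root = dotdot_via_fd(procfd);
    printf("'..' through the /proc fd is this process's '/': %s\n",
           same_dir(root, "/") ? "yes (unconfined)" : "no (different root)");
    if (root >= 0)
        close(root);

    make_cloexec(procfd);                       /* hardened */
    printf("after FD_CLOEXEC: %d inheritable directory fds\n",
           count_inheritable_dir_fds());
    close(procfd);
    return 0;
}
```

The audit counts only directory descriptors because those are the ones openat() can walk from; extending it to any descriptor without FD_CLOEXEC is the stricter check to run right before the execve() that crosses a trust boundary.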
Created lxc tracking bugs for this issue:

Affects: fedora-all [bug 1398243]
Affects: epel-all [bug 1398245]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.