runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory. References: https://github.com/opencontainers/runc/issues/2128
Created runc tracking bugs for this issue: Affects: fedora-all [bug 1757290]
According to the upstream bug report, this also affects SELinux labels: https://github.com/opencontainers/runc/issues/2128#issuecomment-535478352
Yes this is an SELinux issue as well as an AppArmor problem.
Created docker tracking bugs for this issue: Affects: fedora-all [bug 1760989] Affects: openstack-rdo [bug 1760990]
Statement: The AppArmor security module is not supported by Red Hat; on the other hand, the flaw also affects SELinux-based distributions like Red Hat Enterprise Linux.
When creating a new container, runc doesn't properly validate whether a non-procfs filesystem is being mounted on top of the /proc mount point. As runc relies on attr entries to read or set SELinux labels, an attacker may leverage this weakness by creating a crafted container image with malicious values set on the security attributes entry for processes, mounted on top of the container's /proc. This flaw may allow containers to run with more privileged SELinux labels than the default, allowing tasks confined inside the container instance to eventually execute unexpected actions. The security impact for this issue is considered Medium for Red Hat Enterprise Linux, as with SELinux the task still runs confined under a less privileged label than unconfined_t.
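The statement above describes the defensive property a runtime needs: a mount whose destination is /proc must be procfs, and nothing may be mounted over the rest of the /proc tree (including the attr entries the LSM reads) except a small set of known paths. The following Go function is an added illustration of such a check, written for this page; it is not runc's own code from rootfs_linux.go or from the upstream fix. The function name `checkProcMount`, the `allowedProcSubmounts` allowlist, and the sample rootfs path are assumptions for the example. Destinations are host paths already joined to the container rootfs, as a runtime would compute them.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// allowedProcSubmounts lists the only destinations under /proc that a container
// configuration may replace or mask. This is an assumed allowlist for the
// example; a real runtime defines its own.
var allowedProcSubmounts = []string{
	"/proc/cpuinfo",
	"/proc/sys",
	"/proc/sysrq-trigger",
}

// checkProcMount returns nil if a mount with host destination dest (already
// joined to rootfs) and filesystem type fstype may proceed, and an error if it
// would place a non-procfs filesystem on /proc or land inside the /proc tree
// at a path that is not allowlisted. dest is cleaned first so that
// "/proc/../etc" is judged by where it actually resolves.
func checkProcMount(rootfs, dest, fstype string) error {
	cleaned := filepath.Clean(dest)
	procRoot := filepath.Join(rootfs, "proc")

	rel, err := filepath.Rel(procRoot, cleaned)
	if err != nil {
		return fmt.Errorf("cannot relate %q to %q: %w", cleaned, procRoot, err)
	}

	switch {
	case rel == ".":
		// Exactly /proc: only procfs itself may be mounted here.
		if fstype == "proc" {
			return nil
		}
		return fmt.Errorf("mount on /proc must be procfs, got filesystem type %q", fstype)
	case rel == ".." || strings.HasPrefix(rel, "../"):
		// Outside the /proc tree: this check has nothing to say.
		return nil
	}

	// Inside /proc: permit only the allowlisted subpaths, compared after cleaning.
	for _, allowed := range allowedProcSubmounts {
		if filepath.Join(rootfs, allowed) == cleaned {
			return nil
		}
	}
	return fmt.Errorf("mount destination %q is inside /proc and not permitted", cleaned)
}

func main() {
	// Constructed sample rootfs and mount requests; not taken from a real container.
	rootfs := "/var/lib/containers/example/rootfs"
	requests := []struct{ dest, fstype string }{
		{rootfs + "/proc", "proc"},
		{rootfs + "/proc", "tmpfs"},
		{rootfs + "/proc/self/attr", "bind"},
		{rootfs + "/proc/sys", "bind"},
		{rootfs + "/proc/../etc/hosts", "bind"},
	}
	for _, r := range requests {
		if err := checkProcMount(rootfs, r.dest, r.fstype); err != nil {
			fmt.Printf("REJECT %-45s (%s): %v\n", r.dest, r.fstype, err)
		} else {
			fmt.Printf("ALLOW  %-45s (%s)\n", r.dest, r.fstype)
		}
	}
}
```

The decisive cases are the second and third requests: a non-procfs filesystem on /proc itself, and a mount over the process attribute entries under /proc/self, are both refused, while procfs on /proc, an allowlisted subpath, and a path that cleans to somewhere outside /proc pass through.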
WIP backports here: https://github.com/projectatomic/runc/pull/28
Upstream Fix: https://github.com/opencontainers/runc/pull/2129
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.1 Via RHSA-2019:3940 https://access.redhat.com/errata/RHSA-2019:3940
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-16884
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.2 Via RHSA-2019:4074 https://access.redhat.com/errata/RHSA-2019:4074
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:4269 https://access.redhat.com/errata/RHSA-2019:4269
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extras Via RHSA-2020:1234 https://access.redhat.com/errata/RHSA-2020:1234
This CVE was fixed in runc Red Hat Enterprise Linux 7.8 - Extra Packages via RHSA-2020:1232 https://access.redhat.com/errata/RHBA-2020:1232