跳到主要内容
版本:main

Vulnerability Mitigation

cgroups-lxcfs-escape-mitigation

Mitigate cgroups & lxcfs escape.

Description

If users mount the host's cgroupfs into a container or use lxcfs to provide a resource view for the container, there may be a risk of container escape in both scenarios. Attackers could manipulate cgroupfs from within the container to achieve container escape.

This rule can also be used to defend against CVE-2022-0492 vulnerability exploitation.

Principle & Impact

AppArmor Enforcer prevents writing to:

  • /\*\*/release_agent
  • /\*\*/devices/device.allow
  • /\*\*/devices/\*\*/device.allow
  • /\*\*/devices/cgroup.procs
  • /\*\*/devices/\*\*/cgroup.procs
  • /\*\*/devices/task
  • /\*\*/devices/\*\*/task

BPF Enforcer prevents writing to:

  • /\*\*/release_agent
  • /\*\*/devices.allow
  • /\*\*/cgroup.procs
  • /\*\*/devices/tasks
Supported Enforcer
  • AppArmor
  • BPF

runc-override-mitigation

Mitigate the ability to override runc to escape.

Description

The rule is designed to mitigate vulnerabilities such as CVE-2019-5736 that exploit container escape by tampering with the host machine's runc.

Principle & Impact

Disallow writing to /**/runc files.

Supported Enforcer
  • AppArmor
  • BPF

dirty-pipe-mitigation

Mitigate the 'Dirty Pipe' exploit to escape.

Description

The rule is designed to defend against attacks exploiting the CVE-2022-0847 (Dirty Pipe) vulnerability for container escape. You can use this rule to harden container, before upgrading or patching the kernel.

Note: While this rule may cause issues in some software packages, blocking the syscall usually does not have an effect on legitimate applications, since use of this syscall is relatively rare.

Principle & Impact

Disallow calling splice syscall.

Supported Enforcer
  • Seccomp