Can core_pattern be modified from a privileged CT?

harvie

Active Member
Apr 5, 2017
I've just found this: https://pwning.systems/posts/escaping-containers-for-fun/

They simply set /proc/sys/kernel/core_pattern to execute a user-provided binary in the host context by triggering a coredump inside of a privileged Docker container.
Can this be done with privileged CTs on Proxmox? Or is core_pattern somehow protected by AppArmor or something?
 

fabian

Proxmox Staff Member
Jan 7, 2016
/proc/sys is mounted ro in privileged containers as well (protected by AppArmor). That being said, unprivileged containers do offer more isolation and an additional barrier compared to privileged ones, see "Unprivileged Containers" and "Privileged Containers" in https://pve.proxmox.com/pve-docs/chapter-pct.html#pct_general
 
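Added example, not part of either post and not Proxmox's own tooling: a read-only check an administrator can run inside a CT to confirm the answer above, by finding the mount that governs /proc/sys/kernel/core_pattern and reporting whether it is `ro`. The function names and the two sample mount tables are constructed for illustration.

```sh
#!/bin/sh
# Added example: report whether the mount governing a path is read-only.

# mount_state MOUNTS_FILE PATH -> prints ro, rw, or unknown
mount_state() {
    best="" state=unknown
    while read -r _dev mnt _type opts _rest; do
        case "$2" in
            "$mnt"|"$mnt"/*) ;;                  # path is at or below this mount point
            *) [ "$mnt" = "/" ] || continue ;;   # the root mount covers everything
        esac
        # Longest mount point wins; on a tie the later entry is the one on top.
        if [ "${#mnt}" -ge "${#best}" ]; then
            best=$mnt
            case ",$opts," in
                *,ro,*) state=ro ;;
                *)      state=rw ;;
            esac
        fi
    done < "$1"
    echo "$state"
}

# sample_mounts KIND -> constructed /proc/mounts content (not captured from a real host)
sample_mounts() {
    echo "rootfs / ext4 rw,relatime 0 0"
    echo "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0"
    if [ "$1" = protected ]; then
        echo "proc /proc/sys proc ro,relatime 0 0"
        echo "proc /proc/sys/net proc rw,nosuid,nodev,noexec,relatime 0 0"
    fi
    echo "sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0"
}

target=/proc/sys/kernel/core_pattern
tmp=$(mktemp)
for kind in protected exposed; do
    sample_mounts "$kind" > "$tmp"
    echo "$kind sample: $target is on a $(mount_state "$tmp" "$target") mount"
done
rm -f "$tmp"

# Inside a real container, evaluate the live mount table the same way.
if [ -r /proc/self/mounts ]; then
    echo "live: $target is on a $(mount_state /proc/self/mounts "$target") mount"
fi
```

This reports the mount flag only; it does not evaluate the AppArmor profile mentioned in the answer.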
