User can use lxc hooks for privilege escalation on lxd host

[simpoir]

• Distribution: Ubuntu 16.04
• Kernel version: 4.4.0-21-generic
• LXD version: 2.0.0
• Storage backend in use: ZFS

LXD does not filter out or deny user to set lxc pre-start hook in user containers, which could be used to execute code as root on the host, outside the containers. Other hooks either run as subuid or in the contained environment so I see no direct issue with them, but pre-start run as a privileged user and could be used for privilege escalation.

joeuser@desktop:~$ lxc launch images:ubuntu/trusty/amd64 runme -c raw.lxc="lxc.hook.pre-start=sh -c 'echo foo >/runme'"
Creating runme
Starting runme
joeuser@laptop:~$ ls -l /runme 
-rw-r--r-- 1 root root 5 May  7 10:29 /runme

[stgraber]

I thought we had it blocked but apparently had to unblock it for some reason (nova-lxd maybe) and even have a test to make sure it does run...

We may end up blocking it again at some point down the line as we generally don't guarantee anything about raw.lxc.

That being said, I don't think it's a security issue as we consider anyone having access to the LXD API to have full root access anyway.

Basically the following is always possible and will give you similar access:
lxc init ubuntu:16.04 blah -c security.privileged=true
lxc config device add blah root disk source=/ path=/mnt/root recursive=true

At which point you have the whole host mounted in /mnt/root and you have root access against all of it.