[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] CVE-2021-30465: runc <1.0.0-rc95 vulnerable to symlink-exchange attack
From: Aleksa Sarai <cyphar () cyphar ! com>
Date: 2021-05-19 10:00:33
Message-ID: 20210519100013.7qu6n5xtqwezmq4e () yavin
[Download RAW message or body]
[Attachment #2 (multipart/mixed)]
This vulnerability was made public on 2021-05-19 10:00:00 UTC.
[ Summary ]
runc 1.0.0-rc94 and earlier are vulnerable to a symlink exchange attack whereby
an attacker can request a seemingly-innocuous container configuration that
actually results in the host filesystem being bind-mounted into the container
(allowing for a container escape). CVE-2021-30465 has been assigned for this
issue.
An attacker must have the ability to start containers using some kind of custom
volume configuration, and while recommended container hardening mechanisms such
as LSMs (AppArmor/SELinux) and user namespaces will restrict the amount of
damage an attacker could do, they do not block this attack outright. We have a
reproducer using Kubernetes (and the below description mentions
Kubernetes-specific paths), but this is not a Kubernetes-specific issue.
The now-released runc v1.0.0-rc95[1] contains a fix for this issue, we
recommend users update as soon as possible. I have also attached the standalone
patch. If you have any questions please direct them to the public runc
bug-tracker or <security@opencontainers.org> if they are security-critical.
[ Details ]
In circumstances where a container is being started, and runc is mounting
inside a volume shared with another container (which is conducting a
symlink-exchange attack), runc can be tricked into mounting outside of the
container rootfs by swapping the target of a mount with a symlink due to a
time-of-check-to-time-of-use (TOCTTOU) flaw. This is fairly similar in style to
previous TOCTTOU attacks (and is a problem we are working on solving with
libpathrs[2]).
However, this alone is not useful because this happens inside a mount namespace
with `MS_SLAVE` propagation applied to `/` (meaning that the mount doesn't
appear on the host -- it's only a "host-side mount" inside the container's
namespace). To exploit this, you must have additional mount entries in the
configuration that use some subpath of the mounted-over host path as a source
for a subsequent mount.
However, it turns out with some container orchestrators (such as Kubernetes --
though it is very likely that other downstream users of runc could have similar
behaviour be accessible to untrusted users), the existence of additional volume
management infrastructure allows this attack to be applied to gain access to
the host filesystem without requiring the attacker to have completely arbitrary
control over container configuration.
In the case of Kubernetes, this is exploitable by creating a symlink in a
volume to the top-level (well-known) directory where volumes are sourced from
(for instance,
`/var/lib/kubelet/pods/$MY_POD_UID/volumes/kubernetes.io~empty-dir`), and then
using that symlink as the target of a mount. The source of the mount is an
attacker controlled directory, and thus the source directory from which
subsequent mounts will occur is an attacker-controlled directory. Thus the
attacker can first place a symlink to `/` in their malicious source directory
with the name of a volume, and a subsequent mount in the container will
bind-mount `/` into the container.
Applying this attack requires the attacker to start containers with a slightly
peculiar volume configuration (though not explicitly malicious-looking such as
bind-mounting `/` into the container explicitly), and be able to run malicious
code in a container that shares volumes with said volume configuration. It
helps the attacker if the host paths used for volume management are well known,
though this is not a hard requirement.
[ Patches ]
I have attached the upstream patch (CVE-2021-30465.patch), a patch which
applies cleanly on 1.0.0-rc94 (rc94-*.patch) and a patchset which applies on
rc93 (rc93-*.patch). But for obvious reasons we highly recommend just updating
to runc 1.0.0-rc95.
[ Workarounds ]
There are no known workarounds for this issue.
However, users who enforce running containers with more confined security
profiles (such as reduced capabilities, not running code as root in the
container, user namespaces, AppArmor/SELinux, and seccomp) will restrict what
an attacker can do in the case of a container breakout -- we recommend users
make use of strict security profiles if possible (most notably user namespaces
-- which can massively restrict the impact a container breakout can have on the
host system).
[ Credit ]
Thanks to Etienne Champetier for discovering and disclosing this vulnerability,
to Noah Meyerhans for writing the first draft of this patch, and to Samuel Karp
for testing it.
[ References ]
The GitHub security advisory for this vulnerability has been posted[3].
[1]: https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc95
[2]: https://github.com/openSUSE/libpathrs
[3]: https://github.com/opencontainers/runc/security/advisories/GHSA-c3xm-pvg7-gh7r
--
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>
["CVE-2021-30465.patch" (text/x-patch)]
From 0ca91f44f1664da834bc61115a849b56d22f595f Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <cyphar@cyphar.com>
Date: Thu, 1 Apr 2021 12:00:31 -0700
Subject: [PATCH] rootfs: add mount destination validation
Because the target of a mount is inside a container (which may be a
volume that is shared with another container), there exists a race
condition where the target of the mount may change to a path containing
a symlink after we have sanitised the path -- resulting in us
inadvertently mounting the path outside of the container.
This is not immediately useful because we are in a mount namespace with
MS_SLAVE mount propagation applied to "/", so we cannot mount on top of
host paths in the host namespace. However, if any subsequent mountpoints
in the configuration use a subdirectory of that host path as a source,
those subsequent mounts will use an attacker-controlled source path
(resolved within the host rootfs) -- allowing the bind-mounting of "/"
into the container.
While arguably configuration issues like this are not entirely within
runc's threat model, within the context of Kubernetes (and possibly
other container managers that provide semi-arbitrary container creation
privileges to untrusted users) this is a legitimate issue. Since we
cannot block mounting from the host into the container, we need to block
the first stage of this attack (mounting onto a path outside the
container).
The long-term plan to solve this would be to migrate to libpathrs, but
as a stop-gap we implement libpathrs-like path verification through
readlink(/proc/self/fd/$n) and then do mount operations through the
procfd once it's been verified to be inside the container. The target
could move after we've checked it, but if it is inside the container
then we can assume that it is safe for the same reason that libpathrs
operations would be safe.
A slight wrinkle is the "copyup" functionality we provide for tmpfs,
which is the only case where we want to do a mount on the host
filesystem. To facilitate this, I split out the copy-up functionality
entirely so that the logic isn't interspersed with the regular tmpfs
logic. In addition, all dependencies on m.Destination being overwritten
have been removed since that pattern was just begging to be a source of
more mount-target bugs (we do still have to modify m.Destination for
tmpfs-copyup but we only do it temporarily).
Fixes: CVE-2021-30465
Reported-by: Etienne Champetier <champetier.etienne@gmail.com>
Co-authored-by: Noah Meyerhans <nmeyerha@amazon.com>
Reviewed-by: Samuel Karp <skarp@amazon.com>
Reviewed-by: Kir Kolyshkin <kolyshkin@gmail.com> (@kolyshkin)
Reviewed-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
---
libcontainer/container_linux.go | 25 +--
libcontainer/rootfs_linux.go | 251 +++++++++++++++----------------
libcontainer/utils/utils.go | 54 +++++++
libcontainer/utils/utils_test.go | 35 +++++
4 files changed, 229 insertions(+), 136 deletions(-)
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index 945a0fa0d577..849bf4a613ce 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -1217,7 +1217,6 @@ func (c *linuxContainer) makeCriuRestoreMountpoints(m *configs.Mount) error {
if err := checkProcMount(c.config.Rootfs, dest, ""); err != nil {
return err
}
- m.Destination = dest
if err := os.MkdirAll(dest, 0755); err != nil {
return err
}
@@ -1257,13 +1256,16 @@ func (c *linuxContainer) prepareCriuRestoreMounts(mounts []*configs.Mount) error
umounts := []string{}
defer func() {
for _, u := range umounts {
- if e := unix.Unmount(u, unix.MNT_DETACH); e != nil {
- if e != unix.EINVAL {
- // Ignore EINVAL as it means 'target is not a mount point.'
- // It probably has already been unmounted.
- logrus.Warnf("Error during cleanup unmounting of %q (%v)", u, e)
+ _ = utils.WithProcfd(c.config.Rootfs, u, func(procfd string) error {
+ if e := unix.Unmount(procfd, unix.MNT_DETACH); e != nil {
+ if e != unix.EINVAL {
+ // Ignore EINVAL as it means 'target is not a mount point.'
+ // It probably has already been unmounted.
+ logrus.Warnf("Error during cleanup unmounting of %s (%s): %v", procfd, u, e)
+ }
}
- }
+ return nil
+ })
}
}()
for _, m := range mounts {
@@ -1281,8 +1283,13 @@ func (c *linuxContainer) prepareCriuRestoreMounts(mounts []*configs.Mount) error
// because during initial container creation mounts are
// set up in the order they are configured.
if m.Device == "bind" {
- if err := unix.Mount(m.Source, m.Destination, "", unix.MS_BIND|unix.MS_REC, ""); err != nil {
- return errorsf.Wrapf(err, "unable to bind mount %q to %q", m.Source, m.Destination)
+ if err := utils.WithProcfd(c.config.Rootfs, m.Destination, func(procfd string) error {
+ if err := unix.Mount(m.Source, procfd, "", unix.MS_BIND|unix.MS_REC, ""); err != nil {
+ return errorsf.Wrapf(err, "unable to bind mount %q to %q (through %q)", m.Source, m.Destination, procfd)
+ }
+ return nil
+ }); err != nil {
+ return err
}
umounts = append(umounts, m.Destination)
}
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
index 1d8a5a036017..d9c5146dddd1 100644
--- a/libcontainer/rootfs_linux.go
+++ b/libcontainer/rootfs_linux.go
@@ -25,6 +25,7 @@ import (
libcontainerUtils "github.com/opencontainers/runc/libcontainer/utils"
"github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/selinux/go-selinux/label"
+ "github.com/sirupsen/logrus"
"golang.org/x/sys/unix"
)
@@ -228,8 +229,6 @@ func prepareBindMount(m *configs.Mount, rootfs string) error {
if err := checkProcMount(rootfs, dest, m.Source); err != nil {
return err
}
- // update the mount with the correct dest after symlinks are resolved.
- m.Destination = dest
if err := createIfNotExists(dest, stat.IsDir()); err != nil {
return err
}
@@ -266,18 +265,21 @@ func mountCgroupV1(m *configs.Mount, c *mountConfig) error {
if err := os.MkdirAll(subsystemPath, 0755); err != nil {
return err
}
- flags := defaultMountFlags
- if m.Flags&unix.MS_RDONLY != 0 {
- flags = flags | unix.MS_RDONLY
- }
- cgroupmount := &configs.Mount{
- Source: "cgroup",
- Device: "cgroup", // this is actually fstype
- Destination: subsystemPath,
- Flags: flags,
- Data: filepath.Base(subsystemPath),
- }
- if err := mountNewCgroup(cgroupmount); err != nil {
+ if err := utils.WithProcfd(c.root, b.Destination, func(procfd string) error {
+ flags := defaultMountFlags
+ if m.Flags&unix.MS_RDONLY != 0 {
+ flags = flags | unix.MS_RDONLY
+ }
+ var (
+ source = "cgroup"
+ data = filepath.Base(subsystemPath)
+ )
+ if data == "systemd" {
+ data = cgroups.CgroupNamePrefix + data
+ source = "systemd"
+ }
+ return unix.Mount(source, procfd, "cgroup", uintptr(flags), data)
+ }); err != nil {
return err
}
} else {
@@ -307,33 +309,79 @@ func mountCgroupV2(m *configs.Mount, c *mountConfig) error {
if err := os.MkdirAll(dest, 0755); err != nil {
return err
}
- if err := unix.Mount(m.Source, dest, "cgroup2", uintptr(m.Flags), m.Data); err != nil {
- // when we are in UserNS but CgroupNS is not unshared, we cannot mount cgroup2 (#2158)
- if err == unix.EPERM || err == unix.EBUSY {
- src := fs2.UnifiedMountpoint
- if c.cgroupns && c.cgroup2Path != "" {
- // Emulate cgroupns by bind-mounting
- // the container cgroup path rather than
- // the whole /sys/fs/cgroup.
- src = c.cgroup2Path
- }
- err = unix.Mount(src, dest, "", uintptr(m.Flags)|unix.MS_BIND, "")
- if err == unix.ENOENT && c.rootlessCgroups {
- err = nil
+ return utils.WithProcfd(c.root, m.Destination, func(procfd string) error {
+ if err := unix.Mount(m.Source, procfd, "cgroup2", uintptr(m.Flags), m.Data); err != nil {
+ // when we are in UserNS but CgroupNS is not unshared, we cannot mount cgroup2 (#2158)
+ if err == unix.EPERM || err == unix.EBUSY {
+ src := fs2.UnifiedMountpoint
+ if c.cgroupns && c.cgroup2Path != "" {
+ // Emulate cgroupns by bind-mounting
+ // the container cgroup path rather than
+ // the whole /sys/fs/cgroup.
+ src = c.cgroup2Path
+ }
+ err = unix.Mount(src, procfd, "", uintptr(m.Flags)|unix.MS_BIND, "")
+ if err == unix.ENOENT && c.rootlessCgroups {
+ err = nil
+ }
}
return err
}
+ return nil
+ })
+}
+
+func doTmpfsCopyUp(m *configs.Mount, rootfs, mountLabel string) (Err error) {
+ // Set up a scratch dir for the tmpfs on the host.
+ tmpdir, err := prepareTmp("/tmp")
+ if err != nil {
+ return newSystemErrorWithCause(err, "tmpcopyup: failed to setup tmpdir")
+ }
+ defer cleanupTmp(tmpdir)
+ tmpDir, err := ioutil.TempDir(tmpdir, "runctmpdir")
+ if err != nil {
+ return newSystemErrorWithCause(err, "tmpcopyup: failed to create tmpdir")
+ }
+ defer os.RemoveAll(tmpDir)
+
+ // Configure the *host* tmpdir as if it's the container mount. We change
+ // m.Destination since we are going to mount *on the host*.
+ oldDest := m.Destination
+ m.Destination = tmpDir
+ err = mountPropagate(m, "/", mountLabel)
+ m.Destination = oldDest
+ if err != nil {
return err
}
- return nil
+ defer func() {
+ if Err != nil {
+ if err := unix.Unmount(tmpDir, unix.MNT_DETACH); err != nil {
+ logrus.Warnf("tmpcopyup: failed to unmount tmpdir on error: %v", err)
+ }
+ }
+ }()
+
+ return utils.WithProcfd(rootfs, m.Destination, func(procfd string) (Err error) {
+ // Copy the container data to the host tmpdir. We append "/" to force
+ // CopyDirectory to resolve the symlink rather than trying to copy the
+ // symlink itself.
+ if err := fileutils.CopyDirectory(procfd+"/", tmpDir); err != nil {
+ return fmt.Errorf("tmpcopyup: failed to copy %s to %s (%s): %w", m.Destination, procfd, tmpDir, err)
+ }
+ // Now move the mount into the container.
+ if err := unix.Mount(tmpDir, procfd, "", unix.MS_MOVE, ""); err != nil {
+ return fmt.Errorf("tmpcopyup: failed to move mount %s to %s (%s): %w", tmpDir, procfd, m.Destination, err)
+ }
+ return nil
+ })
}
func mountToRootfs(m *configs.Mount, c *mountConfig) error {
rootfs := c.root
mountLabel := c.label
- dest := m.Destination
- if !strings.HasPrefix(dest, rootfs) {
- dest = filepath.Join(rootfs, dest)
+ dest, err := securejoin.SecureJoin(rootfs, m.Destination)
+ if err != nil {
+ return err
}
switch m.Device {
@@ -364,53 +412,21 @@ func mountToRootfs(m *configs.Mount, c *mountConfig) error {
}
return label.SetFileLabel(dest, mountLabel)
case "tmpfs":
- copyUp := m.Extensions&configs.EXT_COPYUP == configs.EXT_COPYUP
- tmpDir := ""
- // dest might be an absolute symlink, so it needs
- // to be resolved under rootfs.
- dest, err := securejoin.SecureJoin(rootfs, m.Destination)
- if err != nil {
- return err
- }
- m.Destination = dest
stat, err := os.Stat(dest)
if err != nil {
if err := os.MkdirAll(dest, 0755); err != nil {
return err
}
}
- if copyUp {
- tmpdir, err := prepareTmp("/tmp")
- if err != nil {
- return newSystemErrorWithCause(err, "tmpcopyup: failed to setup tmpdir")
- }
- defer cleanupTmp(tmpdir)
- tmpDir, err = ioutil.TempDir(tmpdir, "runctmpdir")
- if err != nil {
- return newSystemErrorWithCause(err, "tmpcopyup: failed to create tmpdir")
- }
- defer os.RemoveAll(tmpDir)
- m.Destination = tmpDir
+
+ if m.Extensions&configs.EXT_COPYUP == configs.EXT_COPYUP {
+ err = doTmpfsCopyUp(m, rootfs, mountLabel)
+ } else {
+ err = mountPropagate(m, rootfs, mountLabel)
}
- if err := mountPropagate(m, rootfs, mountLabel); err != nil {
+ if err != nil {
return err
}
- if copyUp {
- if err := fileutils.CopyDirectory(dest, tmpDir); err != nil {
- errMsg := fmt.Errorf("tmpcopyup: failed to copy %s to %s: %v", dest, tmpDir, err)
- if err1 := unix.Unmount(tmpDir, unix.MNT_DETACH); err1 != nil {
- return newSystemErrorWithCausef(err1, "tmpcopyup: %v: failed to unmount", errMsg)
- }
- return errMsg
- }
- if err := unix.Mount(tmpDir, dest, "", unix.MS_MOVE, ""); err != nil {
- errMsg := fmt.Errorf("tmpcopyup: failed to move mount %s to %s: %v", tmpDir, dest, err)
- if err1 := unix.Unmount(tmpDir, unix.MNT_DETACH); err1 != nil {
- return newSystemErrorWithCausef(err1, "tmpcopyup: %v: failed to unmount", errMsg)
- }
- return errMsg
- }
- }
if stat != nil {
if err = os.Chmod(dest, stat.Mode()); err != nil {
return err
@@ -454,19 +470,9 @@ func mountToRootfs(m *configs.Mount, c *mountConfig) error {
}
return mountCgroupV1(m, c)
default:
- // ensure that the destination of the mount is resolved of symlinks at mount time because
- // any previous mounts can invalidate the next mount's destination.
- // this can happen when a user specifies mounts within other mounts to cause breakouts or other
- // evil stuff to try to escape the container's rootfs.
- var err error
- if dest, err = securejoin.SecureJoin(rootfs, m.Destination); err != nil {
- return err
- }
if err := checkProcMount(rootfs, dest, m.Source); err != nil {
return err
}
- // update the mount with the correct dest after symlinks are resolved.
- m.Destination = dest
if err := os.MkdirAll(dest, 0755); err != nil {
return err
}
@@ -649,7 +655,7 @@ func createDevices(config *configs.Config) error {
return nil
}
-func bindMountDeviceNode(dest string, node *devices.Device) error {
+func bindMountDeviceNode(rootfs, dest string, node *devices.Device) error {
f, err := os.Create(dest)
if err != nil && !os.IsExist(err) {
return err
@@ -657,7 +663,9 @@ func bindMountDeviceNode(dest string, node *devices.Device) error {
if f != nil {
f.Close()
}
- return unix.Mount(node.Path, dest, "bind", unix.MS_BIND, "")
+ return utils.WithProcfd(rootfs, dest, func(procfd string) error {
+ return unix.Mount(node.Path, procfd, "bind", unix.MS_BIND, "")
+ })
}
// Creates the device node in the rootfs of the container.
@@ -666,18 +674,21 @@ func createDeviceNode(rootfs string, node *devices.Device, bind bool) error {
// The node only exists for cgroup reasons, ignore it here.
return nil
}
- dest := filepath.Join(rootfs, node.Path)
+ dest, err := securejoin.SecureJoin(rootfs, node.Path)
+ if err != nil {
+ return err
+ }
if err := os.MkdirAll(filepath.Dir(dest), 0755); err != nil {
return err
}
if bind {
- return bindMountDeviceNode(dest, node)
+ return bindMountDeviceNode(rootfs, dest, node)
}
if err := mknodDevice(dest, node); err != nil {
if os.IsExist(err) {
return nil
} else if os.IsPermission(err) {
- return bindMountDeviceNode(dest, node)
+ return bindMountDeviceNode(rootfs, dest, node)
}
return err
}
@@ -1024,61 +1035,47 @@ func writeSystemProperty(key, value string) error {
}
func remount(m *configs.Mount, rootfs string) error {
- var (
- dest = m.Destination
- )
- if !strings.HasPrefix(dest, rootfs) {
- dest = filepath.Join(rootfs, dest)
- }
- return unix.Mount(m.Source, dest, m.Device, uintptr(m.Flags|unix.MS_REMOUNT), "")
+ return utils.WithProcfd(rootfs, m.Destination, func(procfd string) error {
+ return unix.Mount(m.Source, procfd, m.Device, uintptr(m.Flags|unix.MS_REMOUNT), "")
+ })
}
// Do the mount operation followed by additional mounts required to take care
-// of propagation flags.
+// of propagation flags. This will always be scoped inside the container rootfs.
func mountPropagate(m *configs.Mount, rootfs string, mountLabel string) error {
var (
- dest = m.Destination
data = label.FormatMountLabel(m.Data, mountLabel)
flags = m.Flags
)
- if libcontainerUtils.CleanPath(dest) == "/dev" {
- flags &= ^unix.MS_RDONLY
- }
-
- // Mount it rw to allow chmod operation. A remount will be performed
- // later to make it ro if set.
- if m.Device == "tmpfs" {
+ // Delay mounting the filesystem read-only if we need to do further
+ // operations on it. We need to set up files in "/dev" and tmpfs mounts may
+ // need to be chmod-ed after mounting. The mount will be remounted ro later
+ // in finalizeRootfs() if necessary.
+ if libcontainerUtils.CleanPath(m.Destination) == "/dev" || m.Device == "tmpfs" {
flags &= ^unix.MS_RDONLY
}
- copyUp := m.Extensions&configs.EXT_COPYUP == configs.EXT_COPYUP
- if !(copyUp || strings.HasPrefix(dest, rootfs)) {
- dest = filepath.Join(rootfs, dest)
- }
-
- if err := unix.Mount(m.Source, dest, m.Device, uintptr(flags), data); err != nil {
- return err
- }
-
- for _, pflag := range m.PropagationFlags {
- if err := unix.Mount("", dest, "", uintptr(pflag), ""); err != nil {
- return err
+ // Because the destination is inside a container path which might be
+ // mutating underneath us, we verify that we are actually going to mount
+ // inside the container with WithProcfd() -- mounting through a procfd
+ // mounts on the target.
+ if err := utils.WithProcfd(rootfs, m.Destination, func(procfd string) error {
+ return unix.Mount(m.Source, procfd, m.Device, uintptr(flags), data)
+ }); err != nil {
+ return fmt.Errorf("mount through procfd: %w", err)
+ }
+ // We have to apply mount propagation flags in a separate WithProcfd() call
+ // because the previous call invalidates the passed procfd -- the mount
+ // target needs to be re-opened.
+ if err := utils.WithProcfd(rootfs, m.Destination, func(procfd string) error {
+ for _, pflag := range m.PropagationFlags {
+ if err := unix.Mount("", procfd, "", uintptr(pflag), ""); err != nil {
+ return err
+ }
}
- }
- return nil
-}
-
-func mountNewCgroup(m *configs.Mount) error {
- var (
- data = m.Data
- source = m.Source
- )
- if data == "systemd" {
- data = cgroups.CgroupNamePrefix + data
- source = "systemd"
- }
- if err := unix.Mount(source, m.Destination, m.Device, uintptr(m.Flags), data); err != nil {
- return err
+ return nil
+ }); err != nil {
+ return fmt.Errorf("change mount propagation through procfd: %w", err)
}
return nil
}
diff --git a/libcontainer/utils/utils.go b/libcontainer/utils/utils.go
index 1b72b7a1c1ba..cd78f23e1bd0 100644
--- a/libcontainer/utils/utils.go
+++ b/libcontainer/utils/utils.go
@@ -3,12 +3,15 @@ package utils
import (
"encoding/binary"
"encoding/json"
+ "fmt"
"io"
"os"
"path/filepath"
+ "strconv"
"strings"
"unsafe"
+ "github.com/cyphar/filepath-securejoin"
"golang.org/x/sys/unix"
)
@@ -88,6 +91,57 @@ func CleanPath(path string) string {
return filepath.Clean(path)
}
+// stripRoot returns the passed path, stripping the root path if it was
+// (lexicially) inside it. Note that both passed paths will always be treated
+// as absolute, and the returned path will also always be absolute. In
+// addition, the paths are cleaned before stripping the root.
+func stripRoot(root, path string) string {
+ // Make the paths clean and absolute.
+ root, path = CleanPath("/"+root), CleanPath("/"+path)
+ switch {
+ case path == root:
+ path = "/"
+ case root == "/":
+ // do nothing
+ case strings.HasPrefix(path, root+"/"):
+ path = strings.TrimPrefix(path, root+"/")
+ }
+ return CleanPath("/" + path)
+}
+
+// WithProcfd runs the passed closure with a procfd path (/proc/self/fd/...)
+// corresponding to the unsafePath resolved within the root. Before passing the
+// fd, this path is verified to have been inside the root -- so operating on it
+// through the passed fdpath should be safe. Do not access this path through
+// the original path strings, and do not attempt to use the pathname outside of
+// the passed closure (the file handle will be freed once the closure returns).
+func WithProcfd(root, unsafePath string, fn func(procfd string) error) error {
+ // Remove the root then forcefully resolve inside the root.
+ unsafePath = stripRoot(root, unsafePath)
+ path, err := securejoin.SecureJoin(root, unsafePath)
+ if err != nil {
+ return fmt.Errorf("resolving path inside rootfs failed: %v", err)
+ }
+
+ // Open the target path.
+ fh, err := os.OpenFile(path, unix.O_PATH|unix.O_CLOEXEC, 0)
+ if err != nil {
+ return fmt.Errorf("open o_path procfd: %w", err)
+ }
+ defer fh.Close()
+
+ // Double-check the path is the one we expected.
+ procfd := "/proc/self/fd/" + strconv.Itoa(int(fh.Fd()))
+ if realpath, err := os.Readlink(procfd); err != nil {
+ return fmt.Errorf("procfd verification failed: %w", err)
+ } else if realpath != path {
+ return fmt.Errorf("possibly malicious path detected -- refusing to operate on %s", realpath)
+ }
+
+ // Run the closure.
+ return fn(procfd)
+}
+
// SearchLabels searches a list of key-value pairs for the provided key and
// returns the corresponding value. The pairs must be separated with '='.
func SearchLabels(labels []string, query string) string {
diff --git a/libcontainer/utils/utils_test.go b/libcontainer/utils/utils_test.go
index 7f38ed169a6b..d33662238d36 100644
--- a/libcontainer/utils/utils_test.go
+++ b/libcontainer/utils/utils_test.go
@@ -143,3 +143,38 @@ func TestCleanPath(t *testing.T) {
t.Errorf("expected to receive '/foo' and received %s", path)
}
}
+
+func TestStripRoot(t *testing.T) {
+ for _, test := range []struct {
+ root, path, out string
+ }{
+ // Works with multiple components.
+ {"/a/b", "/a/b/c", "/c"},
+ {"/hello/world", "/hello/world/the/quick-brown/fox", "/the/quick-brown/fox"},
+ // '/' must be a no-op.
+ {"/", "/a/b/c", "/a/b/c"},
+ // Must be the correct order.
+ {"/a/b", "/a/c/b", "/a/c/b"},
+ // Must be at start.
+ {"/abc/def", "/foo/abc/def/bar", "/foo/abc/def/bar"},
+ // Must be a lexical parent.
+ {"/foo/bar", "/foo/barSAMECOMPONENT", "/foo/barSAMECOMPONENT"},
+ // Must only strip the root once.
+ {"/foo/bar", "/foo/bar/foo/bar/baz", "/foo/bar/baz"},
+ // Deal with .. in a fairly sane way.
+ {"/foo/bar", "/foo/bar/../baz", "/foo/baz"},
+ {"/foo/bar", "../../../../../../foo/bar/baz", "/baz"},
+ {"/foo/bar", "/../../../../../../foo/bar/baz", "/baz"},
+ {"/foo/bar/../baz", "/foo/baz/bar", "/bar"},
+ {"/foo/bar/../baz", "/foo/baz/../bar/../baz/./foo", "/foo"},
+ // All paths are made absolute before stripping.
+ {"foo/bar", "/foo/bar/baz/bee", "/baz/bee"},
+ {"/foo/bar", "foo/bar/baz/beef", "/baz/beef"},
+ {"foo/bar", "foo/bar/baz/beets", "/baz/beets"},
+ } {
+ got := stripRoot(test.root, test.path)
+ if got != test.out {
+ t.Errorf("stripRoot(%q, %q) -- got %q, expected %q", test.root, test.path, got, test.out)
+ }
+ }
+}
--
2.31.1
["rc94-CVE-2021-30465.patch" (text/x-patch)]
From 7aa8c630d3a5605456873c4125178d8fbffc8bf5 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <cyphar@cyphar.com>
Date: Thu, 1 Apr 2021 12:00:31 -0700
Subject: [PATCH] rootfs: add mount destination validation
Because the target of a mount is inside a container (which may be a
volume that is shared with another container), there exists a race
condition where the target of the mount may change to a path containing
a symlink after we have sanitised the path -- resulting in us
inadvertently mounting the path outside of the container.
This is not immediately useful because we are in a mount namespace with
MS_SLAVE mount propagation applied to "/", so we cannot mount on top of
host paths in the host namespace. However, if any subsequent mountpoints
in the configuration use a subdirectory of that host path as a source,
those subsequent mounts will use an attacker-controlled source path
(resolved within the host rootfs) -- allowing the bind-mounting of "/"
into the container.
While arguably configuration issues like this are not entirely within
runc's threat model, within the context of Kubernetes (and possibly
other container managers that provide semi-arbitrary container creation
privileges to untrusted users) this is a legitimate issue. Since we
cannot block mounting from the host into the container, we need to block
the first stage of this attack (mounting onto a path outside the
container).
The long-term plan to solve this would be to migrate to libpathrs, but
as a stop-gap we implement libpathrs-like path verification through
readlink(/proc/self/fd/$n) and then do mount operations through the
procfd once it's been verified to be inside the container. The target
could move after we've checked it, but if it is inside the container
then we can assume that it is safe for the same reason that libpathrs
operations would be safe.
A slight wrinkle is the "copyup" functionality we provide for tmpfs,
which is the only case where we want to do a mount on the host
filesystem. To facilitate this, I split out the copy-up functionality
entirely so that the logic isn't interspersed with the regular tmpfs
logic. In addition, all dependencies on m.Destination being overwritten
have been removed since that pattern was just begging to be a source of
more mount-target bugs (we do still have to modify m.Destination for
tmpfs-copyup but we only do it temporarily).
Fixes: CVE-2021-30465
Reported-by: Etienne Champetier <champetier.etienne@gmail.com>
Co-authored-by: Noah Meyerhans <nmeyerha@amazon.com>
Reviewed-by: Samuel Karp <skarp@amazon.com>
Reviewed-by: Kir Kolyshkin <kolyshkin@gmail.com> (@kolyshkin)
Reviewed-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
---
libcontainer/container_linux.go | 25 +--
libcontainer/rootfs_linux.go | 251 +++++++++++++++----------------
libcontainer/utils/utils.go | 54 +++++++
libcontainer/utils/utils_test.go | 35 +++++
4 files changed, 229 insertions(+), 136 deletions(-)
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index 945a0fa0d577..849bf4a613ce 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -1217,7 +1217,6 @@ func (c *linuxContainer) makeCriuRestoreMountpoints(m *configs.Mount) error {
if err := checkProcMount(c.config.Rootfs, dest, ""); err != nil {
return err
}
- m.Destination = dest
if err := os.MkdirAll(dest, 0755); err != nil {
return err
}
@@ -1257,13 +1256,16 @@ func (c *linuxContainer) prepareCriuRestoreMounts(mounts []*configs.Mount) error
umounts := []string{}
defer func() {
for _, u := range umounts {
- if e := unix.Unmount(u, unix.MNT_DETACH); e != nil {
- if e != unix.EINVAL {
- // Ignore EINVAL as it means 'target is not a mount point.'
- // It probably has already been unmounted.
- logrus.Warnf("Error during cleanup unmounting of %q (%v)", u, e)
+ _ = utils.WithProcfd(c.config.Rootfs, u, func(procfd string) error {
+ if e := unix.Unmount(procfd, unix.MNT_DETACH); e != nil {
+ if e != unix.EINVAL {
+ // Ignore EINVAL as it means 'target is not a mount point.'
+ // It probably has already been unmounted.
+ logrus.Warnf("Error during cleanup unmounting of %s (%s): %v", procfd, u, e)
+ }
}
- }
+ return nil
+ })
}
}()
for _, m := range mounts {
@@ -1281,8 +1283,13 @@ func (c *linuxContainer) prepareCriuRestoreMounts(mounts []*configs.Mount) error
// because during initial container creation mounts are
// set up in the order they are configured.
if m.Device == "bind" {
- if err := unix.Mount(m.Source, m.Destination, "", unix.MS_BIND|unix.MS_REC, ""); err != nil {
- return errorsf.Wrapf(err, "unable to bind mount %q to %q", m.Source, m.Destination)
+ if err := utils.WithProcfd(c.config.Rootfs, m.Destination, func(procfd string) error {
+ if err := unix.Mount(m.Source, procfd, "", unix.MS_BIND|unix.MS_REC, ""); err != nil {
+ return errorsf.Wrapf(err, "unable to bind mount %q to %q (through %q)", m.Source, m.Destination, procfd)
+ }
+ return nil
+ }); err != nil {
+ return err
}
umounts = append(umounts, m.Destination)
}
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
index 1d8a5a036017..d9c5146dddd1 100644
--- a/libcontainer/rootfs_linux.go
+++ b/libcontainer/rootfs_linux.go
@@ -25,6 +25,7 @@ import (
libcontainerUtils "github.com/opencontainers/runc/libcontainer/utils"
"github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/selinux/go-selinux/label"
+ "github.com/sirupsen/logrus"
"golang.org/x/sys/unix"
)
@@ -228,8 +229,6 @@ func prepareBindMount(m *configs.Mount, rootfs string) error {
if err := checkProcMount(rootfs, dest, m.Source); err != nil {
return err
}
- // update the mount with the correct dest after symlinks are resolved.
- m.Destination = dest
if err := createIfNotExists(dest, stat.IsDir()); err != nil {
return err
}
@@ -266,18 +265,21 @@ func mountCgroupV1(m *configs.Mount, c *mountConfig) error {
if err := os.MkdirAll(subsystemPath, 0755); err != nil {
return err
}
- flags := defaultMountFlags
- if m.Flags&unix.MS_RDONLY != 0 {
- flags = flags | unix.MS_RDONLY
- }
- cgroupmount := &configs.Mount{
- Source: "cgroup",
- Device: "cgroup", // this is actually fstype
- Destination: subsystemPath,
- Flags: flags,
- Data: filepath.Base(subsystemPath),
- }
- if err := mountNewCgroup(cgroupmount); err != nil {
+ if err := utils.WithProcfd(c.root, b.Destination, func(procfd string) error {
+ flags := defaultMountFlags
+ if m.Flags&unix.MS_RDONLY != 0 {
+ flags = flags | unix.MS_RDONLY
+ }
+ var (
+ source = "cgroup"
+ data = filepath.Base(subsystemPath)
+ )
+ if data == "systemd" {
+ data = cgroups.CgroupNamePrefix + data
+ source = "systemd"
+ }
+ return unix.Mount(source, procfd, "cgroup", uintptr(flags), data)
+ }); err != nil {
return err
}
} else {
@@ -307,33 +309,79 @@ func mountCgroupV2(m *configs.Mount, c *mountConfig) error {
if err := os.MkdirAll(dest, 0755); err != nil {
return err
}
- if err := unix.Mount(m.Source, dest, "cgroup2", uintptr(m.Flags), m.Data); err != nil {
- // when we are in UserNS but CgroupNS is not unshared, we cannot mount cgroup2 (#2158)
- if err == unix.EPERM || err == unix.EBUSY {
- src := fs2.UnifiedMountpoint
- if c.cgroupns && c.cgroup2Path != "" {
- // Emulate cgroupns by bind-mounting
- // the container cgroup path rather than
- // the whole /sys/fs/cgroup.
- src = c.cgroup2Path
- }
- err = unix.Mount(src, dest, "", uintptr(m.Flags)|unix.MS_BIND, "")
- if err == unix.ENOENT && c.rootlessCgroups {
- err = nil
+ return utils.WithProcfd(c.root, m.Destination, func(procfd string) error {
+ if err := unix.Mount(m.Source, procfd, "cgroup2", uintptr(m.Flags), m.Data); err != nil {
+ // when we are in UserNS but CgroupNS is not unshared, we cannot mount cgroup2 (#2158)
+ if err == unix.EPERM || err == unix.EBUSY {
+ src := fs2.UnifiedMountpoint
+ if c.cgroupns && c.cgroup2Path != "" {
+ // Emulate cgroupns by bind-mounting
+ // the container cgroup path rather than
+ // the whole /sys/fs/cgroup.
+ src = c.cgroup2Path
+ }
+ err = unix.Mount(src, procfd, "", uintptr(m.Flags)|unix.MS_BIND, "")
+ if err == unix.ENOENT && c.rootlessCgroups {
+ err = nil
+ }
}
return err
}
+ return nil
+ })
+}
+
+func doTmpfsCopyUp(m *configs.Mount, rootfs, mountLabel string) (Err error) {
+ // Set up a scratch dir for the tmpfs on the host.
+ tmpdir, err := prepareTmp("/tmp")
+ if err != nil {
+ return newSystemErrorWithCause(err, "tmpcopyup: failed to setup tmpdir")
+ }
+ defer cleanupTmp(tmpdir)
+ tmpDir, err := ioutil.TempDir(tmpdir, "runctmpdir")
+ if err != nil {
+ return newSystemErrorWithCause(err, "tmpcopyup: failed to create tmpdir")
+ }
+ defer os.RemoveAll(tmpDir)
+
+ // Configure the *host* tmpdir as if it's the container mount. We change
+ // m.Destination since we are going to mount *on the host*.
+ oldDest := m.Destination
+ m.Destination = tmpDir
+ err = mountPropagate(m, "/", mountLabel)
+ m.Destination = oldDest
+ if err != nil {
return err
}
- return nil
+ defer func() {
+ if Err != nil {
+ if err := unix.Unmount(tmpDir, unix.MNT_DETACH); err != nil {
+ logrus.Warnf("tmpcopyup: failed to unmount tmpdir on error: %v", err)
+ }
+ }
+ }()
+
+ return utils.WithProcfd(rootfs, m.Destination, func(procfd string) (Err error) {
+ // Copy the container data to the host tmpdir. We append "/" to force
+ // CopyDirectory to resolve the symlink rather than trying to copy the
+ // symlink itself.
+ if err := fileutils.CopyDirectory(procfd+"/", tmpDir); err != nil {
+ return fmt.Errorf("tmpcopyup: failed to copy %s to %s (%s): %w", m.Destination, procfd, tmpDir, err)
+ }
+ // Now move the mount into the container.
+ if err := unix.Mount(tmpDir, procfd, "", unix.MS_MOVE, ""); err != nil {
+ return fmt.Errorf("tmpcopyup: failed to move mount %s to %s (%s): %w", tmpDir, procfd, m.Destination, err)
+ }
+ return nil
+ })
}
func mountToRootfs(m *configs.Mount, c *mountConfig) error {
rootfs := c.root
mountLabel := c.label
- dest := m.Destination
- if !strings.HasPrefix(dest, rootfs) {
- dest = filepath.Join(rootfs, dest)
+ dest, err := securejoin.SecureJoin(rootfs, m.Destination)
+ if err != nil {
+ return err
}
switch m.Device {
@@ -364,53 +412,21 @@ func mountToRootfs(m *configs.Mount, c *mountConfig) error {
}
return label.SetFileLabel(dest, mountLabel)
case "tmpfs":
- copyUp := m.Extensions&configs.EXT_COPYUP == configs.EXT_COPYUP
- tmpDir := ""
- // dest might be an absolute symlink, so it needs
- // to be resolved under rootfs.
- dest, err := securejoin.SecureJoin(rootfs, m.Destination)
- if err != nil {
- return err
- }
- m.Destination = dest
stat, err := os.Stat(dest)
if err != nil {
if err := os.MkdirAll(dest, 0755); err != nil {
return err
}
}
- if copyUp {
- tmpdir, err := prepareTmp("/tmp")
- if err != nil {
- return newSystemErrorWithCause(err, "tmpcopyup: failed to setup tmpdir")
- }
- defer cleanupTmp(tmpdir)
- tmpDir, err = ioutil.TempDir(tmpdir, "runctmpdir")
- if err != nil {
- return newSystemErrorWithCause(err, "tmpcopyup: failed to create tmpdir")
- }
- defer os.RemoveAll(tmpDir)
- m.Destination = tmpDir
+
+ if m.Extensions&configs.EXT_COPYUP == configs.EXT_COPYUP {
+ err = doTmpfsCopyUp(m, rootfs, mountLabel)
+ } else {
+ err = mountPropagate(m, rootfs, mountLabel)
}
- if err := mountPropagate(m, rootfs, mountLabel); err != nil {
+ if err != nil {
return err
}
- if copyUp {
- if err := fileutils.CopyDirectory(dest, tmpDir); err != nil {
- errMsg := fmt.Errorf("tmpcopyup: failed to copy %s to %s: %v", dest, tmpDir, err)
- if err1 := unix.Unmount(tmpDir, unix.MNT_DETACH); err1 != nil {
- return newSystemErrorWithCausef(err1, "tmpcopyup: %v: failed to unmount", errMsg)
- }
- return errMsg
- }
- if err := unix.Mount(tmpDir, dest, "", unix.MS_MOVE, ""); err != nil {
- errMsg := fmt.Errorf("tmpcopyup: failed to move mount %s to %s: %v", tmpDir, dest, err)
- if err1 := unix.Unmount(tmpDir, unix.MNT_DETACH); err1 != nil {
- return newSystemErrorWithCausef(err1, "tmpcopyup: %v: failed to unmount", errMsg)
- }
- return errMsg
- }
- }
if stat != nil {
if err = os.Chmod(dest, stat.Mode()); err != nil {
return err
@@ -454,19 +470,9 @@ func mountToRootfs(m *configs.Mount, c *mountConfig) error {
}
return mountCgroupV1(m, c)
default:
- // ensure that the destination of the mount is resolved of symlinks at mount time because
- // any previous mounts can invalidate the next mount's destination.
- // this can happen when a user specifies mounts within other mounts to cause breakouts or other
- // evil stuff to try to escape the container's rootfs.
- var err error
- if dest, err = securejoin.SecureJoin(rootfs, m.Destination); err != nil {
- return err
- }
if err := checkProcMount(rootfs, dest, m.Source); err != nil {
return err
}
- // update the mount with the correct dest after symlinks are resolved.
- m.Destination = dest
if err := os.MkdirAll(dest, 0755); err != nil {
return err
}
@@ -649,7 +655,7 @@ func createDevices(config *configs.Config) error {
return nil
}
-func bindMountDeviceNode(dest string, node *devices.Device) error {
+func bindMountDeviceNode(rootfs, dest string, node *devices.Device) error {
f, err := os.Create(dest)
if err != nil && !os.IsExist(err) {
return err
@@ -657,7 +663,9 @@ func bindMountDeviceNode(dest string, node *devices.Device) error {
if f != nil {
f.Close()
}
- return unix.Mount(node.Path, dest, "bind", unix.MS_BIND, "")
+ return utils.WithProcfd(rootfs, dest, func(procfd string) error {
+ return unix.Mount(node.Path, procfd, "bind", unix.MS_BIND, "")
+ })
}
// Creates the device node in the rootfs of the container.
@@ -666,18 +674,21 @@ func createDeviceNode(rootfs string, node *devices.Device, bind bool) error {
// The node only exists for cgroup reasons, ignore it here.
return nil
}
- dest := filepath.Join(rootfs, node.Path)
+ dest, err := securejoin.SecureJoin(rootfs, node.Path)
+ if err != nil {
+ return err
+ }
if err := os.MkdirAll(filepath.Dir(dest), 0755); err != nil {
return err
}
if bind {
- return bindMountDeviceNode(dest, node)
+ return bindMountDeviceNode(rootfs, dest, node)
}
if err := mknodDevice(dest, node); err != nil {
if os.IsExist(err) {
return nil
} else if os.IsPermission(err) {
- return bindMountDeviceNode(dest, node)
+ return bindMountDeviceNode(rootfs, dest, node)
}
return err
}
@@ -1024,61 +1035,47 @@ func writeSystemProperty(key, value string) error {
}
func remount(m *configs.Mount, rootfs string) error {
- var (
- dest = m.Destination
- )
- if !strings.HasPrefix(dest, rootfs) {
- dest = filepath.Join(rootfs, dest)
- }
- return unix.Mount(m.Source, dest, m.Device, uintptr(m.Flags|unix.MS_REMOUNT), "")
+ return utils.WithProcfd(rootfs, m.Destination, func(procfd string) error {
+ return unix.Mount(m.Source, procfd, m.Device, uintptr(m.Flags|unix.MS_REMOUNT), "")
+ })
}
// Do the mount operation followed by additional mounts required to take care
-// of propagation flags.
+// of propagation flags. This will always be scoped inside the container rootfs.
func mountPropagate(m *configs.Mount, rootfs string, mountLabel string) error {
var (
- dest = m.Destination
data = label.FormatMountLabel(m.Data, mountLabel)
flags = m.Flags
)
- if libcontainerUtils.CleanPath(dest) == "/dev" {
- flags &= ^unix.MS_RDONLY
- }
-
- // Mount it rw to allow chmod operation. A remount will be performed
- // later to make it ro if set.
- if m.Device == "tmpfs" {
+ // Delay mounting the filesystem read-only if we need to do further
+ // operations on it. We need to set up files in "/dev" and tmpfs mounts may
+ // need to be chmod-ed after mounting. The mount will be remounted ro later
+ // in finalizeRootfs() if necessary.
+ if libcontainerUtils.CleanPath(m.Destination) == "/dev" || m.Device == "tmpfs" {
flags &= ^unix.MS_RDONLY
}
- copyUp := m.Extensions&configs.EXT_COPYUP == configs.EXT_COPYUP
- if !(copyUp || strings.HasPrefix(dest, rootfs)) {
- dest = filepath.Join(rootfs, dest)
- }
-
- if err := unix.Mount(m.Source, dest, m.Device, uintptr(flags), data); err != nil {
- return err
- }
-
- for _, pflag := range m.PropagationFlags {
- if err := unix.Mount("", dest, "", uintptr(pflag), ""); err != nil {
- return err
+ // Because the destination is inside a container path which might be
+ // mutating underneath us, we verify that we are actually going to mount
+ // inside the container with WithProcfd() -- mounting through a procfd
+ // mounts on the target.
+ if err := utils.WithProcfd(rootfs, m.Destination, func(procfd string) error {
+ return unix.Mount(m.Source, procfd, m.Device, uintptr(flags), data)
+ }); err != nil {
+ return fmt.Errorf("mount through procfd: %w", err)
+ }
+ // We have to apply mount propagation flags in a separate WithProcfd() call
+ // because the previous call invalidates the passed procfd -- the mount
+ // target needs to be re-opened.
+ if err := utils.WithProcfd(rootfs, m.Destination, func(procfd string) error {
+ for _, pflag := range m.PropagationFlags {
+ if err := unix.Mount("", procfd, "", uintptr(pflag), ""); err != nil {
+ return err
+ }
}
- }
- return nil
-}
-
-func mountNewCgroup(m *configs.Mount) error {
- var (
- data = m.Data
- source = m.Source
- )
- if data == "systemd" {
- data = cgroups.CgroupNamePrefix + data
- source = "systemd"
- }
- if err := unix.Mount(source, m.Destination, m.Device, uintptr(m.Flags), data); err != nil {
- return err
+ return nil
+ }); err != nil {
+ return fmt.Errorf("change mount propagation through procfd: %w", err)
}
return nil
}
diff --git a/libcontainer/utils/utils.go b/libcontainer/utils/utils.go
index 1b72b7a1c1ba..cd78f23e1bd0 100644
--- a/libcontainer/utils/utils.go
+++ b/libcontainer/utils/utils.go
@@ -3,12 +3,15 @@ package utils
import (
"encoding/binary"
"encoding/json"
+ "fmt"
"io"
"os"
"path/filepath"
+ "strconv"
"strings"
"unsafe"
+ "github.com/cyphar/filepath-securejoin"
"golang.org/x/sys/unix"
)
@@ -88,6 +91,57 @@ func CleanPath(path string) string {
return filepath.Clean(path)
}
+// stripRoot returns the passed path, stripping the root path if it was
+// (lexicially) inside it. Note that both passed paths will always be treated
+// as absolute, and the returned path will also always be absolute. In
+// addition, the paths are cleaned before stripping the root.
+func stripRoot(root, path string) string {
+ // Make the paths clean and absolute.
+ root, path = CleanPath("/"+root), CleanPath("/"+path)
+ switch {
+ case path == root:
+ path = "/"
+ case root == "/":
+ // do nothing
+ case strings.HasPrefix(path, root+"/"):
+ path = strings.TrimPrefix(path, root+"/")
+ }
+ return CleanPath("/" + path)
+}
+
+// WithProcfd runs the passed closure with a procfd path (/proc/self/fd/...)
+// corresponding to the unsafePath resolved within the root. Before passing the
+// fd, this path is verified to have been inside the root -- so operating on it
+// through the passed fdpath should be safe. Do not access this path through
+// the original path strings, and do not attempt to use the pathname outside of
+// the passed closure (the file handle will be freed once the closure returns).
+func WithProcfd(root, unsafePath string, fn func(procfd string) error) error {
+ // Remove the root then forcefully resolve inside the root.
+ unsafePath = stripRoot(root, unsafePath)
+ path, err := securejoin.SecureJoin(root, unsafePath)
+ if err != nil {
+ return fmt.Errorf("resolving path inside rootfs failed: %v", err)
+ }
+
+ // Open the target path.
+ fh, err := os.OpenFile(path, unix.O_PATH|unix.O_CLOEXEC, 0)
+ if err != nil {
+ return fmt.Errorf("open o_path procfd: %w", err)
+ }
+ defer fh.Close()
+
+ // Double-check the path is the one we expected.
+ procfd := "/proc/self/fd/" + strconv.Itoa(int(fh.Fd()))
+ if realpath, err := os.Readlink(procfd); err != nil {
+ return fmt.Errorf("procfd verification failed: %w", err)
+ } else if realpath != path {
+ return fmt.Errorf("possibly malicious path detected -- refusing to operate on %s", realpath)
+ }
+
+ // Run the closure.
+ return fn(procfd)
+}
+
// SearchLabels searches a list of key-value pairs for the provided key and
// returns the corresponding value. The pairs must be separated with '='.
func SearchLabels(labels []string, query string) string {
diff --git a/libcontainer/utils/utils_test.go b/libcontainer/utils/utils_test.go
index 7f38ed169a6b..d33662238d36 100644
--- a/libcontainer/utils/utils_test.go
+++ b/libcontainer/utils/utils_test.go
@@ -143,3 +143,38 @@ func TestCleanPath(t *testing.T) {
t.Errorf("expected to receive '/foo' and received %s", path)
}
}
+
+func TestStripRoot(t *testing.T) {
+ for _, test := range []struct {
+ root, path, out string
+ }{
+ // Works with multiple components.
+ {"/a/b", "/a/b/c", "/c"},
+ {"/hello/world", "/hello/world/the/quick-brown/fox", "/the/quick-brown/fox"},
+ // '/' must be a no-op.
+ {"/", "/a/b/c", "/a/b/c"},
+ // Must be the correct order.
+ {"/a/b", "/a/c/b", "/a/c/b"},
+ // Must be at start.
+ {"/abc/def", "/foo/abc/def/bar", "/foo/abc/def/bar"},
+ // Must be a lexical parent.
+ {"/foo/bar", "/foo/barSAMECOMPONENT", "/foo/barSAMECOMPONENT"},
+ // Must only strip the root once.
+ {"/foo/bar", "/foo/bar/foo/bar/baz", "/foo/bar/baz"},
+ // Deal with .. in a fairly sane way.
+ {"/foo/bar", "/foo/bar/../baz", "/foo/baz"},
+ {"/foo/bar", "../../../../../../foo/bar/baz", "/baz"},
+ {"/foo/bar", "/../../../../../../foo/bar/baz", "/baz"},
+ {"/foo/bar/../baz", "/foo/baz/bar", "/bar"},
+ {"/foo/bar/../baz", "/foo/baz/../bar/../baz/./foo", "/foo"},
+ // All paths are made absolute before stripping.
+ {"foo/bar", "/foo/bar/baz/bee", "/baz/bee"},
+ {"/foo/bar", "foo/bar/baz/beef", "/baz/beef"},
+ {"foo/bar", "foo/bar/baz/beets", "/baz/beets"},
+ } {
+ got := stripRoot(test.root, test.path)
+ if got != test.out {
+ t.Errorf("stripRoot(%q, %q) -- got %q, expected %q", test.root, test.path, got, test.out)
+ }
+ }
+}
--
2.31.1
["rc93-0000-cover-letter.patch" (text/x-patch)]
From 14faf1c20948688a48edb9b41367ab07ac11ca91 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <cyphar@cyphar.com>
Date: Wed, 28 Apr 2021 15:44:36 +1000
Subject: [PATCH 0/5] rootfs: add mount destination validation
This is a backport of the fix for CVE-2021-30465 to the v1.0.0-rc93
release. However, because the patch does not apply cleanly it was
necessary to backport the following commits (from [1]):
* deb8a8dd7767 ("libct/newInitConfig: nit")
* 1e476578b6cd ("libct/rootfs: introduce and use mountConfig")
* 3826db196d59 ("libct/rootfs/mountCgroupV2: minor refactor")
* ff692f289b60 ("Fix cgroup2 mount for rootless case")
And the patch itself was modified to remove hardenings for code which
didn't exist in v1.0.0-rc93 (in particular, the mount changes in [2]).
[1]: https://github.com/opencontainers/runc/pull/2818
[2]: https://github.com/opencontainers/runc/pull/2798
Aleksa Sarai (1):
rootfs: add mount destination validation
Kir Kolyshkin (4):
libct/newInitConfig: nit
libct/rootfs: introduce and use mountConfig
libct/rootfs/mountCgroupV2: minor refactor
Fix cgroup2 mount for rootless case
libcontainer/container_linux.go | 11 +-
libcontainer/init_linux.go | 1 +
libcontainer/rootfs_linux.go | 291 +++++++++++++++++--------------
libcontainer/specconv/example.go | 18 +-
libcontainer/utils/utils.go | 54 ++++++
libcontainer/utils/utils_test.go | 35 ++++
6 files changed, 263 insertions(+), 147 deletions(-)
--
2.31.1
["rc93-0001-libct-newInitConfig-nit.patch" (text/x-patch)]
From 28daf0653d324fad545a7031e64b6891f399969b Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin <kolyshkin@gmail.com>
Date: Tue, 23 Feb 2021 17:58:07 -0800
Subject: [PATCH 1/5] libct/newInitConfig: nit
Move the initialization of Console* fields as they are unconditional.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
---
libcontainer/container_linux.go | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index 3dca29e4c3f2..b6100aae9d5a 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -594,6 +594,9 @@ func (c *linuxContainer) newInitConfig(process *Process) *initConfig {
AppArmorProfile: c.config.AppArmorProfile,
ProcessLabel: c.config.ProcessLabel,
Rlimits: c.config.Rlimits,
+ CreateConsole: process.ConsoleSocket != nil,
+ ConsoleWidth: process.ConsoleWidth,
+ ConsoleHeight: process.ConsoleHeight,
}
if process.NoNewPrivileges != nil {
cfg.NoNewPrivileges = *process.NoNewPrivileges
@@ -607,9 +610,7 @@ func (c *linuxContainer) newInitConfig(process *Process) *initConfig {
if len(process.Rlimits) > 0 {
cfg.Rlimits = process.Rlimits
}
- cfg.CreateConsole = process.ConsoleSocket != nil
- cfg.ConsoleWidth = process.ConsoleWidth
- cfg.ConsoleHeight = process.ConsoleHeight
+
return cfg
}
--
2.31.1
["rc93-0002-libct-rootfs-introduce-and-use-mountConfig.patch" (text/x-patch)]
From 46ec7b5a94d370c4963ca361e9d96cb78d75d118 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin <kolyshkin@gmail.com>
Date: Tue, 23 Feb 2021 18:14:37 -0800
Subject: [PATCH 2/5] libct/rootfs: introduce and use mountConfig
The code is already passing three parameters around from
mountToRootfs to mountCgroupV* to mountToRootfs again.
I am about to add another parameter, so let's introduce and
use struct mountConfig to pass around.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
---
libcontainer/rootfs_linux.go | 42 ++++++++++++++++++++++--------------
1 file changed, 26 insertions(+), 16 deletions(-)
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
index 411496ab7c6d..a384abb7e8a5 100644
--- a/libcontainer/rootfs_linux.go
+++ b/libcontainer/rootfs_linux.go
@@ -29,6 +29,12 @@ import (
const defaultMountFlags = unix.MS_NOEXEC | unix.MS_NOSUID | unix.MS_NODEV
+type mountConfig struct {
+ root string
+ label string
+ cgroupns bool
+}
+
// needsSetupDev returns true if /dev needs to be set up.
func needsSetupDev(config *configs.Config) bool {
for _, m := range config.Mounts {
@@ -48,7 +54,11 @@ func prepareRootfs(pipe io.ReadWriter, iConfig *initConfig) (err error) {
return newSystemErrorWithCause(err, "preparing rootfs")
}
- hasCgroupns := config.Namespaces.Contains(configs.NEWCGROUP)
+ mountConfig := &mountConfig{
+ root: config.Rootfs,
+ label: config.MountLabel,
+ cgroupns: config.Namespaces.Contains(configs.NEWCGROUP),
+ }
setupDev := needsSetupDev(config)
for _, m := range config.Mounts {
for _, precmd := range m.PremountCmds {
@@ -56,7 +66,7 @@ func prepareRootfs(pipe io.ReadWriter, iConfig *initConfig) (err error) {
return newSystemErrorWithCause(err, "running premount command")
}
}
- if err := mountToRootfs(m, config.Rootfs, config.MountLabel, hasCgroupns); err != nil {
+ if err := mountToRootfs(m, mountConfig); err != nil {
return newSystemErrorWithCausef(err, "mounting %q to rootfs at %q", m.Source, m.Destination)
}
@@ -222,7 +232,7 @@ func prepareBindMount(m *configs.Mount, rootfs string) error {
return nil
}
-func mountCgroupV1(m *configs.Mount, rootfs, mountLabel string, enableCgroupns bool) error {
+func mountCgroupV1(m *configs.Mount, c *mountConfig) error {
binds, err := getCgroupMounts(m)
if err != nil {
return err
@@ -242,12 +252,12 @@ func mountCgroupV1(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b
Data: "mode=755",
PropagationFlags: m.PropagationFlags,
}
- if err := mountToRootfs(tmpfs, rootfs, mountLabel, enableCgroupns); err != nil {
+ if err := mountToRootfs(tmpfs, c); err != nil {
return err
}
for _, b := range binds {
- if enableCgroupns {
- subsystemPath := filepath.Join(rootfs, b.Destination)
+ if c.cgroupns {
+ subsystemPath := filepath.Join(c.root, b.Destination)
if err := os.MkdirAll(subsystemPath, 0755); err != nil {
return err
}
@@ -266,7 +276,7 @@ func mountCgroupV1(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b
return err
}
} else {
- if err := mountToRootfs(b, rootfs, mountLabel, enableCgroupns); err != nil {
+ if err := mountToRootfs(b, c); err != nil {
return err
}
}
@@ -276,7 +286,7 @@ func mountCgroupV1(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b
// symlink(2) is very dumb, it will just shove the path into
// the link and doesn't do any checks or relative path
// conversion. Also, don't error out if the cgroup already exists.
- if err := os.Symlink(mc, filepath.Join(rootfs, m.Destination, ss)); err != nil && !os.IsExist(err) {
+ if err := os.Symlink(mc, filepath.Join(c.root, m.Destination, ss)); err != nil && !os.IsExist(err) {
return err
}
}
@@ -284,8 +294,8 @@ func mountCgroupV1(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b
return nil
}
-func mountCgroupV2(m *configs.Mount, rootfs, mountLabel string, enableCgroupns bool) error {
- cgroupPath, err := securejoin.SecureJoin(rootfs, m.Destination)
+func mountCgroupV2(m *configs.Mount, c *mountConfig) error {
+ cgroupPath, err := securejoin.SecureJoin(c.root, m.Destination)
if err != nil {
return err
}
@@ -302,10 +312,10 @@ func mountCgroupV2(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b
return nil
}
-func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns bool) error {
- var (
- dest = m.Destination
- )
+func mountToRootfs(m *configs.Mount, c *mountConfig) error {
+ rootfs := c.root
+ mountLabel := c.label
+ dest := m.Destination
if !strings.HasPrefix(dest, rootfs) {
dest = filepath.Join(rootfs, dest)
}
@@ -424,9 +434,9 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b
}
case "cgroup":
if cgroups.IsCgroup2UnifiedMode() {
- return mountCgroupV2(m, rootfs, mountLabel, enableCgroupns)
+ return mountCgroupV2(m, c)
}
- return mountCgroupV1(m, rootfs, mountLabel, enableCgroupns)
+ return mountCgroupV1(m, c)
default:
// ensure that the destination of the mount is resolved of symlinks at mount time because
// any previous mounts can invalidate the next mount's destination.
--
2.31.1
["rc93-0003-libct-rootfs-mountCgroupV2-minor-refactor.patch" (text/x-patch)]
From 198a2806b0b5522cff1c53bf4671cfee85e45608 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin <kolyshkin@gmail.com>
Date: Tue, 23 Feb 2021 18:25:56 -0800
Subject: [PATCH 3/5] libct/rootfs/mountCgroupV2: minor refactor
1. s/cgroupPath/dest/
2. don't hardcode /sys/fs/cgroup
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
---
libcontainer/rootfs_linux.go | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
index a384abb7e8a5..0f0495b93b3e 100644
--- a/libcontainer/rootfs_linux.go
+++ b/libcontainer/rootfs_linux.go
@@ -17,6 +17,7 @@ import (
"github.com/moby/sys/mountinfo"
"github.com/mrunalp/fileutils"
"github.com/opencontainers/runc/libcontainer/cgroups"
+ "github.com/opencontainers/runc/libcontainer/cgroups/fs2"
"github.com/opencontainers/runc/libcontainer/configs"
"github.com/opencontainers/runc/libcontainer/devices"
"github.com/opencontainers/runc/libcontainer/system"
@@ -295,17 +296,18 @@ func mountCgroupV1(m *configs.Mount, c *mountConfig) error {
}
func mountCgroupV2(m *configs.Mount, c *mountConfig) error {
- cgroupPath, err := securejoin.SecureJoin(c.root, m.Destination)
+ dest, err := securejoin.SecureJoin(c.root, m.Destination)
if err != nil {
return err
}
- if err := os.MkdirAll(cgroupPath, 0755); err != nil {
+ if err := os.MkdirAll(dest, 0755); err != nil {
return err
}
- if err := unix.Mount(m.Source, cgroupPath, "cgroup2", uintptr(m.Flags), m.Data); err != nil {
+ if err := unix.Mount(m.Source, dest, "cgroup2", uintptr(m.Flags), m.Data); err != nil {
// when we are in UserNS but CgroupNS is not unshared, we cannot mount cgroup2 (#2158)
if err == unix.EPERM || err == unix.EBUSY {
- return unix.Mount("/sys/fs/cgroup", cgroupPath, "", uintptr(m.Flags)|unix.MS_BIND, "")
+ src := fs2.UnifiedMountpoint
+ return unix.Mount(src, dest, "", uintptr(m.Flags)|unix.MS_BIND, "")
}
return err
}
--
2.31.1
["rc93-0004-Fix-cgroup2-mount-for-rootless-case.patch" (text/x-patch)]
From ce352accdfb07a91b5527e70ec8bce658a8b68de Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin <kolyshkin@gmail.com>
Date: Tue, 23 Feb 2021 18:27:42 -0800
Subject: [PATCH 4/5] Fix cgroup2 mount for rootless case
In case of rootless, cgroup2 mount is not possible (see [1] for more
details), so since commit 9c81440fb5a7 runc bind-mounts the whole
/sys/fs/cgroup into container.
Problem is, if cgroupns is enabled, /sys/fs/cgroup inside the container
is supposed to show the cgroup files for this cgroup, not the root one.
The fix is to pass through and use the cgroup path in case cgroup2
mount failed, cgroupns is enabled, and the path is non-empty.
Surely this requires the /sys/fs/cgroup mount in the spec, so modify
runc spec --rootless to keep it.
Before:
$ ./runc run aaa
# find /sys/fs/cgroup/ -type d
/sys/fs/cgroup
/sys/fs/cgroup/user.slice
/sys/fs/cgroup/user.slice/user-1000.slice
/sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service
...
# ls -l /sys/fs/cgroup/cgroup.controllers
-r--r--r-- 1 nobody nogroup 0 Feb 24 02:22 /sys/fs/cgroup/cgroup.controllers
# wc -w /sys/fs/cgroup/cgroup.procs
142 /sys/fs/cgroup/cgroup.procs
# cat /sys/fs/cgroup/memory.current
cat: can't open '/sys/fs/cgroup/memory.current': No such file or directory
After:
# find /sys/fs/cgroup/ -type d
/sys/fs/cgroup/
# ls -l /sys/fs/cgroup/cgroup.controllers
-r--r--r-- 1 root root 0 Feb 24 02:43 /sys/fs/cgroup/cgroup.controllers
# wc -w /sys/fs/cgroup/cgroup.procs
2 /sys/fs/cgroup/cgroup.procs
# cat /sys/fs/cgroup/memory.current
577536
[1] https://github.com/opencontainers/runc/issues/2158
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
---
libcontainer/container_linux.go | 3 +++
libcontainer/init_linux.go | 1 +
libcontainer/rootfs_linux.go | 28 +++++++++++++++++++++-------
libcontainer/specconv/example.go | 18 +++++++++---------
4 files changed, 34 insertions(+), 16 deletions(-)
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index b6100aae9d5a..1cbc734172d0 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -610,6 +610,9 @@ func (c *linuxContainer) newInitConfig(process *Process) *initConfig {
if len(process.Rlimits) > 0 {
cfg.Rlimits = process.Rlimits
}
+ if cgroups.IsCgroup2UnifiedMode() {
+ cfg.Cgroup2Path = c.cgroupManager.Path("")
+ }
return cfg
}
diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
index c57af0eebb8b..681797099f46 100644
--- a/libcontainer/init_linux.go
+++ b/libcontainer/init_linux.go
@@ -70,6 +70,7 @@ type initConfig struct {
RootlessEUID bool `json:"rootless_euid,omitempty"`
RootlessCgroups bool `json:"rootless_cgroups,omitempty"`
SpecState *specs.State `json:"spec_state,omitempty"`
+ Cgroup2Path string `json:"cgroup2_path,omitempty"`
}
type initer interface {
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
index 0f0495b93b3e..5d2d74cf924b 100644
--- a/libcontainer/rootfs_linux.go
+++ b/libcontainer/rootfs_linux.go
@@ -31,9 +31,11 @@ import (
const defaultMountFlags = unix.MS_NOEXEC | unix.MS_NOSUID | unix.MS_NODEV
type mountConfig struct {
- root string
- label string
- cgroupns bool
+ root string
+ label string
+ cgroup2Path string
+ rootlessCgroups bool
+ cgroupns bool
}
// needsSetupDev returns true if /dev needs to be set up.
@@ -56,9 +58,11 @@ func prepareRootfs(pipe io.ReadWriter, iConfig *initConfig) (err error) {
}
mountConfig := &mountConfig{
- root: config.Rootfs,
- label: config.MountLabel,
- cgroupns: config.Namespaces.Contains(configs.NEWCGROUP),
+ root: config.Rootfs,
+ label: config.MountLabel,
+ cgroup2Path: iConfig.Cgroup2Path,
+ rootlessCgroups: iConfig.RootlessCgroups,
+ cgroupns: config.Namespaces.Contains(configs.NEWCGROUP),
}
setupDev := needsSetupDev(config)
for _, m := range config.Mounts {
@@ -307,7 +311,17 @@ func mountCgroupV2(m *configs.Mount, c *mountConfig) error {
// when we are in UserNS but CgroupNS is not unshared, we cannot mount cgroup2 (#2158)
if err == unix.EPERM || err == unix.EBUSY {
src := fs2.UnifiedMountpoint
- return unix.Mount(src, dest, "", uintptr(m.Flags)|unix.MS_BIND, "")
+ if c.cgroupns && c.cgroup2Path != "" {
+ // Emulate cgroupns by bind-mounting
+ // the container cgroup path rather than
+ // the whole /sys/fs/cgroup.
+ src = c.cgroup2Path
+ }
+ err = unix.Mount(src, dest, "", uintptr(m.Flags)|unix.MS_BIND, "")
+ if err == unix.ENOENT && c.rootlessCgroups {
+ err = nil
+ }
+ return err
}
return err
}
diff --git a/libcontainer/specconv/example.go b/libcontainer/specconv/example.go
index 8a201bc78dd9..56bab3bfbfa5 100644
--- a/libcontainer/specconv/example.go
+++ b/libcontainer/specconv/example.go
@@ -2,6 +2,7 @@ package specconv
import (
"os"
+ "path/filepath"
"strings"
"github.com/opencontainers/runc/libcontainer/cgroups"
@@ -200,8 +201,14 @@ func ToRootless(spec *specs.Spec) {
// Fix up mounts.
var mounts []specs.Mount
for _, mount := range spec.Mounts {
- // Ignore all mounts that are under /sys.
- if strings.HasPrefix(mount.Destination, "/sys") {
+ // Replace the /sys mount with an rbind.
+ if filepath.Clean(mount.Destination) == "/sys" {
+ mounts = append(mounts, specs.Mount{
+ Source: "/sys",
+ Destination: "/sys",
+ Type: "none",
+ Options: []string{"rbind", "nosuid", "noexec", "nodev", "ro"},
+ })
continue
}
@@ -216,13 +223,6 @@ func ToRootless(spec *specs.Spec) {
mount.Options = options
mounts = append(mounts, mount)
}
- // Add the sysfs mount as an rbind.
- mounts = append(mounts, specs.Mount{
- Source: "/sys",
- Destination: "/sys",
- Type: "none",
- Options: []string{"rbind", "nosuid", "noexec", "nodev", "ro"},
- })
spec.Mounts = mounts
// Remove cgroup settings.
--
2.31.1
["rc93-0005-rootfs-add-mount-destination-validation.patch" (text/x-patch)]
From 14faf1c20948688a48edb9b41367ab07ac11ca91 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <cyphar@cyphar.com>
Date: Thu, 1 Apr 2021 12:00:31 -0700
Subject: [PATCH 5/5] rootfs: add mount destination validation
Because the target of a mount is inside a container (which may be a
volume that is shared with another container), there exists a race
condition where the target of the mount may change to a path containing
a symlink after we have sanitised the path -- resulting in us
inadvertently mounting the path outside of the container.
This is not immediately useful because we are in a mount namespace with
MS_SLAVE mount propagation applied to "/", so we cannot mount on top of
host paths in the host namespace. However, if any subsequent mountpoints
in the configuration use a subdirectory of that host path as a source,
those subsequent mounts will use an attacker-controlled source path
(resolved within the host rootfs) -- allowing the bind-mounting of "/"
into the container.
While arguably configuration issues like this are not entirely within
runc's threat model, within the context of Kubernetes (and possibly
other container managers that provide semi-arbitrary container creation
privileges to untrusted users) this is a legitimate issue. Since we
cannot block mounting from the host into the container, we need to block
the first stage of this attack (mounting onto a path outside the
container).
The long-term plan to solve this would be to migrate to libpathrs, but
as a stop-gap we implement libpathrs-like path verification through
readlink(/proc/self/fd/$n) and then do mount operations through the
procfd once it's been verified to be inside the container. The target
could move after we've checked it, but if it is inside the container
then we can assume that it is safe for the same reason that libpathrs
operations would be safe.
A slight wrinkle is the "copyup" functionality we provide for tmpfs,
which is the only case where we want to do a mount on the host
filesystem. To facilitate this, I split out the copy-up functionality
entirely so that the logic isn't interspersed with the regular tmpfs
logic. In addition, all dependencies on m.Destination being overwritten
have been removed since that pattern was just begging to be a source of
more mount-target bugs (we do still have to modify m.Destination for
tmpfs-copyup but we only do it temporarily).
Fixes: CVE-2021-30465
Reported-by: Etienne Champetier <champetier.etienne@gmail.com>
Co-authored-by: Noah Meyerhans <nmeyerha@amazon.com>
Reviewed-by: Samuel Karp <skarp@amazon.com>
Reviewed-by: Kir Kolyshkin <kolyshkin@gmail.com> (@kolyshkin)
Reviewed-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
---
libcontainer/container_linux.go | 1 -
libcontainer/rootfs_linux.go | 251 +++++++++++++++----------------
libcontainer/utils/utils.go | 54 +++++++
libcontainer/utils/utils_test.go | 35 +++++
4 files changed, 213 insertions(+), 128 deletions(-)
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index 1cbc734172d0..70b388b1252e 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -1202,7 +1202,6 @@ func (c *linuxContainer) makeCriuRestoreMountpoints(m *configs.Mount) error {
if err := checkProcMount(c.config.Rootfs, dest, ""); err != nil {
return err
}
- m.Destination = dest
if err := os.MkdirAll(dest, 0755); err != nil {
return err
}
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
index 5d2d74cf924b..96be669c365e 100644
--- a/libcontainer/rootfs_linux.go
+++ b/libcontainer/rootfs_linux.go
@@ -25,6 +25,7 @@ import (
libcontainerUtils "github.com/opencontainers/runc/libcontainer/utils"
"github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/selinux/go-selinux/label"
+ "github.com/sirupsen/logrus"
"golang.org/x/sys/unix"
)
@@ -228,8 +229,6 @@ func prepareBindMount(m *configs.Mount, rootfs string) error {
if err := checkProcMount(rootfs, dest, m.Source); err != nil {
return err
}
- // update the mount with the correct dest after symlinks are resolved.
- m.Destination = dest
if err := createIfNotExists(dest, stat.IsDir()); err != nil {
return err
}
@@ -266,18 +265,21 @@ func mountCgroupV1(m *configs.Mount, c *mountConfig) error {
if err := os.MkdirAll(subsystemPath, 0755); err != nil {
return err
}
- flags := defaultMountFlags
- if m.Flags&unix.MS_RDONLY != 0 {
- flags = flags | unix.MS_RDONLY
- }
- cgroupmount := &configs.Mount{
- Source: "cgroup",
- Device: "cgroup", // this is actually fstype
- Destination: subsystemPath,
- Flags: flags,
- Data: filepath.Base(subsystemPath),
- }
- if err := mountNewCgroup(cgroupmount); err != nil {
+ if err := utils.WithProcfd(c.root, b.Destination, func(procfd string) error {
+ flags := defaultMountFlags
+ if m.Flags&unix.MS_RDONLY != 0 {
+ flags = flags | unix.MS_RDONLY
+ }
+ var (
+ source = "cgroup"
+ data = filepath.Base(subsystemPath)
+ )
+ if data == "systemd" {
+ data = cgroups.CgroupNamePrefix + data
+ source = "systemd"
+ }
+ return unix.Mount(source, procfd, "cgroup", uintptr(flags), data)
+ }); err != nil {
return err
}
} else {
@@ -307,33 +309,79 @@ func mountCgroupV2(m *configs.Mount, c *mountConfig) error {
if err := os.MkdirAll(dest, 0755); err != nil {
return err
}
- if err := unix.Mount(m.Source, dest, "cgroup2", uintptr(m.Flags), m.Data); err != nil {
- // when we are in UserNS but CgroupNS is not unshared, we cannot mount cgroup2 (#2158)
- if err == unix.EPERM || err == unix.EBUSY {
- src := fs2.UnifiedMountpoint
- if c.cgroupns && c.cgroup2Path != "" {
- // Emulate cgroupns by bind-mounting
- // the container cgroup path rather than
- // the whole /sys/fs/cgroup.
- src = c.cgroup2Path
- }
- err = unix.Mount(src, dest, "", uintptr(m.Flags)|unix.MS_BIND, "")
- if err == unix.ENOENT && c.rootlessCgroups {
- err = nil
+ return utils.WithProcfd(c.root, m.Destination, func(procfd string) error {
+ if err := unix.Mount(m.Source, procfd, "cgroup2", uintptr(m.Flags), m.Data); err != nil {
+ // when we are in UserNS but CgroupNS is not unshared, we cannot mount cgroup2 (#2158)
+ if err == unix.EPERM || err == unix.EBUSY {
+ src := fs2.UnifiedMountpoint
+ if c.cgroupns && c.cgroup2Path != "" {
+ // Emulate cgroupns by bind-mounting
+ // the container cgroup path rather than
+ // the whole /sys/fs/cgroup.
+ src = c.cgroup2Path
+ }
+ err = unix.Mount(src, procfd, "", uintptr(m.Flags)|unix.MS_BIND, "")
+ if err == unix.ENOENT && c.rootlessCgroups {
+ err = nil
+ }
}
return err
}
+ return nil
+ })
+}
+
+func doTmpfsCopyUp(m *configs.Mount, rootfs, mountLabel string) (Err error) {
+ // Set up a scratch dir for the tmpfs on the host.
+ tmpdir, err := prepareTmp("/tmp")
+ if err != nil {
+ return newSystemErrorWithCause(err, "tmpcopyup: failed to setup tmpdir")
+ }
+ defer cleanupTmp(tmpdir)
+ tmpDir, err := ioutil.TempDir(tmpdir, "runctmpdir")
+ if err != nil {
+ return newSystemErrorWithCause(err, "tmpcopyup: failed to create tmpdir")
+ }
+ defer os.RemoveAll(tmpDir)
+
+ // Configure the *host* tmpdir as if it's the container mount. We change
+ // m.Destination since we are going to mount *on the host*.
+ oldDest := m.Destination
+ m.Destination = tmpDir
+ err = mountPropagate(m, "/", mountLabel)
+ m.Destination = oldDest
+ if err != nil {
return err
}
- return nil
+ defer func() {
+ if Err != nil {
+ if err := unix.Unmount(tmpDir, unix.MNT_DETACH); err != nil {
+ logrus.Warnf("tmpcopyup: failed to unmount tmpdir on error: %v", err)
+ }
+ }
+ }()
+
+ return utils.WithProcfd(rootfs, m.Destination, func(procfd string) (Err error) {
+ // Copy the container data to the host tmpdir. We append "/" to force
+ // CopyDirectory to resolve the symlink rather than trying to copy the
+ // symlink itself.
+ if err := fileutils.CopyDirectory(procfd+"/", tmpDir); err != nil {
+ return fmt.Errorf("tmpcopyup: failed to copy %s to %s (%s): %w", m.Destination, procfd, tmpDir, err)
+ }
+ // Now move the mount into the container.
+ if err := unix.Mount(tmpDir, procfd, "", unix.MS_MOVE, ""); err != nil {
+ return fmt.Errorf("tmpcopyup: failed to move mount %s to %s (%s): %w", tmpDir, procfd, m.Destination, err)
+ }
+ return nil
+ })
}
func mountToRootfs(m *configs.Mount, c *mountConfig) error {
rootfs := c.root
mountLabel := c.label
- dest := m.Destination
- if !strings.HasPrefix(dest, rootfs) {
- dest = filepath.Join(rootfs, dest)
+ dest, err := securejoin.SecureJoin(rootfs, m.Destination)
+ if err != nil {
+ return err
}
switch m.Device {
@@ -364,53 +412,21 @@ func mountToRootfs(m *configs.Mount, c *mountConfig) error {
}
return label.SetFileLabel(dest, mountLabel)
case "tmpfs":
- copyUp := m.Extensions&configs.EXT_COPYUP == configs.EXT_COPYUP
- tmpDir := ""
- // dest might be an absolute symlink, so it needs
- // to be resolved under rootfs.
- dest, err := securejoin.SecureJoin(rootfs, m.Destination)
- if err != nil {
- return err
- }
- m.Destination = dest
stat, err := os.Stat(dest)
if err != nil {
if err := os.MkdirAll(dest, 0755); err != nil {
return err
}
}
- if copyUp {
- tmpdir, err := prepareTmp("/tmp")
- if err != nil {
- return newSystemErrorWithCause(err, "tmpcopyup: failed to setup tmpdir")
- }
- defer cleanupTmp(tmpdir)
- tmpDir, err = ioutil.TempDir(tmpdir, "runctmpdir")
- if err != nil {
- return newSystemErrorWithCause(err, "tmpcopyup: failed to create tmpdir")
- }
- defer os.RemoveAll(tmpDir)
- m.Destination = tmpDir
+
+ if m.Extensions&configs.EXT_COPYUP == configs.EXT_COPYUP {
+ err = doTmpfsCopyUp(m, rootfs, mountLabel)
+ } else {
+ err = mountPropagate(m, rootfs, mountLabel)
}
- if err := mountPropagate(m, rootfs, mountLabel); err != nil {
+ if err != nil {
return err
}
- if copyUp {
- if err := fileutils.CopyDirectory(dest, tmpDir); err != nil {
- errMsg := fmt.Errorf("tmpcopyup: failed to copy %s to %s: %v", dest, tmpDir, err)
- if err1 := unix.Unmount(tmpDir, unix.MNT_DETACH); err1 != nil {
- return newSystemErrorWithCausef(err1, "tmpcopyup: %v: failed to unmount", errMsg)
- }
- return errMsg
- }
- if err := unix.Mount(tmpDir, dest, "", unix.MS_MOVE, ""); err != nil {
- errMsg := fmt.Errorf("tmpcopyup: failed to move mount %s to %s: %v", tmpDir, dest, err)
- if err1 := unix.Unmount(tmpDir, unix.MNT_DETACH); err1 != nil {
- return newSystemErrorWithCausef(err1, "tmpcopyup: %v: failed to unmount", errMsg)
- }
- return errMsg
- }
- }
if stat != nil {
if err = os.Chmod(dest, stat.Mode()); err != nil {
return err
@@ -454,19 +470,9 @@ func mountToRootfs(m *configs.Mount, c *mountConfig) error {
}
return mountCgroupV1(m, c)
default:
- // ensure that the destination of the mount is resolved of symlinks at mount time because
- // any previous mounts can invalidate the next mount's destination.
- // this can happen when a user specifies mounts within other mounts to cause breakouts or other
- // evil stuff to try to escape the container's rootfs.
- var err error
- if dest, err = securejoin.SecureJoin(rootfs, m.Destination); err != nil {
- return err
- }
if err := checkProcMount(rootfs, dest, m.Source); err != nil {
return err
}
- // update the mount with the correct dest after symlinks are resolved.
- m.Destination = dest
if err := os.MkdirAll(dest, 0755); err != nil {
return err
}
@@ -649,7 +655,7 @@ func createDevices(config *configs.Config) error {
return nil
}
-func bindMountDeviceNode(dest string, node *devices.Device) error {
+func bindMountDeviceNode(rootfs, dest string, node *devices.Device) error {
f, err := os.Create(dest)
if err != nil && !os.IsExist(err) {
return err
@@ -657,7 +663,9 @@ func bindMountDeviceNode(dest string, node *devices.Device) error {
if f != nil {
f.Close()
}
- return unix.Mount(node.Path, dest, "bind", unix.MS_BIND, "")
+ return utils.WithProcfd(rootfs, dest, func(procfd string) error {
+ return unix.Mount(node.Path, procfd, "bind", unix.MS_BIND, "")
+ })
}
// Creates the device node in the rootfs of the container.
@@ -666,18 +674,21 @@ func createDeviceNode(rootfs string, node *devices.Device, bind bool) error {
// The node only exists for cgroup reasons, ignore it here.
return nil
}
- dest := filepath.Join(rootfs, node.Path)
+ dest, err := securejoin.SecureJoin(rootfs, node.Path)
+ if err != nil {
+ return err
+ }
if err := os.MkdirAll(filepath.Dir(dest), 0755); err != nil {
return err
}
if bind {
- return bindMountDeviceNode(dest, node)
+ return bindMountDeviceNode(rootfs, dest, node)
}
if err := mknodDevice(dest, node); err != nil {
if os.IsExist(err) {
return nil
} else if os.IsPermission(err) {
- return bindMountDeviceNode(dest, node)
+ return bindMountDeviceNode(rootfs, dest, node)
}
return err
}
@@ -1013,61 +1024,47 @@ func writeSystemProperty(key, value string) error {
}
func remount(m *configs.Mount, rootfs string) error {
- var (
- dest = m.Destination
- )
- if !strings.HasPrefix(dest, rootfs) {
- dest = filepath.Join(rootfs, dest)
- }
- return unix.Mount(m.Source, dest, m.Device, uintptr(m.Flags|unix.MS_REMOUNT), "")
+ return utils.WithProcfd(rootfs, m.Destination, func(procfd string) error {
+ return unix.Mount(m.Source, procfd, m.Device, uintptr(m.Flags|unix.MS_REMOUNT), "")
+ })
}
// Do the mount operation followed by additional mounts required to take care
-// of propagation flags.
+// of propagation flags. This will always be scoped inside the container rootfs.
func mountPropagate(m *configs.Mount, rootfs string, mountLabel string) error {
var (
- dest = m.Destination
data = label.FormatMountLabel(m.Data, mountLabel)
flags = m.Flags
)
- if libcontainerUtils.CleanPath(dest) == "/dev" {
- flags &= ^unix.MS_RDONLY
- }
-
- // Mount it rw to allow chmod operation. A remount will be performed
- // later to make it ro if set.
- if m.Device == "tmpfs" {
+ // Delay mounting the filesystem read-only if we need to do further
+ // operations on it. We need to set up files in "/dev" and tmpfs mounts may
+ // need to be chmod-ed after mounting. The mount will be remounted ro later
+ // in finalizeRootfs() if necessary.
+ if libcontainerUtils.CleanPath(m.Destination) == "/dev" || m.Device == "tmpfs" {
flags &= ^unix.MS_RDONLY
}
- copyUp := m.Extensions&configs.EXT_COPYUP == configs.EXT_COPYUP
- if !(copyUp || strings.HasPrefix(dest, rootfs)) {
- dest = filepath.Join(rootfs, dest)
- }
-
- if err := unix.Mount(m.Source, dest, m.Device, uintptr(flags), data); err != nil {
- return err
- }
-
- for _, pflag := range m.PropagationFlags {
- if err := unix.Mount("", dest, "", uintptr(pflag), ""); err != nil {
- return err
+ // Because the destination is inside a container path which might be
+ // mutating underneath us, we verify that we are actually going to mount
+ // inside the container with WithProcfd() -- mounting through a procfd
+ // mounts on the target.
+ if err := utils.WithProcfd(rootfs, m.Destination, func(procfd string) error {
+ return unix.Mount(m.Source, procfd, m.Device, uintptr(flags), data)
+ }); err != nil {
+ return fmt.Errorf("mount through procfd: %w", err)
+ }
+ // We have to apply mount propagation flags in a separate WithProcfd() call
+ // because the previous call invalidates the passed procfd -- the mount
+ // target needs to be re-opened.
+ if err := utils.WithProcfd(rootfs, m.Destination, func(procfd string) error {
+ for _, pflag := range m.PropagationFlags {
+ if err := unix.Mount("", procfd, "", uintptr(pflag), ""); err != nil {
+ return err
+ }
}
- }
- return nil
-}
-
-func mountNewCgroup(m *configs.Mount) error {
- var (
- data = m.Data
- source = m.Source
- )
- if data == "systemd" {
- data = cgroups.CgroupNamePrefix + data
- source = "systemd"
- }
- if err := unix.Mount(source, m.Destination, m.Device, uintptr(m.Flags), data); err != nil {
- return err
+ return nil
+ }); err != nil {
+ return fmt.Errorf("change mount propagation through procfd: %w", err)
}
return nil
}
diff --git a/libcontainer/utils/utils.go b/libcontainer/utils/utils.go
index 1b72b7a1c1ba..cd78f23e1bd0 100644
--- a/libcontainer/utils/utils.go
+++ b/libcontainer/utils/utils.go
@@ -3,12 +3,15 @@ package utils
import (
"encoding/binary"
"encoding/json"
+ "fmt"
"io"
"os"
"path/filepath"
+ "strconv"
"strings"
"unsafe"
+ "github.com/cyphar/filepath-securejoin"
"golang.org/x/sys/unix"
)
@@ -88,6 +91,57 @@ func CleanPath(path string) string {
return filepath.Clean(path)
}
+// stripRoot returns the passed path, stripping the root path if it was
+// (lexicially) inside it. Note that both passed paths will always be treated
+// as absolute, and the returned path will also always be absolute. In
+// addition, the paths are cleaned before stripping the root.
+func stripRoot(root, path string) string {
+ // Make the paths clean and absolute.
+ root, path = CleanPath("/"+root), CleanPath("/"+path)
+ switch {
+ case path == root:
+ path = "/"
+ case root == "/":
+ // do nothing
+ case strings.HasPrefix(path, root+"/"):
+ path = strings.TrimPrefix(path, root+"/")
+ }
+ return CleanPath("/" + path)
+}
+
+// WithProcfd runs the passed closure with a procfd path (/proc/self/fd/...)
+// corresponding to the unsafePath resolved within the root. Before passing the
+// fd, this path is verified to have been inside the root -- so operating on it
+// through the passed fdpath should be safe. Do not access this path through
+// the original path strings, and do not attempt to use the pathname outside of
+// the passed closure (the file handle will be freed once the closure returns).
+func WithProcfd(root, unsafePath string, fn func(procfd string) error) error {
+ // Remove the root then forcefully resolve inside the root.
+ unsafePath = stripRoot(root, unsafePath)
+ path, err := securejoin.SecureJoin(root, unsafePath)
+ if err != nil {
+ return fmt.Errorf("resolving path inside rootfs failed: %v", err)
+ }
+
+ // Open the target path.
+ fh, err := os.OpenFile(path, unix.O_PATH|unix.O_CLOEXEC, 0)
+ if err != nil {
+ return fmt.Errorf("open o_path procfd: %w", err)
+ }
+ defer fh.Close()
+
+ // Double-check the path is the one we expected.
+ procfd := "/proc/self/fd/" + strconv.Itoa(int(fh.Fd()))
+ if realpath, err := os.Readlink(procfd); err != nil {
+ return fmt.Errorf("procfd verification failed: %w", err)
+ } else if realpath != path {
+ return fmt.Errorf("possibly malicious path detected -- refusing to operate on %s", realpath)
+ }
+
+ // Run the closure.
+ return fn(procfd)
+}
+
// SearchLabels searches a list of key-value pairs for the provided key and
// returns the corresponding value. The pairs must be separated with '='.
func SearchLabels(labels []string, query string) string {
diff --git a/libcontainer/utils/utils_test.go b/libcontainer/utils/utils_test.go
index 7f38ed169a6b..d33662238d36 100644
--- a/libcontainer/utils/utils_test.go
+++ b/libcontainer/utils/utils_test.go
@@ -143,3 +143,38 @@ func TestCleanPath(t *testing.T) {
t.Errorf("expected to receive '/foo' and received %s", path)
}
}
+
+func TestStripRoot(t *testing.T) {
+ for _, test := range []struct {
+ root, path, out string
+ }{
+ // Works with multiple components.
+ {"/a/b", "/a/b/c", "/c"},
+ {"/hello/world", "/hello/world/the/quick-brown/fox", "/the/quick-brown/fox"},
+ // '/' must be a no-op.
+ {"/", "/a/b/c", "/a/b/c"},
+ // Must be the correct order.
+ {"/a/b", "/a/c/b", "/a/c/b"},
+ // Must be at start.
+ {"/abc/def", "/foo/abc/def/bar", "/foo/abc/def/bar"},
+ // Must be a lexical parent.
+ {"/foo/bar", "/foo/barSAMECOMPONENT", "/foo/barSAMECOMPONENT"},
+ // Must only strip the root once.
+ {"/foo/bar", "/foo/bar/foo/bar/baz", "/foo/bar/baz"},
+ // Deal with .. in a fairly sane way.
+ {"/foo/bar", "/foo/bar/../baz", "/foo/baz"},
+ {"/foo/bar", "../../../../../../foo/bar/baz", "/baz"},
+ {"/foo/bar", "/../../../../../../foo/bar/baz", "/baz"},
+ {"/foo/bar/../baz", "/foo/baz/bar", "/bar"},
+ {"/foo/bar/../baz", "/foo/baz/../bar/../baz/./foo", "/foo"},
+ // All paths are made absolute before stripping.
+ {"foo/bar", "/foo/bar/baz/bee", "/baz/bee"},
+ {"/foo/bar", "foo/bar/baz/beef", "/baz/beef"},
+ {"foo/bar", "foo/bar/baz/beets", "/baz/beets"},
+ } {
+ got := stripRoot(test.root, test.path)
+ if got != test.out {
+ t.Errorf("stripRoot(%q, %q) -- got %q, expected %q", test.root, test.path, got, test.out)
+ }
+ }
+}
--
2.31.1
["signature.asc" (application/pgp-signature)]
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic