init: switch away from stateDirFd entirely #1570
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@crosbymichael This is the patchset I've been promising for a while that would remove the entire possibility of a CVE-2016-9962-style bug happening again. |
|
LGTM |
hqhq
reviewed
Aug 25, 2017
libcontainer/container_linux.go
Outdated
| // fd, with _LIBCONTAINER_FIFOFD set to its fd number. | ||
| func (c *linuxContainer) includeExecFifo(cmd *exec.Cmd) error { | ||
| fifoName := filepath.Join(c.root, execFifoFilename) | ||
| fifoFd, err := unix.Open(fifoName, unix.O_PATH|unix.O_RDWR|unix.O_CLOEXEC, 0) |
There was a problem hiding this comment.
"When O_PATH is specified in flags, flag bits other than O_CLOEXEC, O_DIRECTORY, and O_NOFOLLOW are ignored"
Should we remove O_RDWR since it'll be ignored anyway?
There was a problem hiding this comment.
Yeah, you're right. I'll remove it.
While we have significant protections in place against CVE-2016-9962, we still were holding onto a file descriptor that referenced the host filesystem. This meant that in certain scenarios it was still possible for a semi-privileged container to gain access to the host filesystem (if they had CAP_SYS_PTRACE). Instead, open the FIFO itself using a O_PATH. This allows us to reference the FIFO directly without providing the ability for directory-level access. When opening the FIFO inside the init process, open it through procfs to re-open the actual FIFO (this is currently the only supported way to open such a file descriptor). Signed-off-by: Aleksa Sarai <[email protected]>
|
Alright fixed up @hqhq's comment. |
|
LGTM |
|
LGTM, really awesome comments throughout @cyphar. 🥇 |
|
LGTM |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
While we have significant protections in place against CVE-2016-9962, we
still were holding onto a file descriptor that referenced the host
filesystem. This meant that in certain scenarios it was still possible
for a semi-privileged container to gain access to the host filesystem
(if they had CAP_SYS_PTRACE).
Instead, open the FIFO itself using a O_PATH. This allows us to
reference the FIFO directly without providing the ability for
directory-level access. When opening the FIFO inside the init process,
open it through procfs to re-open the actual FIFO (this is currently the
only supported way to open such a file descriptor).
Signed-off-by: Aleksa Sarai [email protected]