mirror of
https://github.com/opencontainers/runc.git
synced 2025-10-07 16:31:38 +08:00
0ca91f44f1
Because the target of a mount is inside a container (which may be a volume that is shared with another container), there exists a race condition where the target of the mount may change to a path containing a symlink after we have sanitised the path -- resulting in us inadvertently mounting the path outside of the container. This is not immediately useful because we are in a mount namespace with MS_SLAVE mount propagation applied to "/", so we cannot mount on top of host paths in the host namespace. However, if any subsequent mountpoints in the configuration use a subdirectory of that host path as a source, those subsequent mounts will use an attacker-controlled source path (resolved within the host rootfs) -- allowing the bind-mounting of "/" into the container. While arguably configuration issues like this are not entirely within runc's threat model, within the context of Kubernetes (and possibly other container managers that provide semi-arbitrary container creation privileges to untrusted users) this is a legitimate issue. Since we cannot block mounting from the host into the container, we need to block the first stage of this attack (mounting onto a path outside the container). The long-term plan to solve this would be to migrate to libpathrs, but as a stop-gap we implement libpathrs-like path verification through readlink(/proc/self/fd/$n) and then do mount operations through the procfd once it's been verified to be inside the container. The target could move after we've checked it, but if it is inside the container then we can assume that it is safe for the same reason that libpathrs operations would be safe. A slight wrinkle is the "copyup" functionality we provide for tmpfs, which is the only case where we want to do a mount on the host filesystem. To facilitate this, I split out the copy-up functionality entirely so that the logic isn't interspersed with the regular tmpfs logic. In addition, all dependencies on m.Destination being overwritten have been removed since that pattern was just begging to be a source of more mount-target bugs (we do still have to modify m.Destination for tmpfs-copyup but we only do it temporarily). Fixes: CVE-2021-30465 Reported-by: Etienne Champetier <champetier.etienne@gmail.com> Co-authored-by: Noah Meyerhans <nmeyerha@amazon.com> Reviewed-by: Samuel Karp <skarp@amazon.com> Reviewed-by: Kir Kolyshkin <kolyshkin@gmail.com> (@kolyshkin) Reviewed-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
181 lines
4.4 KiB
Go
181 lines
4.4 KiB
Go
package utils
|
|
|
|
import (
|
|
"bytes"
|
|
"os"
|
|
"path/filepath"
|
|
"testing"
|
|
|
|
"golang.org/x/sys/unix"
|
|
)
|
|
|
|
var labelTest = []struct {
|
|
labels []string
|
|
query string
|
|
expectedValue string
|
|
}{
|
|
{[]string{"bundle=/path/to/bundle"}, "bundle", "/path/to/bundle"},
|
|
{[]string{"test=a", "test=b"}, "bundle", ""},
|
|
{[]string{"bundle=a", "test=b", "bundle=c"}, "bundle", "a"},
|
|
{[]string{"", "test=a", "bundle=b"}, "bundle", "b"},
|
|
{[]string{"test", "bundle=a"}, "bundle", "a"},
|
|
{[]string{"test=a", "bundle="}, "bundle", ""},
|
|
}
|
|
|
|
func TestSearchLabels(t *testing.T) {
|
|
for _, tt := range labelTest {
|
|
if v := SearchLabels(tt.labels, tt.query); v != tt.expectedValue {
|
|
t.Errorf("expected value '%s' for query '%s'; got '%s'", tt.expectedValue, tt.query, v)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestResolveRootfs(t *testing.T) {
|
|
dir := "rootfs"
|
|
if err := os.Mkdir(dir, 0600); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
defer os.Remove(dir)
|
|
|
|
path, err := ResolveRootfs(dir)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
pwd, err := os.Getwd()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if path != pwd+"/rootfs" {
|
|
t.Errorf("expected rootfs to be abs and was %s", path)
|
|
}
|
|
}
|
|
|
|
func TestResolveRootfsWithSymlink(t *testing.T) {
|
|
dir := "rootfs"
|
|
tmpDir, _ := filepath.EvalSymlinks(os.TempDir())
|
|
if err := os.Symlink(tmpDir, dir); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
defer os.Remove(dir)
|
|
|
|
path, err := ResolveRootfs(dir)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if path != tmpDir {
|
|
t.Errorf("expected rootfs to be the real path %s and was %s", path, os.TempDir())
|
|
}
|
|
}
|
|
|
|
func TestResolveRootfsWithNonExistingDir(t *testing.T) {
|
|
_, err := ResolveRootfs("foo")
|
|
if err == nil {
|
|
t.Error("expected error to happen but received nil")
|
|
}
|
|
}
|
|
|
|
func TestExitStatus(t *testing.T) {
|
|
status := unix.WaitStatus(0)
|
|
ex := ExitStatus(status)
|
|
if ex != 0 {
|
|
t.Errorf("expected exit status to equal 0 and received %d", ex)
|
|
}
|
|
}
|
|
|
|
func TestExitStatusSignaled(t *testing.T) {
|
|
status := unix.WaitStatus(2)
|
|
ex := ExitStatus(status)
|
|
if ex != 130 {
|
|
t.Errorf("expected exit status to equal 130 and received %d", ex)
|
|
}
|
|
}
|
|
|
|
func TestWriteJSON(t *testing.T) {
|
|
person := struct {
|
|
Name string
|
|
Age int
|
|
}{
|
|
Name: "Alice",
|
|
Age: 30,
|
|
}
|
|
|
|
var b bytes.Buffer
|
|
err := WriteJSON(&b, person)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
expected := `{"Name":"Alice","Age":30}`
|
|
if b.String() != expected {
|
|
t.Errorf("expected to write %s but was %s", expected, b.String())
|
|
}
|
|
}
|
|
|
|
func TestCleanPath(t *testing.T) {
|
|
path := CleanPath("")
|
|
if path != "" {
|
|
t.Errorf("expected to receive empty string and received %s", path)
|
|
}
|
|
|
|
path = CleanPath("rootfs")
|
|
if path != "rootfs" {
|
|
t.Errorf("expected to receive 'rootfs' and received %s", path)
|
|
}
|
|
|
|
path = CleanPath("../../../var")
|
|
if path != "var" {
|
|
t.Errorf("expected to receive 'var' and received %s", path)
|
|
}
|
|
|
|
path = CleanPath("/../../../var")
|
|
if path != "/var" {
|
|
t.Errorf("expected to receive '/var' and received %s", path)
|
|
}
|
|
|
|
path = CleanPath("/foo/bar/")
|
|
if path != "/foo/bar" {
|
|
t.Errorf("expected to receive '/foo/bar' and received %s", path)
|
|
}
|
|
|
|
path = CleanPath("/foo/bar/../")
|
|
if path != "/foo" {
|
|
t.Errorf("expected to receive '/foo' and received %s", path)
|
|
}
|
|
}
|
|
|
|
func TestStripRoot(t *testing.T) {
|
|
for _, test := range []struct {
|
|
root, path, out string
|
|
}{
|
|
// Works with multiple components.
|
|
{"/a/b", "/a/b/c", "/c"},
|
|
{"/hello/world", "/hello/world/the/quick-brown/fox", "/the/quick-brown/fox"},
|
|
// '/' must be a no-op.
|
|
{"/", "/a/b/c", "/a/b/c"},
|
|
// Must be the correct order.
|
|
{"/a/b", "/a/c/b", "/a/c/b"},
|
|
// Must be at start.
|
|
{"/abc/def", "/foo/abc/def/bar", "/foo/abc/def/bar"},
|
|
// Must be a lexical parent.
|
|
{"/foo/bar", "/foo/barSAMECOMPONENT", "/foo/barSAMECOMPONENT"},
|
|
// Must only strip the root once.
|
|
{"/foo/bar", "/foo/bar/foo/bar/baz", "/foo/bar/baz"},
|
|
// Deal with .. in a fairly sane way.
|
|
{"/foo/bar", "/foo/bar/../baz", "/foo/baz"},
|
|
{"/foo/bar", "../../../../../../foo/bar/baz", "/baz"},
|
|
{"/foo/bar", "/../../../../../../foo/bar/baz", "/baz"},
|
|
{"/foo/bar/../baz", "/foo/baz/bar", "/bar"},
|
|
{"/foo/bar/../baz", "/foo/baz/../bar/../baz/./foo", "/foo"},
|
|
// All paths are made absolute before stripping.
|
|
{"foo/bar", "/foo/bar/baz/bee", "/baz/bee"},
|
|
{"/foo/bar", "foo/bar/baz/beef", "/baz/beef"},
|
|
{"foo/bar", "foo/bar/baz/beets", "/baz/beets"},
|
|
} {
|
|
got := stripRoot(test.root, test.path)
|
|
if got != test.out {
|
|
t.Errorf("stripRoot(%q, %q) -- got %q, expected %q", test.root, test.path, got, test.out)
|
|
}
|
|
}
|
|
}
|