diff --git a/patch/0118-runc-rootfs-do-not-permit-proc-mounts-to-no.patch b/patch/0118-runc-rootfs-do-not-permit-proc-mounts-to-no.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b203ba4643c24dbca7d1fbb2ff3ccc7793c0beea
--- /dev/null
+++ b/patch/0118-runc-rootfs-do-not-permit-proc-mounts-to-no.patch
@@ -0,0 +1,49 @@
+From 78b4cdf24a75950da64dab9146984b448497cc28 Mon Sep 17 00:00:00 2001
+From: xiadanni1
+Date: Wed, 15 Apr 2020 16:58:02 +0800
+Subject: [PATCH] rootfs: do not permit /proc mounts to non-directories
+
+mount(2) will blindly follow symlinks, which is a problem because it
+allows a malicious container to trick runc into mounting /proc to an
+entirely different location (and thus within the attacker's control for
+a rename-exchange attack).
+
+This is just a hotfix (to "stop the bleeding"), and the more complete
+fix would be finish libpathrs and port runc to it (to avoid these types
+of attacks entirely, and defend against a variety of other /proc-related
+attacks). It can be bypased by someone having "/" be a volume controlled
+by another container.
+
+Fixes: CVE-2019-19921
+Signed-off-by: Aleksa Sarai
+Signed-off-by: xiadanni1
+---
+ libcontainer/rootfs_linux.go | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
+index 4c18482..67cf0bf 100644
+--- a/libcontainer/rootfs_linux.go
++++ b/libcontainer/rootfs_linux.go
+@@ -168,6 +168,18 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string) error {
+ 
+ switch m.Device {
+ case "proc", "sysfs":
++ // If the destination already exists and is not a directory, we bail
++ // out This is to avoid mounting through a symlink or similar -- which
++ // has been a "fun" attack scenario in the past.
++ // TODO: This won't be necessary once we switch to libpathrs and we can
++ // stop all of these symlink-exchange attacks.
++ if fi, err := os.Lstat(dest); err != nil {
++ if !os.IsNotExist(err) {
++ return err
++ }
++ } else if fi.Mode()&os.ModeDir == 0 {
++ return fmt.Errorf("filesystem %q must be mounted on ordinary directory", m.Device)
++ }
+ if strings.HasPrefix(m.Destination, "/proc/sys/") {
+ return nil
+ }
+-- 
+1.8.3.1
+
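Review bot: The `os.Lstat(dest)` guard added in the `case "proc", "sysfs":` branch is a time-of-check/time-of-use check — a rename-exchange performed after the Lstat succeeds but before the actual mount(2), which presumably happens later in `mountToRootfs`, is not caught, and the commit message says as much ("hotfix", bypassable via a volume-controlled "/") while the in-code comment does not. I would state the residual risk next to the check so nobody later treats it as the complete fix: `// NOTE: best-effort only -- this races with the mount(2) below and does not help when "/" itself is a volume another container controls.` The first sentence of the added comment is also missing its period: `// out. This is to avoid mounting through a symlink or similar -- which`. The logic itself is sound as far as the hunk shows: Lstat does not follow symlinks, so a symlink at `dest` fails the `ModeDir` test and is rejected, and ENOENT is tolerated so the destination can still be created afterwards. The inner hunk is an excerpt of `mountToRootfs`, whose signature and remaining body (including where `dest` is computed and where the mount is performed) lie outside it.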
diff --git a/runc-openeuler.spec b/runc-openeuler.spec
index df0c4fa12d82b4c206da6aebc0c7c423d018104c..c0a742d602a97ae678f95dc3638ee038d74e3c84 100644
--- a/runc-openeuler.spec
+++ b/runc-openeuler.spec
@@ -2,7 +2,7 @@
 Name: docker-runc
 Version: 1.0.0.rc3
-Release: 103
+Release: 104
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
 License: ASL 2.0
diff --git a/series.conf b/series.conf
index 376f1a2781eb5b00b92f787a322eb1f3881bf83d..c7b6362021af31462a6e25061d671c75c716d300 100644
--- a/series.conf
+++ b/series.conf
@@ -114,3 +114,4 @@
 0115-runc-Fix-cgroup-hugetlb-size-prefix-for-kB.patch
 0116-runc-check-nil-pointers-in-cgroup-manager.patch
 0117-runc-Pass-back-the-pid-of-runc-1-CHILD-so-w.patch
+0118-runc-rootfs-do-not-permit-proc-mounts-to-no.patch