542 lines
20 KiB
Diff
542 lines
20 KiB
Diff
From 3ca79e786cb0e0098f1d2ab06212a5608a8b257a Mon Sep 17 00:00:00 2001
|
|
From: Aleksa Sarai <cyphar@cyphar.com>
|
|
Date: Thu, 1 Apr 2021 12:00:31 -0700
|
|
Subject: [PATCH] [rc92] rootfs: add mount destination validation
|
|
|
|
This is a manual backport of upstream fix for CVE-2021-30465 to runc
|
|
v1.0.0-rc92. Original description follows.
|
|
|
|
----
|
|
|
|
Because the target of a mount is inside a container (which may be a
|
|
volume that is shared with another container), there exists a race
|
|
condition where the target of the mount may change to a path containing
|
|
a symlink after we have sanitised the path -- resulting in us
|
|
inadvertently mounting the path outside of the container.
|
|
|
|
This is not immediately useful because we are in a mount namespace with
|
|
MS_SLAVE mount propagation applied to "/", so we cannot mount on top of
|
|
host paths in the host namespace. However, if any subsequent mountpoints
|
|
in the configuration use a subdirectory of that host path as a source,
|
|
those subsequent mounts will use an attacker-controlled source path
|
|
(resolved within the host rootfs) -- allowing the bind-mounting of "/"
|
|
into the container.
|
|
|
|
While arguably configuration issues like this are not entirely within
|
|
runc's threat model, within the context of Kubernetes (and possibly
|
|
other container managers that provide semi-arbitrary container creation
|
|
privileges to untrusted users) this is a legitimate issue. Since we
|
|
cannot block mounting from the host into the container, we need to block
|
|
the first stage of this attack (mounting onto a path outside the
|
|
container).
|
|
|
|
The long-term plan to solve this would be to migrate to libpathrs, but
|
|
as a stop-gap we implement libpathrs-like path verification through
|
|
readlink(/proc/self/fd/$n) and then do mount operations through the
|
|
procfd once it's been verified to be inside the container. The target
|
|
could move after we've checked it, but if it is inside the container
|
|
then we can assume that it is safe for the same reason that libpathrs
|
|
operations would be safe.
|
|
|
|
A slight wrinkle is the "copyup" functionality we provide for tmpfs,
|
|
which is the only case where we want to do a mount on the host
|
|
filesystem. To facilitate this, I split out the copy-up functionality
|
|
entirely so that the logic isn't interspersed with the regular tmpfs
|
|
logic. In addition, all dependencies on m.Destination being overwritten
|
|
have been removed since that pattern was just begging to be a source of
|
|
more mount-target bugs (we do still have to modify m.Destination for
|
|
tmpfs-copyup but we only do it temporarily).
|
|
|
|
Fixes: CVE-2021-30465
|
|
Reported-by: Etienne Champetier <champetier.etienne@gmail.com>
|
|
Co-authored-by: Noah Meyerhans <nmeyerha@amazon.com>
|
|
Reviewed-by: Samuel Karp <skarp@amazon.com>
|
|
Reviewed-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
|
|
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
|
|
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
|
|
---
|
|
libcontainer/rootfs_linux.go | 226 ++++++++++++++++---------------
|
|
libcontainer/utils/utils.go | 54 ++++++++
|
|
libcontainer/utils/utils_test.go | 35 +++++
|
|
3 files changed, 205 insertions(+), 110 deletions(-)
|
|
|
|
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
|
|
index e00df0a2..e24e0e0c 100644
|
|
--- a/libcontainer/rootfs_linux.go
|
|
+++ b/libcontainer/rootfs_linux.go
|
|
@@ -19,9 +19,10 @@ import (
|
|
"github.com/opencontainers/runc/libcontainer/cgroups"
|
|
"github.com/opencontainers/runc/libcontainer/configs"
|
|
"github.com/opencontainers/runc/libcontainer/system"
|
|
- libcontainerUtils "github.com/opencontainers/runc/libcontainer/utils"
|
|
+ "github.com/opencontainers/runc/libcontainer/utils"
|
|
"github.com/opencontainers/runtime-spec/specs-go"
|
|
"github.com/opencontainers/selinux/go-selinux/label"
|
|
+ "github.com/sirupsen/logrus"
|
|
|
|
"golang.org/x/sys/unix"
|
|
)
|
|
@@ -31,7 +32,7 @@ const defaultMountFlags = unix.MS_NOEXEC | unix.MS_NOSUID | unix.MS_NODEV
|
|
// needsSetupDev returns true if /dev needs to be set up.
|
|
func needsSetupDev(config *configs.Config) bool {
|
|
for _, m := range config.Mounts {
|
|
- if m.Device == "bind" && libcontainerUtils.CleanPath(m.Destination) == "/dev" {
|
|
+ if m.Device == "bind" && utils.CleanPath(m.Destination) == "/dev" {
|
|
return false
|
|
}
|
|
}
|
|
@@ -139,7 +140,7 @@ func prepareRootfs(pipe io.ReadWriter, iConfig *initConfig) (err error) {
|
|
func finalizeRootfs(config *configs.Config) (err error) {
|
|
// remount dev as ro if specified
|
|
for _, m := range config.Mounts {
|
|
- if libcontainerUtils.CleanPath(m.Destination) == "/dev" {
|
|
+ if utils.CleanPath(m.Destination) == "/dev" {
|
|
if m.Flags&unix.MS_RDONLY == unix.MS_RDONLY {
|
|
if err := remountReadonly(m); err != nil {
|
|
return newSystemErrorWithCausef(err, "remounting %q as readonly", m.Destination)
|
|
@@ -208,8 +209,6 @@ func prepareBindMount(m *configs.Mount, rootfs string) error {
|
|
if err := checkProcMount(rootfs, dest, m.Source); err != nil {
|
|
return err
|
|
}
|
|
- // update the mount with the correct dest after symlinks are resolved.
|
|
- m.Destination = dest
|
|
if err := createIfNotExists(dest, stat.IsDir()); err != nil {
|
|
return err
|
|
}
|
|
@@ -246,18 +245,21 @@ func mountCgroupV1(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b
|
|
if err := os.MkdirAll(subsystemPath, 0755); err != nil {
|
|
return err
|
|
}
|
|
- flags := defaultMountFlags
|
|
- if m.Flags&unix.MS_RDONLY != 0 {
|
|
- flags = flags | unix.MS_RDONLY
|
|
- }
|
|
- cgroupmount := &configs.Mount{
|
|
- Source: "cgroup",
|
|
- Device: "cgroup", // this is actually fstype
|
|
- Destination: subsystemPath,
|
|
- Flags: flags,
|
|
- Data: filepath.Base(subsystemPath),
|
|
- }
|
|
- if err := mountNewCgroup(cgroupmount); err != nil {
|
|
+ if err := utils.WithProcfd(rootfs, b.Destination, func(procfd string) error {
|
|
+ flags := defaultMountFlags
|
|
+ if m.Flags&unix.MS_RDONLY != 0 {
|
|
+ flags = flags | unix.MS_RDONLY
|
|
+ }
|
|
+ var (
|
|
+ source = "cgroup"
|
|
+ data = filepath.Base(subsystemPath)
|
|
+ )
|
|
+ if data == "systemd" {
|
|
+ data = cgroups.CgroupNamePrefix + data
|
|
+ source = "systemd"
|
|
+ }
|
|
+ return unix.Mount(source, procfd, "cgroup", uintptr(flags), data)
|
|
+ }); err != nil {
|
|
return err
|
|
}
|
|
} else {
|
|
@@ -287,22 +289,67 @@ func mountCgroupV2(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b
|
|
if err := os.MkdirAll(cgroupPath, 0755); err != nil {
|
|
return err
|
|
}
|
|
- if err := unix.Mount(m.Source, cgroupPath, "cgroup2", uintptr(m.Flags), m.Data); err != nil {
|
|
- // when we are in UserNS but CgroupNS is not unshared, we cannot mount cgroup2 (#2158)
|
|
- if err == unix.EPERM || err == unix.EBUSY {
|
|
- return unix.Mount("/sys/fs/cgroup", cgroupPath, "", uintptr(m.Flags)|unix.MS_BIND, "")
|
|
+ return utils.WithProcfd(rootfs, m.Destination, func(procfd string) error {
|
|
+ if err := unix.Mount(m.Source, procfd, "cgroup2", uintptr(m.Flags), m.Data); err != nil {
|
|
+ // when we are in UserNS but CgroupNS is not unshared, we cannot mount cgroup2 (#2158)
|
|
+ if err == unix.EPERM || err == unix.EBUSY {
|
|
+ return unix.Mount("/sys/fs/cgroup", procfd, "", uintptr(m.Flags)|unix.MS_BIND, "")
|
|
+ }
|
|
+ return err
|
|
}
|
|
+ return nil
|
|
+ })
|
|
+}
|
|
+
|
|
+func doTmpfsCopyUp(m *configs.Mount, rootfs, mountLabel string) (Err error) {
|
|
+ // Set up a scratch dir for the tmpfs on the host.
|
|
+ tmpdir, err := prepareTmp("/tmp")
|
|
+ if err != nil {
|
|
+ return newSystemErrorWithCause(err, "tmpcopyup: failed to setup tmpdir")
|
|
+ }
|
|
+ defer cleanupTmp(tmpdir)
|
|
+ tmpDir, err := ioutil.TempDir(tmpdir, "runctmpdir")
|
|
+ if err != nil {
|
|
+ return newSystemErrorWithCause(err, "tmpcopyup: failed to create tmpdir")
|
|
+ }
|
|
+ defer os.RemoveAll(tmpDir)
|
|
+
|
|
+ // Configure the *host* tmpdir as if it's the container mount. We change
|
|
+ // m.Destination since we are going to mount *on the host*.
|
|
+ oldDest := m.Destination
|
|
+ m.Destination = tmpDir
|
|
+ err = mountPropagate(m, "/", mountLabel)
|
|
+ m.Destination = oldDest
|
|
+ if err != nil {
|
|
return err
|
|
}
|
|
- return nil
|
|
+ defer func() {
|
|
+ if Err != nil {
|
|
+ if err := unix.Unmount(tmpDir, unix.MNT_DETACH); err != nil {
|
|
+ logrus.Warnf("tmpcopyup: failed to unmount tmpdir on error: %v", err)
|
|
+ }
|
|
+ }
|
|
+ }()
|
|
+
|
|
+ return utils.WithProcfd(rootfs, m.Destination, func(procfd string) (Err error) {
|
|
+ // Copy the container data to the host tmpdir. We append "/" to force
|
|
+ // CopyDirectory to resolve the symlink rather than trying to copy the
|
|
+ // symlink itself.
|
|
+ if err := fileutils.CopyDirectory(procfd+"/", tmpDir); err != nil {
|
|
+ return fmt.Errorf("tmpcopyup: failed to copy %s to %s (%s): %w", m.Destination, procfd, tmpDir, err)
|
|
+ }
|
|
+ // Now move the mount into the container.
|
|
+ if err := unix.Mount(tmpDir, procfd, "", unix.MS_MOVE, ""); err != nil {
|
|
+ return fmt.Errorf("tmpcopyup: failed to move mount %s to %s (%s): %w", tmpDir, procfd, m.Destination, err)
|
|
+ }
|
|
+ return nil
|
|
+ })
|
|
}
|
|
|
|
func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns bool) error {
|
|
- var (
|
|
- dest = m.Destination
|
|
- )
|
|
- if !strings.HasPrefix(dest, rootfs) {
|
|
- dest = filepath.Join(rootfs, dest)
|
|
+ dest, err := securejoin.SecureJoin(rootfs, m.Destination)
|
|
+ if err != nil {
|
|
+ return err
|
|
}
|
|
|
|
switch m.Device {
|
|
@@ -337,46 +384,22 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b
|
|
}
|
|
return nil
|
|
case "tmpfs":
|
|
- copyUp := m.Extensions&configs.EXT_COPYUP == configs.EXT_COPYUP
|
|
- tmpDir := ""
|
|
stat, err := os.Stat(dest)
|
|
if err != nil {
|
|
if err := os.MkdirAll(dest, 0755); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
- if copyUp {
|
|
- tmpdir, err := prepareTmp("/tmp")
|
|
- if err != nil {
|
|
- return newSystemErrorWithCause(err, "tmpcopyup: failed to setup tmpdir")
|
|
- }
|
|
- defer cleanupTmp(tmpdir)
|
|
- tmpDir, err = ioutil.TempDir(tmpdir, "runctmpdir")
|
|
- if err != nil {
|
|
- return newSystemErrorWithCause(err, "tmpcopyup: failed to create tmpdir")
|
|
- }
|
|
- defer os.RemoveAll(tmpDir)
|
|
- m.Destination = tmpDir
|
|
+
|
|
+ if m.Extensions&configs.EXT_COPYUP == configs.EXT_COPYUP {
|
|
+ err = doTmpfsCopyUp(m, rootfs, mountLabel)
|
|
+ } else {
|
|
+ err = mountPropagate(m, rootfs, mountLabel)
|
|
}
|
|
- if err := mountPropagate(m, rootfs, mountLabel); err != nil {
|
|
+ if err != nil {
|
|
return err
|
|
}
|
|
- if copyUp {
|
|
- if err := fileutils.CopyDirectory(dest, tmpDir); err != nil {
|
|
- errMsg := fmt.Errorf("tmpcopyup: failed to copy %s to %s: %v", dest, tmpDir, err)
|
|
- if err1 := unix.Unmount(tmpDir, unix.MNT_DETACH); err1 != nil {
|
|
- return newSystemErrorWithCausef(err1, "tmpcopyup: %v: failed to unmount", errMsg)
|
|
- }
|
|
- return errMsg
|
|
- }
|
|
- if err := unix.Mount(tmpDir, dest, "", unix.MS_MOVE, ""); err != nil {
|
|
- errMsg := fmt.Errorf("tmpcopyup: failed to move mount %s to %s: %v", tmpDir, dest, err)
|
|
- if err1 := unix.Unmount(tmpDir, unix.MNT_DETACH); err1 != nil {
|
|
- return newSystemErrorWithCausef(err1, "tmpcopyup: %v: failed to unmount", errMsg)
|
|
- }
|
|
- return errMsg
|
|
- }
|
|
- }
|
|
+
|
|
if stat != nil {
|
|
if err = os.Chmod(dest, stat.Mode()); err != nil {
|
|
return err
|
|
@@ -414,19 +437,9 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b
|
|
}
|
|
return mountCgroupV1(m, rootfs, mountLabel, enableCgroupns)
|
|
default:
|
|
- // ensure that the destination of the mount is resolved of symlinks at mount time because
|
|
- // any previous mounts can invalidate the next mount's destination.
|
|
- // this can happen when a user specifies mounts within other mounts to cause breakouts or other
|
|
- // evil stuff to try to escape the container's rootfs.
|
|
- var err error
|
|
- if dest, err = securejoin.SecureJoin(rootfs, m.Destination); err != nil {
|
|
- return err
|
|
- }
|
|
if err := checkProcMount(rootfs, dest, m.Source); err != nil {
|
|
return err
|
|
}
|
|
- // update the mount with the correct dest after symlinks are resolved.
|
|
- m.Destination = dest
|
|
if err := os.MkdirAll(dest, 0755); err != nil {
|
|
return err
|
|
}
|
|
@@ -601,7 +614,7 @@ func createDevices(config *configs.Config) error {
|
|
return nil
|
|
}
|
|
|
|
-func bindMountDeviceNode(dest string, node *configs.Device) error {
|
|
+func bindMountDeviceNode(rootfs, dest string, node *configs.Device) error {
|
|
f, err := os.Create(dest)
|
|
if err != nil && !os.IsExist(err) {
|
|
return err
|
|
@@ -609,7 +622,9 @@ func bindMountDeviceNode(dest string, node *configs.Device) error {
|
|
if f != nil {
|
|
f.Close()
|
|
}
|
|
- return unix.Mount(node.Path, dest, "bind", unix.MS_BIND, "")
|
|
+ return utils.WithProcfd(rootfs, dest, func(procfd string) error {
|
|
+ return unix.Mount(node.Path, procfd, "bind", unix.MS_BIND, "")
|
|
+ })
|
|
}
|
|
|
|
// Creates the device node in the rootfs of the container.
|
|
@@ -618,18 +633,21 @@ func createDeviceNode(rootfs string, node *configs.Device, bind bool) error {
|
|
// The node only exists for cgroup reasons, ignore it here.
|
|
return nil
|
|
}
|
|
- dest := filepath.Join(rootfs, node.Path)
|
|
+ dest, err := securejoin.SecureJoin(rootfs, node.Path)
|
|
+ if err != nil {
|
|
+ return err
|
|
+ }
|
|
if err := os.MkdirAll(filepath.Dir(dest), 0755); err != nil {
|
|
return err
|
|
}
|
|
if bind {
|
|
- return bindMountDeviceNode(dest, node)
|
|
+ return bindMountDeviceNode(rootfs, dest, node)
|
|
}
|
|
if err := mknodDevice(dest, node); err != nil {
|
|
if os.IsExist(err) {
|
|
return nil
|
|
} else if os.IsPermission(err) {
|
|
- return bindMountDeviceNode(dest, node)
|
|
+ return bindMountDeviceNode(rootfs, dest, node)
|
|
}
|
|
return err
|
|
}
|
|
@@ -929,55 +947,43 @@ func writeSystemProperty(key, value string) error {
|
|
}
|
|
|
|
func remount(m *configs.Mount, rootfs string) error {
|
|
- var (
|
|
- dest = m.Destination
|
|
- )
|
|
- if !strings.HasPrefix(dest, rootfs) {
|
|
- dest = filepath.Join(rootfs, dest)
|
|
- }
|
|
- return unix.Mount(m.Source, dest, m.Device, uintptr(m.Flags|unix.MS_REMOUNT), "")
|
|
+ return utils.WithProcfd(rootfs, m.Destination, func(procfd string) error {
|
|
+ return unix.Mount(m.Source, procfd, m.Device, uintptr(m.Flags|unix.MS_REMOUNT), "")
|
|
+ })
|
|
}
|
|
|
|
// Do the mount operation followed by additional mounts required to take care
|
|
-// of propagation flags.
|
|
+// of propagation flags. This will always be scoped inside the container rootfs.
|
|
func mountPropagate(m *configs.Mount, rootfs string, mountLabel string) error {
|
|
var (
|
|
- dest = m.Destination
|
|
data = label.FormatMountLabel(m.Data, mountLabel)
|
|
flags = m.Flags
|
|
)
|
|
- if libcontainerUtils.CleanPath(dest) == "/dev" {
|
|
+ if utils.CleanPath(m.Destination) == "/dev" {
|
|
flags &= ^unix.MS_RDONLY
|
|
}
|
|
|
|
- copyUp := m.Extensions&configs.EXT_COPYUP == configs.EXT_COPYUP
|
|
- if !(copyUp || strings.HasPrefix(dest, rootfs)) {
|
|
- dest = filepath.Join(rootfs, dest)
|
|
- }
|
|
-
|
|
- if err := unix.Mount(m.Source, dest, m.Device, uintptr(flags), data); err != nil {
|
|
- return err
|
|
- }
|
|
-
|
|
- for _, pflag := range m.PropagationFlags {
|
|
- if err := unix.Mount("", dest, "", uintptr(pflag), ""); err != nil {
|
|
- return err
|
|
+ // Because the destination is inside a container path which might be
|
|
+ // mutating underneath us, we verify that we are actually going to mount
|
|
+ // inside the container with WithProcfd() -- mounting through a procfd
|
|
+ // mounts on the target.
|
|
+ if err := utils.WithProcfd(rootfs, m.Destination, func(procfd string) error {
|
|
+ return unix.Mount(m.Source, procfd, m.Device, uintptr(flags), data)
|
|
+ }); err != nil {
|
|
+ return fmt.Errorf("mount through procfd: %w", err)
|
|
+ }
|
|
+ // We have to apply mount propagation flags in a separate WithProcfd() call
|
|
+ // because the previous call invalidates the passed procfd -- the mount
|
|
+ // target needs to be re-opened.
|
|
+ if err := utils.WithProcfd(rootfs, m.Destination, func(procfd string) error {
|
|
+ for _, pflag := range m.PropagationFlags {
|
|
+ if err := unix.Mount("", procfd, "", uintptr(pflag), ""); err != nil {
|
|
+ return err
|
|
+ }
|
|
}
|
|
- }
|
|
- return nil
|
|
-}
|
|
-
|
|
-func mountNewCgroup(m *configs.Mount) error {
|
|
- var (
|
|
- data = m.Data
|
|
- source = m.Source
|
|
- )
|
|
- if data == "systemd" {
|
|
- data = cgroups.CgroupNamePrefix + data
|
|
- source = "systemd"
|
|
- }
|
|
- if err := unix.Mount(source, m.Destination, m.Device, uintptr(m.Flags), data); err != nil {
|
|
- return err
|
|
+ return nil
|
|
+ }); err != nil {
|
|
+ return fmt.Errorf("change mount propagation through procfd: %w", err)
|
|
}
|
|
return nil
|
|
}
|
|
diff --git a/libcontainer/utils/utils.go b/libcontainer/utils/utils.go
|
|
index 40ccfaa1..53563951 100644
|
|
--- a/libcontainer/utils/utils.go
|
|
+++ b/libcontainer/utils/utils.go
|
|
@@ -2,12 +2,15 @@ package utils
|
|
|
|
import (
|
|
"encoding/json"
|
|
+ "fmt"
|
|
"io"
|
|
"os"
|
|
"path/filepath"
|
|
+ "strconv"
|
|
"strings"
|
|
"unsafe"
|
|
|
|
+ "github.com/cyphar/filepath-securejoin"
|
|
"golang.org/x/sys/unix"
|
|
)
|
|
|
|
@@ -73,6 +76,57 @@ func CleanPath(path string) string {
|
|
return filepath.Clean(path)
|
|
}
|
|
|
|
+// stripRoot returns the passed path, stripping the root path if it was
|
|
+// (lexicially) inside it. Note that both passed paths will always be treated
|
|
+// as absolute, and the returned path will also always be absolute. In
|
|
+// addition, the paths are cleaned before stripping the root.
|
|
+func stripRoot(root, path string) string {
|
|
+ // Make the paths clean and absolute.
|
|
+ root, path = CleanPath("/"+root), CleanPath("/"+path)
|
|
+ switch {
|
|
+ case path == root:
|
|
+ path = "/"
|
|
+ case root == "/":
|
|
+ // do nothing
|
|
+ case strings.HasPrefix(path, root+"/"):
|
|
+ path = strings.TrimPrefix(path, root+"/")
|
|
+ }
|
|
+ return CleanPath("/" + path)
|
|
+}
|
|
+
|
|
+// WithProcfd runs the passed closure with a procfd path (/proc/self/fd/...)
|
|
+// corresponding to the unsafePath resolved within the root. Before passing the
|
|
+// fd, this path is verified to have been inside the root -- so operating on it
|
|
+// through the passed fdpath should be safe. Do not access this path through
|
|
+// the original path strings, and do not attempt to use the pathname outside of
|
|
+// the passed closure (the file handle will be freed once the closure returns).
|
|
+func WithProcfd(root, unsafePath string, fn func(procfd string) error) error {
|
|
+ // Remove the root then forcefully resolve inside the root.
|
|
+ unsafePath = stripRoot(root, unsafePath)
|
|
+ path, err := securejoin.SecureJoin(root, unsafePath)
|
|
+ if err != nil {
|
|
+ return fmt.Errorf("resolving path inside rootfs failed: %v", err)
|
|
+ }
|
|
+
|
|
+ // Open the target path.
|
|
+ fh, err := os.OpenFile(path, unix.O_PATH|unix.O_CLOEXEC, 0)
|
|
+ if err != nil {
|
|
+ return fmt.Errorf("open o_path procfd: %w", err)
|
|
+ }
|
|
+ defer fh.Close()
|
|
+
|
|
+ // Double-check the path is the one we expected.
|
|
+ procfd := "/proc/self/fd/" + strconv.Itoa(int(fh.Fd()))
|
|
+ if realpath, err := os.Readlink(procfd); err != nil {
|
|
+ return fmt.Errorf("procfd verification failed: %w", err)
|
|
+ } else if realpath != path {
|
|
+ return fmt.Errorf("possibly malicious path detected -- refusing to operate on %s", realpath)
|
|
+ }
|
|
+
|
|
+ // Run the closure.
|
|
+ return fn(procfd)
|
|
+}
|
|
+
|
|
// SearchLabels searches a list of key-value pairs for the provided key and
|
|
// returns the corresponding value. The pairs must be separated with '='.
|
|
func SearchLabels(labels []string, query string) string {
|
|
diff --git a/libcontainer/utils/utils_test.go b/libcontainer/utils/utils_test.go
|
|
index 395eedcf..5b80cac6 100644
|
|
--- a/libcontainer/utils/utils_test.go
|
|
+++ b/libcontainer/utils/utils_test.go
|
|
@@ -140,3 +140,38 @@ func TestCleanPath(t *testing.T) {
|
|
t.Errorf("expected to receive '/foo' and received %s", path)
|
|
}
|
|
}
|
|
+
|
|
+func TestStripRoot(t *testing.T) {
|
|
+ for _, test := range []struct {
|
|
+ root, path, out string
|
|
+ }{
|
|
+ // Works with multiple components.
|
|
+ {"/a/b", "/a/b/c", "/c"},
|
|
+ {"/hello/world", "/hello/world/the/quick-brown/fox", "/the/quick-brown/fox"},
|
|
+ // '/' must be a no-op.
|
|
+ {"/", "/a/b/c", "/a/b/c"},
|
|
+ // Must be the correct order.
|
|
+ {"/a/b", "/a/c/b", "/a/c/b"},
|
|
+ // Must be at start.
|
|
+ {"/abc/def", "/foo/abc/def/bar", "/foo/abc/def/bar"},
|
|
+ // Must be a lexical parent.
|
|
+ {"/foo/bar", "/foo/barSAMECOMPONENT", "/foo/barSAMECOMPONENT"},
|
|
+ // Must only strip the root once.
|
|
+ {"/foo/bar", "/foo/bar/foo/bar/baz", "/foo/bar/baz"},
|
|
+ // Deal with .. in a fairly sane way.
|
|
+ {"/foo/bar", "/foo/bar/../baz", "/foo/baz"},
|
|
+ {"/foo/bar", "../../../../../../foo/bar/baz", "/baz"},
|
|
+ {"/foo/bar", "/../../../../../../foo/bar/baz", "/baz"},
|
|
+ {"/foo/bar/../baz", "/foo/baz/bar", "/bar"},
|
|
+ {"/foo/bar/../baz", "/foo/baz/../bar/../baz/./foo", "/foo"},
|
|
+ // All paths are made absolute before stripping.
|
|
+ {"foo/bar", "/foo/bar/baz/bee", "/baz/bee"},
|
|
+ {"/foo/bar", "foo/bar/baz/beef", "/baz/beef"},
|
|
+ {"foo/bar", "foo/bar/baz/beets", "/baz/beets"},
|
|
+ } {
|
|
+ got := stripRoot(test.root, test.path)
|
|
+ if got != test.out {
|
|
+ t.Errorf("stripRoot(%q, %q) -- got %q, expected %q", test.root, test.path, got, test.out)
|
|
+ }
|
|
+ }
|
|
+}
|
|
--
|
|
2.31.1
|
|
|