diff --git a/toolbox-cmd-initContainer-Be-aware-of-security-hardened-moun.patch b/toolbox-cmd-initContainer-Be-aware-of-security-hardened-moun.patch
new file mode 100644
index 0000000..73b91f5
--- /dev/null
+++ b/toolbox-cmd-initContainer-Be-aware-of-security-hardened-moun.patch
@@ -0,0 +1,76 @@
+From 1cc9e07b7c36fe9f9784b40b58f0a2a3694dd328 Mon Sep 17 00:00:00 2001
+From: Debarshi Ray
+Date: Thu, 13 Jul 2023 13:08:40 +0200
+Subject: [PATCH] cmd/initContainer: Be aware of security hardened mount points
+
+Sometimes locations such as /var/lib/flatpak, /var/lib/systemd/coredump
+and /var/log/journal sit on security hardened mount points that are
+marked as 'nosuid,nodev,noexec' [1]. In such cases, when Toolbx is used
+rootless, an attempt to bind mount these locations read-only at runtime
+with mount(8) fails because of permission problems:
+ # mount --rbind -o ro
+ mount: : filesystem was mounted, but any subsequent
+ operation failed: Unknown error 5005.
+
+(Note that the above error message from mount(8) was subsequently
+improved to show something more meaningful than 'Unknown error' [2].)
+
+The problem is that 'init-container' is running inside the container's
+mount and user namespace, and the source paths were mounted inside the
+host's namespace with 'nosuid,nodev,noexec'. The above mount(8) call
+tries to remove the 'nosuid,nodev,noexec' flags from the mount point and
+replace them with only 'ro', which is something that can't be done from
+a child namespace.
+
+Note that this doesn't fail when Toolbx is running as root. This is
+because the container uses the host's user namespace and is able to
+remove the 'nosuid,nodev,noexec' flags from the mount point and replace
+them with only 'ro'. Even though it doesn't fail, the flags shouldn't
+get replaced like that inside the container, because it removes the
+security hardening of those mount points.
+
+There's actually no benefit in bind mounting these paths as read-only.
+It was historically done this way 'just to be safe' because a user isn't
+expected to write to these locations from inside a container. However,
+Toolbx doesn't intend to provide any heightened security beyond what's
+already available on the host.
+
+Hence, it's better to get out of the way and leave it to the permissions
+on the source location from the host operating system to guard the
+castle. This is accomplished by not passing any file system options to
+mount(8) [1].
+
+Based on an idea from Si.
+
+[1] https://man7.org/linux/man-pages/man8/mount.8.html
+
+[2] util-linux commit 9420ca34dc8b6f0f
+ https://github.com/util-linux/util-linux/commit/9420ca34dc8b6f0f
+ https://github.com/util-linux/util-linux/pull/2376
+
+https://github.com/containers/toolbox/issues/911
+---
+ src/cmd/initContainer.go | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/cmd/initContainer.go b/src/cmd/initContainer.go
+index 222aa42e1036..41b825b33f58 100644
+--- a/src/cmd/initContainer.go
++++ b/src/cmd/initContainer.go
+@@ -62,10 +62,10 @@ var (
+ {"/run/udev/data", "/run/host/run/udev/data", ""},
+ {"/run/udev/tags", "/run/host/run/udev/tags", ""},
+ {"/tmp", "/run/host/tmp", "rslave"},
+- {"/var/lib/flatpak", "/run/host/var/lib/flatpak", "ro"},
++ {"/var/lib/flatpak", "/run/host/var/lib/flatpak", ""},
+ {"/var/lib/libvirt", "/run/host/var/lib/libvirt", ""},
+- {"/var/lib/systemd/coredump", "/run/host/var/lib/systemd/coredump", "ro"},
+- {"/var/log/journal", "/run/host/var/log/journal", "ro"},
++ {"/var/lib/systemd/coredump", "/run/host/var/lib/systemd/coredump", ""},
++ {"/var/log/journal", "/run/host/var/log/journal", ""},
+ {"/var/mnt", "/run/host/var/mnt", "rslave"},
+ }
+ )
+-- 
+2.41.0
+
diff --git a/toolbox.spec b/toolbox.spec
index 007d137..8107baf 100644
--- a/toolbox.spec
+++ b/toolbox.spec
@@ -11,7 +11,7 @@ Version: 0.0.99.4
 %gometa -f
 %endif
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: Tool for containerized command line environments on Linux
 License: ASL 2.0
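Review bot: The three mount-table entries in src/cmd/initContainer.go that lose `ro` now carry empty options with no inline rationale, so the only record of why lives in this commit message and a later cleanup could reintroduce the flag. A comment above the `/var/lib/flatpak` entry such as `// No "ro" for flatpak, coredump and journal: the host may mount them nosuid,nodev,noexec, and a read-only remount from the container's namespace either fails (rootless) or strips those flags (rootful); see containers/toolbox#911.` would keep the reason next to the code. It is also worth stating there that, once the read-only flag is gone, nothing at the mount level stops writes to these directories from the container and only the host's permissions on the source apply, since the message presents that as intended rather than as an oversight. The enclosing `var (` block begins before the inner hunk, and because this outer hunk only adds the patch file, the comment belongs in the upstream Go change rather than in this dist-git diff.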
@@ -24,6 +24,7 @@ Source1: %{name}.conf
 # Upstream
 Patch0: toolbox-Don-t-use-podman-1-when-generating-the-comp.patch
 Patch1: toolbox-Don-t-validate-subordinate-IDs-when-generat.patch
+Patch2: toolbox-cmd-initContainer-Be-aware-of-security-hardened-moun.patch
 # RHEL specific
 Patch100: toolbox-Make-the-build-flags-match-RHEL-s-gobuild.patch
@@ -92,6 +93,7 @@ The %{name}-tests package contains system tests for %{name}.
 %setup -q
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 %ifnarch ppc64
 %patch100 -p1
@@ -154,6 +156,10 @@ install -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/containers/%{name}.conf
 %changelog
+* Fri Aug 11 2023 Debarshi Ray - 0.0.99.4-5
+- Be aware of security hardened mount points
+Resolves: #2222789
+
 * Mon Aug 07 2023 Debarshi Ray - 0.0.99.4-4
 - Rebuild for CVE-2023-24539, CVE-2023-24540 and CVE-2023-29400
 Resolves: #2221850