Skip to content

[1.1] rootfs: fix 'can we mount on top of /proc' check #4334

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
lifubang merged 1 commit into from
Jul 5, 2024
Merged

[1.1] rootfs: fix 'can we mount on top of /proc' check #4334

lifubang merged 1 commit into from
Jul 5, 2024

Conversation

@cyphar
Copy link
Member

@cyphar cyphar commented Jul 2, 2024

(Backport of a patch from #3985.)

(This is a cherry-pick of cdff09a but modified so that changes like 8e8b136 and a60933b don't also need to be backported. Ideally we would backport the entire "remove all mount logic from nsexec" series, but that would be a bit too much.)

Our previous test for whether we can mount on top of /proc incorrectly assumed that it would only be called with bind-mount sources. This meant that having a non bind-mount entry for a pseudo-filesystem (like overlayfs) with a dummy source set to /proc on the host would let you bypass the check, which could easily lead to security issues.

In addition, the check should be applied more uniformly to all mount types, so fix that as well. And add some tests for some of the tricky cases to make sure we protect against them properly.

Fixes: 331692b ("Only allow proc mount if it is procfs")
Signed-off-by: Aleksa Sarai cyphar@cyphar.com

@cyphar cyphar added the backport/1.1-pr A backport PR to release-1.1 label Jul 2, 2024
@cyphar cyphar force-pushed the 1.1-rootfs-mountfd branch from 3f9f656 to c1877c8 Compare July 2, 2024 10:27
@kolyshkin kolyshkin added this to the 1.1.14 milestone Jul 2, 2024
kolyshkin
kolyshkin approved these changes Jul 2, 2024
View reviewed changes
Copy link
Contributor

@kolyshkin kolyshkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@kolyshkin
Copy link
Contributor

kolyshkin commented Jul 3, 2024

@cyphar this one needs a rebase to make CI green again as #4336 is now merged

@kolyshkin kolyshkin requested review from AkihiroSuda and lifubang July 3, 2024 05:37
@cyphar cyphar force-pushed the 1.1-rootfs-mountfd branch from c1877c8 to 0318bb2 Compare July 3, 2024 05:39
lifubang
lifubang reviewed Jul 3, 2024
View reviewed changes
lifubang
lifubang reviewed Jul 3, 2024
View reviewed changes
@cyphar cyphar mentioned this pull request Jul 4, 2024
Merged
@cyphar
[1.1] rootfs: fix 'can we mount on top of /proc' check
a0292ca 
(This is a cherry-pick of cdff09a but
modified so that changes like 8e8b136 and a60933b don't also
need to be backported. Ideally we would backport the entire "remove all
mount logic from nsexec" series, but that would be a bit too much.)

Our previous test for whether we can mount on top of /proc incorrectly
assumed that it would only be called with bind-mount sources. This meant
that having a non bind-mount entry for a pseudo-filesystem (like
overlayfs) with a dummy source set to /proc on the host would let you
bypass the check, which could easily lead to security issues.

In addition, the check should be applied more uniformly to all mount
types, so fix that as well. And add some tests for some of the tricky
cases to make sure we protect against them properly.

Fixes: 331692b ("Only allow proc mount if it is procfs")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
@cyphar cyphar force-pushed the 1.1-rootfs-mountfd branch from 0318bb2 to a0292ca Compare July 4, 2024 04:19
@cyphar
Copy link
Member Author

cyphar commented Jul 4, 2024

I re-added the if source == "" check to avoid any possible breakage. I'll add a follow-up patch for main to clarify this behaviour.

@cyphar cyphar requested a review from lifubang July 4, 2024 15:16
@lifubang lifubang merged commit 615068f into opencontainers:release-1.1 Jul 5, 2024
@cyphar cyphar deleted the 1.1-rootfs-mountfd branch July 5, 2024 04:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lifubang lifubang lifubang approved these changes

@kolyshkin kolyshkin kolyshkin approved these changes

@AkihiroSuda AkihiroSuda Awaiting requested review from AkihiroSuda

Assignees

No one assigned

Labels

backport/1.1-pr A backport PR to release-1.1

Projects

None yet

Milestone

1.1.14

Development

Successfully merging this pull request may close these issues.

3 participants

@cyphar @kolyshkin @lifubang