Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

rootfs: umount all procfs and sysfs with --no-pivot #1962

Merged
merged 1 commit into from
Jan 15, 2019

Conversation

giuseppe
Copy link
Member

When creating a new user namespace, the kernel doesn't allow to mount
a new procfs or sysfs file system if there is not already one instance
fully visible in the current mount namespace.

When using --no-pivot we were effectively inhibiting this protection
from the kernel, as /proc and /sys from the host are still present in
the container mount namespace.

A container without full access to /proc could then create a new user
namespace, and from there able to mount a fully visible /proc, bypassing
the limitations in the container.

A simple reproducer for this issue is:

unshare -mrfp sh -c "mount -t proc none /proc && echo c > /proc/sysrq-trigger"

Signed-off-by: Giuseppe Scrivano [email protected]

Copy link
Member

@AkihiroSuda AkihiroSuda left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM (IANAM)

@mrunalp
Copy link
Contributor

mrunalp commented Jan 12, 2019

LGTM

Approved with PullApprove

return err
}
if err := unix.Unmount(p, unix.MNT_DETACH); err != nil {
if err.(syscall.Errno) != unix.EINVAL {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Potentially we can also get EPERM here?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess, but I never saw that error message, when trying to umount /proc or /sys I got only EINVAL. I can amend the patch if you'd like

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I went forward and amended the change in the updated version

When creating a new user namespace, the kernel doesn't allow to mount
a new procfs or sysfs file system if there is not already one instance
fully visible in the current mount namespace.

When using --no-pivot we were effectively inhibiting this protection
from the kernel, as /proc and /sys from the host are still present in
the container mount namespace.

A container without full access to /proc could then create a new user
namespace, and from there able to mount a fully visible /proc, bypassing
the limitations in the container.

A simple reproducer for this issue is:

unshare -mrfp sh -c "mount -t proc none /proc && echo c > /proc/sysrq-trigger"

Signed-off-by: Giuseppe Scrivano <[email protected]>
@mrunalp
Copy link
Contributor

mrunalp commented Jan 14, 2019

LGTM

Approved with PullApprove

@cyphar
Copy link
Member

cyphar commented Jan 15, 2019

LGTM.

Approved with PullApprove

@cyphar cyphar merged commit 28a697c into opencontainers:master Jan 15, 2019
cyphar added a commit that referenced this pull request Jan 15, 2019
  rootfs: umount all procfs and sysfs with --no-pivot

LGTMs: @mrunalp @cyphar
Closes #1962
AkihiroSuda added a commit to AkihiroSuda/docker that referenced this pull request Jan 15, 2019
Changes: opencontainers/runc@96ec217...12f6a99

Including critical security fix for `runc run --no-pivot` (`DOCKER_RAMDISK=1`): opencontainers/runc#1962

Signed-off-by: Akihiro Suda <[email protected]>
AkihiroSuda added a commit to AkihiroSuda/buildkit_poc that referenced this pull request Jan 15, 2019
Including critical security fix for `runc run --no-pivot` (unlikely to
affect BuildKit): opencontainers/runc#1962

Signed-off-by: Akihiro Suda <[email protected]>
AkihiroSuda added a commit to AkihiroSuda/containerd that referenced this pull request Jan 15, 2019
Changes: opencontainers/runc@96ec217...12f6a99

Including critical security fix for `runc run --no-pivot` (`DOCKER_RAMDISK=1`): opencontainers/runc#1962

Signed-off-by: Akihiro Suda <[email protected]>
AkihiroSuda added a commit to AkihiroSuda/containerd that referenced this pull request Jan 15, 2019
Changes: opencontainers/runc@96ec217...12f6a99

Including critical security fix for `runc run --no-pivot` (`DOCKER_RAMDISK=1`): opencontainers/runc#1962

Signed-off-by: Akihiro Suda <[email protected]>
(cherry picked from commit 3aec9e7)
AkihiroSuda added a commit to AkihiroSuda/docker that referenced this pull request Jan 15, 2019
Changes: opencontainers/runc@96ec217...12f6a99

Including critical security fix for `runc run --no-pivot` (`DOCKER_RAMDISK=1`): opencontainers/runc#1962

Signed-off-by: Akihiro Suda <[email protected]>
(cherry picked from commit 1ee33f4)
AkihiroSuda added a commit to AkihiroSuda/containerd that referenced this pull request Jan 15, 2019
Changes: opencontainers/runc@96ec217...12f6a99

Including critical security fix for `runc run --no-pivot` (`DOCKER_RAMDISK=1`): opencontainers/runc#1962

Signed-off-by: Akihiro Suda <[email protected]>
(cherry picked from commit 3aec9e7)
Signed-off-by: Akihiro Suda <[email protected]>
AkihiroSuda added a commit to AkihiroSuda/docker that referenced this pull request Jan 15, 2019
Changes: opencontainers/runc@69663f0...12f6a99

Including critical security fix for `runc run --no-pivot` (`DOCKER_RAMDISK=1`): opencontainers/runc#1962

Signed-off-by: Akihiro Suda <[email protected]>
tstromberg added a commit to tstromberg/minikube that referenced this pull request Jan 16, 2019
return err
}

absRootfs, err := filepath.Abs(rootfs)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AFAICS this is not needed since rootfs is already validated by (*ConfigValidator).rootfs()

}

for _, info := range mountinfos {
p, err := filepath.Abs(info.Mountpoint)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not needed either as paths returned from the kernel are absolute and clean (unless I'm missing something).

I have addressed this in #2255 (a separate commit to keep things simple), PTAL @giuseppe

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants