@cyphar
Member

cyphar commented Feb 11, 2016

Fix m.Path legacy code to actually work. This means
we'll be able to finally vendor to Docker. It'd be nice
to merge this ASAP so we can finally merge a bunch
of stuff in Docker.

Fixes #551

Signed-off-by: Aleksa Sarai [email protected]

/cc @crosbymichael @LK4D4

@cyphar
Member Author

cyphar commented Feb 11, 2016

Right, so it turns out that the patch I'm fixing also introduced a security vulnerability. I'll include it in this PR.

@cyphar
Member Author

cyphar commented Feb 11, 2016

The Docker suite passes once you apply this PR. Please merge ASAP. Thanks guys. :D

/ping @crosbymichael @LK4D4 @dqminh @mrunalp @vmarmol

@mlaventure
Contributor

Looks like I forgot to call the cleaning path routine in my last refactoring. Thanks for spotting it!

Could you also add a unit test for it within runc? This would avoid having to wait on vendoring into docker to find future regressions, if any.

@crosbymichael
Member

Yes, can you add some unit tests for this path logic?

@cyphar
Member Author

cyphar commented Feb 12, 2016

@crosbymichael I've added some (pretty exhaustive IMO) unit tests to make sure we don't run into this again. :P

}

config := &configs.Cgroup{
Parent: "../../../../../../../../../../some/path",

Contributor

Missing the initial / to make it absolute

Member Author

Nit addressed (in TestInvalidAbsoluteCgroupParent).

Fix m.Path legacy code to actually work.

Signed-off-by: Aleksa Sarai <[email protected]>

Ensure that path safety is maintained, this essentially reapplies
c0cad6a ("cgroups: fs: fix cgroup.Parent path sanitisation"), which
was accidentally removed in 256f3a8 ("Add support for CgroupsPath
field").

Signed-off-by: Aleksa Sarai <[email protected]>

In order to avoid problems with security regressions going unnoticed,
add some unit tests that should make sure security regressions in cgroup
path safety cause tests to fail in runC.

Signed-off-by: Aleksa Sarai <[email protected]>
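
An added illustration of the path-safety property these commits restore, not code from this PR or from runc: the `Parent` value from the test is joined under a cgroup root with and without cleaning. The helper names (`cleanPath`, `unsafeJoin`, `safeJoin`, `underRoot`), the root path, the `name` component and the absolute variant of the input are assumptions made for the example.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// cgroupRoot is a constructed mount point for this example, not a value from the PR.
const cgroupRoot = "/sys/fs/cgroup/devices"

// cleanPath (hypothetical helper) resolves ".." lexically so none can climb above "/".
func cleanPath(p string) string {
	if p == "" {
		return ""
	}
	p = filepath.Clean(p)
	if !filepath.IsAbs(p) {
		// Anchor at "/" so leading ".." elements are dropped, then make it relative again.
		p = filepath.Clean("/" + p)
		p, _ = filepath.Rel("/", p)
	}
	return filepath.Clean(p)
}

// unsafeJoin joins the untrusted parent and name without cleaning them first.
func unsafeJoin(parent, name string) string {
	return filepath.Join(cgroupRoot, parent, name)
}

// safeJoin cleans each untrusted component before joining.
func safeJoin(parent, name string) string {
	return filepath.Join(cgroupRoot, cleanPath(parent), cleanPath(name))
}

// underRoot reports whether p is cgroupRoot itself or a descendant of it.
func underRoot(p string) bool {
	return p == cgroupRoot || strings.HasPrefix(p, cgroupRoot+"/")
}

func main() {
	for _, parent := range []string{
		"../../../../../../../../../../some/path",  // relative form shown in the PR's test
		"/../../../../../../../../../../some/path", // absolute form (constructed)
	} {
		u, s := unsafeJoin(parent, "name"), safeJoin(parent, "name")
		fmt.Printf("%s\n  uncleaned %s (under root: %v)\n  cleaned   %s (under root: %v)\n", parent, u, underRoot(u), s, underRoot(s))
	}
}
```

A regression test along these lines fails as soon as the cleaning call is dropped from the join, which is the failure mode the third commit message describes.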

@hqhq
Contributor

hqhq commented Feb 15, 2016

LGTM

@cyphar
Member Author

cyphar commented Feb 16, 2016

/ping @crosbymichael @mlaventure @LK4D4

cgName := libcontainerUtils.CleanPath(c.Name)

innerPath := cgPath
if innerPath == "" {
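
Review bot: innerPath is taken directly from cgPath on the second visible line, and of the inputs only c.Name is shown going through libcontainerUtils.CleanPath in this excerpt. If cgPath and the parent component are not cleaned in the lines above, the empty-path fallback would join unsanitised values, so it is worth confirming that every component is cleaned before the innerPath check and adding a test that exercises the cgPath branch as well as Parent.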

Contributor

maybe just rename innerPath to cgPath to avoid temp variable

@crosbymichael
Member

LGTM

crosbymichael added a commit that referenced this pull request Feb 16, 2016
libcontainer: cgroups: fs: fix innerPath
@crosbymichael crosbymichael merged commit 2b0a53b into opencontainers:master Feb 16, 2016
@cyphar cyphar deleted the fix-cgroup-path branch February 16, 2016 21:36
stefanberger pushed a commit to stefanberger/runc that referenced this pull request Sep 8, 2017