selinux: verify that writes to /proc/... are on procfs #59
Merged: rhatdan merged 1 commit into opencontainers:master, Sep 29, 2019
cd2783e to 0386f01
Collaborator: LGTM
This is an additional mitigation for CVE-2019-16884. The primary problem is that Docker can be coerced into bind-mounting a file system on top of /proc (resulting in label-related writes to /proc no longer happening). While runc is working on mitigations against permitting the mounts, this helps avoid go-selinux from being tricked into writing to non-procfs files. This is not a perfect solution (after all, there might be a bind-mount of a different procfs file over the target) but in order to exploit that you would need to be able to tweak a config.json pretty specifically (which thankfully Docker doesn't allow). Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
0386f01 to 03b517d
Author (Member): I changed the error message formatting to match the updated runc PR. /cc @opencontainers/selinux-maintainers
This is an additional mitigation for CVE-2019-16884. The primary problem
is that Docker can be coerced into bind-mounting a file system on top of
/proc (resulting in label-related writes to /proc no longer happening).
While runc is working on mitigations against permitting the mounts, this
helps avoid go-selinux from being tricked into writing to non-procfs
files. This is not a perfect solution (after all, there might be a
bind-mount of a different procfs file over the target) but in order to
exploit that you would need to be able to tweak a config.json pretty
specifically (which thankfully Docker doesn't allow).
See opencontainers/runc#2128
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>