docker/patch/0012-hookspec-Security-enhancement-for-hooks.patch

From e81d103000ae3213b91ed54410ddb20d911ddc1a Mon Sep 17 00:00:00 2001
From: lujingxiao <lujingxiao@huawei.com>
Date: Sat, 19 Jan 2019 11:15:56 +0800
Subject: [PATCH 012/111] hookspec:  Security enhancement for hooks

reason: Currently docker support running hooks with any path, this is insecure.
To solve this, we need to restrict path to specified path, e.g.
"/var/lib/docker/hooks" or "/var/lib/docker/1000.1000/hooks" if user
remap enabled for user ns.

Change-Id: I9cff78f1a1105dcb4bc0b00c8e6e715904dfb778
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
Signed-off-by: xiadanni <xiadanni@huawei.com>
Signed-off-by: lujingxiao <lujingxiao@huawei.com>
---
 components/engine/daemon/container.go | 37 +++++++++++++++++++++++++++
 components/engine/daemon/daemon.go    |  1 +
 2 files changed, 38 insertions(+)

diff --git a/components/engine/daemon/container.go b/components/engine/daemon/container.go
index 8e68904b16..0864443513 100644
--- a/components/engine/daemon/container.go
+++ b/components/engine/daemon/container.go
@@ -250,6 +250,43 @@ func (daemon *Daemon) registerHooks(container *container.Container, hostConfig *
 	if err = json.NewDecoder(f).Decode(&container.Hooks); err != nil {
 		return fmt.Errorf("malformed hook spec, is your spec file in json format? error: %v", err)
 	}
+
+	// hook path must be absolute and must be subdir of XXX
+	if err = daemon.validateHook(container); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (daemon *Daemon) validateHook(container *container.Container) error {
+	for _, v := range container.Hooks.Prestart {
+		if err := daemon.validateHookPath(v.Path); err != nil {
+			return err
+		}
+	}
+	for _, v := range container.Hooks.Poststart {
+		if err := daemon.validateHookPath(v.Path); err != nil {
+			return err
+		}
+	}
+	for _, v := range container.Hooks.Poststop {
+		if err := daemon.validateHookPath(v.Path); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (daemon *Daemon) validateHookPath(path string) error {
+	// hook path must be absolute and must be subdir of XXX
+	path = filepath.Clean(path)
+	if !filepath.IsAbs(path) {
+		return fmt.Errorf("Hook path %q must be an absolute path", path)
+	}
+
+	if !filepath.HasPrefix(path, daemon.hookStore) {
+		return fmt.Errorf("hook program must be put under %q", daemon.hookStore)
+	}
 	return nil
 }
 
diff --git a/components/engine/daemon/daemon.go b/components/engine/daemon/daemon.go
index 8d6b4d8546..d1f3131c4f 100644
--- a/components/engine/daemon/daemon.go
+++ b/components/engine/daemon/daemon.go
@@ -95,6 +95,7 @@ type Daemon struct {
 	volumes           *volumesservice.VolumesService
 	discoveryWatcher  discovery.Reloader
 	root              string
+	hookStore         string
 	seccompEnabled    bool
 	apparmorEnabled   bool
 	shutdown          bool
-- 
2.17.1
Package init 2019-09-30 10:37:25 -04:00			`From e81d103000ae3213b91ed54410ddb20d911ddc1a Mon Sep 17 00:00:00 2001`
			`From: lujingxiao <lujingxiao@huawei.com>`
			`Date: Sat, 19 Jan 2019 11:15:56 +0800`
			`Subject: [PATCH 012/111] hookspec: Security enhancement for hooks`

			`reason: Currently docker support running hooks with any path, this is insecure.`
			`To solve this, we need to restrict path to specified path, e.g.`
			`"/var/lib/docker/hooks" or "/var/lib/docker/1000.1000/hooks" if user`
			`remap enabled for user ns.`

			`Change-Id: I9cff78f1a1105dcb4bc0b00c8e6e715904dfb778`
			`Signed-off-by: Zhang Wei <zhangwei555@huawei.com>`
			`Signed-off-by: xiadanni <xiadanni@huawei.com>`
			`Signed-off-by: lujingxiao <lujingxiao@huawei.com>`
			`---`
			`components/engine/daemon/container.go \| 37 +++++++++++++++++++++++++++`
			`components/engine/daemon/daemon.go \| 1 +`
			`2 files changed, 38 insertions(+)`

			`diff --git a/components/engine/daemon/container.go b/components/engine/daemon/container.go`
			`index 8e68904b16..0864443513 100644`
			`--- a/components/engine/daemon/container.go`
			`+++ b/components/engine/daemon/container.go`
			`@@ -250,6 +250,43 @@ func (daemon Daemon) registerHooks(container container.Container, hostConfig *`
			`if err = json.NewDecoder(f).Decode(&container.Hooks); err != nil {`
			`return fmt.Errorf("malformed hook spec, is your spec file in json format? error: %v", err)`
			`}`
			`+`
			`+ // hook path must be absolute and must be subdir of XXX`
			`+ if err = daemon.validateHook(container); err != nil {`
			`+ return err`
			`+ }`
			`+ return nil`
			`+}`
			`+`
			`+func (daemon Daemon) validateHook(container container.Container) error {`
			`+ for _, v := range container.Hooks.Prestart {`
			`+ if err := daemon.validateHookPath(v.Path); err != nil {`
			`+ return err`
			`+ }`
			`+ }`
			`+ for _, v := range container.Hooks.Poststart {`
			`+ if err := daemon.validateHookPath(v.Path); err != nil {`
			`+ return err`
			`+ }`
			`+ }`
			`+ for _, v := range container.Hooks.Poststop {`
			`+ if err := daemon.validateHookPath(v.Path); err != nil {`
			`+ return err`
			`+ }`
			`+ }`
			`+ return nil`
			`+}`
			`+`
			`+func (daemon *Daemon) validateHookPath(path string) error {`
			`+ // hook path must be absolute and must be subdir of XXX`
			`+ path = filepath.Clean(path)`
			`+ if !filepath.IsAbs(path) {`
			`+ return fmt.Errorf("Hook path %q must be an absolute path", path)`
			`+ }`
			`+`
			`+ if !filepath.HasPrefix(path, daemon.hookStore) {`
			`+ return fmt.Errorf("hook program must be put under %q", daemon.hookStore)`
			`+ }`
			`return nil`
			`}`

			`diff --git a/components/engine/daemon/daemon.go b/components/engine/daemon/daemon.go`
			`index 8d6b4d8546..d1f3131c4f 100644`
			`--- a/components/engine/daemon/daemon.go`
			`+++ b/components/engine/daemon/daemon.go`
			`@@ -95,6 +95,7 @@ type Daemon struct {`
			`volumes *volumesservice.VolumesService`
			`discoveryWatcher discovery.Reloader`
			`root string`
			`+ hookStore string`
			`seccompEnabled bool`
			`apparmorEnabled bool`
			`shutdown bool`
			`--`
			`2.17.1`