packages/iSulad
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
iSulad/0024-2165-preventing-the-use-of-insecure-isulad-tmpdir-di.patch

141 lines
3.7 KiB
Diff
Raw Normal View History

!621 Add vsock support for exec * Add vsock support for exec
2023-09-13 02:47:13 +00:00
From 64f94112728f35ee76d56fa4cf6dc41bd5cd5d33 Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Sat, 2 Sep 2023 08:56:38 +0000
Subject: [PATCH 24/33] !2165 preventing the use of insecure isulad tmpdir
directory * preventing the use of insecure isulad tmpdir directory
---
src/common/constants.h | 2 +
.../container/leftover_cleanup/cleanup.c | 66 ++++++++++++++++++-
src/daemon/modules/image/oci/utils_images.c | 10 +++
3 files changed, 77 insertions(+), 1 deletion(-)
diff --git a/src/common/constants.h b/src/common/constants.h
index d93bb464..c0417263 100644
--- a/src/common/constants.h
+++ b/src/common/constants.h
@@ -50,6 +50,8 @@ extern "C" {
#define TEMP_DIRECTORY_MODE 0700
+#define ISULAD_TEMP_DIRECTORY_MODE 0660
+
#define CONSOLE_FIFO_DIRECTORY_MODE 0770
#define SOCKET_GROUP_DIRECTORY_MODE 0660
diff --git a/src/daemon/modules/container/leftover_cleanup/cleanup.c b/src/daemon/modules/container/leftover_cleanup/cleanup.c
index 9a38ffc2..f24ec467 100644
--- a/src/daemon/modules/container/leftover_cleanup/cleanup.c
+++ b/src/daemon/modules/container/leftover_cleanup/cleanup.c
@@ -13,6 +13,8 @@
* Description: provide cleanup functions
*********************************************************************************/
#include <sys/mount.h>
+#include <sys/stat.h>
+#include <unistd.h>
#include "utils.h"
#include "utils_fs.h"
@@ -169,6 +171,67 @@ static bool walk_isulad_tmpdir_cb(const char *path_name, const struct dirent *su
return true;
}
+static int isulad_tmpdir_security_check(const char *tmpdir)
+{
+ struct stat st = { 0 };
+
+ if (lstat(tmpdir, &st) != 0) {
+ SYSERROR("Failed to lstat %s", tmpdir);
+ return -1;
+ }
+
+ if (!S_ISDIR(st.st_mode)) {
+ return -1;
+ }
+
+ if ((st.st_mode & 0777) != ISULAD_TEMP_DIRECTORY_MODE) {
+ return -1;
+ }
+
+ if (st.st_uid != 0) {
+ return -1;
+ }
+
+ if (S_ISLNK(st.st_mode)) {
+ return -1;
+ }
+
+ return 0;
+}
+
+static int recreate_tmpdir(const char *tmpdir)
+{
+ int ret;
+ struct stat st = { 0 };
+
+ if (util_recursive_rmdir(tmpdir, 0)) {
+ ERROR("Failed to remove directory %s", tmpdir);
+ return -1;
+ }
+
+ if (util_mkdir_p(tmpdir, ISULAD_TEMP_DIRECTORY_MODE)) {
+ ERROR("Failed to create directory %s", tmpdir);
+ return -1;
+ }
+
+ if (lstat(tmpdir, &st) != 0) {
+ SYSERROR("Failed to lstat %s", tmpdir);
+ return -1;
+ }
+
+ return ret;
+}
+
+static int ensure_isulad_tmpdir_security(const char *tmpdir)
+{
+ if (isulad_tmpdir_security_check(tmpdir) == 0) {
+ return 0;
+ }
+
+ INFO("iSulad tmpdir does not meet security requirements, recreate it");
+ return recreate_tmpdir(tmpdir);
+}
+
static void cleanup_path(char *dir)
{
int nret;
@@ -186,7 +249,8 @@ static void cleanup_path(char *dir)
return;
}
- if (!util_dir_exists(cleanpath)) {
+ // preventing the use of insecure isulad tmpdir directory
+ if (ensure_isulad_tmpdir_security(cleanpath) != 0) {
return;
}
diff --git a/src/daemon/modules/image/oci/utils_images.c b/src/daemon/modules/image/oci/utils_images.c
index f8fd1e73..4342db5b 100644
--- a/src/daemon/modules/image/oci/utils_images.c
+++ b/src/daemon/modules/image/oci/utils_images.c
@@ -630,6 +630,16 @@ int makesure_isulad_tmpdir_perm_right(const char *root_dir)
goto out;
}
+ if ((st.st_mode & 0777) != TEMP_DIRECTORY_MODE) {
+ ret = -1;
+ goto out;
+ }
+
+ if (S_ISLNK(st.st_mode)) {
+ ret = -1;
+ goto out;
+ }
+
// chown to root
ret = lchown(isulad_tmpdir, 0, 0);
if (ret == 0 || (ret == EPERM && st.st_uid == 0 && st.st_gid == 0)) {
--
2.40.1
Reference in New Issue Copy Permalink