packages/runc - runc - OEPKGS Git Repository for openEuler 24.03 LTS SP1 Template

packages/runc

Fork 0

Commit Graph

Author	SHA1	Message	Date
xiadanni1	1029fc9d1c	rootfs: do not permit /proc mounts to non-directories mount(2) will blindly follow symlinks, which is a problem because it allows a malicious container to trick runc into mounting /proc to an entirely different location (and thus within the attacker's control for a rename-exchange attack). This is just a hotfix (to "stop the bleeding"), and the more complete fix would be finish libpathrs and port runc to it (to avoid these types of attacks entirely, and defend against a variety of other /proc-related attacks). It can be bypased by someone having "/" be a volume controlled by another container. Fixes: CVE-2019-19921 Signed-off-by: Aleksa Sarai <asarai@suse.de> Signed-off-by: xiadanni1 <xiadanni1@huawei.com>	2020-04-15 17:01:50 +08:00

Author

SHA1

Message

Date

xiadanni1

1029fc9d1c

rootfs: do not permit /proc mounts to non-directories

mount(2) will blindly follow symlinks, which is a problem because it
allows a malicious container to trick runc into mounting /proc to an
entirely different location (and thus within the attacker's control for
a rename-exchange attack).

This is just a hotfix (to "stop the bleeding"), and the more complete
fix would be finish libpathrs and port runc to it (to avoid these types
of attacks entirely, and defend against a variety of other /proc-related
attacks). It can be bypased by someone having "/" be a volume controlled
by another container.

Fixes: CVE-2019-19921
Signed-off-by: Aleksa Sarai <asarai@suse.de>
Signed-off-by: xiadanni1 <xiadanni1@huawei.com>

2020-04-15 17:01:50 +08:00

1 Commits