opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-06-25 03:52:15 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2899 from giuseppe/prevent-sys-fs-kernel-paths-in-userns

Browse Source 
userns: prevent /sys/kernel/* paths in the container
This commit is contained in:
OpenShift Merge Robot
2019-04-11 08:30:31 -07:00
committed by GitHub
parent 4596c39655 2c9c40dc82
commit b281c34b31
3 changed files with 64 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
libpod/oci_linux.go
View File

@ -3,15 +3,20 @@
package libpod package libpod
import ( import (
"fmt"
"os" "os"
"os/exec" "os/exec"
"path/filepath" "path/filepath"
"runtime"
"strings" "strings"
"syscall" "syscall"
"github.com/containerd/cgroups" "github.com/containerd/cgroups"
"github.com/containers/libpod/pkg/rootless"
"github.com/containers/libpod/utils" "github.com/containers/libpod/utils"
pmount "github.com/containers/storage/pkg/mount"
spec "github.com/opencontainers/runtime-spec/specs-go" spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/pkg/errors"
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
"golang.org/x/sys/unix" "golang.org/x/sys/unix"
) )
@ -91,6 +96,54 @@ func (r *OCIRuntime) createContainer(ctr *Container, cgroupParent string, restor
return err return err
} }
} }
// if we are running a non privileged container, be sure to umount some kernel paths so they are not
// bind mounted inside the container at all.
if !ctr.config.Privileged && !rootless.IsRootless() {
ch := make(chan error)
go func() {
runtime.LockOSThread()
err := func() error {
fd, err := os.Open(fmt.Sprintf("/proc/%d/task/%d/ns/mnt", os.Getpid(), unix.Gettid()))
if err != nil {
return err
}
defer fd.Close()
// create a new mountns on the current thread
if err = unix.Unshare(unix.CLONE_NEWNS); err != nil {
return err
}
defer unix.Setns(int(fd.Fd()), unix.CLONE_NEWNS)
// don't spread our mounts around. We are setting only /sys to be slave
// so that the cleanup process is still able to umount the storage and the
// changes are propagated to the host.
err = unix.Mount("/sys", "/sys", "none", unix.MS_REC|unix.MS_SLAVE, "")
if err != nil {
return errors.Wrapf(err, "cannot make /sys slave")
}
mounts, err := pmount.GetMounts()
if err != nil {
return err
}
for _, m := range mounts {
if !strings.HasPrefix(m.Mountpoint, "/sys/kernel") {
continue
}
err = unix.Unmount(m.Mountpoint, 0)
if err != nil {
return errors.Wrapf(err, "cannot unmount %s", m.Mountpoint)
}
}
return r.createOCIContainer(ctr, cgroupParent, restoreOptions)
}()
ch <- err
}()
err := <-ch
return err
}
} }
return r.createOCIContainer(ctr, cgroupParent, restoreOptions) return r.createOCIContainer(ctr, cgroupParent, restoreOptions)
} }

3
pkg/spec/spec.go
View File

@ -132,6 +132,9 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
Options: []string{"rprivate", "nosuid", "noexec", "nodev", r, "rbind"}, Options: []string{"rprivate", "nosuid", "noexec", "nodev", r, "rbind"},
} }
g.AddMount(sysMnt) g.AddMount(sysMnt)
if !config.Privileged && isRootless {
g.AddLinuxMaskedPaths("/sys/kernel")
}
} }
if isRootless { if isRootless {
nGids, err := getAvailableGids() nGids, err := getAvailableGids()

8
test/system/030-run.bats
View File

@ -31,4 +31,12 @@ echo $rand | 0 | $rand
done < <(parse_table "$tests") done < <(parse_table "$tests")
} }
@test "podman run - uidmapping has no /sys/kernel mounts" {
run_podman $expected_rc run --uidmapping 0:100:10000 $IMAGE mount | grep /sys/kernel
is "$output" "" "podman run $cmd - output"
run_podman $expected_rc run --net host --uidmapping 0:100:10000 $IMAGE mount | grep /sys/kernel
is "$output" "" "podman run $cmd - output"
}
# vim: filetype=sh # vim: filetype=sh