Merge pull request from GHSA-mvff-h3cj-wj9c

[release/1.5] only relabel cri managed host mounts
k3s-io · Jan 5, 2022 · 1407cab · 1407cab
2 parents 167c3e0 + e4b62aa
commit 1407cab
Show file tree

Hide file tree

Showing 5 changed files with 78 additions and 68 deletions.
diff --git a/pkg/cri/opts/spec_linux.go b/pkg/cri/opts/spec_linux.go
@@ -225,30 +225,6 @@ func WithMounts(osi osinterface.OS, config *runtime.ContainerConfig, extra []*ru
 	}
 }
 
-const (
-	etcHosts       = "/etc/hosts"
-	etcHostname    = "/etc/hostname"
-	resolvConfPath = "/etc/resolv.conf"
-)
-
-// WithRelabeledContainerMounts relabels the default container mounts for files in /etc
-func WithRelabeledContainerMounts(mountLabel string) oci.SpecOpts {
-	return func(ctx context.Context, client oci.Client, _ *containers.Container, s *runtimespec.Spec) (err error) {
-		if mountLabel == "" {
-			return nil
-		}
-		for _, m := range s.Mounts {
-			switch m.Destination {
-			case etcHosts, etcHostname, resolvConfPath:
-				if err := label.Relabel(m.Source, mountLabel, false); err != nil {
-					return err
-				}
-			}
-		}
-		return nil
-	}
-}
-
 // Ensure mount point on which path is mounted, is shared.
 func ensureShared(path string, lookupMount func(string) (mount.Info, error)) error {
 	mountInfo, err := lookupMount(path)

diff --git a/pkg/cri/server/container_create_linux.go b/pkg/cri/server/container_create_linux.go
@@ -68,28 +68,31 @@ func (c *criService) containerMounts(sandboxID string, config *runtime.Container
 		hostpath := c.getSandboxHostname(sandboxID)
 		if _, err := c.os.Stat(hostpath); err == nil {
 			mounts = append(mounts, &runtime.Mount{
-				ContainerPath: etcHostname,
-				HostPath:      hostpath,
-				Readonly:      securityContext.GetReadonlyRootfs(),
+				ContainerPath:  etcHostname,
+				HostPath:       hostpath,
+				Readonly:       securityContext.GetReadonlyRootfs(),
+				SelinuxRelabel: true,
 			})
 		}
 	}
 
 	if !isInCRIMounts(etcHosts, config.GetMounts()) {
 		mounts = append(mounts, &runtime.Mount{
-			ContainerPath: etcHosts,
-			HostPath:      c.getSandboxHosts(sandboxID),
-			Readonly:      securityContext.GetReadonlyRootfs(),
+			ContainerPath:  etcHosts,
+			HostPath:       c.getSandboxHosts(sandboxID),
+			Readonly:       securityContext.GetReadonlyRootfs(),
+			SelinuxRelabel: true,
 		})
 	}
 
 	// Mount sandbox resolv.config.
 	// TODO: Need to figure out whether we should always mount it as read-only
 	if !isInCRIMounts(resolvConfPath, config.GetMounts()) {
 		mounts = append(mounts, &runtime.Mount{
-			ContainerPath: resolvConfPath,
-			HostPath:      c.getResolvPath(sandboxID),
-			Readonly:      securityContext.GetReadonlyRootfs(),
+			ContainerPath:  resolvConfPath,
+			HostPath:       c.getResolvPath(sandboxID),
+			Readonly:       securityContext.GetReadonlyRootfs(),
+			SelinuxRelabel: true,
 		})
 	}
 
@@ -192,7 +195,7 @@ func (c *criService) containerSpec(
 		}
 	}()
 
-	specOpts = append(specOpts, customopts.WithMounts(c.os, config, extraMounts, mountLabel), customopts.WithRelabeledContainerMounts(mountLabel))
+	specOpts = append(specOpts, customopts.WithMounts(c.os, config, extraMounts, mountLabel))
 
 	if !c.config.DisableProcMount {
 		// Change the default masked/readonly paths to empty slices

diff --git a/pkg/cri/server/container_create_linux_test.go b/pkg/cri/server/container_create_linux_test.go
@@ -450,19 +450,22 @@ func TestContainerMounts(t *testing.T) {
 			},
 			expectedMounts: []*runtime.Mount{
 				{
-					ContainerPath: "/etc/hostname",
-					HostPath:      filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hostname"),
-					Readonly:      true,
+					ContainerPath:  "/etc/hostname",
+					HostPath:       filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hostname"),
+					Readonly:       true,
+					SelinuxRelabel: true,
 				},
 				{
-					ContainerPath: "/etc/hosts",
-					HostPath:      filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
-					Readonly:      true,
+					ContainerPath:  "/etc/hosts",
+					HostPath:       filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
+					Readonly:       true,
+					SelinuxRelabel: true,
 				},
 				{
-					ContainerPath: resolvConfPath,
-					HostPath:      filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
-					Readonly:      true,
+					ContainerPath:  resolvConfPath,
+					HostPath:       filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
+					Readonly:       true,
+					SelinuxRelabel: true,
 				},
 				{
 					ContainerPath:  "/dev/shm",
@@ -476,19 +479,22 @@ func TestContainerMounts(t *testing.T) {
 			securityContext: &runtime.LinuxContainerSecurityContext{},
 			expectedMounts: []*runtime.Mount{
 				{
-					ContainerPath: "/etc/hostname",
-					HostPath:      filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hostname"),
-					Readonly:      false,
+					ContainerPath:  "/etc/hostname",
+					HostPath:       filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hostname"),
+					Readonly:       false,
+					SelinuxRelabel: true,
 				},
 				{
-					ContainerPath: "/etc/hosts",
-					HostPath:      filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
-					Readonly:      false,
+					ContainerPath:  "/etc/hosts",
+					HostPath:       filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
+					Readonly:       false,
+					SelinuxRelabel: true,
 				},
 				{
-					ContainerPath: resolvConfPath,
-					HostPath:      filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
-					Readonly:      false,
+					ContainerPath:  resolvConfPath,
+					HostPath:       filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
+					Readonly:       false,
+					SelinuxRelabel: true,
 				},
 				{
 					ContainerPath:  "/dev/shm",
@@ -504,19 +510,22 @@ func TestContainerMounts(t *testing.T) {
 			},
 			expectedMounts: []*runtime.Mount{
 				{
-					ContainerPath: "/etc/hostname",
-					HostPath:      filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hostname"),
-					Readonly:      false,
+					ContainerPath:  "/etc/hostname",
+					HostPath:       filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hostname"),
+					Readonly:       false,
+					SelinuxRelabel: true,
 				},
 				{
-					ContainerPath: "/etc/hosts",
-					HostPath:      filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
-					Readonly:      false,
+					ContainerPath:  "/etc/hosts",
+					HostPath:       filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
+					Readonly:       false,
+					SelinuxRelabel: true,
 				},
 				{
-					ContainerPath: resolvConfPath,
-					HostPath:      filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
-					Readonly:      false,
+					ContainerPath:  resolvConfPath,
+					HostPath:       filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
+					Readonly:       false,
+					SelinuxRelabel: true,
 				},
 				{
 					ContainerPath: "/dev/shm",
@@ -555,14 +564,16 @@ func TestContainerMounts(t *testing.T) {
 			securityContext: &runtime.LinuxContainerSecurityContext{},
 			expectedMounts: []*runtime.Mount{
 				{
-					ContainerPath: "/etc/hosts",
-					HostPath:      filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
-					Readonly:      false,
+					ContainerPath:  "/etc/hosts",
+					HostPath:       filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
+					Readonly:       false,
+					SelinuxRelabel: true,
 				},
 				{
-					ContainerPath: resolvConfPath,
-					HostPath:      filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
-					Readonly:      false,
+					ContainerPath:  resolvConfPath,
+					HostPath:       filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
+					Readonly:       false,
+					SelinuxRelabel: true,
 				},
 				{
 					ContainerPath:  "/dev/shm",

diff --git a/releases/v1.5.9.toml b/releases/v1.5.9.toml
@@ -0,0 +1,20 @@
+# commit to be tagged for new release
+commit = "HEAD"
+
+project_name = "containerd"
+github_repo = "containerd/containerd"
+match_deps = "^github.com/(containerd/[a-zA-Z0-9-]+)$"
+
+# previous release
+previous = "v1.5.8"
+
+pre_release = false
+
+preface = """\
+The ninth patch release for containerd 1.5 is a security release to fix CVE-2021-43816.
+
+### Notable Updates
+* **Fix unprivileged pod using 'hostPath' bypassing SELinux labels** ([GHSA-mvff-h3cj-wj9c](https://github.com/containerd/containerd/security/advisories/GHSA-mvff-h3cj-wj9c))
+* **Fix setting the "container_kvm_t" SELinux label** ([#6381](https://github.com/containerd/containerd/pull/6381))
+
+See the changelog for complete list of changes"""
diff --git a/version/version.go b/version/version.go
@@ -23,7 +23,7 @@ var (
 	Package = "github.com/containerd/containerd"
 
 	// Version holds the complete version number. Filled in at linking time.
-	Version = "1.5.8+unknown"
+	Version = "1.5.9+unknown"
 
 	// Revision is filled with the VCS (e.g. git) revision being used to build
 	// the program at linking time.