From 0ff15c5fc82d8c5b8202143f340a1fd65b99c050 Mon Sep 17 00:00:00 2001 From: lifubang Date: Sun, 21 Jan 2024 23:15:41 +0800 Subject: [PATCH 1/2] use go-containersec to protect the entrypoint of the container Signed-off-by: lifubang --- go.mod | 3 +- go.sum | 7 + libcontainer/setns_init_linux.go | 18 +- libcontainer/standard_init_linux.go | 18 +- .../go-containersec/LICENSE | 201 ++++++++++++++++++ .../go-containersec/execve/sec-execve.go | 100 +++++++++ .../go-containersec/execve/system/linux.go | 52 +++++ .../go-containersec/path/sec-jail.go | 59 +++++ vendor/modules.txt | 5 + 9 files changed, 454 insertions(+), 9 deletions(-) create mode 100644 vendor/github.com/opencontainers-sec/go-containersec/LICENSE create mode 100644 vendor/github.com/opencontainers-sec/go-containersec/execve/sec-execve.go create mode 100644 vendor/github.com/opencontainers-sec/go-containersec/execve/system/linux.go create mode 100644 vendor/github.com/opencontainers-sec/go-containersec/path/sec-jail.go diff --git a/go.mod b/go.mod index 8997861d491..78199dec519 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/opencontainers/runc -go 1.20 +go 1.21 require ( github.com/checkpoint-restore/go-criu/v6 v6.3.0 @@ -13,6 +13,7 @@ require ( github.com/moby/sys/mountinfo v0.7.1 github.com/moby/sys/user v0.1.0 github.com/mrunalp/fileutils v0.5.1 + github.com/opencontainers-sec/go-containersec v0.0.1 github.com/opencontainers/runtime-spec v1.1.1-0.20230823135140-4fec88fd00a4 github.com/opencontainers/selinux v1.11.0 github.com/seccomp/libseccomp-golang v0.10.0 diff --git a/go.sum b/go.sum index a29c7da7bc7..ec8e31a849d 100644 --- a/go.sum +++ b/go.sum @@ -17,21 +17,27 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4= github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= github.com/frankban/quicktest v1.14.5 h1:dfYrrRyLtiqT9GyKXgdh+k4inNeTvmGbuSgZ3lx3GhA= +github.com/frankban/quicktest v1.14.5/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk= github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/moby/sys/mountinfo v0.7.1 h1:/tTvQaSJRr2FshkhXiIpux6fQ2Zvc4j7tAhMTStAG2g= github.com/moby/sys/mountinfo v0.7.1/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI= github.com/moby/sys/user v0.1.0 h1:WmZ93f5Ux6het5iituh9x2zAG7NFY9Aqi49jjE1PaQg= github.com/moby/sys/user v0.1.0/go.mod h1:fKJhFOnsCN6xZ5gSfbM6zaHGgDJMrqt9/reuj4T7MmU= github.com/mrunalp/fileutils v0.5.1 h1:F+S7ZlNKnrwHfSwdlgNSkKo67ReVf8o9fel6C3dkm/Q= github.com/mrunalp/fileutils v0.5.1/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ= +github.com/opencontainers-sec/go-containersec v0.0.1 h1:+4ov9mAgONY6w/of5x3eRFLu/5TtfFUh/SXeofqIM8M= +github.com/opencontainers-sec/go-containersec v0.0.1/go.mod h1:8tU3XOqpsj1/WwjTsJa78OkCuJpQ9VrjXkgITmqzeUw= github.com/opencontainers/runtime-spec v1.1.1-0.20230823135140-4fec88fd00a4 h1:EctkgBjZ1y4q+sibyuuIgiKpa0QSd2elFtSSdNvBVow= github.com/opencontainers/runtime-spec v1.1.1-0.20230823135140-4fec88fd00a4/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/selinux v1.11.0 h1:+5Zbo97w3Lbmb3PeqQtpmTkMwsW5nRI3YaLpt7tQ7oU= @@ -39,6 +45,7 @@ github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M5 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8= +github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs= github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/seccomp/libseccomp-golang v0.10.0 h1:aA4bp+/Zzi0BnWZ2F1wgNBs5gTpm+na2rWM6M9YjLpY= diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go index 0dd72f95e7f..072c5abb0d8 100644 --- a/libcontainer/setns_init_linux.go +++ b/libcontainer/setns_init_linux.go @@ -11,6 +11,8 @@ import ( "github.com/sirupsen/logrus" "golang.org/x/sys/unix" + "github.com/opencontainers-sec/go-containersec/execve" + "github.com/opencontainers-sec/go-containersec/path" "github.com/opencontainers/runc/libcontainer/apparmor" "github.com/opencontainers/runc/libcontainer/keys" "github.com/opencontainers/runc/libcontainer/seccomp" @@ -135,9 +137,17 @@ func (l *linuxSetnsInit) Init() error { return &os.PathError{Op: "close log pipe", Path: "fd " + strconv.Itoa(l.logFd), Err: err} } - if l.dmzExe != nil { - l.config.Args[0] = name - return system.Fexecve(l.dmzExe.Fd(), l.config.Args, os.Environ()) + fd, cmd, args, env, err := execve.GetSecExecve(name, l.config.Args, os.Environ()) + if err != nil { + return err + } + jail, err := path.IsPathInJail(cmd) + if err != nil { + return err + } + if !jail { + _ = unix.Close(fd) + return fmt.Errorf("can't find %s in the current file system", cmd) } - return system.Exec(name, l.config.Args, os.Environ()) + return system.Fexecve(uintptr(fd), args, env) } diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go index 3096d0d81ee..a9051ef1617 100644 --- a/libcontainer/standard_init_linux.go +++ b/libcontainer/standard_init_linux.go @@ -12,6 +12,8 @@ import ( "github.com/sirupsen/logrus" "golang.org/x/sys/unix" + "github.com/opencontainers-sec/go-containersec/execve" + "github.com/opencontainers-sec/go-containersec/path" "github.com/opencontainers/runc/libcontainer/apparmor" "github.com/opencontainers/runc/libcontainer/configs" "github.com/opencontainers/runc/libcontainer/keys" @@ -278,9 +280,17 @@ func (l *linuxStandardInit) Init() error { return err } - if l.dmzExe != nil { - l.config.Args[0] = name - return system.Fexecve(l.dmzExe.Fd(), l.config.Args, os.Environ()) + fd, cmd, args, env, err := execve.GetSecExecve(name, l.config.Args, os.Environ()) + if err != nil { + return err + } + jail, err := path.IsPathInJail(cmd) + if err != nil { + return err + } + if !jail { + _ = unix.Close(fd) + return fmt.Errorf("can't find %s in the current file system", cmd) } - return system.Exec(name, l.config.Args, os.Environ()) + return system.Fexecve(uintptr(fd), args, env) } diff --git a/vendor/github.com/opencontainers-sec/go-containersec/LICENSE b/vendor/github.com/opencontainers-sec/go-containersec/LICENSE new file mode 100644 index 00000000000..261eeb9e9f8 --- /dev/null +++ b/vendor/github.com/opencontainers-sec/go-containersec/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/vendor/github.com/opencontainers-sec/go-containersec/execve/sec-execve.go b/vendor/github.com/opencontainers-sec/go-containersec/execve/sec-execve.go new file mode 100644 index 00000000000..dc54b729178 --- /dev/null +++ b/vendor/github.com/opencontainers-sec/go-containersec/execve/sec-execve.go @@ -0,0 +1,100 @@ +package execve + +import ( + "bufio" + "fmt" + "os" + "strings" + + "github.com/opencontainers-sec/go-containersec/execve/system" + "github.com/opencontainers-sec/go-containersec/path" + "golang.org/x/sys/unix" +) + +func isShebang(f int) (bool, error) { + // Read the first 2 bytes to check if it's a shebang. + var buf [2]byte + if _, err := unix.Read(f, buf[:]); err != nil { + return false, err + } + return buf[0] == '#' && buf[1] == '!', nil +} + +func readScript(f int, cmd string, args []string) (string, []string, error) { + scanner := bufio.NewScanner(os.NewFile(uintptr(f), "script")) + if scanner.Scan() { + line := scanner.Text() + line = strings.TrimSpace(line) + arr := strings.Split(line, " ") + if len(arr) > 0 { + nargs := append([]string{cmd}, arr[1:]...) + nargs = append(nargs, args...) + return arr[0], nargs, nil + } + } + return "", args, fmt.Errorf("failed to read script") +} + +func GetSecExecve(cmd string, args []string, env []string) (int, string, []string, []string, error) { + f, err := unix.Open(cmd, unix.O_RDONLY|unix.O_CLOEXEC, 0) + if err != nil { + return 0, "", args, env, fmt.Errorf("failed to open %s: %w", cmd, err) + } + + ncmd := cmd + nargs := args[:] + depth := 0 + for { + sb, err := isShebang(f) + if err != nil { + _ = unix.Close(f) + return 0, "", args, env, err + } + if sb { + depth++ + /* This allows 4 levels of binfmt rewrites before failing hard. + https://github.com/torvalds/linux/blob/9d64bf433c53cab2f48a3fff7a1f2a696bc5229a/fs/exec.c#L1773-L1777 + */ + if depth > 5 { + _ = unix.Close(f) + return 0, "", args, env, unix.ELOOP + } + + ncmd, nargs, err = readScript(f, ncmd, nargs) + _ = unix.Close(f) + if err != nil { + return 0, "", args, env, err + } + f, err = unix.Open(ncmd, unix.O_RDONLY|unix.O_CLOEXEC, 0) + if err != nil { + return 0, "", args, env, fmt.Errorf("failed to open %s: %w", ncmd, err) + } + } else { + break + } + } + + _, err = unix.Seek(f, 0, 0) + if err != nil { + _ = unix.Close(f) + return 0, "", args, env, err + } + + return f, ncmd, nargs, env, nil +} + +func Run(cmd string, args []string, env []string) error { + sfd, scmd, sargs, senv, err := GetSecExecve(cmd, args, env) + if err != nil { + return err + } + jail, err := path.IsPathInJail(scmd) + if err != nil { + return err + } + if !jail { + _ = unix.Close(sfd) + return fmt.Errorf("can't find %s in the current file system", scmd) + } + return system.Fexecve(uintptr(sfd), sargs, senv) +} diff --git a/vendor/github.com/opencontainers-sec/go-containersec/execve/system/linux.go b/vendor/github.com/opencontainers-sec/go-containersec/execve/system/linux.go new file mode 100644 index 00000000000..683a0023aa0 --- /dev/null +++ b/vendor/github.com/opencontainers-sec/go-containersec/execve/system/linux.go @@ -0,0 +1,52 @@ +//go:build linux +// +build linux + +package system + +import ( + "os" + "syscall" + "unsafe" + + "golang.org/x/sys/unix" +) + +func execveat(fd uintptr, pathname string, args []string, env []string, flags int) error { + pathnamep, err := syscall.BytePtrFromString(pathname) + if err != nil { + return err + } + + argvp, err := syscall.SlicePtrFromStrings(args) + if err != nil { + return err + } + + envp, err := syscall.SlicePtrFromStrings(env) + if err != nil { + return err + } + + _, _, errno := syscall.Syscall6( + unix.SYS_EXECVEAT, + fd, + uintptr(unsafe.Pointer(pathnamep)), + uintptr(unsafe.Pointer(&argvp[0])), + uintptr(unsafe.Pointer(&envp[0])), + uintptr(flags), + 0, + ) + return errno +} + +func Fexecve(fd uintptr, args []string, env []string) error { + var err error + for { + err = execveat(fd, "", args, env, unix.AT_EMPTY_PATH) + if err != unix.EINTR { // nolint:errorlint // unix errors are bare + break + } + } + + return os.NewSyscallError("execveat", err) +} diff --git a/vendor/github.com/opencontainers-sec/go-containersec/path/sec-jail.go b/vendor/github.com/opencontainers-sec/go-containersec/path/sec-jail.go new file mode 100644 index 00000000000..2d0828d8899 --- /dev/null +++ b/vendor/github.com/opencontainers-sec/go-containersec/path/sec-jail.go @@ -0,0 +1,59 @@ +package path + +import ( + "fmt" + "os" + "os/exec" + + "golang.org/x/sys/unix" +) + +// IsPathInJail is to ensure the path is in the jail +func IsPathInJail(path string) (bool, error) { + var stat, statLink unix.Stat_t + + // The path maybe not just only a magic link path, so open the path to get the fd + file, err := os.Open(path) + if err != nil { + return false, err + } + defer file.Close() + err = unix.Fstat(int(file.Fd()), &stat) + if err != nil { + return false, err + } + + // We can get the real path from `/proc/self/fd/` + link, err := os.Readlink(fmt.Sprintf("/proc/self/fd/%d", file.Fd())) + if err != nil { + return false, err + } + + err = unix.Lstat(link, &statLink) + if os.IsNotExist(err) { + return false, nil + } else if err != nil { + return false, err + } + + if stat.Dev == statLink.Dev && stat.Ino == statLink.Ino { + return true, nil + } + return false, fmt.Errorf("can't find %s", path) +} + +// LookPath is to find the exactly path of the executable file +func SecLookPath(path string) (string, error) { + name, err := exec.LookPath(path) + if err != nil { + return "", err + } + bl, err := IsPathInJail(name) + if err != nil { + return "", err + } + if !bl { + return "", fmt.Errorf("can't find %s in the current file system", path) + } + return name, nil +} diff --git a/vendor/modules.txt b/vendor/modules.txt index 34f5a991561..26a5d7a5310 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -42,6 +42,11 @@ github.com/moby/sys/user # github.com/mrunalp/fileutils v0.5.1 ## explicit; go 1.13 github.com/mrunalp/fileutils +# github.com/opencontainers-sec/go-containersec v0.0.1 +## explicit; go 1.21 +github.com/opencontainers-sec/go-containersec/execve +github.com/opencontainers-sec/go-containersec/execve/system +github.com/opencontainers-sec/go-containersec/path # github.com/opencontainers/runtime-spec v1.1.1-0.20230823135140-4fec88fd00a4 ## explicit github.com/opencontainers/runtime-spec/specs-go From 124867d5860155bb19cbb6317877e0b809af3957 Mon Sep 17 00:00:00 2001 From: lifubang Date: Mon, 22 Jan 2024 00:29:16 +0800 Subject: [PATCH 2/2] use /proc/self/exe directly to start init Signed-off-by: lifubang --- go.mod | 2 +- go.sum | 4 +- libcontainer/container_linux.go | 126 +----------------- tests/integration/run.bats | 34 ----- .../go-containersec/execve/sec-execve.go | 7 +- vendor/modules.txt | 2 +- 6 files changed, 10 insertions(+), 165 deletions(-) diff --git a/go.mod b/go.mod index 78199dec519..de96582329d 100644 --- a/go.mod +++ b/go.mod @@ -13,7 +13,7 @@ require ( github.com/moby/sys/mountinfo v0.7.1 github.com/moby/sys/user v0.1.0 github.com/mrunalp/fileutils v0.5.1 - github.com/opencontainers-sec/go-containersec v0.0.1 + github.com/opencontainers-sec/go-containersec v0.0.2 github.com/opencontainers/runtime-spec v1.1.1-0.20230823135140-4fec88fd00a4 github.com/opencontainers/selinux v1.11.0 github.com/seccomp/libseccomp-golang v0.10.0 diff --git a/go.sum b/go.sum index ec8e31a849d..58df0120fdd 100644 --- a/go.sum +++ b/go.sum @@ -36,8 +36,8 @@ github.com/moby/sys/user v0.1.0 h1:WmZ93f5Ux6het5iituh9x2zAG7NFY9Aqi49jjE1PaQg= github.com/moby/sys/user v0.1.0/go.mod h1:fKJhFOnsCN6xZ5gSfbM6zaHGgDJMrqt9/reuj4T7MmU= github.com/mrunalp/fileutils v0.5.1 h1:F+S7ZlNKnrwHfSwdlgNSkKo67ReVf8o9fel6C3dkm/Q= github.com/mrunalp/fileutils v0.5.1/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ= -github.com/opencontainers-sec/go-containersec v0.0.1 h1:+4ov9mAgONY6w/of5x3eRFLu/5TtfFUh/SXeofqIM8M= -github.com/opencontainers-sec/go-containersec v0.0.1/go.mod h1:8tU3XOqpsj1/WwjTsJa78OkCuJpQ9VrjXkgITmqzeUw= +github.com/opencontainers-sec/go-containersec v0.0.2 h1:E37DR3CH9VWRJhr4+0VZbjdMQTR3371ijJiUGpQVOOM= +github.com/opencontainers-sec/go-containersec v0.0.2/go.mod h1:8tU3XOqpsj1/WwjTsJa78OkCuJpQ9VrjXkgITmqzeUw= github.com/opencontainers/runtime-spec v1.1.1-0.20230823135140-4fec88fd00a4 h1:EctkgBjZ1y4q+sibyuuIgiKpa0QSd2elFtSSdNvBVow= github.com/opencontainers/runtime-spec v1.1.1-0.20230823135140-4fec88fd00a4/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/selinux v1.11.0 h1:+5Zbo97w3Lbmb3PeqQtpmTkMwsW5nRI3YaLpt7tQ7oU= diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go index 5fdafdbca80..4bb3f9eb7fc 100644 --- a/libcontainer/container_linux.go +++ b/libcontainer/container_linux.go @@ -23,10 +23,8 @@ import ( "github.com/opencontainers/runc/libcontainer/cgroups" "github.com/opencontainers/runc/libcontainer/configs" - "github.com/opencontainers/runc/libcontainer/dmz" "github.com/opencontainers/runc/libcontainer/intelrdt" "github.com/opencontainers/runc/libcontainer/system" - "github.com/opencontainers/runc/libcontainer/system/kernelversion" "github.com/opencontainers/runc/libcontainer/utils" ) @@ -443,117 +441,13 @@ func (c *Container) includeExecFifo(cmd *exec.Cmd) error { return nil } -// No longer needed in Go 1.21. -func slicesContains[S ~[]E, E comparable](slice S, needle E) bool { - for _, val := range slice { - if val == needle { - return true - } - } - return false -} - -func isDmzBinarySafe(c *configs.Config) bool { - if !dmz.WorksWithSELinux(c) { - return false - } - - // Because we set the dumpable flag in nsexec, the only time when it is - // unsafe to use runc-dmz is when the container process would be able to - // race against "runc init" and bypass the ptrace_may_access() checks. - // - // This is only the case if the container processes could have - // CAP_SYS_PTRACE somehow (i.e. the capability is present in the bounding, - // inheritable, or ambient sets). Luckily, most containers do not have this - // capability. - if c.Capabilities == nil || - (!slicesContains(c.Capabilities.Bounding, "CAP_SYS_PTRACE") && - !slicesContains(c.Capabilities.Inheritable, "CAP_SYS_PTRACE") && - !slicesContains(c.Capabilities.Ambient, "CAP_SYS_PTRACE")) { - return true - } - - // Since Linux 4.10 (see bfedb589252c0) user namespaced containers cannot - // access /proc/$pid/exe of runc after it joins the namespace (until it - // does an exec), regardless of the capability set. This has been - // backported to other distribution kernels, but there's no way of checking - // this cheaply -- better to be safe than sorry here. - linux410 := kernelversion.KernelVersion{Kernel: 4, Major: 10} - if ok, err := kernelversion.GreaterEqualThan(linux410); ok && err == nil { - if c.Namespaces.Contains(configs.NEWUSER) { - return true - } - } - - // Assume it's unsafe otherwise. - return false -} - func (c *Container) newParentProcess(p *Process) (parentProcess, error) { comm, err := newProcessComm() if err != nil { return nil, err } - // Make sure we use a new safe copy of /proc/self/exe or the runc-dmz - // binary each time this is called, to make sure that if a container - // manages to overwrite the file it cannot affect other containers on the - // system. For runc, this code will only ever be called once, but - // libcontainer users might call this more than once. - p.closeClonedExes() - var ( - exePath string - // only one of dmzExe or safeExe are used at a time - dmzExe, safeExe *os.File - ) - if dmz.IsSelfExeCloned() { - // /proc/self/exe is already a cloned binary -- no need to do anything - logrus.Debug("skipping binary cloning -- /proc/self/exe is already cloned!") - // We don't need to use /proc/thread-self here because the exe mm of a - // thread-group is guaranteed to be the same for all threads by - // definition. This lets us avoid having to do runtime.LockOSThread. - exePath = "/proc/self/exe" - } else { - var err error - if isDmzBinarySafe(c.config) { - dmzExe, err = dmz.Binary(c.stateDir) - if err == nil { - // We can use our own executable without cloning if we are - // using runc-dmz. We don't need to use /proc/thread-self here - // because the exe mm of a thread-group is guaranteed to be the - // same for all threads by definition. This lets us avoid - // having to do runtime.LockOSThread. - exePath = "/proc/self/exe" - p.clonedExes = append(p.clonedExes, dmzExe) - logrus.Debug("runc-dmz: using runc-dmz") // used for tests - } else if errors.Is(err, dmz.ErrNoDmzBinary) { - logrus.Debug("runc-dmz binary not embedded in runc binary, falling back to /proc/self/exe clone") - } else if err != nil { - return nil, fmt.Errorf("failed to create runc-dmz binary clone: %w", err) - } - } else { - // If the configuration makes it unsafe to use runc-dmz, pretend we - // don't have it embedded so we do /proc/self/exe cloning. - logrus.Debug("container configuration unsafe for runc-dmz, falling back to /proc/self/exe clone") - err = dmz.ErrNoDmzBinary - } - if errors.Is(err, dmz.ErrNoDmzBinary) { - safeExe, err = dmz.CloneSelfExe(c.stateDir) - if err != nil { - return nil, fmt.Errorf("unable to create safe /proc/self/exe clone for runc init: %w", err) - } - exePath = "/proc/self/fd/" + strconv.Itoa(int(safeExe.Fd())) - p.clonedExes = append(p.clonedExes, safeExe) - logrus.Debug("runc-dmz: using /proc/self/exe clone") // used for tests - } - // Just to make sure we don't run without protection. - if dmzExe == nil && safeExe == nil { - // This should never happen. - return nil, fmt.Errorf("[internal error] attempted to spawn a container with no /proc/self/exe protection") - } - } - - cmd := exec.Command(exePath, "init") + cmd := exec.Command("/proc/self/exe", "init") cmd.Args[0] = os.Args[0] cmd.Stdin = p.Stdin cmd.Stdout = p.Stdout @@ -580,12 +474,6 @@ func (c *Container) newParentProcess(p *Process) (parentProcess, error) { "_LIBCONTAINER_SYNCPIPE="+strconv.Itoa(stdioFdCount+len(cmd.ExtraFiles)-1), ) - if dmzExe != nil { - cmd.ExtraFiles = append(cmd.ExtraFiles, dmzExe) - cmd.Env = append(cmd.Env, - "_LIBCONTAINER_DMZEXEFD="+strconv.Itoa(stdioFdCount+len(cmd.ExtraFiles)-1)) - } - cmd.ExtraFiles = append(cmd.ExtraFiles, comm.logPipeChild) cmd.Env = append(cmd.Env, "_LIBCONTAINER_LOGPIPE="+strconv.Itoa(stdioFdCount+len(cmd.ExtraFiles)-1)) @@ -600,18 +488,6 @@ func (c *Container) newParentProcess(p *Process) (parentProcess, error) { ) } - if safeExe != nil { - // Due to a Go stdlib bug, we need to add safeExe to the set of - // ExtraFiles otherwise it is possible for the stdlib to clobber the fd - // during forkAndExecInChild1 and replace it with some other file that - // might be malicious. This is less than ideal (because the descriptor - // will be non-O_CLOEXEC) however we have protections in "runc init" to - // stop us from leaking extra file descriptors. - // - // See . - cmd.ExtraFiles = append(cmd.ExtraFiles, safeExe) - } - // NOTE: when running a container with no PID namespace and the parent // process spawning the container is PID1 the pdeathsig is being // delivered to the container's init process by the kernel for some diff --git a/tests/integration/run.bats b/tests/integration/run.bats index f6bd3c86500..d3940ee11ac 100644 --- a/tests/integration/run.bats +++ b/tests/integration/run.bats @@ -127,40 +127,6 @@ function teardown() { [ "${lines[0]}" = "410" ] } -@test "runc run [runc-dmz]" { - runc --debug run test_hello - [ "$status" -eq 0 ] - [[ "$output" = *"Hello World"* ]] - # We use runc-dmz if we can. - [[ "$output" = *"runc-dmz: using runc-dmz"* ]] -} - -@test "runc run [cap_sys_ptrace -> /proc/self/exe clone]" { - # Add CAP_SYS_PTRACE to the bounding set, the minimum needed to indicate a - # container process _could_ get CAP_SYS_PTRACE. - update_config '.process.capabilities.bounding += ["CAP_SYS_PTRACE"]' - - runc --debug run test_hello - [ "$status" -eq 0 ] - [[ "$output" = *"Hello World"* ]] - if [ "$EUID" -ne 0 ] && is_kernel_gte 4.10; then - # For Linux 4.10 and later, rootless containers will use runc-dmz - # because they are running in a user namespace. See isDmzBinarySafe(). - [[ "$output" = *"runc-dmz: using runc-dmz"* ]] - else - # If the container has CAP_SYS_PTRACE and is not rootless, we use - # /proc/self/exe cloning. - [[ "$output" = *"runc-dmz: using /proc/self/exe clone"* ]] - fi -} - -@test "RUNC_DMZ=legacy runc run [/proc/self/exe clone]" { - RUNC_DMZ=legacy runc --debug run test_hello - [ "$status" -eq 0 ] - [[ "$output" = *"Hello World"* ]] - [[ "$output" = *"runc-dmz: using /proc/self/exe clone"* ]] -} - @test "runc run [joining existing container namespaces]" { requires timens diff --git a/vendor/github.com/opencontainers-sec/go-containersec/execve/sec-execve.go b/vendor/github.com/opencontainers-sec/go-containersec/execve/sec-execve.go index dc54b729178..062acb07022 100644 --- a/vendor/github.com/opencontainers-sec/go-containersec/execve/sec-execve.go +++ b/vendor/github.com/opencontainers-sec/go-containersec/execve/sec-execve.go @@ -27,8 +27,8 @@ func readScript(f int, cmd string, args []string) (string, []string, error) { line = strings.TrimSpace(line) arr := strings.Split(line, " ") if len(arr) > 0 { - nargs := append([]string{cmd}, arr[1:]...) - nargs = append(nargs, args...) + nargs := append(arr, cmd) + nargs = append(nargs, args[1:]...) return arr[0], nargs, nil } } @@ -70,6 +70,9 @@ func GetSecExecve(cmd string, args []string, env []string) (int, string, []strin return 0, "", args, env, fmt.Errorf("failed to open %s: %w", ncmd, err) } } else { + if depth > 0 { + nargs[0] = ncmd + } break } } diff --git a/vendor/modules.txt b/vendor/modules.txt index 26a5d7a5310..8756b63334f 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -42,7 +42,7 @@ github.com/moby/sys/user # github.com/mrunalp/fileutils v0.5.1 ## explicit; go 1.13 github.com/mrunalp/fileutils -# github.com/opencontainers-sec/go-containersec v0.0.1 +# github.com/opencontainers-sec/go-containersec v0.0.2 ## explicit; go 1.21 github.com/opencontainers-sec/go-containersec/execve github.com/opencontainers-sec/go-containersec/execve/system