3 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736
4 https://seclists.org/oss-sec/2019/q1/119
6 Patch copied from upstream source repository:
8 https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b
10 From 0a8e4117e7f715d5fbeef398405813ce8e88558b Mon Sep 17 00:00:00 2001
11 From: Aleksa Sarai <asarai@suse.de>
12 Date: Wed, 9 Jan 2019 13:40:01 +1100
13 Subject: [PATCH] nsenter: clone /proc/self/exe to avoid exposing host binary
16 There are quite a few circumstances where /proc/self/exe pointing to a
17 pretty important container binary is a _bad_ thing, so to avoid this we
18 have to make a copy (preferably doing self-clean-up and not being
21 We require memfd_create(2) -- though there is an O_TMPFILE fallback --
22 but we can always extend this to use a scratch MNT_DETACH overlayfs or
23 tmpfs. The main downside to this approach is no page-cache sharing for
24 the runc binary (which overlayfs would give us) but this is far less
27 This is only done during nsenter so that it happens transparently to the
28 Go code, and any libcontainer users benefit from it. This also makes
29 ExtraFiles and --preserve-fds handling trivial (because we don't need to
33 Co-developed-by: Christian Brauner <christian.brauner@ubuntu.com>
34 Signed-off-by: Aleksa Sarai <asarai@suse.de>
36 libcontainer/nsenter/cloned_binary.c | 268 +++++++++++++++++++++++++++
37 libcontainer/nsenter/nsexec.c | 11 ++
38 2 files changed, 279 insertions(+)
39 create mode 100644 libcontainer/nsenter/cloned_binary.c
41 diff --git a/libcontainer/nsenter/cloned_binary.c b/libcontainer/nsenter/cloned_binary.c
43 index 000000000..c8a42c23f
45 +++ b/libcontainer/nsenter/cloned_binary.c
48 + * Copyright (C) 2019 Aleksa Sarai <cyphar@cyphar.com>
49 + * Copyright (C) 2019 SUSE LLC
51 + * Licensed under the Apache License, Version 2.0 (the "License");
52 + * you may not use this file except in compliance with the License.
53 + * You may obtain a copy of the License at
55 + * http://www.apache.org/licenses/LICENSE-2.0
57 + * Unless required by applicable law or agreed to in writing, software
58 + * distributed under the License is distributed on an "AS IS" BASIS,
59 + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
60 + * See the License for the specific language governing permissions and
61 + * limitations under the License.
74 +#include <sys/types.h>
75 +#include <sys/stat.h>
77 +#include <sys/mman.h>
78 +#include <sys/sendfile.h>
79 +#include <sys/syscall.h>
81 +/* Use our own wrapper for memfd_create. */
82 +#if !defined(SYS_memfd_create) && defined(__NR_memfd_create)
83 +# define SYS_memfd_create __NR_memfd_create
85 +#ifdef SYS_memfd_create
86 +# define HAVE_MEMFD_CREATE
87 +/* memfd_create(2) flags -- copied from <linux/memfd.h>. */
89 +# define MFD_CLOEXEC 0x0001U
90 +# define MFD_ALLOW_SEALING 0x0002U
92 +int memfd_create(const char *name, unsigned int flags)
94 + return syscall(SYS_memfd_create, name, flags);
98 +/* This comes directly from <linux/fcntl.h>. */
99 +#ifndef F_LINUX_SPECIFIC_BASE
100 +# define F_LINUX_SPECIFIC_BASE 1024
103 +# define F_ADD_SEALS (F_LINUX_SPECIFIC_BASE + 9)
104 +# define F_GET_SEALS (F_LINUX_SPECIFIC_BASE + 10)
107 +# define F_SEAL_SEAL 0x0001 /* prevent further seals from being set */
108 +# define F_SEAL_SHRINK 0x0002 /* prevent file from shrinking */
109 +# define F_SEAL_GROW 0x0004 /* prevent file from growing */
110 +# define F_SEAL_WRITE 0x0008 /* prevent writes */
113 +#define RUNC_SENDFILE_MAX 0x7FFFF000 /* sendfile(2) is limited to 2GB. */
114 +#ifdef HAVE_MEMFD_CREATE
115 +# define RUNC_MEMFD_COMMENT "runc_cloned:/proc/self/exe"
116 +# define RUNC_MEMFD_SEALS \
117 + (F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)
120 +static void *must_realloc(void *ptr, size_t size)
124 + ptr = realloc(old, size);
130 + * Verify whether we are currently in a self-cloned program (namely, is
131 + * /proc/self/exe a memfd). F_GET_SEALS will only succeed for memfds (or rather
132 + * for shmem files), and we want to be sure it's actually sealed.
134 +static int is_self_cloned(void)
136 + int fd, ret, is_cloned = 0;
138 + fd = open("/proc/self/exe", O_RDONLY|O_CLOEXEC);
140 + return -ENOTRECOVERABLE;
142 +#ifdef HAVE_MEMFD_CREATE
143 + ret = fcntl(fd, F_GET_SEALS);
144 + is_cloned = (ret == RUNC_MEMFD_SEALS);
146 + struct stat statbuf = {0};
147 + ret = fstat(fd, &statbuf);
149 + is_cloned = (statbuf.st_nlink == 0);
156 + * Basic wrapper around mmap(2) that gives you the file length so you can
157 + * safely treat it as an ordinary buffer. Only gives you read access.
159 +static char *read_file(char *path, size_t *length)
162 + char buf[4096], *copy = NULL;
167 + fd = open(path, O_RDONLY | O_CLOEXEC);
175 + n = read(fd, buf, sizeof(buf));
181 + copy = must_realloc(copy, (*length + n) * sizeof(*copy));
182 + memcpy(copy + *length, buf, n);
195 + * A poor-man's version of "xargs -0". Basically parses a given block of
196 + * NUL-delimited data, within the given length and adds a pointer to each entry
197 + * to the array of pointers.
199 +static int parse_xargs(char *data, int data_length, char ***output)
204 + if (!data || *output != NULL)
207 + while (cur < data + data_length) {
209 + *output = must_realloc(*output, (num + 1) * sizeof(**output));
210 + (*output)[num - 1] = cur;
211 + cur += strlen(cur) + 1;
213 + (*output)[num] = NULL;
218 + * "Parse" out argv and envp from /proc/self/cmdline and /proc/self/environ.
219 + * This is necessary because we are running in a context where we don't have a
220 + * main() that we can just get the arguments from.
222 +static int fetchve(char ***argv, char ***envp)
224 + char *cmdline = NULL, *environ = NULL;
225 + size_t cmdline_size, environ_size;
227 + cmdline = read_file("/proc/self/cmdline", &cmdline_size);
230 + environ = read_file("/proc/self/environ", &environ_size);
234 + if (parse_xargs(cmdline, cmdline_size, argv) <= 0)
236 + if (parse_xargs(environ, environ_size, envp) <= 0)
247 +static int clone_binary(void)
252 +#ifdef HAVE_MEMFD_CREATE
253 + memfd = memfd_create(RUNC_MEMFD_COMMENT, MFD_CLOEXEC | MFD_ALLOW_SEALING);
255 + memfd = open("/tmp", O_TMPFILE | O_EXCL | O_RDWR | O_CLOEXEC, 0711);
258 + return -ENOTRECOVERABLE;
260 + binfd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
264 + sent = sendfile(memfd, binfd, NULL, RUNC_SENDFILE_MAX);
269 +#ifdef HAVE_MEMFD_CREATE
270 + int err = fcntl(memfd, F_ADD_SEALS, RUNC_MEMFD_SEALS);
274 + /* Need to re-open "memfd" as read-only to avoid execve(2) giving -EXTBUSY. */
276 + char *fdpath = NULL;
278 + if (asprintf(&fdpath, "/proc/self/fd/%d", memfd) < 0)
280 + newfd = open(fdpath, O_RDONLY | O_CLOEXEC);
295 +int ensure_cloned_binary(void)
298 + char **argv = NULL, **envp = NULL;
300 + /* Check that we're not self-cloned, and if we are then bail. */
301 + int cloned = is_self_cloned();
302 + if (cloned > 0 || cloned == -ENOTRECOVERABLE)
305 + if (fetchve(&argv, &envp) < 0)
308 + execfd = clone_binary();
312 + fexecve(execfd, argv, envp);
315 diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
316 index 28269dfc0..7750af35e 100644
317 --- a/libcontainer/nsenter/nsexec.c
318 +++ b/libcontainer/nsenter/nsexec.c
319 @@ -534,6 +534,9 @@ void join_namespaces(char *nslist)
323 +/* Defined in cloned_binary.c. */
324 +extern int ensure_cloned_binary(void);
329 @@ -549,6 +552,14 @@ void nsexec(void)
334 + * We need to re-exec if we are not in a cloned binary. This is necessary
335 + * to ensure that containers won't be able to access the host binary
336 + * through /proc/self/exe. See CVE-2019-5736.
338 + if (ensure_cloned_binary() < 0)
339 + bail("could not ensure we are a cloned binary");
341 /* Parse all of the netlink configuration. */
342 nl_parse(pipenum, &config);
HCoop / jackhill / guix / guix.git / blob