internal: proc: do not join the process user namespace #92
Conversation
I'm not quite sure how to test whether this works -- the sample binary doesn't seem to do anything with
If you vendor this into Podman you should see
Yup, with this patch applied you get the right results and you can run it on containers that don't have
LGTM
@giuseppe PTAL
LGTM
Just minimal nits. Excellent work, @cyphar, thanks a lot for tackling that!
b0dbe2e to d67bb38
The only reason we joined the process user namespace was to map a handful of fields into the same user namespace as that process. This procedure can be implemented entirely in Go without having to run code inside the container.

In addition, since psgo is used inside "podman top", we were actually executing the nsenter binary *from the container* without all of the container's security profiles applied. At the very least this would allow a container process to return bad data to psgo (possibly confusing management scripts using psgo) and at the very worst it would allow the container process to escalate privileges by getting podman to execute code without all of the container security profiles applied.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
d67bb38 to d9467da
PTAL @vrothberg, I've switched to containers/storage/pkg/idtools and removed init().
/lgtm
c/storage is currently broken (by me!); waiting for valyala/gozstd#41, we can temporarily revert these patches:
and I'll add them back once valyala/gozstd is fixed
@giuseppe, thanks! I am OK to wait; we still have until late next week.
I noticed when vendoring storage there appears to have been another breakage with podman -- podman seems to default to a 1024-long user namespace, which causes issues with the newest version of containers/storage (you get an error about unmappable users -- this is fixed by bumping up the size).
Have releases of psgo been made that include this fix? What version numbers?
Resolves: CVE-2022-1227 Upstream fix: containers/psgo#92 Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
The only reason we joined the process user namespace was to map a
handful of fields into the same user namespace as that process. This
procedure can be implemented entirely in Go without having to run code
inside the container.
In addition, since psgo is used inside "podman top", we were actually
executing the nsenter binary from the container without all of the
container's security profiles applied. At the very least this would
allow a container process to return bad data to psgo (possibly confusing
management scripts using psgo) and at the very worst it would allow the
container process to escalate privileges by getting podman to execute
code without all of the container security profiles applied.
See containers/podman#10941.
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
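As an added illustration of the approach the commit message describes (this is not psgo's own code, which uses containers/storage/pkg/idtools), the Go snippet below parses /proc/<pid>/uid_map as read from the host and translates a host UID into the view the process has inside its user namespace, so no code is ever executed inside the container; the uid_map sample and the function names are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// idMap is one line of /proc/<pid>/uid_map (or gid_map) as seen from the host:
// "<ID inside the namespace> <ID outside, i.e. on the host> <length>".
type idMap struct{ inside, outside, length uint64 }

// parseIDMap parses the text of a uid_map/gid_map file. Malformed lines are
// rejected rather than skipped: a mapping we cannot read must not silently
// fall back to reporting raw host IDs as if they were container IDs.
func parseIDMap(content string) ([]idMap, error) {
	var maps []idMap
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var m idMap
		if _, err := fmt.Sscanf(line, "%d %d %d", &m.inside, &m.outside, &m.length); err != nil {
			return nil, fmt.Errorf("malformed id_map line %q: %w", line, err)
		}
		maps = append(maps, m)
	}
	return maps, nil
}

// toContainer translates a host-side ID (e.g. the Uid field of /proc/<pid>/status
// read from the host) into the ID the process sees inside its user namespace.
// The second return value is false when no mapping covers hostID; from inside the
// namespace such an ID shows up as the kernel's overflow ID (nobody), so callers
// should report it as unmapped instead of guessing.
func toContainer(maps []idMap, hostID uint64) (uint64, bool) {
	for _, m := range maps {
		if hostID >= m.outside && hostID < m.outside+m.length {
			return m.inside + (hostID - m.outside), true
		}
	}
	return 0, false
}

func main() {
	// Constructed rootless-style map: container root is host uid 1000,
	// container uids 1..65536 are host uids 100000..165535.
	maps, _ := parseIDMap("0 1000 1\n1 100000 65536\n")
	id, ok := toContainer(maps, 100042)
	fmt.Println(id, ok) // 43 true
}
```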