From 0c9ee57259fc5d4341069fc09d9dfc7e2a0c2192 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai
Date: Sat, 13 May 2023 02:14:57 +1000
Subject: [PATCH] conversion: mention the potential risks of blindly copying annotations

While the ability to copy arbitrary container labels into the generated runtime-spec is a very useful feature, it needs to be mentioned that some runtime-spec annotations (such as "org.systemd.property.*" and "run.oci.hooks.*") can allow an image to cause runtimes to either configure an insecure container or act as a way to attack the host machine.

It should be noted this is no different to any other malicious config.json attack -- it is the responsibility of runtime-spec generators to make sure the configuration is secure.

Reported-by: Akihiro Suda
Signed-off-by: Aleksa Sarai
---
 conversion.md | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/conversion.md b/conversion.md
index eca55065c..5f85bde4d 100644
--- a/conversion.md
+++ b/conversion.md
@@ -128,3 +128,10 @@ If there is a conflict (same key but different value) between an implicit annota A converter MAY add annotations which have keys not specified in the image. A converter MUST NOT modify the values of annotations specified in the image. + +Note there is a risk that some annotations might be used by container runtimes to do operations that pose a security risk (such as running container hooks on the host or modifying security-related aspects of the container configuration). +As with any runtime specification configuration, generators SHOULD verify that the generated container configuration is safe before it is used to create a container. +A converter MAY choose to not include annotations specified in the image, if the annotations are considered to be unsafe by the converter's security policy. +If a converter does omit annotations during the conversion, it SHOULD provide feedback to the user to indicate that an annotation has not been converted. + +**Implementor's Note:** Some implementations (such as Docker/Moby) are known to indiscriminately and silently exclude all annotations specified in the image. Implementations SHOULD NOT do this.
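Review bot: The new paragraph gives converter authors nothing concrete to act on: "generators SHOULD verify that the generated container configuration is safe" is not a testable requirement, since "safe" is never defined and a converter cannot know the semantics of every runtime-specific annotation. The commit message does name the families that motivated this change ("org.systemd.property.*" and "run.oci.hooks.*"); consider carrying those into the spec text as a non-normative illustration of the two risk classes already described ("running container hooks on the host or modifying security-related aspects of the container configuration"), and rewording the SHOULD to tie it to the converter's own policy, which the next sentence already introduces ("considered to be unsafe by the converter's security policy"), e.g. "generators SHOULD evaluate the annotations they emit against their security policy before the configuration is used to create a container." Two smaller points: "provide feedback to the user" does not fit library-style converters that have no user to talk to; "to the caller (for example, by logging a warning)" covers both cases. And the Implementor's Note singles out Docker/Moby by name with the words "indiscriminately and silently", which will go stale and reads as editorial in a spec; since the preceding MAY/SHOULD pair already says omission is allowed only with feedback, a neutral "Implementations SHOULD NOT silently drop all image annotations" states the same rule without naming a project.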