Don't create our own temporary mount point for pivot_root (#304) #305
Conversation
I'd be curious to know how the reporter got in a situation without Hmm but if we do this it breaks Seems to me like it's safer to just use
And I still like using
I assume the reporter has at least one system that doesn't have systemd-logind, or is running bubblewrap as a uid that isn't in a logind session.
Probably, but we keep a fd to /proc open for the duration of the various pivots already, which we have to do because our root directory keeps changing.
If we did that, I think we'd create a temp directory and never delete it?
Do you mean Strictly speaking,
Yeah but as a suid app we can't trust environment variables.
Right but I'm thinking about things like glibc reading If we just need a mountpoint...hum, maybe In the suid case we could also create that before we drop privileges.
Well, systemd's tmpfiles pruner would get it. But we could maybe fork off a process to I'm OK personally "leaking" a tmpdir in the case where there isn't a properly set up
I think we do just need any arbitrary mount point. We could create
bubblewrap doesn't currently require systemd, and making bubblewrap and flatpak require systemd would be politically problematic (in an "endless flamewars" way), at least in Debian. Sorry, but that particular war is still being fought :-(
Agree.
This seems simplest indeed; bikeshed more,
My worry about those is around what happens if people use e.g. I think that brings
An attacker could pre-create /tmp/.bubblewrap-$UID and make it a non-directory, non-symlink (in which case mounting our tmpfs would fail, causing denial of service), or make it a symlink under their control (potentially allowing bad things if the protected_symlinks sysctl is not enabled). Instead, temporarily mount the tmpfs on a directory that we are sure exists and is not attacker-controlled. /tmp (the directory itself, not a subdirectory) will do.
Fixes: containers#304
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923557
Signed-off-by: Simon McVittie <smcv@debian.org>
I've updated this branch to use
The reason I'm a little reluctant to do that is that it's all very well for a distro-included At the moment, an application (even one that might be installed in a home directory from a tarball of binaries, like Steam) can bundle a copy of
…iner Signed-off-by: Simon McVittie <smcv@collabora.com>
I added a test that asserts that /tmp gets mounted as we'd expect, and /tmp/oldroot, /tmp/newroot aren't exposed in the container.
An attacker could pre-create /tmp/.bubblewrap-$UID and make it a non-directory, non-symlink (in which case mounting our tmpfs would fail, causing denial of service), or make it a symlink under their control (potentially allowing bad things if the protected_symlinks sysctl is not enabled). Instead, temporarily mount the tmpfs on a directory that we are sure exists and is not attacker-controlled. /tmp (the directory itself, not a subdirectory) will do.
Fixes: #304
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923557
Signed-off-by: Simon McVittie <smcv@debian.org>
Closes: #305
Approved by: cgwalters
…iner Signed-off-by: Simon McVittie <smcv@collabora.com> Closes: #305 Approved by: cgwalters
💥 Test timed out
@rh-atomic-bot retry
☀️ Test successful - status-papr
An attacker could pre-create /tmp/.bubblewrap-$UID and make it a
non-directory, non-symlink (in which case mounting our tmpfs would fail,
causing denial of service), or make it a symlink under their control
(potentially allowing bad things if the protected_symlinks sysctl is
not enabled).
Instead, temporarily mount the tmpfs on a directory that we are sure
exists and is not attacker-controlled. We already rely on /proc to have
those properties, so it seems as good a place as any. This doesn't appear
to have any impact on our ability to use /proc as either the source or
the destination of a bind-mount.
Fixes: #304
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923557
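The property the commit message relies on, that the temporary mount point must be a real directory nobody unprivileged could have planted, spelled out as an added check (example code, not bubblewrap's own; the scratch tree it builds is constructed test data):

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return 1 if PATH is a directory an unprivileged local user could not have
 * planted: looked up with lstat (a symlink is never followed), a real directory,
 * owned by TRUSTED_OWNER, and not writable by group or others. Return 0 otherwise.
 * /proc (root-owned, mode 0555) passes; an attacker-created /tmp/.bubblewrap-$UID
 * that is a symlink or a regular file does not. */
int is_trustworthy_mountpoint(const char *path, uid_t trusted_owner)
{
    struct stat st;
    if (lstat(path, &st) != 0)              /* missing: nothing safe to mount on */
        return 0;
    if (S_ISLNK(st.st_mode))                /* symlink points wherever its creator chose */
        return 0;
    if (!S_ISDIR(st.st_mode))               /* mount() on a non-directory fails: DoS */
        return 0;
    if (st.st_uid != trusted_owner)         /* pre-created by somebody else */
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))   /* others could swap the entry under us */
        return 0;
    return 1;
}

/* Build a constructed scratch tree with one candidate of each kind and return a
 * bitmask: 1 = private dir accepted, 2 = symlink rejected, 4 = regular file
 * rejected, 8 = world-writable dir rejected. A fully correct check returns 15. */
int demo_candidates(void)
{
    char base[] = "/tmp/mp-demo-XXXXXX";
    char dir[64], lnk[64], reg[64], wide[64];
    int mask = 0, fd;
    if (mkdtemp(base) == NULL)
        return -1;
    snprintf(dir, sizeof dir, "%s/dir", base);   mkdir(dir, 0700);
    snprintf(lnk, sizeof lnk, "%s/link", base);  symlink(dir, lnk);   /* planted symlink */
    snprintf(reg, sizeof reg, "%s/file", base);                       /* planted file */
    if ((fd = open(reg, O_WRONLY | O_CREAT | O_EXCL, 0600)) >= 0) close(fd);
    snprintf(wide, sizeof wide, "%s/wide", base); mkdir(wide, 0777); chmod(wide, 0777);
    if (is_trustworthy_mountpoint(dir, getuid()))   mask |= 1;
    if (!is_trustworthy_mountpoint(lnk, getuid()))  mask |= 2;
    if (!is_trustworthy_mountpoint(reg, getuid()))  mask |= 4;
    if (!is_trustworthy_mountpoint(wide, getuid())) mask |= 8;
    unlink(lnk); unlink(reg); rmdir(wide); rmdir(dir); rmdir(base);
    return mask;
}
```

The merged change sidesteps this check entirely by mounting on /proc, which bubblewrap already has to trust; the check only makes explicit why a per-user directory under /tmp cannot be trusted the same way.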