Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

libpod: mount safely subpaths #17992

Merged
merged 1 commit into from
Mar 31, 2023
Merged

libpod: mount safely subpaths #17992

merged 1 commit into from
Mar 31, 2023

Conversation

giuseppe
Copy link
Member

@giuseppe giuseppe commented Mar 30, 2023
edited

add a function to securely mount a subpath inside a volume. We cannot trust that the subpath is safe since it is beneath a volume that could be controlled by a separate container. To avoid TOCTOU races between when we check the subpath and when the OCI runtime mounts it, we open the subpath, validate it, bind mount to a temporary directory and use it instead of the original path.

Does this PR introduce a user-facing change?

None

@openshift-ci openshift-ci bot added release-note-none approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Mar 30, 2023
@giuseppe giuseppe force-pushed the safe-mount-subpath branch 3 times, most recently from b0fb2e6 to 38b9036 Compare March 31, 2023 07:39
vrothberg
vrothberg reviewed Mar 31, 2023
View reviewed changes
libpod/container_internal_linux.go
}
}()

fdPath := fmt.Sprintf("/proc/%d/fd/%d", os.Getpid(), f.Fd())
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do I understand it correctly that the trick to avoid a TOCTOU is by using the FD here? The path may change but the FD will continue pointing to the same file?

Whether I understood it correctly or not, I think that a comment would be nice.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the trick is that once it is opened, it cannot become a symlink anymore. So if we open, validate it and then use it, we are safe. I'll add a comment

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Excellent, thanks!

Clever idea, btw

vrothberg
vrothberg approved these changes Mar 31, 2023
View reviewed changes
Copy link
Member

@vrothberg vrothberg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Mar 31, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: giuseppe, vrothberg

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@rhatdan
Copy link
Member

rhatdan commented Mar 31, 2023

Nice work. One nit, but not worth fixing unless you need to repush.

/lgtm
/hold

@openshift-ci openshift-ci bot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. lgtm Indicates that a PR is ready to be merged. labels Mar 31, 2023
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Mar 31, 2023
@giuseppe
libpod: mount safely subpaths
4d56292 
add a function to securely mount a subpath inside a volume.  We cannot
trust that the subpath is safe since it is beneath a volume that could
be controlled by a separate container.  To avoid TOCTOU races between
when we check the subpath and when the OCI runtime mounts it, we open
the subpath, validate it, bind mount to a temporary directory and use
it instead of the original path.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@rhatdan
Copy link
Member

rhatdan commented Mar 31, 2023

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 31, 2023
@giuseppe
Copy link
Member Author

/hold cancel

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 31, 2023
@openshift-merge-robot openshift-merge-robot merged commit 8a92f9d into containers:main Mar 31, 2023
This was referenced May 2, 2023
Closed
Closed
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 3, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 3, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@vrothberg vrothberg vrothberg approved these changes

Assignees

@rhatdan rhatdan

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. release-note-none
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@giuseppe @rhatdan @vrothberg @openshift-merge-robot