Ensure docker cp cannot traverse outside container rootfs
#5720
Conversation
|
Although, there should be a single container method that will get the full path of a resource in the container's rootfs. And everything that creates their own path from a resource should use that method instead... EDIT: Added. |
|
I see that you pretty familiar with |
|
The |
|
integration is deprecated :) Can you please move your tests to integration-cli? |
|
Rebased after moving the tests, and adding myself to /ping @shykes @creack @vieux @crosbymichael |
|
LGTM |
|
ping @unclejack |
|
@cyphar this needs rebased. I moved the symlink func to a separate pkg in |
This patch fixes the bug that allowed cp to copy files outside of the containers rootfs, by passing a relative path (such as ../../../../../../../../etc/shadow). This is fixed by first converting the path to an absolute path (relative to /) and then appending it to the container's rootfs before continuing. Docker-DCO-1.1-Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> (github: cyphar)
This patch adds integration tests for the copying of resources from a container, to ensure that regressions in the security of resource copying can be easily discovered. Docker-DCO-1.1-Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> (github: cyphar)
This patch is a preventative patch, it fixes possible future vulnerabilities regarding unsantised paths. Due to several recent vulnerabilities, wherein the docker daemon could be fooled into accessing data from the host (rather than a container), this patch was created to try and mitigate future possible vulnerabilities in the same vein. Docker-DCO-1.1-Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> (github: cyphar)
|
@crosbymichael rebase'd. Bumping, since this vulnerability is very serious. |
|
@cyphar Just to make it clear, it's a bug, not a vulnerability per se. If you can run a privileged container, you've got root on the host and that lets you do this and far more. |
|
LGTM |
1 similar comment
|
LGTM |
Ensure `docker cp` cannot traverse outside container rootfs
This patch fixes the bug (#5656) that allowed cp to copy files outside of the containers rootfs, by passing a relative path (such as
../../../../../../../../etc/shadow). This is fixed by first converting the path to an absolute path (relative to /) and then appending it to the container's rootfs before continuing.Docker-DCO-1.1-Signed-off-by: Aleksa Sarai cyphar@cyphar.com (github: cyphar)
EDIT: I want to point out that while the issue (#5656) is closed, the vulnerability still works. The problem is that the docker socket can, even when running in multi-tenant situations, be used to read files as root since paths aren't sanitised properly. This problem has yet to be fixed.
EDIT 2: This patch also now includes fixes to general path generation in the
daemonsubsystem, in order to try and prevent future exploits in the same vein as this one.Fixes #5656
/cc @shykes @creack @vieux @crosbymichael