Skip to content

Commit

Permalink
selinux: verify that writes to /proc/... are on procfs
Browse files Browse the repository at this point in the history 
This is an additional mitigation for CVE-2019-16884. The primary problem
is that Docker can be coerced into bind-mounting a file system on top of
/proc (resulting in label-related writes to /proc no longer happening).

While runc is working on mitigations against permitting the mounts, this
helps avoid go-selinux from being tricked into writing to non-procfs
files. This is not a perfect solution (after all, there might be a
bind-mount of a different procfs file over the target) but in order to
exploit that you would need to be able to tweak a config.json pretty
specifically (which thankfully Docker doesn't allow).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
  • Loading branch information
@cyphar
cyphar committed Sep 27, 2019
1 parent bd44319 commit 03b517d
Showing 1 changed file with 20 additions and 1 deletion.
21 changes: 20 additions & 1 deletion go-selinux/selinux_linux.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ import (
"strings"
"sync"
"syscall"

"golang.org/x/sys/unix"
)

Expand Down Expand Up @@ -253,6 +254,12 @@ func getSELinuxPolicyRoot() string {
return filepath.Join(selinuxDir, readConfig(selinuxTypeTag))
}

func isProcHandle(fh *os.File) (bool, error) {
var buf unix.Statfs_t
err := unix.Fstatfs(int(fh.Fd()), &buf)
return buf.Type == unix.PROC_SUPER_MAGIC, err
}

func readCon(fpath string) (string, error) {
if fpath == "" {
return "", ErrEmptyPath
Expand All @@ -264,6 +271,12 @@ func readCon(fpath string) (string, error) {
}
defer in.Close()

if ok, err := isProcHandle(in); err != nil {
return "", err
} else if !ok {
return "", fmt.Errorf("%s not on procfs", fpath)
}

var retval string
if _, err := fmt.Fscanf(in, "%s", &retval); err != nil {
return "", err
Expand Down Expand Up @@ -346,6 +359,12 @@ func writeCon(fpath string, val string) error {
}
defer out.Close()

if ok, err := isProcHandle(out); err != nil {
return err
} else if !ok {
return fmt.Errorf("%s not on procfs", fpath)
}

if val != "" {
_, err = out.Write([]byte(val))
} else {
Expand Down Expand Up @@ -394,7 +413,7 @@ func SetExecLabel(label string) error {
}

/*
SetTaskLabel sets the SELinux label for the current thread, or an error.
SetTaskLabel sets the SELinux label for the current thread, or an error.
This requires the dyntransition permission.
*/
func SetTaskLabel(label string) error {
Expand Down

0 comments on commit 03b517d

Please sign in to comment.