You've already forked runc
mirror of
https://github.com/opencontainers/runc.git
synced 2025-07-30 17:43:06 +03:00
d463f6485b
This is an additional mitigation for CVE-2019-16884. The primary problem is that Docker can be coerced into bind-mounting a file system on top of /proc (resulting in label-related writes to /proc no longer happening). While we are working on mitigations against permitting the mounts, this helps avoid our code from being tricked into writing to non-procfs files. This is not a perfect solution (after all, there might be a bind-mount of a different procfs file over the target) but in order to exploit that you would need to be able to tweak a config.json pretty specifically (which thankfully Docker doesn't allow). Specifically this stops AppArmor from not labeling a process silently due to /proc/self/attr/... being incorrectly set, and stops any accidental fd leaks because /proc/self/fd/... is not real. Signed-off-by: Aleksa Sarai <asarai@suse.de>
61 lines
1.4 KiB
Go
61 lines
1.4 KiB
Go
// +build apparmor,linux
|
|
|
|
package apparmor
|
|
|
|
import (
|
|
"fmt"
|
|
"io/ioutil"
|
|
"os"
|
|
|
|
"github.com/opencontainers/runc/libcontainer/utils"
|
|
)
|
|
|
|
// IsEnabled returns true if apparmor is enabled for the host.
|
|
func IsEnabled() bool {
|
|
if _, err := os.Stat("/sys/kernel/security/apparmor"); err == nil && os.Getenv("container") == "" {
|
|
if _, err = os.Stat("/sbin/apparmor_parser"); err == nil {
|
|
buf, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled")
|
|
return err == nil && len(buf) > 1 && buf[0] == 'Y'
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
func setProcAttr(attr, value string) error {
|
|
// Under AppArmor you can only change your own attr, so use /proc/self/
|
|
// instead of /proc/<tid>/ like libapparmor does
|
|
path := fmt.Sprintf("/proc/self/attr/%s", attr)
|
|
|
|
f, err := os.OpenFile(path, os.O_WRONLY, 0)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer f.Close()
|
|
|
|
if err := utils.EnsureProcHandle(f); err != nil {
|
|
return err
|
|
}
|
|
|
|
_, err = fmt.Fprintf(f, "%s", value)
|
|
return err
|
|
}
|
|
|
|
// changeOnExec reimplements aa_change_onexec from libapparmor in Go
|
|
func changeOnExec(name string) error {
|
|
value := "exec " + name
|
|
if err := setProcAttr("exec", value); err != nil {
|
|
return fmt.Errorf("apparmor failed to apply profile: %s", err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// ApplyProfile will apply the profile with the specified name to the process after
|
|
// the next exec.
|
|
func ApplyProfile(name string) error {
|
|
if name == "" {
|
|
return nil
|
|
}
|
|
|
|
return changeOnExec(name)
|
|
}
|