crun

readonlyPaths create sub-mount to already mounted location without same flags

Open Koczek9 opened this issue 3 years ago • 3 comments

I found out that one can bypass all flags made during creation of a mount just by adding a directory (or subdirectory) as read-only. So let's imagine someone has mounted:

    {
       "destination": "/vagrant/test",
       "type": "bind",
       "source": "/opt/test",
       "options": [
         "rbind",
         "nosuid",
         "noexec",
         "nodev"
       ]
    },

and later in the config has:

    "readonlyPaths": [
       "/vagrant/test"
    ]

Inside container namespace he would get:

    cat /proc/28728/mountinfo | grep vagrant
    690 667 8:1 /opt/test /vagrant/test rw,nosuid,nodev,noexec,relatime - ext4 /dev/sda1 rw
    704 690 8:1 /opt/test /vagrant/test ro,relatime - ext4 /dev/sda1 rw

Where the first entry is created by the mount and the second by readonlyPaths. As one can see, "nosuid,nodev,noexec" are missing. And if I put some executable there, I can run it fine. This can obviously be done to a subdirectory also (e.g. I wanted to have /vagrant/test/ro as read-only but the parent directory as rw), but the important part is that by creating the read-only sub-mount we didn't check the flags of the original one. We should probably just check what the current flags of the parent directory are and add ro on top of that, not just replace them with ro, as we lose all the others. If you are interested in a test container, I can provide it in the next message.

Koczek9 avatar Jun 15 '22 05:06 Koczek9

I was asked why I don't create "ro" from the beginning. In my case the situation is this: the problem is often present in /proc. In my case I have:

    {
       "destination": "/proc",
       "type": "proc",
       "source": "proc",
       "options": [
         "nosuid",
         "noexec",
         "nodev"
       ]
    }

and later:

    "readonlyPaths": [
       "/proc/asound",
       "/proc/bus",
       "/proc/fs",
       "/proc/irq",
       "/proc/sys",
       "/proc/sysrq-trigger"
    ]

and, as one can expect from the description above, all readonlyPaths entries CAN be executed, including with SUID and SGID. I would expect that readonlyPaths would only add ro to the current mount, not replace everything.

Koczek9 avatar Jun 15 '22 05:06 Koczek9
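The two reports above (the /vagrant/test bind mount and the /proc readonlyPaths entries) describe the same defect: the read-only sub-mount carries only `ro`, so `nosuid`, `nodev` and `noexec` from the mount it sits on are gone. The following C program is an added example written for this thread; it is not crun's code. It parses `mountinfo` lines constructed from the ones quoted in the issue, and shows both sides of the problem: an audit that reports stacked sub-mounts that lost a lockdown flag their parent mount had (the check a defender can run inside a container), and the flag computation the reporter asks for, where a read-only remount starts from the covering mount's flags and only adds `MS_RDONLY`. Names such as `audit_dropped_lockdown_flags`, `readonly_remount_flags` and the two `MOUNTINFO_*` samples are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>

/* Mount flags that a readonlyPaths sub-mount must not silently drop. */
#define LOCKDOWN_FLAGS (MS_NOSUID | MS_NODEV | MS_NOEXEC)
#define MAX_ENTRIES 64

/* Subset of the mountinfo fields: id parent maj:min root mountpoint opts ... */
struct mi_entry {
    int id, parent;
    char majmin[32];
    char mountpoint[256];
    char opts[256];
};

/* Constructed samples modelled on the mountinfo lines quoted in the issue:
 * "before" has only the bind mount; "after" also has the ro sub-mount that
 * readonlyPaths stacked on top of it. */
static const char *MOUNTINFO_BEFORE =
    "690 667 8:1 /opt/test /vagrant/test rw,nosuid,nodev,noexec,relatime - ext4 /dev/sda1 rw\n";
static const char *MOUNTINFO_AFTER =
    "690 667 8:1 /opt/test /vagrant/test rw,nosuid,nodev,noexec,relatime - ext4 /dev/sda1 rw\n"
    "704 690 8:1 /opt/test /vagrant/test ro,relatime - ext4 /dev/sda1 rw\n";

/* Translate the per-mount options column of mountinfo into MS_* bits. */
unsigned long mountinfo_opts_to_flags(const char *opts)
{
    static const struct { const char *name; unsigned long bit; } table[] = {
        { "ro", MS_RDONLY }, { "nosuid", MS_NOSUID }, { "nodev", MS_NODEV },
        { "noexec", MS_NOEXEC }, { "relatime", MS_RELATIME },
        { "noatime", MS_NOATIME }, { "nodiratime", MS_NODIRATIME },
    };
    unsigned long flags = 0;
    char buf[256];
    snprintf(buf, sizeof buf, "%s", opts);            /* strtok needs a writable copy */
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ","))
        for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
            if (strcmp(tok, table[i].name) == 0)
                flags |= table[i].bit;
    return flags;
}

/* Parse mountinfo text line by line; returns the number of entries filled. */
static int parse_mountinfo(const char *text, struct mi_entry *out, int max)
{
    int n = 0;
    for (const char *p = text; *p && n < max; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512], root[256];
        snprintf(line, sizeof line, "%.*s", (int)len, p);
        if (sscanf(line, "%d %d %31s %255s %255s %255s", &out[n].id, &out[n].parent,
                   out[n].majmin, root, out[n].mountpoint, out[n].opts) == 6)
            n++;
        if (!nl) break;
        p = nl + 1;
    }
    return n;
}

/* Flags of the innermost mount covering `path` (exact match or an ancestor directory).
 * Later mountinfo entries are stacked on top, so on equal length the last match wins.
 * Returns 0 when no mount covers the path. */
static unsigned long covering_mount_flags(const struct mi_entry *e, int n, const char *path)
{
    unsigned long flags = 0;
    size_t best = 0;
    for (int i = 0; i < n; i++) {
        size_t l = strlen(e[i].mountpoint);
        int match = strncmp(path, e[i].mountpoint, l) == 0 &&
                    (path[l] == '\0' || path[l] == '/' || strcmp(e[i].mountpoint, "/") == 0);
        if (match && l >= best) { best = l; flags = mountinfo_opts_to_flags(e[i].opts); }
    }
    return flags;
}

/* The behaviour the issue asks for: a read-only remount of `path` keeps every flag of the
 * mount it lives in and only adds MS_RDONLY. Returns 0 if no mount covers the path. */
unsigned long readonly_remount_flags(const char *mountinfo, const char *path)
{
    struct mi_entry e[MAX_ENTRIES];
    int n = parse_mountinfo(mountinfo, e, MAX_ENTRIES);
    unsigned long f = covering_mount_flags(e, n, path);
    return f ? (f | MS_RDONLY) : 0;
}

/* Detection: count sub-mounts of the same filesystem (same maj:min) stacked at or below
 * their parent mount that lack a lockdown flag the parent carries. `first_bad` receives
 * the first offending mount id, or -1 when everything is consistent. */
int audit_dropped_lockdown_flags(const char *mountinfo, int *first_bad)
{
    struct mi_entry e[MAX_ENTRIES];
    int n = parse_mountinfo(mountinfo, e, MAX_ENTRIES), bad = 0;
    *first_bad = -1;
    for (int i = 0; i < n; i++)
        for (int j = 0; j < n; j++) {
            if (e[j].id != e[i].parent || strcmp(e[i].majmin, e[j].majmin) != 0)
                continue;
            unsigned long want = mountinfo_opts_to_flags(e[j].opts) & LOCKDOWN_FLAGS;
            unsigned long have = mountinfo_opts_to_flags(e[i].opts) & LOCKDOWN_FLAGS;
            if (want & ~have) {
                if (*first_bad < 0) *first_bad = e[i].id;
                bad++;
            }
        }
    return bad;
}

int main(void)
{
    int bad_id;
    int bad = audit_dropped_lockdown_flags(MOUNTINFO_AFTER, &bad_id);
    printf("sub-mounts dropping nosuid/nodev/noexec: %d (first offender: mount id %d)\n", bad, bad_id);
    unsigned long f = readonly_remount_flags(MOUNTINFO_BEFORE, "/vagrant/test/ro");
    printf("remount flags for /vagrant/test/ro: ro=%d nosuid=%d nodev=%d noexec=%d\n",
           !!(f & MS_RDONLY), !!(f & MS_NOSUID), !!(f & MS_NODEV), !!(f & MS_NOEXEC));
    return 0;
}
```

To audit a live container, read `/proc/self/mountinfo` into a buffer and pass it to `audit_dropped_lockdown_flags`; any non-zero count means an over-mount weakened its parent. The value returned by `readonly_remount_flags` is what a runtime would pass as the `mountflags` argument of a `MS_BIND | MS_REMOUNT` `mount(2)` call, so the `ro` sub-mount ends up with the same `nosuid,nodev,noexec` set the parent had.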

@cdoern would you like to take a look at this issue?

giuseppe avatar Jul 03 '22 15:07 giuseppe

@giuseppe sorry for the late reply, but sure!

cdoern avatar Jul 21 '22 15:07 cdoern

@cdoern are you still looking at this? If not and you are short on time, please feel free to assign this to me. :)

flouthoc avatar Feb 07 '23 11:02 flouthoc

@flouthoc take it over. @cdoern is working on the new team and finishing up school

rhatdan avatar Feb 08 '23 01:02 rhatdan