Eliminate TOCTOU races for connect(2)

Open rata opened this issue 3 years ago • 2 comments

The TOCTOU races mentioned in the README can be eliminated if, instead of allowing the connect(2) syscall to continue, we run the syscall on behalf of the container and then just forward the return code & errno.

I mean, we can copy the syscall params and make sure they are out of localhost and such, then we run the syscall.Connect ourselves, and then answer the seccomp notification with the return value & errno we got when running it. In this way, we can choose to run it only when it is safe to do so.

What do you think?

rata · Mar 10 '22 15:03
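A sketch of the copy-then-validate-then-connect flow proposed in this issue, added here as an illustration and not taken from the bypass4netns code base. `memReader`, `snapshotSockaddrIn`, `handleConnect` and the `dial` callback are hypothetical names, only IPv4 `sockaddr_in` is handled, and refusing loopback with `EPERM` is an example policy.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
	"syscall"
)

// memReader stands in for reading the container process's memory (hypothetical).
type memReader func(addr uint64, n int) ([]byte, error)

// snapshotSockaddrIn copies and parses the sockaddr_in argument exactly once.
func snapshotSockaddrIn(read memReader, addr uint64, addrlen uint32) (net.IP, uint16, syscall.Errno) {
	if addrlen < 16 {
		return nil, 0, syscall.EINVAL
	}
	buf, err := read(addr, 16)
	if err != nil || len(buf) < 16 {
		return nil, 0, syscall.EFAULT
	}
	// sin_family is host-endian (little-endian assumed); port and address are big-endian.
	if binary.LittleEndian.Uint16(buf[0:2]) != syscall.AF_INET {
		return nil, 0, syscall.EAFNOSUPPORT
	}
	return net.IPv4(buf[4], buf[5], buf[6], buf[7]), binary.BigEndian.Uint16(buf[2:4]), 0
}

// handleConnect returns the return value and errno for the seccomp notification reply.
// dial is the supervisor's own connect; it only ever sees the private copy.
func handleConnect(read memReader, addr uint64, addrlen uint32,
	dial func(net.IP, uint16) syscall.Errno) (int, syscall.Errno) {
	ip, port, errno := snapshotSockaddrIn(read, addr, addrlen)
	if errno != 0 {
		return -1, errno
	}
	// 0.0.0.0 is refused too: on Linux, connecting to it reaches the local host.
	if ip.IsLoopback() || ip.IsUnspecified() {
		return -1, syscall.EPERM // example policy: never touch host localhost
	}
	if errno = dial(ip, port); errno != 0 {
		return -1, errno
	}
	return 0, 0
}

func main() {
	mem := func(uint64, int) ([]byte, error) { // constructed sockaddr_in: 192.0.2.10:443
		return []byte{2, 0, 0x01, 0xbb, 192, 0, 2, 10, 0, 0, 0, 0, 0, 0, 0, 0}, nil
	}
	ret, errno := handleConnect(mem, 0x1000, 16, func(net.IP, uint16) syscall.Errno { return 0 })
	fmt.Println(ret, int(errno))
}
```

Because the address is read once and the supervisor connects using that copy, a container thread that rewrites the `sockaddr` after the check has no effect on where the connection goes.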

PR is wanted 🙏

AkihiroSuda · Mar 16 '22 09:03

I'm currently swamped, I don't expect to have time soon. But I'll have a look if I can :)

rata · Mar 16 '22 10:03