Blame SOURCES/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch

0678ad
From 2a03a0c265d5bd3e77bc22e7d1fbb57388984727 Mon Sep 17 00:00:00 2001
0678ad
From: Aleksa Sarai <asarai@suse.de>
0678ad
Date: Wed, 9 Jan 2019 13:40:01 +1100
0678ad
Subject: [PATCH 1/1] nsenter: clone /proc/self/exe to avoid exposing host
0678ad
 binary to container
0678ad
0678ad
There are quite a few circumstances where /proc/self/exe pointing to a
0678ad
pretty important container binary is a _bad_ thing, so to avoid this we
0678ad
have to make a copy (preferably doing self-clean-up and not being
0678ad
writeable).
0678ad
0678ad
As a hotfix we require memfd_create(2), but we can always extend this to
0678ad
use a scratch MNT_DETACH overlayfs or tmpfs. The main downside to this
0678ad
approach is no page-cache sharing for the runc binary (which overlayfs
0678ad
would give us) but this is far less complicated.
0678ad
0678ad
This is only done during nsenter so that it happens transparently to the
0678ad
Go code, and any libcontainer users benefit from it. This also makes
0678ad
ExtraFiles and --preserve-fds handling trivial (because we don't need to
0678ad
worry about it).
0678ad
0678ad
Fixes: CVE-2019-5736
0678ad
Co-developed-by: Christian Brauner <christian.brauner@ubuntu.com>
0678ad
Signed-off-by: Aleksa Sarai <asarai@suse.de>
0678ad
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
0678ad
---
0678ad
 libcontainer/nsenter/cloned_binary.c | 221 +++++++++++++++++++++++++++
0678ad
 libcontainer/nsenter/nsexec.c        |  11 ++
0678ad
 2 files changed, 232 insertions(+)
0678ad
 create mode 100644 libcontainer/nsenter/cloned_binary.c
0678ad
0678ad
diff --git a/libcontainer/nsenter/cloned_binary.c b/libcontainer/nsenter/cloned_binary.c
0678ad
new file mode 100644
0678ad
index 00000000..d9f6093a
0678ad
--- /dev/null
0678ad
+++ b/libcontainer/nsenter/cloned_binary.c
0678ad
@@ -0,0 +1,221 @@
0678ad
+#define _GNU_SOURCE
0678ad
+#include <unistd.h>
0678ad
+#include <stdio.h>
0678ad
+#include <stdlib.h>
0678ad
+#include <stdbool.h>
0678ad
+#include <string.h>
0678ad
+#include <limits.h>
0678ad
+#include <fcntl.h>
0678ad
+#include <errno.h>
0678ad
+
0678ad
+#include <sys/types.h>
0678ad
+#include <sys/stat.h>
0678ad
+#include <sys/vfs.h>
0678ad
+#include <sys/mman.h>
0678ad
+#include <sys/sendfile.h>
0678ad
+#include <sys/syscall.h>
0678ad
+
0678ad
+#include <linux/magic.h>
0678ad
+#include <linux/memfd.h>
0678ad
+
0678ad
+/* Use our own wrapper for memfd_create. */
0678ad
+#if !defined(SYS_memfd_create) && defined(__NR_memfd_create)
0678ad
+#  define SYS_memfd_create __NR_memfd_create
0678ad
+#endif
0678ad
+#ifndef SYS_memfd_create
0678ad
+#  error "memfd_create(2) syscall not supported by this glibc version"
0678ad
+#endif
0678ad
+int memfd_create(const char *name, unsigned int flags)
0678ad
+{
0678ad
+	return syscall(SYS_memfd_create, name, flags);
0678ad
+}
0678ad
+
0678ad
+/* This comes directly from <linux/fcntl.h>. */
0678ad
+#ifndef F_LINUX_SPECIFIC_BASE
0678ad
+#  define F_LINUX_SPECIFIC_BASE 1024
0678ad
+#endif
0678ad
+#ifndef F_ADD_SEALS
0678ad
+#  define F_ADD_SEALS (F_LINUX_SPECIFIC_BASE + 9)
0678ad
+#  define F_GET_SEALS (F_LINUX_SPECIFIC_BASE + 10)
0678ad
+#endif
0678ad
+#ifndef F_SEAL_SEAL
0678ad
+#  define F_SEAL_SEAL   0x0001	/* prevent further seals from being set */
0678ad
+#  define F_SEAL_SHRINK 0x0002	/* prevent file from shrinking */
0678ad
+#  define F_SEAL_GROW   0x0004	/* prevent file from growing */
0678ad
+#  define F_SEAL_WRITE  0x0008	/* prevent writes */
0678ad
+#endif
0678ad
+
0678ad
+
0678ad
+#define OUR_MEMFD_COMMENT "runc_cloned:/proc/self/exe"
0678ad
+#define OUR_MEMFD_SEALS \
0678ad
+	(F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)
0678ad
+
0678ad
+static void *must_realloc(void *ptr, size_t size)
0678ad
+{
0678ad
+	void *old = ptr;
0678ad
+	do {
0678ad
+		ptr = realloc(old, size);
0678ad
+	} while(!ptr);
0678ad
+	return ptr;
0678ad
+}
0678ad
+
0678ad
+/*
0678ad
+ * Verify whether we are currently in a self-cloned program (namely, is
0678ad
+ * /proc/self/exe a memfd). F_GET_SEALS will only succeed for memfds (or rather
0678ad
+ * for shmem files), and we want to be sure it's actually sealed.
0678ad
+ */
0678ad
+static int is_self_cloned(void)
0678ad
+{
0678ad
+	int fd, seals;
0678ad
+
0678ad
+	fd = open("/proc/self/exe", O_RDONLY|O_CLOEXEC);
0678ad
+	if (fd < 0)
0678ad
+		return -ENOTRECOVERABLE;
0678ad
+
0678ad
+	seals = fcntl(fd, F_GET_SEALS);
0678ad
+	close(fd);
0678ad
+	return seals == OUR_MEMFD_SEALS;
0678ad
+}
0678ad
+
0678ad
+/*
0678ad
+ * Basic wrapper around mmap(2) that gives you the file length so you can
0678ad
+ * safely treat it as an ordinary buffer. Only gives you read access.
0678ad
+ */
0678ad
+static char *read_file(char *path, size_t *length)
0678ad
+{
0678ad
+	int fd;
0678ad
+	char buf[4096], *copy = NULL;
0678ad
+
0678ad
+	if (!length)
0678ad
+		return NULL;
0678ad
+
0678ad
+	fd = open(path, O_RDONLY | O_CLOEXEC);
0678ad
+	if (fd < 0)
0678ad
+		return NULL;
0678ad
+
0678ad
+	*length = 0;
0678ad
+	for (;;) {
0678ad
+		int n;
0678ad
+
0678ad
+		n = read(fd, buf, sizeof(buf));
0678ad
+		if (n < 0)
0678ad
+			goto error;
0678ad
+		if (!n)
0678ad
+			break;
0678ad
+
0678ad
+		copy = must_realloc(copy, (*length + n) * sizeof(*copy));
0678ad
+		memcpy(copy + *length, buf, n);
0678ad
+		*length += n;
0678ad
+	}
0678ad
+	close(fd);
0678ad
+	return copy;
0678ad
+
0678ad
+error:
0678ad
+	close(fd);
0678ad
+	free(copy);
0678ad
+	return NULL;
0678ad
+}
0678ad
+
0678ad
+/*
0678ad
+ * A poor-man's version of "xargs -0". Basically parses a given block of
0678ad
+ * NUL-delimited data, within the given length and adds a pointer to each entry
0678ad
+ * to the array of pointers.
0678ad
+ */
0678ad
+static int parse_xargs(char *data, int data_length, char ***output)
0678ad
+{
0678ad
+	int num = 0;
0678ad
+	char *cur = data;
0678ad
+
0678ad
+	if (!data || *output != NULL)
0678ad
+		return -1;
0678ad
+
0678ad
+	while (cur < data + data_length) {
0678ad
+		num++;
0678ad
+		*output = must_realloc(*output, (num + 1) * sizeof(**output));
0678ad
+		(*output)[num - 1] = cur;
0678ad
+		cur += strlen(cur) + 1;
0678ad
+	}
0678ad
+	(*output)[num] = NULL;
0678ad
+	return num;
0678ad
+}
0678ad
+
0678ad
+/*
0678ad
+ * "Parse" out argv and envp from /proc/self/cmdline and /proc/self/environ.
0678ad
+ * This is necessary because we are running in a context where we don't have a
0678ad
+ * main() that we can just get the arguments from.
0678ad
+ */
0678ad
+static int fetchve(char ***argv, char ***envp)
0678ad
+{
0678ad
+	char *cmdline = NULL, *environ = NULL;
0678ad
+	size_t cmdline_size, environ_size;
0678ad
+
0678ad
+	cmdline = read_file("/proc/self/cmdline", &cmdline_size);
0678ad
+	if (!cmdline)
0678ad
+		goto error;
0678ad
+	environ = read_file("/proc/self/environ", &environ_size);
0678ad
+	if (!environ)
0678ad
+		goto error;
0678ad
+
0678ad
+	if (parse_xargs(cmdline, cmdline_size, argv) <= 0)
0678ad
+		goto error;
0678ad
+	if (parse_xargs(environ, environ_size, envp) <= 0)
0678ad
+		goto error;
0678ad
+
0678ad
+	return 0;
0678ad
+
0678ad
+error:
0678ad
+	free(environ);
0678ad
+	free(cmdline);
0678ad
+	return -EINVAL;
0678ad
+}
0678ad
+
0678ad
+#define SENDFILE_MAX 0x7FFFF000 /* sendfile(2) is limited to 2GB. */
0678ad
+static int clone_binary(void)
0678ad
+{
0678ad
+	int binfd, memfd, err;
0678ad
+	ssize_t sent = 0;
0678ad
+
0678ad
+	memfd = memfd_create(OUR_MEMFD_COMMENT, MFD_CLOEXEC | MFD_ALLOW_SEALING);
0678ad
+	if (memfd < 0)
0678ad
+		return -ENOTRECOVERABLE;
0678ad
+
0678ad
+	binfd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
0678ad
+	if (binfd < 0)
0678ad
+		goto error;
0678ad
+
0678ad
+	sent = sendfile(memfd, binfd, NULL, SENDFILE_MAX);
0678ad
+	close(binfd);
0678ad
+	if (sent < 0)
0678ad
+		goto error;
0678ad
+
0678ad
+	err = fcntl(memfd, F_ADD_SEALS, OUR_MEMFD_SEALS);
0678ad
+	if (err < 0)
0678ad
+		goto error;
0678ad
+
0678ad
+	return memfd;
0678ad
+
0678ad
+error:
0678ad
+	close(memfd);
0678ad
+	return -EIO;
0678ad
+}
0678ad
+
0678ad
+int ensure_cloned_binary(void)
0678ad
+{
0678ad
+	int execfd;
0678ad
+	char **argv = NULL, **envp = NULL;
0678ad
+
0678ad
+	/* Check that we're not self-cloned, and if we are then bail. */
0678ad
+	int cloned = is_self_cloned();
0678ad
+	if (cloned > 0 || cloned == -ENOTRECOVERABLE)
0678ad
+		return cloned;
0678ad
+
0678ad
+	if (fetchve(&argv, &envp) < 0)
0678ad
+		return -EINVAL;
0678ad
+
0678ad
+	execfd = clone_binary();
0678ad
+	if (execfd < 0)
0678ad
+		return -EIO;
0678ad
+
0678ad
+	fexecve(execfd, argv, envp);
0678ad
+	return -ENOEXEC;
0678ad
+}
0678ad
diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
0678ad
index 0a10f802..814c738d 100644
0678ad
--- a/libcontainer/nsenter/nsexec.c
0678ad
+++ b/libcontainer/nsenter/nsexec.c
0678ad
@@ -420,6 +420,9 @@ void join_namespaces(char *nslist)
0678ad
 	free(namespaces);
0678ad
 }
0678ad
 
0678ad
+/* Defined in cloned_binary.c. */
0678ad
+int ensure_cloned_binary(void);
0678ad
+
0678ad
 void nsexec(void)
0678ad
 {
0678ad
 	int pipenum;
0678ad
@@ -435,6 +438,14 @@ void nsexec(void)
0678ad
 	if (pipenum == -1)
0678ad
 		return;
0678ad
 
0678ad
+	/*
0678ad
+	 * We need to re-exec if we are not in a cloned binary. This is necessary
0678ad
+	 * to ensure that containers won't be able to access the host binary
0678ad
+	 * through /proc/self/exe. See CVE-2019-5736.
0678ad
+	 */
0678ad
+	if (ensure_cloned_binary() < 0)
0678ad
+		bail("could not ensure we are a cloned binary");
0678ad
+
0678ad
 	/* make the process non-dumpable */
0678ad
 	if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) {
0678ad
 		bail("failed to set process as non-dumpable");
0678ad
-- 
0678ad
2.20.1
0678ad