1f5593
From bf6405284aa3870a39b402309003633a1c230ed9 Mon Sep 17 00:00:00 2001
1f5593
From: Aleksa Sarai <asarai@suse.de>
1f5593
Date: Wed, 9 Jan 2019 13:40:01 +1100
1f5593
Subject: [PATCH 1/1] nsenter: clone /proc/self/exe to avoid exposing host
1f5593
 binary to container
1f5593
1f5593
There are quite a few circumstances where /proc/self/exe pointing to a
1f5593
pretty important container binary is a _bad_ thing, so to avoid this we
1f5593
have to make a copy (preferably doing self-clean-up and not being
1f5593
writeable).
1f5593
1f5593
As a hotfix we require memfd_create(2), but we can always extend this to
1f5593
use a scratch MNT_DETACH overlayfs or tmpfs. The main downside to this
1f5593
approach is no page-cache sharing for the runc binary (which overlayfs
1f5593
would give us) but this is far less complicated.
1f5593
1f5593
This is only done during nsenter so that it happens transparently to the
1f5593
Go code, and any libcontainer users benefit from it. This also makes
1f5593
ExtraFiles and --preserve-fds handling trivial (because we don't need to
1f5593
worry about it).
1f5593
1f5593
Fixes: CVE-2019-5736
1f5593
Co-developed-by: Christian Brauner <christian.brauner@ubuntu.com>
1f5593
Signed-off-by: Aleksa Sarai <asarai@suse.de>
1f5593
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
1f5593
---
1f5593
 libcontainer/nsenter/cloned_binary.c | 221 +++++++++++++++++++++++++++
1f5593
 libcontainer/nsenter/nsexec.c        |  11 ++
1f5593
 2 files changed, 232 insertions(+)
1f5593
 create mode 100644 libcontainer/nsenter/cloned_binary.c
1f5593
1f5593
diff --git a/libcontainer/nsenter/cloned_binary.c b/libcontainer/nsenter/cloned_binary.c
1f5593
new file mode 100644
1f5593
index 00000000..d9f6093a
1f5593
--- /dev/null
1f5593
+++ b/libcontainer/nsenter/cloned_binary.c
1f5593
@@ -0,0 +1,221 @@
1f5593
+#define _GNU_SOURCE
1f5593
+#include <unistd.h>
1f5593
+#include <stdio.h>
1f5593
+#include <stdlib.h>
1f5593
+#include <stdbool.h>
1f5593
+#include <string.h>
1f5593
+#include <limits.h>
1f5593
+#include <fcntl.h>
1f5593
+#include <errno.h>
1f5593
+
1f5593
+#include <sys/types.h>
1f5593
+#include <sys/stat.h>
1f5593
+#include <sys/vfs.h>
1f5593
+#include <sys/mman.h>
1f5593
+#include <sys/sendfile.h>
1f5593
+#include <sys/syscall.h>
1f5593
+
1f5593
+#include <linux/magic.h>
1f5593
+#include <linux/memfd.h>
1f5593
+
1f5593
+/* Use our own wrapper for memfd_create. */
1f5593
+#if !defined(SYS_memfd_create) && defined(__NR_memfd_create)
1f5593
+#  define SYS_memfd_create __NR_memfd_create
1f5593
+#endif
1f5593
+#ifndef SYS_memfd_create
1f5593
+#  error "memfd_create(2) syscall not supported by this glibc version"
1f5593
+#endif
1f5593
+int memfd_create(const char *name, unsigned int flags)
1f5593
+{
1f5593
+	return syscall(SYS_memfd_create, name, flags);
1f5593
+}
1f5593
+
1f5593
+/* This comes directly from <linux/fcntl.h>. */
1f5593
+#ifndef F_LINUX_SPECIFIC_BASE
1f5593
+#  define F_LINUX_SPECIFIC_BASE 1024
1f5593
+#endif
1f5593
+#ifndef F_ADD_SEALS
1f5593
+#  define F_ADD_SEALS (F_LINUX_SPECIFIC_BASE + 9)
1f5593
+#  define F_GET_SEALS (F_LINUX_SPECIFIC_BASE + 10)
1f5593
+#endif
1f5593
+#ifndef F_SEAL_SEAL
1f5593
+#  define F_SEAL_SEAL   0x0001	/* prevent further seals from being set */
1f5593
+#  define F_SEAL_SHRINK 0x0002	/* prevent file from shrinking */
1f5593
+#  define F_SEAL_GROW   0x0004	/* prevent file from growing */
1f5593
+#  define F_SEAL_WRITE  0x0008	/* prevent writes */
1f5593
+#endif
1f5593
+
1f5593
+
1f5593
+#define OUR_MEMFD_COMMENT "runc_cloned:/proc/self/exe"
1f5593
+#define OUR_MEMFD_SEALS \
1f5593
+	(F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)
1f5593
+
1f5593
+static void *must_realloc(void *ptr, size_t size)
1f5593
+{
1f5593
+	void *old = ptr;
1f5593
+	do {
1f5593
+		ptr = realloc(old, size);
1f5593
+	} while(!ptr);
1f5593
+	return ptr;
1f5593
+}
1f5593
+
1f5593
+/*
1f5593
+ * Verify whether we are currently in a self-cloned program (namely, is
1f5593
+ * /proc/self/exe a memfd). F_GET_SEALS will only succeed for memfds (or rather
1f5593
+ * for shmem files), and we want to be sure it's actually sealed.
1f5593
+ */
1f5593
+static int is_self_cloned(void)
1f5593
+{
1f5593
+	int fd, seals;
1f5593
+
1f5593
+	fd = open("/proc/self/exe", O_RDONLY|O_CLOEXEC);
1f5593
+	if (fd < 0)
1f5593
+		return -ENOTRECOVERABLE;
1f5593
+
1f5593
+	seals = fcntl(fd, F_GET_SEALS);
1f5593
+	close(fd);
1f5593
+	return seals == OUR_MEMFD_SEALS;
1f5593
+}
1f5593
+
1f5593
+/*
1f5593
+ * Basic wrapper around mmap(2) that gives you the file length so you can
1f5593
+ * safely treat it as an ordinary buffer. Only gives you read access.
1f5593
+ */
1f5593
+static char *read_file(char *path, size_t *length)
1f5593
+{
1f5593
+	int fd;
1f5593
+	char buf[4096], *copy = NULL;
1f5593
+
1f5593
+	if (!length)
1f5593
+		return NULL;
1f5593
+
1f5593
+	fd = open(path, O_RDONLY | O_CLOEXEC);
1f5593
+	if (fd < 0)
1f5593
+		return NULL;
1f5593
+
1f5593
+	*length = 0;
1f5593
+	for (;;) {
1f5593
+		int n;
1f5593
+
1f5593
+		n = read(fd, buf, sizeof(buf));
1f5593
+		if (n < 0)
1f5593
+			goto error;
1f5593
+		if (!n)
1f5593
+			break;
1f5593
+
1f5593
+		copy = must_realloc(copy, (*length + n) * sizeof(*copy));
1f5593
+		memcpy(copy + *length, buf, n);
1f5593
+		*length += n;
1f5593
+	}
1f5593
+	close(fd);
1f5593
+	return copy;
1f5593
+
1f5593
+error:
1f5593
+	close(fd);
1f5593
+	free(copy);
1f5593
+	return NULL;
1f5593
+}
1f5593
+
1f5593
+/*
1f5593
+ * A poor-man's version of "xargs -0". Basically parses a given block of
1f5593
+ * NUL-delimited data, within the given length and adds a pointer to each entry
1f5593
+ * to the array of pointers.
1f5593
+ */
1f5593
+static int parse_xargs(char *data, int data_length, char ***output)
1f5593
+{
1f5593
+	int num = 0;
1f5593
+	char *cur = data;
1f5593
+
1f5593
+	if (!data || *output != NULL)
1f5593
+		return -1;
1f5593
+
1f5593
+	while (cur < data + data_length) {
1f5593
+		num++;
1f5593
+		*output = must_realloc(*output, (num + 1) * sizeof(**output));
1f5593
+		(*output)[num - 1] = cur;
1f5593
+		cur += strlen(cur) + 1;
1f5593
+	}
1f5593
+	(*output)[num] = NULL;
1f5593
+	return num;
1f5593
+}
1f5593
+
1f5593
+/*
1f5593
+ * "Parse" out argv and envp from /proc/self/cmdline and /proc/self/environ.
1f5593
+ * This is necessary because we are running in a context where we don't have a
1f5593
+ * main() that we can just get the arguments from.
1f5593
+ */
1f5593
+static int fetchve(char ***argv, char ***envp)
1f5593
+{
1f5593
+	char *cmdline = NULL, *environ = NULL;
1f5593
+	size_t cmdline_size, environ_size;
1f5593
+
1f5593
+	cmdline = read_file("/proc/self/cmdline", &cmdline_size);
1f5593
+	if (!cmdline)
1f5593
+		goto error;
1f5593
+	environ = read_file("/proc/self/environ", &environ_size);
1f5593
+	if (!environ)
1f5593
+		goto error;
1f5593
+
1f5593
+	if (parse_xargs(cmdline, cmdline_size, argv) <= 0)
1f5593
+		goto error;
1f5593
+	if (parse_xargs(environ, environ_size, envp) <= 0)
1f5593
+		goto error;
1f5593
+
1f5593
+	return 0;
1f5593
+
1f5593
+error:
1f5593
+	free(environ);
1f5593
+	free(cmdline);
1f5593
+	return -EINVAL;
1f5593
+}
1f5593
+
1f5593
+#define SENDFILE_MAX 0x7FFFF000 /* sendfile(2) is limited to 2GB. */
1f5593
+static int clone_binary(void)
1f5593
+{
1f5593
+	int binfd, memfd, err;
1f5593
+	ssize_t sent = 0;
1f5593
+
1f5593
+	memfd = memfd_create(OUR_MEMFD_COMMENT, MFD_CLOEXEC | MFD_ALLOW_SEALING);
1f5593
+	if (memfd < 0)
1f5593
+		return -ENOTRECOVERABLE;
1f5593
+
1f5593
+	binfd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
1f5593
+	if (binfd < 0)
1f5593
+		goto error;
1f5593
+
1f5593
+	sent = sendfile(memfd, binfd, NULL, SENDFILE_MAX);
1f5593
+	close(binfd);
1f5593
+	if (sent < 0)
1f5593
+		goto error;
1f5593
+
1f5593
+	err = fcntl(memfd, F_ADD_SEALS, OUR_MEMFD_SEALS);
1f5593
+	if (err < 0)
1f5593
+		goto error;
1f5593
+
1f5593
+	return memfd;
1f5593
+
1f5593
+error:
1f5593
+	close(memfd);
1f5593
+	return -EIO;
1f5593
+}
1f5593
+
1f5593
+int ensure_cloned_binary(void)
1f5593
+{
1f5593
+	int execfd;
1f5593
+	char **argv = NULL, **envp = NULL;
1f5593
+
1f5593
+	/* Check that we're not self-cloned, and if we are then bail. */
1f5593
+	int cloned = is_self_cloned();
1f5593
+	if (cloned > 0 || cloned == -ENOTRECOVERABLE)
1f5593
+		return cloned;
1f5593
+
1f5593
+	if (fetchve(&argv, &envp) < 0)
1f5593
+		return -EINVAL;
1f5593
+
1f5593
+	execfd = clone_binary();
1f5593
+	if (execfd < 0)
1f5593
+		return -EIO;
1f5593
+
1f5593
+	fexecve(execfd, argv, envp);
1f5593
+	return -ENOEXEC;
1f5593
+}
1f5593
diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
1f5593
index cb224314..784fd9b0 100644
1f5593
--- a/libcontainer/nsenter/nsexec.c
1f5593
+++ b/libcontainer/nsenter/nsexec.c
1f5593
@@ -528,6 +528,9 @@ void join_namespaces(char *nslist)
1f5593
 	free(namespaces);
1f5593
 }
1f5593
 
1f5593
+/* Defined in cloned_binary.c. */
1f5593
+int ensure_cloned_binary(void);
1f5593
+
1f5593
 void nsexec(void)
1f5593
 {
1f5593
 	int pipenum;
1f5593
@@ -543,6 +546,14 @@ void nsexec(void)
1f5593
 	if (pipenum == -1)
1f5593
 		return;
1f5593
 
1f5593
+	/*
1f5593
+	 * We need to re-exec if we are not in a cloned binary. This is necessary
1f5593
+	 * to ensure that containers won't be able to access the host binary
1f5593
+	 * through /proc/self/exe. See CVE-2019-5736.
1f5593
+	 */
1f5593
+	if (ensure_cloned_binary() < 0)
1f5593
+		bail("could not ensure we are a cloned binary");
1f5593
+
1f5593
 	/* Parse all of the netlink configuration. */
1f5593
 	nl_parse(pipenum, &config);
1f5593
 
1f5593
-- 
1f5593
2.20.1
1f5593