b5ed98
From bf6405284aa3870a39b402309003633a1c230ed9 Mon Sep 17 00:00:00 2001
b5ed98
From: Aleksa Sarai <asarai@suse.de>
b5ed98
Date: Wed, 9 Jan 2019 13:40:01 +1100
b5ed98
Subject: [PATCH 1/1] nsenter: clone /proc/self/exe to avoid exposing host
b5ed98
 binary to container
b5ed98
b5ed98
There are quite a few circumstances where /proc/self/exe pointing to a
b5ed98
pretty important container binary is a _bad_ thing, so to avoid this we
b5ed98
have to make a copy (preferably doing self-clean-up and not being
b5ed98
writeable).
b5ed98
b5ed98
As a hotfix we require memfd_create(2), but we can always extend this to
b5ed98
use a scratch MNT_DETACH overlayfs or tmpfs. The main downside to this
b5ed98
approach is no page-cache sharing for the runc binary (which overlayfs
b5ed98
would give us) but this is far less complicated.
b5ed98
b5ed98
This is only done during nsenter so that it happens transparently to the
b5ed98
Go code, and any libcontainer users benefit from it. This also makes
b5ed98
ExtraFiles and --preserve-fds handling trivial (because we don't need to
b5ed98
worry about it).
b5ed98
b5ed98
Fixes: CVE-2019-5736
b5ed98
Co-developed-by: Christian Brauner <christian.brauner@ubuntu.com>
b5ed98
Signed-off-by: Aleksa Sarai <asarai@suse.de>
b5ed98
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
b5ed98
---
b5ed98
 libcontainer/nsenter/cloned_binary.c | 221 +++++++++++++++++++++++++++
b5ed98
 libcontainer/nsenter/nsexec.c        |  11 ++
b5ed98
 2 files changed, 232 insertions(+)
b5ed98
 create mode 100644 libcontainer/nsenter/cloned_binary.c
b5ed98
b5ed98
diff --git a/libcontainer/nsenter/cloned_binary.c b/libcontainer/nsenter/cloned_binary.c
b5ed98
new file mode 100644
b5ed98
index 00000000..d9f6093a
b5ed98
--- /dev/null
b5ed98
+++ b/libcontainer/nsenter/cloned_binary.c
b5ed98
@@ -0,0 +1,221 @@
b5ed98
+#define _GNU_SOURCE
b5ed98
+#include <unistd.h>
b5ed98
+#include <stdio.h>
b5ed98
+#include <stdlib.h>
b5ed98
+#include <stdbool.h>
b5ed98
+#include <string.h>
b5ed98
+#include <limits.h>
b5ed98
+#include <fcntl.h>
b5ed98
+#include <errno.h>
b5ed98
+
b5ed98
+#include <sys/types.h>
b5ed98
+#include <sys/stat.h>
b5ed98
+#include <sys/vfs.h>
b5ed98
+#include <sys/mman.h>
b5ed98
+#include <sys/sendfile.h>
b5ed98
+#include <sys/syscall.h>
b5ed98
+
b5ed98
+#include <linux/magic.h>
b5ed98
+#include <linux/memfd.h>
b5ed98
+
b5ed98
+/* Use our own wrapper for memfd_create. */
b5ed98
+#if !defined(SYS_memfd_create) && defined(__NR_memfd_create)
b5ed98
+#  define SYS_memfd_create __NR_memfd_create
b5ed98
+#endif
b5ed98
+#ifndef SYS_memfd_create
b5ed98
+#  error "memfd_create(2) syscall not supported by this glibc version"
b5ed98
+#endif
b5ed98
+int memfd_create(const char *name, unsigned int flags)
b5ed98
+{
b5ed98
+	return syscall(SYS_memfd_create, name, flags);
b5ed98
+}
b5ed98
+
b5ed98
+/* This comes directly from <linux/fcntl.h>. */
b5ed98
+#ifndef F_LINUX_SPECIFIC_BASE
b5ed98
+#  define F_LINUX_SPECIFIC_BASE 1024
b5ed98
+#endif
b5ed98
+#ifndef F_ADD_SEALS
b5ed98
+#  define F_ADD_SEALS (F_LINUX_SPECIFIC_BASE + 9)
b5ed98
+#  define F_GET_SEALS (F_LINUX_SPECIFIC_BASE + 10)
b5ed98
+#endif
b5ed98
+#ifndef F_SEAL_SEAL
b5ed98
+#  define F_SEAL_SEAL   0x0001	/* prevent further seals from being set */
b5ed98
+#  define F_SEAL_SHRINK 0x0002	/* prevent file from shrinking */
b5ed98
+#  define F_SEAL_GROW   0x0004	/* prevent file from growing */
b5ed98
+#  define F_SEAL_WRITE  0x0008	/* prevent writes */
b5ed98
+#endif
b5ed98
+
b5ed98
+
b5ed98
+#define OUR_MEMFD_COMMENT "runc_cloned:/proc/self/exe"
b5ed98
+#define OUR_MEMFD_SEALS \
b5ed98
+	(F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)
b5ed98
+
b5ed98
+static void *must_realloc(void *ptr, size_t size)
b5ed98
+{
b5ed98
+	void *old = ptr;
b5ed98
+	do {
b5ed98
+		ptr = realloc(old, size);
b5ed98
+	} while(!ptr);
b5ed98
+	return ptr;
b5ed98
+}
b5ed98
+
b5ed98
+/*
b5ed98
+ * Verify whether we are currently in a self-cloned program (namely, is
b5ed98
+ * /proc/self/exe a memfd). F_GET_SEALS will only succeed for memfds (or rather
b5ed98
+ * for shmem files), and we want to be sure it's actually sealed.
b5ed98
+ */
b5ed98
+static int is_self_cloned(void)
b5ed98
+{
b5ed98
+	int fd, seals;
b5ed98
+
b5ed98
+	fd = open("/proc/self/exe", O_RDONLY|O_CLOEXEC);
b5ed98
+	if (fd < 0)
b5ed98
+		return -ENOTRECOVERABLE;
b5ed98
+
b5ed98
+	seals = fcntl(fd, F_GET_SEALS);
b5ed98
+	close(fd);
b5ed98
+	return seals == OUR_MEMFD_SEALS;
b5ed98
+}
b5ed98
+
b5ed98
+/*
b5ed98
+ * Basic wrapper around mmap(2) that gives you the file length so you can
b5ed98
+ * safely treat it as an ordinary buffer. Only gives you read access.
b5ed98
+ */
b5ed98
+static char *read_file(char *path, size_t *length)
b5ed98
+{
b5ed98
+	int fd;
b5ed98
+	char buf[4096], *copy = NULL;
b5ed98
+
b5ed98
+	if (!length)
b5ed98
+		return NULL;
b5ed98
+
b5ed98
+	fd = open(path, O_RDONLY | O_CLOEXEC);
b5ed98
+	if (fd < 0)
b5ed98
+		return NULL;
b5ed98
+
b5ed98
+	*length = 0;
b5ed98
+	for (;;) {
b5ed98
+		int n;
b5ed98
+
b5ed98
+		n = read(fd, buf, sizeof(buf));
b5ed98
+		if (n < 0)
b5ed98
+			goto error;
b5ed98
+		if (!n)
b5ed98
+			break;
b5ed98
+
b5ed98
+		copy = must_realloc(copy, (*length + n) * sizeof(*copy));
b5ed98
+		memcpy(copy + *length, buf, n);
b5ed98
+		*length += n;
b5ed98
+	}
b5ed98
+	close(fd);
b5ed98
+	return copy;
b5ed98
+
b5ed98
+error:
b5ed98
+	close(fd);
b5ed98
+	free(copy);
b5ed98
+	return NULL;
b5ed98
+}
b5ed98
+
b5ed98
+/*
b5ed98
+ * A poor-man's version of "xargs -0". Basically parses a given block of
b5ed98
+ * NUL-delimited data, within the given length and adds a pointer to each entry
b5ed98
+ * to the array of pointers.
b5ed98
+ */
b5ed98
+static int parse_xargs(char *data, int data_length, char ***output)
b5ed98
+{
b5ed98
+	int num = 0;
b5ed98
+	char *cur = data;
b5ed98
+
b5ed98
+	if (!data || *output != NULL)
b5ed98
+		return -1;
b5ed98
+
b5ed98
+	while (cur < data + data_length) {
b5ed98
+		num++;
b5ed98
+		*output = must_realloc(*output, (num + 1) * sizeof(**output));
b5ed98
+		(*output)[num - 1] = cur;
b5ed98
+		cur += strlen(cur) + 1;
b5ed98
+	}
b5ed98
+	(*output)[num] = NULL;
b5ed98
+	return num;
b5ed98
+}
b5ed98
+
b5ed98
+/*
b5ed98
+ * "Parse" out argv and envp from /proc/self/cmdline and /proc/self/environ.
b5ed98
+ * This is necessary because we are running in a context where we don't have a
b5ed98
+ * main() that we can just get the arguments from.
b5ed98
+ */
b5ed98
+static int fetchve(char ***argv, char ***envp)
b5ed98
+{
b5ed98
+	char *cmdline = NULL, *environ = NULL;
b5ed98
+	size_t cmdline_size, environ_size;
b5ed98
+
b5ed98
+	cmdline = read_file("/proc/self/cmdline", &cmdline_size);
b5ed98
+	if (!cmdline)
b5ed98
+		goto error;
b5ed98
+	environ = read_file("/proc/self/environ", &environ_size);
b5ed98
+	if (!environ)
b5ed98
+		goto error;
b5ed98
+
b5ed98
+	if (parse_xargs(cmdline, cmdline_size, argv) <= 0)
b5ed98
+		goto error;
b5ed98
+	if (parse_xargs(environ, environ_size, envp) <= 0)
b5ed98
+		goto error;
b5ed98
+
b5ed98
+	return 0;
b5ed98
+
b5ed98
+error:
b5ed98
+	free(environ);
b5ed98
+	free(cmdline);
b5ed98
+	return -EINVAL;
b5ed98
+}
b5ed98
+
b5ed98
+#define SENDFILE_MAX 0x7FFFF000 /* sendfile(2) is limited to 2GB. */
b5ed98
+static int clone_binary(void)
b5ed98
+{
b5ed98
+	int binfd, memfd, err;
b5ed98
+	ssize_t sent = 0;
b5ed98
+
b5ed98
+	memfd = memfd_create(OUR_MEMFD_COMMENT, MFD_CLOEXEC | MFD_ALLOW_SEALING);
b5ed98
+	if (memfd < 0)
b5ed98
+		return -ENOTRECOVERABLE;
b5ed98
+
b5ed98
+	binfd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
b5ed98
+	if (binfd < 0)
b5ed98
+		goto error;
b5ed98
+
b5ed98
+	sent = sendfile(memfd, binfd, NULL, SENDFILE_MAX);
b5ed98
+	close(binfd);
b5ed98
+	if (sent < 0)
b5ed98
+		goto error;
b5ed98
+
b5ed98
+	err = fcntl(memfd, F_ADD_SEALS, OUR_MEMFD_SEALS);
b5ed98
+	if (err < 0)
b5ed98
+		goto error;
b5ed98
+
b5ed98
+	return memfd;
b5ed98
+
b5ed98
+error:
b5ed98
+	close(memfd);
b5ed98
+	return -EIO;
b5ed98
+}
b5ed98
+
b5ed98
+int ensure_cloned_binary(void)
b5ed98
+{
b5ed98
+	int execfd;
b5ed98
+	char **argv = NULL, **envp = NULL;
b5ed98
+
b5ed98
+	/* Check that we're not self-cloned, and if we are then bail. */
b5ed98
+	int cloned = is_self_cloned();
b5ed98
+	if (cloned > 0 || cloned == -ENOTRECOVERABLE)
b5ed98
+		return cloned;
b5ed98
+
b5ed98
+	if (fetchve(&argv, &envp) < 0)
b5ed98
+		return -EINVAL;
b5ed98
+
b5ed98
+	execfd = clone_binary();
b5ed98
+	if (execfd < 0)
b5ed98
+		return -EIO;
b5ed98
+
b5ed98
+	fexecve(execfd, argv, envp);
b5ed98
+	return -ENOEXEC;
b5ed98
+}
b5ed98
diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
b5ed98
index cb224314..784fd9b0 100644
b5ed98
--- a/libcontainer/nsenter/nsexec.c
b5ed98
+++ b/libcontainer/nsenter/nsexec.c
b5ed98
@@ -528,6 +528,9 @@ void join_namespaces(char *nslist)
b5ed98
 	free(namespaces);
b5ed98
 }
b5ed98
 
b5ed98
+/* Defined in cloned_binary.c. */
b5ed98
+int ensure_cloned_binary(void);
b5ed98
+
b5ed98
 void nsexec(void)
b5ed98
 {
b5ed98
 	int pipenum;
b5ed98
@@ -543,6 +546,14 @@ void nsexec(void)
b5ed98
 	if (pipenum == -1)
b5ed98
 		return;
b5ed98
 
b5ed98
+	/*
b5ed98
+	 * We need to re-exec if we are not in a cloned binary. This is necessary
b5ed98
+	 * to ensure that containers won't be able to access the host binary
b5ed98
+	 * through /proc/self/exe. See CVE-2019-5736.
b5ed98
+	 */
b5ed98
+	if (ensure_cloned_binary() < 0)
b5ed98
+		bail("could not ensure we are a cloned binary");
b5ed98
+
b5ed98
 	/* Parse all of the netlink configuration. */
b5ed98
 	nl_parse(pipenum, &config);
b5ed98
 
b5ed98
-- 
b5ed98
2.20.1
b5ed98