Seal /proc/self/exe to protect against CVE-2019-5736 (#343)

2024-05-10 09:36:13 +02:00 · 2021-10-01 02:47:08 +03:00 · 2021-10-01 02:47:08 +03:00 · 6cb89fcdfa
parent c206d88e63
commit 6cb89fcdfa
3 changed files with 25 additions and 0 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -948,6 +948,16 @@ dependencies = [
 "winapi 0.3.9",
 ]

+[[package]]
+name = "pentacle"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e26ee4fbe38a973890ca68cace434e192d88f3703099fd64f799f3d6043ee7b6"
+dependencies = [
+ "libc",
+ "log",
+]
+
 [[package]]
 name = "pin-project-lite"
 version = "0.2.7"
@ -1519,6 +1529,7 @@ dependencies = [
 "nix",
 "oci-spec",
 "once_cell",
+ "pentacle",
 "prctl",
 "procfs",
 "quickcheck",
--- a/Cargo.toml
+++ b/Cargo.toml
@ -50,6 +50,7 @@ tabwriter = "1"
 fastrand = "1.4.1"
 crossbeam-channel = "0.5"
 seccomp = { version = "0.1.0", path = "./seccomp" }
+pentacle = "1.0.0"

 [dev-dependencies]
 # TODO: Fetch from crate.io instead of git when next release oci-spec-rs
--- a/src/main.rs
+++ b/src/main.rs
@ -6,6 +6,7 @@ use std::fs;
 use std::path::PathBuf;

 use anyhow::bail;
+use anyhow::Context;
 use anyhow::Result;
 use clap::{crate_version, Clap};

@ -86,6 +87,18 @@ enum SubCommand {
 /// This is the entry point in the container runtime. The binary is run by a high-level container runtime,
 /// with various flags passed. This parses the flags, creates and manages appropriate resources.
 fn main() -> Result<()> {
+    // A malicious container can gain access to the host machine by modifying youki's host
+    // binary and infect it with malicious code. This vulnerability was first discovered
+    // in runc and was assigned as CVE-2019-5736, but it also affects youki.
+    //
+    // The fix is to copy /proc/self/exe in an anonymous file descriptor (created via memfd_create),
+    // seal it and re-execute it. Because the final step is re-execution, this needs to be done at
+    // the beginning of this process.
+    //
+    // Ref: https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b
+    // Ref: https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d
+    pentacle::ensure_sealed().context("Failed to seal /proc/self/exe")?;
+
    let opts = Opts::parse();

    if let Err(e) = youki::logger::init(opts.log) {