mirror of
https://github.com/opencontainers/runc.git
synced 2026-07-11 06:03:57 +08:00
ci: add lint to forbid the usage of os.Create
os.Create is shorthand for open(O_CREAT|O_TRUNC) *without* O_EXCL, which is incredibly unsafe for us to do when interacting with a container rootfs (especially before pivot_root) as an attacker could swap the target path with a symlink that points to the host filesystem, causing us to delete the contents of or create host files. We did have a similar bug in CVE-2024-45310, but in that case we (luckily) didn't have O_TRUNC set which avoided the worst possible case. However, os.Create does set O_TRUNC and we were using it in scenarios that may have been exploitable. Because of how easy it us for us to accidentally introduce this kind of bug, we should simply not allow the usage of os.Create in our entire codebase. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
This commit is contained in:
@@ -1077,7 +1077,7 @@ func (c *Container) criuNotifications(resp *criurpc.CriuResp, process *Process,
|
||||
logrus.Debugf("notify: %s\n", script)
|
||||
switch script {
|
||||
case "post-dump":
|
||||
f, err := os.Create(filepath.Join(c.stateDir, "checkpoint"))
|
||||
f, err := os.Create(filepath.Join(c.stateDir, "checkpoint")) //nolint:forbidigo // this is a host-side operation in a runc-controlled directory
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user