tests: add regression test for CVE-2019-19921 / CVE-2023-27561

We reintroduced this once already because it is quite easy to miss this
subtle aspect of proc mounting. The recent migration to
securejoin.MkdirAllInRoot could have also inadvertently reintroduced
this (though it didn't).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
This commit is contained in:
Aleksa Sarai
2024-09-13 15:24:15 +10:00
parent 7c2e69f1c4
commit 457e1ffa4c
+12
View File
@@ -199,6 +199,18 @@ function test_mount_order() {
[ "$status" -eq 0 ]
}
# CVE-2023-27561 CVE-2019-19921
@test "runc run [/proc is a symlink]" {
# Make /proc in the container a symlink.
rm -rf rootfs/proc
mkdir -p rootfs/bad-proc
ln -sf /bad-proc rootfs/proc
# This should fail.
runc run test_busybox
[ "$status" -ne 0 ]
[[ "$output" == *"must be mounted on ordinary directory"* ]]
}
@test "runc run [ro /sys/fs/cgroup mounts]" {
# Without cgroup namespace.
update_config '.linux.namespaces -= [{"type": "cgroup"}]'