mirror of
https://github.com/opencontainers/runc.git
synced 2026-07-11 06:03:57 +08:00
tests: add regression test for CVE-2019-19921 / CVE-2023-27561
We reintroduced this once already because it is quite easy to miss this subtle aspect of proc mounting. The recent migration to securejoin.MkdirAllInRoot could have also inadvertently reintroduced this (though it didn't). Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
This commit is contained in:
@@ -199,6 +199,18 @@ function test_mount_order() {
|
||||
[ "$status" -eq 0 ]
|
||||
}
|
||||
|
||||
# CVE-2023-27561 CVE-2019-19921
|
||||
@test "runc run [/proc is a symlink]" {
|
||||
# Make /proc in the container a symlink.
|
||||
rm -rf rootfs/proc
|
||||
mkdir -p rootfs/bad-proc
|
||||
ln -sf /bad-proc rootfs/proc
|
||||
# This should fail.
|
||||
runc run test_busybox
|
||||
[ "$status" -ne 0 ]
|
||||
[[ "$output" == *"must be mounted on ordinary directory"* ]]
|
||||
}
|
||||
|
||||
@test "runc run [ro /sys/fs/cgroup mounts]" {
|
||||
# Without cgroup namespace.
|
||||
update_config '.linux.namespaces -= [{"type": "cgroup"}]'
|
||||
|
||||
Reference in New Issue
Block a user