mirror of
https://github.com/opencontainers/runc.git
synced 2026-07-11 06:03:57 +08:00
rootfs: avoid using os.Create for new device inodes
If an attacker were to make the target of a device inode creation be a symlink to some host path, os.Create would happily truncate the target which could lead to all sorts of issues. This exploit is probably not as exploitable because device inodes are usually only bind-mounted for rootless containers, which cannot overwrite important host files (though user files would still be up for grabs). The regular inode creation logic could also theoretically be tricked into changing the access mode and ownership of host files if the newly-created device inode was swapped with a symlink to a host path. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
This commit is contained in:
@@ -160,3 +160,23 @@ func SetLinuxPersonality(personality int) error {
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// GetPtyPeer is a wrapper for ioctl(TIOCGPTPEER).
|
||||
func GetPtyPeer(ptyFd uintptr, unsafePeerPath string, flags int) (*os.File, error) {
|
||||
// Make sure O_NOCTTY is always set -- otherwise runc might accidentally
|
||||
// gain it as a controlling terminal. O_CLOEXEC also needs to be set to
|
||||
// make sure we don't leak the handle either.
|
||||
flags |= unix.O_NOCTTY | unix.O_CLOEXEC
|
||||
|
||||
// There is no nice wrapper for this kind of ioctl in unix.
|
||||
peerFd, _, errno := unix.Syscall(
|
||||
unix.SYS_IOCTL,
|
||||
ptyFd,
|
||||
uintptr(unix.TIOCGPTPEER),
|
||||
uintptr(flags),
|
||||
)
|
||||
if errno != 0 {
|
||||
return nil, os.NewSyscallError("ioctl TIOCGPTPEER", errno)
|
||||
}
|
||||
return os.NewFile(peerFd, unsafePeerPath), nil
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user