Commit Graph

2957 Commits

Author SHA1 Message Date
Aleksa Sarai fb875cb9bc rootfs: avoid using os.Create for new device inodes
If an attacker were to make the target of a device inode creation be a
symlink to some host path, os.Create would happily truncate the target
which could lead to all sorts of issues. This exploit is probably not as
exploitable because device inodes are usually only bind-mounted for
rootless containers, which cannot overwrite important host files (though
user files would still be up for grabs).

The regular inode creation logic could also theoretically be tricked
into changing the access mode and ownership of host files if the
newly-created device inode was swapped with a symlink to a host path.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-05 19:12:39 +11:00
Aleksa Sarai 4371d08af8 console: verify /dev/pts/ptmx before use
This is primarily done out of an abudance of caution against runc exec
being attacked by a container where /dev/pts/ptmx has been replaced with
some other bad inode (a disconnected NFS handle, a symlink that goes
through a leaked runc file descriptor to reference a host ptmx, etc).

Unfortunately, we cannot trivially verify that /dev/pts/ptmx is actually
the /dev/pts from the container without storing stuff like the fsid in
the runc state.json, which is probably not worth the extra effort. This
should at least avoid the most concerning cases.

Reported-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-05 19:12:39 +11:00
Aleksa Sarai 3b2c56b533 console: avoid trivial symlink attacks for /dev/console
An attacker could make /dev/console a symlink. This presents two
possible issues:

 1. os.Create will happily truncate targets, which could have resulted
    in a worse version of CVE-2024-4531. Luckily, this all happens after
    pivot_root(2) so the scope of that particular attack is fairly
    limited (you are unlikely to be able to easily access host rootfs
    files -- though it might be possible to take advantage of leaks such
    as in CVE-2024-21626). However, O_CREAT|O_NOFOLLOW is what we should
    be doing for all file creations.

 2. Because we passed /dev/console as the only mount path (as opposed to
    using a /proc/self/fd/$n path), an attacker could swap the symlink
    to point to any other path and thus cause us to mount over some
    other path. This is not as big of a problem because all the mounts
    are in the container namespace after pivot_root(2), and users
    usually can create arbitrary mount targets inside the container.

These issues don't seem particularly exploitable, but they deserve to be
hardened regardless.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-05 19:12:39 +11:00
Aleksa Sarai fe3794db4a console: add fallback for pre-TIOCGPTPEER kernels
The pty driver has very consistent allocation rules for the major:minor
numbers of /dev/pts/$n inodes, so it is possible to somewhat safely open
/dev/pts/* paths if we validate that the inode is the one we expect.

It is possible for an attacker to have over-mounted a pts peer from a
different devpts instance, but to fix this would require more tracking
of devpts instances than runc currently can do.

This means runc should continue to work on very old kernels.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-05 19:12:38 +11:00
Aleksa Sarai 967c632b37 console: use TIOCGPTPEER when allocating peer PTY
When opening the peer end of a pty, the old kernel API required us to
open /dev/pts/$num inside the container (at least since we fixed console
handling many years ago in commit 244c9fc426 ("*: console rewrite")).

The problem is that in a hostile container it is possible for
/dev/pts/$num to be an attacker-controlled symlink that runc can be
tricked into resolving when doing bind-mounts. This allows the attacker
to (among other things) persist /proc/... entries that are later masked
by runc, allowing an attacker to escape through the kernel.core_pattern
sysctl (/proc/sys/kernel/core_pattern). This is the original issue
reported by Lei Wang and Li Fu Bang in CVE-2025-52565.

However, it should be noted that this is not entirely a newly-discovered
problem. Way back in Linux 4.13 (2017), I added the TIOCGPTPEER ioctl,
which allows us to get a pty peer without touching the /dev/pts inside
the container. The original threat model was around an attacker
replacing /dev/pts/$n or /dev/pts/ptmx with some malicious inode (a DoS
inode, or possibly a PTY they wanted a confused deputy to operate on).
Unfortunately, there was no practical way for runc to cache a safe
O_PATH handle to /dev/pts/ptmx (unlike other runtimes like LXC, which
switched to TIOCGPTPEER way back in 2017). Since it wasn't clear how we
could protect against the main attack TIOCGPTPEER was meant to protect
against, we never switched to it (even though I implemented it
specifically to harden container runtimes).

Unfortunately, It turns out that mount *sources* are a threat we didn't
fully consider. Since TIOCGPTPEER already solves this problem entirely
for us in a race free way, we should just use that. In a later patch, we
will add some hardening for /dev/pts/$num opening to maintain support
for very old kernels (Linux 4.13 is very old at this point, but RHEL 7
is still kicking and is stuck on Linux 3.10).

Fixes: GHSA-qw9x-cqr3-wc7r CVE-2025-52565
Reported-by: Lei Wang <ssst0n3@gmail.com> (CVE-2025-52565)
Reported-by: lfbzhm <lifubang@acmcoder.com> (CVE-2025-52565)
Reported-by: Aleksa Sarai <cyphar@cyphar.com> (TIOCGPTPEER)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-05 19:12:38 +11:00
Kir Kolyshkin d1affbb8d3 libct: maskPaths: don't rely on ENOTDIR for mount
Currently, we rely on mount returning ENOTDIR when the destination is a
directory (and so mount tells us that the source is not), and fall back
to read-only tmpfs bind mount for such cases.

Theoretically, ENOTDIR can also be returned in some other cases,
resulting in the wrong type of mount being used.

Let's be more straightforward here -- call fstat on destination file
descriptor, and use the proper mount depending on whether it is a
directory.

Reported-by: Rodrigo Campos <rodrigoca@microsoft.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-05 19:12:38 +11:00
Kir Kolyshkin 32bce3d31a libct: maskPaths: only ignore ENOENT on mount dest
When mounting a path being masked, the /dev/null might disappear from
under us, and mount (even on an opened /dev/null file descriptor) will
return ENOENT, which we deliberately ignore, as there's no need to mask
non-existent paths.

Let's open the destination path and ignore ENOENT during open, then
mount via the destination file descriptor, not ignoring ENOENT.

Reported-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-05 19:12:38 +11:00
Kir Kolyshkin ecf3b2d7ab libct: add/use isDevNull, verifyDevNull
The /dev/null in a container should not be trusted, because when /dev
is a bind mount, /dev/null is not created by runc itself.

1. Add isDevNull which checks the fd minor/major and device type,
   and verifyDevNull which does the stat and the check.

2. Rewrite maskPath to open and check /dev/null, and use its fd to
   perform mounts. Move the loop over the MaskPaths into the function,
   and rename it to maskPaths.

3. reOpenDevNull: use verifyDevNull and isDevNull.

4. fixStdioPermissions: use isDevNull instead of stat.

Fixes: GHSA-9493-h29p-rfm2 CVE-2025-31133
Co-authored-by: Rodrigo Campos <rodrigoca@microsoft.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-05 19:12:38 +11:00
Aleksa Sarai 07fb281f0c *: switch to safer securejoin.Reopen
filepath-securejoin v0.3 gave us a much safer re-open primitive, we
should use it to avoid any theoretical attacks. Rather than using it
direcly, add a small pathrs wrapper to make libpathrs migrations in the
future easier...

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-05 19:12:37 +11:00
Aleksa Sarai adf26e11fb internal: move utils.MkdirAllInRoot to internal/pathrs
We will have more wrappers around filepath-securejoin, and so move them
to their own specific package so that we can eventually use libpathrs
fairly cleanly (by swapping out the implementation).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-05 19:12:37 +11:00
lfbzhm bf5aeecc03 Merge pull request #4921 from marquiz/release-1.4
[1.4] libcontainer/intelrdt: add support for EnableMonitoring field
2025-10-08 17:05:38 +08:00
Markus Lehtonen 1f9157d68d libcontainer/intelrdt: add support for EnableMonitoring field
The linux.intelRdt.enableMonitoring field enables the creation of
a per-container monitoring group. The monitoring group is removed when
the container is destroyed.

Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
(cherry picked from commit 7aa4e1a63d)
2025-10-08 10:46:21 +03:00
Kir Kolyshkin d792f9fdb1 [1.4] runc exec: use CLONE_INTO_CGROUP when available
It makes sense to make runc exec benefit from clone2(CLONE_INTO_CGROUP),
if it is available. Since it requires a recent kernel and might not work,
implement a fallback to older way of joining the cgroup.

Based on:
 - https://go-review.googlesource.com/c/go/+/417695
 - https://github.com/coreos/go-systemd/pull/458
 - https://github.com/opencontainers/cgroups/pull/26
 - https://github.com/opencontainers/runc/pull/4822

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 5af4dd4e64)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-10-08 18:40:18 +11:00
Kir Kolyshkin 3338251984 [1.4] libct: use manager.AddPid to add exec to cgroup
The main benefit here is when we are using a systemd cgroup driver,
we actually ask systemd to add a PID, rather than doing it ourselves.
This way, we can add rootless exec PID to a cgroup.

This requires newer opencontainers/cgroups and coreos/go-systemd.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 37b5acc2d7)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-10-08 18:40:17 +11:00
Kir Kolyshkin 7db9930fab [1.4] libct: move exec sub-cgroup handling down the line
Remove cgroupPaths field from struct setnsProcess, because:
 - we can get base cgroup paths from p.manager.GetPaths();
 - we can get sub-cgroup paths from p.process.SubCgroupPaths.

But mostly because we are going to need separate cgroup paths when
adopting cgroups.AddPid.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 5730a141f1)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-10-08 18:38:56 +11:00
Kir Kolyshkin f19a4c7122 [1.4] libct: split addIntoCgroup into V1 and V2
The main idea is to maintain the code separately (and eventually kill V1
implementation).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 5560020cbb)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-10-08 18:38:56 +11:00
Kir Kolyshkin 207a497ce1 [1.4] libct: factor out addIntoCgroup from setnsProcess.start
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit b39e0d6468)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-10-08 18:38:56 +11:00
Antti Kervinen 910f134598 [1.4] Add memory policy support
Implement support for Linux memory policy in OCI spec PR:
https://github.com/opencontainers/runtime-spec/pull/1282

Signed-off-by: Antti Kervinen <antti.kervinen@intel.com>
(cherry picked from commit eda7bdf80c)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-10-08 13:55:50 +11:00
Markus Lehtonen 12ed7f7315 [1.4] events/intelrdt: report full schemata
Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
(cherry picked from commit 7be025fff3)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-10-08 13:55:50 +11:00
Markus Lehtonen 517e7996d2 [1.4] libcontainer/intelrdt: add support for Schemata field
Implement support for the linux.intelRdt.schemata field of the spec.
This allows management of the "schemata" file in the resctrl group in a
generic way.

Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
(cherry picked from commit 41553216ee)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-10-08 13:55:50 +11:00
Markus Lehtonen 3009f9d7d0 [1.4] libcontainer/intelrdt: refactor tests
Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
(cherry picked from commit 3867f826da)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-10-08 13:55:50 +11:00
Aleksa Sarai fb0268a004 libcontainer: remove deprecated package "userns"
This package was marked deprecated in commit 9b60a93cf3
("libcontainer/userns: migrate to github.com/moby/sys/userns"), which
was included in runc 1.2. Users have thus had a year to migrate to
github.com/moby/sys/userns and it's okay for us to remove this wrapper
package.

(Cherry-pick of commit e4f99b5c95b8f49434452edff82e73547c7a8252.)

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-10-04 14:39:19 +10:00
lifubang a6efa62d5e libct: setup personality before initializing seccomp
Set the process personality early to ensure it takes effect before
seccomp is initialized. If seccomp filters are applied first and they
block personality-related system calls (e.g., `personality(2)`),
subsequent attempts to set the personality will fail.

Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit f7dda6e6dc)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-09-27 08:20:04 +00:00
Tycho Andersen bce56e0072 libcontainer/validator: allow setting user.* sysctls inside userns
These sysctls are all per-userns (termed `ucounts` in the kernel code) are
settable with CAP_SYS_RESOURCE in the user namespace.

Signed-off-by: Tycho Andersen <tycho@tycho.pizza>
(cherry picked from commit 70d88bc449)
2025-09-15 08:46:53 -06:00
Kir Kolyshkin 8483c697a7 Merge pull request #4735 from ningmingxiao/fix_start
bug:fix runc delete run before delete exec.fifo
2025-09-02 22:35:59 -07:00
Aleksa Sarai 779c9e1d9a libct: user: remove deprecated module
libcontainer/user was marked as deprecated in d9ea71bf96 ("deprecate
libcontainer/user") and users have had plenty of time to migrate to
github.com/moby/sys/user.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-09-03 00:45:15 +10:00
Rodrigo Campos 7a982f4282 Merge pull request #4854 from marquiz/devel/rdt-root-clos
libcontainer/intelrdt: support explicit assignment to root CLOS
2025-08-29 07:17:43 -03:00
Markus Lehtonen 762819496e libcontainer/configs/validate: add doc.go
Add package comment to make revive pass muster.

Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
2025-08-29 12:36:04 +03:00
Markus Lehtonen ba68a17ad1 libcontainer/configs: add validator unit tests for intelRdt
Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
2025-08-28 14:11:07 +03:00
Markus Lehtonen b8a83ac255 libcontainer/intelrdt: support explicit assignment to root CLOS
Makes it possible e.g. to enable monitoring
(linux.intelRdt.enableMonitoring) without creating a CLOS (resctrl
group) for the container.

Implements https://github.com/opencontainers/runtime-spec/pull/1289.

Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
2025-08-28 14:08:37 +03:00
Kir Kolyshkin 89e59902c4 Modernize code for Go 1.24
Brought to you by

	modernize -fix -test ./...

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-08-27 19:11:02 -07:00
Kir Kolyshkin 237cc9806a libct/sys/rlimit_linux: drop go:build tag
This is not needed since commit 16d73367 which sets 1.23 to be a
minimally required Go version.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-08-27 19:09:58 -07:00
Aleksa Sarai 121192ade6 libct: reset CPU affinity by default
In certain deployments, it's possible for runc to be spawned by a
process with a restrictive cpumask (such as from a systemd unit with
CPUAffinity=... configured) which will be inherited by runc and thus the
container process by default.

The cpuset cgroup used to reconfigure the cpumask automatically for
joining processes, but kcommit da019032819a ("sched: Enforce user
requested affinity") changed this behaviour in Linux 6.2.

The solution is to try to emulate the expected behaviour by resetting
our cpumask to correspond with the configured cpuset (in the case of
"runc exec", if the user did not configure an alternative one). Normally
we would have to parse /proc/stat and /sys/fs/cgroup, but luckily
sched_setaffinity(2) will transparently convert an all-set cpumask (even
if it has more entries than the number of CPUs on the system) to the
correct value for our usecase.

For some reason, in our CI it seems that rootless --systemd-cgroup
results in the cpuset (presumably temporarily?) being configured such
that sched_setaffinity(2) will allow the full set of CPUs. For this
particular case, all we care about is that it is different to the
original set, so include some special-casing (but we should probably
investigate this further...).

Reported-by: ningmingxiao <ning.mingxiao@zte.com.cn>
Reported-by: Martin Sivak <msivak@redhat.com>
Reported-by: Peter Hunt <pehunt@redhat.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-08-28 08:25:46 +10:00
Rodrigo Campos a746c53cef Merge pull request #4831 from marquiz/devel/rdt-root
libcontainer/intelrdt: refactor path handling
2025-08-24 02:15:54 -03:00
lfbzhm d2e86c05c8 Merge pull request #4765 from kolyshkin/criu-nits
Refactor/improve prepareCriuRestoreMounts
2025-08-24 13:06:22 +08:00
Markus Lehtonen 620956c21c libcontainer/intelrdt: use Mkdir/Remove instead of MkdirAll/RemoveAll
The more restricted Mkdir and Rmdir are sufficient in resctrl fs.

Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
2025-08-06 10:43:01 +03:00
Markus Lehtonen 3a962655f8 libcontainer/intelrdt: use SecureJoin in NewManager
Protects against invalid (non-validated) CLOS names.

Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
2025-08-04 09:42:37 +03:00
Markus Lehtonen f73e28371f libcontainer/intelrdt: refactor path handling
Also, use GetPath() in Apply to get the resctrl group path, similar to
other methods of intelRdtManager.

Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
2025-08-01 15:04:50 +03:00
Markus Lehtonen e846add595 libcontainer/configs/validate: check that intelrdt is enabled
If intelRdt is specified in the spec, check that the resctrl fs is
actually mounted. Fixes e.g. the case where "intelRdt.closID" is
specified but runc silently ignores this if resctrl is not mounted.

Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
2025-08-01 10:03:54 +03:00
Aleksa Sarai 3620185d06 rootfs: remove /proc/net/dev from allowed overmount list
This was added in 2ee9cbbd12 ("It's /proc/stat, not /proc/stats") with
no actual justification, and doesn't really make much sense on further
inspection:

 * /proc/net is a symlink to "self/net", which means that /proc/net/dev
   is a per-process file, and so overmounting it would only affect pid1.
   Any other program that cares about /proc/net/dev would see their own
   process's configuration, and unprivileged processes wouldn't be able
   to see /proc/1/... data anyway.

   In addition, the fact that this is a symlink means that runc will
   deny the overmount because /proc/1/net/dev is not in the proc
   overmount allowlist. This means that this has not worked for many
   years, and probably never worked in the first place.

 * /proc/self/net is already namespaced with network namespaces, so the
   primary argument for allowing /proc overmounts (lxcfs-like masking of
   procfs files to emulate namespacing for files that are not properly
   namespaced for containers -- such as /proc/cpuinfo) is moot.

   It goes without saying that lxcfs has never overmounted
   /proc/self/net/... files, so the general "because lxcfs"
   justification doesn't hold water either.

 * The kernel has slowly been moving towards blocking overmounts in
   /proc/self/. Linux 6.12 blocked overmounts for fd, fdinfo, and
   map_files; future Linux versions will probably end up blocking
   everything under /proc/self/.

Fixes: 2ee9cbbd12 ("It's /proc/stat, not /proc/stats")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-07-20 15:40:37 +10:00
jokemanfire 859feb8e44 build(seccomp): Add audit support for loong64
Co-authored-by: Rodrigo Campos <rata@users.noreply.github.com>
Signed-off-by: jokemanfire <hu.dingyang@zte.com.cn>
2025-07-16 09:39:11 +08:00
lfbzhm 4d4cedd650 Merge pull request #4796 from astrawind/fix/seccomp-agent-conn-leak
libcontainer: close seccomp agent connection to prevent resource leaks
2025-07-04 00:08:21 +08:00
Pavel Liubimov aa0e7989c4 libcontainer: close seccomp agent connection to prevent resource leaks
Add missing defer conn.Close().

Signed-off-by: Pavel Liubimov <prlyubimov@gmail.com>
2025-07-01 12:31:55 +03:00
lfbzhm 94dc2be608 Merge pull request #4757 from HirazawaUi/fix-unable-delete
Preventing containers from being unable to be deleted
2025-06-20 16:59:21 +08:00
Sebastiaan van Stijn ff2494b98d Merge pull request #4785 from kolyshkin/cgroups-v003
deps: bump cgroups to v0.0.3, fix a few regressions
2025-06-19 21:28:00 +02:00
Kir Kolyshkin 71bd84f32e Merge pull request #4784 from kolyshkin/cgr-fup
cgroups separation followup
2025-06-19 10:32:33 -07:00
Kir Kolyshkin f24aa06ef6 libct: State: ensure Resources is not nil
Since opencontainers/cgroups v0.0.2 (commit b206a015), all stuct
Resources fields are annotated with "omitempty" attribute.
As a result, the loaded configuration may have Resources == nil.

It is totally OK (rootless containers may have no resources configured)
except since commit 6c5441e5, cgroup v1 fs manager requires Resources to
be set in the call to NewManager (this is a cgroup v1 deficiency,
or maybe our implementation deficiency, or both).

To work around this, let's add code to ensure Resources is never nil
after loading from state.json.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-06-19 10:24:16 -07:00
HirazawaUi 1b39997e73 Preventing containers from being unable to be deleted
Signed-off-by: HirazawaUi <695097494plus@gmail.com>
2025-06-19 20:17:50 +08:00
Kir Kolyshkin d22a42113d libct/configs: stop using deprecated id
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-06-18 18:14:54 -07:00
Kir Kolyshkin b25bcaa8b3 libct/configs: fix/improve deprecation notices
The per-file deprecation in cgroup_deprecated.go is not working,
let's replace it.

Link to Hooks.Run in Hook.Run deprecation notice.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-06-18 18:14:46 -07:00