## memfd-bind ## > **NOTE**: Since runc 1.2.0, runc will now use a private overlayfs mount to > protect the runc binary (if you are on Linux 5.1 or later). This protection > is far more light-weight than memfd-bind, and for most users this should > obviate the need for `memfd-bind` entirely. Rootless containers will still > make a memfd copy (unless you are using `runc` itself inside a user namespace > -- a-la [`rootlesskit`][rootlesskit] -- and are on Linux 5.11 or later), but > `memfd-bind` is not particularly useful for rootless container users anyway > (see [Caveats](#Caveats) for more details). `runc` sometimes has to make a binary copy of itself when constructing a container process in order to defend against certain container runtime attacks such as CVE-2019-5736. This cloned binary only exists until the container process starts (this means for `runc run` and `runc exec`, it only exists for a few hundred milliseconds -- for `runc create` it exists until `runc start` is called). However, because the clone is done using a memfd (or by creating files in directories that are likely to be a `tmpfs`), this can lead to temporary increases in *host* memory usage. Unless you are running on a cgroupv1 system with the cgroupv1 memory controller enabled and the (deprecated) `memory.move_charge_at_immigrate` enabled, there is no effect on the container's memory. However, for certain configurations this can still be undesirable. This daemon allows you to create a sealed memfd copy of the `runc` binary, which will cause `runc` to skip all binary copying, resulting in no additional memory usage for each container process (instead there is a single in-memory copy of the binary). It should be noted that (strictly speaking) this is slightly less secure if you are concerned about Dirty Cow-like 0-day kernel vulnerabilities, but for most users the security benefit is identical. The provided `memfd-bind@.service` file can be used to get systemd to manage this daemon. You can supply the path like so: ```bash systemctl start memfd-bind@$(systemd-escape -p /usr/bin/runc) ``` Thus, there are three ways of protecting against CVE-2019-5736, in order of how much memory usage they can use: * `memfd-bind` only creates a single in-memory copy of the `runc` binary (about 10MB), regardless of how many containers are running. * The classic method of making a copy of the entire `runc` binary during container process setup takes up about 10MB per process spawned inside the container by runc (both pid1 and `runc exec`). [rootlesskit]: https://github.com/rootless-containers/rootlesskit ### Caveats ### There are several downsides with using `memfd-bind` on the `runc` binary: * The `memfd-bind` process needs to continue to run indefinitely in order for the memfd reference to stay alive. If the process is forcefully killed, the bind-mount on top of the `runc` binary will become stale and nobody will be able to execute it (you can use `memfd-bind --cleanup` to clean up the stale mount). * Only root can execute the cloned binary due to permission restrictions on accessing other process's files. More specifically, only users with ptrace privileges over the memfd-bind daemon can access the file (but in practice this is usually only root). * When updating `runc`, the daemon needs to be stopped before the update (so the package manager can access the underlying file) and then restarted after the update.