diff options
Diffstat (limited to '0024-2165-preventing-the-use-of-insecure-isulad-tmpdir-di.patch')
| -rw-r--r-- | 0024-2165-preventing-the-use-of-insecure-isulad-tmpdir-di.patch | 140 |
1 files changed, 140 insertions, 0 deletions
diff --git a/0024-2165-preventing-the-use-of-insecure-isulad-tmpdir-di.patch b/0024-2165-preventing-the-use-of-insecure-isulad-tmpdir-di.patch new file mode 100644 index 0000000..383dd43 --- /dev/null +++ b/0024-2165-preventing-the-use-of-insecure-isulad-tmpdir-di.patch @@ -0,0 +1,140 @@ +From 64f94112728f35ee76d56fa4cf6dc41bd5cd5d33 Mon Sep 17 00:00:00 2001 +From: zhongtao <zhongtao17@huawei.com> +Date: Sat, 2 Sep 2023 08:56:38 +0000 +Subject: [PATCH 24/33] !2165 preventing the use of insecure isulad tmpdir + directory * preventing the use of insecure isulad tmpdir directory + +--- + src/common/constants.h | 2 + + .../container/leftover_cleanup/cleanup.c | 66 ++++++++++++++++++- + src/daemon/modules/image/oci/utils_images.c | 10 +++ + 3 files changed, 77 insertions(+), 1 deletion(-) + +diff --git a/src/common/constants.h b/src/common/constants.h +index d93bb464..c0417263 100644 +--- a/src/common/constants.h ++++ b/src/common/constants.h +@@ -50,6 +50,8 @@ extern "C" { + + #define TEMP_DIRECTORY_MODE 0700 + ++#define ISULAD_TEMP_DIRECTORY_MODE 0660 ++ + #define CONSOLE_FIFO_DIRECTORY_MODE 0770 + + #define SOCKET_GROUP_DIRECTORY_MODE 0660 +diff --git a/src/daemon/modules/container/leftover_cleanup/cleanup.c b/src/daemon/modules/container/leftover_cleanup/cleanup.c +index 9a38ffc2..f24ec467 100644 +--- a/src/daemon/modules/container/leftover_cleanup/cleanup.c ++++ b/src/daemon/modules/container/leftover_cleanup/cleanup.c +@@ -13,6 +13,8 @@ + * Description: provide cleanup functions + *********************************************************************************/ + #include <sys/mount.h> ++#include <sys/stat.h> ++#include <unistd.h> + + #include "utils.h" + #include "utils_fs.h" +@@ -169,6 +171,67 @@ static bool walk_isulad_tmpdir_cb(const char *path_name, const struct dirent *su + return true; + } + ++static int isulad_tmpdir_security_check(const char *tmpdir) ++{ ++ struct stat st = { 0 }; ++ ++ if (lstat(tmpdir, &st) != 0) { ++ SYSERROR("Failed to lstat %s", tmpdir); ++ return -1; ++ } ++ ++ if (!S_ISDIR(st.st_mode)) { ++ return -1; ++ } ++ ++ if ((st.st_mode & 0777) != ISULAD_TEMP_DIRECTORY_MODE) { ++ return -1; ++ } ++ ++ if (st.st_uid != 0) { ++ return -1; ++ } ++ ++ if (S_ISLNK(st.st_mode)) { ++ return -1; ++ } ++ ++ return 0; ++} ++ ++static int recreate_tmpdir(const char *tmpdir) ++{ ++ int ret; ++ struct stat st = { 0 }; ++ ++ if (util_recursive_rmdir(tmpdir, 0)) { ++ ERROR("Failed to remove directory %s", tmpdir); ++ return -1; ++ } ++ ++ if (util_mkdir_p(tmpdir, ISULAD_TEMP_DIRECTORY_MODE)) { ++ ERROR("Failed to create directory %s", tmpdir); ++ return -1; ++ } ++ ++ if (lstat(tmpdir, &st) != 0) { ++ SYSERROR("Failed to lstat %s", tmpdir); ++ return -1; ++ } ++ ++ return ret; ++} ++ ++static int ensure_isulad_tmpdir_security(const char *tmpdir) ++{ ++ if (isulad_tmpdir_security_check(tmpdir) == 0) { ++ return 0; ++ } ++ ++ INFO("iSulad tmpdir does not meet security requirements, recreate it"); ++ return recreate_tmpdir(tmpdir); ++} ++ + static void cleanup_path(char *dir) + { + int nret; +@@ -186,7 +249,8 @@ static void cleanup_path(char *dir) + return; + } + +- if (!util_dir_exists(cleanpath)) { ++ // preventing the use of insecure isulad tmpdir directory ++ if (ensure_isulad_tmpdir_security(cleanpath) != 0) { + return; + } + +diff --git a/src/daemon/modules/image/oci/utils_images.c b/src/daemon/modules/image/oci/utils_images.c +index f8fd1e73..4342db5b 100644 +--- a/src/daemon/modules/image/oci/utils_images.c ++++ b/src/daemon/modules/image/oci/utils_images.c +@@ -630,6 +630,16 @@ int makesure_isulad_tmpdir_perm_right(const char *root_dir) + goto out; + } + ++ if ((st.st_mode & 0777) != TEMP_DIRECTORY_MODE) { ++ ret = -1; ++ goto out; ++ } ++ ++ if (S_ISLNK(st.st_mode)) { ++ ret = -1; ++ goto out; ++ } ++ + // chown to root + ret = lchown(isulad_tmpdir, 0, 0); + if (ret == 0 || (ret == EPERM && st.st_uid == 0 && st.st_gid == 0)) { +-- +2.40.1 + |