From 64f94112728f35ee76d56fa4cf6dc41bd5cd5d33 Mon Sep 17 00:00:00 2001 From: zhongtao Date: Sat, 2 Sep 2023 08:56:38 +0000 Subject: [PATCH 24/33] !2165 preventing the use of insecure isulad tmpdir directory * preventing the use of insecure isulad tmpdir directory --- src/common/constants.h | 2 + .../container/leftover_cleanup/cleanup.c | 66 ++++++++++++++++++- src/daemon/modules/image/oci/utils_images.c | 10 +++ 3 files changed, 77 insertions(+), 1 deletion(-) diff --git a/src/common/constants.h b/src/common/constants.h index d93bb464..c0417263 100644 --- a/src/common/constants.h +++ b/src/common/constants.h @@ -50,6 +50,8 @@ extern "C" { #define TEMP_DIRECTORY_MODE 0700 +#define ISULAD_TEMP_DIRECTORY_MODE 0660 + #define CONSOLE_FIFO_DIRECTORY_MODE 0770 #define SOCKET_GROUP_DIRECTORY_MODE 0660 diff --git a/src/daemon/modules/container/leftover_cleanup/cleanup.c b/src/daemon/modules/container/leftover_cleanup/cleanup.c index 9a38ffc2..f24ec467 100644 --- a/src/daemon/modules/container/leftover_cleanup/cleanup.c +++ b/src/daemon/modules/container/leftover_cleanup/cleanup.c @@ -13,6 +13,8 @@ * Description: provide cleanup functions *********************************************************************************/ #include +#include +#include #include "utils.h" #include "utils_fs.h" @@ -169,6 +171,67 @@ static bool walk_isulad_tmpdir_cb(const char *path_name, const struct dirent *su return true; } +static int isulad_tmpdir_security_check(const char *tmpdir) +{ + struct stat st = { 0 }; + + if (lstat(tmpdir, &st) != 0) { + SYSERROR("Failed to lstat %s", tmpdir); + return -1; + } + + if (!S_ISDIR(st.st_mode)) { + return -1; + } + + if ((st.st_mode & 0777) != ISULAD_TEMP_DIRECTORY_MODE) { + return -1; + } + + if (st.st_uid != 0) { + return -1; + } + + if (S_ISLNK(st.st_mode)) { + return -1; + } + + return 0; +} + +static int recreate_tmpdir(const char *tmpdir) +{ + int ret; + struct stat st = { 0 }; + + if (util_recursive_rmdir(tmpdir, 0)) { + ERROR("Failed to remove directory %s", tmpdir); + return -1; + } + + if (util_mkdir_p(tmpdir, ISULAD_TEMP_DIRECTORY_MODE)) { + ERROR("Failed to create directory %s", tmpdir); + return -1; + } + + if (lstat(tmpdir, &st) != 0) { + SYSERROR("Failed to lstat %s", tmpdir); + return -1; + } + + return ret; +} + +static int ensure_isulad_tmpdir_security(const char *tmpdir) +{ + if (isulad_tmpdir_security_check(tmpdir) == 0) { + return 0; + } + + INFO("iSulad tmpdir does not meet security requirements, recreate it"); + return recreate_tmpdir(tmpdir); +} + static void cleanup_path(char *dir) { int nret; @@ -186,7 +249,8 @@ static void cleanup_path(char *dir) return; } - if (!util_dir_exists(cleanpath)) { + // preventing the use of insecure isulad tmpdir directory + if (ensure_isulad_tmpdir_security(cleanpath) != 0) { return; } diff --git a/src/daemon/modules/image/oci/utils_images.c b/src/daemon/modules/image/oci/utils_images.c index f8fd1e73..4342db5b 100644 --- a/src/daemon/modules/image/oci/utils_images.c +++ b/src/daemon/modules/image/oci/utils_images.c @@ -630,6 +630,16 @@ int makesure_isulad_tmpdir_perm_right(const char *root_dir) goto out; } + if ((st.st_mode & 0777) != TEMP_DIRECTORY_MODE) { + ret = -1; + goto out; + } + + if (S_ISLNK(st.st_mode)) { + ret = -1; + goto out; + } + // chown to root ret = lchown(isulad_tmpdir, 0, 0); if (ret == 0 || (ret == EPERM && st.st_uid == 0 && st.st_gid == 0)) { -- 2.40.1