From 64f94112728f35ee76d56fa4cf6dc41bd5cd5d33 Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Sat, 2 Sep 2023 08:56:38 +0000
Subject: [PATCH 24/33] !2165 preventing the use of insecure isulad tmpdir
directory * preventing the use of insecure isulad tmpdir directory
---
src/common/constants.h | 2 +
.../container/leftover_cleanup/cleanup.c | 66 ++++++++++++++++++-
src/daemon/modules/image/oci/utils_images.c | 10 +++
3 files changed, 77 insertions(+), 1 deletion(-)
diff --git a/src/common/constants.h b/src/common/constants.h
index d93bb464..c0417263 100644
--- a/src/common/constants.h
+++ b/src/common/constants.h
@@ -50,6 +50,8 @@ extern "C" {
#define TEMP_DIRECTORY_MODE 0700
+#define ISULAD_TEMP_DIRECTORY_MODE 0660
+
#define CONSOLE_FIFO_DIRECTORY_MODE 0770
#define SOCKET_GROUP_DIRECTORY_MODE 0660
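Review bot: `ISULAD_TEMP_DIRECTORY_MODE 0660` has no search (x) bit and grants group read/write, which is unusual for a directory and looser toward the group than `TEMP_DIRECTORY_MODE 0700` defined just above it. In this patch cleanup.c requires and recreates the tmpdir with 0660, while the utils_images.c hunk rejects anything other than 0700. If both code paths refer to the same directory (not visible here), each check fails what the other accepts. Consider a single value, e.g. `#define ISULAD_TEMP_DIRECTORY_MODE 0700`, with a comment saying why that mode is required.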
diff --git a/src/daemon/modules/container/leftover_cleanup/cleanup.c b/src/daemon/modules/container/leftover_cleanup/cleanup.c
index 9a38ffc2..f24ec467 100644
--- a/src/daemon/modules/container/leftover_cleanup/cleanup.c
+++ b/src/daemon/modules/container/leftover_cleanup/cleanup.c
@@ -13,6 +13,8 @@
* Description: provide cleanup functions
*********************************************************************************/
#include <sys/mount.h>
+#include <sys/stat.h>
+#include <unistd.h>
#include "utils.h"
#include "utils_fs.h"
@@ -169,6 +171,67 @@ static bool walk_isulad_tmpdir_cb(const char *path_name, const struct dirent *su
return true;
}
+static int isulad_tmpdir_security_check(const char *tmpdir)
+{
+ struct stat st = { 0 };
+
+ if (lstat(tmpdir, &st) != 0) {
+ SYSERROR("Failed to lstat %s", tmpdir);
+ return -1;
+ }
+
+ if (!S_ISDIR(st.st_mode)) {
+ return -1;
+ }
+
+ if ((st.st_mode & 0777) != ISULAD_TEMP_DIRECTORY_MODE) {
+ return -1;
+ }
+
+ if (st.st_uid != 0) {
+ return -1;
+ }
+
+ if (S_ISLNK(st.st_mode)) {
+ return -1;
+ }
+
+ return 0;
+}
+
+static int recreate_tmpdir(const char *tmpdir)
+{
+ int ret;
+ struct stat st = { 0 };
+
+ if (util_recursive_rmdir(tmpdir, 0)) {
+ ERROR("Failed to remove directory %s", tmpdir);
+ return -1;
+ }
+
+ if (util_mkdir_p(tmpdir, ISULAD_TEMP_DIRECTORY_MODE)) {
+ ERROR("Failed to create directory %s", tmpdir);
+ return -1;
+ }
+
+ if (lstat(tmpdir, &st) != 0) {
+ SYSERROR("Failed to lstat %s", tmpdir);
+ return -1;
+ }
+
+ return ret;
+}
+
+static int ensure_isulad_tmpdir_security(const char *tmpdir)
+{
+ if (isulad_tmpdir_security_check(tmpdir) == 0) {
+ return 0;
+ }
+
+ INFO("iSulad tmpdir does not meet security requirements, recreate it");
+ return recreate_tmpdir(tmpdir);
+}
+
static void cleanup_path(char *dir)
{
int nret;
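Review bot: `recreate_tmpdir` ends with `return ret;`, but `ret` is declared as `int ret;` and never assigned, so the success path returns an indeterminate value and `cleanup_path` may skip or run the cleanup unpredictably. The `lstat` result in `st` is also never read. Replacing the tail with `return isulad_tmpdir_security_check(tmpdir);` would fix the return value and confirm that the recreated directory has the expected type, mode and owner (how `util_mkdir_p` interacts with the umask is not visible here). In `isulad_tmpdir_security_check` the `S_ISLNK` test is unreachable, because a symlink already fails `S_ISDIR` after `lstat`. The hunk opens inside `walk_isulad_tmpdir_cb` and ends inside `cleanup_path`.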
@@ -186,7 +249,8 @@ static void cleanup_path(char *dir)
return;
}
- if (!util_dir_exists(cleanpath)) {
+ // preventing the use of insecure isulad tmpdir directory
+ if (ensure_isulad_tmpdir_security(cleanpath) != 0) {
return;
}
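Review bot: The check in `ensure_isulad_tmpdir_security(cleanpath)` is made on the path name, and the rest of `cleanup_path` (outside this hunk) presumably reopens the same name, so the directory could be replaced between the `lstat` and its use if a parent directory is writable by another user. Holding a descriptor from `open(cleanpath, O_RDONLY | O_DIRECTORY | O_NOFOLLOW)` and checking it with `fstat` would bind the check to the object that is then walked. Separately, a missing directory used to return quietly and now logs `SYSERROR` and gets created. The comment could say so: `// a missing or non-conforming tmpdir is removed and recreated before cleanup`.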
diff --git a/src/daemon/modules/image/oci/utils_images.c b/src/daemon/modules/image/oci/utils_images.c
index f8fd1e73..4342db5b 100644
--- a/src/daemon/modules/image/oci/utils_images.c
+++ b/src/daemon/modules/image/oci/utils_images.c
@@ -630,6 +630,16 @@ int makesure_isulad_tmpdir_perm_right(const char *root_dir)
goto out;
}
+ if ((st.st_mode & 0777) != TEMP_DIRECTORY_MODE) {
+ ret = -1;
+ goto out;
+ }
+
+ if (S_ISLNK(st.st_mode)) {
+ ret = -1;
+ goto out;
+ }
+
// chown to root
ret = lchown(isulad_tmpdir, 0, 0);
if (ret == 0 || (ret == EPERM && st.st_uid == 0 && st.st_gid == 0)) {
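Review bot: Both new rejections set `ret = -1` and jump to `out` without logging, so a daemon that refuses to start on a mode mismatch gives the operator no reason. Add a line such as `ERROR("isulad tmpdir %s has unexpected mode or is a symlink", isulad_tmpdir);` before each `goto out`. The `S_ISLNK(st.st_mode)` test is only meaningful if `st` was filled by `lstat`. That call is outside the hunk, so it is worth confirming it is not `stat`. The mask `0777` also ignores the setuid, setgid and sticky bits. Comparing `(st.st_mode & 07777)` would reject those as well.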
--
2.40.1