In order to protect against ptrace(2) and similar attacks on container runtimes when they join namespaces, many runtimes set mm->dumpable to SUID_DUMP_DISABLE. However, doing this means that attempting to set up an unprivileged user namespace will fail because an unprivileged process can no longer access /proc/self/{setgroups,{uid,gid}_map} for the container process (which is the same uid as the runtime process). Fix this by changing pid_getattr to *also* change the owner of regular files that have a mode of 0644 (when the process is not dumpable). This ensures that the important /proc/[pid]/... files mentioned above are properly accessible by a container runtime in a rootless container context. The most blantant issue is that a non-dumpable process in a rootless container context is unable to open /proc/self/setgroups, because it doesn't own the file. int main(void) { prctl(PR_SET_DUMPABLE, 0, 0, 0, 0); unshare(CLONE_NEWUSER); /* This will fail. */ int fd = open("/proc/self/setgroups", O_WRONLY); if (fd < 0) abort(); return 0; }I do agree that failing to open anything in /proc/self/ is more than unexepcted! I cannot judge the patch but my gut feeling tells me that the fix should be somewhere in the open handler.
Maybe that would suffice as a more specific fix (for the special case of /proc/self), but the fact that none of the users and groups are correctly set in /proc/[pid] will cause issues for runC and other container runtimes (because they don't go through /proc/self -- it's accessing /proc/[pid] from another process).
Though I get the feeling that the *correct* fix would be to remove the conditional and *always* change the owner -- maybe I'm missing something but I can't think of the security issue that this code currently fixes (since all of the important permission checks are *in addition* to the generic_permission used for /proc/self/..., which use ptrace_may_access).
-- Aleksa Sarai Software Engineer (Containers) SUSE Linux GmbH https://www.cyphar.com/ _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
