github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-06-27 15:57:09 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #891 from bergwolf/CVE-2016-9962

Browse Source 
agent: set init process non-dumpable
This commit is contained in:
Fupan Li 2020-10-09 19:03:24 +08:00 committed by GitHub
commit 3a659a6733
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 18 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
src/agent/rustjail/src/container.rs
View File

@ -456,6 +456,24 @@ fn do_init_child(cwfd: RawFd) -> Result<()> {
setrlimit(rl)?; setrlimit(rl)?;
} }
//
// Make the process non-dumpable, to avoid various race conditions that
// could cause processes in namespaces we're joining to access host
// resources (or potentially execute code).
//
// However, if the number of namespaces we are joining is 0, we are not
// going to be switching to a different security context. Thus setting
// ourselves to be non-dumpable only breaks things (like rootless
// containers), which is the recommendation from the kernel folks.
//
// Ref: https://github.com/opencontainers/runc/commit/50a19c6ff828c58e5dab13830bd3dacde268afe5
//
if !nses.is_empty() {
if let Err(e) = prctl::set_dumpable(false) {
return Err(anyhow!(e).context("set process non-dumpable failed"));
};
}
if userns { if userns {
log_child!(cfd_log, "enter new user namespace"); log_child!(cfd_log, "enter new user namespace");
sched::unshare(CloneFlags::CLONE_NEWUSER)?; sched::unshare(CloneFlags::CLONE_NEWUSER)?;