Merge pull request #886 from bergwolf/CVE-2019-19921

agent: do not follow link when mounting container proc and sysfs
2025-07-06 12:06:49 +00:00 · 2020-10-09 09:47:30 -05:00 · 2020-10-09 09:47:30 -05:00 · 4f0fe8473b
commit 4f0fe8473b
parent fd7d0ef999 b7147edadb
1 changed files with 15 additions and 0 deletions
--- a/src/agent/rustjail/src/mount.rs
+++ b/src/agent/rustjail/src/mount.rs
@ -205,6 +205,21 @@ pub fn init_rootfs(
                check_proc_mount(m)?;
            }

+            // If the destination already exists and is not a directory, we bail
+            // out This is to avoid mounting through a symlink or similar -- which
+            // has been a "fun" attack scenario in the past.
+            if m.r#type == "proc" || m.r#type == "sysfs" {
+                if let Ok(meta) = fs::symlink_metadata(&m.destination) {
+                    if !meta.is_dir() {
+                        return Err(anyhow!(
+                            "Mount point {} must be ordinary directory: got {:?}",
+                            m.destination,
+                            meta.file_type()
+                        ));
+                    }
+                }
+            }
+
            mount_from(cfd_log, &m, &rootfs, flags, &data, "")?;
            // bind mount won't change mount options, we need remount to make mount options
            // effective.