author | Valentin Rothberg <vrothberg@redhat.com> | 2022-04-14 14:17:57 +0200 |
---|---|---|
committer | Valentin Rothberg <vrothberg@redhat.com> | 2022-04-14 14:42:12 +0200 |
commit | 2a75164e23c98c2b2f6f1267b0839bb8ab9ccf48 (patch) | |
tree | 723ab69cbdc00d49bb2fd804004bdbe4e6ebb41b | |
parent | 90293da292d081b8d1e9670b6105cfb01d621b68 (diff) | |
add a regression test for CVE-2022-1227
Will also be included in the upcoming backports.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
-rw-r--r-- | test/system/030-run.bats | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/test/system/030-run.bats b/test/system/030-run.bats
index 72e4a2bc8..aba18badb 100644
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@@ -821,4 +821,28 @@ EOF
 run_podman run --rm $IMAGE cat /proc/self/oom_score_adj
 is "$output" "$current_oom_score_adj" "different oom_score_adj in the container"
 }
+
+# CVE-2022-1227 : podman top joins container mount NS and uses nsenter from image
+@test "podman top does not use nsenter from image" {
+ tmpdir=$PODMAN_TMPDIR/build-test
+ mkdir -p $tmpdir
+ tmpbuilddir=$tmpdir/build
+ mkdir -p $tmpbuilddir
+ dockerfile=$tmpbuilddir/Dockerfile
+ cat >$dockerfile <<EOF
+FROM $IMAGE
+RUN rm /usr/bin/nsenter; \
+echo -e "#!/bin/sh\nfalse" >> /usr/bin/nsenter; \
+chmod +x /usr/bin/nsenter
+EOF
+
+ test_image="cve_2022_1227_test"
+ run_podman build -t $test_image $tmpbuilddir
+ run_podman run -d --userns=keep-id $test_image top
+ ctr="$output"
+ run_podman top $ctr huser,user
+ run_podman rm -f -t0 $ctr
+ run_podman rmi $test_image
+}
+
 # vim: filetype=sh
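Review bot: The only check the new test performs on `podman top` is the implicit zero exit status enforced by `run_podman`; nothing asserts that a process listing was actually produced, so a regression where `podman top` succeeds with empty output would still pass. After `run_podman top $ctr huser,user`, add an output assertion such as `is "${lines[0]}" "HUSER *USER" "podman top prints the requested descriptors"` (or a line-count check for header plus the `top` process), and a one-line comment stating that the image's replacement nsenter exits non-zero, so any use of it from the container's mount namespace fails the command. The Dockerfile's `echo -e "#!/bin/sh\nfalse"` depends on a non-POSIX echo flag in the image's shell; `printf '#!/bin/sh\nfalse\n' > /usr/bin/nsenter` is portable and avoids appending to a path that was just removed. Note also that the unquoted `<<EOF` heredoc consumes the trailing `\` continuations before the Dockerfile ever sees them, so the RUN instruction arrives as a single line — harmless here, but worth a comment so nobody "fixes" it. If the `top` step fails, the `rm`/`rmi` lines are never reached; that is acceptable only if the suite's teardown removes the leftover container and image, which cannot be confirmed from this hunk.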