summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2022-04-14 10:21:12 -0400
committerGitHub <noreply@github.com>2022-04-14 10:21:12 -0400
commit53b984f20fef3a66269029f10c6cd16d7b80fd4e (patch)
tree723ab69cbdc00d49bb2fd804004bdbe4e6ebb41b
parent90293da292d081b8d1e9670b6105cfb01d621b68 (diff)
parent2a75164e23c98c2b2f6f1267b0839bb8ab9ccf48 (diff)
downloadpodman-53b984f20fef3a66269029f10c6cd16d7b80fd4e.tar.gz
podman-53b984f20fef3a66269029f10c6cd16d7b80fd4e.tar.bz2
podman-53b984f20fef3a66269029f10c6cd16d7b80fd4e.zip
Merge pull request #13874 from vrothberg/test-for-CVE-2022-1227
add a regression test for CVE-2022-1227
-rw-r--r--test/system/030-run.bats24
1 files changed, 24 insertions, 0 deletions
diff --git a/test/system/030-run.bats b/test/system/030-run.bats
index 72e4a2bc8..aba18badb 100644
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@@ -821,4 +821,28 @@ EOF
run_podman run --rm $IMAGE cat /proc/self/oom_score_adj
is "$output" "$current_oom_score_adj" "different oom_score_adj in the container"
}
+
+# CVE-2022-1227 : podman top joins container mount NS and uses nsenter from image
+@test "podman top does not use nsenter from image" {
+ tmpdir=$PODMAN_TMPDIR/build-test
+ mkdir -p $tmpdir
+ tmpbuilddir=$tmpdir/build
+ mkdir -p $tmpbuilddir
+ dockerfile=$tmpbuilddir/Dockerfile
+ cat >$dockerfile <<EOF
+FROM $IMAGE
+RUN rm /usr/bin/nsenter; \
+echo -e "#!/bin/sh\nfalse" >> /usr/bin/nsenter; \
+chmod +x /usr/bin/nsenter
+EOF
+
+ test_image="cve_2022_1227_test"
+ run_podman build -t $test_image $tmpbuilddir
+ run_podman run -d --userns=keep-id $test_image top
+ ctr="$output"
+ run_podman top $ctr huser,user
+ run_podman rm -f -t0 $ctr
+ run_podman rmi $test_image
+}
+
# vim: filetype=sh