1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
|
#!/usr/bin/env bats -*- bats -*-
#
# Tests #2730 - regular users are not able to read/write container storage
# Tests #6957 - /sys/dev (et al) are masked from unprivileged containers
#
load helpers
@test "podman container storage is not accessible by unprivileged users" {
skip_if_rootless "test meaningless without suid"
skip_if_remote
run_podman run --name c_uidmap --uidmap 0:10000:10000 $IMAGE true
run_podman run --name c_uidmap_v --uidmap 0:10000:10000 -v foo:/foo $IMAGE true
run_podman run --name c_mount $IMAGE \
sh -c "echo hi > /myfile;mkdir -p /mydir/mysubdir; chmod 777 /myfile /mydir /mydir/mysubdir"
run_podman mount c_mount
mount_path=$output
# Do all the work from within a test script. Since we'll be invoking it
# as a user, the parent directory must be world-readable.
test_script=$PODMAN_TMPDIR/fail-if-writable
cat >$test_script <<"EOF"
#!/usr/bin/env bash
path="$1"
die() {
echo "#/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv" >&2
echo "#| FAIL: $*" >&2
echo "#\\^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^" >&2
# Show permissions of directories from here on up
while expr "$path" : "/var/lib/containers" >/dev/null; do
echo "#| $(ls -ld $path)"
path=$(dirname $path)
done
exit 1
}
parent=$(dirname "$path")
if chmod +w $parent; then
die "Able to chmod $parent"
fi
if chmod +w "$path"; then
die "Able to chmod $path"
fi
if [ -d "$path" ]; then
if ls "$path" >/dev/null; then
die "Able to run 'ls $path' without error"
fi
if echo hi >"$path"/test; then
die "Able to write to file under $path"
fi
else
# Plain file
if cat "$path" >/dev/null; then
die "Able to read $path"
fi
if echo hi >"$path"; then
die "Able to write to $path"
fi
fi
exit 0
EOF
chmod 755 $PODMAN_TMPDIR $test_script
# get podman image and container storage directories
run_podman info --format '{{.Store.GraphRoot}}'
is "$output" "/var/lib/containers/storage" "GraphRoot in expected place"
GRAPH_ROOT="$output"
run_podman info --format '{{.Store.RunRoot}}'
is "$output" ".*/run/containers/storage" "RunRoot in expected place"
RUN_ROOT="$output"
# The main test: find all world-writable files or directories underneath
# container storage, run the test script as a nonroot user, and try to
# access each path.
find $GRAPH_ROOT $RUN_ROOT \! -type l -perm -o+w -print | while read i; do
dprint " o+w: $i"
# use chroot because su fails if uid/gid don't exist or have no shell
# For development: test all this by removing the "--userspec x:x"
chroot --userspec 1000:1000 / $test_script "$i"
done
# Done. Clean up.
rm -f $test_script
run_podman umount c_mount
run_podman rm c_mount
run_podman rm c_uidmap c_uidmap_v
}
# #6957 - mask out /proc/acpi, /sys/dev, and other sensitive system files
@test "sensitive mount points are masked without --privileged" {
# Weird error, maybe a flake?
# can only attach to created or running containers: container state improper
# https://github.com/containers/podman/pull/7111#issuecomment-666858715
skip_if_remote "FIXME: Weird flake"
# FIXME: this should match the list in pkg/specgen/generate/config_linux.go
local -a mps=(
/proc/acpi
/proc/kcore
/proc/keys
/proc/latency_stats
/proc/timer_list
/proc/timer_stats
/proc/sched_debug
/proc/scsi
/sys/firmware
/sys/fs/selinux
/sys/dev/block
)
# Some of the above may not exist on our host. Find only the ones that do.
local -a subset=()
for mp in ${mps[@]}; do
if [ -e $mp ]; then
subset+=($mp)
fi
done
# Run 'stat' on all the files, plus /dev/null. Get path, file type,
# number of links, major, and minor (see below for why). Do it all
# in one go, to avoid multiple podman-runs
run_podman run --rm $IMAGE stat -c'%n:%F:%h:%T:%t' /dev/null ${subset[@]}
local devnull=
for result in "${lines[@]}"; do
# e.g. /proc/acpi:character special file:1:3:1
local IFS=:
read path type nlinks major minor <<<"$result"
if [[ $path = "/dev/null" ]]; then
# /dev/null is our reference point: masked *files* (not directories)
# will be created as /dev/null clones.
# This depends on 'stat' returning results in argv order,
# so /dev/null is first, so we have a reference for others.
# If that ever breaks, this test will have to be done in two passes.
devnull="$major:$minor"
elif [[ $type = "character special file" ]]; then
# Container file is a character device: it must match /dev/null
is "$major:$minor" "$devnull" "$path: major/minor matches /dev/null"
elif [[ $type = "directory" ]]; then
# Directories: must be empty (only two links).
# FIXME: this is a horrible almost-worthless test! It does not
# actually check for files in the directory (expect: zero),
# merely for the nonexistence of any subdirectories! It relies
# on the observed (by Ed) fact that all the masked directories
# contain further subdirectories on the host. If there's ever
# a new masked directory that contains only files, this test
# will silently pass without any indication of error.
# If you can think of a better way to do this check,
# please feel free to fix it.
is "$nlinks" "2" "$path: directory link count"
else
die "$path: Unknown file type '$type'"
fi
done
}
# vim: filetype=sh
|