CVE-2013-6456: Avoid unsafe use of /proc/$PID/root in LXC chardev hostdev hotplug

Rewrite lxcDomainAttachDeviceHostdevMiscLive function to use the virProcessRunInMountNamespace helper. This avoids risk of a malicious guest replacing /dev with a absolute symlink, tricking the driver into changing the host OS filesystem. Signed-off-by: N Daniel P. Berrange <berrange@redhat.com> (cherry picked from commit 1cadeafc) Conflicts: src/lxc/lxc_driver.c: OOM + cgroups error reporting

CVE-2013-6456: Avoid unsafe use of /proc/$PID/root in LXC chardev hostdev hotplug
Rewrite lxcDomainAttachDeviceHostdevMiscLive function to use the virProcessRunInMountNamespace helper. This avoids risk of a malicious guest replacing /dev with a absolute symlink, tricking the driver into changing the host OS filesystem. Signed-off-by: N Daniel P. Berrange <berrange@redhat.com> (cherry picked from commit 1cadeafc) Conflicts: src/lxc/lxc_driver.c: OOM + cgroups error reporting
0e9fee68 · Daniel P. Berrange · 9849cf6d · 0e9fee68
隐藏空白更改
内联并排

Showing with 21 addition and 48 deletion

src/lxc/lxc_driver.c src/lxc/lxc_driver.c +21 -48

未找到文件。
--- a/src/lxc/lxc_driver.c
+++ b/src/lxc/lxc_driver.c
@@ -3635,11 +3635,7 @@ lxcDomainAttachDeviceHostdevMiscLive(virLXCDriverPtr driver,
    virLXCDomainObjPrivatePtr priv = vm->privateData;
    virDomainHostdevDefPtr def = dev->data.hostdev;
    int ret = -1;
-    char *dst = NULL;
-    char *vroot = NULL;
    struct stat sb;
-    bool created = false;
-    mode_t mode = 0;

    if (!def->source.caps.u.misc.chardev) {
        virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
@@ -3667,16 +3663,14 @@ lxcDomainAttachDeviceHostdevMiscLive(virLXCDriverPtr driver,
        goto cleanup;
    }

-    if (virAsprintf(&vroot, "/proc/%llu/root",
-                    (unsigned long long)priv->initpid) < 0) {
-        virReportOOMError();
-        goto cleanup;
-    }
-
-    if (virAsprintf(&dst, "%s/%s",
-                    vroot,
-                    def->source.caps.u.misc.chardev) < 0) {
-        virReportOOMError();
+    if (virCgroupAllowDevice(priv->cgroup,
+                             'c',
+                             major(sb.st_rdev),
+                             minor(sb.st_rdev),
+                             VIR_CGROUP_DEVICE_RWM) < 0) {
+        virReportError(VIR_ERR_INTERNAL_ERROR,
+                       _("Unable to allow device %s"),
+                       def->source.caps.u.misc.chardev);
        goto cleanup;
    }

@@ -3685,36 +3679,19 @@ lxcDomainAttachDeviceHostdevMiscLive(virLXCDriverPtr driver,
        goto cleanup;
    }

-    if (lxcContainerSetupHostdevCapsMakePath(dst) < 0) {
-        virReportSystemError(errno,
-                             _("Unable to create directory for device %s"),
-                             dst);
-        goto cleanup;
-    }
-
-    mode = 0700 | S_IFCHR;
-
-    VIR_DEBUG("Creating dev %s (%d,%d)",
-              def->source.caps.u.misc.chardev,
-              major(sb.st_rdev), minor(sb.st_rdev));
-    if (mknod(dst, mode, sb.st_rdev) < 0) {
-        virReportSystemError(errno,
-                             _("Unable to create device %s"),
-                             dst);
-        goto cleanup;
-    }
-    created = true;
-
-    if (virSecurityManagerSetHostdevLabel(driver->securityManager,
-                                          vm->def, def, vroot) < 0)
-        goto cleanup;
-
-    if (virCgroupAllowDevicePath(priv->cgroup, def->source.caps.u.misc.chardev,
-                                 VIR_CGROUP_DEVICE_RW |
-                                 VIR_CGROUP_DEVICE_MKNOD) != 0) {
-        virReportError(VIR_ERR_INTERNAL_ERROR,
-                       _("cannot allow device %s for domain %s"),
-                       def->source.caps.u.misc.chardev, vm->def->name);
+    if (lxcDomainAttachDeviceMknod(driver,
+                                   0700 | S_IFBLK,
+                                   sb.st_rdev,
+                                   vm,
+                                   dev,
+                                   def->source.caps.u.misc.chardev) < 0) {
+        if (virCgroupDenyDevice(priv->cgroup,
+                                'c',
+                                major(sb.st_rdev),
+                                minor(sb.st_rdev),
+                                VIR_CGROUP_DEVICE_RWM) < 0)
+            VIR_WARN("cannot deny device %s for domain %s",
+                     def->source.caps.u.storage.block, vm->def->name);
        goto cleanup;
    }

@@ -3724,10 +3701,6 @@ lxcDomainAttachDeviceHostdevMiscLive(virLXCDriverPtr driver,

 cleanup:
    virDomainAuditHostdev(vm, def, "attach", ret == 0);
-    if (dst && created && ret < 0)
-        unlink(dst);
-    VIR_FREE(dst);
-    VIR_FREE(vroot);
    return ret;
 }