CVE-2013-6456: Avoid unsafe use of /proc/$PID/root in LXC hotunplug code

Rewrite multiple hotunplug functions to to use the virProcessRunInMountNamespace helper. This avoids risk of a malicious guest replacing /dev with an absolute symlink, tricking the driver into changing the host OS filesystem. Signed-off-by: N Daniel P. Berrange <berrange@redhat.com>

CVE-2013-6456: Avoid unsafe use of /proc/$PID/root in LXC hotunplug code
Rewrite multiple hotunplug functions to to use the virProcessRunInMountNamespace helper. This avoids risk of a malicious guest replacing /dev with an absolute symlink, tricking the driver into changing the host OS filesystem. Signed-off-by: N Daniel P. Berrange <berrange@redhat.com>
5fc590ad · Daniel P. Berrange · 1cadeafc · 5fc590ad
隐藏空白更改
内联并排

Showing with 39 addition and 40 deletion

src/lxc/lxc_driver.c src/lxc/lxc_driver.c +39 -40

未找到文件。
--- a/src/lxc/lxc_driver.c
+++ b/src/lxc/lxc_driver.c
@@ -3773,6 +3773,39 @@ lxcDomainAttachDeviceMknod(virLXCDriverPtr driver,
 }
+static int
+lxcDomainAttachDeviceUnlinkHelper(pid_t pid ATTRIBUTE_UNUSED,
+                                  void *opaque)
+{
+    const char *path = opaque;
+    VIR_DEBUG("Unlinking %s", path);
+    if (unlink(path) < 0 && errno != ENOENT) {
+        virReportSystemError(errno,
+                             _("Unable to remove device %s"), path);
+        return -1;
+    }
+    return 0;
+}
+static int
+lxcDomainAttachDeviceUnlink(virDomainObjPtr vm,
+                            char *file)
+{
+    virLXCDomainObjPrivatePtr priv = vm->privateData;
+    if (virProcessRunInMountNamespace(priv->initpid,
+                                      lxcDomainAttachDeviceUnlinkHelper,
+                                      file) < 0) {
+        return -1;
+    }
+    return 0;
+}
 static int
 lxcDomainAttachDeviceDiskLive(virLXCDriverPtr driver,
                              virDomainObjPtr vm,
@@ -4364,8 +4397,7 @@ lxcDomainDetachDeviceDiskLive(virDomainObjPtr vm,
    def = vm->def->disks[idx];
-    if (virAsprintf(&dst, "/proc/%llu/root/dev/%s",
+    if (virAsprintf(&dst, "/dev/%s", def->dst) < 0)
-                    (unsigned long long)priv->initpid, def->dst) < 0)
        goto cleanup;
    if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) {
@@ -4374,11 +4406,8 @@ lxcDomainDetachDeviceDiskLive(virDomainObjPtr vm,
        goto cleanup;
    }
-    VIR_DEBUG("Unlinking %s (backed by %s)", dst, def->src);
+    if (lxcDomainAttachDeviceUnlink(vm, dst) < 0) {
-    if (unlink(dst) < 0 && errno != ENOENT) {
        virDomainAuditDisk(vm, def->src, NULL, "detach", false);
-        virReportSystemError(errno,
-                             _("Unable to remove device %s"), dst);
        goto cleanup;
    }
    virDomainAuditDisk(vm, def->src, NULL, "detach", true);
@@ -4473,7 +4502,6 @@ lxcDomainDetachDeviceHostdevUSBLive(virLXCDriverPtr driver,
    virDomainHostdevDefPtr def = NULL;
    int idx, ret = -1;
    char *dst = NULL;
-    char *vroot = NULL;
    virUSBDevicePtr usb = NULL;
    if ((idx = virDomainHostdevFind(vm->def,
@@ -4484,12 +4512,7 @@ lxcDomainDetachDeviceHostdevUSBLive(virLXCDriverPtr driver,
        goto cleanup;
    }
-    if (virAsprintf(&vroot, "/proc/%llu/root",
+    if (virAsprintf(&dst, "/dev/bus/usb/%03d/%03d",
-                    (unsigned long long)priv->initpid) < 0)
-        goto cleanup;
-    if (virAsprintf(&dst, "%s/dev/bus/usb/%03d/%03d",
-                    vroot,
                    def->source.subsys.u.usb.bus,
                    def->source.subsys.u.usb.device) < 0)
        goto cleanup;
@@ -4504,11 +4527,8 @@ lxcDomainDetachDeviceHostdevUSBLive(virLXCDriverPtr driver,
                                def->source.subsys.u.usb.device, NULL)))
        goto cleanup;
-    VIR_DEBUG("Unlinking %s", dst);
+    if (lxcDomainAttachDeviceUnlink(vm, dst) < 0) {
-    if (unlink(dst) < 0 && errno != ENOENT) {
        virDomainAuditHostdev(vm, def, "detach", false);
-        virReportSystemError(errno,
-                             _("Unable to remove device %s"), dst);
        goto cleanup;
    }
    virDomainAuditHostdev(vm, def, "detach", true);
@@ -4531,7 +4551,6 @@ lxcDomainDetachDeviceHostdevUSBLive(virLXCDriverPtr driver,
 cleanup:
    virUSBDeviceFree(usb);
    VIR_FREE(dst);
-    VIR_FREE(vroot);
    return ret;
 }
@@ -4543,7 +4562,6 @@ lxcDomainDetachDeviceHostdevStorageLive(virDomainObjPtr vm,
    virLXCDomainObjPrivatePtr priv = vm->privateData;
    virDomainHostdevDefPtr def = NULL;
    int idx, ret = -1;
-    char *dst = NULL;
    if (!priv->initpid) {
        virReportError(VIR_ERR_OPERATION_INVALID, "%s",
@@ -4560,22 +4578,14 @@ lxcDomainDetachDeviceHostdevStorageLive(virDomainObjPtr vm,
        goto cleanup;
    }
-    if (virAsprintf(&dst, "/proc/%llu/root/%s",
-                    (unsigned long long)priv->initpid,
-                    def->source.caps.u.storage.block) < 0)
-        goto cleanup;
    if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) {
        virReportError(VIR_ERR_OPERATION_INVALID, "%s",
                       _("devices cgroup isn't mounted"));
        goto cleanup;
    }
-    VIR_DEBUG("Unlinking %s", dst);
+    if (lxcDomainAttachDeviceUnlink(vm, def->source.caps.u.storage.block) < 0) {
-    if (unlink(dst) < 0 && errno != ENOENT) {
        virDomainAuditHostdev(vm, def, "detach", false);
-        virReportSystemError(errno,
-                             _("Unable to remove device %s"), dst);
        goto cleanup;
    }
    virDomainAuditHostdev(vm, def, "detach", true);
@@ -4590,7 +4600,6 @@ lxcDomainDetachDeviceHostdevStorageLive(virDomainObjPtr vm,
    ret = 0;
 cleanup:
-    VIR_FREE(dst);
    return ret;
 }
@@ -4602,7 +4611,6 @@ lxcDomainDetachDeviceHostdevMiscLive(virDomainObjPtr vm,
    virLXCDomainObjPrivatePtr priv = vm->privateData;
    virDomainHostdevDefPtr def = NULL;
    int idx, ret = -1;
-    char *dst = NULL;
    if (!priv->initpid) {
        virReportError(VIR_ERR_OPERATION_INVALID, "%s",
@@ -4619,22 +4627,14 @@ lxcDomainDetachDeviceHostdevMiscLive(virDomainObjPtr vm,
        goto cleanup;
    }
-    if (virAsprintf(&dst, "/proc/%llu/root/%s",
-                    (unsigned long long)priv->initpid,
-                    def->source.caps.u.misc.chardev) < 0)
-        goto cleanup;
    if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) {
        virReportError(VIR_ERR_OPERATION_INVALID, "%s",
                       _("devices cgroup isn't mounted"));
        goto cleanup;
    }
-    VIR_DEBUG("Unlinking %s", dst);
+    if (lxcDomainAttachDeviceUnlink(vm, def->source.caps.u.misc.chardev) < 0) {
-    if (unlink(dst) < 0 && errno != ENOENT) {
        virDomainAuditHostdev(vm, def, "detach", false);
-        virReportSystemError(errno,
-                             _("Unable to remove device %s"), dst);
        goto cleanup;
    }
    virDomainAuditHostdev(vm, def, "detach", true);
@@ -4649,7 +4649,6 @@ lxcDomainDetachDeviceHostdevMiscLive(virDomainObjPtr vm,
    ret = 0;
 cleanup:
-    VIR_FREE(dst);
    return ret;
 }