new file mode 100644

@@ -0,0 +1,337 @@

+From 39eeb1c74f3ea41488b888bb038b619e88d3619f Mon Sep 17 00:00:00 2001

+From: Aleksa Sarai <asarai@suse.de>

+Date: Wed, 9 Jan 2019 13:40:01 +1100

+Subject: [PATCH] nsenter: clone /proc/self/exe to avoid exposing host binary

+ to container

+

+There are quite a few circumstances where /proc/self/exe pointing to a

+pretty important container binary is a _bad_ thing, so to avoid this we

+have to make a copy (preferably doing self-clean-up and not being

+writeable).

+

+We require memfd_create(2) -- though there is an O_TMPFILE fallback --

+but we can always extend this to use a scratch MNT_DETACH overlayfs or

+tmpfs. The main downside to this approach is no page-cache sharing for

+the runc binary (which overlayfs would give us) but this is far less

+complicated.

+

+This is only done during nsenter so that it happens transparently to the

+Go code, and any libcontainer users benefit from it. This also makes

+ExtraFiles and --preserve-fds handling trivial (because we don't need to

+worry about it).

+

+Fixes: CVE-2019-5736

+Co-developed-by: Christian Brauner <christian.brauner@ubuntu.com>

+Signed-off-by: Aleksa Sarai <asarai@suse.de>

+---

+ libcontainer/nsenter/cloned_binary.c | 268 +++++++++++++++++++++++++++++++++++

+ libcontainer/nsenter/nsexec.c        |  11 ++

+ 2 files changed, 279 insertions(+)

+ create mode 100644 libcontainer/nsenter/cloned_binary.c

+

+diff --git a/libcontainer/nsenter/cloned_binary.c b/libcontainer/nsenter/cloned_binary.c

+new file mode 100644

+index 0000000..c8a42c2

+--- /dev/null

+@@ -0,0 +1,268 @@

++/*

++ * Copyright (C) 2019 Aleksa Sarai <cyphar@cyphar.com>

++ * Copyright (C) 2019 SUSE LLC

++ *

++ * Licensed under the Apache License, Version 2.0 (the "License");

++ * you may not use this file except in compliance with the License.

++ * You may obtain a copy of the License at

++ *

++ *     http://www.apache.org/licenses/LICENSE-2.0

++ *

++ * Unless required by applicable law or agreed to in writing, software

++ * distributed under the License is distributed on an "AS IS" BASIS,

++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

++ * See the License for the specific language governing permissions and

++ * limitations under the License.

++ */

++

++#define _GNU_SOURCE

++#include <unistd.h>

++#include <stdio.h>

++#include <stdlib.h>

++#include <stdbool.h>

++#include <string.h>

++#include <limits.h>

++#include <fcntl.h>

++#include <errno.h>

++

++#include <sys/types.h>

++#include <sys/stat.h>

++#include <sys/vfs.h>

++#include <sys/mman.h>

++#include <sys/sendfile.h>

++#include <sys/syscall.h>

++

++/* Use our own wrapper for memfd_create. */

++#if !defined(SYS_memfd_create) && defined(__NR_memfd_create)

++#  define SYS_memfd_create __NR_memfd_create

++#endif

++#ifdef SYS_memfd_create

++#  define HAVE_MEMFD_CREATE

++/* memfd_create(2) flags -- copied from <linux/memfd.h>. */

++#  ifndef MFD_CLOEXEC

++#    define MFD_CLOEXEC       0x0001U

++#    define MFD_ALLOW_SEALING 0x0002U

++#  endif

++int memfd_create(const char *name, unsigned int flags)

++{

++	return syscall(SYS_memfd_create, name, flags);

++}

++#endif

++

++/* This comes directly from <linux/fcntl.h>. */

++#ifndef F_LINUX_SPECIFIC_BASE

++#  define F_LINUX_SPECIFIC_BASE 1024

++#endif

++#ifndef F_ADD_SEALS

++#  define F_ADD_SEALS (F_LINUX_SPECIFIC_BASE + 9)

++#  define F_GET_SEALS (F_LINUX_SPECIFIC_BASE + 10)

++#endif

++#ifndef F_SEAL_SEAL

++#  define F_SEAL_SEAL   0x0001	/* prevent further seals from being set */

++#  define F_SEAL_SHRINK 0x0002	/* prevent file from shrinking */

++#  define F_SEAL_GROW   0x0004	/* prevent file from growing */

++#  define F_SEAL_WRITE  0x0008	/* prevent writes */

++#endif

++

++#define RUNC_SENDFILE_MAX 0x7FFFF000 /* sendfile(2) is limited to 2GB. */

++#ifdef HAVE_MEMFD_CREATE

++#  define RUNC_MEMFD_COMMENT "runc_cloned:/proc/self/exe"

++#  define RUNC_MEMFD_SEALS \

++	(F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)

++#endif

++

++static void *must_realloc(void *ptr, size_t size)

++{

++	void *old = ptr;

++	do {

++		ptr = realloc(old, size);

++	} while(!ptr);

++	return ptr;

++}

++

++/*

++ * Verify whether we are currently in a self-cloned program (namely, is

++ * /proc/self/exe a memfd). F_GET_SEALS will only succeed for memfds (or rather

++ * for shmem files), and we want to be sure it's actually sealed.

++ */

++static int is_self_cloned(void)

++{

++	int fd, ret, is_cloned = 0;

++

++	fd = open("/proc/self/exe", O_RDONLY|O_CLOEXEC);

++	if (fd < 0)

++		return -ENOTRECOVERABLE;

++

++#ifdef HAVE_MEMFD_CREATE

++	ret = fcntl(fd, F_GET_SEALS);

++	is_cloned = (ret == RUNC_MEMFD_SEALS);

++#else

++	struct stat statbuf = {0};

++	ret = fstat(fd, &statbuf);

++	if (ret >= 0)

++		is_cloned = (statbuf.st_nlink == 0);

++#endif

++	close(fd);

++	return is_cloned;

++}

++

++/*

++ * Basic wrapper around mmap(2) that gives you the file length so you can

++ * safely treat it as an ordinary buffer. Only gives you read access.

++ */

++static char *read_file(char *path, size_t *length)

++{

++	int fd;

++	char buf[4096], *copy = NULL;

++

++	if (!length)

++		return NULL;

++

++	fd = open(path, O_RDONLY | O_CLOEXEC);

++	if (fd < 0)

++		return NULL;

++

++	*length = 0;

++	for (;;) {

++		int n;

++

++		n = read(fd, buf, sizeof(buf));

++		if (n < 0)

++			goto error;

++		if (!n)

++			break;

++

++		copy = must_realloc(copy, (*length + n) * sizeof(*copy));

++		memcpy(copy + *length, buf, n);

++		*length += n;

++	}

++	close(fd);

++	return copy;

++

++error:

++	close(fd);

++	free(copy);

++	return NULL;

++}

++

++/*

++ * A poor-man's version of "xargs -0". Basically parses a given block of

++ * NUL-delimited data, within the given length and adds a pointer to each entry

++ * to the array of pointers.

++ */

++static int parse_xargs(char *data, int data_length, char ***output)

++{

++	int num = 0;

++	char *cur = data;

++

++	if (!data || *output != NULL)

++		return -1;

++

++	while (cur < data + data_length) {

++		num++;

++		*output = must_realloc(*output, (num + 1) * sizeof(**output));

++		(*output)[num - 1] = cur;

++		cur += strlen(cur) + 1;

++	}

++	(*output)[num] = NULL;

++	return num;

++}

++

++/*

++ * "Parse" out argv and envp from /proc/self/cmdline and /proc/self/environ.

++ * This is necessary because we are running in a context where we don't have a

++ * main() that we can just get the arguments from.

++ */

++static int fetchve(char ***argv, char ***envp)

++{

++	char *cmdline = NULL, *environ = NULL;

++	size_t cmdline_size, environ_size;

++

++	cmdline = read_file("/proc/self/cmdline", &cmdline_size);

++	if (!cmdline)

++		goto error;

++	environ = read_file("/proc/self/environ", &environ_size);

++	if (!environ)

++		goto error;

++

++	if (parse_xargs(cmdline, cmdline_size, argv) <= 0)

++		goto error;

++	if (parse_xargs(environ, environ_size, envp) <= 0)

++		goto error;

++

++	return 0;

++

++error:

++	free(environ);

++	free(cmdline);

++	return -EINVAL;

++}

++

++static int clone_binary(void)

++{

++	int binfd, memfd;

++	ssize_t sent = 0;

++

++#ifdef HAVE_MEMFD_CREATE

++	memfd = memfd_create(RUNC_MEMFD_COMMENT, MFD_CLOEXEC | MFD_ALLOW_SEALING);

++#else

++	memfd = open("/tmp", O_TMPFILE | O_EXCL | O_RDWR | O_CLOEXEC, 0711);

++#endif

++	if (memfd < 0)

++		return -ENOTRECOVERABLE;

++

++	binfd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);

++	if (binfd < 0)

++		goto error;

++

++	sent = sendfile(memfd, binfd, NULL, RUNC_SENDFILE_MAX);

++	close(binfd);

++	if (sent < 0)

++		goto error;

++

++#ifdef HAVE_MEMFD_CREATE

++	int err = fcntl(memfd, F_ADD_SEALS, RUNC_MEMFD_SEALS);

++	if (err < 0)

++		goto error;

++#else

++	/* Need to re-open "memfd" as read-only to avoid execve(2) giving -EXTBUSY. */

++	int newfd;

++	char *fdpath = NULL;

++

++	if (asprintf(&fdpath, "/proc/self/fd/%d", memfd) < 0)

++		goto error;

++	newfd = open(fdpath, O_RDONLY | O_CLOEXEC);

++	free(fdpath);

++	if (newfd < 0)

++		goto error;

++

++	close(memfd);

++	memfd = newfd;

++#endif

++	return memfd;

++

++error:

++	close(memfd);

++	return -EIO;

++}

++

++int ensure_cloned_binary(void)

++{

++	int execfd;

++	char **argv = NULL, **envp = NULL;

++

++	/* Check that we're not self-cloned, and if we are then bail. */

++	int cloned = is_self_cloned();

++	if (cloned > 0 || cloned == -ENOTRECOVERABLE)

++		return cloned;

++

++	if (fetchve(&argv, &envp) < 0)

++		return -EINVAL;

++

++	execfd = clone_binary();

++	if (execfd < 0)

++		return -EIO;

++

++	fexecve(execfd, argv, envp);

++	return -ENOEXEC;

++}

+diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c

+index 197e6d0..43f4b94 100644

+--- a/libcontainer/nsenter/nsexec.c

+@@ -431,6 +431,9 @@ void join_namespaces(char *nslist)

+ 	free(namespaces);

+ }

+ 

++/* Defined in cloned_binary.c. */

++extern int ensure_cloned_binary(void);

++

+ void nsexec(void)

+ {

+ 	int pipenum;

+@@ -446,6 +449,14 @@ void nsexec(void)

+ 	if (pipenum == -1)

+ 		return;

+ 

++	/*

++	 * We need to re-exec if we are not in a cloned binary. This is necessary

++	 * to ensure that containers won't be able to access the host binary

++	 * through /proc/self/exe. See CVE-2019-5736.

++	 */

++	if (ensure_cloned_binary() < 0)

++		bail("could not ensure we are a cloned binary");

++

+ 	/* Parse all of the netlink configuration. */

+ 	nl_parse(pipenum, &config);

+ 

+-- 

+2.7.4

+

@@ -1,7 +1,7 @@

 Summary:	CLI tool for spawning and running containers per OCI spec.

 Name:		runc

 Version:	1.0.0.rc4

-Release:	1%{?dist}

+Release:	2%{?dist}

 License:	ASL 2.0

 URL:		https://runc.io/

 Source0:	https://github.com/opencontainers/runc/archive/%{name}-1.0.0-rc4.tar.gz

@@ -16,6 +16,7 @@ Source4:	https://github.com/golang/sys/archive/golang-sys-07c182904dbd53199946ba

 %define sha1 golang-sys=940b297797b1defc11d67820a92becefeaa88f59

 Source5:	https://github.com/golang/crypto/archive/golang-crypto-eb71ad9bd329b5ac0fd0148dd99bd62e8be8e035.zip

 %define sha1 golang-crypto=775ab62e664ee2c89f624d5be6c55775360653ee

+Source6:        CVE-2019-5736.patch

 Group:		Virtualization/Libraries

 Vendor:		VMware, Inc.

 Distribution: 	Photon

@@ -65,6 +66,7 @@ cp -r . ../build/src/github.com/opencontainers/runc

 cd ../build

 export GOPATH=$GOPATH:`pwd`

 cd src/github.com/opencontainers/runc

+patch -p1 < %{SOURCE6}

 make %{?_smp_mflags}

 %install

@@ -76,6 +78,8 @@ make install BINDIR=%{buildroot}%{_sbindir}

 %{_sbindir}/runc

 %changelog

+*   Mon Feb 11 2019 Bo Gan <ganb@vmware.com> 1.0.0.rc4-2

+-   Fix CVE-2019-5736

 *   Tue Aug 22 2017 Dheeraj Shetty <dheerajs@vmware.com> 1.0.0.rc4-1

 -   Update runc package to 1.0.0.rc4.

 *   Tue Apr 25 2017 Vinay Kulkarni <kulkarniv@vmware.com> 0.1.1-1