Resolve symlinks in cp #3214
Resolve symlinks in cp #3214
Conversation
openshift-ci-robot
added
approved
mheon
force-pushed
the
resolve_symlinks_in_cp
branch
from
dc13dfc to
259224c
Compare
|
That looks very painless 👍 Changes LGTM but I'd love to have some tests for #3211. |
|
LGTM |
|
lgtm, test would be nth |
|
Added a test |
mheon
force-pushed
the
resolve_symlinks_in_cp
branch
from
c436e03 to
c959e14
Compare
|
/lgtm |
|
/hold |
openshift-ci-robot
added
the
do-not-merge/hold
mheon
force-pushed
the
resolve_symlinks_in_cp
branch
from
c959e14 to
ea7739f
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mheon The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Update: fix here is still vulnerable to races. I need to move copy code inside libpod to avoid them (so we can grab the container lock while copying) |
|
Alright, I think this is "good enough" for a release. There's further work to be done, but that will require a much larger refactor. |
|
/lgtm |
openshift-ci-robot
added
lgtm
|
Hm. Rootless containers don't have CGroups, so we can't pause them. As such, we can't really mitigate for them... Hm. |
|
With any luck, tests will go green now. |
Securejoin ensures that paths are resolved in the container, not on the host. Fixes containers#3211 Signed-off-by: Matthew Heon <[email protected]>
Should fix CVE-2018-15664 for Podman. Signed-off-by: Matthew Heon <[email protected]>
Signed-off-by: Matthew Heon <[email protected]>
Signed-off-by: Matthew Heon <[email protected]>
Signed-off-by: Matthew Heon <[email protected]>
Signed-off-by: Matthew Heon <[email protected]>
Rootless containers can't be paused (no CGroups, so no freezer). We could try and emulate this with a SIGSTOP to all PIDs in the container, but that's inherently racy, so let's avoid it for now. Signed-off-by: Matthew Heon <[email protected]>
|
@mheon How about we fail and say you can not copy on a running container when in rootless mode? |
We can't pause them, so if that's requested, throw an error. Signed-off-by: Matthew Heon <[email protected]>
mheon
force-pushed
the
resolve_symlinks_in_cp
branch
from
c1291b3 to
57d4093
Compare
|
Good idea - pushed another commit. We now error on trying to copy into running rootless container with You can still do this with |
Signed-off-by: Matthew Heon <[email protected]>
|
/lgtm |
|
/hold cancel |
openshift-ci-robot
removed
the
do-not-merge/hold
|
CVE-2019-10152 has been assigned for this issue: |
|
What about the problems outlined in moby/moby#39252 (comment) ? It seems docker is not going to pause containers, for what I understand, because it is a breaking change (e.g. copying big files may stop the process for too long and breaking network connections). Is podman affected by the same issue? |
| } else if err == nil { | ||
| // Only add the defer if we actually paused | ||
| defer func() { | ||
| if err := ctr.Unpause(); err != nil { |
There was a problem hiding this comment.
is it possible that two processes are cp'ing at the same time and one of them unpause the container while the other process is still resolving the symlinks?
There was a problem hiding this comment.
Yep. That's part of why I was looking to move cp into the container.
|
@ret2libc Hm. We should be able to grab that - it's definitely a more elegant solution than this. We'll keep this in for now, but I'll avoid cutting a release with it until we verify if we can swap to the alternative fix - in which case we can revert this. |
|
Yes I like the Moby Solution better, and we need to back port that ASAP as soon as it is merged. |
github-actions
bot
added
the
locked - please file new issue/PR
Fixes CVE-2018-15664 and #3211
Still needs manpage updates, bash completion updates, and a test