Add containerenv information to /run/.containerenv #8476
Conversation
openshift-ci-robot
added
the
approved
| containerenv := fmt.Sprintf(`\ | ||
| engine="podman-%s" | ||
| name=%q | ||
| id=%q |
There was a problem hiding this comment.
Exposing ID by default might be potentially dangerous. Could this be optional?
There was a problem hiding this comment.
Please explain how container ID is risky?
We can add something to containers.conf to disable this, but I am not sure it is worth the effort.
There was a problem hiding this comment.
An attacker might want to know the container ID to determine the path of the attacker-crafted malicious file in the container rootfs.
Such path would be useful for the attacker when the attacker somehow managed to gain write access to e.g. /sys/kernel/uevent_helper.
|
I'm a little iffy about exposing full version numbers. Usual practice for
hardening is to disable that wherever possible to make it harder to
identify if your instance is affected by vulnerabilities. Full image ID
also has the same issue. I would not do those by default.
Also, I think your leading \ in the string you write to the file is
unnecessary.
…On Wed, Nov 25, 2020, 09:05 Akihiro Suda ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In libpod/container_internal_linux.go
<#8476 (comment)>:
> // Empty string for now, but we may consider populating this later
- containerenvPath, err := c.writeStringToRundir(".containerenv", "")
+ // Populate the .containerenv with container information
+ containerenv := fmt.Sprintf(`\
+engine="podman-%s"
+name=%q
+id=%q
Exposing ID by default might be potentially dangerous. Could this be
optional?
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#8476 (review)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AB3AOCHEVE2EQA2GPH4N4X3SRUFK3ANCNFSM4UCI5TNA>
.
|
|
I am not crazy about security by obscurity. It is likely pretty easier for the processes within a container to figure out if the system is vulnerable. Doing a checksum of a couple of executables makes it easy to figure out if you are vulnerable. |
rhatdan
force-pushed
the
containerenv
branch
from
43c2412 to
9178ca9
Compare
As long as images have the package (eg., RPM) database, then one can just do |
|
@debarshiray You want these fields for logging, and better reporting to the user, what is going on, correct? |
|
Couple nits in docs. Once that and the security question is solved, LGTM. |
Yes, correct. eg., there is an interest to customize the shell prompt and such things to indicate which container and/or image is in play. |
rhatdan
force-pushed
the
containerenv
branch
8 times, most recently
from
66ddb97 to
af8e491
Compare
|
/hold |
openshift-ci-robot
added
the
do-not-merge/hold
rhatdan
force-pushed
the
containerenv
branch
3 times, most recently
from
bfd07b2 to
26d1bdc
Compare
We have been asked to leak some information into the container to indicate: * The name and id of the container * The version of podman used to launch the container * The image name and ID the container is based on. * Whether the container engine is running in rootless mode. Fixes: containers#6192 Signed-off-by: Daniel J Walsh <[email protected]>
|
/hold cancel |
openshift-ci-robot
removed
the
do-not-merge/hold
|
@containers/podman-maintainers PTAL |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: AkihiroSuda, rhatdan The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
LGTM |
|
/lgtm |
github-actions
bot
added
the
locked - please file new issue/PR
We have been asked to leak some information into the container
to indicate:
Fixes: #6192
Signed-off-by: Daniel J Walsh [email protected]