fix container escape vulnerability #583

Merged
merged 1 commit into from
Mar 6, 2024
45 changes: 17 additions & 28 deletions rasp/librasp/src/comm.rs
Expand Up @@ -6,6 +6,8 @@ use std::sync::atomic::{AtomicBool, Ordering};
use std::sync::{Arc, Weak};
use std::thread;
use std::time::Duration;
use std::fs::remove_file;
use std::os::unix::fs::{symlink};

use crossbeam::channel::{bounded, Receiver, SendError, Sender};
use libc::{kill, killpg, SIGKILL};
Expand Down Expand Up @@ -210,37 +212,24 @@ impl RASPComm for ThreadMode {
);
}
}
if self.using_mount {
if let Some(bind_dir) = std::path::Path::new(&self.bind_path.clone()).parent() {
let bind_dir_str = bind_dir.to_str().unwrap();
mount(pid, bind_dir_str, bind_dir_str)?
}
}
if let Some(linking_to) = self.linking_to.clone() {
match std::process::Command::new(settings::RASP_NS_ENTER_BIN())
.args([
"-t",
pid.to_string().as_str(),
"-m",
"-i",
"-n",
"-p",
"/bin/ln",
"-sf",
self.bind_path.as_str(),
linking_to.as_str(),
])
.output()
{
Ok(o) => {
info!("LN {} {:?} {:?}", o.status, o.stdout, o.stderr);
if let Some(link_to) = self.linking_to.clone() {
if self.using_mount {
if let Some(bind_dir) = std::path::Path::new(&self.bind_path.clone()).parent() {

if let Some(link_dir) = std::path::Path::new(&link_to).parent() {
let link_dir_str = link_dir.to_str().unwrap();
let bind_dir_str = bind_dir.to_str().unwrap();
mount(pid, bind_dir_str, link_dir_str)?
}
}
Err(e) => {
error!("LN can not run: {}", e);
return Err(anyhow!("link bind path failed: {}", e));
} else {
if std::path::Path::new(&link_to).exists() {
remove_file(link_to.as_str())?;
}
};
symlink(&self.bind_path.as_str(), link_to.as_str())?;
}
}

Ok(())
}
fn stop_comm(&mut self, _pid: i32, _mnt_namespace: &String) -> AnyhowResult<()> {
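Review bot: The non-mount branch (`exists()` → `remove_file` → `symlink` on `link_to`) now runs in the agent's own mount namespace, whereas the removed code performed the link inside the target's namespace via nsenter; if `link_to` still names a path inside the container's filesystem (I can't tell from the hunk), every parent component is container-controlled and resolved by a host process, so a symlink placed in a parent directory, or a race between the three calls, can redirect the unlink or the new link to an arbitrary host path — the closed hole was "/bin/ln resolved in the container", and the replacement must not reintroduce "path components resolved in the container". Independently, `Path::exists()` follows symlinks and reports false for a dangling one, so a stale dangling link at `link_to` is not removed and `symlink()` then fails with EEXIST; `if std::fs::symlink_metadata(&link_to).is_ok() { remove_file(link_to.as_str())?; }` covers that case. The two `to_str().unwrap()` calls in the mount branch panic on a non-UTF-8 path instead of returning through `AnyhowResult`; `.to_str().ok_or_else(|| anyhow!("non-utf8 path"))?` keeps it an error. The enclosing method's signature is above the hunk and is not visible here.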
10 changes: 6 additions & 4 deletions rasp/librasp/src/manager.rs
Expand Up @@ -249,7 +249,7 @@ impl RASPManager {
}

let valid_messages_string = serde_json::to_string(&valid_messages)?;
self.write_message_to_config_file(pid, nspid, valid_messages_string)?;
//self.write_message_to_config_file(pid, nspid, valid_messages_string)?;

Ok(())
}
Expand Down Expand Up @@ -315,7 +315,7 @@ impl RASPManager {
let pid = process_info.pid;
let nspid = ProcessInfo::read_nspid(pid)?.ok_or(anyhow!("can not read nspid: {}", pid))?;
// delete config
self.delete_config_file(pid, nspid)?;
// self.delete_config_file(pid, nspid)?;
let attach_result = match runtime_info.name {
"JVM" => match JVMProbeState::inspect_process(process_info)? {
ProbeState::Attached => {
Expand Down Expand Up @@ -745,6 +745,7 @@ impl MntNamespaceTracer {
}

impl RASPManager {
/*
pub fn write_message_to_config_file(
&self,
pid: i32,
Expand All @@ -770,7 +771,6 @@ impl RASPManager {
.as_str(),
]),
)?;
/*
let ns_thread = thread::Builder::new().spawn(move || -> AnyhowResult<()> {
debug!("switch namespace");
libraspserver::ns::switch_namespace(pid);
Expand All @@ -784,9 +784,10 @@ impl RASPManager {
Ok(())
}).unwrap();
ns_thread.join()?;
*/

Ok(())
}

pub fn delete_config_file(&self, pid: i32, nspid: i32) -> AnyhowResult<()> {
let config_path = format!("/var/run/elkeid_rasp/{}.json", nspid);
if Path::new(&config_path).exists() {
Expand All @@ -803,6 +804,7 @@ impl RASPManager {
}
Ok(())
}
*/
}

fn read_dir<P>(path: P) -> AnyhowResult<Vec<fs::DirEntry>>
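Review bot: Commenting out the calls to `write_message_to_config_file` and `delete_config_file` makes probe-config delivery a silent no-op: the caller still serializes `valid_messages`, still reads `nspid`, and still returns `Ok(())`, so nothing upstream can tell the configuration was dropped. At minimum log it, e.g. `warn!("config file delivery disabled, dropping {} message(s)", valid_messages.len());`, or return an explicit error if the probe cannot function without the config (which of those applies is not visible here); the now-unused `valid_messages_string` and `nspid` bindings will also trigger `unused_variables` warnings. The disabled body still builds an external command's argument list (the `.as_str(), ])` tail is visible), presumably the same nsenter pattern removed from comm.rs, so re-enabling it later would reopen the same class of hole; deleting the dead code, or gating it behind a `cfg(feature = "...")`, is safer than a block comment. Note too that with `delete_config_file` disabled, any `/var/run/elkeid_rasp/<nspid>.json` left by an earlier agent version is no longer cleaned up on detach.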