|
|
|
|
|
|
by uvuv
2409 days ago
|
|
|
Hi, OP here.
You're correct on the symlink point, they're the reason chrooting is needed, as they caused several vulnerabilities in Docker and Podman cp in the past. The good news is that there is a new syscall designed to solve that exact problem, openat2(), which you'll be able use to restrict path resolution when opening files (https://lwn.net/Articles/796868/). It will make helper processes and chrooting to the container redundant. Running helper processes entirely in the container is actually quite problematic, since they will be visible to proceses in the container that could try to affect their output. This solution though is used in Kubernetes, and it resulted in 4 vulnerabilities in the last year. Ariel Zelivansky and I just gave a talk on the security of the cp command in KubeCon, you can check out the slides here (https://kccncna19.sched.com/event/d229f00f143036f7c488144e60...) for more information. As for the fix, I'm pretty sure newer Golang versions stopped dynamiclly loading libraries at runtime, which is nice. I Should have included that in the post but forgot. |
|
|
Regardless, openat2 looks like a much better solution. I hope it's backported to LTS distros so I can start relying on it before 2035...