beenull/moby
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

daemon: *: refactored container resource path generation

Browse source 
This patch is a preventative patch, it fixes possible future
vulnerabilities regarding unsantised paths. Due to several recent
vulnerabilities, wherein the docker daemon could be fooled into
accessing data from the host (rather than a container), this patch
was created to try and mitigate future possible vulnerabilities in
the same vein.

Docker-DCO-1.1-Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> (github: cyphar)
This commit is contained in:
cyphar 2014-05-12 06:49:46 +10:00
parent 79ca77f3e8
commit 0fb507dc23
2 changed files with 24 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

36
daemon/container.go
View file

@ -9,6 +9,7 @@ import (
"log"
"os"
"path"
"path/filepath"
"strings"
"sync"
"syscall"
@ -89,7 +90,7 @@ func (container *Container) Inject(file io.Reader, pth string) error {
defer container.Unmount()
// Return error if path exists
destPath := path.Join(container.basefs, pth)
destPath := container.getResourcePath(pth)
if _, err := os.Stat(destPath); err == nil {
// Since err is nil, the path could be stat'd and it exists
return fmt.Errorf("%s exists", pth)
@ -101,7 +102,7 @@ func (container *Container) Inject(file io.Reader, pth string) error {
}
// Make sure the directory exists
if err := os.MkdirAll(path.Join(container.basefs, path.Dir(pth)), 0755); err != nil {
if err := os.MkdirAll(container.getResourcePath(path.Dir(pth)), 0755); err != nil {
return err
}
@ -170,6 +171,16 @@ func (container *Container) WriteHostConfig() (err error) {
return ioutil.WriteFile(container.hostConfigPath(), data, 0666)
}
func (container *Container) getResourcePath(path string) string {
cleanPath := filepath.Join("/", path)
return filepath.Join(container.basefs, cleanPath)
}
func (container *Container) getRootResourcePath(path string) string {
cleanPath := filepath.Join("/", path)
return filepath.Join(container.root, cleanPath)
}
func populateCommand(c *Container, env []string) error {
var (
en *execdriver.Network
@ -344,7 +355,7 @@ func (container *Container) StderrLogPipe() io.ReadCloser {
}
func (container *Container) buildHostnameFile() error {
container.HostnamePath = path.Join(container.root, "hostname")
container.HostnamePath = container.getRootResourcePath("hostname")
if container.Config.Domainname != "" {
return ioutil.WriteFile(container.HostnamePath, []byte(fmt.Sprintf("%s.%s\n", container.Config.Hostname, container.Config.Domainname)), 0644)
}
@ -356,7 +367,7 @@ func (container *Container) buildHostnameAndHostsFiles(IP string) error {
return err
}
container.HostsPath = path.Join(container.root, "hosts")
container.HostsPath = container.getRootResourcePath("hosts")
extraContent := make(map[string]string)
@ -674,7 +685,7 @@ func (container *Container) Unmount() error {
}
func (container *Container) logPath(name string) string {
return path.Join(container.root, fmt.Sprintf("%s-%s.log", container.ID, name))
return container.getRootResourcePath(fmt.Sprintf("%s-%s.log", container.ID, name))
}
func (container *Container) ReadLog(name string) (io.Reader, error) {
@ -682,11 +693,11 @@ func (container *Container) ReadLog(name string) (io.Reader, error) {
}
func (container *Container) hostConfigPath() string {
return path.Join(container.root, "hostconfig.json")
return container.getRootResourcePath("hostconfig.json")
}
func (container *Container) jsonPath() string {
return path.Join(container.root, "config.json")
return container.getRootResourcePath("config.json")
}
// This method must be exported to be used from the lxc template
@ -748,10 +759,7 @@ func (container *Container) Copy(resource string) (io.ReadCloser, error) {
var filter []string
// Ensure path is local to container basefs
resource = path.Join("/", resource)
basePath := path.Join(container.basefs, resource)
basePath := container.getResourcePath(resource)
stat, err := os.Stat(basePath)
if err != nil {
container.Unmount()
@ -849,7 +857,7 @@ func (container *Container) setupContainerDns() error {
} else if len(daemon.config.DnsSearch) > 0 {
dnsSearch = daemon.config.DnsSearch
}
container.ResolvConfPath = path.Join(container.root, "resolv.conf")
container.ResolvConfPath = container.getRootResourcePath("resolv.conf")
return resolvconf.Build(container.ResolvConfPath, dns, dnsSearch)
} else {
container.ResolvConfPath = "/etc/resolv.conf"
@ -987,12 +995,12 @@ func (container *Container) setupWorkingDirectory() error {
if container.Config.WorkingDir != "" {
container.Config.WorkingDir = path.Clean(container.Config.WorkingDir)
pthInfo, err := os.Stat(path.Join(container.basefs, container.Config.WorkingDir))
pthInfo, err := os.Stat(container.getResourcePath(container.Config.WorkingDir))
if err != nil {
if !os.IsNotExist(err) {
return err
}
if err := os.MkdirAll(path.Join(container.basefs, container.Config.WorkingDir), 0755); err != nil {
if err := os.MkdirAll(container.getResourcePath(container.Config.WorkingDir), 0755); err != nil {
return err
}
}

4
daemon/volumes.go
View file

@ -94,11 +94,11 @@ func applyVolumesFrom(container *Container) error {
if _, exists := container.Volumes[volPath]; exists {
continue
}
stat, err := os.Stat(filepath.Join(c.basefs, volPath))
stat, err := os.Stat(c.getResourcePath(volPath))
if err != nil {
return err
}
if err := createIfNotExists(filepath.Join(container.basefs, volPath), stat.IsDir()); err != nil {
if err := createIfNotExists(container.getResourcePath(volPath), stat.IsDir()); err != nil {
return err
}
container.Volumes[volPath] = id