Merge pull request #583 from bytedance/fix-vuln
fix container escape vulnerability
yoloyyh authored Mar 6, 2024
2 parents 3b9a757 + e4a9219 commit d341fad
Showing 2 changed files with 23 additions and 32 deletions.
45 changes: 17 additions & 28 deletions rasp/librasp/src/comm.rs
Expand Up @@ -6,6 +6,8 @@ use std::sync::atomic::{AtomicBool, Ordering};
use std::sync::{Arc, Weak};
use std::thread;
use std::time::Duration;
use std::fs::remove_file;
use std::os::unix::fs::{symlink};

use crossbeam::channel::{bounded, Receiver, SendError, Sender};
use libc::{kill, killpg, SIGKILL};
Expand Down Expand Up @@ -210,37 +212,24 @@ impl RASPComm for ThreadMode {
);
}
}
if self.using_mount {
if let Some(bind_dir) = std::path::Path::new(&self.bind_path.clone()).parent() {
let bind_dir_str = bind_dir.to_str().unwrap();
mount(pid, bind_dir_str, bind_dir_str)?
}
}
if let Some(linking_to) = self.linking_to.clone() {
match std::process::Command::new(settings::RASP_NS_ENTER_BIN())
.args([
"-t",
pid.to_string().as_str(),
"-m",
"-i",
"-n",
"-p",
"/bin/ln",
"-sf",
self.bind_path.as_str(),
linking_to.as_str(),
])
.output()
{
Ok(o) => {
info!("LN {} {:?} {:?}", o.status, o.stdout, o.stderr);
if let Some(link_to) = self.linking_to.clone() {
if self.using_mount {
if let Some(bind_dir) = std::path::Path::new(&self.bind_path.clone()).parent() {

if let Some(link_dir) = std::path::Path::new(&link_to).parent() {
let link_dir_str = link_dir.to_str().unwrap();
let bind_dir_str = bind_dir.to_str().unwrap();
mount(pid, bind_dir_str, link_dir_str)?
}
}
Err(e) => {
error!("LN can not run: {}", e);
return Err(anyhow!("link bind path failed: {}", e));
} else {
if std::path::Path::new(&link_to).exists() {
remove_file(link_to.as_str())?;
}
};
symlink(&self.bind_path.as_str(), link_to.as_str())?;
}
}

Ok(())
}
fn stop_comm(&mut self, _pid: i32, _mnt_namespace: &String) -> AnyhowResult<()> {
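Review bot: In the new `using_mount` branch the function returns `Ok(())` without establishing any link when either `Path::parent()` call yields `None` (a bare or root `bind_path`/`link_to`), because both `if let` guards simply fall through, and the caller then proceeds as if the communication path existed. Turn those guards into errors, e.g. `let bind_dir = std::path::Path::new(&self.bind_path).parent().ok_or_else(|| anyhow!("bind path has no parent: {}", self.bind_path))?;` and the same for `link_to`, and replace the two `to_str().unwrap()` panics on non-UTF-8 paths with the same `ok_or_else` shape. In the `else` branch, `exists()` followed by `remove_file` is a check-then-act pair; calling `remove_file` unconditionally and ignoring only `std::io::ErrorKind::NotFound` (`Err(e) if e.kind() != std::io::ErrorKind::NotFound => return Err(e.into())`) removes the window, and `&self.bind_path.as_str()` carries a redundant `&`. The enclosing function starts outside the hunk, so whether the mounted directory actually exposes the socket under the name the peer expects cannot be verified here; a one-line comment stating that `bind_path` and `link_to` must share a file name when `using_mount` is set would help the next reader.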
10 changes: 6 additions & 4 deletions rasp/librasp/src/manager.rs
Expand Up @@ -249,7 +249,7 @@ impl RASPManager {
}

let valid_messages_string = serde_json::to_string(&valid_messages)?;
self.write_message_to_config_file(pid, nspid, valid_messages_string)?;
//self.write_message_to_config_file(pid, nspid, valid_messages_string)?;

Ok(())
}
Expand Down Expand Up @@ -315,7 +315,7 @@ impl RASPManager {
let pid = process_info.pid;
let nspid = ProcessInfo::read_nspid(pid)?.ok_or(anyhow!("can not read nspid: {}", pid))?;
// delete config
self.delete_config_file(pid, nspid)?;
// self.delete_config_file(pid, nspid)?;
let attach_result = match runtime_info.name {
"JVM" => match JVMProbeState::inspect_process(process_info)? {
ProbeState::Attached => {
Expand Down Expand Up @@ -745,6 +745,7 @@ impl MntNamespaceTracer {
}

impl RASPManager {
/*
pub fn write_message_to_config_file(
&self,
pid: i32,
Expand All @@ -770,7 +771,6 @@ impl RASPManager {
.as_str(),
]),
)?;
/*
let ns_thread = thread::Builder::new().spawn(move || -> AnyhowResult<()> {
debug!("switch namespace");
libraspserver::ns::switch_namespace(pid);
Expand All @@ -784,9 +784,10 @@ impl RASPManager {
Ok(())
}).unwrap();
ns_thread.join()?;
*/
Ok(())
}
pub fn delete_config_file(&self, pid: i32, nspid: i32) -> AnyhowResult<()> {
let config_path = format!("/var/run/elkeid_rasp/{}.json", nspid);
if Path::new(&config_path).exists() {
Expand All @@ -803,6 +804,7 @@ impl RASPManager {
}
Ok(())
}
*/
}

fn read_dir<P>(path: P) -> AnyhowResult<Vec<fs::DirEntry>>
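Review bot: In the first hunk `valid_messages_string` is still built by `serde_json::to_string(&valid_messages)?` and then never read, since its only consumer is the now commented-out `write_message_to_config_file` call on the next line; the serialization still runs and its `?` can still fail the function for a value that is discarded, so drop both lines together (the enclosing function starts outside the hunk). The same applies to the commented-out `delete_config_file` call in the second hunk, where `nspid` is still computed with a fallible `ProcessInfo::read_nspid(pid)?` — if nothing below the hunk reads it, that lookup should go as well, which I cannot confirm from here. Wrapping `write_message_to_config_file` and `delete_config_file` in `/* … */` rather than deleting them leaves dead code in the file that version control already preserves; removing the two functions outright is cleaner and avoids someone re-enabling the config-file path without the context of this fix.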
