Comments (3)
Looks like there need to be more file descriptors marked as O_CLOEXEC (I would suggest that you make it the default).
from crun.
PoC using /sys/module/apparmor/parameters/enabled on Ubuntu 18.04 with crun:

```sh
mkdir -p rootfs/sys/module/apparmor/parameters
echo N > rootfs/sys/module/apparmor/parameters/enabled
cat <<EOF > Dockerfile
FROM busybox
ADD rootfs /
VOLUME /sys/module
EOF
docker build -t poc .
docker run --runtime=crun --security-opt "apparmor=docker-default" -it busybox
# container runs unconfined
```
from crun.
Yeah, there is a function to mark all fds as O_CLOEXEC, but it runs too late. It needs to run before the pivot_root. In addition to that, I'll check what fds are leaked and already open them with O_CLOEXEC.
from crun.
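The mitigation the maintainer describes, as an added example in C that is not crun's code: walk /proc/self/fd, set FD_CLOEXEC on every descriptor from min_fd upward, and count the ones that would still survive the exec into the container. The function names and the Linux-only /proc walk are my assumptions.

```c
/* Added example, not crun's code: mark inherited fds close-on-exec and check none leak. Linux only. */
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdlib.h>

/* Run fn on every open fd >= min_fd except the scan's own directory fd.
 * fn returns 0 or 1; the sum is returned, or -1 if /proc/self/fd is unavailable. */
static int for_each_fd(int min_fd, int (*fn)(int))
{
    DIR *dir = opendir("/proc/self/fd");
    if (dir == NULL)
        return -1;
    int self = dirfd(dir), hits = 0;
    for (struct dirent *ent; (ent = readdir(dir)) != NULL;) {
        int fd = atoi(ent->d_name);          /* "." and ".." parse as 0 */
        if (ent->d_name[0] == '.' || fd < min_fd || fd == self)
            continue;
        hits += fn(fd);
    }
    closedir(dir);
    return hits;
}

/* 1 if fd lacks FD_CLOEXEC and would survive execve() into the container. */
static int is_leaky(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return (flags >= 0 && (flags & FD_CLOEXEC)) ? 0 : 1;
}

/* Set FD_CLOEXEC, keeping the other descriptor flags; 1 if fcntl failed. */
static int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0) ? 1 : 0;
}

/* Number of fds >= min_fd that would leak across exec (-1 on error). */
int count_leaky_fds(int min_fd)
{
    return for_each_fd(min_fd, is_leaky);
}

/* Mark every fd >= min_fd close-on-exec; 0 on success, -1 otherwise.
 * The fix discussed above would call this before pivot_root; min_fd = 3 leaves stdio alone. */
int mark_all_fds_cloexec(int min_fd)
{
    return for_each_fd(min_fd, set_cloexec) == 0 ? 0 : -1;
}
```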