From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: Re: [pve-devel] [PATCH v2 container] fix #4192: revamp check for systemd version
Date: Mon, 12 Sep 2022 14:41:55 +0200
Message-ID: <1662985982.t6rahmo5l4.astroid@nora.none>
In-Reply-To: <20220912122539.85794-1-l.nunner@proxmox.com>

On September 12, 2022 2:25 pm, Leo Nunner wrote:
> Instead of iterating through several folders, it might just be easier to
> check the ldd output of /sbin/init and getting the version from there.
> Furthermore, the regex for checking the version has been adapted so that
> it's more precise.

ldd is not suited for this purpose for security reasons, since /sbin/init 
is a user/attacker-controlled binary in this case and we are only in a 
chroot while doing the setup, not really containerized. given a crafted 
container template/backup archive/.. this could execute arbitrary code.

its manpage suggests using

 objdump -p /path/to/binary

and looking at the lines with "NEEDED", which seems to me like it should be 
fine for what we want to achieve here :)

> 
> Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
> ---
> This solution does actually feel cleaner than manually checking all the folders
> every time.
> 
>  src/PVE/LXC/Setup/Base.pm | 27 +++++++++++++++++----------
>  1 file changed, 17 insertions(+), 10 deletions(-)
> 
> diff --git a/src/PVE/LXC/Setup/Base.pm b/src/PVE/LXC/Setup/Base.pm
> index cc12914..44b88d9 100644
> --- a/src/PVE/LXC/Setup/Base.pm
> +++ b/src/PVE/LXC/Setup/Base.pm
> @@ -514,19 +514,26 @@ sub clear_machine_id {
>      }
>  }
>  
> -# tries to guess the systemd (major) version based on the existence of
> -# (/usr)?/lib/systemd/libsystemd-shared<version>.so. It was introduced in v231.
> +# tries to guess the systemd (major) version based on the
> +# libsystemd-shared<version>.so linked with /sbin/init
>  sub get_systemd_version {
>      my ($self) = @_;
>  
> -    my $sd_lib_dir = $self->ct_is_directory("/lib/systemd") ?
> -	"/lib/systemd" : "/usr/lib/systemd";
> -    my $libsd = PVE::Tools::dir_glob_regex($sd_lib_dir, "libsystemd-shared-.+\.so");
> -    if (defined($libsd) && $libsd =~ /libsystemd-shared-(\d+)(?:\..*)?\.so/) {
> -	return $1;
> -    }
> -
> -    return undef;
> +    my $version = undef;
> +    PVE::Tools::run_command(
> +	[
> +	    'ldd',
> +	    '/sbin/init'
> +	],
> +	outfunc => sub {
> +	    my $line = shift;
> +	    if ($line =~ /^\s*libsystemd-shared-(\d+)(?:\.[a-zA-Z0-9]*)?\.so/) {
> +		$version = $1;
> +	    }},
> +	errmsg => "ldd on /sbin/init failed"
> +    );
> +
> +    return $version;
>  }
>  
>  sub unified_cgroupv2_support {
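Review bot: the new body of `get_systemd_version` changes the behaviour for containers that have no systemd at all. `PVE::Tools::run_command` dies on a non-zero exit status unless `noerr => 1` is passed, and `ldd` exits non-zero (printing "not a dynamic executable") when `/sbin/init` is a static binary, as it is with a busybox-style init; the removed code returned `undef` in that case, so callers that treat `undef` as "no systemd" would now see the setup abort with `ldd on /sbin/init failed`. Suggest passing `noerr => 1` (or wrapping the call in `eval`) so the `return $version;` fallback to `undef` is actually reachable. Independently of the `ldd`-executes-the-target concern raised in the reply, the replacement regex also tightens the optional suffix from `(?:\..*)?` to `(?:\.[a-zA-Z0-9]*)?`, which no longer admits a `-` in the suffix, so a library name of the form `libsystemd-shared-249.11-0ubuntu3.so` (as shipped by Ubuntu) would stop matching and silently yield `undef`.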
> -- 
> 2.30.2
> 
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> 
> 
> 
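The `objdump -p` approach from the reply, written out as an added shell example (not code from the patch, from the reply, or from pve-container): the parser reads the `NEEDED` entries that `objdump -p` prints and takes the leading digits of the `libsystemd-shared-<version>.so` entry, so the container's `/sbin/init` is only read as an ELF file and never executed. The wrapper assumes `objdump` is installed on the host and takes a hypothetical mounted-rootfs path as its parameter; the three sample outputs are constructed to resemble a Debian init, an Ubuntu init whose library name carries a package revision, and a static init with no dynamic section.

```shell
#!/bin/sh
# Added example, not code from the patch or from pve-container: read the
# systemd major version from the NEEDED entries that `objdump -p` prints,
# instead of running `ldd` on the container's /sbin/init.
#
# Parse `objdump -p` output from stdin and print the major version found in
# a NEEDED entry of the form libsystemd-shared-<version>.so; print nothing
# (and still succeed) when no such entry exists, which is the "no systemd" case.
systemd_version_from_objdump() {
    awk '
        $1 == "NEEDED" && $2 ~ /^libsystemd-shared-[0-9]+.*\.so$/ {
            v = $2
            sub(/^libsystemd-shared-/, "", v)   # strip the prefix
            sub(/[^0-9].*$/, "", v)            # keep the leading digits only
            print v
            exit                               # first match wins
        }'
}

# Convenience wrapper for a mounted container root ($1 is an assumed
# parameter). objdump only parses the ELF headers, so the container binary is
# never executed; a missing or non-ELF file simply yields no output.
systemd_version_of_init() {
    objdump -p "$1/sbin/init" 2>/dev/null | systemd_version_from_objdump
}

# Constructed sample outputs, shaped like `objdump -p` on three kinds of init.
SAMPLE_DEBIAN='/sbin/init:     file format elf64-x86-64

Dynamic Section:
  NEEDED               libsystemd-shared-251.so
  NEEDED               libc.so.6
  RUNPATH              /usr/lib/systemd'

SAMPLE_UBUNTU='Dynamic Section:
  NEEDED               libsystemd-shared-249.11-0ubuntu3.so
  NEEDED               libc.so.6'

SAMPLE_STATIC='/sbin/init:     file format elf64-x86-64'

version_debian() { printf '%s\n' "$SAMPLE_DEBIAN" | systemd_version_from_objdump; }
version_ubuntu() { printf '%s\n' "$SAMPLE_UBUNTU" | systemd_version_from_objdump; }
version_static() { printf '%s\n' "$SAMPLE_STATIC" | systemd_version_from_objdump; }

printf 'debian: %s\nubuntu: %s\nstatic: "%s"\n' \
    "$(version_debian)" "$(version_ubuntu)" "$(version_static)"
```

Taking only the leading digits keeps distro-specific suffixes (the Ubuntu `.11-0ubuntu3` revision) from breaking the match, and an empty result rather than a failure is what a caller wants for a container without systemd.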




Thread overview: 4+ messages
2022-09-12 12:25 Leo Nunner
2022-09-12 12:41 ` Fabian Grünbichler [this message]
2022-09-12 14:01   ` Thomas Lamprecht
2022-09-13  7:37     ` Fabian Grünbichler