From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <f.gruenbichler@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id B26C09282E
 for <pve-devel@lists.proxmox.com>; Tue, 13 Sep 2022 09:38:09 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id A06A01E5D1
 for <pve-devel@lists.proxmox.com>; Tue, 13 Sep 2022 09:37:39 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [94.136.29.106])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS
 for <pve-devel@lists.proxmox.com>; Tue, 13 Sep 2022 09:37:38 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 8246C437A8
 for <pve-devel@lists.proxmox.com>; Tue, 13 Sep 2022 09:37:38 +0200 (CEST)
Date: Tue, 13 Sep 2022 09:37:29 +0200
From: Fabian =?iso-8859-1?q?Gr=FCnbichler?= <f.gruenbichler@proxmox.com>
To: Leo Nunner <l.nunner@proxmox.com>, Proxmox VE development discussion
 <pve-devel@lists.proxmox.com>, Thomas Lamprecht <t.lamprecht@proxmox.com>
References: <20220912122539.85794-1-l.nunner@proxmox.com>
 <1662985982.t6rahmo5l4.astroid@nora.none>
 <49d3280a-3144-1411-3911-1f2138476116@proxmox.com>
In-Reply-To: <49d3280a-3144-1411-3911-1f2138476116@proxmox.com>
MIME-Version: 1.0
User-Agent: astroid/0.15.0 (https://github.com/astroidmail/astroid)
Message-Id: <1663054348.eenwetkj80.astroid@nora.none>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.160 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
 T_SCC_BODY_TEXT_LINE    -0.01 -
Subject: Re: [pve-devel] [PATCH v2 container] fix #4192: revamp check for
 systemd version
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Tue, 13 Sep 2022 07:38:09 -0000

On September 12, 2022 4:01 pm, Thomas Lamprecht wrote:
> Am 12/09/2022 um 14:41 schrieb Fabian Gr=C3=BCnbichler:
>>> Instead of iterating through several folders, it might just be easier t=
o
>>> check the ldd output of /sbin/init and getting the version from there.
>>> Furthermore, the regex for checking the version has been adapted so tha=
t
>>> it's more precise.
>> ldd is not suited for this purpose for security reasons, since /sbin/ini=
t=20
>> is a user/attacker-controlled binary in this case and we are only in a=20
>> chroot while doing the setup, not really containerized. given a crafted=20
>> container template/backup archive/.. this could execute arbitrary code.
>>=20
>> it's manpage suggests using
>>=20
>>  objdump -p /path/to/binary
>>=20
>> and looking at the lines with "NEEDED", which seems to me should be fine=
=20
>> for what we want to achieve here =F0=9F=98=84
>>=20
>=20
> tbf, I suggested using something like ldd here, but I mostly meant if we =
actually
> need to further extend this than simply checking three instead of two pat=
hs.
>=20
> But I actually like the much shorter code, so from that POV it could be a=
 nicer
> option, but it makes us dependent on actually executing code from the CT =
archive,
> which also assumes the availability of something like ldd or objdump, whi=
ch may
> not be the case in all templates?

yeah, objdump from the host would need to be used (else we'd be back to=20
square one and execute code from the container template/backup=20
archive/.. without adequate protection). probably needs additional=20
safeguards like resolving /sbin/init from the system with checks to=20
prevent escape from the container /.

> Two small nits w.r.t. to the v2 still inline.
>=20
> Am 12/09/2022 um 14:25 schrieb Leo Nunner:
>> +    my $version =3D undef;
>> +    PVE::Tools::run_command(
>> +	[
>> +	    'ldd',
>> +	    '/sbin/init'
>> +	],
>=20
> you can put the array ref in one line, e.g., with Fabian relayed manpage
> suggestion it'd be fine to do:
>=20
>     [ 'objdump', '-p', '/sbin/init' ],

see above ;) the whole thing would need to be revamped to no longer=20
happen in "protected_call" context, but instead in host context without=20
chroot, except for the symlink resolve part. at that point it might not=20
be nicer anymoe than the original approach of checking a few paths,=20
although it would have the benefit of being much more future-proof=20
w.r.t. distros/upstream/.. deciding on new funny places to put that=20
library ;)

>> +	outfunc =3D> sub {
>> +	    my $line =3D shift;
>> +	    if ($line =3D~ /^\s*libsystemd-shared-(\d+)(?:\.[a-zA-Z0-9]*)?\.so=
/) {
>> +		$version =3D $1;
>> +	    }},
>> +	errmsg =3D> "ldd on /sbin/init failed"
>=20
> above is missing a trailing comma, which would ensure that any possible a=
ddition of an
> option in the future won't need to touch an unrelated line.
>=20
>> +    );
>> +
>> +    return $version;
>>  }
>=20
>=20