From: Filip Schauer
To: pve-devel@lists.proxmox.com
Date: Wed, 9 Jul 2025 14:34:27 +0200
Message-ID: <20250709123435.64796-11-f.schauer@proxmox.com>
In-Reply-To: <20250709123435.64796-1-f.schauer@proxmox.com>
Subject: [pve-devel] [PATCH lxcfs v3 10/13] lxc.mount.hook: override env variables from container config

This can still break `/bin/sh` if an OCI image injects a different `libc.so.6` with $LD_LIBRARY_PATH.
Signed-off-by: Filip Schauer
---
Arbitrary code execution is theoretically still possible with a specially crafted OCI image that provides a shared library and points $LD_LIBRARY_PATH to its parent directory. Although the code is confined to the container's namespace, it can still see the host file system. While this may not pose a significant security risk, it is nonetheless suboptimal. I am unsure about the best way to fully mitigate this.

Introduced in v3

 .../patches/reset-path-to-host-defaults.patch | 38 +++++++++++++++++++
 debian/patches/series                         |  1 +
 2 files changed, 39 insertions(+)
 create mode 100644 debian/patches/reset-path-to-host-defaults.patch

diff --git a/debian/patches/reset-path-to-host-defaults.patch b/debian/patches/reset-path-to-host-defaults.patch
new file mode 100644
index 0000000..12f150d
--- /dev/null
+++ b/debian/patches/reset-path-to-host-defaults.patch
@@ -0,0 +1,38 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Filip Schauer +Date: Mon, 23 Jun 2025 13:05:35 +0200 +Subject: [PATCH] lxc.mount.hook: override env variables from container + config + +Without this, if the container config specifies a custom PATH variable +via lxc.environment that omits /usr/bin or /bin, binaries like +`readlink` and `mount` may not be found, causing container startup to +fail. + +Fixes startup breakage with images like `ghcr.io/nixos/nix:latest`. + +This also mitigates arbitrary code execution during container startup +before pivot_root (albeit confined in its own namespace) with a +specially crafted OCI image providing a custom `readlink` or `mount` +binary and pointing the PATH variable to it. + +Signed-off-by: Filip Schauer +--- + share/lxc.mount.hook.in | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/share/lxc.mount.hook.in b/share/lxc.mount.hook.in +index 6fd13b0..a25a5ef 100755 +--- a/share/lxc.mount.hook.in ++++ b/share/lxc.mount.hook.in +@@ -11,6 +11,10 @@ do + shift + done + ++# Set the PATH variable in case it was modified by lxc.environment ++PATH=/usr/bin:/bin ++LD_LIBRARY_PATH= ++ + # We're dealing with mount entries, so expand any symlink + LXC_ROOTFS_MOUNT=$(readlink -f "${LXC_ROOTFS_MOUNT}") + diff --git a/debian/patches/series b/debian/patches/series index bf650b4..f3391c0 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ do-not-start-without-lxcfs.patch +reset-path-to-host-defaults.patch -- 2.47.2 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
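Review bot: in the `share/lxc.mount.hook.in` hunk, `LD_LIBRARY_PATH=` leaves the variable exported as an empty string when lxc.environment had exported it, and the other variables the dynamic loader honours (`LD_PRELOAD`, `LD_AUDIT`) are not reset at all, so a config setting one of them still influences the `readlink` and `mount` invocations that follow; `unset LD_LIBRARY_PATH LD_PRELOAD LD_AUDIT` plus an explicit `export PATH` would close that gap. The reset also runs only after `/bin/sh` itself has been loaded under the inherited environment, which is the residual risk the cover note already describes: only the commands the hook execs after these lines are protected, so a comment saying so would help the next reader.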
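As an added example (not code from the lxcfs patch or from the Proxmox project), a hook prologue in the spirit of the change above: it resets PATH to the host defaults, unsets every loader-controlled variable instead of assigning an empty string, and checks that the tools the hook execs resolve inside the host directories before they are used. Assumed: POSIX sh with coreutils in /usr/bin or /bin; the injected values at the bottom are constructed, not taken from any image.

```shell
# Added example, not part of the lxcfs patch. Assumes POSIX sh and
# coreutils installed in /usr/bin or /bin.

# Reset PATH to host defaults and drop every variable the dynamic loader
# honours. `unset` rather than `VAR=` so nothing stays exported as "".
sanitize_hook_env() {
    PATH=/usr/bin:/bin
    export PATH
    unset LD_LIBRARY_PATH LD_PRELOAD LD_AUDIT LD_DEBUG LD_DEBUG_OUTPUT
}

# Return 0 if the named tool resolves to /usr/bin/<tool> or /bin/<tool>,
# 1 if it is missing, is a builtin/function, or resolves somewhere else
# (for example a copy supplied by the mounted rootfs).
check_tool_path() {
    tool=$1
    resolved=$(command -v "$tool" 2>/dev/null) || return 1
    case $resolved in
        /usr/bin/"$tool"|/bin/"$tool") return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed stand-in for what an lxc.environment entry could inject,
# then the sanitization a hook would run before touching any binary.
PATH=/tmp/rootfs/bin:$PATH
LD_LIBRARY_PATH=/tmp/rootfs/lib
export LD_LIBRARY_PATH
sanitize_hook_env
for t in readlink mount; do
    check_tool_path "$t" || echo "hook prerequisite $t not in host dirs" >&2
done
```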