From d183654ec1a2cd1149bdb92601ccb7246bddb14e Mon Sep 17 00:00:00 2001

From: Christian Brauner <christian.brauner@ubuntu.com>

Date: Wed, 25 Jul 2018 19:56:54 +0200

Subject: [PATCH] CVE 2018-6556: verify netns fd in lxc-user-nic

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

---

 src/lxc/lxc_user_nic.c | 35 ++++++++++++++++++++++++++++++++---

 src/lxc/utils.c        | 12 ++++++++++++

 src/lxc/utils.h        |  5 +++++

 3 files changed, 49 insertions(+), 3 deletions(-)

ADDENDUM from vdupras@gentoo.org: Original patch from Christian didn't

include LXC_PROC_PID_FD_LEN define, but referenced it. This resulted in

code that doesn't compile. I fetched the definition from the stable-3.0

branch and included it to this patch. Also, this diff is regenerated

from lxc-2.1.1 tag instead of stable-2.0 branch.

diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c

index 6f550f0d..09a342ac 100644

--- a/src/lxc/lxc_user_nic.c

+++ b/src/lxc/lxc_user_nic.c

@@ -1124,12 +1124,41 @@ int main(int argc, char *argv[])

 			exit(EXIT_FAILURE);

 		}

 	} else if (request == LXC_USERNIC_DELETE) {

-		netns_fd = open(args.pid, O_RDONLY);

+		char opath[LXC_PROC_PID_FD_LEN];

+

+		/* Open the path with O_PATH which will not trigger an actual

+		 * open(). Don't report an errno to the caller to not leak

+		 * information whether the path exists or not.

+		 * When stracing setuid is stripped so this is not a concern

+		 * either.

+		 */

+		netns_fd = open(args.pid, O_PATH | O_CLOEXEC);

 		if (netns_fd < 0) {

-			usernic_error("Could not open \"%s\": %s\n", args.pid,

-				      strerror(errno));

+			usernic_error("Failed to open \"%s\"\n", args.pid);

 			exit(EXIT_FAILURE);

 		}

+

+		if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) {

+			usernic_error("Path \"%s\" does not refer to a network namespace path\n", args.pid);

+			close(netns_fd);

+			exit(EXIT_FAILURE);

+		}

+

+		ret = snprintf(opath, sizeof(opath), "/proc/self/fd/%d", netns_fd);

+		if (ret < 0 || (size_t)ret >= sizeof(opath)) {

+			close(netns_fd);

+			exit(EXIT_FAILURE);

+		}

+

+		/* Now get an fd that we can use in setns() calls. */

+		ret = open(opath, O_RDONLY | O_CLOEXEC);

+		if (ret < 0) {

+			usernic_error("Failed to open \"%s\": %s\n", args.pid, strerror(errno));

+			close(netns_fd);

+			exit(EXIT_FAILURE);

+		}

+		close(netns_fd);

+		netns_fd = ret;

 	}

 	if (!create_db_dir(LXC_USERNIC_DB)) {

diff --git a/src/lxc/utils.c b/src/lxc/utils.c

index e6a44a51..c2a08a9d 100644

--- a/src/lxc/utils.c

+++ b/src/lxc/utils.c

@@ -2380,6 +2380,18 @@ bool has_fs_type(const char *path, fs_type_magic magic_val)

 	return has_type;

 }

+bool fhas_fs_type(int fd, fs_type_magic magic_val)

+{

+	int ret;

+	struct statfs sb;

+

+	ret = fstatfs(fd, &sb);

+	if (ret < 0)

+		return false;

+

+	return is_fs_type(&sb, magic_val);

+}

+

 bool lxc_nic_exists(char *nic)

 {

 #define __LXC_SYS_CLASS_NET_LEN 15 + IFNAMSIZ + 1

diff --git a/src/lxc/utils.h b/src/lxc/utils.h

index e83ed49e..06ec74d7 100644

--- a/src/lxc/utils.h

+++ b/src/lxc/utils.h

@@ -46,11 +46,16 @@

 #define __S_ISTYPE(mode, mask) (((mode)&S_IFMT) == (mask))

 #endif

+#ifndef NSFS_MAGIC

+#define NSFS_MAGIC 0x6e736673

+#endif

+

 /* Useful macros */

 /* Maximum number for 64 bit integer is a string with 21 digits: 2^64 - 1 = 21 */

 #define LXC_NUMSTRLEN64 21

 #define LXC_LINELEN 4096

 #define LXC_IDMAPLEN 4096

+#define LXC_PROC_PID_FD_LEN (6 + LXC_NUMSTRLEN64 + 4 + LXC_NUMSTRLEN64 + 1)

 /* returns 1 on success, 0 if there were any failures */

 extern int lxc_rmdir_onedev(char *path, const char *exclude);

@@ -402,6 +407,7 @@ extern void *must_realloc(void *orig, size_t sz);

 /* __typeof__ should be safe to use with all compilers. */

 typedef __typeof__(((struct statfs *)NULL)->f_type) fs_type_magic;

 extern bool has_fs_type(const char *path, fs_type_magic magic_val);

+extern bool fhas_fs_type(int fd, fs_type_magic magic_val);

 extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val);

 extern bool lxc_nic_exists(char *nic);

From f2314625c5702cfd25974929599fa439bdac8bdf Mon Sep 17 00:00:00 2001

From: Christian Brauner <christian.brauner@ubuntu.com>

Date: Wed, 25 Jul 2018 19:56:54 +0200

Subject: [PATCH] CVE 2018-6556: verify netns fd in lxc-user-nic

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

---

 src/lxc/cmd/lxc_user_nic.c | 35 ++++++++++++++++++++++++++++++++---

 src/lxc/utils.c            | 12 ++++++++++++

 src/lxc/utils.h            |  5 +++++

 3 files changed, 49 insertions(+), 3 deletions(-)

diff --git a/src/lxc/cmd/lxc_user_nic.c b/src/lxc/cmd/lxc_user_nic.c

index ec9cd97e..c5beb6c8 100644

--- a/src/lxc/cmd/lxc_user_nic.c

+++ b/src/lxc/cmd/lxc_user_nic.c

@@ -1179,12 +1179,41 @@ int main(int argc, char *argv[])

 			exit(EXIT_FAILURE);

 		}

 	} else if (request == LXC_USERNIC_DELETE) {

-		netns_fd = open(args.pid, O_RDONLY);

+		char opath[LXC_PROC_PID_FD_LEN];

+

+		/* Open the path with O_PATH which will not trigger an actual

+		 * open(). Don't report an errno to the caller to not leak

+		 * information whether the path exists or not.

+		 * When stracing setuid is stripped so this is not a concern

+		 * either.

+		 */

+		netns_fd = open(args.pid, O_PATH | O_CLOEXEC);

 		if (netns_fd < 0) {

-			usernic_error("Could not open \"%s\": %s\n", args.pid,

-				      strerror(errno));

+			usernic_error("Failed to open \"%s\"\n", args.pid);

+			exit(EXIT_FAILURE);

+		}

+

+		if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) {

+			usernic_error("Path \"%s\" does not refer to a network namespace path\n", args.pid);

+			close(netns_fd);

+			exit(EXIT_FAILURE);

+		}

+

+		ret = snprintf(opath, sizeof(opath), "/proc/self/fd/%d", netns_fd);

+		if (ret < 0 || (size_t)ret >= sizeof(opath)) {

+			close(netns_fd);

+			exit(EXIT_FAILURE);

+		}

+

+		/* Now get an fd that we can use in setns() calls. */

+		ret = open(opath, O_RDONLY | O_CLOEXEC);

+		if (ret < 0) {

+			usernic_error("Failed to open \"%s\": %s\n", args.pid, strerror(errno));

+			close(netns_fd);

 			exit(EXIT_FAILURE);

 		}

+		close(netns_fd);

+		netns_fd = ret;

 	}

 	if (!create_db_dir(LXC_USERNIC_DB)) {

diff --git a/src/lxc/utils.c b/src/lxc/utils.c

index 26f1b058..69d362dc 100644

--- a/src/lxc/utils.c

+++ b/src/lxc/utils.c

@@ -2548,6 +2548,18 @@ bool has_fs_type(const char *path, fs_type_magic magic_val)

 	return has_type;

 }

+bool fhas_fs_type(int fd, fs_type_magic magic_val)

+{

+	int ret;

+	struct statfs sb;

+

+	ret = fstatfs(fd, &sb);

+	if (ret < 0)

+		return false;

+

+	return is_fs_type(&sb, magic_val);

+}

+

 bool lxc_nic_exists(char *nic)

 {

 #define __LXC_SYS_CLASS_NET_LEN 15 + IFNAMSIZ + 1

diff --git a/src/lxc/utils.h b/src/lxc/utils.h

index 7d672b77..fedc395b 100644

--- a/src/lxc/utils.h

+++ b/src/lxc/utils.h

@@ -95,6 +95,10 @@

 #define CGROUP2_SUPER_MAGIC 0x63677270

 #endif

+#ifndef NSFS_MAGIC

+#define NSFS_MAGIC 0x6e736673

+#endif

+

 /* Useful macros */

 /* Maximum number for 64 bit integer is a string with 21 digits: 2^64 - 1 = 21 */

 #define LXC_NUMSTRLEN64 21

@@ -581,6 +585,7 @@ extern void *must_realloc(void *orig, size_t sz);

 /* __typeof__ should be safe to use with all compilers. */

 typedef __typeof__(((struct statfs *)NULL)->f_type) fs_type_magic;

 extern bool has_fs_type(const char *path, fs_type_magic magic_val);

+extern bool fhas_fs_type(int fd, fs_type_magic magic_val);

 extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val);

 extern bool lxc_nic_exists(char *nic);

 extern int lxc_make_tmpfile(char *template, bool rm);

-- 

2.17.1

# Copyright 1999-2018 Gentoo Foundation

# Distributed under the terms of the GNU General Public License v2

EAPI=6

PYTHON_COMPAT=( python3_{4,5,6} )

DISTUTILS_OPTIONAL=1

inherit autotools bash-completion-r1 distutils-r1 linux-info versionator flag-o-matic systemd readme.gentoo-r1

DESCRIPTION="LinuX Containers userspace utilities"

HOMEPAGE="https://linuxcontainers.org/"

SRC_URI="https://linuxcontainers.org/downloads/lxc/${P}.tar.gz"

KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~x86"

LICENSE="LGPL-3"

SLOT="0"

IUSE="cgmanager examples lua python seccomp selinux"

RDEPEND="

	net-libs/gnutls

	sys-libs/libcap

	cgmanager? ( app-admin/cgmanager )

	lua? ( >=dev-lang/lua-5.1:= )

	python? ( ${PYTHON_DEPS} )

	seccomp? ( sys-libs/libseccomp )

	selinux? ( sys-libs/libselinux )"

DEPEND="${RDEPEND}

	app-text/docbook-sgml-utils

	>=sys-kernel/linux-headers-3.2"

RDEPEND="${RDEPEND}

	sys-apps/util-linux

	app-misc/pax-utils

	virtual/awk"

CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE

	~CPUSETS ~CGROUP_CPUACCT

	~CGROUP_SCHED

	~NAMESPACES

	~IPC_NS ~USER_NS ~PID_NS

	~NETLINK_DIAG ~PACKET_DIAG

	~INET_UDP_DIAG ~INET_TCP_DIAG

	~UNIX_DIAG ~CHECKPOINT_RESTORE

	~CGROUP_FREEZER

	~UTS_NS ~NET_NS

	~VETH ~MACVLAN

	~POSIX_MQUEUE

	~!NETPRIO_CGROUP

	~!GRKERNSEC_CHROOT_MOUNT

	~!GRKERNSEC_CHROOT_DOUBLE

	~!GRKERNSEC_CHROOT_PIVOT

	~!GRKERNSEC_CHROOT_CHMOD

	~!GRKERNSEC_CHROOT_CAPS

	~!GRKERNSEC_PROC

	~!GRKERNSEC_SYSFS_RESTRICT

"

ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES:  needed for pts inside container"

ERROR_CGROUP_FREEZER="CONFIG_CGROUP_FREEZER:  needed to freeze containers"

ERROR_UTS_NS="CONFIG_UTS_NS:  needed to unshare hostnames and uname info"

ERROR_NET_NS="CONFIG_NET_NS:  needed for unshared network"

ERROR_VETH="CONFIG_VETH:  needed for internal (host-to-container) networking"

ERROR_MACVLAN="CONFIG_MACVLAN:  needed for internal (inter-container) networking"

ERROR_NETLINK_DIAG="CONFIG_NETLINK_DIAG:  needed for lxc-checkpoint"

ERROR_PACKET_DIAG="CONFIG_PACKET_DIAG:  needed for lxc-checkpoint"

ERROR_INET_UDP_DIAG="CONFIG_INET_UDP_DIAG:  needed for lxc-checkpoint"

ERROR_INET_TCP_DIAG="CONFIG_INET_TCP_DIAG:  needed for lxc-checkpoint"

ERROR_UNIX_DIAG="CONFIG_UNIX_DIAG:  needed for lxc-checkpoint"

ERROR_CHECKPOINT_RESTORE="CONFIG_CHECKPOINT_RESTORE:  needed for lxc-checkpoint"

ERROR_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE:  needed for lxc-execute command"

ERROR_NETPRIO_CGROUP="CONFIG_NETPRIO_CGROUP:  as of kernel 3.3 and lxc 0.8.0_rc1 this causes LXCs to fail booting."

ERROR_GRKERNSEC_CHROOT_MOUNT="CONFIG_GRKERNSEC_CHROOT_MOUNT:  some GRSEC features make LXC unusable see postinst notes"

ERROR_GRKERNSEC_CHROOT_DOUBLE="CONFIG_GRKERNSEC_CHROOT_DOUBLE:  some GRSEC features make LXC unusable see postinst notes"

ERROR_GRKERNSEC_CHROOT_PIVOT="CONFIG_GRKERNSEC_CHROOT_PIVOT:  some GRSEC features make LXC unusable see postinst notes"

ERROR_GRKERNSEC_CHROOT_CHMOD="CONFIG_GRKERNSEC_CHROOT_CHMOD:  some GRSEC features make LXC unusable see postinst notes"

ERROR_GRKERNSEC_CHROOT_CAPS="CONFIG_GRKERNSEC_CHROOT_CAPS:  some GRSEC features make LXC unusable see postinst notes"

ERROR_GRKERNSEC_PROC="CONFIG_GRKERNSEC_PROC:  this GRSEC feature is incompatible with unprivileged containers"

ERROR_GRKERNSEC_SYSFS_RESTRICT="CONFIG_GRKERNSEC_SYSFS_RESTRICT:  this GRSEC feature is incompatible with unprivileged containers"

DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt)

REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"

pkg_setup() {

	kernel_is -lt 4 7 && CONFIG_CHECK="${CONFIG_CHECK} ~DEVPTS_MULTIPLE_INSTANCES"

	linux-info_pkg_setup

}

src_prepare() {

	eapply "${FILESDIR}"/${PN}-2.0.6-bash-completion.patch

	#558854

	eapply "${FILESDIR}"/${PN}-2.0.5-omit-sysconfig.patch

	eapply "${FILESDIR}"/${PN}-2.1.1-fix-cgroup2-detection.patch

	eapply "${FILESDIR}"/${PN}-2.1.1-cgroups-enable-container-without-CAP_SYS_ADMIN.patch

	eapply "${FILESDIR}"/${PN}-2.1.1-cve-2018-6556.patch

	eapply_user

	eautoreconf

}

src_configure() {

	append-flags -fno-strict-aliasing

	if use python; then

		#541932

		python_setup "python3*"

		export PKG_CONFIG_PATH="${T}/${EPYTHON}/pkgconfig:${PKG_CONFIG_PATH}"

	fi

	# I am not sure about the --with-rootfs-path

	# /var/lib/lxc is probably more appropriate than

	# /usr/lib/lxc.

	# Note by holgersson: Why is apparmor disabled?

	# --enable-doc is for manpages which is why we don't link it to a "doc"

	# USE flag. We always want man pages.

	econf \

		--localstatedir=/var \

		--bindir=/usr/bin \

		--sbindir=/usr/bin \

		--with-config-path=/var/lib/lxc	\

		--with-rootfs-path=/var/lib/lxc/rootfs \

		--with-distro=gentoo \

		--with-runtime-path=/run \

		--disable-apparmor \

		--disable-werror \

		--enable-doc \

		$(use_enable cgmanager) \

		$(use_enable examples) \

		$(use_enable lua) \

		$(use_enable python) \

		$(use_enable seccomp) \

		$(use_enable selinux)

}

python_compile() {

	distutils-r1_python_compile build_ext -I.. -L../lxc/.libs --no-pkg-config

}

src_compile() {

	default

	if use python; then

		pushd "${S}/src/python-${PN}" > /dev/null

		distutils-r1_src_compile

		popd > /dev/null

	fi

}

src_install() {

	default

	mv "${ED}"/usr/share/bash-completion/completions/${PN} "${ED}"/$(get_bashcompdir)/${PN}-start || die

	# start-ephemeral is no longer a command but removing it here

	# generates QA warnings (still in upstream completion script)

	bashcomp_alias ${PN}-start \

		${PN}-{attach,cgroup,copy,console,create,destroy,device,execute,freeze,info,monitor,snapshot,start-ephemeral,stop,unfreeze,wait}

	if use python; then

		pushd "${S}/src/python-lxc" > /dev/null

		# Unset DOCS. This has been handled by the default target

		unset DOCS

		distutils-r1_src_install

		popd > /dev/null

	fi

	keepdir /etc/lxc /var/lib/lxc/rootfs /var/log/lxc

	find "${D}" -name '*.la' -delete

	# Gentoo-specific additions!

	newinitd "${FILESDIR}/${PN}.initd.7" ${PN}

	# Remember to compare our systemd unit file with the upstream one

	# config/init/systemd/lxc.service.in

	systemd_newunit "${FILESDIR}"/${PN}_at.service.4 "lxc@.service"

	DOC_CONTENTS="

	Starting from version ${PN}-1.1.0-r3, the default lxc path has been

	moved from /etc/lxc to /var/lib/lxc. If you still want to use /etc/lxc

	please add the following to your /etc/lxc/lxc.conf

	  lxc.lxcpath = /etc/lxc

	For openrc, there is an init script provided with the package.

	You _should_ only need to symlink /etc/init.d/lxc to

	/etc/init.d/lxc.configname to start the container defined in

	/etc/lxc/configname.conf.

	Correspondingly, for systemd a service file lxc@.service is installed.

	Enable and start lxc@configname in order to start the container defined

	in /etc/lxc/configname.conf.

	If you want checkpoint/restore functionality, please install criu

	(sys-process/criu)."

	DISABLE_AUTOFORMATTING=true

	readme.gentoo_create_doc

}

pkg_postinst() {

	readme.gentoo_print_elog

}