Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Using fexecve to protect the entrypoint of the container #62

Open
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

lifubang
Copy link
Owner

@lifubang lifubang commented Jan 22, 2024

In https://man7.org/linux/man-pages/man3/fexecve.3.html:

   The idea behind fexecve() is to allow the caller to verify
   (checksum) the contents of an executable before executing it.
   Simply opening the file, checksumming the contents, and then
   doing an execve(2) would not suffice, since, between the two
   steps, the filename, or a directory prefix of the pathname, could
   have been exchanged (by, for example, modifying the target of a
   symbolic link).  fexecve() does not mitigate the problem that the
   contents of a file could be changed between the checksumming and
   the call to fexecve(); for that, the solution is to ensure that
   the permissions on the file prevent it from being modified by
   malicious users.

and:

   If fd refers to a script (i.e., it is an executable text file
   that names a script interpreter with a first line that begins
   with the characters #!)  and the close-on-exec flag has been set
   for fd, then fexecve() fails with the error ENOENT.  This error
   occurs because, by the time the script interpreter is executed,
   fd has already been closed because of the close-on-exec flag.
   Thus, the close-on-exec flag can't be set on fd if it refers to a
   script, leading to the problems described in NOTES.

So, if the type entrypoint of container if a binary format, we can open it as a fd with close-on-exec flag and use execveat(like fexecve) to
start/exec the container process, if a malicious process modify the entrypoint to a Shebang script, execveat will return ENOENT.

So, let's check the original entrypoint of the container, if it is a Shebang script, solve it to get the final real binary file, and check whether it is in the container or not. After we open it as a fd with close-on-exec flag, the malicious process can only modify the final real binary's content, but can't change it to a symbol link. So maybe we can use it to defeat CVE-2019-5736.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant