Description
Youki: If /proc and /sys in the rootfs are symbolic links, they can potentially be exploited to gain access to the host root filesystem.
Summary
If /proc and /sys in the rootfs are symbolic links, they can potentially be exploited to gain access to the host root filesystem.
Details
For security reasons, container creation should be prohibited if /proc or /sys in the rootfs is a symbolic link.
I verified this behavior with youki.
When /proc or /sys is a symbolic link, runc fails to create the container, whereas youki successfully creates it.
The corresponding fix and regression test in runc can be found here:
- https://github.com/opencontainers/runc/pull/3756
- https://github.com/opencontainers/runc/pull/3773
- https://github.com/opencontainers/runc/blob/main/libcontainer/rootfs_linux.go#L590
- https://github.com/opencontainers/runc/blob/main/tests/integration/mask.bats#L60
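The check described above, as an added example that is neither youki's nor runc's code: before creating a container, inspect the rootfs's `proc` and `sys` entries with `symlink_metadata` (which does not follow links) and refuse the rootfs if either is a symbolic link. The helper `build_demo_rootfs` constructs a deliberately unsafe layout in a temporary directory so the check can be run stand-alone; treating a missing entry as acceptable (left for the runtime to create) is an assumption of this example.

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// Mount points for pseudo filesystems that must be real directories inside
/// the rootfs, never symbolic links (a link would be resolved on the host).
const PROTECTED_ENTRIES: &[&str] = &["proc", "sys"];

/// Returns the offending path if any protected entry is a symlink.
/// `symlink_metadata` inspects the entry itself and does NOT follow links,
/// so a link pointing anywhere is detected rather than silently resolved.
pub fn validate_rootfs(rootfs: &Path) -> Result<(), PathBuf> {
    for name in PROTECTED_ENTRIES {
        let entry = rootfs.join(name);
        match fs::symlink_metadata(&entry) {
            Ok(meta) if meta.file_type().is_symlink() => return Err(entry),
            Ok(_) => {}
            // Assumption for this example: a missing entry is fine, the
            // runtime would create the directory itself.
            Err(e) if e.kind() == io::ErrorKind::NotFound => {}
            // Anything else (e.g. permission denied) is also treated as unsafe.
            Err(_) => return Err(entry),
        }
    }
    Ok(())
}

/// Constructed demo layout: `sys` is a real directory, but `proc` is a
/// symbolic link instead of a directory.
pub fn build_demo_rootfs(base: &Path) -> io::Result<()> {
    fs::create_dir_all(base.join("sys"))?;
    std::os::unix::fs::symlink("/proc", base.join("proc"))
}

fn main() {
    let base = std::env::temp_dir().join(format!("demo-rootfs-{}", std::process::id()));
    build_demo_rootfs(&base).expect("constructing demo rootfs");
    match validate_rootfs(&base) {
        Ok(()) => println!("rootfs accepted"),
        Err(p) => println!("refusing to create container: {} is a symlink", p.display()),
    }
    let _ = fs::remove_dir_all(&base);
}
```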
Impact
The following advisory appears to be related to this vulnerability:
Packages
youki: affected versions < 0.5.5; fixed in 0.5.5
Related vulnerabilities
Youki is a container runtime written in Rust. Prior to version 0.5.5, if /proc and /sys in the rootfs are symbolic links, they can potentially be exploited to gain access to the host root filesystem. This issue has been patched in version 0.5.5.