Merge pull request #5154 from hashicorp/f-revert-exec-devs

drivers/exec: restrict devices exposed to tasks
2019-01-08 12:43:06 -05:00 · 2019-01-08 12:43:06 -05:00 · 8f20bc8ce2
parent c24f4f94c1 d19b92edec
commit 8f20bc8ce2
1 changed files with 32 additions and 5 deletions
--- a/drivers/shared/executor/executor_linux.go
+++ b/drivers/shared/executor/executor_linux.go
@ -484,6 +484,13 @@ func configureCapabilities(cfg *lconfigs.Config, command *ExecCommand) error {
 	return nil
 }

+// configureIsolation prepares the isolation primitives of the container.
+// The process runs in a container configured with the following:
+//
+// * the task directory as the chroot
+// * dedicated mount points namespace, but shares the PID, User, domain, network namespaces with host
+// * small subset of devices (e.g. stdout/stderr/stdin, tty, shm, pts); default to using the same set of devices as Docker
+// * some special filesystems: `/proc`, `/sys`.  Some case is given to avoid exec escaping or setting malicious values through them.
 func configureIsolation(cfg *lconfigs.Config, command *ExecCommand) error {
 	defaultMountFlags := syscall.MS_NOEXEC | syscall.MS_NOSUID | syscall.MS_NODEV

@ -506,9 +513,7 @@ func configureIsolation(cfg *lconfigs.Config, command *ExecCommand) error {
 		"/proc/sys", "/proc/sysrq-trigger", "/proc/irq", "/proc/bus",
 	}

-	// we bind-mount /dev to preserve pre-0.9 behavior; so avoid setting up individual devices
-	cfg.Devices = []*lconfigs.Device{}
-
+	cfg.Devices = lconfigs.DefaultAutoCreatedDevices
 	if len(command.Devices) > 0 {
 		devs, err := cmdDevices(command.Devices)
 		if err != nil {
@ -519,9 +524,11 @@ func configureIsolation(cfg *lconfigs.Config, command *ExecCommand) error {

 	cfg.Mounts = []*lconfigs.Mount{
 		{
-			Source:      "dev",
+			Source:      "tmpfs",
 			Destination: "/dev",
-			Device:      "devtmpfs",
+			Device:      "tmpfs",
+			Flags:       syscall.MS_NOSUID | syscall.MS_STRICTATIME,
+			Data:        "mode=755",
 		},
 		{
 			Source:      "proc",
@ -529,6 +536,26 @@ func configureIsolation(cfg *lconfigs.Config, command *ExecCommand) error {
 			Device:      "proc",
 			Flags:       defaultMountFlags,
 		},
+		{
+			Source:      "devpts",
+			Destination: "/dev/pts",
+			Device:      "devpts",
+			Flags:       syscall.MS_NOSUID | syscall.MS_NOEXEC,
+			Data:        "newinstance,ptmxmode=0666,mode=0620,gid=5",
+		},
+		{
+			Device:      "tmpfs",
+			Source:      "shm",
+			Destination: "/dev/shm",
+			Data:        "mode=1777,size=65536k",
+			Flags:       defaultMountFlags,
+		},
+		{
+			Source:      "mqueue",
+			Destination: "/dev/mqueue",
+			Device:      "mqueue",
+			Flags:       defaultMountFlags,
+		},
 		{
 			Source:      "sysfs",
 			Destination: "/sys",