-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add containerenv information to /run/.containerenv #8476
Conversation
containerenv := fmt.Sprintf(`\ | ||
engine="podman-%s" | ||
name=%q | ||
id=%q |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Exposing ID by default might be potentially dangerous. Could this be optional?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please explain how container ID is risky?
We can add something to containers.conf to disable this, but I am not sure it is worth the effort.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
An attacker might want to know the container ID to determine the path of the attacker-crafted malicious file in the container rootfs.
Such path would be useful for the attacker when the attacker somehow managed to gain write access to e.g. /sys/kernel/uevent_helper.
I'm a little iffy about exposing full version numbers. Usual practice for
hardening is to disable that wherever possible to make it harder to
identify if your instance is affected by vulnerabilities. Full image ID
also has the same issue. I would not do those by default.
Also, I think your leading \ in the string you write to the file is
unnecessary.
…On Wed, Nov 25, 2020, 09:05 Akihiro Suda ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In libpod/container_internal_linux.go
<#8476 (comment)>:
> // Empty string for now, but we may consider populating this later
- containerenvPath, err := c.writeStringToRundir(".containerenv", "")
+ // Populate the .containerenv with container information
+ containerenv := fmt.Sprintf(`\
+engine="podman-%s"
+name=%q
+id=%q
Exposing ID by default might be potentially dangerous. Could this be
optional?
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#8476 (review)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AB3AOCHEVE2EQA2GPH4N4X3SRUFK3ANCNFSM4UCI5TNA>
.
|
I am not crazy about security by obscurity. It is likely pretty easier for the processes within a container to figure out if the system is vulnerable. Doing a checksum of a couple of executables makes it easy to figure out if you are vulnerable. |
43c2412
to
9178ca9
Compare
As long as images have the package (eg., RPM) database, then one can just do |
@debarshiray You want these fields for logging, and better reporting to the user, what is going on, correct? |
Couple nits in docs. Once that and the security question is solved, LGTM. |
Yes, correct. eg., there is an interest to customize the shell prompt and such things to indicate which container and/or image is in play. |
66ddb97
to
af8e491
Compare
/hold |
bfd07b2
to
26d1bdc
Compare
We have been asked to leak some information into the container to indicate: * The name and id of the container * The version of podman used to launch the container * The image name and ID the container is based on. * Whether the container engine is running in rootless mode. Fixes: containers#6192 Signed-off-by: Daniel J Walsh <[email protected]>
/hold cancel |
@containers/podman-maintainers PTAL |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: AkihiroSuda, rhatdan The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
LGTM |
/lgtm |
We have been asked to leak some information into the container
to indicate:
Fixes: #6192
Signed-off-by: Daniel J Walsh [email protected]