Be aware of security hardened mount points #1340

Merged
merged 3 commits into from
Aug 12, 2023

Commits on Aug 11, 2023

  1. test/system: Silence SC1090

    Otherwise https://www.shellcheck.net/ would complain:
      Line 218:
      source <(echo "$output")
             ^---------------^ SC1090 (warning): ShellCheck can't follow
                               non-constant source. Use a directive to
                               specify location.
    
    See: https://www.shellcheck.net/wiki/SC1090
    
    containers#1347
    debarshiray committed Aug 11, 2023
    41349f4
  2. test/system: Silence SC2004

    Otherwise https://www.shellcheck.net/ would complain:
      Line 110:
      for ((i = ${num_of_retries}; i > 0; i--)); do
                ^---------------^ SC2004 (style): $/${} is unnecessary on
                                  arithmetic variables.
    
    See: https://www.shellcheck.net/wiki/SC2004
    
    containers#1347
    debarshiray committed Aug 11, 2023
    a055e78
  3. cmd/initContainer: Be aware of security hardened mount points

    Sometimes locations such as /var/lib/flatpak, /var/lib/systemd/coredump
    and /var/log/journal sit on security hardened mount points that are
    marked as 'nosuid,nodev,noexec' [1].  In such cases, when Toolbx is used
    rootless, an attempt to bind mount these locations read-only at runtime
    with mount(8) fails because of permission problems:
      # mount --rbind -o ro <source> <containerPath>
      mount: <containerPath>: filesystem was mounted, but any subsequent
          operation failed: Unknown error 5005.
    
    (Note that the above error message from mount(8) was subsequently
    improved to show something more meaningful than 'Unknown error' [2].)
    
    The problem is that 'init-container' is running inside the container's
    mount and user namespace, and the source paths were mounted inside the
    host's namespace with 'nosuid,nodev,noexec'.  The above mount(8) call
    tries to remove the 'nosuid,nodev,noexec' flags from the mount point and
    replace them with only 'ro', which is something that can't be done from
    a child namespace.
    
    Note that this doesn't fail when Toolbx is running as root.  This is
    because the container uses the host's user namespace and is able to
    remove the 'nosuid,nodev,noexec' flags from the mount point and replace
    them with only 'ro'.  Even though it doesn't fail, the flags shouldn't
    get replaced like that inside the container, because it removes the
    security hardening of those mount points.
    
    There's actually no benefit in bind mounting these paths as read-only.
    It was historically done this way 'just to be safe' because a user isn't
    expected to write to these locations from inside a container.  However,
    Toolbx doesn't intend to provide any heightened security beyond what's
    already available on the host.
    
    Hence, it's better to get out of the way and leave it to the permissions
    on the source location from the host operating system to guard the
    castle.  This is accomplished by not passing any file system options to
    mount(8) [1].
    
    Based on an idea from Si.
    
    [1] https://man7.org/linux/man-pages/man8/mount.8.html
    
    [2] util-linux commit 9420ca34dc8b6f0f
        util-linux/util-linux@9420ca34dc8b6f0f
        util-linux/util-linux#2376
    
    containers#911
    debarshiray committed Aug 11, 2023
    1cc9e07
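The failure described in the third commit message comes down to which flags are set on the mount that holds the source path, as seen from inside a child user namespace. The following Go program is an added example, not code from the Toolbx project or from this PR: it parses text in /proc/self/mountinfo format (a constructed sample here, not captured from a host), finds the mount a given path lives on by longest-prefix match, and reports which of the hardening flags nosuid, nodev and noexec are set there. Those are the flags the kernel locks when a mount is visible inside a less privileged user namespace, so a bind mount that asks mount(8) for only `ro` is a request to drop them and is refused. The sample mount table, the paths and the function names are assumptions made for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// mountInfoSample is a constructed excerpt in /proc/self/mountinfo format, not
// captured from a real host: /var/lib/flatpak and /var/log/journal sit on their
// own nosuid,nodev,noexec mounts, /tmp lacks noexec, and /var/lib/systemd/coredump
// is just a directory on the root file system.
const mountInfoSample = `22 1 0:21 / / rw,relatime shared:1 - ext4 /dev/sda2 rw
54 22 0:40 / /var/lib/flatpak rw,nosuid,nodev,noexec,relatime shared:30 - ext4 /dev/sda5 rw
55 22 0:41 / /var/log/journal rw,nosuid,nodev,noexec,relatime shared:31 - ext4 /dev/sda6 rw
60 22 0:44 / /tmp rw,nosuid,nodev,relatime shared:32 - tmpfs tmpfs rw
`

// hardeningFlags are the per-mount-point flags the commit message calls
// "security hardened". Inside a less privileged user namespace the kernel locks
// them: a remount may keep or add them, but clearing them fails with EPERM.
var hardeningFlags = []string{"nodev", "noexec", "nosuid"}

type mountEntry struct {
	mountPoint string
	options    map[string]bool // per-mount options, field 6 of mountinfo
}

// parseMountInfo reads /proc/self/mountinfo-style text. Per proc(5) the fields
// are: mount ID, parent ID, major:minor, root, mount point, per-mount options,
// optional fields..., "-", fs type, source, super options. Octal escapes such as
// \040 in mount point names are left undecoded in this example.
func parseMountInfo(text string) ([]mountEntry, error) {
	var entries []mountEntry
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 {
			continue
		}
		if len(fields) < 6 {
			return nil, fmt.Errorf("malformed mountinfo line: %q", sc.Text())
		}
		opts := make(map[string]bool)
		for _, o := range strings.Split(fields[5], ",") {
			opts[o] = true
		}
		entries = append(entries, mountEntry{mountPoint: fields[4], options: opts})
	}
	return entries, sc.Err()
}

// mountFor returns the entry whose mount point is the longest prefix of path,
// i.e. the mount the path actually lives on. Matching is on whole components,
// so /var/lib/flatpak does not claim /var/lib/flatpak-extra.
func mountFor(entries []mountEntry, path string) (mountEntry, bool) {
	best := -1
	for i, e := range entries {
		dir := strings.TrimSuffix(e.mountPoint, "/") + "/"
		if path == e.mountPoint || strings.HasPrefix(path, dir) {
			if best < 0 || len(e.mountPoint) > len(entries[best].mountPoint) {
				best = i
			}
		}
	}
	if best < 0 {
		return mountEntry{}, false
	}
	return entries[best], true
}

// lockedHardening reports which hardening flags are set on the mount holding
// path. A bind mount of that path made from inside a child user namespace must
// keep every flag returned here; passing only "-o ro" to mount(8) asks to drop
// them, which is the permission failure the commit message describes.
func lockedHardening(mountInfo, path string) ([]string, error) {
	entries, err := parseMountInfo(mountInfo)
	if err != nil {
		return nil, err
	}
	m, ok := mountFor(entries, path)
	if !ok {
		return nil, fmt.Errorf("%s: no containing mount found", path)
	}
	var locked []string
	for _, f := range hardeningFlags {
		if m.options[f] {
			locked = append(locked, f)
		}
	}
	return locked, nil
}

func main() {
	for _, p := range []string{"/var/lib/flatpak", "/var/lib/systemd/coredump", "/tmp/scratch"} {
		flags, err := lockedHardening(mountInfoSample, p)
		fmt.Printf("%s: locked hardening flags=%v err=%v\n", p, flags, err)
	}
}
```

On a real host the same information is what `findmnt -T <path> -o TARGET,OPTIONS` prints; the example reads a string so that it runs offline. An empty result means a read-only bind mount would not try to clear anything, while a non-empty one is exactly the case where passing no options, as the commit does, keeps the host's hardening intact.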