cgroups: restrict allowed keys in 'unified' section
author Daniel Golle <daniel@makrotopia.org>
Thu, 13 Aug 2020 00:22:11 +0000 (01:22 +0100)
committer Daniel Golle <daniel@makrotopia.org>
Thu, 13 Aug 2020 09:21:54 +0000 (10:21 +0100)
Prevent specifying directories by banning the use of '/' characters
and disallow some internal cgroup.* files as suggested in [1].

[1]: https://github.com/opencontainers/runtime-spec/pull/1040

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
jail/cgroups.c

index 97583b3e0e53adca4d074ef78e7692fd970b1037..ab886434822c81ba414ae44c420180a6840ae97a 100644 (file)
@@ -721,6 +721,14 @@ static int parseOCIlinuxcgroups_unified(struct blob_attr *msg)
                if (blobmsg_type(cur) != BLOBMSG_TYPE_STRING)
                        return EINVAL;
 
+               /* restrict keys */
+               if (strchr(blobmsg_name(cur), '/') ||
+                   !strcmp(blobmsg_name(cur), "cgroup.subtree_control") ||
+                   !strcmp(blobmsg_name(cur), "cgroup.procs") ||
+                   !strcmp(blobmsg_name(cur), "cgroup.threads") ||
+                   !strcmp(blobmsg_name(cur), "cgroup.freeze"))
+                       return EINVAL;
+
                cgroups_set(blobmsg_name(cur), blobmsg_get_string(cur));
        }
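
Review bot: The key filter before cgroups_set() is an exact-match denylist of four names, so any other cgroup.* key still passes through to cgroups_set(). If the goal is to keep OCI configs away from the cgroup core interface files as a class, a prefix test such as `!strncmp(name, "cgroup.", 7)`, with explicit exceptions for any core keys that should stay settable, would fail closed instead of needing a new strcmp each time another file has to be blocked. The strchr() test also lets an empty key, "." and ".." through because none of them contains a '/'; reject those here too unless cgroups_set() already does. As a style point, blobmsg_name(cur) is evaluated five times in the condition and once more in the call below, so hoisting it into a local `const char *name` would make the condition easier to read and extend.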