diff options
| author | Daniel Golle | 2020-08-13 00:22:11 +0000 |
|---|---|---|
| committer | Daniel Golle | 2020-08-13 09:21:54 +0000 |
| commit | 80c951668c0e3bd66888302a5b3f12c7324d9c82 (patch) | |
| tree | 5ad2762df9bd4ade3d26a0eaaafe8c5561a19950 | |
| parent | fad899769e1411cc273785461f073a0f7931b9a0 (diff) | |
| download | procd-80c951668c0e3bd66888302a5b3f12c7324d9c82.tar.gz | |
cgroups: restrict allowed keys in 'unified' section
Prevent specifying directories by banning the use of '/' characters
and disallow some internal cgroup.* files as suggested in [1].
[1]: https://github.com/opencontainers/runtime-spec/pull/1040
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
| -rw-r--r-- | jail/cgroups.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/jail/cgroups.c b/jail/cgroups.c index 97583b3..ab88643 100644 --- a/jail/cgroups.c +++ b/jail/cgroups.c @@ -721,6 +721,14 @@ static int parseOCIlinuxcgroups_unified(struct blob_attr *msg) if (blobmsg_type(cur) != BLOBMSG_TYPE_STRING) return EINVAL; + /* restrict keys */ + if (strchr(blobmsg_name(cur), '/') || + !strcmp(blobmsg_name(cur), "cgroup.subtree_control") || + !strcmp(blobmsg_name(cur), "cgroup.procs") || + !strcmp(blobmsg_name(cur), "cgroup.threads") || + !strcmp(blobmsg_name(cur), "cgroup.freeze")) + return EINVAL; + cgroups_set(blobmsg_name(cur), blobmsg_get_string(cur)); } |