Skip to content
This repository has been archived by the owner on May 12, 2021. It is now read-only.

harden container hostpath cleanup #2474

Closed
bergwolf opened this issue Feb 19, 2020 · 0 comments · Fixed by #2475
Closed

harden container hostpath cleanup #2474

bergwolf opened this issue Feb 19, 2020 · 0 comments · Fixed by #2475
Labels
bug Incorrect behaviour needs-review Needs to be assessed by the team. security Potential or actual security issue

Comments

@bergwolf
Copy link
Member

Description of problem

A container's host path might be changed by the guest to point to some other places by placing a symlink there. kata runtime should not follow link when unmounting them otherwise we might end up unmounting some other mountpoints unexpectedly.
@bergwolf bergwolf added bug Incorrect behaviour needs-review Needs to be assessed by the team. labels Feb 19, 2020
bergwolf added a commit to bergwolf/kata-runtime that referenced this issue Feb 19, 2020
@bergwolf
vc: do not follow symlink when umounting contanier host path
61a974b 
So that if a guest changes it, we do not end up
propergating the error.

Fixes: kata-containers#2474
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
@bergwolf bergwolf mentioned this issue Feb 19, 2020
Merged
bergwolf added a commit to bergwolf/kata-runtime that referenced this issue Feb 19, 2020
@bergwolf
vc: do not follow symlink when umounting contanier host path
5bf3231 
So that if a guest changes it, we do not end up
propergating the error.

Fixes: kata-containers#2474
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
evanfoster pushed a commit to evanfoster/runtime that referenced this issue Mar 9, 2020
@bergwolf
vc: do not follow symlink when umounting contanier host path
f25d5be 
So that if a guest changes it, we do not end up
propergating the error.

Fixes: kata-containers#2474
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
bergwolf added a commit that referenced this issue May 29, 2020
@bergwolf
vc: do not follow symlink when umounting contanier host path
2465ee9 
So that if a guest changes it, we do not end up
propergating the error.

Fixes: #2474
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
@jodh-intel jodh-intel added the security Potential or actual security issue label May 29, 2020
bergwolf added a commit to bergwolf/kata-runtime that referenced this issue Jun 3, 2020
@bergwolf
vc: do not follow symlink when umounting contanier host path
11f4560 
So that if a guest changes it, we do not end up
propergating the error.

Fixes: kata-containers#2474
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
amshinde pushed a commit to amshinde/kata-runtime that referenced this issue Jun 4, 2020
@bergwolf @amshinde
vc: do not follow symlink when umounting contanier host path
bac553d 
So that if a guest changes it, we do not end up
propergating the error.

Fixes: kata-containers#2474
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
(cherry picked from commit 5bf3231)
@jiangliu jiangliu mentioned this issue Jan 12, 2022
Merged
@tatianab tatianab mentioned this issue Nov 8, 2023
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug Incorrect behaviour needs-review Needs to be assessed by the team. security Potential or actual security issue
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

vc: do not follow symlink when umounting contanier host path bergwolf/kata-runtime
2 participants
@bergwolf @jodh-intel