containers
/
podman
mirror of https://github.com/containers/podman.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Don't mount /dev/tty* inside privileged containers running systemd 

According to https://systemd.io/CONTAINER_INTERFACE/, systemd will try take
control over /dev/ttyN if exported, which can cause conflicts with the host's tty
in privileged containers. Thus we will not expose these to privileged containers
in systemd mode, as this is a bad idea according to systemd's maintainers.

Additionally, this commit adds a bats regression test to check that no /dev/ttyN
are present in a privileged container in systemd mode

This fixes https://github.com/containers/podman/issues/15878

Signed-off-by: Dan Čermák <dcermak@suse.com>
This commit is contained in:
Dan Čermák 2022-09-21 23:09:10 +02:00
parent 828fae1297
commit 5a2405ae1b
No known key found for this signature in database
GPG Key ID: 8F8C178E966641D3
4 changed files with 28 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
libpod/container_internal_common.go
View File

@ -109,7 +109,11 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
// If the flag to mount all devices is set for a privileged container, add // If the flag to mount all devices is set for a privileged container, add
// all the devices from the host's machine into the container // all the devices from the host's machine into the container
if c.config.MountAllDevices { if c.config.MountAllDevices {
if err := util.AddPrivilegedDevices(&g); err != nil { systemdMode := false
if c.config.Systemd != nil {
systemdMode = *c.config.Systemd
}
if err := util.AddPrivilegedDevices(&g, systemdMode); err != nil {
return nil, err return nil, err
} }
} }

2
pkg/util/utils_freebsd.go
View File

@ -13,6 +13,6 @@ func GetContainerPidInformationDescriptors() ([]string, error) {
return []string{}, errors.New("this function is not supported on freebsd") return []string{}, errors.New("this function is not supported on freebsd")
} }
func AddPrivilegedDevices(g *generate.Generator) error { func AddPrivilegedDevices(g *generate.Generator, systemdMode bool) error {
return nil return nil
} }

5
pkg/util/utils_linux.go
View File

@ -70,7 +70,7 @@ func FindDeviceNodes() (map[string]string, error) {
return nodes, nil return nodes, nil
} }
func AddPrivilegedDevices(g *generate.Generator) error { func AddPrivilegedDevices(g *generate.Generator, systemdMode bool) error {
hostDevices, err := getDevices("/dev") hostDevices, err := getDevices("/dev")
if err != nil { if err != nil {
return err return err
@ -104,6 +104,9 @@ func AddPrivilegedDevices(g *generate.Generator) error {
} }
} else { } else {
for _, d := range hostDevices { for _, d := range hostDevices {
if systemdMode && strings.HasPrefix(d.Path, "/dev/tty") {
continue
}
g.AddDevice(d) g.AddDevice(d)
} }
// Add resources device - need to clear the existing one first. // Add resources device - need to clear the existing one first.

18
test/system/030-run.bats
View File

@ -901,4 +901,22 @@ $IMAGE--c_ok" \
run_podman rm $ctr_name run_podman rm $ctr_name
} }
@test "podman run --privileged as root with systemd will not mount /dev/tty" {
skip_if_rootless "this test only makes sense as root"
ctr_name="container-$(random_string 5)"
run_podman run --rm -d --privileged --systemd=always --name "$ctr_name" "$IMAGE" /home/podman/pause
TTYs=$(ls /dev/tty*|sed '/^\/dev\/tty$/d')
if [[ $TTYs = "" ]]; then
die "Did not find any /dev/ttyN devices on local host"
else
run_podman exec "$ctr_name" ls /dev/
assert "$(grep tty <<<$output)" = "tty" "There must be no /dev/ttyN devices in the container"
fi
run_podman stop "$ctr_name"
}
# vim: filetype=sh # vim: filetype=sh