Documentation ¶
Index ¶
- Variables
- func Binary(tmpDir string) (*os.File, error)
- func CloneBinary(src io.Reader, size int64, name, tmpDir string) (*os.File, error)
- func CloneSelfExe(tmpDir string) (*os.File, error)
- func IsCloned(exe *os.File) bool
- func IsSelfExeCloned() bool
- func WorksWithSELinux(c *configs.Config) bool
- type SealFunc
Constants ¶
This section is empty.
Variables ¶
var ErrNoDmzBinary = errors.New("runc-dmz binary not embedded in this program")
ErrNoDmzBinary is returned by Binary when there is no runc-dmz binary embedded in the runc program.
Functions ¶
func Binary ¶
func Binary(tmpDir string) (*os.File, error)
Binary returns a cloned copy (see CloneBinary) of a very minimal C program that just does an execve() of its arguments. This is used in the final execution step of the container execution as an intermediate process before the container process is execve'd. This allows for protection against CVE-2019-5736 without requiring a complete copy of the runc binary. Each call to Binary will return a new copy.
If the runc-dmz binary is not embedded into the runc binary, Binary will return ErrNoDmzBinary as the error.
func CloneBinary ¶
func CloneBinary(src io.Reader, size int64, name, tmpDir string) (*os.File, error)
CloneBinary creates a "sealed" clone of a given binary, which can be used to thwart attempts by the container process to gain access to host binaries through procfs magic-link shenanigans. For more details on why this is necessary, see CVE-2019-5736.
func CloneSelfExe ¶
func CloneSelfExe(tmpDir string) (*os.File, error)
CloneSelfExe makes a clone of the current process's binary (through /proc/self/exe). This binary can then be used for "runc init" in order to make sure the container process can never resolve the original runc binary. For more details on why this is necessary, see CVE-2019-5736.
func IsSelfExeCloned ¶
func IsSelfExeCloned() bool
IsSelfExeCloned returns whether /proc/self/exe is a cloned binary that can be guaranteed to be safe. This means that it must be a sealed memfd. Other types of clones cannot be completely verified as safe.
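The sealed-memfd clone that CloneBinary, CloneSelfExe and IsSelfExeCloned describe, shown as an added example rather than code from the runc package: it copies a binary into a fresh memfd, applies the seals that make it immutable, and checks for them the way a caller would before trusting /proc/self/exe. The example's own assumptions are the helper names (cloneSealed, isSealedClone), the per-architecture memfd_create syscall numbers and the F_SEAL_*/MFD_* values taken from the Linux headers, which package syscall does not export; it uses raw syscalls to stay dependency-free and requires Linux.

```go
package main

import (
	"errors"
	"io"
	"os"
	"runtime"
	"syscall"
	"unsafe"
)
// Linux values package syscall does not export (from linux/memfd.h and linux/fcntl.h).
const (
	mfdCloexec, mfdAllowSealing                   = 0x1, 0x2
	fAddSeals, fGetSeals                          = 1024 + 9, 1024 + 10
	fSealSeal, fSealShrink, fSealGrow, fSealWrite = 0x1, 0x2, 0x4, 0x8
	requiredSeals = fSealSeal | fSealShrink | fSealGrow | fSealWrite // no resize, no write, no unseal
)
// memfd_create syscall numbers for the Linux architectures this example assumes.
var memfdCreateTrap = map[string]uintptr{"amd64": 319, "arm64": 279, "riscv64": 279}
// cloneSealed copies src into a fresh anonymous memfd and seals it, the same idea as runc's
// CloneBinary: whoever later resolves the clone reaches only this immutable copy, never the original.
func cloneSealed(src io.Reader) (*os.File, error) {
	trap, ok := memfdCreateTrap[runtime.GOARCH]
	if runtime.GOOS != "linux" || !ok {
		return nil, errors.New("memfd_create not supported on " + runtime.GOOS + "/" + runtime.GOARCH)
	}
	name := []byte("sealed-clone\x00") // NUL-terminated name, visible under /proc/<pid>/fd
	fd, _, errno := syscall.Syscall(trap, uintptr(unsafe.Pointer(&name[0])), mfdCloexec|mfdAllowSealing, 0)
	if errno != 0 {
		return nil, errno
	}
	f := os.NewFile(fd, "/memfd:sealed-clone")
	if _, err := io.Copy(f, src); err != nil {
		f.Close()
		return nil, err
	}
	// Seal only after the copy: from now on no descriptor can grow, shrink or write the file.
	if _, _, errno := syscall.Syscall(syscall.SYS_FCNTL, f.Fd(), fAddSeals, requiredSeals); errno != 0 {
		f.Close()
		return nil, errno
	}
	return f, nil
}

// isSealedClone is the check IsCloned/IsSelfExeCloned rely on: a memfd carrying every required
// seal. A regular file has no seals (F_GET_SEALS fails with EINVAL), so it is never a safe clone.
func isSealedClone(f *os.File) bool {
	seals, _, errno := syscall.Syscall(syscall.SYS_FCNTL, f.Fd(), fGetSeals, 0)
	return errno == 0 && int(seals)&requiredSeals == requiredSeals
}
```

Passing an opened /proc/self/exe as src reproduces what CloneSelfExe does; a clone that fails isSealedClone should be treated as untrusted, exactly as runc does.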
func WorksWithSELinux ¶
func WorksWithSELinux(c *configs.Config) bool
WorksWithSELinux tells whether runc-dmz can work with SELinux.
Older SELinux policy can prevent runc from executing the dmz binary. The issue is fixed in container-selinux >= 2.224.0:
- https://github.com/containers/container-selinux/issues/274
- https://github.com/containers/container-selinux/pull/280
Alas, there is no easy way to check at runtime whether dmz works with SELinux, so the workaround below is enabled by default. It disables dmz when a container SELinux label is set and SELinux is in enforcing mode.
Newer distributions that ship a sufficiently new container-selinux version can build runc with the runc_dmz_selinux_nocompat build flag to disable this workaround (essentially allowing dmz to be used together with SELinux).