CVE-2024-9407: validate "bind-propagation" flag settings
CVE-2024-9407: validate that the value for the "bind-propagation" flag
when handling "bind" and "cache" mounts in `buildah run` or in RUN
instructions is one of the values that we would accept without the
"bind-propagation=" prefix.

Signed-off-by: Nalin Dahyabhai <[email protected]>
nalind committed Oct 1, 2024
1 parent 4aeddcc commit 732f770
Showing 2 changed files with 37 additions and 0 deletions.
12 changes: 12 additions & 0 deletions internal/volumes/volumes.go
Expand Up @@ -104,6 +104,12 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st
if !hasArgValue {
return newMount, "", fmt.Errorf("%v: %w", argName, errBadOptionArg)
}
switch argValue {
default:
return newMount, "", fmt.Errorf("%v: %q: %w", argName, argValue, errBadMntOption)
case "shared", "rshared", "private", "rprivate", "slave", "rslave":
// this should be the relevant parts of the same list of options we accepted above
}
newMount.Options = append(newMount.Options, argValue)
case "src", "source":
if !hasArgValue {
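Review bot: The accepted propagation list is now spelled out in three places — the `case "shared", "rshared", ...` line in this hunk, the identical line in GetCacheMount's hunk below, and (per the comment on that line) the broader option list accepted earlier in each function — so the copies can drift apart without any compiler or test noticing. A small package-level predicate gives one source of truth, and both switches collapse to `if !isBindPropagation(argValue) { return newMount, "", fmt.Errorf("%v: %q: %w", argName, argValue, errBadMntOption) }` (with `nil` in place of `""` in GetCacheMount). Putting `default:` ahead of the `case` list also reads backwards; with the predicate the switch disappears altogether. Keeping `%q` on argValue is the right call, since the rejected string is attacker-controlled input and an empty or whitespace value should be visible in the error. Both GetBindMount and GetCacheMount begin and end outside these hunks.
```go
// isBindPropagation reports whether value is a mount propagation mode
// that is also accepted as a bare mount option.
func isBindPropagation(value string) bool {
	switch value {
	case "shared", "rshared", "private", "rprivate", "slave", "rslave":
		return true
	}
	return false
}

// … in GetBindMount, replacing the switch on argValue …
if !isBindPropagation(argValue) {
	return newMount, "", fmt.Errorf("%v: %q: %w", argName, argValue, errBadMntOption)
}
newMount.Options = append(newMount.Options, argValue)
```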
Expand Down Expand Up @@ -276,6 +282,12 @@ func GetCacheMount(args []string, _ storage.Store, _ string, additionalMountPoin
if !hasArgValue {
return newMount, nil, fmt.Errorf("%v: %w", argName, errBadOptionArg)
}
switch argValue {
default:
return newMount, nil, fmt.Errorf("%v: %q: %w", argName, argValue, errBadMntOption)
case "shared", "rshared", "private", "rprivate", "slave", "rslave":
// this should be the relevant parts of the same list of options we accepted above
}
newMount.Options = append(newMount.Options, argValue)
case "id":
if !hasArgValue {
25 changes: 25 additions & 0 deletions tests/bud.bats
Expand Up @@ -6946,3 +6946,28 @@ _EOF
run_buildah run testctr -- sh -c 'cd podman-tag && git ls-remote --tags origin v5.0.0^{} | cut -f1'
assert "$output" = "$local_head_hash"
}

@test "build-validates-bind-bind-propagation" {
_prefetch alpine

cat > ${TEST_SCRATCH_DIR}/Containerfile << _EOF
FROM alpine as base
FROM alpine
RUN --mount=type=bind,from=base,source=/,destination=/var/empty,rw,bind-propagation=suid pwd
_EOF

run_buildah 125 build $WITH_POLICY_JSON ${TEST_SCRATCH_DIR}
expect_output --substring "invalid mount option"
}

@test "build-validates-cache-bind-propagation" {
_prefetch alpine

cat > ${TEST_SCRATCH_DIR}/Containerfile << _EOF
FROM alpine
RUN --mount=type=cache,destination=/var/empty,rw,bind-propagation=suid pwd
_EOF

run_buildah 125 build $WITH_POLICY_JSON ${TEST_SCRATCH_DIR}
expect_output --substring "invalid mount option"
}
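Review bot: Both new tests exercise only the rejection path; neither confirms that a legitimate propagation mode still builds, so an over-tight list or a typo in one of the two switches would pass this suite unnoticed. A third case that uses an accepted value and expects exit status 0 closes that gap, e.g. `RUN --mount=type=bind,from=base,source=/,destination=/var/empty,rw,bind-propagation=rslave pwd` driven by `run_buildah build $WITH_POLICY_JSON ${TEST_SCRATCH_DIR}`. The choice of `suid` presumably reflects that it is a mount option in its own right but not a propagation mode, which is the exact class of value the fix is meant to stop from reaching the mount; that intent should be recorded in each test, `# "suid" is a mount option but not a propagation mode; it must be rejected here`, so a later cleanup does not swap it for an arbitrary string and weaken the check.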
