
Match VT device paths to be blocked from mounting exactly #17104

Closed

Commits on Jan 20, 2023

  1. Match VT device paths to be blocked from mounting exactly

    As @mheon pointed out in PR containers#17055[^1], isVirtualConsoleDevice() does
    not only match VT device paths but also devices named like
    /dev/tty0abcd.
    This causes non-VT device paths named /dev/tty[0-9]+[A-Za-z]+ to
    accidentally not be mounted into privileged containers and systemd containers.
    
    This is an unlikely issue because the Linux kernel does not use device
    paths like that.
    To make it failproof and prevent issues in unlikely scenarios, change
    isVirtualConsoleDevice() to exactly match ^/dev/tty[0-9]+$ paths.
    
    Because it is not possible to match this path exactly with Glob syntax,
    the path is now checked with strings.TrimPrefix() and
    strconv.ParseUint().
    ParseUint uses a bitsize of 16; this is sufficient because the max
    number of TTY devices is 512 in Linux 6.1.5.
    (Checked via 'git grep -e '#define' --and -e 'TTY_MINORS').
    
    The commit also adds a unit test for isVirtualConsoleDevice().
    
    Fixes: f4c81b0 ("Only prevent VTs to be mounted inside...")
    
    [^1]: containers#17055 (comment)
    
    Signed-off-by: Fabian Holler <mail@fholler.de>
    fho committed Jan 20, 2023
    ed0249f
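The check the commit message describes, as an added Go example that is not podman's own code: an assumed pre-fix glob (`isVirtualConsoleDeviceGlob`, a hypothetical name and pattern reconstructed from the description) beside the exact `strings.TrimPrefix` plus `strconv.ParseUint` match, run over constructed sample paths.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strconv"
	"strings"
)

// isVirtualConsoleDeviceGlob approximates the pre-fix behaviour described in
// the commit message (assumed glob, not podman's exact pattern): "*" also
// matches trailing letters, so "/dev/tty0abcd" is treated as a VT.
func isVirtualConsoleDeviceGlob(path string) bool {
	matched, err := filepath.Match("/dev/tty[0-9]*", path)
	return err == nil && matched
}

// isVirtualConsoleDevice implements the fixed check from the commit message:
// the path must match ^/dev/tty[0-9]+$. Glob syntax cannot express "one or
// more digits and nothing else", so the prefix is stripped and the remainder
// is parsed as an unsigned integer.
func isVirtualConsoleDevice(path string) bool {
	const prefix = "/dev/tty"
	if !strings.HasPrefix(path, prefix) {
		return false
	}
	minor := strings.TrimPrefix(path, prefix)
	if minor == "" {
		return false // bare /dev/tty (controlling terminal) is not a VT
	}
	// Base-10 ParseUint rejects an empty string, a sign, underscores and any
	// non-digit character, so "0abcd", "-1" and "S0" all fail here. Bit size 16
	// is enough: the commit notes TTY_MINORS is 512 in Linux 6.1.5, and any
	// larger number returns a range error and is rejected as well.
	_, err := strconv.ParseUint(minor, 10, 16)
	return err == nil
}

func main() {
	// Constructed sample paths: real VTs, the mis-matched case from the PR,
	// and a few non-VT tty devices.
	for _, p := range []string{"/dev/tty0", "/dev/tty63", "/dev/tty0abcd",
		"/dev/ttyS0", "/dev/tty", "/dev/tty-1", "/dev/tty65536"} {
		fmt.Printf("%-14s glob=%-5v exact=%v\n", p,
			isVirtualConsoleDeviceGlob(p), isVirtualConsoleDevice(p))
	}
}
```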