Merge pull request containerd#9287 from lengrongfu/feat/add-warning-u…

…se-inheritable add warning use inheritable Capabilities
henry118 · Nov 4, 2023 · bd2db42 · bd2db42
2 parents 33fab02 + df19888
commit bd2db42
Show file tree

Hide file tree

Showing 2 changed files with 62 additions and 0 deletions.
diff --git a/pkg/cri/server/service.go b/pkg/cri/server/service.go
@@ -417,6 +417,9 @@ func loadBaseOCISpecs(config *criconfig.Config) (map[string]*oci.Spec, error) {
 			return nil, fmt.Errorf("failed to load base OCI spec from file: %s: %w", cfg.BaseRuntimeSpec, err)
 		}
 
+		if spec.Process != nil && spec.Process.Capabilities != nil && len(spec.Process.Capabilities.Inheritable) > 0 {
+			log.L.WithField("base_runtime_spec", cfg.BaseRuntimeSpec).Warn("Provided base runtime spec includes inheritable capabilities, which may be unsafe. See CVE-2022-24769 for more details.")
+		}
 		specs[cfg.BaseRuntimeSpec] = spec
 	}
 

diff --git a/pkg/cri/server/service_test.go b/pkg/cri/server/service_test.go
@@ -17,7 +17,9 @@
 package server
 
 import (
+	"bytes"
 	"encoding/json"
+	"io"
 	"os"
 	"testing"
 
@@ -33,6 +35,9 @@ import (
 	servertesting "github.com/containerd/containerd/v2/pkg/cri/testing"
 	ostesting "github.com/containerd/containerd/v2/pkg/os/testing"
 	"github.com/containerd/containerd/v2/pkg/registrar"
+	"github.com/containerd/log"
+	"github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/sirupsen/logrus"
 )
 
 // newTestCRIService creates a fake criService for test.
@@ -82,3 +87,57 @@ func TestLoadBaseOCISpec(t *testing.T) {
 	assert.Equal(t, "1.0.2", out.Version)
 	assert.Equal(t, "default", out.Hostname)
 }
+
+func Test_loadBaseOCISpecs(t *testing.T) {
+	spec := oci.Spec{
+		Version:  "1.0.2",
+		Hostname: "default",
+		Process: &specs.Process{
+			Capabilities: &specs.LinuxCapabilities{
+				Inheritable: []string{"CAP_NET_RAW"},
+			},
+		},
+	}
+	file, err := os.CreateTemp("", "spec-test-")
+	require.NoError(t, err)
+	defer func() {
+		assert.NoError(t, file.Close())
+		assert.NoError(t, os.RemoveAll(file.Name()))
+	}()
+	err = json.NewEncoder(file).Encode(&spec)
+	require.NoError(t, err)
+	config := criconfig.Config{}
+	config.Runtimes = map[string]criconfig.Runtime{
+		"runc": {BaseRuntimeSpec: file.Name()},
+	}
+	var buffer bytes.Buffer
+	logger := &logrus.Logger{
+		Out:          &buffer,
+		Formatter:    new(logrus.TextFormatter),
+		Hooks:        make(logrus.LevelHooks),
+		Level:        logrus.InfoLevel,
+		ExitFunc:     os.Exit,
+		ReportCaller: false,
+	}
+	log.L = logrus.NewEntry(logger)
+	tests := []struct {
+		name    string
+		args    *criconfig.Config
+		message string
+	}{
+		{
+			name:    "args is not nil,print warning",
+			args:    &config,
+			message: "Provided base runtime spec includes inheritable capabilities, which may be unsafe. See CVE-2022-24769 for more details.",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			loadBaseOCISpecs(tt.args)
+			readAll, _ := io.ReadAll(&buffer)
+			if tt.message != "" {
+				assert.Contains(t, string(readAll), tt.message)
+			}
+		})
+	}
+}