Workloads can modify systemd user services by means of mounting the device's file system and escaping SELinux. #224

Open
jordigilh opened this issue Aug 4, 2022 · 2 comments
Labels
bug Something isn't working

Comments

@jordigilh
Contributor

jordigilh commented Aug 4, 2022

Steps to reproduce:

  • Run this workload:
apiVersion: management.project-flotta.io/v1alpha1
kind: EdgeWorkload
metadata:
  name: mount
  annotations:
    podman/run.oci.keep_original_groups: "1"
spec:
  deviceSelector:
    matchLabels:
      app: mount
  type: pod
  pod:
    spec:
      containers:
      - image: docker.io/eloycoto/logexample
        name: fedora
        volumeMounts:
        - mountPath: /home/flotta/
          name: home
        securityContext:
          seLinuxOptions:
            type: 'spc_t'
      restartPolicy: Always      
      volumes:
      - name: home
        hostPath:
          path: /var/home/flotta
          type: File
  • Label the edgeworkload with app=mount so that the workload will run in the device
  • SSH to the device and then su into the flotta user: su -l flotta -s /bin/bash
  • Run a shell inside the container that runs the workload: podman exec -it mount-fedora bash
  • Remove the soft link mount.service found in /home/flotta/.config/systemd/user/default.target.wants/
[root@mount /]# ls -la /home/flotta/.config/systemd/user/default.target.wants
total 0
drwxr-xr-x. 2 root root  27 Aug  4 22:23 .
drwxr-xr-x. 4 root root 121 Aug  4 22:23 ..
lrwxrwxrwx. 1 root root  51 Aug  4 22:23 mount.service -> /var/home/flotta/.config/systemd/user/mount.service
[root@mount /]# rm /home/flotta/.config/systemd/user/default.target.wants/mount.service 
rm: remove symbolic link '/home/flotta/.config/systemd/user/default.target.wants/mount.service'? y
[root@mount /]#
  • Exit the container and check that the file has been deleted:
[flotta@fedora user]$ ls -la default.target.wants/
total 0
drwxr-xr-x. 2 flotta flotta  6 Aug  4 18:11 .
drwxr-xr-x. 4 flotta flotta 83 Aug  4 18:12 ..
  • Wait until the agent deletes the workload:
Aug 04 18:12:09 fedora yggdrasild[841]: [yggdrasild] 2022/08/04 18:12:09 /usr/libexec/yggdrasil/device-worker: workload not found: mount. Removing. DeviceID: 4233c45699b644b79107306e74bccbc5;
Aug 04 18:12:20 fedora yggdrasild[841]: [yggdrasild] 2022/08/04 18:12:20 /usr/libexec/yggdrasil/device-worker: workload mount removed. DeviceID: 4233c45699b644b79107306e74bccbc5;

Note: As a side effect, the edgeworkload is removed from the control plane as well as from the device.

@jordigilh jordigilh added the bug Something isn't working label Aug 4, 2022
@jordigilh
Contributor Author

Note that the side effect is due to uncommitted code and it is not a reproducible outcome. However, the fact that the container can modify the host's files is still applicable.

@jordigilh
Contributor Author

After discussing this issue with flotta members (@masayag @eloycoto @pkliczewski @tupyy) we resolved to document this use case and to suggest using OPA (validating webhooks) to prevent workloads from mounting paths that are not allowed based on each deployment use case.
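The thread closes by pointing at a validating webhook as the place to stop this class of workload. The Go program below is an added example, written for this page; it is not code from the flotta project, from OPA, or from anyone in the thread. It shows the two checks such a webhook needs for the workload posted at the top of the issue: the hostPath volume (/var/home/flotta, the agent user's home, where the systemd user units live) must fall under an allowlisted prefix, and an explicitly requested SELinux type (spc_t, which makes the container an unconfined "super privileged container") must be on an allowlist too. It goes slightly beyond the issue's single case by also rejecting ".." traversal and look-alike sibling prefixes. The struct types are a trimmed guess at the EdgeWorkload shape, and Policy, Validate, DefaultPolicy and the /var/lib/flotta-workloads prefix are all assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"strings"
)

// Minimal subset of the EdgeWorkload shape the policy needs. These structs are
// an assumption made for this example, not the project's own API types.
type (
	Container struct {
		Name            string `json:"name"`
		SecurityContext *struct {
			SELinuxOptions *struct{ Type string `json:"type,omitempty"` } `json:"seLinuxOptions,omitempty"`
		} `json:"securityContext,omitempty"`
	}
	HostPath struct{ Path string `json:"path"` }
	Volume   struct {
		Name     string    `json:"name"`
		HostPath *HostPath `json:"hostPath,omitempty"`
	}
	PodSpec struct {
		Containers []Container `json:"containers"`
		Volumes    []Volume    `json:"volumes"`
	}
	EdgeWorkload struct {
		Spec struct {
			Pod struct{ Spec PodSpec `json:"spec"` } `json:"pod"`
		} `json:"spec"`
	}
)

// Policy is the per-deployment allowlist; an unset seLinuxOptions keeps the runtime default and is admitted.
type Policy struct {
	AllowedHostPathPrefixes []string
	AllowedSELinuxTypes     map[string]bool
}

// DefaultPolicy is hypothetical; the mount prefix is an assumption for this example.
func DefaultPolicy() Policy {
	return Policy{[]string{"/var/lib/flotta-workloads"}, map[string]bool{"container_t": true}}
}

// hostPathAllowed reports whether p is at or below an allowed prefix. path.Clean
// collapses ".." and "//" but does not resolve symlinks (e.g. /home -> /var/home
// on OSTree hosts), so the allowlist must name canonical paths.
func hostPathAllowed(p string, prefixes []string) bool {
	clean := path.Clean(p)
	for _, prefix := range prefixes {
		prefix = path.Clean(prefix)
		if clean == prefix || strings.HasPrefix(clean, prefix+"/") {
			return true
		}
	}
	return false
}

// Validate returns one message per violation; an empty result means admit.
func Validate(wl EdgeWorkload, pol Policy) []string {
	var out []string
	for _, v := range wl.Spec.Pod.Spec.Volumes {
		if v.HostPath != nil && !hostPathAllowed(v.HostPath.Path, pol.AllowedHostPathPrefixes) {
			out = append(out, fmt.Sprintf("volume %q: hostPath %q is outside the allowed prefixes", v.Name, v.HostPath.Path))
		}
	}
	for _, c := range wl.Spec.Pod.Spec.Containers {
		if c.SecurityContext == nil || c.SecurityContext.SELinuxOptions == nil {
			continue
		}
		if t := c.SecurityContext.SELinuxOptions.Type; t != "" && !pol.AllowedSELinuxTypes[t] {
			out = append(out, fmt.Sprintf("container %q: SELinux type %q is not in the allowlist", c.Name, t))
		}
	}
	return out
}

// ParseWorkload decodes the object as a validating webhook receives it (JSON in
// an AdmissionReview); unknown fields such as apiVersion and kind are ignored.
func ParseWorkload(data []byte) (EdgeWorkload, error) {
	var wl EdgeWorkload
	err := json.Unmarshal(data, &wl)
	return wl, err
}

// Constructed input: the workload from the issue, rendered as JSON.
const IssueWorkloadJSON = `{"apiVersion": "management.project-flotta.io/v1alpha1", "kind": "EdgeWorkload",
 "metadata": {"name": "mount", "annotations": {"podman/run.oci.keep_original_groups": "1"}},
 "spec": {"type": "pod", "pod": {"spec": {
   "containers": [{"name": "fedora", "image": "docker.io/eloycoto/logexample",
     "securityContext": {"seLinuxOptions": {"type": "spc_t"}}}],
   "volumes": [{"name": "home", "hostPath": {"path": "/var/home/flotta", "type": "File"}}]}}}}`

func main() {
	if wl, err := ParseWorkload([]byte(IssueWorkloadJSON)); err == nil {
		fmt.Println(Validate(wl, DefaultPolicy())) // two deny messages for the issue's workload
	}
}
```

Two caveats a practitioner would keep in mind when wiring this into a real webhook: the check is purely structural, so a prefix that is itself a symlink (the /home to /var/home mapping on OSTree hosts is a common one) must be listed by its canonical name, and the policy only covers what the control plane sees; the device agent is still the component that actually performs the mount, so the same allowlist is worth enforcing there as a second line of defence.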
