mirror of
https://github.com/netbirdio/gvisor.git
synced 2026-05-22 17:12:49 -07:00
d81768d4c8
The peer credential check worked by querying the peer's UID using SO_PEERCRED. However, when sandbox is configured with custom UID/GID mappings, which it is in the following situations:

1. When not using directfs, sandbox has a mapping of only `65534:65534:1`. So all other non-65534 UIDs are unmapped.
2. When using directfs with userns-remap. The sandbox has the same UID/GID mapping as the container.

In these cases, when the root user tries to connect, the host root user is not mapped. Unmapped IDs are translated to overflowuid/gid, which happens to default to 65534. This leads to unexpected results:

- Without directfs, this check allows any connection, because sandbox is also running as nobody/65534.
- In the directfs+userns-remap case, all connections are denied.

This check doesn't really enforce anything. Hence remove it.

The real enforcement mechanism is the file mode of the unix domain socket over which the connection happens. The socket file's mode depends on umask, which defaults to 022. Hence only the user which creates the sandbox via `runsc create` has write permission on this socket. So only the sandbox creator or root can connect to the sandbox, as intended.

Fixes #9356

PiperOrigin-RevId: 565836818
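The commit message relies on two Linux facts: a freshly bound unix domain socket file gets permission bits 0777 with the process umask cleared (0755 under the default umask of 022), and connect() on that socket requires write permission on the socket inode, which root bypasses. The following Go program is an added example written for this page, not code from gVisor or from the commit; it binds a socket under a chosen umask, reports the resulting mode, and models the connect permission decision with a small helper (`ConnectPermitted`, a name assumed here, with uid 0 standing in for CAP_DAC_OVERRIDE; real supplementary-group and ACL handling is omitted).

```go
package main

import (
	"fmt"
	"net"
	"os"
	"path/filepath"
	"syscall"
)

// SocketModeUnderUmask returns the permission bits a newly bound unix domain
// socket file receives: the kernel starts from 0777 and clears the umask bits.
func SocketModeUnderUmask(umask os.FileMode) os.FileMode {
	return 0o777 &^ umask
}

// ConnectPermitted models the kernel's check on connect() to a unix domain
// socket: the caller needs write permission on the socket file. uid 0 stands
// in for CAP_DAC_OVERRIDE, which bypasses the mode bits (assumption of this
// example; ACLs and other capabilities are not modelled).
func ConnectPermitted(perm os.FileMode, ownerUID, ownerGID, callerUID uint32, callerGIDs []uint32) bool {
	if callerUID == 0 {
		return true
	}
	if callerUID == ownerUID {
		return perm&0o200 != 0 // owner write bit
	}
	for _, g := range callerGIDs {
		if g == ownerGID {
			return perm&0o020 != 0 // group write bit
		}
	}
	return perm&0o002 != 0 // other write bit
}

// BindSocketWithUmask binds a unix socket at path with the given umask in
// force and returns the permission bits the kernel assigned to the socket
// file. The listener is closed (and the file unlinked) before returning.
func BindSocketWithUmask(path string, umask int) (os.FileMode, error) {
	old := syscall.Umask(umask)
	defer syscall.Umask(old)
	l, err := net.Listen("unix", path)
	if err != nil {
		return 0, err
	}
	defer l.Close()
	fi, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	if fi.Mode()&os.ModeSocket == 0 {
		return 0, fmt.Errorf("%s is not a socket", path)
	}
	return fi.Mode().Perm(), nil
}

func main() {
	dir, err := os.MkdirTemp("", "sockmode")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	// Constructed scenario: the sandbox creator is uid/gid 1000, a different
	// unprivileged user is uid/gid 1001, and root is uid 0.
	perm, err := BindSocketWithUmask(filepath.Join(dir, "sandbox.sock"), 0o022)
	if err != nil {
		panic(err)
	}
	fmt.Printf("socket mode under umask 022: %04o (predicted %04o)\n", perm, SocketModeUnderUmask(0o022))
	fmt.Println("creator (1000) may connect:", ConnectPermitted(perm, 1000, 1000, 1000, []uint32{1000}))
	fmt.Println("other user (1001) may connect:", ConnectPermitted(perm, 1000, 1000, 1001, []uint32{1001}))
	fmt.Println("root may connect:", ConnectPermitted(perm, 1000, 1000, 0, nil))
}
```

Run it on a Linux host; the printed mode is 0755, so only the creator and root pass the modelled check, which is the property the commit message says the socket file mode enforces once the SO_PEERCRED check is gone. Note that a more permissive umask (for example 000) would widen the set of users able to connect, so the umask of the process running `runsc create` is part of the security boundary.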
20 lines
390 B
Python
load("//tools:defs.bzl", "go_library")

package(
    default_applicable_licenses = ["//:license"],
    licenses = ["notice"],
)

go_library(
    name = "server",
    srcs = ["server.go"],
    visibility = ["//:sandbox"],
    deps = [
        "//pkg/abi/linux",
        "//pkg/sync",
        "//pkg/unet",
        "//pkg/urpc",
        "@org_golang_x_sys//unix:go_default_library",
    ],
)