Excessive privileges In github.com/opencontainers/runc
Description
rootless: /sys/fs/cgroup is writable when cgroupns isn't unshared in runc
Impact
It was found that rootless runc makes /sys/fs/cgroup writable under the following conditions:
1. runc is executed inside a user namespace and config.json does not specify that the cgroup namespace is to be unshared (e.g., (docker|podman|nerdctl) run --cgroupns=host with Rootless Docker/Podman/nerdctl); or
2. runc is executed outside a user namespace and /sys is mounted with rbind, ro (e.g., runc spec --rootless; this condition is very rare).
In either case, a container may gain write access to the user-owned cgroup hierarchy /sys/fs/cgroup/user.slice/... on the host.
Other users' cgroup hierarchies are not affected.
Patches
v1.1.5 (planned)
Workarounds
Condition 1: Unshare the cgroup namespace ((docker|podman|nerdctl) run --cgroupns=private). This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts.
Condition 2 (very rare): add /sys/fs/cgroup to maskedPaths
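Both conditions, and both workarounds, are visible in the OCI config.json that runc consumes. The following is an added example (not code from runc or this advisory) that audits a config for the two conditions and applies the corresponding workaround: adding a cgroup namespace for condition 1, or adding /sys/fs/cgroup to linux.maskedPaths for condition 2. The sample configs are constructed for illustration and contain only the fields the check needs.

```python
"""Audit an OCI runtime config.json for the rootless /sys/fs/cgroup exposure
described in this advisory and apply the documented workaround.

Added example; not part of runc. The sample configs below are constructed.
"""
import copy

CGROUP_PATH = "/sys/fs/cgroup"


def _namespace_types(config):
    """Return the set of namespace types the config asks runc to unshare."""
    return {ns.get("type") for ns in config.get("linux", {}).get("namespaces", [])}


def _sys_mounted_rbind_ro(config):
    """True if /sys is a recursive bind of the host /sys marked read-only.

    The 'ro' flag on an rbind applies to the top-level /sys mount only; the
    sub-mounts it pulls in (such as /sys/fs/cgroup) keep their own flags,
    which is why condition 2 leaves the cgroup tree writable.
    """
    for mount in config.get("mounts", []):
        if mount.get("destination") != "/sys":
            continue
        options = set(mount.get("options", []))
        if {"rbind", "ro"} <= options:
            return True
    return False


def audit(config):
    """Return the list of advisory conditions the config matches ([] if none)."""
    findings = []
    namespaces = _namespace_types(config)
    masked = set(config.get("linux", {}).get("maskedPaths", []))
    if CGROUP_PATH in masked:
        return findings  # cgroup tree is masked inside the container either way
    if "user" in namespaces and "cgroup" not in namespaces:
        findings.append("condition1")  # rootless, cgroupns=host
    elif "user" not in namespaces and _sys_mounted_rbind_ro(config):
        findings.append("condition2")  # runc spec --rootless style /sys rbind
    return findings


def harden(config):
    """Return a copy of config with the advisory's workaround applied."""
    fixed = copy.deepcopy(config)
    linux = fixed.setdefault("linux", {})
    for finding in audit(config):
        if finding == "condition1":
            # Workaround 1: unshare the cgroup namespace (--cgroupns=private).
            linux.setdefault("namespaces", []).append({"type": "cgroup"})
        elif finding == "condition2":
            # Workaround 2: mask /sys/fs/cgroup so the host tree is not reachable.
            linux.setdefault("maskedPaths", []).append(CGROUP_PATH)
    return fixed


# Constructed sample: rootless container with cgroupns=host (condition 1).
ROOTLESS_HOST_CGROUPNS = {
    "ociVersion": "1.0.2",
    "linux": {
        "namespaces": [{"type": "user"}, {"type": "pid"}, {"type": "mount"}],
        "maskedPaths": ["/proc/kcore"],
    },
    "mounts": [{"destination": "/sys", "type": "sysfs", "source": "sysfs",
                "options": ["nosuid", "noexec", "nodev", "ro"]}],
}

# Constructed sample: no user namespace, /sys rbind,ro (condition 2).
SPEC_ROOTLESS_RBIND = {
    "ociVersion": "1.0.2",
    "linux": {"namespaces": [{"type": "pid"}, {"type": "mount"}], "maskedPaths": []},
    "mounts": [{"destination": "/sys", "type": "none", "source": "/sys",
                "options": ["rbind", "nosuid", "noexec", "nodev", "ro"]}],
}

if __name__ == "__main__":
    for name, cfg in (("cgroupns=host", ROOTLESS_HOST_CGROUPNS),
                      ("spec --rootless", SPEC_ROOTLESS_RBIND)):
        print(name, "->", audit(cfg) or "ok", "| after harden:", audit(harden(cfg)) or "ok")
```

Running the module prints one line per sample showing the matched condition and that the hardened copy matches none; pointing audit() at a real config.json is a matter of json.load() on the file before passing it in.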
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected versions | Patched versions
---|---|---|---
go | github.com/opencontainers/runc | | 1.1.5
debian 11 | runc | | 1.0.0~rc93+ds1-5+deb11u4
debian 12 | runc | | 1.1.5+ds1-1
debian 13 | runc | | 1.1.5+ds1-1
debian 14 | runc | | 1.1.5+ds1-1
rpm rhel7 | runc | - | -
rpm rhel8 | runc | - | -
rpm rhel9 | runc | | 4:1.1.9-1.el9
Aliases
References