From: Daniel Golle <daniel@makrotopia.org>
Date: Thu, 13 Aug 2020 00:22:11 +0000 (+0100)
Subject: cgroups: restrict allowed keys in 'unified' section
X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=80c951668c0e3bd66888302a5b3f12c7324d9c82;p=project%2Fprocd.git

cgroups: restrict allowed keys in 'unified' section

Prevent specifying directories by banning the use of '/' characters
and disallow some internal cgroup.* files as suggested in [1].

[1]: https://github.com/opencontainers/runtime-spec/pull/1040

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
---

diff --git a/jail/cgroups.c b/jail/cgroups.c
index 97583b3..ab88643 100644
--- a/jail/cgroups.c
+++ b/jail/cgroups.c
@@ -721,6 +721,14 @@ static int parseOCIlinuxcgroups_unified(struct blob_attr *msg)
 		if (blobmsg_type(cur) != BLOBMSG_TYPE_STRING)
 			return EINVAL;
 
+		/* restrict keys */
+		if (strchr(blobmsg_name(cur), '/') ||
+		    !strcmp(blobmsg_name(cur), "cgroup.subtree_control") ||
+		    !strcmp(blobmsg_name(cur), "cgroup.procs") ||
+		    !strcmp(blobmsg_name(cur), "cgroup.threads") ||
+		    !strcmp(blobmsg_name(cur), "cgroup.freeze"))
+			return EINVAL;
+
 		cgroups_set(blobmsg_name(cur), blobmsg_get_string(cur));
 	}