Vulnerability in cgroups v1 that allows escaping from an isolated container

Details have been disclosed about a vulnerability (CVE-2022-0492) in the implementation of the cgroups v1 resource-limiting mechanism in the Linux kernel, which can be used to escape from isolated containers. The problem has been present since Linux kernel 2.6.24 and was fixed in kernel releases 5.16.12, 5.15.26, 5.10.97, 5.4.177, 4.19.229, 4.14.266, and 4.9.301. You can follow the publication of package updates in distributions on these pages: Debian, SUSE, Ubuntu, RHEL, Fedora, Gentoo, Arch Linux.

The vulnerability is caused by a logic error in the release_agent file handler, which failed to perform proper checks before running the handler with full privileges. The release_agent file defines the program that the kernel executes when a process in a cgroup terminates. This program runs as root and with all "capabilities" in the root namespace. It was assumed that only the administrator had access to the release_agent setting, but in fact the check only verified that the writer was the root user, which did not exclude changing the setting from a container, or by a root user without administrative rights (CAP_SYS_ADMIN).

Previously, such a feature would not have been regarded as a vulnerability, but the situation changed with the advent of user namespaces, which allow separate users to be created inside containers that do not overlap with the root user of the host environment. Accordingly, for an attack it is enough to attach a release_agent handler from a container that has its own root user in a separate user ID namespace; after the process completes, the handler will be executed with the full privileges of the host environment.

By default, cgroupfs is mounted in a container in read-only mode, but there is no obstacle to remounting this pseudo-filesystem in write mode if you have CAP_SYS_ADMIN rights, or by creating a nested container with a separate user namespace using the unshare system call, in which CAP_SYS_ADMIN rights are available for the created container.


The attack can be carried out if you have root privileges in an isolated container, or when the container is run without the no_new_privs flag, which forbids acquiring additional privileges. The system must have support for user namespaces enabled (enabled by default in Ubuntu and Fedora, but not activated in Debian and RHEL) and there must be access to the root cgroup v1 (for example, Docker runs containers in the root RDMA cgroup). The attack is also possible with CAP_SYS_ADMIN privileges, in which case neither user namespace support nor access to the root cgroup v1 hierarchy is required.

Besides escaping from an isolated container, the vulnerability also allows processes launched by the root user without "capabilities", or by any user with CAP_DAC_OVERRIDE rights (the attack requires access to the file /sys/fs/cgroup/*/release_agent, which is owned by root), to gain all system "capabilities".

It is noted that the vulnerability cannot be exploited when the Seccomp, AppArmor, or SELinux protection mechanisms are used for additional container isolation, since Seccomp blocks access to the unshare() system call, and AppArmor and SELinux do not allow cgroupfs to be mounted in write mode.
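As an added defender-side check (not part of the original article or any vendor tool), the following Python script encodes the fixed kernel versions listed above, reports whether unprivileged user namespaces are available on the host, and lists every cgroup v1 hierarchy whose release_agent is already populated. The sysctl paths it reads (kernel.unprivileged_userns_clone on Debian/Ubuntu, user.max_user_namespaces elsewhere) are my assumptions about common distributions, and the `cgroup_root` parameter exists so it can be pointed at a constructed directory for testing.

```python
import os
import re

# Kernel releases that fix CVE-2022-0492, per the article: stable branch -> first fixed patch level.
FIXED = {(5, 16): 12, (5, 15): 26, (5, 10): 97, (5, 4): 177,
         (4, 19): 229, (4, 14): 266, (4, 9): 301}

def parse_kernel_version(release):
    """Turn a `uname -r` style string such as '5.10.97-1-amd64' into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unparseable kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def is_fixed(release):
    """True when the upstream version is at or past its branch's fixed release; branches after
    5.16 were cut with the fix in. Unlisted (end-of-life) branches such as 5.11 count as not
    fixed. Caveat: distro kernels backport fixes without bumping the patch level, so False
    means 'check the distribution advisory', not 'proven vulnerable'."""
    major, minor, patch = parse_kernel_version(release)
    if (major, minor) > (5, 16):
        return True
    fixed_patch = FIXED.get((major, minor))
    return fixed_patch is not None and patch >= fixed_patch

def unprivileged_userns_enabled(proc="/proc"):
    """Best effort (assumed knobs): Debian/Ubuntu expose kernel.unprivileged_userns_clone, other
    distros only user.max_user_namespaces (0 disables user namespaces). None if neither exists."""
    clone = os.path.join(proc, "sys/kernel/unprivileged_userns_clone")
    if os.path.exists(clone):
        return open(clone).read().strip() == "1"
    max_ns = os.path.join(proc, "sys/user/max_user_namespaces")
    if os.path.exists(max_ns):
        return int(open(max_ns).read().strip()) > 0
    return None

def configured_release_agents(cgroup_root="/sys/fs/cgroup"):
    """Hierarchy name -> agent for every cgroup v1 hierarchy whose release_agent is non-empty.
    Hosts normally leave these empty; the kernel runs whatever is set here as root with full
    capabilities on every cgroup release, so an unexpected program is worth investigating."""
    found = {}
    for name in sorted(os.listdir(cgroup_root)):
        try:
            agent = open(os.path.join(cgroup_root, name, "release_agent")).read().strip()
        except OSError:  # not a v1 hierarchy dir (e.g. a cgroup v2 file) or permission denied
            continue
        if agent:
            found[name] = agent
    return found
```

Run it as root on a host (`is_fixed(os.uname().release)`, `unprivileged_userns_enabled()`, `configured_release_agents()`) to get the three exposure signals the article describes; a non-fixed kernel plus enabled user namespaces is the combination to escalate to the distribution advisory.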

source: budenet.ru
