A vulnerability in cgroups v1 allows escaping from an isolated container

Details have been disclosed of a vulnerability (CVE-2022-0492) in the implementation of the cgroups v1 resource-limiting mechanism in the Linux kernel that can be used to escape from isolated containers. The problem has been present since Linux kernel 2.6.24 and was fixed in kernel releases 5.16.12, 5.15.26, 5.10.97, 5.4.177, 4.19.229, 4.14.266 and 4.9.301. The release of package updates in distributions can be tracked on these pages: Debian, SUSE, Ubuntu, RHEL, Fedora, Gentoo, Arch Linux.

The vulnerability is caused by a logic error in the handler for the release_agent file, which did not perform the proper privilege checks before a release agent is run with full privileges. The release_agent file specifies the program that the kernel executes when a cgroup becomes empty (its last process exits) and notify_on_release is set for that cgroup. That program runs as root with all "capabilities" in the root namespace. It was assumed that only an administrator could set release_agent, but the actual check amounted to granting write access to the root user, which did not exclude changing the setting from inside a container, or by a root user who lacks the administrator capability (CAP_SYS_ADMIN).

Earlier, such behaviour would not have been considered a vulnerability, but the situation changed with the arrival of user namespaces, which make it possible to create separate root users inside containers that do not coincide with the root user of the main environment. Accordingly, for an attack it is enough to hook up one's own release_agent handler from a container whose root user lives in a separate user ID namespace; once the cgroup empties, that handler is executed with the full privileges of the main (host) environment.

By default, cgroupfs is mounted read-only inside a container, but nothing prevents remounting this pseudo-filesystem read-write if one has CAP_SYS_ADMIN, or creating a nested container with a separate user namespace via the unshare system call, in which CAP_SYS_ADMIN is available to the newly created container (over its own namespace).


The attack can be carried out with root privileges inside an isolated container, or when a container is run without the no_new_privs flag, which forbids acquiring additional privileges. The system must have user namespace support enabled (enabled by default on Ubuntu and Fedora, but not activated on Debian and RHEL) and the container must have access to the root of a cgroup v1 hierarchy (for example, Docker runs containers in the root RDMA cgroup). The attack is also possible with CAP_SYS_ADMIN privileges, in which case neither user namespace support nor access to the cgroup v1 root hierarchy is required.

Besides escaping from an isolated container, the vulnerability also lets processes started by the root user without "capabilities", or by any user holding CAP_DAC_OVERRIDE (the attack requires write access to the root-owned file /sys/fs/cgroup/*/release_agent), gain all system "capabilities".

It is noted that the vulnerability cannot be exploited when Seccomp, AppArmor or SELinux are used for additional container isolation, since a Seccomp profile such as Docker's default one blocks the unshare() system call, and AppArmor and SELinux do not allow mounting cgroupfs read-write.
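The preconditions above (patched kernel version, no_new_privs, a seccomp filter, user namespace availability, a reachable cgroup v1 hierarchy with a writable release_agent, an LSM confinement) can be checked without touching anything. The script below is an added example, not code from the article, from opennet.ru or from the kernel project; the function names are the author's own, the fixed-version table is taken from the list in this article, and the /proc paths are the standard kernel interfaces. It does not attempt the unshare()+remount path described above, so a clean result shows only that the direct precondition is absent as the process currently stands.

```shell
#!/bin/sh
# Added audit helpers for CVE-2022-0492 (example code, not from the advisory
# or the kernel project). Read-only: nothing is mounted, remounted or written.

# cve_2022_0492_fixed VERSION
#   0: VERSION is at or above the fixed release of its stable series
#      (5.16.12, 5.15.26, 5.10.97, 5.4.177, 4.19.229, 4.14.266, 4.9.301)
#      or is 5.17 or newer; 1: older than the fixed release; 2: the series
#      is not in the advisory's list (e.g. an end-of-life series like 5.13).
#   Caveat: distribution kernels backport fixes without bumping the upstream
#   version (an Ubuntu "5.15.0-xx" kernel, for instance), so a result of 1
#   means "consult the distribution advisory", not "definitely vulnerable".
cve_2022_0492_fixed() {
  v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')   # "5.10.97-1-amd64" -> "5.10.97"
  maj=${v%%.*}
  rest=${v#*.}
  min=${rest%%.*}
  pat=${rest#*.}
  [ "$pat" = "$rest" ] && pat=0                 # "5.10" carries no patch level
  # Every release from 5.17 onward was cut after the fix landed in mainline.
  if [ "$maj" -gt 5 ] || { [ "$maj" -eq 5 ] && [ "$min" -ge 17 ]; }; then
    return 0
  fi
  case "$maj.$min" in
    5.16) fix=12 ;;
    5.15) fix=26 ;;
    5.10) fix=97 ;;
    5.4)  fix=177 ;;
    4.19) fix=229 ;;
    4.14) fix=266 ;;
    4.9)  fix=301 ;;
    *)    return 2 ;;
  esac
  [ "$pat" -ge "$fix" ]
}

# release_agent_exposure
#   Prints the conditions the advisory names (no_new_privs, seccomp mode,
#   effective capabilities, LSM label, user-namespace sysctls) as seen by the
#   calling process, then walks /proc/mounts and tests each cgroup v1 mount
#   point's release_agent for writability. Returns 1 if any is writable (the
#   direct precondition of the attack), 0 if none is, 2 if /proc is missing.
release_agent_exposure() {
  [ -r /proc/mounts ] || return 2
  writable=0
  # Seccomp: 2 means a filter is active; NoNewPrivs: 1 means the flag is set.
  [ -r /proc/self/status ] && grep -E '^(NoNewPrivs|Seccomp|CapEff):' /proc/self/status
  [ -r /proc/self/attr/current ] && printf 'LSM label: %s\n' "$(cat /proc/self/attr/current 2>/dev/null)"
  [ -r /proc/sys/user/max_user_namespaces ] && printf 'max_user_namespaces: %s\n' "$(cat /proc/sys/user/max_user_namespaces)"
  # Debian/Ubuntu-specific sysctl; absent on other distributions.
  [ -r /proc/sys/kernel/unprivileged_userns_clone ] && printf 'unprivileged_userns_clone: %s\n' "$(cat /proc/sys/kernel/unprivileged_userns_clone)"
  # /proc/mounts columns: device mountpoint fstype options ...; type "cgroup"
  # is a v1 hierarchy (each exposes release_agent at its root), "cgroup2" is v2.
  while read -r _dev mnt fstype _rest; do
    [ "$fstype" = cgroup ] || continue
    f="$mnt/release_agent"
    if [ -w "$f" ]; then
      printf 'WRITABLE: %s\n' "$f"
      writable=1
    else
      printf 'read-only: %s\n' "$f"
    fi
  done < /proc/mounts
  return "$writable"
}

# When run directly: classify the running kernel, then probe this process's view.
k=$(uname -r)
cve_2022_0492_fixed "$k"
case $? in
  0) printf 'kernel %s: at or after the fixed stable release\n' "$k" ;;
  1) printf 'kernel %s: older than the fixed stable release; check distro backports\n' "$k" ;;
  *) printf 'kernel %s: series not in the advisory list; check the distro advisory\n' "$k" ;;
esac
release_agent_exposure
[ $? -eq 1 ] && printf 'A writable cgroup v1 release_agent is reachable: attack precondition present\n'
```

Run it as the same user and inside the same container you are assessing; the writability test uses that process's credentials and mount view, which is exactly what the attack depends on. A "read-only" result for every hierarchy together with Seccomp: 2 and NoNewPrivs: 1 matches the mitigated configuration the article describes, but the kernel-version verdict still has to be cross-checked against the distribution advisory because of backports.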

Source: opennet.ru
