Vulnerability in Firejail allows root access to the system

A vulnerability (CVE-2022-31214) has been identified in the Firejail application sandboxing tool that allows a local user to gain root privileges on the host system. A working exploit is publicly available and has been tested on current releases of openSUSE, Debian, Arch, Gentoo and Fedora with the firejail utility installed. The issue was fixed in the firejail 0.9.70 release. As a workaround, you can set the "join no" and "force-nonewprivs yes" parameters in the configuration file (/etc/firejail/firejail.config).

Firejail uses namespaces, AppArmor and system call filtering (seccomp-bpf) on Linux for isolation, but it requires elevated privileges to set up isolated execution, which it obtains by being installed with the suid root flag or by being run via sudo. The vulnerability is caused by an error in the logic of the "--join=" option, intended for connecting to an already running isolated environment (analogous to a login command for the sandbox), where the environment is identified by the ID of a process running inside it. During the phase before privileges are reset, firejail determines the privileges of the specified process and applies them to the new process that joins the environment via the "--join" option.

Before joining, firejail checks whether the specified process is running in a firejail environment. This check consists of testing for the existence of the file /run/firejail/mnt/join. To exploit the vulnerability, an attacker can simulate a fake, non-isolated firejail environment using a mount namespace and then join it with the "--join" option. If the configuration does not enable the mode that prohibits acquiring additional privileges in new processes (prctl NO_NEW_PRIVS), firejail will join the user to the dummy environment and attempt to apply the user namespace settings of the init process (PID 1).

As a result, the process joined via "firejail --join" ends up in the original user ID namespace with its privileges unchanged, but in a different mount namespace that is fully controlled by the attacker. The attacker can also run setuid-root programs in the mount namespace they created, which allows, for example, modifying the /etc/sudoers settings or PAM parameters in their own file hierarchy and gaining the ability to execute commands with root rights via the sudo or su utilities.
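As an added example (not from the original article or the Firejail project), a POSIX shell check that reads a firejail.config and reports whether the two workaround settings named above are active; the sample configs it writes are constructed, and it assumes firejail's "key value" line syntax with "#" comments.

```shell
#!/bin/sh
# Check whether a firejail.config applies the CVE-2022-31214 workaround:
# "join no" and "force-nonewprivs yes" must be set (not just commented out).

# config_value FILE KEY: print the effective value of KEY (last
# uncommented occurrence wins); print nothing if KEY is never set.
config_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }          # comment line, e.g. shipped defaults
        NF >= 2 && $1 == key { val = $2 }  # later settings override earlier ones
        END { if (val != "") print val }
    ' "$1"
}

# mitigations_applied FILE: return 0 when both workaround settings are
# active as recommended, 1 otherwise.
mitigations_applied() {
    join_val=$(config_value "$1" join)
    nnp_val=$(config_value "$1" force-nonewprivs)
    if [ "$join_val" = "no" ] && [ "$nnp_val" = "yes" ]; then
        return 0
    fi
    return 1
}

# write_samples WEAK HARDENED: constructed sample configs (not real files
# from any distribution) for the demonstration and the test.
write_samples() {
    # Default-like config: keys appear only as commented-out examples.
    printf '%s\n' '# join yes' '# force-nonewprivs no' > "$1"
    # Hardened config: both workaround settings uncommented.
    printf '%s\n' '# join yes' 'join no' 'force-nonewprivs yes' > "$2"
}

# Stand-alone demonstration over the two constructed configs.
tmp=$(mktemp -d)
write_samples "$tmp/weak.config" "$tmp/hardened.config"
for f in "$tmp/weak.config" "$tmp/hardened.config"; do
    if mitigations_applied "$f"; then
        echo "$f: workaround active"
    else
        echo "$f: workaround NOT active (upgrade to 0.9.70 or set it)"
    fi
done
rm -rf "$tmp"
```

Point mitigations_applied at /etc/firejail/firejail.config to check a live host.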

Source: opennet.ru
