Vulnerability in cgroups v1 that allows escaping from an isolated container

Details have been disclosed of a vulnerability (CVE-2022-0492) in the implementation of the cgroups v1 resource-limiting mechanism in the Linux kernel, which can be used to escape from isolated containers. The problem has been present since Linux kernel 2.6.24 and was fixed in kernel releases 5.16.12, 5.15.26, 5.10.97, 5.4.177, 4.19.229, 4.14.266, and 4.9.301. You can follow the publication of package updates in distributions on these pages: Debian, SUSE, Ubuntu, RHEL, Fedora, Gentoo, Arch Linux.

The vulnerability is caused by a logic error in the release_agent file handler, which fails to perform proper checks when the handler is run with full privileges. The release_agent file is used to specify the program that the kernel executes when a process in a cgroup terminates. This program runs as root with all "capabilities" in the root namespace. It was assumed that only the administrator had access to the release_agent setting, but in reality the checks were limited to granting access to the root user, which did not exclude the setting being changed from a container or by a root user without administrator rights (CAP_SYS_ADMIN).

Previously, such a feature would not have been seen as a vulnerability, but the situation changed with the arrival of user namespaces, which allow you to create separate root users in containers that do not overlap with the root user of the main environment. Accordingly, for an attack it is enough to attach a release_agent handler in a container that has its own root user in a separate user ID space; after the process completes, the handler is executed with the full privileges of the main environment.

By default, cgroupfs is mounted in a container read-only, but there is no problem remounting this pseudo-filesystem in write mode if you have CAP_SYS_ADMIN rights, or by creating a nested container with a separate user namespace using the unshare system call, in which CAP_SYS_ADMIN rights are available for the created container.

The attack can be carried out if you have root privileges in an isolated container, or when running a container without the no_new_privs flag, which prohibits obtaining additional privileges. The system must have support for user namespaces enabled (enabled by default in Ubuntu and Fedora, but not activated in Debian and RHEL) and have access to the root cgroup v1 (for example, Docker runs containers in the root RDMA cgroup). The attack is also possible if you have CAP_SYS_ADMIN privileges, in which case support for user namespaces and access to the root cgroup v1 hierarchy are not required.

In addition to escaping from an isolated container, the vulnerability also allows processes started by the root user without "capabilities", or by any user with CAP_DAC_OVERRIDE rights (the attack requires access to the file /sys/fs/cgroup/*/release_agent, which is owned by root), to gain access to all system "capabilities".

It is noted that the vulnerability cannot be exploited when the Seccomp, AppArmor or SELinux mechanisms are used for additional container protection, since Seccomp blocks access to the unshare() system call, and AppArmor and SELinux do not allow cgroupfs to be mounted in write mode.
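The conditions listed in this article can be checked from inside a container. The following is an added example, not code from the article or from the kernel project: it parses the text of `/proc/self/status` and `/proc/self/mounts` plus an upstream kernel release string, using the fixed versions listed above. The function names and sample inputs are constructed for illustration, and distribution kernels with backported fixes are not detected.

```python
import re

# Fixed patch level per stable branch, as listed in the article.
FIXED = {(5, 16): 12, (5, 15): 26, (5, 10): 97, (5, 4): 177,
         (4, 19): 229, (4, 14): 266, (4, 9): 301}
CAP_DAC_OVERRIDE, CAP_SYS_ADMIN = 1, 21  # bit numbers from linux/capability.h

# Constructed sample inputs (not captured from a real system).
SAMPLE_STATUS = "Name:\tsh\nCapEff:\t00000000a80425fb\nNoNewPrivs:\t0\nSeccomp:\t0\n"
SAMPLE_MOUNTS = (
    "cgroup /sys/fs/cgroup/rdma cgroup rw,nosuid,nodev,noexec,relatime,rdma 0 0\n"
    "cgroup /sys/fs/cgroup/memory cgroup ro,nosuid,nodev,noexec,relatime,memory 0 0\n"
    "cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec,relatime 0 0\n")

def kernel_is_fixed(release):
    """True if an upstream release string is at or past the listed fix."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unparseable kernel release: {release!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    if (major, minor) in FIXED:
        return patch >= FIXED[(major, minor)]
    # Assumption: branches newer than 5.16 carry the fix; other unlisted
    # branches count as unfixed (distribution backports are not detected).
    return (major, minor) > (5, 16)

def writable_cgroup_v1(mounts_text):
    """Mount points of cgroup v1 hierarchies mounted read-write."""
    rows = (line.split() for line in mounts_text.splitlines())
    return [f[1] for f in rows
            if len(f) >= 4 and f[2] == "cgroup" and "rw" in f[3].split(",")]

def assess(release, status_text, mounts_text):
    """Return the exposure factors named in the article that apply."""
    st = dict(re.findall(r"^(\w+):\s*(\S+)", status_text, re.M))
    caps = int(st.get("CapEff", "0"), 16)
    checks = [
        (not kernel_is_fixed(release), "kernel older than listed fix"),
        (st.get("Seccomp", "0") == "0", "no seccomp filter"),
        (st.get("NoNewPrivs", "0") == "0", "no_new_privs not set"),
        (caps >> CAP_SYS_ADMIN & 1, "CAP_SYS_ADMIN held"),
        (caps >> CAP_DAC_OVERRIDE & 1, "CAP_DAC_OVERRIDE held"),
    ]
    found = [msg for hit, msg in checks if hit]
    return found + [f"writable cgroup v1: {p}" for p in writable_cgroup_v1(mounts_text)]

if __name__ == "__main__":
    print(assess("5.10.90", SAMPLE_STATUS, SAMPLE_MOUNTS))
```

On a live system, pass the output of `uname -r` and the contents of the two `/proc` files. A non-zero Seccomp value only shows that a filter is loaded, not that it blocks unshare(), so the runtime's seccomp profile still needs to be reviewed.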

Source: opennet.ru