fix CVE-2019-5736 with the least memory

Signed-off-by: Lifubang <lifubang@acmcoder.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>

libcontainer/container_linux.go

@@ -28,6 +28,7 @@ import (
 	"github.com/opencontainers/runtime-spec/specs-go"
 
 	"github.com/golang/protobuf/proto"
+	"github.com/pborman/uuid"
 	"github.com/sirupsen/logrus"
 	"github.com/vishvananda/netlink/nl"
 	"golang.org/x/sys/unix"
@@ -460,7 +461,42 @@ func (c *linuxContainer) newParentProcess(p *Process) (parentProcess, error) {
 	return c.newInitProcess(p, cmd, parentPipe, childPipe)
 }
 
+func runcInTmp() (string, error) {
+	runc, err := os.Readlink("/proc/self/exe")
+	if err != nil {
+		return "", err
+	}
+	id := uuid.New()
+	temp := fmt.Sprintf("/tmp/runc.%s", id)
+
+	sf, err := unix.Open(runc, unix.O_RDONLY, 0)
+	if err != nil {
+		return "", err
+	}
+	defer unix.Close(sf)
+	df, err := unix.Open(temp, unix.O_CREAT|unix.O_WRONLY, 0)
+	if err != nil {
+		return "", err
+	}
+	_, err = syscall.Sendfile(df, sf, nil, 0x7FFFF000)
+	if err == nil {
+		unix.Close(df)
+		// chmod temp runc r-x silently
+		os.Chmod(temp, 0500)
+	} else {
+		unix.Close(df)
+	}
+	return temp, err
+}
+
 func (c *linuxContainer) commandTemplate(p *Process, childPipe *os.File) (*exec.Cmd, error) {
+	tmp, err := runcInTmp()
+	if err != nil {
+		return nil, err
+	}
+	// use temp runc binary file in /tmp
+	c.initPath = tmp
+	c.initArgs[0] = tmp
 	cmd := exec.Command(c.initPath, c.initArgs[1:]...)
 	cmd.Args[0] = c.initArgs[0]
 	cmd.Stdin = p.Stdin

libcontainer/nsenter/nsexec.c

@@ -557,8 +557,11 @@ void nsexec(void)
 	 * to ensure that containers won't be able to access the host binary
 	 * through /proc/self/exe. See CVE-2019-5736.
 	 */
-	if (ensure_cloned_binary() < 0)
-		bail("could not ensure we are a cloned binary");
+	/*
+	 * Revert it first to test my code
+	*/
+	//if (ensure_cloned_binary() < 0)
+	//	bail("could not ensure we are a cloned binary");
 
 	/* Parse all of the netlink configuration. */
 	nl_parse(pipenum, &config);

libcontainer/process_linux.go

@@ -78,6 +78,8 @@ func (p *setnsProcess) signal(sig os.Signal) error {
 func (p *setnsProcess) start() (err error) {
 	defer p.parentPipe.Close()
 	err = p.cmd.Start()
+	// for runc binary in /tmp, we can remove it
+	os.Remove(p.cmd.Args[0])
 	p.childPipe.Close()
 	if err != nil {
 		return newSystemErrorWithCause(err, "starting setns process")
@@ -262,6 +264,8 @@ func (p *initProcess) waitForChildExit(childPid int) error {
 func (p *initProcess) start() error {
 	defer p.parentPipe.Close()
 	err := p.cmd.Start()
+	// for runc binary in /tmp, we can remove it
+	os.Remove(p.cmd.Args[0])
 	p.process.ops = p
 	p.childPipe.Close()
 	if err != nil {

vendor.conf

@@ -23,3 +23,6 @@ golang.org/x/sys 41f3e6584952bb034a481797859f6ab34b6803bd https://github.com/gol
 # console dependencies
 github.com/containerd/console 2748ece16665b45a47f884001d5831ec79703880
 github.com/pkg/errors v0.8.0
+
+# uuid
+github.com/pborman/uuid v1.2.0