esrlabs / northstar

Embedded container runtime


ESR-01-006 WP1: Resource Directory Host Escape (Info)

flxo opened this issue

During a source code review of the northstar-0.6.0 repository, it was identified that the Northstar runtime supports so-called resource containers. The purpose of such containers is to host resources used by one or more containers. Specifically, the containers mount resources for containers into their filesystem, so as to access files stored within the resource container. For that purpose, the Manifest of an application container defines a mount of type resource. Such resource mounts also include a dir parameter which points to a specific directory within the resource container. However, the runtime fails to properly sanitize the dir parameter and, resultantly, an escape to the host filesystem is feasible.

Fixed by #767
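
The missing `dir` check described in the issue, shown next to the unchecked join, as an added example in Rust. It is not code from the Northstar repository or from the fix in #767; the function names, the sample paths and the decision to treat a leading `/` as the root of the resource container are assumptions.

```rust
use std::path::{Component, Path, PathBuf};

/// Unchecked pattern: joining a manifest value straight onto the resource root.
/// `Path::join` keeps `..` components and lets an absolute path replace the base.
fn naive_join(resource_root: &Path, dir: &Path) -> PathBuf {
    resource_root.join(dir)
}

/// Checked form: build the mount source component by component and refuse
/// anything that could step outside `resource_root`.
fn resolve_resource_dir(resource_root: &Path, dir: &Path) -> Result<PathBuf, String> {
    let mut resolved = resource_root.to_path_buf();
    for component in dir.components() {
        match component {
            // Assumption: a leading "/" means "root of the resource container".
            Component::RootDir | Component::CurDir => {}
            Component::Normal(name) => resolved.push(name),
            Component::ParentDir => {
                return Err(format!("'..' not allowed in dir: {}", dir.display()))
            }
            Component::Prefix(_) => {
                return Err(format!("path prefix not allowed in dir: {}", dir.display()))
            }
        }
    }
    // Lexical check only: symlinks inside the resource image still need a
    // canonicalize() + starts_with(resource_root) check before mounting.
    Ok(resolved)
}

fn main() {
    // Constructed sample values, not taken from the Northstar repository.
    let root = Path::new("/data/resources/example/0.0.1");
    for dir in ["bin", "/lib/./plugins", "../../../../etc", "bin/../../secret"] {
        println!("{:<20} naive={:?} checked={:?}", dir, naive_join(root, Path::new(dir)),
                 resolve_resource_dir(root, Path::new(dir)));
    }
}
```

Rejecting `..` outright, rather than normalizing it away, keeps the manifest value unambiguous and makes a rejected manifest easy to spot at install time.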