cgroups: restrict allowed keys in 'unified' section

Prevent specifying directories by banning the use of '/' characters and disallow some internal cgroup.* files as suggested in [1]. [1]: opencontainers/runtime-spec#1040 Signed-off-by: Daniel Golle <daniel@makrotopia.org>
rsalvaterra · Aug 13, 2020 · 80c9516 · 80c9516
1 parent fad8997
commit 80c9516
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/jail/cgroups.c b/jail/cgroups.c
@@ -721,6 +721,14 @@ static int parseOCIlinuxcgroups_unified(struct blob_attr *msg)
 		if (blobmsg_type(cur) != BLOBMSG_TYPE_STRING)
 			return EINVAL;
 
+		/* restrict keys */
+		if (strchr(blobmsg_name(cur), '/') ||
+		    !strcmp(blobmsg_name(cur), "cgroup.subtree_control") ||
+		    !strcmp(blobmsg_name(cur), "cgroup.procs") ||
+		    !strcmp(blobmsg_name(cur), "cgroup.threads") ||
+		    !strcmp(blobmsg_name(cur), "cgroup.freeze"))
+			return EINVAL;
+
 		cgroups_set(blobmsg_name(cur), blobmsg_get_string(cur));
 	}