lines changed Original file line number Diff line number Diff line change @@ -629,6 +629,21 @@ tells userspace that there was an fd, but it was not allowed through.
629629
630630** Use-Case:** Any code that wants to use ` SCM_RIGHTS ` properly.
631631
632+ ### Block writes to /proc/self/exe and /proc/self/map_files
633+
634+ Provide a security primitive that prevents processes from writing to
635+ ` /proc/self/exe ` and ` /proc/self/map_files ` . This directly addresses
636+ the attack vector used in CVE-2019 -5736.
637+
638+ A common workaround used by container runtimes to prevent an untrusted
639+ container process from overwriting the host's runtime executable is to
640+ "re-exec" themselves from a read-only copy of the binary.
641+
642+ While this looks like a kernel issue, the assumption is still that any
643+ container runtime must ensure its binary cannot be overwritten.
644+
645+ ** Use-Case:** Any container runtime that executes an untrusted executable.
646+
632647---
633648
634649## Finished Items
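Review bot: the CVE identifier in the first paragraph is split by a stray space ("CVE-2019 -5736"), which breaks grep and automatic linking; write it as `CVE-2019-5736`. The final paragraph ("While this looks like a kernel issue, the assumption is still that any container runtime must ensure its binary cannot be overwritten.") also leaves the intended end state unclear: say explicitly whether the proposed kernel primitive is meant to replace the re-exec-from-a-read-only-copy workaround or only to add a defence-in-depth layer on top of it, since a reader could take either meaning. Finally, the **Use-Case** line ("Any container runtime that executes an untrusted executable") is narrower than the opening paragraph, which describes a primitive for all processes; either broaden the use-case or qualify the first paragraph so the two agree.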