1 file changed: +16 -0 lines changed
lines changed Original file line number Diff line number Diff line change @@ -629,6 +629,22 @@ tells userspace that there was an fd, but it was not allowed through.
629629
630630** Use-Case:** Any code that wants to use ` SCM_RIGHTS ` properly.
631631
632+ ### Block reopening R/O file descriptor for /proc/self/exe and /proc/self/map_files/*
633+
634+ Provide a security primitive that prevents processes from reopening a
635+ read-only file descriptor to ` /proc/self/exe ` and files under
636+ ` /proc/self/map_files ` . This directly addresses the attack vector used
637+ in CVE-2019 -5736.
638+
639+ A common workaround used by container runtimes to prevent an untrusted
640+ container process from overwriting the host's runtime executable is to
641+ "re-exec" themselves from a read-only copy of the binary.
642+
643+ While this looks like a kernel issue, the assumption is still that any
644+ container runtime must ensure its binary cannot be overwritten.
645+
646+ ** Use-Case:** Any container runtime that executes an untrusted executable.
647+
632648---
633649
634650## Finished Items
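Review bot: The first paragraph of the new section (lines 634-637) describes the primitive as preventing processes from "reopening a read-only file descriptor" to `/proc/self/exe`, but the stated goal in lines 639-641 is stopping an untrusted process from overwriting the runtime executable, so the text should say what is actually blocked: reopening the read-only fd with write access (e.g. "prevents processes from reopening a read-only file descriptor to `/proc/self/exe` and files under `/proc/self/map_files` with write permissions"). Two smaller points in the same hunk: the identifier on line 637 is split as "CVE-2019 -5736" and should read "CVE-2019-5736", and the sentence on lines 643-644 ("While this looks like a kernel issue, the assumption is still that ...") is ambiguous about whether this primitive replaces the re-exec workaround from lines 639-641 or only complements it; stating that explicitly (e.g. "Even with this primitive, the assumption remains that ...") would make the use-case clearer.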