mirror of
https://github.com/kemko/nomad.git
synced 2026-01-10 12:25:42 +03:00
df86503349
The Nomad client renders templates in the same privileged process used for most other client operations. During internal testing, we discovered that a malicious task can create a symlink that can cause template rendering to read and write to arbitrary files outside the allocation sandbox. Because the Nomad agent can be restarted without restarting tasks, we can't simply check that the path is safe at the time we write without encountering a time-of-check/time-of-use race. To protect Nomad client hosts from this attack, we'll now read and write templates in a subprocess: * On Linux/Unix, this subprocess is sandboxed via chroot to the allocation directory. This requires that Nomad is running as a privileged process. A non-root Nomad agent will warn that it cannot sandbox the template renderer. * On Windows, this process is sandboxed via a Windows AppContainer which has been granted access to only to the allocation directory. This does not require special privileges on Windows. (Creating symlinks in the first place can be prevented by running workloads as non-Administrator or non-ContainerAdministrator users.) Both sandboxes cause encountered symlinks to be evaluated in the context of the sandbox, which will result in a "file not found" or "access denied" error, depending on the platform. This change will also require an update to Consul-Template to allow callers to inject a custom `ReaderFunc` and `RenderFunc`. This design is intended as a workaround to allow us to fix this bug without creating backwards compatibility issues for running tasks. A future version of Nomad may introduce a read-only mount specifically for templates and artifacts so that tasks cannot write into the same location that the Nomad agent is. Fixes: https://github.com/hashicorp/nomad/issues/19888 Fixes: CVE-2024-1329
170 lines
4.8 KiB
Go
170 lines
4.8 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
//go:build windows
|
|
|
|
package template
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"path/filepath"
|
|
"time"
|
|
|
|
"github.com/hashicorp/go-hclog"
|
|
"github.com/hashicorp/nomad/client/allocrunner/taskrunner/template/renderer"
|
|
"github.com/hashicorp/nomad/helper/subproc"
|
|
"github.com/hashicorp/nomad/helper/winappcontainer"
|
|
"github.com/hashicorp/nomad/helper/winexec"
|
|
)
|
|
|
|
const ExitCodeFatal int = 13 // typically this is going to be a bug in Nomad
|
|
|
|
// createPlatformSandbox creates the AppContainer profile and sets DACLs on the
|
|
// files we want to grant access to.
|
|
func createPlatformSandbox(cfg *TaskTemplateManagerConfig) error {
|
|
|
|
if !isSandboxEnabled(cfg) {
|
|
return nil
|
|
}
|
|
thisBin := subproc.Self()
|
|
|
|
containerCfg := &winappcontainer.AppContainerConfig{
|
|
Name: cfg.TaskID,
|
|
AllowedPaths: []string{
|
|
thisBin,
|
|
filepath.Dir(cfg.TaskDir), // give access to the whole alloc working directory
|
|
},
|
|
}
|
|
if cfg.Logger == nil {
|
|
cfg.Logger = hclog.Default() // prevents panics in tests
|
|
}
|
|
|
|
err := winappcontainer.CreateAppContainer(cfg.Logger, containerCfg)
|
|
if err != nil {
|
|
// if Nomad is running as an unprivileged user, we might not be able to
|
|
// create the sandbox, but in that case we're not vulnerable to the
|
|
// attacks this is intended to prevent anyways
|
|
if errors.Is(err, winappcontainer.ErrAccessDeniedToCreateSandbox) {
|
|
cfg.Logger.Debug("could not create platform sandbox", "error", err)
|
|
return nil
|
|
}
|
|
return fmt.Errorf("could not create platform sandbox: %w", err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// destroyPlatformSandbox deletes the AppContainer profile.
|
|
func destroyPlatformSandbox(cfg *TaskTemplateManagerConfig) error {
|
|
|
|
if cfg.ClientConfig.TemplateConfig.DisableSandbox {
|
|
return nil
|
|
}
|
|
|
|
if cfg.Logger == nil {
|
|
cfg.Logger = hclog.Default()
|
|
}
|
|
|
|
err := winappcontainer.DeleteAppContainer(cfg.Logger, cfg.TaskID)
|
|
if err != nil {
|
|
cfg.Logger.Warn("could not destroy platform sandbox", "error", err)
|
|
}
|
|
return err
|
|
}
|
|
|
|
// renderTemplateInSandbox runs the template-render command in an AppContainer to
|
|
// prevent a task from swapping a directory between the sandbox path and the
|
|
// destination with a symlink pointing to somewhere outside the sandbox.
|
|
//
|
|
// See renderer/ subdirectory for implementation.
|
|
func renderTemplateInSandbox(cfg *sandboxConfig) (string, int, error) {
|
|
procThreadAttrs, cleanup, err := winappcontainer.CreateProcThreadAttributes(cfg.taskID)
|
|
if err != nil {
|
|
return "", ExitCodeFatal, fmt.Errorf("could not create proc attributes: %v", err)
|
|
}
|
|
defer cleanup()
|
|
|
|
// Safe to inject user input as command arguments since winexec.Command
|
|
// does not invoke a shell.
|
|
args := []string{
|
|
"template-render",
|
|
"write",
|
|
"-sandbox-path", cfg.sandboxPath,
|
|
"-dest-path", cfg.destPath,
|
|
"-perms", cfg.perms,
|
|
}
|
|
if cfg.user != "" {
|
|
args = append(args, "-user")
|
|
args = append(args, cfg.user)
|
|
}
|
|
if cfg.group != "" {
|
|
args = append(args, "-group")
|
|
args = append(args, cfg.group)
|
|
}
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
|
|
defer cancel()
|
|
|
|
cmd := winexec.CommandContext(ctx, cfg.thisBin, args...)
|
|
cmd.ProcThreadAttributes = procThreadAttrs
|
|
|
|
stdin, err := cmd.StdinPipe()
|
|
if err != nil {
|
|
return "", 1, err
|
|
}
|
|
|
|
go func() {
|
|
defer stdin.Close()
|
|
io.Copy(stdin, bytes.NewReader(cfg.contents))
|
|
}()
|
|
|
|
out, err := cmd.CombinedOutput()
|
|
code := cmd.ProcessState.ExitCode()
|
|
if code == renderer.ExitWouldRenderButDidnt {
|
|
err = nil // erase the "exit code 117" error
|
|
}
|
|
|
|
return string(out), code, err
|
|
}
|
|
|
|
// readTemplateFromSandbox runs the template-render command in a subprocess that
|
|
// will chroot itself to prevent a task from swapping a directory between the
|
|
// sandbox path and the source with a symlink pointing to somewhere outside
|
|
// the sandbox.
|
|
func readTemplateFromSandbox(cfg *sandboxConfig) ([]byte, []byte, int, error) {
|
|
procThreadAttrs, cleanup, err := winappcontainer.CreateProcThreadAttributes(cfg.taskID)
|
|
if err != nil {
|
|
return nil, nil, ExitCodeFatal, fmt.Errorf("could not create proc attributes: %v", err)
|
|
}
|
|
defer cleanup()
|
|
|
|
// Safe to inject user input as command arguments since winexec.Command
|
|
// does not invoke a shell. Also, the only user-controlled argument here is
|
|
// the source path which we've already verified is at least a valid path in
|
|
// the caller.
|
|
args := []string{
|
|
"template-render",
|
|
"read",
|
|
"-sandbox-path", cfg.sandboxPath,
|
|
"-source-path", cfg.sourcePath,
|
|
}
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
|
|
defer cancel()
|
|
|
|
cmd := winexec.CommandContext(ctx, cfg.thisBin, args...)
|
|
cmd.ProcThreadAttributes = procThreadAttrs
|
|
var outb, errb bytes.Buffer
|
|
cmd.Stdout = &outb
|
|
cmd.Stderr = &errb
|
|
|
|
err = cmd.Run()
|
|
stdout := outb.Bytes()
|
|
stderr := errb.Bytes()
|
|
return stdout, stderr, cmd.ProcessState.ExitCode(), err
|
|
}
|