A vulnerability found in cgroups v1 allows escaping from an isolated container

A few days ago, news was published disclosing the details of a vulnerability found in the implementation of the cgroups v1 resource-limiting mechanism in the Linux kernel, already catalogued as CVE-2022-0492.

The vulnerability can be used to escape from isolated containers, and it is detailed that the problem has been present since Linux kernel 2.6.24.

The blog post mentions that the vulnerability is caused by a logic error in the release_agent file handler, which failed to perform the proper checks when the handler is run with full privileges.

The release_agent file is used to define the program that the kernel executes when a process terminates in a cgroup. That program runs as root with all "capabilities" in the root namespace. Only the administrator should be able to configure release_agent, but in practice the check only verified that the caller is the root user, which did not prevent the setting from being changed from a container or by a root user without administrator rights (CAP_SYS_ADMIN).

Previously, this behaviour was not perceived as a vulnerability, but the situation changed with the arrival of user ID namespaces (user namespaces), which allow separate root users to be created inside containers that do not coincide with the root user of the host environment.

Accordingly, for an attack it is enough, inside a container that has its own root user in a separate user ID namespace, to plug in a release_agent handler, which, once a process terminates, will run with the full privileges of the parent environment.

By default, cgroupfs is mounted read-only inside a container, but there is no problem remounting this pseudo-filesystem in write mode with CAP_SYS_ADMIN rights, or by creating a nested container with a separate user namespace through the unshare system call, in which CAP_SYS_ADMIN rights are available to the newly created container.

The attack can be carried out by having root privileges in an isolated container, or by running a container without the no_new_privs flag, which prohibits gaining additional privileges.

The system must support enabling user namespaces (enabled by default on Ubuntu and Fedora, but not on Debian and RHEL) and the container must have access to the root cgroup v1 hierarchy (for example, Docker runs containers in the root RDMA cgroup). The attack is also possible with CAP_SYS_ADMIN privileges, in which case neither user namespace support nor access to the root cgroup v1 hierarchy is required.

Beyond escaping from an isolated container, the vulnerability also allows processes started by the root user without "capabilities", or any user with the CAP_DAC_OVERRIDE right (the attack requires access to the /sys/fs/cgroup/*/release_agent file, which is owned by root), to obtain all of the system's "capabilities".

Apart from containers, the vulnerability can also allow root processes without capabilities, or non-root processes with the CAP_DAC_OVERRIDE capability, to escalate privileges to full capabilities. This may let attackers bypass hardening measures used by some services, which drop capabilities in an attempt to limit the impact if a compromise occurs.

Unit 42 recommends that users upgrade to a fixed kernel version. For running containers, enable Seccomp and make sure AppArmor or SELinux is enabled. Prisma Cloud users can refer to the "Prisma Cloud Protections" section to see the mitigations Prisma Cloud provides.

Note that the vulnerability cannot be exploited when the Seccomp, AppArmor or SELinux protection mechanisms are used for additional container isolation, since Seccomp blocks the unshare() system call and AppArmor and SELinux do not allow cgroupfs to be mounted in write mode.

Finally, it is worth mentioning that the problem has been fixed in kernel versions 5.16.12, 5.15.26, 5.10.97, 5.4.177, 4.19.229, 4.14.266 and 4.9.301. You can follow the release of package updates in the distributions on these pages: Debian, SUSE, Ubuntu, RHEL, Fedora, Gentoo, Arch Linux.
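As an added example that is not part of the original article or of Unit 42's material, the following Python helper turns the conditions described above into an audit a defender can run: it compares a kernel release string against the fixed stable versions listed in the article, parses /proc/mounts for legacy (v1) cgroup hierarchies and whether they are writable, and combines the stated preconditions (user namespaces, root v1 hierarchy access, CAP_SYS_ADMIN, Seccomp blocking unshare(), AppArmor/SELinux denying a read-write cgroupfs mount) into an exposure verdict. The HostFacts field names, the assess_exposure() logic and the sample /proc/mounts text are constructed for illustration; the rule that branches newer than 5.16 carry the fix is an assumption based on the fix predating the 5.17 release.

```python
"""Added example (not from the article or Unit 42): audit helper for CVE-2022-0492."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Fixed stable releases named in the article, keyed by stable branch (major, minor).
FIXED_VERSIONS = {
    (5, 16): 12, (5, 15): 26, (5, 10): 97, (5, 4): 177,
    (4, 19): 229, (4, 14): 266, (4, 9): 301,
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_version(release: str) -> Tuple[int, int, int]:
    """Turn a 'uname -r' string such as '5.10.96-1-amd64' into (major, minor, patch)."""
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def kernel_is_fixed(release: str) -> Optional[bool]:
    """True if the upstream stable release carries the fix, False if it predates it,
    None if the branch is not in the article's list (distribution kernels backport
    fixes without bumping the upstream patch level, so consult the vendor advisory)."""
    major, minor, patch = parse_kernel_version(release)
    if (major, minor) in FIXED_VERSIONS:
        return patch >= FIXED_VERSIONS[(major, minor)]
    if (major, minor) > (5, 16):
        return True  # assumption: the fix landed before 5.17 was released
    return None


def cgroup_v1_mounts(mounts_text: str) -> List[Tuple[str, bool]]:
    """From /proc/mounts content, list (mountpoint, writable) for legacy cgroup
    hierarchies. fstype 'cgroup' is v1; 'cgroup2' is the unified hierarchy."""
    found = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "cgroup":
            continue
        options = fields[3].split(",")
        found.append((fields[1], "rw" in options))
    return found


@dataclass
class HostFacts:  # hypothetical structure holding what the article says matters
    kernel_release: str
    cgroup_v1_mounted: bool        # a legacy hierarchy is mounted in the container
    user_namespaces_enabled: bool  # unprivileged processes may create user namespaces
    root_cgroup_access: bool       # container sits in the root cgroup of a v1 hierarchy
    has_cap_sys_admin: bool        # the process already holds CAP_SYS_ADMIN
    seccomp_blocks_unshare: bool   # e.g. a seccomp profile that denies unshare()
    lsm_blocks_cgroupfs_rw: bool   # AppArmor/SELinux deny a read-write cgroupfs mount


def assess_exposure(facts: HostFacts) -> Tuple[str, List[str]]:
    """Combine the article's preconditions into 'patched', 'mitigated',
    'exposed' or 'unknown', with the reasons that led to the verdict."""
    reasons: List[str] = []
    fixed = kernel_is_fixed(facts.kernel_release)
    if fixed:
        return "patched", [f"kernel {facts.kernel_release} includes the fix"]
    if fixed is None:
        reasons.append("kernel branch not in upstream fixed list; check vendor advisory")
    if not facts.cgroup_v1_mounted:
        return "mitigated", reasons + ["no cgroup v1 hierarchy is mounted"]
    # Two routes to writing release_agent: already CAP_SYS_ADMIN, or a fresh
    # user namespace (needs unshare() plus access to a root v1 hierarchy).
    if facts.has_cap_sys_admin:
        reasons.append("process holds CAP_SYS_ADMIN")
    elif facts.user_namespaces_enabled and facts.root_cgroup_access:
        if facts.seccomp_blocks_unshare:
            return "mitigated", reasons + ["seccomp blocks unshare()"]
        reasons.append("user namespaces enabled and root cgroup v1 hierarchy reachable")
    else:
        return "mitigated", reasons + ["no route to CAP_SYS_ADMIN over a v1 hierarchy"]
    if facts.lsm_blocks_cgroupfs_rw:
        return "mitigated", reasons + ["AppArmor/SELinux deny mounting cgroupfs read-write"]
    return ("exposed" if fixed is False else "unknown"), reasons


# Constructed sample of /proc/mounts as seen from inside a typical container.
SAMPLE_MOUNTS = """\
overlay / overlay rw,relatime,lowerdir=/var/lib/docker/x 0 0
cgroup /sys/fs/cgroup/rdma cgroup ro,nosuid,nodev,noexec,relatime,rdma 0 0
cgroup /sys/fs/cgroup/memory cgroup ro,nosuid,nodev,noexec,relatime,memory 0 0
cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec,relatime 0 0
"""

if __name__ == "__main__":
    v1 = cgroup_v1_mounts(SAMPLE_MOUNTS)
    facts = HostFacts("5.10.96-1-amd64", bool(v1), True, True, False, False, False)
    print(assess_exposure(facts))
```

On a live host the same functions can be fed `open("/proc/mounts").read()` and `os.uname().release`; the remaining HostFacts fields come from the container runtime's configuration (seccomp profile, AppArmor/SELinux state, which cgroup the container is placed in), which is where the mitigations the article recommends are actually enforced.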

Finally, if you are interested in learning more about it, you can check the details at the following link.

