tetragon
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2640
#
# Description
# On Ubuntu kernels carrying both c914c0e27eb0 and
# "UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs",
# an unprivileged user may set privileged extended attributes on the mounted files,
# leading them to be set on the upper files without the appropriate security checks.
#
# Affected Ubuntu kernel versions:
# 6.2.0
# 5.19.0 (tested on kernel 5.19.0-46)
# ...
#
# Prevention
# For processes outside the host user namespace, this policy overrides the return
# value of security_inode_copy_up_xattr() with 1 whenever the xattr being copied
# up is security.capability. overlayfs treats 1 from this hook as "discard this
# xattr", so the copy-up itself still succeeds but the capability is never
# written to the upper file, which turns the attack into a no-op.
#
# Prerequisites
# The Override action needs a kernel built with CONFIG_BPF_KPROBE_OVERRIDE=y.
#
# Verification
# With the policy loaded, "getcap upper/binary" on the copied-up file displays
# no file capabilities.
#
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "cve-2023-2640-overlayfs-ubuntu"
  #annotations:
  #  url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2640
  #  description: "Prevents copying up security.capability xattr on overlayfs from a user namespace."
  #  author: "Djalal Harouni"
spec:
  kprobes:
  - call: "security_inode_copy_up_xattr"
    syscall: false
    return: true
    args:
    - index: 0
      type: "string"   # the xattr name being copied up
    returnArg:
      index: 0
      type: "int"
    selectors:
    - matchNamespaces:
      - namespace: User
        operator: NotIn   # only processes outside the host user namespace
        values:
        - "host_ns"
      matchArgs:
      - index: 0
        operator: "Equal"
        values:
        - "security.capability\0"
      matchActions:
      - action: Override
        argError: 1 # Override with 1 avoids copying up security.capability, with -1 the copy up fails.
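Once this policy is loaded, every override it performs shows up in Tetragon's event stream, which is where a practitioner would want to confirm the block fired and see which process triggered it. The following is an added example, not part of the policy file or of the Tetragon project: a small filter over Tetragon JSON event lines (as written by `tetra getevents` or the JSON exporter) that keeps only the copy-ups of `security.capability` that were overridden for a process outside the host user namespace. It assumes the event layout `process_kprobe` -> `process` (with `pid`, `binary`, `arguments`, `ns.user.inum`, `ns.user.is_host`), `function_name`, `args[].string_arg`, `action` and `policy_name`; the sample event lines and the second policy name in them are constructed for the example.

```python
"""Filter Tetragon JSON events for copy-ups blocked by the CVE-2023-2640 policy.

Added example, not Tetragon code. Assumed event layout: process_kprobe ->
process{pid,binary,arguments,ns.user.inum,ns.user.is_host}, function_name,
args[{string_arg}], action, policy_name.  Sample lines below are constructed.
"""
import json
import sys

POLICY_NAME = "cve-2023-2640-overlayfs-ubuntu"
HOOK = "security_inode_copy_up_xattr"
XATTR = "security.capability"

def _event(pid, binary, argv, inum, is_host, xattr, action, policy):
    """Build one constructed event line in the assumed exporter layout."""
    return json.dumps({
        "process_kprobe": {
            "process": {"pid": pid, "binary": binary, "arguments": argv,
                        "ns": {"user": {"inum": inum, "is_host": is_host}}},
            "function_name": HOOK,
            "args": [{"string_arg": xattr}],
            "action": action,
            "policy_name": policy,
        },
        "node_name": "worker-1",
        "time": "2023-07-20T10:00:00.000Z",
    })

# Constructed sample input: one overridden copy-up from an unprivileged user
# namespace, one audit-only hit from a hypothetical second policy that posts
# every copy-up from the host namespace, an unrelated exec event, and junk.
SAMPLE_EVENTS = [
    _event(4242, "/usr/sbin/setcap", "cap_setuid+ep merged/binary",
           4026532601, False, XATTR, "KPROBE_ACTION_OVERRIDE", POLICY_NAME),
    _event(4243, "/usr/bin/cp", "merged/file /tmp/out",
           4026531837, True, XATTR, "KPROBE_ACTION_POST", "copy-up-audit"),
    json.dumps({"process_exec": {"process": {"pid": 1, "binary": "/sbin/init"}},
                "node_name": "worker-1", "time": "2023-07-20T10:00:02.000Z"}),
    "{not json",
]

def parse_event(line):
    """Parse one JSON line; return None instead of raising on malformed input."""
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None

def is_blocked_copy_up(event):
    """True for an Override of security_inode_copy_up_xattr on security.capability
    performed for a process whose user namespace is not the host's."""
    kp = (event or {}).get("process_kprobe")
    if not kp or kp.get("function_name") != HOOK:
        return False
    if kp.get("action") != "KPROBE_ACTION_OVERRIDE":
        return False
    args = kp.get("args") or []
    name = args[0].get("string_arg", "") if args else ""
    # The policy matches the NUL-terminated C string; tolerate an exported NUL.
    if name.rstrip("\0") != XATTR:
        return False
    user_ns = kp.get("process", {}).get("ns", {}).get("user", {})
    return user_ns.get("is_host") is False

def summarize(event):
    """Reduce a matching event to the fields an analyst needs to follow up."""
    kp = event["process_kprobe"]
    proc = kp.get("process", {})
    return {"time": event.get("time"), "node": event.get("node_name"),
            "pid": proc.get("pid"), "binary": proc.get("binary"),
            "arguments": proc.get("arguments"),
            "user_ns": proc.get("ns", {}).get("user", {}).get("inum"),
            "policy": kp.get("policy_name")}

def scan(lines):
    """Return summaries of all blocked copy-ups in an iterable of JSON lines."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None and is_blocked_copy_up(ev):
            hits.append(summarize(ev))
    return hits

if __name__ == "__main__":
    # Usage: tetra getevents | python3 copyup_alerts.py   (falls back to samples)
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_EVENTS
    for hit in scan(source):
        print(json.dumps(hit))
```

The filter keys on the action rather than only on the policy name so that a renamed or duplicated policy still surfaces, and it requires `is_host` to be explicitly false so an event missing namespace information is not reported as a block.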