Impact
It was found that rootless runc makes /sys/fs/cgroup writable in following conditons:
- when runc is executed inside the user namespace, and the
config.json does not specify the cgroup namespace to be unshared (e.g.., (docker|podman|nerdctl) run --cgroupns=host, with Rootless Docker/Podman/nerdctl)
- or, when runc is executed outside the user namespace, and
/sys is mounted with rbind, ro (e.g., runc spec --rootless; this condition is very rare)
A container may gain the write access to user-owned cgroup hierarchy /sys/fs/cgroup/user.slice/... on the host .
Other users's cgroup hierarchies are not affected.
Patches
v1.1.5 (planned)
Workarounds
- Condition 1: Unshare the cgroup namespace (
(docker|podman|nerdctl) run --cgroupns=private). This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts.
- Condition 2 (very rare): add
/sys/fs/cgroup to maskedPaths
AkihiroSuda Reporter
Impact
It was found that rootless runc makes
/sys/fs/cgroupwritable in following conditons:config.jsondoes not specify the cgroup namespace to be unshared (e.g..,(docker|podman|nerdctl) run --cgroupns=host, with Rootless Docker/Podman/nerdctl)/sysis mounted withrbind, ro(e.g.,runc spec --rootless; this condition is very rare)A container may gain the write access to user-owned cgroup hierarchy
/sys/fs/cgroup/user.slice/...on the host .Other users's cgroup hierarchies are not affected.
Patches
v1.1.5 (planned)
Workarounds
(docker|podman|nerdctl) run --cgroupns=private). This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts./sys/fs/cgrouptomaskedPaths