fix(sidecar): block bind mount sources at syscall level to prevent rootfs tampering

89luca89 · 89luca89 · commit 626119b7ac04 · 2026-04-04T20:44:35.000+02:00
Enforce bind source allowlist in the seccomp-notif supervisor, mirroring
the OCI hook checkMounts() logic.
Build containers skip hooks but inherit the filter, closing a possible rootfs
tampering chain (podman build -v /:/hostroot).

Update tests accordingly.

Signed-off-by: Luca Di Maio &lt;luca.dimaio1@gmail.com&gt;
diff --git a/container-images/sidecar/entrypoint/entrypoint_test.go b/container-images/sidecar/entrypoint/entrypoint_test.go
@@ -451,3 +451,65 @@ func TestReadPPID_Missing(t *testing.T) {
 		t.Errorf("expected 0 for nonexistent PID, got %d", ppid)
 	}
 }
+
+// ---------------------------------------------------------------------------
+// Bind mount source allowlist tests
+// ---------------------------------------------------------------------------
+
+func TestIsAllowedBindSource(t *testing.T) {
+	workdir := "/home/user/project"
+	tests := []struct {
+		source string
+		want   bool
+	}{
+		// Workdir and children.
+		{"/home/user/project", true},
+		{"/home/user/project/src", true},
+		{"/home/user/project/.git/hooks", true},
+
+		// Infrastructure storage.
+		{"/var/lib/containers/storage/overlay/abc/merged", true},
+		{"/var/run/containers/storage/abc", true},
+		{"/var/cache/containers/blob-cache/sha256/abc", true},
+		{"/run/containers/storage/abc", true},
+		{"/run/credentials/gh", true},
+
+		// Device files.
+		{"/dev/null", true},
+		{"/dev/zero", true},
+		{"/dev/shm/foo", false},
+
+		// Temp dirs.
+		{"/tmp/buildah123", false},
+		{"/var/tmp/foo", false},
+
+		// Special rootfs files.
+		{"/sandbox-seal", true},
+		{"/rename_exdev_shim.so", true},
+		{"/empty", true},
+
+		// Empty source (remount).
+		{"", true},
+
+		// ATTACK: rootfs paths that must be blocked.
+		{"/", false},
+		{"/etc", false},
+		{"/etc/containers", false},
+		{"/etc/containers/containers.conf", false},
+		{"/usr", false},
+		{"/usr/share/containers/oci/hooks.d", false},
+		{"/usr/libexec/oci/hooks.d/security-policy", false},
+		{"/bin", false},
+		{"/home/user", false}, // parent of workdir, not under it
+		{"/proc", false},
+		{"/sys", false},
+		{"/opt", false},
+		{"/entrypoint", false},
+	}
+	for _, tt := range tests {
+		got := isAllowedBindSource(tt.source, workdir)
+		if got != tt.want {
+			t.Errorf("isAllowedBindSource(%q, %q) = %v, want %v", tt.source, workdir, got, tt.want)
+		}
+	}
+}
diff --git a/container-images/sidecar/entrypoint/handlers.go b/container-images/sidecar/entrypoint/handlers.go
@@ -21,21 +21,73 @@ import (
 // (IPT_SO_SET_REPLACE) and IPv6 (IP6T_SO_SET_REPLACE).
 const iptSOSetReplace = 64
 
+// allowedBindSources lists path prefixes from which bind mount sources
+// are permitted.
+var allowedBindSources = []string{
+	// infra mounts for namespace setup
+	"/proc/self",
+	"/proc/thread-self",
+	"/run/user/0",
+	"/run/netns",
+	"/dev/char",
+	"/dev/pts",
+	// infra mounts for container storage, cache, logs
+	"/run/containers",
+	"/var/cache/containers",
+	"/var/lib/containers/storage",
+	"/var/run/containers/storage",
+	// credential forwarding
+	"/run/credentials",
+}
+
+// allowedBindSourceFiles lists individual rootfs files that may be
+// bind-mounted into nested containers.
+var allowedBindSourceFiles = []string{
+	"/dev/full",
+	"/dev/null",
+	"/dev/random",
+	"/dev/tty",
+	"/dev/urandom",
+	"/dev/zero",
+	"/empty",
+	"/rename_exdev_shim.so",
+	"/sandbox-seal",
+}
+
+// isAllowedBindSource checks whether a bind mount source is permitted.
+func isAllowedBindSource(source, workdir string) bool {
+	if source == "" {
+		return true
+	}
+
+	if workdir != "" && isSubPath(workdir, source) {
+		return true
+	}
+
+	for _, prefix := range allowedBindSources {
+		if isSubPath(prefix, source) {
+			return true
+		}
+	}
+
+	return slices.Contains(allowedBindSourceFiles, source)
+}
+
 // proc1Sensitive lists /proc/1 sub-paths that must never be opened from
 // sidecar processes. Defense-in-depth behind the /dev/null mask on
 // /proc/1/mem and the mount supervisor blocking unmounts.
 var proc1Sensitive = []string{
-	"/proc/1/mem",
+	"/proc/1/auxv",
+	"/proc/1/cwd",
 	"/proc/1/environ",
+	"/proc/1/exe",
+	"/proc/1/io",
 	"/proc/1/maps",
+	"/proc/1/mem",
+	"/proc/1/pagemap",
 	"/proc/1/root",
-	"/proc/1/cwd",
-	"/proc/1/exe",
 	"/proc/1/stack",
 	"/proc/1/syscall",
-	"/proc/1/io",
-	"/proc/1/auxv",
-	"/proc/1/pagemap",
 }
 
 // ---------------------------------------------------------------------------
@@ -123,6 +175,15 @@ func handleMount(
 		return
 	}
 
+	// Block bind mounts from disallowed sources. This is the syscall-level
+	// equivalent of the OCI hook's checkMounts()
+	if flags&unix.MS_BIND != 0 && flags&unix.MS_REMOUNT == 0 && !isAllowedBindSource(source, workdir) {
+		resp.Error = -int32(unix.EPERM)
+		logf("BLOCKED mount(MS_BIND) source=%s target=%s pid=%d bin=%s (source not allowed)",
+			source, target, pid, exePath(pid))
+		return
+	}
+
 	// Block non-recursive bind mount where the source is the workdir or
 	// an ancestor of it. A non-recursive bind of any path that contains
 	// the workdir doesn't carry the /dev/null sub-mounts, exposing masked files.
diff --git a/pkg/sandbox/integration_test.go b/pkg/sandbox/integration_test.go
@@ -1197,6 +1197,150 @@ func TestSupervisor(t *testing.T) {
 	})
 }
 
+// ---------------------------------------------------------------------------
+// Rootfs tampering: pentest escape chain — bind mount source allowlist.
+// Validates that the seccomp-notif supervisor blocks the attack at the
+// mount level, preventing access to sidecar config via -v /:/hostroot.
+// Build containers skip OCI hooks; the supervisor is the only defense.
+// ---------------------------------------------------------------------------
+
+func TestRootfsTampering(t *testing.T) {
+	t.Parallel()
+
+	t.Run("run_bind_root_blocked", func(t *testing.T) {
+		t.Parallel()
+		// podman run -v /:/hostroot — exposes entire sidecar rootfs.
+		// The supervisor's bind source check must reject source "/".
+		out, err := sidecarExec(t, sidecarName,
+			innerRun([]string{"-v", "/:/hostroot"}, "cat", "/hostroot/etc/containers/containers.conf"))
+		requireFail(t, out, err)
+	})
+
+	t.Run("run_bind_etc_blocked", func(t *testing.T) {
+		t.Parallel()
+		// podman run -v /etc:/hostetc — exposes sidecar config dir.
+		out, err := sidecarExec(t, sidecarName,
+			innerRun([]string{"-v", "/etc:/hostetc"}, "cat", "/hostetc/containers/containers.conf"))
+		requireFail(t, out, err)
+	})
+
+	t.Run("run_bind_usr_blocked", func(t *testing.T) {
+		t.Parallel()
+		// podman run -v /usr:/hostusr — exposes hook binaries/configs.
+		out, err := sidecarExec(t, sidecarName,
+			innerRun([]string{"-v", "/usr:/hostusr"}, "ls", "/hostusr/share/containers"))
+		requireFail(t, out, err)
+	})
+
+	t.Run("build_escalate_full_chain", func(t *testing.T) {
+		t.Parallel()
+		containerfile := strings.Join([]string{
+			"FROM " + alpineImage,
+			"RUN ls -la /hostroot/usr/share/containers/oci/hooks.d/security-policy.json /hostroot/usr/share/containers/oci/hooks.d/seal-inject.json",
+			"RUN cat /hostroot/usr/share/containers/oci/hooks.d/security-policy.json /hostroot/usr/share/containers/oci/hooks.d/seal-inject.json",
+			"RUN rm -f /hostroot/usr/share/containers/oci/hooks.d/security-policy.json /hostroot/usr/share/containers/oci/hooks.d/seal-inject.json",
+			"",
+		}, "\n")
+		cfPath := filepath.Join(workdir, "Containerfile.escalate")
+		if err := os.WriteFile(cfPath, []byte(containerfile), 0o644); err != nil {
+			t.Fatal(err)
+		}
+		defer os.Remove(cfPath)
+		out, err := sidecarExecTimeout(t, sidecarName, []string{
+			innerPodman, "build", "--no-cache",
+			"--cap-add", "ALL",
+			"-v", "/:/hostroot",
+			"-f", cfPath, workdir,
+		}, 120*time.Second)
+		requireFail(t, out, err)
+	})
+
+	t.Run("build_bind_root_delete_hooks", func(t *testing.T) {
+		t.Parallel()
+		cfPath := filepath.Join(workdir, "Containerfile.delete_hooks")
+		cf := "FROM " + alpineImage + "\nRUN rm -f /hostroot/usr/share/containers/oci/hooks.d/security-policy.json\n"
+		if err := os.WriteFile(cfPath, []byte(cf), 0o644); err != nil {
+			t.Fatal(err)
+		}
+		defer os.Remove(cfPath)
+		out, err := sidecarExecTimeout(t, sidecarName, []string{
+			innerPodman, "build", "--no-cache",
+			"-v", "/:/hostroot",
+			"-f", cfPath, workdir,
+		}, 120*time.Second)
+		requireFail(t, out, err)
+	})
+
+	t.Run("build_bind_root_overwrite_seccomp", func(t *testing.T) {
+		t.Parallel()
+		// Overwrite seccomp_nested.json to weaken nested container restrictions.
+		cfPath := filepath.Join(workdir, "Containerfile.overwrite_seccomp")
+		cf := "FROM " + alpineImage + "\nRUN echo '{}' > /hostroot/etc/containers/seccomp_nested.json\n"
+		if err := os.WriteFile(cfPath, []byte(cf), 0o644); err != nil {
+			t.Fatal(err)
+		}
+		defer os.Remove(cfPath)
+		out, err := sidecarExecTimeout(t, sidecarName, []string{
+			innerPodman, "build", "--no-cache",
+			"-v", "/:/hostroot",
+			"-f", cfPath, workdir,
+		}, 120*time.Second)
+		requireFail(t, out, err)
+	})
+
+	t.Run("build_bind_root_modify_containers_conf", func(t *testing.T) {
+		t.Parallel()
+		// Modify containers.conf to disable security defaults.
+		cfPath := filepath.Join(workdir, "Containerfile.modify_conf")
+		cf := "FROM " + alpineImage + "\nRUN echo '[containers]' > /hostroot/etc/containers/containers.conf\n"
+		if err := os.WriteFile(cfPath, []byte(cf), 0o644); err != nil {
+			t.Fatal(err)
+		}
+		defer os.Remove(cfPath)
+		out, err := sidecarExecTimeout(t, sidecarName, []string{
+			innerPodman, "build", "--no-cache",
+			"-v", "/:/hostroot",
+			"-f", cfPath, workdir,
+		}, 120*time.Second)
+		requireFail(t, out, err)
+	})
+
+	t.Run("run_bind_etc_containers_blocked", func(t *testing.T) {
+		t.Parallel()
+		out, err := sidecarExec(t, sidecarName,
+			innerRun([]string{"-v", "/etc/containers:/mnt"}, "cat", "/mnt/containers.conf"))
+		requireFail(t, out, err)
+	})
+
+	t.Run("run_bind_hook_dir_blocked", func(t *testing.T) {
+		t.Parallel()
+		out, err := sidecarExec(t, sidecarName,
+			innerRun([]string{"-v", "/usr/share/containers/oci/hooks.d:/mnt"}, "ls", "/mnt"))
+		requireFail(t, out, err)
+	})
+
+	t.Run("run_bind_hook_binary_blocked", func(t *testing.T) {
+		t.Parallel()
+		out, err := sidecarExec(t, sidecarName,
+			innerRun([]string{"-v", "/usr/libexec/oci/hooks.d/security-policy:/mnt/sp"}, "ls", "/mnt/sp"))
+		requireFail(t, out, err)
+	})
+
+	t.Run("run_bind_dev_fuse_blocked", func(t *testing.T) {
+		t.Parallel()
+		out, err := sidecarExec(t, sidecarName,
+			innerRun([]string{"-v", "/dev/fuse:/dev/fuse"}, "ls", "/dev/fuse"))
+		requireFail(t, out, err)
+	})
+
+	t.Run("run_workdir_mount_allowed", func(t *testing.T) {
+		t.Parallel()
+		out, err := sidecarExec(t, sidecarName,
+			innerRun([]string{"-v", workdir + ":/work"}, "ls", "/work"))
+		requireSuccess(t, out, err)
+	})
+}
+
 func TestSecurityAudit(t *testing.T) {
 	t.Run("cdk", func(t *testing.T) {
 		// Detect architecture for the correct CDK binary.
