Headline
CVE-2022-39206: Fix the docker sock mount security vulnerability · theonedev/onedev@0052047
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. When using Docker-based job executors, the Docker socket (e.g. /var/run/docker.sock on Linux) is mounted into each Docker step. Users that can define and trigger CI/CD jobs on a project could use this to control the Docker daemon on the host machine. This is a known dangerous pattern, as it can be used to break out of Docker containers and, in most cases, gain root privileges on the host system. This issue allows regular (non-admin) users to potentially take over the build infrastructure of a OneDev instance. Attackers need to have an account (or be able to register one) and need permission to create a project. Since code.onedev.io has the right preconditions for this to be exploited by remote attackers, it could have been used to hijack builds of OneDev itself, e.g. by injecting malware into the docker images that are built and pushed to Docker Hub. The impact is increased by this as described before. Users are advised to upgrade to 7.3.0 or higher. There are no known workarounds for this issue.
@@ -117,6 +117,8 @@ public class KubernetesExecutor extends JobExecutor implements Testable<TestData
private String kubeCtlPath;
private boolean mountContainerSock;
@Editable(order=20, description="Optionally specify node selector of the job pods") public List<NodeSelectorEntry> getNodeSelector() { return nodeSelector; @@ -146,6 +148,21 @@ public List<RegistryLogin> getRegistryLogins() { public void setRegistryLogins(List<RegistryLogin> registryLogins) { this.registryLogins = registryLogins; }
@Editable(order=300, description="Whether or not to mount docker/containerd sock into job " + "container to support container operations in job commands, for instance to build " + “container image.<br>” + "<b class=’text-danger’>WARNING</b>: Malicious jobs can take control of k8s node " + "running the job by operating the mounted container sock. You should configure job " + "requirement option below to make sure the executor can only be used by trusted " + “jobs if this option is enabled”) public boolean isMountContainerSock() { return mountContainerSock; }
public void setMountContainerSock(boolean mountContainerSock) { this.mountContainerSock = mountContainerSock; }
@Editable(order=25000, group="More Settings", description="Optionally specify where to run service pods " + "specified in job. The first matching locator will be used. If no any locators are found, " @@ -769,8 +786,11 @@ public void consume(String line) { commonVolumeMounts.add(authInfoMount2); if (trustCertsConfigMapName != null) commonVolumeMounts.add(trustCertsMount); commonVolumeMounts.add(dockerSockMount); commonVolumeMounts.add(containerdSockMount);
if (isMountContainerSock()) { commonVolumeMounts.add(dockerSockMount); commonVolumeMounts.add(containerdSockMount); }
CompositeFacade entryFacade; if (jobContext != null) { @@ -975,14 +995,17 @@ public Void visit(LeafFacade facade, List<Integer> position) { "configMap", CollectionUtils.newLinkedHashMap( "name", trustCertsConfigMapName))); } volumes.add(CollectionUtils.newLinkedHashMap( "name", "docker-sock", "hostPath", CollectionUtils.newLinkedHashMap( "path", dockerSock))); volumes.add(CollectionUtils.newLinkedHashMap( "name", "containerd-sock", "hostPath", CollectionUtils.newLinkedHashMap( "path", containerdSock)));
if (isMountContainerSock()) { volumes.add(CollectionUtils.newLinkedHashMap( "name", "docker-sock", "hostPath", CollectionUtils.newLinkedHashMap( "path", dockerSock))); volumes.add(CollectionUtils.newLinkedHashMap( "name", "containerd-sock", "hostPath", CollectionUtils.newLinkedHashMap( "path", containerdSock))); } podSpec.put("volumes", volumes);
String podName = "job";