CVE-2021-43816— containerd 权限许可和访问控制问题漏洞

Improper Preservation of Permissions in containerd

containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete read/write access (sans delete). Such is achieved by placing the in-container location of the hostPath volume mount at either `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are being relabeled indiscriminately to match the container process-label which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible.

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

权限预留不恰当

containerd 权限许可和访问控制问题漏洞

containerd是美国阿帕奇（Apache）基金会的一个容器守护进程。该进程根据 RunC OCI 规范负责控制宿主机上容器的完整周期。 containerd 存在安全漏洞，该漏洞源于自 v1.5.0-beta.0 起的 containerd 作为后备容器运行时接口 (CRI)，调度到节点的非特权 pod 可能会绑定 mount , 通过 hostPath 卷，磁盘上的任何特权的常规文件以进行完整的读/写访问（无删除）。 这是通过将 hostPath 卷挂载的容器内位置放置在`/etc/hosts`、

N/A

N/A