tests: add regression test for CVE-2019-19921 / CVE-2023-27561

We reintroduced this once already because it is quite easy to miss this subtle aspect of proc mounting. The recent migration to securejoin.MkdirAllInRoot could have also inadvertently reintroduced this (though it didn't). Signed-off-by: Aleksa Sarai <[email protected]>
cyphar · Sep 13, 2024 · 457e1ff · 457e1ff
1 parent 7c2e69f
commit 457e1ff
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/tests/integration/mounts.bats b/tests/integration/mounts.bats
@@ -199,6 +199,18 @@ function test_mount_order() {
 	[ "$status" -eq 0 ]
 }
 
+# CVE-2023-27561 CVE-2019-19921
+@test "runc run [/proc is a symlink]" {
+	# Make /proc in the container a symlink.
+	rm -rf rootfs/proc
+	mkdir -p rootfs/bad-proc
+	ln -sf /bad-proc rootfs/proc
+	# This should fail.
+	runc run test_busybox
+	[ "$status" -ne 0 ]
+	[[ "$output" == *"must be mounted on ordinary directory"* ]]
+}
+
 @test "runc run [ro /sys/fs/cgroup mounts]" {
 	# Without cgroup namespace.
 	update_config '.linux.namespaces -= [{"type": "cgroup"}]'