libpathrs: securing path operations for system tools
09-26, 10:20–10:45 (Europe/Berlin), Dome

Container runtimes and other privileged system management tools have historically struggled to operate safely on a path inside a directory tree controlled by a malicious user (who can plant symlinks, swap directories mid-lookup, or point lookups at magic-links). libpathrs is a library that makes those path operations easy to do safely, and it also provides related utilities such as safe wrappers for operating on procfs files.


As part of the kernel work on openat2(2), and the continuing kernel work to make magic-links safer (against both confused-deputy attacks and resource re-opening attacks), the need for a library that makes all sorts of VFS operations easy to do safely became obvious, and so libpathrs was born. libpathrs uses openat2(2) when the running kernel provides it, and otherwise falls back to the old-fashioned (and far more finicky) method of resolving a path safely one component at a time.
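
The two-tier resolution described above, as an added example in C against the raw syscall interface (this is illustrative code written for this page, not libpathrs' own or its author's): openat2(2) with RESOLVE_IN_ROOT|RESOLVE_NO_MAGICLINKS when the kernel offers it, and a hand-rolled, deliberately simplified component walk when it does not. The RESOLVE_* values and the syscall number are the kernel's; the function names, the throwaway root and its symlinks are constructed for the illustration.

```c
/* Added example, not libpathrs code: open `path` strictly inside `rootfd`, via
 * openat2(2) when available and otherwise a component-by-component walk.
 * Assumes Linux with /proc mounted; flags must not include O_CREAT/O_NOFOLLOW. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef SYS_openat2
#define SYS_openat2 437              /* same number on every architecture */
#endif
#ifndef O_PATH
#define O_PATH 010000000             /* x86/arm64 value, for old headers */
#endif
#define RESOLVE_NO_MAGICLINKS 0x02   /* values from <linux/openat2.h> */
#define RESOLVE_IN_ROOT       0x10
struct open_how_local { uint64_t flags, mode, resolve; }; /* layout of struct open_how */

/* Fast path: the kernel does the whole walk scoped to rootfd and refuses to follow
 * /proc magic-links, so a link planted by the user cannot reopen one of our fds. */
static int try_openat2(int rootfd, const char *path, int flags) {
    struct open_how_local how = { (uint64_t)flags | O_CLOEXEC, 0, RESOLVE_IN_ROOT | RESOLVE_NO_MAGICLINKS };
    return (int)syscall(SYS_openat2, rootfd, path, &how, sizeof how);
}
static int same_inode(int a, int b) {
    struct stat sa, sb;
    return !fstat(a, &sa) && !fstat(b, &sb) && sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino;
}
static int fail(int fd, int err) { close(fd); errno = err; return -1; }

/* Slow path mimicking RESOLVE_IN_ROOT: each component is opened O_PATH|O_NOFOLLOW so
 * the kernel never follows a symlink for us; we read the target from that fd and splice
 * it into the remaining path; ".." at the root stays at the root. Simplified: it does
 * not re-check that a directory was not renamed out of the root mid-walk. */
static int walk_open(int rootfd, const char *path, int flags) {
    char work[PATH_MAX * 2], comp[NAME_MAX + 1], target[PATH_MAX];
    struct stat st;
    int cur = fcntl(rootfd, F_DUPFD_CLOEXEC, 0), hops = 0;
    if (cur < 0) return -1;
    if (snprintf(work, sizeof work, "%s", path) >= (int)sizeof work) return fail(cur, ENAMETOOLONG);
    while (work[0] != '\0') {
        if (work[0] == '/') {                       /* absolute: restart at rootfd */
            size_t s = strspn(work, "/"); memmove(work, work + s, strlen(work + s) + 1);
            close(cur); if ((cur = fcntl(rootfd, F_DUPFD_CLOEXEC, 0)) < 0) return -1;
            continue;
        }
        size_t len = strcspn(work, "/");
        if (len > NAME_MAX) return fail(cur, ENAMETOOLONG);
        memcpy(comp, work, len); comp[len] = '\0';
        len += strspn(work + len, "/");
        memmove(work, work + len, strlen(work + len) + 1); /* work = what is left to resolve */
        if (!strcmp(comp, ".") || (!strcmp(comp, "..") && same_inode(cur, rootfd)))
            continue;                               /* no-op, or ".." clamped at the root */
        int next = openat(cur, comp, O_PATH | O_NOFOLLOW | O_CLOEXEC);
        if (next < 0) return fail(cur, errno);
        if (!fstat(next, &st) && S_ISLNK(st.st_mode)) {
            ssize_t n = readlinkat(next, "", target, sizeof target - 1);
            if (n <= 0) { fail(next, n < 0 ? errno : ENOENT); return fail(cur, errno); }
            close(next);
            if (++hops > 40) return fail(cur, ELOOP);
            if ((size_t)n + strlen(work) + 2 > sizeof work) return fail(cur, ENAMETOOLONG);
            memmove(work + n + 1, work, strlen(work) + 1); /* work = target "/" rest */
            memcpy(work, target, (size_t)n);
            work[n] = '/';
            continue;
        }
        close(cur);
        cur = next;
    }
    /* Re-open the trusted O_PATH handle with the real flags through its own /proc link. */
    snprintf(target, sizeof target, "/proc/self/fd/%d", cur);
    int fd = open(target, flags | O_CLOEXEC), err = errno;
    close(cur); errno = err;
    return fd;
}

int safe_open_in_root(int rootfd, const char *path, int flags) {
    if (*path == '\0') { errno = ENOENT; return -1; }
    int fd = try_openat2(rootfd, path, flags);
    /* ENOSYS: kernel before 5.6. EPERM: a seccomp profile denying unknown syscalls. */
    if (fd >= 0 || (errno != ENOSYS && errno != EPERM)) return fd;
    return walk_open(rootfd, path, flags);
}

/* Constructed fixture: a throwaway root with one file plus symlinks that would escape
 * or loop if resolved naively. Returns an O_PATH dirfd for that root. */
int make_demo_root(void) {
    char tmpl[] = "/tmp/pathrs-demo-XXXXXX";
    int root = mkdtemp(tmpl) ? open(tmpl, O_PATH | O_DIRECTORY | O_CLOEXEC) : -1;
    if (root < 0 || mkdirat(root, "etc", 0755) < 0) return -1;
    int f = openat(root, "etc/hostname", O_WRONLY | O_CREAT | O_CLOEXEC, 0644);
    if (f < 0 || write(f, "demo", 4) != 4) return -1;
    close(f);
    symlinkat("/etc/hostname", root, "escape");            /* absolute: resolved inside root */
    symlinkat("../../../../etc/hostname", root, "updir");  /* ".." past root: clamped */
    symlinkat("loop", root, "loop");                       /* self-loop: ELOOP */
    return root;
}
```

With this, `safe_open_in_root(root, "escape", O_RDONLY)` yields the root's own etc/hostname rather than the host's, `updir` is clamped at the root, and `loop` fails with ELOOP on both paths. Two caveats a practitioner should keep in mind: openat2(2) under RESOLVE_IN_ROOT can return EAGAIN when it detects a concurrent rename, so a real caller retries; and the final re-open through /proc/self/fd needs a trustworthy procfs, since a fake or overmounted /proc would redirect it, which is one reason a library needs careful procfs handling rather than a bare open().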

This talk covers how libpathrs works and how it can help secure container runtimes and privileged system management tools against these attacks, and touches on ongoing kernel work that would allow for even more hardening.

After the talk, slides will be available from my site.

Aleksa Sarai is a core developer and maintainer of runc and umoci, contributor and maintainer of Open Container Initiative specifications, and a Linux kernel contributor. He works on the containers team at SUSE, maintaining various core parts of the lower levels of the containers stack and related software for both SUSE Linux Enterprise and openSUSE; he is also committed to working in the open, and is a strong proponent of Free Software.