
Container: Restrict path of template files and targets#17550

Merged
tomponline merged 2 commits into canonical:main from tomponline:tp-templates
Feb 3, 2026

Conversation


@tomponline tomponline commented Feb 3, 2026

Based on lxc/incus#2848

Related to GHSA-7f67-crqm-jgh7 (CVE-2026-23954)

This addresses a security issue that was responsibly disclosed to the Incus security team by Rory McNamara of snyk.io.

@tomponline tomponline self-assigned this Feb 3, 2026
@tomponline tomponline force-pushed the tp-templates branch 6 times, most recently from cf0f96e to 45f2df4 February 3, 2026 11:33
@tomponline tomponline requested a review from sudhackar February 3, 2026 11:40
@tomponline tomponline marked this pull request as ready for review February 3, 2026 11:41
…targets

This fixes three security issues related to file templates:

 - The template target path could be made to be relative or go through
   symlinks in a way that could lead to arbitrary write to the host
   filesystem.

 - The template directory could be relative, allowing for arbitrary read
   from the host filesystem.

 - The template file itself could be made relative, allowing for
   arbitrary reads from the host filesystem.

In the case of the template target path, the new logic makes use of the
kernel's openat2 system call which brings a variety of flags that can be
used to restrict path resolution and detect potential issues.

For the template path itself, we now validate that it is a simple local
file and that the template directory isn't a symlink.

This fixes CVE-2026-23954

Reported-by: Rory McNamara <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
(cherry picked from commit c1d90bd34a7ccc224276b87644d7c75437f1cb64)
Signed-off-by: Thomas Parrott <[email protected]>
License: Apache-2.0
…llow error wrapping

Also:
 - Closes rootfs file handle earlier.
 - Handles errors when closing file handles.

Signed-off-by: Thomas Parrott <[email protected]>
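The approach the first commit message describes, as an added example (this is not code from this PR or from LXD): `open_beneath` opens a template target strictly beneath a rootfs directory with openat2(2), so that an absolute target, a `..` that climbs out of the rootfs, or a symlink inside the rootfs cannot redirect the write onto the host; `is_simple_filename` and `is_dir_not_symlink` are the two checks described for the template file and its directory. The function names, the specific RESOLVE_* combination and the throwaway rootfs built under /tmp are assumptions made for the example; the page does not show which flags the PR itself uses. The struct layout and constants are those of the kernel's uapi header.

```c
/* Added example, not code from this PR or from LXD: open a template target
 * strictly beneath a container rootfs with openat2(2), plus the two userland
 * checks the commit message describes for the template source. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* openat2 appeared in Linux 5.6 and has no libc wrapper. Values are from
 * include/uapi/linux/openat2.h; 437 is its syscall number on every arch. */
#ifndef RESOLVE_BENEATH
struct open_how { uint64_t flags; uint64_t mode; uint64_t resolve; };
#define RESOLVE_NO_MAGICLINKS 0x02
#define RESOLVE_NO_SYMLINKS   0x04
#define RESOLVE_BENEATH       0x08
#endif
#ifndef SYS_openat2
#define SYS_openat2 437
#endif

/* Open relpath beneath rootfd. RESOLVE_BENEATH turns an absolute path or a
 * ".." that would leave rootfd into EXDEV; RESOLVE_NO_SYMLINKS refuses to
 * follow any symlink at all (ELOOP), since links inside a rootfs belong to
 * the guest; RESOLVE_NO_MAGICLINKS blocks /proc-style magic links.
 * openat2 requires mode to be 0 unless O_CREAT is set. */
int open_beneath(int rootfd, const char *relpath, int flags, mode_t mode)
{
    struct open_how how;
    memset(&how, 0, sizeof how);
    how.flags = (uint64_t)(flags | O_NOFOLLOW | O_CLOEXEC);
    how.mode = (flags & O_CREAT) ? mode : 0;
    how.resolve = RESOLVE_BENEATH | RESOLVE_NO_SYMLINKS | RESOLVE_NO_MAGICLINKS;
    return (int)syscall(SYS_openat2, rootfd, relpath, &how, sizeof how);
}

/* Template file name must be a plain name: non-empty, no '/', not "."/"..". */
int is_simple_filename(const char *name)
{
    if (name == NULL || name[0] == '\0' || strchr(name, '/') != NULL)
        return 0;
    return strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}

/* Template directory must be a real directory, not a symlink to one. */
int is_dir_not_symlink(const char *path)
{
    struct stat st;
    return lstat(path, &st) == 0 && S_ISDIR(st.st_mode);
}

/* Constructed sample rootfs under /tmp: a regular file "hostname" and a
 * symlink "escape" pointing at the host's /etc/hostname. Returns 0 when
 * openat2 behaves as described, 1 if the running kernel lacks openat2
 * (ENOSYS), -1 on any unexpected outcome. */
int run_scenario(void)
{
    char dir[] = "/tmp/rootfs-demo.XXXXXX";
    int rootfd = -1, fd, rc = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    rootfd = open(dir, O_DIRECTORY | O_RDONLY | O_CLOEXEC);
    if (rootfd < 0)
        goto out;
    fd = openat(rootfd, "hostname", O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0)
        goto out;
    close(fd);
    if (symlinkat("/etc/hostname", rootfd, "escape") != 0)
        goto out;

    /* Legitimate target opens. */
    fd = open_beneath(rootfd, "hostname", O_WRONLY, 0);
    if (fd < 0) { rc = (errno == ENOSYS) ? 1 : -1; goto out; }
    close(fd);

    /* Symlink leading out of the rootfs is refused, never followed. */
    fd = open_beneath(rootfd, "escape", O_WRONLY, 0);
    if (fd >= 0) { close(fd); goto out; }
    if (errno != ELOOP && errno != EXDEV) goto out;

    /* A target that climbs out with ".." is refused as well. */
    fd = open_beneath(rootfd, "../hostname", O_RDONLY, 0);
    if (fd >= 0) { close(fd); goto out; }
    rc = (errno == EXDEV) ? 0 : -1;
out:
    if (rootfd >= 0) {
        unlinkat(rootfd, "escape", 0);
        unlinkat(rootfd, "hostname", 0);
        close(rootfd);
    }
    rmdir(dir);
    return rc;
}
```

With `rootfd` opened on the container's rootfs, `open_beneath(rootfd, "etc/hostname", O_WRONLY, 0)` returns a descriptor only if every path component stayed under that directory; `run_scenario` builds a throwaway rootfs and exercises the three cases. Two practical caveats: RESOLVE_NO_SYMLINKS also refuses benign symlinks inside the rootfs (a guest whose /etc/hostname is itself a symlink), where RESOLVE_IN_ROOT would instead resolve such links as if chrooted to rootfd; and with RESOLVE_BENEATH or RESOLVE_IN_ROOT the kernel returns EAGAIN if it detects a rename or mount change during resolution, so a caller should retry rather than fall back to a less restricted open.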
@nmezhenskyi nmezhenskyi left a comment


LGTM!

@tomponline tomponline merged commit 1eb34e8 into canonical:main Feb 3, 2026
121 of 122 checks passed
@tomponline tomponline deleted the tp-templates branch February 3, 2026 19:23
tomponline added a commit to tomponline/lxd-pkg-snap that referenced this pull request Feb 4, 2026
tomponline added a commit to canonical/lxd-pkg-snap that referenced this pull request Feb 4, 2026
tomponline added a commit that referenced this pull request Feb 6, 2026
tomponline added a commit to tomponline/lxd-pkg-snap that referenced this pull request Feb 9, 2026
tomponline added a commit to tomponline/lxd-pkg-snap that referenced this pull request Feb 9, 2026
tomponline added a commit to tomponline/lxd-pkg-snap that referenced this pull request Feb 9, 2026
tomponline added a commit to canonical/lxd-pkg-snap that referenced this pull request Feb 9, 2026
tomponline added a commit that referenced this pull request Feb 12, 2026

4 participants