UNIX Symbolic Link (Symlink) Following
CVE-2025-52881
Summary
runc is a CLI tool for spawning and running containers according to the OCI specification. In "github.com/opencontainers/runc" versions through 1.2.7, 1.3.0-rc.1 through 1.3.2 and 1.4.0-rc.1 through 1.4.0-rc.2, and in "github.com/opencontainers/selinux" versions through 1.12.0, an attacker can trick runc into misdirecting its writes to /proc to other procfs files by racing a container that has shared mounts configured. The redirect can be done with symbolic links in a tmpfs or, in principle, by other means such as regular bind mounts. The attack has also been verified using a standard Dockerfile with docker buildx build, since that also permits running containers in parallel with custom shared mounts.

The mitigation applied for the related CVE-2019-19921 does not cover this case: it was fairly limited and effectively only made runc verify, when LSM labels are written, that the target is a procfs file. A write redirected to a different procfs file still passes that check.
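The following is an added illustration, not code from runc or the opencontainers/selinux library, of why a procfs-type check alone is insufficient and how verifying the already-open descriptor closes the gap. It builds the attacker's redirect as a directory symlink in a scratch directory and uses /proc/sys/kernel/hostname and /proc/sys/kernel/ostype as stand-in targets, opened read-only so that it runs unprivileged; runc's real writes go to LSM attribute files under /proc with write opens. The function names, the scratch layout and the stand-in paths are this example's own assumptions. It requires Linux.

```go
// Added example (not runc or opencontainers/selinux code): a procfs-type
// check versus a check of what the open descriptor really refers to.
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// procSuperMagic is PROC_SUPER_MAGIC from linux/magic.h: the f_type that
// fstatfs(2) reports for a procfs mount.
const procSuperMagic = 0x9fa0

// isProcfs reports whether the already-open descriptor lives on procfs.
// Checking the fd (not the path) avoids a check-then-open race, but it only
// proves the file is *a* procfs file, not the one we meant to open.
func isProcfs(f *os.File) (bool, error) {
	var st syscall.Statfs_t
	if err := syscall.Fstatfs(int(f.Fd()), &st); err != nil {
		return false, err
	}
	return int64(st.Type) == procSuperMagic, nil
}

// openProcfsWeak mirrors the kind of check the advisory describes for
// CVE-2019-19921: open the path, then accept it as long as it is on procfs.
// O_NOFOLLOW only guards the final component, so a symlink (or bind mount)
// that redirects an intermediate directory to another procfs directory
// is accepted.
func openProcfsWeak(path string) (*os.File, error) {
	// O_RDONLY so this demo runs unprivileged; the real writes are O_WRONLY.
	f, err := os.OpenFile(path, os.O_RDONLY|syscall.O_NOFOLLOW, 0)
	if err != nil {
		return nil, err
	}
	ok, err := isProcfs(f)
	if err != nil || !ok {
		f.Close()
		if err == nil {
			err = fmt.Errorf("%s: not a procfs file", path)
		}
		return nil, err
	}
	return f, nil
}

// openProcfsStrict additionally asks the kernel which file the descriptor
// really refers to (readlink on /proc/self/fd/N) and refuses anything but
// the expected canonical path. Because the comparison is made on the open
// fd, an attacker racing the path cannot change the answer afterwards.
// expected must be the path as the kernel prints it (e.g. /proc/<pid>/...,
// not /proc/self/...).
func openProcfsStrict(path, expected string) (*os.File, error) {
	f, err := openProcfsWeak(path)
	if err != nil {
		return nil, err
	}
	actual, err := os.Readlink(fmt.Sprintf("/proc/self/fd/%d", f.Fd()))
	if err != nil {
		f.Close()
		return nil, err
	}
	if actual != expected {
		f.Close()
		return nil, fmt.Errorf("%s resolved to %s, expected %s", path, actual, expected)
	}
	return f, nil
}

// runDemo builds the attacker's redirect in scratchDir: a symlink named
// "kernel" pointing at /proc/sys/kernel, so that scratchDir/kernel/hostname
// is a procfs file, just not the one the caller (who intends to open
// /proc/sys/kernel/ostype) meant. It reports whether each check accepted it.
func runDemo(scratchDir string) (weakAccepted, strictAccepted bool, err error) {
	const intended = "/proc/sys/kernel/ostype"
	link := filepath.Join(scratchDir, "kernel")
	if err = os.Symlink("/proc/sys/kernel", link); err != nil {
		return false, false, err
	}
	redirected := filepath.Join(link, "hostname")

	f, e := openProcfsWeak(redirected)
	if e != nil {
		return false, false, fmt.Errorf("weak open failed (no procfs?): %w", e)
	}
	f.Close()
	weakAccepted = true

	if f, e := openProcfsStrict(redirected, intended); e == nil {
		strictAccepted = true
		f.Close()
	}
	return weakAccepted, strictAccepted, nil
}

func main() {
	dir, err := os.MkdirTemp("", "procfs-redirect")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	weak, strict, err := runDemo(dir)
	if err != nil {
		panic(err)
	}
	fmt.Printf("procfs-type check accepted the redirected path: %v\n", weak)
	fmt.Printf("fd-path check accepted the redirected path:     %v\n", strict)
}
```

The decisive detail is that both checks run against the descriptor after open(2), so a racing attacker cannot change the outcome once it has been made; a check on the path string before opening would reintroduce the race. Opening procfs files through a private procfs instance (fsopen(2)) rather than through mounts the container controls removes the interposition point altogether.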
CVSS base metrics (the page lists only the values; the metric names below are inferred from the CVSS v3 value vocabulary, and the page shows only two of the three impact metrics):
- Severity: HIGH
- Attack Vector: LOCAL
- Attack Complexity: HIGH
- Scope: CHANGED
- User Interaction: REQUIRED
- Privileges Required: LOW
- Impact (two of Confidentiality / Integrity / Availability): HIGH, HIGH
CWE-61 - UNIX Symbolic Link (Symlink) Following
The software, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files.