Youki Container Runtime AppArmor Handling Path Substitution Vulnerability Allowing Unintended Writes to Procfs
Vulnerability
A vulnerability exists in the Youki container runtime, in versions through 0.5.6, in its handling of AppArmor profiles. Write targets are not adequately validated, so path substitution during file-path resolution can redirect a write elsewhere in procfs: a write intended for '/proc/self/attr/apparmor/exec' can instead land in '/proc/sys/kernel/hostname'. The redirection is driven by a shared-mount race that substitutes path components, changing the final target. This vulnerability has been addressed in Youki version 0.5.7.
Impact
Exploitation of this vulnerability can result in unauthorized writes to procfs, potentially allowing for manipulation of process or system attributes.
Reproduction
The vulnerability can be reproduced by applying an AppArmor profile that includes write instructions to a procfs path. Due to the weak validation, the write can be redirected to an unintended location within procfs.
Remediation
Users can update to Youki version 0.5.7 or later, where this vulnerability has been fixed.
