fix(security): harden runtime against critical/high vulnerabilities (#25)

* fix(security): harden runtime against 6 critical/high vulnerabilities

- Gate REAPER_NO_OVERLAY behind #[cfg(test)] so overlay bypass is
  impossible in release builds (Critical)
- Validate container/exec IDs against path traversal: reject empty,
  '..', slashes, and non-alphanumeric chars (Critical)
- Restrict config file to REAPER_ prefixed keys only, preventing
  injection of LD_PRELOAD, PATH, etc. (High)
- Set restrictive permissions (0700 dirs, 0600 files) on state files
  and directories (High)
- Validate PID > 1 before sending kill signals to prevent signalling
  init or the caller's process group (High)
- Always clear supplementary groups during privilege drop, even when
  additional_gids is empty, to prevent inheriting root's groups (High)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: use debug_assertions gate for REAPER_NO_OVERLAY bypass

#[cfg(test)] only applies to the test harness, not binary targets
built alongside it. Integration tests spawn reaper-runtime as a
subprocess, so the overlay bypass was inactive in CI.

Switch to #[cfg(debug_assertions)] which is active in debug builds
(cargo test) but not in release builds (production).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: miguelgila

docs/TODO.md

@@ -14,7 +14,7 @@ List of tasks to do, not ordered in any specific way.
 - [x] Add examples that use jobs, deployments and daemonsets
 - [x] Add complex example (idea openldap server + sssd + something that uses users)
 - [x] Add quick-start guide with a playground kind cluster for doing fast testing
-- [ ] Evaluate if it would make sense to isolate overlays by namespace
+- [x] Evaluate if it would make sense to isolate overlays by namespace
 - [x] Manage DNS settings, currently relying on host DNS instead of k8s DNS settings.
 - [ ] Add certain configuration parameters as annotations, so users can influence how Reaper works (DNS, overlay name and mount point, etc.). But ensuring adminsistrator parameters cannot be overriden.
 - [ ] Introduce more complex examples, answer this question: can we have a sssd containerd pod expose its socks file so a sample reaper pod can utilize it?

src/bin/containerd-shim-reaper-v2/main.rs

@@ -345,14 +345,32 @@ fn extract_k8s_namespace(bundle: &str) -> Option<String> {
     })
 }
 
+/// Validate that an ID is safe for use in filesystem paths.
+/// Rejects empty strings, path traversal (`..`), and characters outside `[a-zA-Z0-9._-]`.
+fn validate_id(id: &str) -> Result<(), Error> {
+    if id.is_empty()
+        || id.len() > 256
+        || id == "."
+        || id == ".."
+        || !id
+            .chars()
+            .all(|c| c.is_ascii_alphanumeric() || c == '.' || c == '_' || c == '-')
+    {
+        return Err(Error::InvalidArgument(format!("invalid ID: {:?}", id)));
+    }
+    Ok(())
+}
+
 /// Build the file path for an exec state file.
-fn build_exec_state_path(container_id: &str, exec_id: &str) -> String {
-    format!(
+fn build_exec_state_path(container_id: &str, exec_id: &str) -> Result<String, Error> {
+    validate_id(container_id)?;
+    validate_id(exec_id)?;
+    Ok(format!(
         "{}/{}/exec-{}.json",
         runtime_state_dir(),
         container_id,
         exec_id
-    )
+    ))
 }
 
 /// Map a status string from runtime state JSON to the protobuf Status enum.
@@ -633,7 +651,7 @@ impl Task for ReaperTask {
             }
 
             // Poll exec state file for PID
-            let exec_path = build_exec_state_path(&req.id, &req.exec_id);
+            let exec_path = build_exec_state_path(&req.id, &req.exec_id)?;
             let exec_path_clone = exec_path.clone();
 
             let pid = tokio::task::spawn_blocking(move || {
@@ -769,7 +787,7 @@ impl Task for ReaperTask {
         if !req.exec_id.is_empty() {
             info!("delete() - EXEC process, exec_id={}", req.exec_id);
 
-            let exec_path = build_exec_state_path(&req.id, &req.exec_id);
+            let exec_path = build_exec_state_path(&req.id, &req.exec_id)?;
             let _ = std::fs::remove_file(&exec_path);
 
             return Ok(api::DeleteResponse {
@@ -871,12 +889,12 @@ impl Task for ReaperTask {
         if !req.exec_id.is_empty() {
             info!("kill() - EXEC process, exec_id={}", req.exec_id);
 
-            let exec_path = build_exec_state_path(&req.id, &req.exec_id);
+            let exec_path = build_exec_state_path(&req.id, &req.exec_id)?;
 
             if let Ok(data) = std::fs::read_to_string(&exec_path) {
                 if let Ok(state) = serde_json::from_str::<serde_json::Value>(&data) {
                     if let Some(pid) = state["pid"].as_i64() {
-                        if pid > 0 {
+                        if pid > 1 {
                             let sig = nix::sys::signal::Signal::try_from(req.signal as i32)
                                 .unwrap_or(nix::sys::signal::Signal::SIGTERM);
                             // Kill the entire process group so children are also signalled.
@@ -1002,7 +1020,7 @@ impl Task for ReaperTask {
         if !req.exec_id.is_empty() {
             info!("wait() - EXEC process, exec_id={}", req.exec_id);
 
-            let exec_path = build_exec_state_path(&req.id, &req.exec_id);
+            let exec_path = build_exec_state_path(&req.id, &req.exec_id)?;
             let container_id = req.id.clone();
             let exec_id_clone = req.exec_id.clone();
 
@@ -1136,7 +1154,7 @@ impl Task for ReaperTask {
         if !req.exec_id.is_empty() {
             info!("state() - EXEC process, exec_id={}", req.exec_id);
 
-            let exec_path = build_exec_state_path(&req.id, &req.exec_id);
+            let exec_path = build_exec_state_path(&req.id, &req.exec_id)?;
 
             if let Ok(data) = std::fs::read_to_string(&exec_path) {
                 if let Ok(state) = serde_json::from_str::<serde_json::Value>(&data) {
@@ -1367,7 +1385,7 @@ impl Task for ReaperTask {
             "stderr": if req.stderr.is_empty() { serde_json::Value::Null } else { serde_json::Value::String(req.stderr.clone()) },
         });
 
-        let exec_path = build_exec_state_path(&req.id, &req.exec_id);
+        let exec_path = build_exec_state_path(&req.id, &req.exec_id)?;
 
         std::fs::write(&exec_path, serde_json::to_vec_pretty(&exec_state).unwrap()).map_err(
             |e| {
@@ -1814,7 +1832,7 @@ mod tests {
     #[serial]
     fn test_build_exec_state_path_format() {
         std::env::set_var("REAPER_RUNTIME_ROOT", "/run/reaper");
-        let path = build_exec_state_path("my-container", "exec-123");
+        let path = build_exec_state_path("my-container", "exec-123").unwrap();
         assert_eq!(path, "/run/reaper/my-container/exec-exec-123.json");
         std::env::remove_var("REAPER_RUNTIME_ROOT");
     }
@@ -1823,7 +1841,7 @@ mod tests {
     #[serial]
     fn test_build_exec_state_path_custom_root() {
         std::env::set_var("REAPER_RUNTIME_ROOT", "/custom/path");
-        let path = build_exec_state_path("ctr-1", "e1");
+        let path = build_exec_state_path("ctr-1", "e1").unwrap();
         assert_eq!(path, "/custom/path/ctr-1/exec-e1.json");
         std::env::remove_var("REAPER_RUNTIME_ROOT");
     }

src/bin/reaper-runtime/main.rs

@@ -434,9 +434,12 @@ fn do_start(id: &str, bundle: &Path) -> Result<()> {
             // REAPER_NO_OVERLAY=1 disables overlay for unit tests that lack CAP_SYS_ADMIN.
             #[cfg(target_os = "linux")]
             {
+                #[cfg(debug_assertions)]
                 let skip_overlay = std::env::var("REAPER_NO_OVERLAY")
                     .map(|v| v == "1" || v.eq_ignore_ascii_case("true"))
                     .unwrap_or(false);
+                #[cfg(not(debug_assertions))]
+                let skip_overlay = false;
 
                 if skip_overlay {
                     info!("do_start() - overlay disabled via REAPER_NO_OVERLAY");
@@ -582,10 +585,9 @@ fn do_start(id: &str, bundle: &Path) -> Result<()> {
 
                         // Apply user/group configuration if present
                         if let Some(ref user) = user_cfg_for_exec {
-                            // Set supplementary groups first (must be done while privileged)
-                            if !user.additional_gids.is_empty() {
-                                safe_setgroups(&user.additional_gids)?;
-                            }
+                            // Always clear/set supplementary groups (must be done while privileged).
+                            // When empty, this clears inherited root supplementary groups.
+                            safe_setgroups(&user.additional_gids)?;
 
                             // Set GID before UID (privilege dropping order matters)
                             if nix::libc::setgid(user.gid) != 0 {
@@ -968,6 +970,9 @@ fn do_kill(id: &str, signal: Option<i32>) -> Result<()> {
     let signal = signal.unwrap_or(15); // Default to SIGTERM
     info!("do_kill() called - id={}, signal={}", id, signal);
     let pid = load_pid(id)?;
+    if pid <= 1 {
+        bail!("refusing to send signal to PID {} (must be > 1)", pid);
+    }
     info!(
         "do_kill() - sending signal {} to process group (pgid={})",
         signal, pid

src/bin/reaper-runtime/state.rs

@@ -1,8 +1,33 @@
+use anyhow::bail;
 use serde::{Deserialize, Serialize};
 use std::fs;
 use std::io::Write;
+#[cfg(unix)]
+use std::os::unix::fs::PermissionsExt;
 use std::path::PathBuf;
 
+/// Validate that an ID is safe for use in filesystem paths.
+/// Rejects empty strings, path traversal (`..`), and characters outside `[a-zA-Z0-9._-]`.
+/// IDs longer than 256 characters are also rejected.
+pub fn validate_id(id: &str) -> anyhow::Result<()> {
+    if id.is_empty() {
+        bail!("ID must not be empty");
+    }
+    if id.len() > 256 {
+        bail!("ID must not exceed 256 characters");
+    }
+    if id == "." || id == ".." {
+        bail!("ID must not be '.' or '..'");
+    }
+    if !id
+        .chars()
+        .all(|c| c.is_ascii_alphanumeric() || c == '.' || c == '_' || c == '-')
+    {
+        bail!("ID contains invalid characters (allowed: a-zA-Z0-9._-)");
+    }
+    Ok(())
+}
+
 /// OCI User specification for UID/GID switching
 #[derive(Debug, Deserialize, Serialize, Clone)]
 pub struct OciUser {
@@ -72,34 +97,49 @@ pub fn pid_path(id: &str) -> PathBuf {
 }
 
 pub fn save_state(state: &ContainerState) -> anyhow::Result<()> {
+    validate_id(&state.id)?;
     let dir = container_dir(&state.id);
     fs::create_dir_all(&dir)?;
+    #[cfg(unix)]
+    fs::set_permissions(&dir, fs::Permissions::from_mode(0o700))?;
+    let path = state_path(&state.id);
     let json = serde_json::to_vec_pretty(&state)?;
-    fs::write(state_path(&state.id), json)?;
+    fs::write(&path, json)?;
+    #[cfg(unix)]
+    fs::set_permissions(&path, fs::Permissions::from_mode(0o600))?;
     Ok(())
 }
 
 pub fn load_state(id: &str) -> anyhow::Result<ContainerState> {
+    validate_id(id)?;
     let data = fs::read(state_path(id))?;
     let state: ContainerState = serde_json::from_slice(&data)?;
     Ok(state)
 }
 
 pub fn save_pid(id: &str, pid: i32) -> anyhow::Result<()> {
+    validate_id(id)?;
     let dir = container_dir(id);
     fs::create_dir_all(&dir)?;
-    let mut f = fs::File::create(pid_path(id))?;
+    #[cfg(unix)]
+    fs::set_permissions(&dir, fs::Permissions::from_mode(0o700))?;
+    let path = pid_path(id);
+    let mut f = fs::File::create(&path)?;
     writeln!(f, "{}", pid)?;
+    #[cfg(unix)]
+    fs::set_permissions(&path, fs::Permissions::from_mode(0o600))?;
     Ok(())
 }
 
 pub fn load_pid(id: &str) -> anyhow::Result<i32> {
+    validate_id(id)?;
     let s = fs::read_to_string(pid_path(id))?;
     let pid: i32 = s.trim().parse()?;
     Ok(pid)
 }
 
 pub fn delete(id: &str) -> anyhow::Result<()> {
+    validate_id(id)?;
     let dir = container_dir(id);
     if dir.exists() {
         fs::remove_dir_all(dir)?;
@@ -138,14 +178,23 @@ pub fn exec_state_path(container_id: &str, exec_id: &str) -> PathBuf {
 }
 
 pub fn save_exec_state(state: &ExecState) -> anyhow::Result<()> {
+    validate_id(&state.container_id)?;
+    validate_id(&state.exec_id)?;
     let dir = container_dir(&state.container_id);
     fs::create_dir_all(&dir)?;
+    #[cfg(unix)]
+    fs::set_permissions(&dir, fs::Permissions::from_mode(0o700))?;
+    let path = exec_state_path(&state.container_id, &state.exec_id);
     let json = serde_json::to_vec_pretty(&state)?;
-    fs::write(exec_state_path(&state.container_id, &state.exec_id), json)?;
+    fs::write(&path, json)?;
+    #[cfg(unix)]
+    fs::set_permissions(&path, fs::Permissions::from_mode(0o600))?;
     Ok(())
 }
 
 pub fn load_exec_state(container_id: &str, exec_id: &str) -> anyhow::Result<ExecState> {
+    validate_id(container_id)?;
+    validate_id(exec_id)?;
     let path = exec_state_path(container_id, exec_id);
     let data = fs::read(&path)?;
     let state: ExecState = serde_json::from_slice(&data)?;
@@ -425,4 +474,52 @@ mod tests {
     //             .expect("Delete should not fail on nonexistent exec");
     //     });
     // }
+
+    // --- validate_id tests ---
+
+    #[test]
+    fn test_validate_id_valid() {
+        assert!(validate_id("my-container").is_ok());
+        assert!(validate_id("abc123").is_ok());
+        assert!(validate_id("a.b_c-d").is_ok());
+        assert!(validate_id("A").is_ok());
+    }
+
+    #[test]
+    fn test_validate_id_rejects_empty() {
+        assert!(validate_id("").is_err());
+    }
+
+    #[test]
+    fn test_validate_id_rejects_path_traversal() {
+        assert!(validate_id("..").is_err());
+        assert!(validate_id("../etc/passwd").is_err());
+        assert!(validate_id("foo/../bar").is_err());
+    }
+
+    #[test]
+    fn test_validate_id_rejects_dot() {
+        assert!(validate_id(".").is_err());
+    }
+
+    #[test]
+    fn test_validate_id_rejects_slashes() {
+        assert!(validate_id("foo/bar").is_err());
+        assert!(validate_id("/absolute").is_err());
+    }
+
+    #[test]
+    fn test_validate_id_rejects_long() {
+        let long_id = "a".repeat(257);
+        assert!(validate_id(&long_id).is_err());
+        let ok_id = "a".repeat(256);
+        assert!(validate_id(&ok_id).is_ok());
+    }
+
+    #[test]
+    fn test_validate_id_rejects_special_chars() {
+        assert!(validate_id("foo bar").is_err());
+        assert!(validate_id("foo\nbar").is_err());
+        assert!(validate_id("foo\0bar").is_err());
+    }
 }

src/config.rs

@@ -44,6 +44,16 @@ pub fn load_config() {
                 continue;
             }
 
+            // Only allow REAPER_ prefixed keys to prevent injection of
+            // dangerous env vars like LD_PRELOAD, PATH, etc.
+            if !key.starts_with("REAPER_") {
+                eprintln!(
+                    "reaper: config: ignoring non-REAPER_ key {:?} in {}",
+                    key, path
+                );
+                continue;
+            }
+
             // Only set if not already present in environment (env wins)
             if std::env::var(key).is_err() {
                 std::env::set_var(key, value);
@@ -120,6 +130,34 @@ mod tests {
         std::env::remove_var("REAPER_TEST_PRECEDENCE");
     }
 
+    #[test]
+    #[serial]
+    fn test_rejects_non_reaper_keys() {
+        let dir = tempfile::tempdir().unwrap();
+        let conf = dir.path().join("reaper.conf");
+        let mut f = std::fs::File::create(&conf).unwrap();
+        writeln!(f, "LD_PRELOAD=/tmp/evil.so").unwrap();
+        writeln!(f, "PATH=/tmp/evil").unwrap();
+        writeln!(f, "REAPER_TEST_ALLOWED=yes").unwrap();
+
+        std::env::remove_var("LD_PRELOAD");
+        std::env::remove_var("REAPER_TEST_ALLOWED");
+        std::env::set_var("REAPER_CONFIG", conf.to_str().unwrap());
+
+        load_config();
+
+        // Non-REAPER_ keys must NOT be set
+        assert!(
+            std::env::var("LD_PRELOAD").is_err(),
+            "LD_PRELOAD should not be set from config"
+        );
+        // REAPER_ keys should be set
+        assert_eq!(std::env::var("REAPER_TEST_ALLOWED").unwrap(), "yes");
+
+        std::env::remove_var("REAPER_CONFIG");
+        std::env::remove_var("REAPER_TEST_ALLOWED");
+    }
+
     #[test]
     #[serial]
     fn test_skips_malformed_lines() {