From 959c89e4beb404beec08f3e90a8f7562b1117af20d84027a77c4415a566789ce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?=
Date: Mon, 8 Jan 2024 13:22:28 +0000
Subject: [PATCH 1/2] Accepting request 1137560 from home:danishprakash:branches:Virtualization:containers

Add patch for bsc#1217952
OBS-URL: https://build.opensuse.org/request/show/1137560
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/containerd?expand=0&rev=165
---
 ...reate-pid-file-with-0644-permissions.patch | 75 +++++++++++++++++++
 containerd.changes | 6 ++
 containerd.spec | 5 +-
 3 files changed, 85 insertions(+), 1 deletion(-)
 create mode 100644 0002-shim-Create-pid-file-with-0644-permissions.patch
diff --git a/0002-shim-Create-pid-file-with-0644-permissions.patch b/0002-shim-Create-pid-file-with-0644-permissions.patch
new file mode 100644
index 0000000..a40da68
--- /dev/null
+++ b/0002-shim-Create-pid-file-with-0644-permissions.patch
@@ -0,0 +1,75 @@
+From 260963a354d972201ffe9a6ce882f1c0e9b319d9 Mon Sep 17 00:00:00 2001
+From: Jaroslav Jindrak
+Date: Sat, 23 Dec 2023 21:41:54 +0100
+Subject: [PATCH 1/2] shim: Create pid-file with 0644 permissions
+
+Fixes ae7021300
+
+In ae7021300 the WritePidFile and WriteAddress functions were
+changed to use AtomicFile instead of os.CreateFile. However,
+AtomicFile creates a temporary file and then changes its permissions
+with os.Chmod which alters the previously observed behavior of
+os.CreateFile which takes the system's umask into account.
+
+This means that on Linux-based systems these files suddenly
+became world writable (#9363). The address file has since been
+removed, but pid-file was still created as world writable. This
+commit explicitly requests 0644 permissions as even on systems
+without default umask of 0022 there is no reason to have these
+two files world writable.
+
+Signed-off-by: Jaroslav Jindrak
+(cherry picked from commit 9d328410a5c7bab106fe81cd37a36e4534ce9205)
+Signed-off-by: Jaroslav Jindrak
+---
+ runtime/v2/shim/util.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/runtime/v2/shim/util.go b/runtime/v2/shim/util.go
+index fce1318a63ad..3740d87dbf8a 100644
+--- a/runtime/v2/shim/util.go
++++ b/runtime/v2/shim/util.go
+@@ -126,7 +126,7 @@ func WritePidFile(path string, pid int) error {
+ if err != nil {
+ return err
+ }
+- f, err := atomicfile.New(path, 0o666)
++ f, err := atomicfile.New(path, 0o644)
+ if err != nil {
+ return err
+ }
+
+From 8d82242eb525f87b91bbc2c2499559855dd363cf Mon Sep 17 00:00:00 2001
+From: Jaroslav Jindrak
+Date: Sat, 23 Dec 2023 21:46:12 +0100
+Subject: [PATCH 2/2] shim: Create address file with 0644 permissions
+
+Fixes ae70213
+
+In ae70213 the WritePidFile and WriteAddress functions were
+changed to use AtomicFile instead of os.CreateFile. However,
+AtomicFile creates a temporary file and then changes its permissions
+with os.Chmod which alters the previously observed behavior of
+os.CreateFile which takes the system's umask into account.
+
+This means that on Linux-based systems these files suddenly
+became world writable (#9363).
+
+Signed-off-by: Jaroslav Jindrak
+---
+ runtime/v2/shim/util.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/runtime/v2/shim/util.go b/runtime/v2/shim/util.go
+index 3740d87dbf8a..e8cfeec077c5 100644
+--- a/runtime/v2/shim/util.go
++++ b/runtime/v2/shim/util.go
+@@ -144,7 +144,7 @@ func WriteAddress(path, address string) error {
+ if err != nil {
+ return err
+ }
+- f, err := atomicfile.New(path, 0o666)
++ f, err := atomicfile.New(path, 0o644)
+ if err != nil {
+ return err
+ }
diff --git a/containerd.changes b/containerd.changes
index 5f374d1..2e077de 100644
--- a/containerd.changes
+++ b/containerd.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Jan 8 12:12:00 UTC 2024 - Danish Prakash
+
+- Add patch for bsc#1217952:
+ + 0002-shim-Create-pid-file-with-0644-permissions.patch
+
 -------------------------------------------------------------------
 Mon Dec 4 08:44:40 UTC 2023 - Aleksa Sarai
diff --git a/containerd.spec b/containerd.spec
index bf94992..e4dff34 100644
--- a/containerd.spec
+++ b/containerd.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package containerd
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
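Review bot: The file name, the spec comment and the .changes entry all describe this as the pid-file fix, but the added patch file bundles two upstream commits, and the second one (the `@@ -144,7 +144,7 @@ func WriteAddress` hunk) tightens the shim address file as well, so the packaging metadata under-documents what is being changed. The first embedded message even says the address file "has since been removed", which evidently holds for the upstream branch it was cherry-picked from but not for the sources patched here, since the second commit still finds `WriteAddress` at util.go:144 creating the file with `0o666`. I would record both files in the changelog line, e.g. `- Add patch for bsc#1217952 (shim pid-file and address file were created world-writable):`, so that a later rebase does not drop the address-file half as obsolete. Both embedded hunks show only the `atomicfile.New` call; the rest of `WritePidFile` and `WriteAddress` lies outside the hunk.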
@@ -41,6 +41,8 @@ Source1: %{name}-rpmlintrc
 Source2: %{name}.service
 # UPSTREAM: Revert to fix build on SLE-12.
 Patch1: 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
+# https://github.com/containerd/containerd/pull/9571
+Patch2: 0002-shim-Create-pid-file-with-0644-permissions.patch
 BuildRequires: fdupes
 BuildRequires: glibc-devel-static
 BuildRequires: go >= 1.19
@@ -99,6 +101,7 @@ reference the following Go import paths: github.com/containerd/containerd
 %if 0%{?sle_version} == 120000
 %patch1 -p1
 %endif
+%patch2 -p1
 %build
 %goprep %{import_path}
From 05de9e69c089b1024e6a0ecb6c8b42251f717716756680684ef5caf832c2a9f6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?=
Date: Mon, 8 Jan 2024 13:50:35 +0000
Subject: [PATCH 2/2] Add missing bugref

OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/containerd?expand=0&rev=166
---
 containerd.changes | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/containerd.changes b/containerd.changes
index 2e077de..5f1d14b 100644
--- a/containerd.changes
+++ b/containerd.changes
@@ -16,7 +16,7 @@ Mon Dec 4 08:44:40 UTC 2023 - Aleksa Sarai Fri Oct 27 21:13:23 UTC 2023 - Aleksa Sarai - Update to containerd v1.7.8. Upstream release notes: - + bsc#1200528 - Rebase patches: * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
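Review bot: The new `# https://github.com/containerd/containerd/pull/9571` comment above `Patch2:` gives only the upstream PR, whereas the neighbouring `Patch1:` line carries a one-line explanation, so a reader of the spec cannot tell what Patch2 fixes, or why it is applied unconditionally when Patch1 is SLE-12-only, without opening the patch file. I would extend it to `# UPSTREAM: backport of containerd/containerd#9571 - shim pid/address files were created world-writable (bsc#1217952)`, keeping the `UPSTREAM:` prefix Patch1 uses if that is the file's convention. Applying `%patch2 -p1` unconditionally in the `@@ -99,6 +101,7 @@` hunk looks right, since the permission fix is not SLE-specific.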