- Update to Docker 20.10.11-ce. See upstream changelog in the packaged

/usr/share/doc/packages/docker/CHANGELOG.md. bsc#1192814 CVE-2021-41190 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=365
2021-11-19 00:09:22 +00:00 · 2021-11-19 00:09:22 +00:00 · 97daa986c4
commit 97daa986c4
parent a222574549
13 changed files with 55 additions and 237 deletions
--- a/0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+++ b/0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
@ -1,7 +1,7 @@
-From 44214e643a578dfec9f5898f9225ccf3ccbec419 Mon Sep 17 00:00:00 2001
+From f6170a9d05df85cc61f3e5373eceed61ef3d741e Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 8 Mar 2017 12:41:54 +1100
-Subject: [PATCH 1/6] SECRETS: daemon: allow directory creation in /run/secrets
+Subject: [PATCH 1/5] SECRETS: daemon: allow directory creation in /run/secrets

 Since FileMode can have the directory bit set, allow a SecretStore
 implementation to return secrets that are actually directories. This is
@ -10,22 +10,25 @@ useful for creating directories and subdirectories of secrets.
 Signed-off-by: Antonio Murdaca <runcom@redhat.com>
 Signed-off-by: Aleksa Sarai <asarai@suse.de>
 ---
- daemon/container_operations_unix.go | 24 +++++++++++++++++++++---
- 1 file changed, 21 insertions(+), 3 deletions(-)
+ daemon/container_operations_unix.go | 25 ++++++++++++++++++++++---
+ 1 file changed, 22 insertions(+), 3 deletions(-)

 diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
-index 1647df0ce7ba..4ea2efed241f 100644
+index 6a50b99bd29e..583db20aa459 100644
 --- a/daemon/container_operations_unix.go
 +++ b/daemon/container_operations_unix.go
-@@ -3,6 +3,7 @@
+@@ -1,8 +1,10 @@
+//go:build linux || freebsd
+ // +build linux freebsd
+ 
 package daemon // import "github.com/docker/docker/daemon"
 
 import (
 +	"bytes"
- 	"context"
 	"fmt"
 	"io/ioutil"
-@@ -14,6 +15,7 @@ import (
+ 	"os"
+@@ -12,6 +14,7 @@ import (
 	"github.com/docker/docker/container"
 	"github.com/docker/docker/daemon/links"
 	"github.com/docker/docker/errdefs"
@ -33,7 +36,7 @@ index 1647df0ce7ba..4ea2efed241f 100644
 	"github.com/docker/docker/pkg/idtools"
 	"github.com/docker/docker/pkg/stringid"
 	"github.com/docker/docker/pkg/system"
-@@ -207,9 +209,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
+@@ -205,9 +208,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
 		if err != nil {
 			return errors.Wrap(err, "unable to get secret from secret store")
 		}
@ -43,7 +46,7 @@ index 1647df0ce7ba..4ea2efed241f 100644
 
 		uid, err := strconv.Atoi(s.File.UID)
 		if err != nil {
-@@ -220,6 +219,25 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
+@@ -218,6 +218,25 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
 			return err
 		}
 
@ -70,5 +73,5 @@ index 1647df0ce7ba..4ea2efed241f 100644
 			return errors.Wrap(err, "error setting ownership for secret")
 		}
 -- 
-2.33.0
+2.33.1

--- a/0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+++ b/0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
@ -1,7 +1,7 @@
-From 7202e34c5cf8e5c0816bfc610689e2f9d246d131 Mon Sep 17 00:00:00 2001
+From a28715c97b87152c41538b137f8ad49003db1756 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 8 Mar 2017 11:43:29 +1100
-Subject: [PATCH 2/6] SECRETS: SUSE: implement SUSE container secrets
+Subject: [PATCH 2/5] SECRETS: SUSE: implement SUSE container secrets

 This allows for us to pass in host credentials to a container, allowing
 for SUSEConnect to work with containers.
@ -451,5 +451,5 @@ index 000000000000..9ee33adf7497
 +	return nil
 +}
 -- 
-2.33.0
+2.33.1

--- a/0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
+++ b/0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
@ -1,7 +1,7 @@
-From 0bb32212d07d21b0704ef3b3197fad118ae87e7f Mon Sep 17 00:00:00 2001
+From 4914111dcaf1257a9dd3f9f7a089de17c7dc6752 Mon Sep 17 00:00:00 2001
 From: Valentin Rothberg <vrothberg@suse.com>
 Date: Mon, 2 Jul 2018 13:37:34 +0200
-Subject: [PATCH 3/6] PRIVATE-REGISTRY: add private-registry mirror support
+Subject: [PATCH 3/5] PRIVATE-REGISTRY: add private-registry mirror support

 NOTE: This is a backport/downstream patch of the upstream pull-request
      for Moby, which is still subject to changes.  Please visit
@ -1142,5 +1142,5 @@ index 3e3a5b41ffbd..451a6f874bc1 100644
 
 	endpoints = []APIEndpoint{
 -- 
-2.33.0
+2.33.1

--- a/0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+++ b/0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
@ -1,7 +1,7 @@
-From 41a72d2a2d835de1e806a5b316067ea933f665e2 Mon Sep 17 00:00:00 2001
+From 29779c3e010e387ef037e5ef9a33cf05a14c79ea Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Fri, 29 Jun 2018 17:59:30 +1000
-Subject: [PATCH 4/6] bsc1073877: apparmor: clobber docker-default profile on
+Subject: [PATCH 4/5] bsc1073877: apparmor: clobber docker-default profile on
 start

 In the process of making docker-default reloading far less expensive,
@ -85,5 +85,5 @@ index 2a2fbbd52e19..0999ac3186b7 100644
 	}
 
 -- 
-2.33.0
+2.33.1

--- a/0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
+++ b/0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
@ -1,7 +1,7 @@
-From db0df8889ebc1aad3613cf95803e4672dc8ce96a Mon Sep 17 00:00:00 2001
+From a6aa2a591d31f43e01ba29abdf73658b34fded49 Mon Sep 17 00:00:00 2001
 From: Michal Rostecki <mrostecki@opensuse.org>
 Date: Thu, 8 Apr 2021 14:42:02 +0100
-Subject: [PATCH 5/6] bsc1183855: btrfs: Do not disable quota on cleanup
+Subject: [PATCH 5/5] bsc1183855: btrfs: Do not disable quota on cleanup

 Before this change, cleanup of the btrfs driver (occuring on each daemon
 shutdown) resulted in disabling quotas. It was done with an assumption
@ -140,5 +140,5 @@ index 8fd2854a2673..32c4f07c620d 100644
 			}
 			if err := subvolLimitQgroup(dir, size); err != nil {
 -- 
-2.33.0
+2.33.1

--- a/0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch
+++ b/0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch
@ -1,195 +0,0 @@
-From 9cc9665d00293bdff2420a4db49278bc7bb9ed72 Mon Sep 17 00:00:00 2001
-From: Tianon Gravi <admwiggin@gmail.com>
-Date: Thu, 9 Sep 2021 11:31:30 -0700
-Subject: [PATCH 6/6] bsc1190670: seccomp: add support for "clone3" syscall in
- default policy
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This is a backport of 9f6b562dd12ef7b1f9e2f8e6f2ab6477790a6594, adapted to avoid the refactoring that happened in d92739713c633c155c0f3d8065c8278b1d8a44e7.
-
-Original commit message is as follows:
-
-> If no seccomp policy is requested, then the built-in default policy in
-> dockerd applies. This has no rule for "clone3" defined, nor any default
-> errno defined. So when runc receives the config it attempts to determine
-> a default errno, using logic defined in its commit:
->
->   opencontainers/runc@7a8d716
->
-> As explained in the above commit message, runc uses a heuristic to
-> decide which errno to return by default:
->
-> [quote]
->   The solution applied here is to prepend a "stub" filter which returns
->   -ENOSYS if the requested syscall has a larger syscall number than any
->   syscall mentioned in the filter. The reason for this specific rule is
->   that syscall numbers are (roughly) allocated sequentially and thus newer
->   syscalls will (usually) have a larger syscall number -- thus causing our
->   filters to produce -ENOSYS if the filter was written before the syscall
->   existed.
-> [/quote]
->
-> Unfortunately clone3 appears to one of the edge cases that does not
-> result in use of ENOSYS, instead ending up with the historical EPERM
-> errno.
->
-> Latest glibc (2.33.9000, in Fedora 35 rawhide) will attempt to use
-> clone3 by default. If it sees ENOSYS then it will automatically
-> fallback to using clone. Any other errno is treated as a fatal
-> error. Thus when docker seccomp policy triggers EPERM from clone3,
-> no fallback occurs and programs are thus unable to spawn threads.
->
-> The clone3 syscall is much more complicated than clone, most notably its
-> flags are not exposed as a directly argument any more. Instead they are
-> hidden inside a struct. This means that seccomp filters are unable to
-> apply policy based on values seen in flags. Thus we can't directly
-> replicate the current "clone" filtering for "clone3". We can at least
-> ensure "clone3" returns ENOSYS errno, to trigger fallback to "clone"
-> at which point we can filter on flags.
-
-SUSE-Bugs: bsc#1190670
-Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
-Co-authored-by: Daniel P. Berrangé <berrange@redhat.com>
-Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
---
- profiles/seccomp/default.json     | 16 ++++++++++++++++
- profiles/seccomp/default_linux.go | 13 +++++++++++++
- profiles/seccomp/seccomp.go       |  1 +
- profiles/seccomp/seccomp_linux.go | 28 ++++++++++++----------------
- 4 files changed, 42 insertions(+), 16 deletions(-)
-
-diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
-index 4213799ddb5c..ee5e04f781a8 100644
--- a/profiles/seccomp/default.json
-+++ b/profiles/seccomp/default.json
-@@ -591,6 +591,7 @@
- 			"names": [
- 				"bpf",
- 				"clone",
-+				"clone3",
- 				"fanotify_init",
- 				"fsconfig",
- 				"fsmount",
-@@ -670,6 +671,21 @@
- 				]
- 			}
- 		},
-+		{
-+			"names": [
-+				"clone3"
-+			],
-+			"action": "SCMP_ACT_ERRNO",
-+			"errnoRet": 38,
-+			"args": [],
-+			"comment": "",
-+			"includes": {},
-+			"excludes": {
-+				"caps": [
-+					"CAP_SYS_ADMIN"
-+				]
-+			}
-+		},
- 		{
- 			"names": [
- 				"reboot"
-diff --git a/profiles/seccomp/default_linux.go b/profiles/seccomp/default_linux.go
-index 879eb88c64f1..fb593f336f7a 100644
--- a/profiles/seccomp/default_linux.go
-+++ b/profiles/seccomp/default_linux.go
-@@ -42,6 +42,7 @@ func arches() []Architecture {
- 
- // DefaultProfile defines the allowed syscalls for the default seccomp profile.
- func DefaultProfile() *Seccomp {
-+	nosys := uint(unix.ENOSYS)
- 	syscalls := []*Syscall{
- 		{
- 			Names: []string{
-@@ -522,6 +523,7 @@ func DefaultProfile() *Seccomp {
- 			Names: []string{
- 				"bpf",
- 				"clone",
-+				"clone3",
- 				"fanotify_init",
- 				"fsconfig",
- 				"fsmount",
-@@ -587,6 +589,17 @@ func DefaultProfile() *Seccomp {
- 				Caps: []string{"CAP_SYS_ADMIN"},
- 			},
- 		},
-+		{
-+			Names: []string{
-+				"clone3",
-+			},
-+			Action:   specs.ActErrno,
-+			ErrnoRet: &nosys,
-+			Args:     []*specs.LinuxSeccompArg{},
-+			Excludes: Filter{
-+				Caps: []string{"CAP_SYS_ADMIN"},
-+			},
-+		},
- 		{
- 			Names: []string{
- 				"reboot",
-diff --git a/profiles/seccomp/seccomp.go b/profiles/seccomp/seccomp.go
-index d2a21cddc4b2..9edec72db546 100644
--- a/profiles/seccomp/seccomp.go
-+++ b/profiles/seccomp/seccomp.go
-@@ -45,6 +45,7 @@ type Syscall struct {
- 	Name     string                   `json:"name,omitempty"`
- 	Names    []string                 `json:"names,omitempty"`
- 	Action   specs.LinuxSeccompAction `json:"action"`
-+	ErrnoRet *uint                    `json:"errnoRet,omitempty"`
- 	Args     []*specs.LinuxSeccompArg `json:"args"`
- 	Comment  string                   `json:"comment"`
- 	Includes Filter                   `json:"includes"`
-diff --git a/profiles/seccomp/seccomp_linux.go b/profiles/seccomp/seccomp_linux.go
-index 566f173acd3a..e35e242cd500 100644
--- a/profiles/seccomp/seccomp_linux.go
-+++ b/profiles/seccomp/seccomp_linux.go
-@@ -150,29 +150,25 @@ Loop:
- 			}
- 		}
- 
-+		newCall := specs.LinuxSyscall{
-+			Action:   call.Action,
-+			ErrnoRet: call.ErrnoRet,
-+		}
- 		if call.Name != "" && len(call.Names) != 0 {
- 			return nil, errors.New("'name' and 'names' were specified in the seccomp profile, use either 'name' or 'names'")
- 		}
-
- 		if call.Name != "" {
-			newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall([]string{call.Name}, call.Action, call.Args))
-+			newCall.Names = []string{call.Name}
- 		} else {
-			newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(call.Names, call.Action, call.Args))
-+			newCall.Names = call.Names
-+		}
-+		// Loop through all the arguments of the syscall and convert them
-+		for _, arg := range call.Args {
-+			newCall.Args = append(newCall.Args, *arg)
- 		}
-	}
-
-	return newConfig, nil
-}
- 
-func createSpecsSyscall(names []string, action specs.LinuxSeccompAction, args []*specs.LinuxSeccompArg) specs.LinuxSyscall {
-	newCall := specs.LinuxSyscall{
-		Names:  names,
-		Action: action,
-+		newConfig.Syscalls = append(newConfig.Syscalls, newCall)
- 	}
- 
-	// Loop through all the arguments of the syscall and convert them
-	for _, arg := range args {
-		newCall.Args = append(newCall.Args, *arg)
-	}
-	return newCall
-+	return newConfig, nil
- }
-- 
-2.33.0
-
--- a/8
+++ b/8
@ -3,16 +3,16 @@
    <param name="url">https://github.com/moby/moby.git</param>
    <param name="scm">git</param>
    <param name="exclude">.git</param>
-    <param name="versionformat">20.10.9_ce_%h</param>
-    <param name="revision">v20.10.9</param>
+    <param name="versionformat">20.10.11_ce_%h</param>
+    <param name="revision">v20.10.11</param>
    <param name="filename">docker</param>
  </service>
  <service name="tar_scm" mode="disabled">
    <param name="url">https://github.com/docker/cli.git</param>
    <param name="scm">git</param>
    <param name="exclude">.git</param>
-    <param name="versionformat">20.10.9_ce</param>
-    <param name="revision">v20.10.9</param>
+    <param name="versionformat">20.10.11_ce</param>
+    <param name="revision">v20.10.11</param>
    <param name="filename">docker-cli</param>
  </service>
  <service name="tar_scm" mode="disabled">
--- a/docker-20.10.11_ce_847da184ad50.tar.xz
+++ b/docker-20.10.11_ce_847da184ad50.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cf82151ca8fff00a1b4bea55ae44022faf2f8eab518ef979a9c6d6cffd9fb450
+size 6497200
--- a/docker-20.10.9_ce_79ea9d308018.tar.xz
+++ b/docker-20.10.9_ce_79ea9d308018.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c1428dd0f94fa001b1e4c46c3db89dbd66d209c678fc6f5d21d2f7799b4701a1
-size 6491984
--- a/docker-cli-20.10.11_ce.tar.xz
+++ b/docker-cli-20.10.11_ce.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7820570e1249dc498ef2580c6bf647bd720de27938c82acdcec0bcf90c6af4f8
+size 4272896
--- a/docker-cli-20.10.9_ce.tar.xz
+++ b/docker-cli-20.10.9_ce.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1090b7ade21e0b7d717fc2d6c08882ec14c8ac12b54ff51f407262588555e7a0
-size 4272556
--- a/docker.changes
+++ b/docker.changes
@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Thu Nov 18 08:35:37 UTC 2021 - Aleksa Sarai <asarai@suse.com>
+
+- Update to Docker 20.10.11-ce. See upstream changelog in the packaged
+  /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1192814 CVE-2021-41190
+- Rebase patches:
+  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+  * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
+  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+  * 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
+- Remove upstreamed patches:
+  - 0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch
+
 -------------------------------------------------------------------
 Wed Oct  6 02:51:16 UTC 2021 - Aleksa Sarai <asarai@suse.com>

--- a/docker.spec
+++ b/docker.spec
@ -42,8 +42,8 @@
 # helpfully injects into our build environment from the changelog). If you want
 # to generate a new git_commit_epoch, use this:
 #  $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s'
-%define git_version 79ea9d308018
-%define git_commit_epoch 1632421578
+%define git_version 847da184ad50
+%define git_commit_epoch 1637194919

 # We require a specific pin of libnetwork because it doesn't really do
 # versioning and minor version mismatches in libnetwork can break Docker
@ -56,10 +56,10 @@
 %define proxy_builddir %{dist_builddir}/src/github.com/docker/libnetwork

 Name:           %{realname}%{name_suffix}
-Version:        20.10.9_ce
+Version:        20.10.11_ce
 # This "nice version" is so that docker --version gives a result that can be
 # parsed by other people. boo#1182476
-%define nice_version 20.10.9-ce
+%define nice_version 20.10.11-ce
 Release:        0
 Summary:        The Moby-project Linux container runtime
 License:        Apache-2.0
@ -94,8 +94,6 @@ Patch200:       0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
 Patch300:       0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
 # SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/42273. bsc#1183855 bsc#1175081
 Patch301:       0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
-# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/42836. bsc#1190670
-Patch302:       0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch
 BuildRequires:  audit
 BuildRequires:  bash-completion
 BuildRequires:  ca-certificates
@ -121,7 +119,7 @@ Provides:       docker-libnetwork%{name_suffix} = 0.7.0.2.%{version}
 # Required to actually run containers. We require the minimum version that is
 # pinned by Docker, but in order to avoid headaches we allow for updates.
 Requires:       runc >= 1.0.2
-Requires:       containerd >= 1.4.11
+Requires:       containerd >= 1.4.12
 # Needed for --init support. We don't use "tini", we use our own implementation
 # which handles edge-cases better.
 Requires:       catatonit
@ -264,8 +262,6 @@ docker container runtime configuration for kubeadm
 %patch300 -p1
 # bsc#1183855 bsc#1175081
 %patch301 -p1
-# bsc#1190670
-%patch302 -p1

 # README_SUSE.md for documentation.
 cp %{SOURCE103} .