- Update to Docker 20.10.11-ce. See upstream changelog in the packaged

/usr/share/doc/packages/docker/CHANGELOG.md. bsc#1192814 CVE-2021-41190

OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=365
This commit is contained in:
Aleksa Sarai 2021-11-19 00:09:22 +00:00 committed by Git OBS Bridge
parent a222574549
commit 97daa986c4
13 changed files with 55 additions and 237 deletions

View File

@ -1,7 +1,7 @@
From 44214e643a578dfec9f5898f9225ccf3ccbec419 Mon Sep 17 00:00:00 2001
From f6170a9d05df85cc61f3e5373eceed61ef3d741e Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 8 Mar 2017 12:41:54 +1100
Subject: [PATCH 1/6] SECRETS: daemon: allow directory creation in /run/secrets
Subject: [PATCH 1/5] SECRETS: daemon: allow directory creation in /run/secrets
Since FileMode can have the directory bit set, allow a SecretStore
implementation to return secrets that are actually directories. This is
@ -10,22 +10,25 @@ useful for creating directories and subdirectories of secrets.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
daemon/container_operations_unix.go | 24 +++++++++++++++++++++---
1 file changed, 21 insertions(+), 3 deletions(-)
daemon/container_operations_unix.go | 25 ++++++++++++++++++++++---
1 file changed, 22 insertions(+), 3 deletions(-)
diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
index 1647df0ce7ba..4ea2efed241f 100644
index 6a50b99bd29e..583db20aa459 100644
--- a/daemon/container_operations_unix.go
+++ b/daemon/container_operations_unix.go
@@ -3,6 +3,7 @@
@@ -1,8 +1,10 @@
+//go:build linux || freebsd
// +build linux freebsd
package daemon // import "github.com/docker/docker/daemon"
import (
+ "bytes"
"context"
"fmt"
"io/ioutil"
@@ -14,6 +15,7 @@ import (
"os"
@@ -12,6 +14,7 @@ import (
"github.com/docker/docker/container"
"github.com/docker/docker/daemon/links"
"github.com/docker/docker/errdefs"
@ -33,7 +36,7 @@ index 1647df0ce7ba..4ea2efed241f 100644
"github.com/docker/docker/pkg/idtools"
"github.com/docker/docker/pkg/stringid"
"github.com/docker/docker/pkg/system"
@@ -207,9 +209,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
@@ -205,9 +208,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
if err != nil {
return errors.Wrap(err, "unable to get secret from secret store")
}
@ -43,7 +46,7 @@ index 1647df0ce7ba..4ea2efed241f 100644
uid, err := strconv.Atoi(s.File.UID)
if err != nil {
@@ -220,6 +219,25 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
@@ -218,6 +218,25 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
return err
}
@ -70,5 +73,5 @@ index 1647df0ce7ba..4ea2efed241f 100644
return errors.Wrap(err, "error setting ownership for secret")
}
--
2.33.0
2.33.1

View File

@ -1,7 +1,7 @@
From 7202e34c5cf8e5c0816bfc610689e2f9d246d131 Mon Sep 17 00:00:00 2001
From a28715c97b87152c41538b137f8ad49003db1756 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 8 Mar 2017 11:43:29 +1100
Subject: [PATCH 2/6] SECRETS: SUSE: implement SUSE container secrets
Subject: [PATCH 2/5] SECRETS: SUSE: implement SUSE container secrets
This allows for us to pass in host credentials to a container, allowing
for SUSEConnect to work with containers.
@ -451,5 +451,5 @@ index 000000000000..9ee33adf7497
+ return nil
+}
--
2.33.0
2.33.1

View File

@ -1,7 +1,7 @@
From 0bb32212d07d21b0704ef3b3197fad118ae87e7f Mon Sep 17 00:00:00 2001
From 4914111dcaf1257a9dd3f9f7a089de17c7dc6752 Mon Sep 17 00:00:00 2001
From: Valentin Rothberg <vrothberg@suse.com>
Date: Mon, 2 Jul 2018 13:37:34 +0200
Subject: [PATCH 3/6] PRIVATE-REGISTRY: add private-registry mirror support
Subject: [PATCH 3/5] PRIVATE-REGISTRY: add private-registry mirror support
NOTE: This is a backport/downstream patch of the upstream pull-request
for Moby, which is still subject to changes. Please visit
@ -1142,5 +1142,5 @@ index 3e3a5b41ffbd..451a6f874bc1 100644
endpoints = []APIEndpoint{
--
2.33.0
2.33.1

View File

@ -1,7 +1,7 @@
From 41a72d2a2d835de1e806a5b316067ea933f665e2 Mon Sep 17 00:00:00 2001
From 29779c3e010e387ef037e5ef9a33cf05a14c79ea Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Fri, 29 Jun 2018 17:59:30 +1000
Subject: [PATCH 4/6] bsc1073877: apparmor: clobber docker-default profile on
Subject: [PATCH 4/5] bsc1073877: apparmor: clobber docker-default profile on
start
In the process of making docker-default reloading far less expensive,
@ -85,5 +85,5 @@ index 2a2fbbd52e19..0999ac3186b7 100644
}
--
2.33.0
2.33.1

View File

@ -1,7 +1,7 @@
From db0df8889ebc1aad3613cf95803e4672dc8ce96a Mon Sep 17 00:00:00 2001
From a6aa2a591d31f43e01ba29abdf73658b34fded49 Mon Sep 17 00:00:00 2001
From: Michal Rostecki <mrostecki@opensuse.org>
Date: Thu, 8 Apr 2021 14:42:02 +0100
Subject: [PATCH 5/6] bsc1183855: btrfs: Do not disable quota on cleanup
Subject: [PATCH 5/5] bsc1183855: btrfs: Do not disable quota on cleanup
Before this change, cleanup of the btrfs driver (occuring on each daemon
shutdown) resulted in disabling quotas. It was done with an assumption
@ -140,5 +140,5 @@ index 8fd2854a2673..32c4f07c620d 100644
}
if err := subvolLimitQgroup(dir, size); err != nil {
--
2.33.0
2.33.1

View File

@ -1,195 +0,0 @@
From 9cc9665d00293bdff2420a4db49278bc7bb9ed72 Mon Sep 17 00:00:00 2001
From: Tianon Gravi <admwiggin@gmail.com>
Date: Thu, 9 Sep 2021 11:31:30 -0700
Subject: [PATCH 6/6] bsc1190670: seccomp: add support for "clone3" syscall in
default policy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is a backport of 9f6b562dd12ef7b1f9e2f8e6f2ab6477790a6594, adapted to avoid the refactoring that happened in d92739713c633c155c0f3d8065c8278b1d8a44e7.
Original commit message is as follows:
> If no seccomp policy is requested, then the built-in default policy in
> dockerd applies. This has no rule for "clone3" defined, nor any default
> errno defined. So when runc receives the config it attempts to determine
> a default errno, using logic defined in its commit:
>
> opencontainers/runc@7a8d716
>
> As explained in the above commit message, runc uses a heuristic to
> decide which errno to return by default:
>
> [quote]
> The solution applied here is to prepend a "stub" filter which returns
> -ENOSYS if the requested syscall has a larger syscall number than any
> syscall mentioned in the filter. The reason for this specific rule is
> that syscall numbers are (roughly) allocated sequentially and thus newer
> syscalls will (usually) have a larger syscall number -- thus causing our
> filters to produce -ENOSYS if the filter was written before the syscall
> existed.
> [/quote]
>
> Unfortunately clone3 appears to one of the edge cases that does not
> result in use of ENOSYS, instead ending up with the historical EPERM
> errno.
>
> Latest glibc (2.33.9000, in Fedora 35 rawhide) will attempt to use
> clone3 by default. If it sees ENOSYS then it will automatically
> fallback to using clone. Any other errno is treated as a fatal
> error. Thus when docker seccomp policy triggers EPERM from clone3,
> no fallback occurs and programs are thus unable to spawn threads.
>
> The clone3 syscall is much more complicated than clone, most notably its
> flags are not exposed as a directly argument any more. Instead they are
> hidden inside a struct. This means that seccomp filters are unable to
> apply policy based on values seen in flags. Thus we can't directly
> replicate the current "clone" filtering for "clone3". We can at least
> ensure "clone3" returns ENOSYS errno, to trigger fallback to "clone"
> at which point we can filter on flags.
SUSE-Bugs: bsc#1190670
Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
Co-authored-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
---
profiles/seccomp/default.json | 16 ++++++++++++++++
profiles/seccomp/default_linux.go | 13 +++++++++++++
profiles/seccomp/seccomp.go | 1 +
profiles/seccomp/seccomp_linux.go | 28 ++++++++++++----------------
4 files changed, 42 insertions(+), 16 deletions(-)
diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
index 4213799ddb5c..ee5e04f781a8 100644
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@@ -591,6 +591,7 @@
"names": [
"bpf",
"clone",
+ "clone3",
"fanotify_init",
"fsconfig",
"fsmount",
@@ -670,6 +671,21 @@
]
}
},
+ {
+ "names": [
+ "clone3"
+ ],
+ "action": "SCMP_ACT_ERRNO",
+ "errnoRet": 38,
+ "args": [],
+ "comment": "",
+ "includes": {},
+ "excludes": {
+ "caps": [
+ "CAP_SYS_ADMIN"
+ ]
+ }
+ },
{
"names": [
"reboot"
diff --git a/profiles/seccomp/default_linux.go b/profiles/seccomp/default_linux.go
index 879eb88c64f1..fb593f336f7a 100644
--- a/profiles/seccomp/default_linux.go
+++ b/profiles/seccomp/default_linux.go
@@ -42,6 +42,7 @@ func arches() []Architecture {
// DefaultProfile defines the allowed syscalls for the default seccomp profile.
func DefaultProfile() *Seccomp {
+ nosys := uint(unix.ENOSYS)
syscalls := []*Syscall{
{
Names: []string{
@@ -522,6 +523,7 @@ func DefaultProfile() *Seccomp {
Names: []string{
"bpf",
"clone",
+ "clone3",
"fanotify_init",
"fsconfig",
"fsmount",
@@ -587,6 +589,17 @@ func DefaultProfile() *Seccomp {
Caps: []string{"CAP_SYS_ADMIN"},
},
},
+ {
+ Names: []string{
+ "clone3",
+ },
+ Action: specs.ActErrno,
+ ErrnoRet: &nosys,
+ Args: []*specs.LinuxSeccompArg{},
+ Excludes: Filter{
+ Caps: []string{"CAP_SYS_ADMIN"},
+ },
+ },
{
Names: []string{
"reboot",
diff --git a/profiles/seccomp/seccomp.go b/profiles/seccomp/seccomp.go
index d2a21cddc4b2..9edec72db546 100644
--- a/profiles/seccomp/seccomp.go
+++ b/profiles/seccomp/seccomp.go
@@ -45,6 +45,7 @@ type Syscall struct {
Name string `json:"name,omitempty"`
Names []string `json:"names,omitempty"`
Action specs.LinuxSeccompAction `json:"action"`
+ ErrnoRet *uint `json:"errnoRet,omitempty"`
Args []*specs.LinuxSeccompArg `json:"args"`
Comment string `json:"comment"`
Includes Filter `json:"includes"`
diff --git a/profiles/seccomp/seccomp_linux.go b/profiles/seccomp/seccomp_linux.go
index 566f173acd3a..e35e242cd500 100644
--- a/profiles/seccomp/seccomp_linux.go
+++ b/profiles/seccomp/seccomp_linux.go
@@ -150,29 +150,25 @@ Loop:
}
}
+ newCall := specs.LinuxSyscall{
+ Action: call.Action,
+ ErrnoRet: call.ErrnoRet,
+ }
if call.Name != "" && len(call.Names) != 0 {
return nil, errors.New("'name' and 'names' were specified in the seccomp profile, use either 'name' or 'names'")
}
-
if call.Name != "" {
- newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall([]string{call.Name}, call.Action, call.Args))
+ newCall.Names = []string{call.Name}
} else {
- newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(call.Names, call.Action, call.Args))
+ newCall.Names = call.Names
+ }
+ // Loop through all the arguments of the syscall and convert them
+ for _, arg := range call.Args {
+ newCall.Args = append(newCall.Args, *arg)
}
- }
-
- return newConfig, nil
-}
-func createSpecsSyscall(names []string, action specs.LinuxSeccompAction, args []*specs.LinuxSeccompArg) specs.LinuxSyscall {
- newCall := specs.LinuxSyscall{
- Names: names,
- Action: action,
+ newConfig.Syscalls = append(newConfig.Syscalls, newCall)
}
- // Loop through all the arguments of the syscall and convert them
- for _, arg := range args {
- newCall.Args = append(newCall.Args, *arg)
- }
- return newCall
+ return newConfig, nil
}
--
2.33.0

View File

@ -3,16 +3,16 @@
<param name="url">https://github.com/moby/moby.git</param>
<param name="scm">git</param>
<param name="exclude">.git</param>
<param name="versionformat">20.10.9_ce_%h</param>
<param name="revision">v20.10.9</param>
<param name="versionformat">20.10.11_ce_%h</param>
<param name="revision">v20.10.11</param>
<param name="filename">docker</param>
</service>
<service name="tar_scm" mode="disabled">
<param name="url">https://github.com/docker/cli.git</param>
<param name="scm">git</param>
<param name="exclude">.git</param>
<param name="versionformat">20.10.9_ce</param>
<param name="revision">v20.10.9</param>
<param name="versionformat">20.10.11_ce</param>
<param name="revision">v20.10.11</param>
<param name="filename">docker-cli</param>
</service>
<service name="tar_scm" mode="disabled">

View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:cf82151ca8fff00a1b4bea55ae44022faf2f8eab518ef979a9c6d6cffd9fb450
size 6497200

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c1428dd0f94fa001b1e4c46c3db89dbd66d209c678fc6f5d21d2f7799b4701a1
size 6491984

View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:7820570e1249dc498ef2580c6bf647bd720de27938c82acdcec0bcf90c6af4f8
size 4272896

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:1090b7ade21e0b7d717fc2d6c08882ec14c8ac12b54ff51f407262588555e7a0
size 4272556

View File

@ -1,3 +1,17 @@
-------------------------------------------------------------------
Thu Nov 18 08:35:37 UTC 2021 - Aleksa Sarai <asarai@suse.com>
- Update to Docker 20.10.11-ce. See upstream changelog in the packaged
/usr/share/doc/packages/docker/CHANGELOG.md. bsc#1192814 CVE-2021-41190
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
- Remove upstreamed patches:
- 0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch
-------------------------------------------------------------------
Wed Oct 6 02:51:16 UTC 2021 - Aleksa Sarai <asarai@suse.com>

View File

@ -42,8 +42,8 @@
# helpfully injects into our build environment from the changelog). If you want
# to generate a new git_commit_epoch, use this:
# $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s'
%define git_version 79ea9d308018
%define git_commit_epoch 1632421578
%define git_version 847da184ad50
%define git_commit_epoch 1637194919
# We require a specific pin of libnetwork because it doesn't really do
# versioning and minor version mismatches in libnetwork can break Docker
@ -56,10 +56,10 @@
%define proxy_builddir %{dist_builddir}/src/github.com/docker/libnetwork
Name: %{realname}%{name_suffix}
Version: 20.10.9_ce
Version: 20.10.11_ce
# This "nice version" is so that docker --version gives a result that can be
# parsed by other people. boo#1182476
%define nice_version 20.10.9-ce
%define nice_version 20.10.11-ce
Release: 0
Summary: The Moby-project Linux container runtime
License: Apache-2.0
@ -94,8 +94,6 @@ Patch200: 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
Patch300: 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/42273. bsc#1183855 bsc#1175081
Patch301: 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/42836. bsc#1190670
Patch302: 0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch
BuildRequires: audit
BuildRequires: bash-completion
BuildRequires: ca-certificates
@ -121,7 +119,7 @@ Provides: docker-libnetwork%{name_suffix} = 0.7.0.2.%{version}
# Required to actually run containers. We require the minimum version that is
# pinned by Docker, but in order to avoid headaches we allow for updates.
Requires: runc >= 1.0.2
Requires: containerd >= 1.4.11
Requires: containerd >= 1.4.12
# Needed for --init support. We don't use "tini", we use our own implementation
# which handles edge-cases better.
Requires: catatonit
@ -264,8 +262,6 @@ docker container runtime configuration for kubeadm
%patch300 -p1
# bsc#1183855 bsc#1175081
%patch301 -p1
# bsc#1190670
%patch302 -p1
# README_SUSE.md for documentation.
cp %{SOURCE103} .