From 97daa986c486384e6caf7dbba448ba14b57cfff2698327c5dad9112502366c11 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Fri, 19 Nov 2021 00:09:22 +0000 Subject: [PATCH] - Update to Docker 20.10.11-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1192814 CVE-2021-41190 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=365 --- ...llow-directory-creation-in-run-secre.patch | 25 ++- ...USE-implement-SUSE-container-secrets.patch | 6 +- ...-add-private-registry-mirror-support.patch | 6 +- ...mor-clobber-docker-default-profile-o.patch | 6 +- ...trfs-Do-not-disable-quota-on-cleanup.patch | 6 +- ...mp-add-support-for-clone3-syscall-in.patch | 195 ------------------ _service | 8 +- docker-20.10.11_ce_847da184ad50.tar.xz | 3 + docker-20.10.9_ce_79ea9d308018.tar.xz | 3 - docker-cli-20.10.11_ce.tar.xz | 3 + docker-cli-20.10.9_ce.tar.xz | 3 - docker.changes | 14 ++ docker.spec | 14 +- 13 files changed, 55 insertions(+), 237 deletions(-) delete mode 100644 0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch create mode 100644 docker-20.10.11_ce_847da184ad50.tar.xz delete mode 100644 docker-20.10.9_ce_79ea9d308018.tar.xz create mode 100644 docker-cli-20.10.11_ce.tar.xz delete mode 100644 docker-cli-20.10.9_ce.tar.xz diff --git a/0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch b/0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch index ffbad23..d837731 100644 --- a/0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch +++ b/0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch @@ -1,7 +1,7 @@ -From 44214e643a578dfec9f5898f9225ccf3ccbec419 Mon Sep 17 00:00:00 2001 +From f6170a9d05df85cc61f3e5373eceed61ef3d741e Mon Sep 17 00:00:00 2001 
From: Aleksa Sarai Date: Wed, 8 Mar 2017 12:41:54 +1100 -Subject: [PATCH 1/6] SECRETS: daemon: allow directory creation in /run/secrets +Subject: [PATCH 1/5] SECRETS: daemon: allow directory creation in /run/secrets Since FileMode can have the directory bit set, allow a SecretStore implementation to return secrets that are actually directories. This is @@ -10,22 +10,25 @@ useful for creating directories and subdirectories of secrets. Signed-off-by: Antonio Murdaca Signed-off-by: Aleksa Sarai --- - daemon/container_operations_unix.go | 24 +++++++++++++++++++++--- - 1 file changed, 21 insertions(+), 3 deletions(-) + daemon/container_operations_unix.go | 25 ++++++++++++++++++++++--- + 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go -index 1647df0ce7ba..4ea2efed241f 100644 +index 6a50b99bd29e..583db20aa459 100644 --- a/daemon/container_operations_unix.go +++ b/daemon/container_operations_unix.go -@@ -3,6 +3,7 @@ +@@ -1,8 +1,10 @@ ++//go:build linux || freebsd + // +build linux freebsd + package daemon // import "github.com/docker/docker/daemon" import ( + "bytes" - "context" "fmt" "io/ioutil" -@@ -14,6 +15,7 @@ import ( + "os" +@@ -12,6 +14,7 @@ import ( "github.com/docker/docker/container" "github.com/docker/docker/daemon/links" "github.com/docker/docker/errdefs" @@ -33,7 +36,7 @@ index 1647df0ce7ba..4ea2efed241f 100644 "github.com/docker/docker/pkg/idtools" "github.com/docker/docker/pkg/stringid" "github.com/docker/docker/pkg/system" -@@ -207,9 +209,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { +@@ -205,9 +208,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { if err != nil { return errors.Wrap(err, "unable to get secret from secret store") } 
@@ -43,7 +46,7 @@ index 1647df0ce7ba..4ea2efed241f 100644 uid, err := strconv.Atoi(s.File.UID) if err != nil { -@@ -220,6 +219,25 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { +@@ -218,6 +218,25 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { return err } @@ -70,5 +73,5 @@ index 1647df0ce7ba..4ea2efed241f 100644 return errors.Wrap(err, "error setting ownership for secret") } -- -2.33.0 +2.33.1 diff --git a/0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch b/0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch index c3ebcec..a5f2dec 100644 --- a/0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch +++ b/0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch @@ -1,7 +1,7 @@ -From 7202e34c5cf8e5c0816bfc610689e2f9d246d131 Mon Sep 17 00:00:00 2001 +From a28715c97b87152c41538b137f8ad49003db1756 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Wed, 8 Mar 2017 11:43:29 +1100 -Subject: [PATCH 2/6] SECRETS: SUSE: implement SUSE container secrets +Subject: [PATCH 2/5] SECRETS: SUSE: implement SUSE container secrets This allows for us to pass in host credentials to a container, allowing for SUSEConnect to work with containers. @@ -451,5 +451,5 @@ index 000000000000..9ee33adf7497 + return nil +} -- -2.33.0 +2.33.1 diff --git a/0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch b/0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch index 8ddab30..ce1c3cc 100644 --- a/0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch +++ b/0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch @@ -1,7 +1,7 @@ -From 0bb32212d07d21b0704ef3b3197fad118ae87e7f Mon Sep 17 00:00:00 2001 +From 4914111dcaf1257a9dd3f9f7a089de17c7dc6752 Mon Sep 17 00:00:00 2001 
From: Valentin Rothberg Date: Mon, 2 Jul 2018 13:37:34 +0200 -Subject: [PATCH 3/6] PRIVATE-REGISTRY: add private-registry mirror support +Subject: [PATCH 3/5] PRIVATE-REGISTRY: add private-registry mirror support NOTE: This is a backport/downstream patch of the upstream pull-request for Moby, which is still subject to changes. Please visit @@ -1142,5 +1142,5 @@ index 3e3a5b41ffbd..451a6f874bc1 100644 endpoints = []APIEndpoint{ -- -2.33.0 +2.33.1 diff --git a/0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch b/0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch index 986b605..d5851e2 100644 --- a/0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch +++ b/0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch @@ -1,7 +1,7 @@ -From 41a72d2a2d835de1e806a5b316067ea933f665e2 Mon Sep 17 00:00:00 2001 +From 29779c3e010e387ef037e5ef9a33cf05a14c79ea Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Fri, 29 Jun 2018 17:59:30 +1000 -Subject: [PATCH 4/6] bsc1073877: apparmor: clobber docker-default profile on +Subject: [PATCH 4/5] bsc1073877: apparmor: clobber docker-default profile on start In the process of making docker-default reloading far less expensive, @@ -85,5 +85,5 @@ index 2a2fbbd52e19..0999ac3186b7 100644 } -- -2.33.0 +2.33.1 diff --git a/0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch b/0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch index a43d5b9..8fb19a3 100644 --- a/0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch +++ b/0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch @@ -1,7 +1,7 @@ -From db0df8889ebc1aad3613cf95803e4672dc8ce96a Mon Sep 17 00:00:00 2001 +From a6aa2a591d31f43e01ba29abdf73658b34fded49 Mon Sep 17 00:00:00 2001 
From: Michal Rostecki Date: Thu, 8 Apr 2021 14:42:02 +0100 -Subject: [PATCH 5/6] bsc1183855: btrfs: Do not disable quota on cleanup +Subject: [PATCH 5/5] bsc1183855: btrfs: Do not disable quota on cleanup Before this change, cleanup of the btrfs driver (occuring on each daemon shutdown) resulted in disabling quotas. It was done with an assumption @@ -140,5 +140,5 @@ index 8fd2854a2673..32c4f07c620d 100644 } if err := subvolLimitQgroup(dir, size); err != nil { -- -2.33.0 +2.33.1 diff --git a/0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch b/0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch deleted file mode 100644 index dff5182..0000000 --- a/0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch +++ /dev/null 
@@ -1,195 +0,0 @@ -From 9cc9665d00293bdff2420a4db49278bc7bb9ed72 Mon Sep 17 00:00:00 2001 -From: Tianon Gravi -Date: Thu, 9 Sep 2021 11:31:30 -0700 -Subject: [PATCH 6/6] bsc1190670: seccomp: add support for "clone3" syscall in - default policy -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This is a backport of 9f6b562dd12ef7b1f9e2f8e6f2ab6477790a6594, adapted to avoid the refactoring that happened in d92739713c633c155c0f3d8065c8278b1d8a44e7. - -Original commit message is as follows: - -> If no seccomp policy is requested, then the built-in default policy in -> dockerd applies. This has no rule for "clone3" defined, nor any default -> errno defined. So when runc receives the config it attempts to determine -> a default errno, using logic defined in its commit: -> -> opencontainers/runc@7a8d716 -> -> As explained in the above commit message, runc uses a heuristic to -> decide which errno to return by default: -> -> [quote] -> The solution applied here is to prepend a "stub" filter which returns -> -ENOSYS if the requested syscall has a larger syscall number than any -> syscall mentioned in the filter. The reason for this specific rule is -> that syscall numbers are (roughly) allocated sequentially and thus newer -> syscalls will (usually) have a larger syscall number -- thus causing our -> filters to produce -ENOSYS if the filter was written before the syscall -> existed. -> [/quote] -> -> Unfortunately clone3 appears to one of the edge cases that does not -> result in use of ENOSYS, instead ending up with the historical EPERM -> errno. -> -> Latest glibc (2.33.9000, in Fedora 35 rawhide) will attempt to use -> clone3 by default. If it sees ENOSYS then it will automatically -> fallback to using clone. Any other errno is treated as a fatal -> error. Thus when docker seccomp policy triggers EPERM from clone3, -> no fallback occurs and programs are thus unable to spawn threads. 
-> -> The clone3 syscall is much more complicated than clone, most notably its -> flags are not exposed as a directly argument any more. Instead they are -> hidden inside a struct. This means that seccomp filters are unable to -> apply policy based on values seen in flags. Thus we can't directly -> replicate the current "clone" filtering for "clone3". We can at least -> ensure "clone3" returns ENOSYS errno, to trigger fallback to "clone" -> at which point we can filter on flags. - -SUSE-Bugs: bsc#1190670 -Signed-off-by: Tianon Gravi -Co-authored-by: Daniel P. Berrangé -Signed-off-by: Aleksa Sarai ---- - profiles/seccomp/default.json | 16 ++++++++++++++++ - profiles/seccomp/default_linux.go | 13 +++++++++++++ - profiles/seccomp/seccomp.go | 1 + - profiles/seccomp/seccomp_linux.go | 28 ++++++++++++---------------- - 4 files changed, 42 insertions(+), 16 deletions(-) - -diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json -index 4213799ddb5c..ee5e04f781a8 100644 ---- a/profiles/seccomp/default.json -+++ b/profiles/seccomp/default.json -@@ -591,6 +591,7 @@ - "names": [ - "bpf", - "clone", -+ "clone3", - "fanotify_init", - "fsconfig", - "fsmount", -@@ -670,6 +671,21 @@ - ] - } - }, -+ { -+ "names": [ -+ "clone3" -+ ], -+ "action": "SCMP_ACT_ERRNO", -+ "errnoRet": 38, -+ "args": [], -+ "comment": "", -+ "includes": {}, -+ "excludes": { -+ "caps": [ -+ "CAP_SYS_ADMIN" -+ ] -+ } -+ }, - { - "names": [ - "reboot" -diff --git a/profiles/seccomp/default_linux.go b/profiles/seccomp/default_linux.go -index 879eb88c64f1..fb593f336f7a 100644 ---- a/profiles/seccomp/default_linux.go -+++ b/profiles/seccomp/default_linux.go -@@ -42,6 +42,7 @@ func arches() []Architecture { - - // DefaultProfile defines the allowed syscalls for the default seccomp profile. 
- func DefaultProfile() *Seccomp { -+ nosys := uint(unix.ENOSYS) - syscalls := []*Syscall{ - { - Names: []string{ -@@ -522,6 +523,7 @@ func DefaultProfile() *Seccomp { - Names: []string{ - "bpf", - "clone", -+ "clone3", - "fanotify_init", - "fsconfig", - "fsmount", -@@ -587,6 +589,17 @@ func DefaultProfile() *Seccomp { - Caps: []string{"CAP_SYS_ADMIN"}, - }, - }, -+ { -+ Names: []string{ -+ "clone3", -+ }, -+ Action: specs.ActErrno, -+ ErrnoRet: &nosys, -+ Args: []*specs.LinuxSeccompArg{}, -+ Excludes: Filter{ -+ Caps: []string{"CAP_SYS_ADMIN"}, -+ }, -+ }, - { - Names: []string{ - "reboot", -diff --git a/profiles/seccomp/seccomp.go b/profiles/seccomp/seccomp.go -index d2a21cddc4b2..9edec72db546 100644 ---- a/profiles/seccomp/seccomp.go -+++ b/profiles/seccomp/seccomp.go -@@ -45,6 +45,7 @@ type Syscall struct { - Name string `json:"name,omitempty"` - Names []string `json:"names,omitempty"` - Action specs.LinuxSeccompAction `json:"action"` -+ ErrnoRet *uint `json:"errnoRet,omitempty"` - Args []*specs.LinuxSeccompArg `json:"args"` - Comment string `json:"comment"` - Includes Filter `json:"includes"` -diff --git a/profiles/seccomp/seccomp_linux.go b/profiles/seccomp/seccomp_linux.go -index 566f173acd3a..e35e242cd500 100644 ---- a/profiles/seccomp/seccomp_linux.go -+++ b/profiles/seccomp/seccomp_linux.go -@@ -150,29 +150,25 @@ Loop: - } - } - -+ newCall := specs.LinuxSyscall{ -+ Action: call.Action, -+ ErrnoRet: call.ErrnoRet, -+ } - if call.Name != "" && len(call.Names) != 0 { - return nil, errors.New("'name' and 'names' were specified in the seccomp profile, use either 'name' or 'names'") - } -- - if call.Name != "" { -- newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall([]string{call.Name}, call.Action, call.Args)) -+ newCall.Names = []string{call.Name} - } else { -- newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(call.Names, call.Action, call.Args)) -+ newCall.Names = call.Names -+ } -+ // Loop through all the arguments of the 
syscall and convert them -+ for _, arg := range call.Args { -+ newCall.Args = append(newCall.Args, *arg) - } -- } -- -- return newConfig, nil --} - --func createSpecsSyscall(names []string, action specs.LinuxSeccompAction, args []*specs.LinuxSeccompArg) specs.LinuxSyscall { -- newCall := specs.LinuxSyscall{ -- Names: names, -- Action: action, -+ newConfig.Syscalls = append(newConfig.Syscalls, newCall) - } - -- // Loop through all the arguments of the syscall and convert them -- for _, arg := range args { -- newCall.Args = append(newCall.Args, *arg) -- } -- return newCall -+ return newConfig, nil - } --- -2.33.0 - diff --git a/_service b/_service index e581df4..f8342e6 100644 --- a/_service +++ b/_service @@ -3,16 +3,16 @@ https://github.com/moby/moby.git git .git - 20.10.9_ce_%h - v20.10.9 + 20.10.11_ce_%h + v20.10.11 docker https://github.com/docker/cli.git git .git - 20.10.9_ce - v20.10.9 + 20.10.11_ce + v20.10.11 docker-cli diff --git a/docker-20.10.11_ce_847da184ad50.tar.xz b/docker-20.10.11_ce_847da184ad50.tar.xz new file mode 100644 index 0000000..2b09880 --- /dev/null +++ b/docker-20.10.11_ce_847da184ad50.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cf82151ca8fff00a1b4bea55ae44022faf2f8eab518ef979a9c6d6cffd9fb450 +size 6497200 diff --git a/docker-20.10.9_ce_79ea9d308018.tar.xz b/docker-20.10.9_ce_79ea9d308018.tar.xz deleted file mode 100644 index ec9d404..0000000 --- a/docker-20.10.9_ce_79ea9d308018.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:c1428dd0f94fa001b1e4c46c3db89dbd66d209c678fc6f5d21d2f7799b4701a1 -size 6491984 diff --git a/docker-cli-20.10.11_ce.tar.xz b/docker-cli-20.10.11_ce.tar.xz new file mode 100644 index 0000000..7908515 --- /dev/null +++ b/docker-cli-20.10.11_ce.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7820570e1249dc498ef2580c6bf647bd720de27938c82acdcec0bcf90c6af4f8 +size 4272896 
diff --git a/docker-cli-20.10.9_ce.tar.xz b/docker-cli-20.10.9_ce.tar.xz deleted file mode 100644 index e485731..0000000 --- a/docker-cli-20.10.9_ce.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:1090b7ade21e0b7d717fc2d6c08882ec14c8ac12b54ff51f407262588555e7a0 -size 4272556 diff --git a/docker.changes b/docker.changes index bae338f..3bec76a 100644 --- a/docker.changes +++ b/docker.changes @@ -1,3 +1,17 @@ +------------------------------------------------------------------- +Thu Nov 18 08:35:37 UTC 2021 - Aleksa Sarai + +- Update to Docker 20.10.11-ce. See upstream changelog in the packaged + /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1192814 CVE-2021-41190 +- Rebase patches: + * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch + * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch + * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch + * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch + * 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch +- Remove upstreamed patches: + - 0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch + ------------------------------------------------------------------- Wed Oct 6 02:51:16 UTC 2021 - Aleksa Sarai diff --git a/docker.spec b/docker.spec index cf60bd2..1feb8d4 100644 --- a/docker.spec +++ b/docker.spec @@ -42,8 +42,8 @@ # helpfully injects into our build environment from the changelog). If you want # to generate a new git_commit_epoch, use this: # $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s' -%define git_version 79ea9d308018 -%define git_commit_epoch 1632421578 +%define git_version 847da184ad50 +%define git_commit_epoch 1637194919 # We require a specific pin of libnetwork because it doesn't really do # versioning and minor version mismatches in libnetwork can break Docker 
@@ -56,10 +56,10 @@ %define proxy_builddir %{dist_builddir}/src/github.com/docker/libnetwork Name: %{realname}%{name_suffix} -Version: 20.10.9_ce +Version: 20.10.11_ce # This "nice version" is so that docker --version gives a result that can be # parsed by other people. boo#1182476 -%define nice_version 20.10.9-ce +%define nice_version 20.10.11-ce Release: 0 Summary: The Moby-project Linux container runtime License: Apache-2.0 @@ -94,8 +94,6 @@ Patch200: 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch Patch300: 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch # SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/42273. bsc#1183855 bsc#1175081 Patch301: 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch -# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/42836. bsc#1190670 -Patch302: 0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch BuildRequires: audit BuildRequires: bash-completion BuildRequires: ca-certificates @@ -121,7 +119,7 @@ Provides: docker-libnetwork%{name_suffix} = 0.7.0.2.%{version} # Required to actually run containers. We require the minimum version that is # pinned by Docker, but in order to avoid headaches we allow for updates. Requires: runc >= 1.0.2 -Requires: containerd >= 1.4.11 +Requires: containerd >= 1.4.12 # Needed for --init support. We don't use "tini", we use our own implementation # which handles edge-cases better. Requires: catatonit @@ -264,8 +262,6 @@ docker container runtime configuration for kubeadm %patch300 -p1 # bsc#1183855 bsc#1175081 %patch301 -p1 -# bsc#1190670 -%patch302 -p1 # README_SUSE.md for documentation. cp %{SOURCE103} .
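Review bot: The raised dependency floor `Requires: containerd >= 1.4.12` in the `@@ -121,7 +119,7 @@` hunk of docker.spec is not recorded in the docker.changes entry this commit adds, which lists only the Docker update, the rebased patches and the dropped 0006 patch. The comment directly above that line says the floor follows the version pinned by Docker, so a bullet such as `- Bump containerd requirement to >= 1.4.12 to match the version pinned by Docker 20.10.11.` in the changelog would let packagers and auditors see why the runtime requirement moved alongside the bsc#1192814 / CVE-2021-41190 update. If the bump was made because 1.4.12 carries a companion fix for that CVE on the containerd side, stating so in the same bullet would make the security rationale traceable; the diff itself does not show the reason, so the wording should claim only what the pin establishes. The spec file continues outside these hunks.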