Accepting request 932375 from Virtualization:containers

- Update to Docker 20.10.11-ce. See upstream changelog in the packaged
  /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1192814 CVE-2021-41190
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
- Remove upstreamed patches:
  - 0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch

OBS-URL: https://build.opensuse.org/request/show/932375
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/docker?expand=0&rev=116
This commit is contained in:
Dominique Leuenberger 2021-11-22 22:03:43 +00:00 committed by Git OBS Bridge
commit af6c523a8a
13 changed files with 55 additions and 237 deletions

View File

@ -1,7 +1,7 @@
From 44214e643a578dfec9f5898f9225ccf3ccbec419 Mon Sep 17 00:00:00 2001 From f6170a9d05df85cc61f3e5373eceed61ef3d741e Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de> From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 8 Mar 2017 12:41:54 +1100 Date: Wed, 8 Mar 2017 12:41:54 +1100
Subject: [PATCH 1/6] SECRETS: daemon: allow directory creation in /run/secrets Subject: [PATCH 1/5] SECRETS: daemon: allow directory creation in /run/secrets
Since FileMode can have the directory bit set, allow a SecretStore Since FileMode can have the directory bit set, allow a SecretStore
implementation to return secrets that are actually directories. This is implementation to return secrets that are actually directories. This is
@ -10,22 +10,25 @@ useful for creating directories and subdirectories of secrets.
Signed-off-by: Antonio Murdaca <runcom@redhat.com> Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de> Signed-off-by: Aleksa Sarai <asarai@suse.de>
--- ---
daemon/container_operations_unix.go | 24 +++++++++++++++++++++--- daemon/container_operations_unix.go | 25 ++++++++++++++++++++++---
1 file changed, 21 insertions(+), 3 deletions(-) 1 file changed, 22 insertions(+), 3 deletions(-)
diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
index 1647df0ce7ba..4ea2efed241f 100644 index 6a50b99bd29e..583db20aa459 100644
--- a/daemon/container_operations_unix.go --- a/daemon/container_operations_unix.go
+++ b/daemon/container_operations_unix.go +++ b/daemon/container_operations_unix.go
@@ -3,6 +3,7 @@ @@ -1,8 +1,10 @@
+//go:build linux || freebsd
// +build linux freebsd
package daemon // import "github.com/docker/docker/daemon" package daemon // import "github.com/docker/docker/daemon"
import ( import (
+ "bytes" + "bytes"
"context"
"fmt" "fmt"
"io/ioutil" "io/ioutil"
@@ -14,6 +15,7 @@ import ( "os"
@@ -12,6 +14,7 @@ import (
"github.com/docker/docker/container" "github.com/docker/docker/container"
"github.com/docker/docker/daemon/links" "github.com/docker/docker/daemon/links"
"github.com/docker/docker/errdefs" "github.com/docker/docker/errdefs"
@ -33,7 +36,7 @@ index 1647df0ce7ba..4ea2efed241f 100644
"github.com/docker/docker/pkg/idtools" "github.com/docker/docker/pkg/idtools"
"github.com/docker/docker/pkg/stringid" "github.com/docker/docker/pkg/stringid"
"github.com/docker/docker/pkg/system" "github.com/docker/docker/pkg/system"
@@ -207,9 +209,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { @@ -205,9 +208,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
if err != nil { if err != nil {
return errors.Wrap(err, "unable to get secret from secret store") return errors.Wrap(err, "unable to get secret from secret store")
} }
@ -43,7 +46,7 @@ index 1647df0ce7ba..4ea2efed241f 100644
uid, err := strconv.Atoi(s.File.UID) uid, err := strconv.Atoi(s.File.UID)
if err != nil { if err != nil {
@@ -220,6 +219,25 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { @@ -218,6 +218,25 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
return err return err
} }
@ -70,5 +73,5 @@ index 1647df0ce7ba..4ea2efed241f 100644
return errors.Wrap(err, "error setting ownership for secret") return errors.Wrap(err, "error setting ownership for secret")
} }
-- --
2.33.0 2.33.1

View File

@ -1,7 +1,7 @@
From 7202e34c5cf8e5c0816bfc610689e2f9d246d131 Mon Sep 17 00:00:00 2001 From a28715c97b87152c41538b137f8ad49003db1756 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de> From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 8 Mar 2017 11:43:29 +1100 Date: Wed, 8 Mar 2017 11:43:29 +1100
Subject: [PATCH 2/6] SECRETS: SUSE: implement SUSE container secrets Subject: [PATCH 2/5] SECRETS: SUSE: implement SUSE container secrets
This allows for us to pass in host credentials to a container, allowing This allows for us to pass in host credentials to a container, allowing
for SUSEConnect to work with containers. for SUSEConnect to work with containers.
@ -451,5 +451,5 @@ index 000000000000..9ee33adf7497
+ return nil + return nil
+} +}
-- --
2.33.0 2.33.1

View File

@ -1,7 +1,7 @@
From 0bb32212d07d21b0704ef3b3197fad118ae87e7f Mon Sep 17 00:00:00 2001 From 4914111dcaf1257a9dd3f9f7a089de17c7dc6752 Mon Sep 17 00:00:00 2001
From: Valentin Rothberg <vrothberg@suse.com> From: Valentin Rothberg <vrothberg@suse.com>
Date: Mon, 2 Jul 2018 13:37:34 +0200 Date: Mon, 2 Jul 2018 13:37:34 +0200
Subject: [PATCH 3/6] PRIVATE-REGISTRY: add private-registry mirror support Subject: [PATCH 3/5] PRIVATE-REGISTRY: add private-registry mirror support
NOTE: This is a backport/downstream patch of the upstream pull-request NOTE: This is a backport/downstream patch of the upstream pull-request
for Moby, which is still subject to changes. Please visit for Moby, which is still subject to changes. Please visit
@ -1142,5 +1142,5 @@ index 3e3a5b41ffbd..451a6f874bc1 100644
endpoints = []APIEndpoint{ endpoints = []APIEndpoint{
-- --
2.33.0 2.33.1

View File

@ -1,7 +1,7 @@
From 41a72d2a2d835de1e806a5b316067ea933f665e2 Mon Sep 17 00:00:00 2001 From 29779c3e010e387ef037e5ef9a33cf05a14c79ea Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de> From: Aleksa Sarai <asarai@suse.de>
Date: Fri, 29 Jun 2018 17:59:30 +1000 Date: Fri, 29 Jun 2018 17:59:30 +1000
Subject: [PATCH 4/6] bsc1073877: apparmor: clobber docker-default profile on Subject: [PATCH 4/5] bsc1073877: apparmor: clobber docker-default profile on
start start
In the process of making docker-default reloading far less expensive, In the process of making docker-default reloading far less expensive,
@ -85,5 +85,5 @@ index 2a2fbbd52e19..0999ac3186b7 100644
} }
-- --
2.33.0 2.33.1

View File

@ -1,7 +1,7 @@
From db0df8889ebc1aad3613cf95803e4672dc8ce96a Mon Sep 17 00:00:00 2001 From a6aa2a591d31f43e01ba29abdf73658b34fded49 Mon Sep 17 00:00:00 2001
From: Michal Rostecki <mrostecki@opensuse.org> From: Michal Rostecki <mrostecki@opensuse.org>
Date: Thu, 8 Apr 2021 14:42:02 +0100 Date: Thu, 8 Apr 2021 14:42:02 +0100
Subject: [PATCH 5/6] bsc1183855: btrfs: Do not disable quota on cleanup Subject: [PATCH 5/5] bsc1183855: btrfs: Do not disable quota on cleanup
Before this change, cleanup of the btrfs driver (occuring on each daemon Before this change, cleanup of the btrfs driver (occuring on each daemon
shutdown) resulted in disabling quotas. It was done with an assumption shutdown) resulted in disabling quotas. It was done with an assumption
@ -140,5 +140,5 @@ index 8fd2854a2673..32c4f07c620d 100644
} }
if err := subvolLimitQgroup(dir, size); err != nil { if err := subvolLimitQgroup(dir, size); err != nil {
-- --
2.33.0 2.33.1

View File

@ -1,195 +0,0 @@
From 9cc9665d00293bdff2420a4db49278bc7bb9ed72 Mon Sep 17 00:00:00 2001
From: Tianon Gravi <admwiggin@gmail.com>
Date: Thu, 9 Sep 2021 11:31:30 -0700
Subject: [PATCH 6/6] bsc1190670: seccomp: add support for "clone3" syscall in
default policy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is a backport of 9f6b562dd12ef7b1f9e2f8e6f2ab6477790a6594, adapted to avoid the refactoring that happened in d92739713c633c155c0f3d8065c8278b1d8a44e7.
Original commit message is as follows:
> If no seccomp policy is requested, then the built-in default policy in
> dockerd applies. This has no rule for "clone3" defined, nor any default
> errno defined. So when runc receives the config it attempts to determine
> a default errno, using logic defined in its commit:
>
> opencontainers/runc@7a8d716
>
> As explained in the above commit message, runc uses a heuristic to
> decide which errno to return by default:
>
> [quote]
> The solution applied here is to prepend a "stub" filter which returns
> -ENOSYS if the requested syscall has a larger syscall number than any
> syscall mentioned in the filter. The reason for this specific rule is
> that syscall numbers are (roughly) allocated sequentially and thus newer
> syscalls will (usually) have a larger syscall number -- thus causing our
> filters to produce -ENOSYS if the filter was written before the syscall
> existed.
> [/quote]
>
> Unfortunately clone3 appears to one of the edge cases that does not
> result in use of ENOSYS, instead ending up with the historical EPERM
> errno.
>
> Latest glibc (2.33.9000, in Fedora 35 rawhide) will attempt to use
> clone3 by default. If it sees ENOSYS then it will automatically
> fallback to using clone. Any other errno is treated as a fatal
> error. Thus when docker seccomp policy triggers EPERM from clone3,
> no fallback occurs and programs are thus unable to spawn threads.
>
> The clone3 syscall is much more complicated than clone, most notably its
> flags are not exposed as a directly argument any more. Instead they are
> hidden inside a struct. This means that seccomp filters are unable to
> apply policy based on values seen in flags. Thus we can't directly
> replicate the current "clone" filtering for "clone3". We can at least
> ensure "clone3" returns ENOSYS errno, to trigger fallback to "clone"
> at which point we can filter on flags.
SUSE-Bugs: bsc#1190670
Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
Co-authored-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
---
profiles/seccomp/default.json | 16 ++++++++++++++++
profiles/seccomp/default_linux.go | 13 +++++++++++++
profiles/seccomp/seccomp.go | 1 +
profiles/seccomp/seccomp_linux.go | 28 ++++++++++++----------------
4 files changed, 42 insertions(+), 16 deletions(-)
diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
index 4213799ddb5c..ee5e04f781a8 100644
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@@ -591,6 +591,7 @@
"names": [
"bpf",
"clone",
+ "clone3",
"fanotify_init",
"fsconfig",
"fsmount",
@@ -670,6 +671,21 @@
]
}
},
+ {
+ "names": [
+ "clone3"
+ ],
+ "action": "SCMP_ACT_ERRNO",
+ "errnoRet": 38,
+ "args": [],
+ "comment": "",
+ "includes": {},
+ "excludes": {
+ "caps": [
+ "CAP_SYS_ADMIN"
+ ]
+ }
+ },
{
"names": [
"reboot"
diff --git a/profiles/seccomp/default_linux.go b/profiles/seccomp/default_linux.go
index 879eb88c64f1..fb593f336f7a 100644
--- a/profiles/seccomp/default_linux.go
+++ b/profiles/seccomp/default_linux.go
@@ -42,6 +42,7 @@ func arches() []Architecture {
// DefaultProfile defines the allowed syscalls for the default seccomp profile.
func DefaultProfile() *Seccomp {
+ nosys := uint(unix.ENOSYS)
syscalls := []*Syscall{
{
Names: []string{
@@ -522,6 +523,7 @@ func DefaultProfile() *Seccomp {
Names: []string{
"bpf",
"clone",
+ "clone3",
"fanotify_init",
"fsconfig",
"fsmount",
@@ -587,6 +589,17 @@ func DefaultProfile() *Seccomp {
Caps: []string{"CAP_SYS_ADMIN"},
},
},
+ {
+ Names: []string{
+ "clone3",
+ },
+ Action: specs.ActErrno,
+ ErrnoRet: &nosys,
+ Args: []*specs.LinuxSeccompArg{},
+ Excludes: Filter{
+ Caps: []string{"CAP_SYS_ADMIN"},
+ },
+ },
{
Names: []string{
"reboot",
diff --git a/profiles/seccomp/seccomp.go b/profiles/seccomp/seccomp.go
index d2a21cddc4b2..9edec72db546 100644
--- a/profiles/seccomp/seccomp.go
+++ b/profiles/seccomp/seccomp.go
@@ -45,6 +45,7 @@ type Syscall struct {
Name string `json:"name,omitempty"`
Names []string `json:"names,omitempty"`
Action specs.LinuxSeccompAction `json:"action"`
+ ErrnoRet *uint `json:"errnoRet,omitempty"`
Args []*specs.LinuxSeccompArg `json:"args"`
Comment string `json:"comment"`
Includes Filter `json:"includes"`
diff --git a/profiles/seccomp/seccomp_linux.go b/profiles/seccomp/seccomp_linux.go
index 566f173acd3a..e35e242cd500 100644
--- a/profiles/seccomp/seccomp_linux.go
+++ b/profiles/seccomp/seccomp_linux.go
@@ -150,29 +150,25 @@ Loop:
}
}
+ newCall := specs.LinuxSyscall{
+ Action: call.Action,
+ ErrnoRet: call.ErrnoRet,
+ }
if call.Name != "" && len(call.Names) != 0 {
return nil, errors.New("'name' and 'names' were specified in the seccomp profile, use either 'name' or 'names'")
}
-
if call.Name != "" {
- newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall([]string{call.Name}, call.Action, call.Args))
+ newCall.Names = []string{call.Name}
} else {
- newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(call.Names, call.Action, call.Args))
+ newCall.Names = call.Names
+ }
+ // Loop through all the arguments of the syscall and convert them
+ for _, arg := range call.Args {
+ newCall.Args = append(newCall.Args, *arg)
}
- }
-
- return newConfig, nil
-}
-func createSpecsSyscall(names []string, action specs.LinuxSeccompAction, args []*specs.LinuxSeccompArg) specs.LinuxSyscall {
- newCall := specs.LinuxSyscall{
- Names: names,
- Action: action,
+ newConfig.Syscalls = append(newConfig.Syscalls, newCall)
}
- // Loop through all the arguments of the syscall and convert them
- for _, arg := range args {
- newCall.Args = append(newCall.Args, *arg)
- }
- return newCall
+ return newConfig, nil
}
--
2.33.0

View File

@ -3,16 +3,16 @@
<param name="url">https://github.com/moby/moby.git</param> <param name="url">https://github.com/moby/moby.git</param>
<param name="scm">git</param> <param name="scm">git</param>
<param name="exclude">.git</param> <param name="exclude">.git</param>
<param name="versionformat">20.10.9_ce_%h</param> <param name="versionformat">20.10.11_ce_%h</param>
<param name="revision">v20.10.9</param> <param name="revision">v20.10.11</param>
<param name="filename">docker</param> <param name="filename">docker</param>
</service> </service>
<service name="tar_scm" mode="disabled"> <service name="tar_scm" mode="disabled">
<param name="url">https://github.com/docker/cli.git</param> <param name="url">https://github.com/docker/cli.git</param>
<param name="scm">git</param> <param name="scm">git</param>
<param name="exclude">.git</param> <param name="exclude">.git</param>
<param name="versionformat">20.10.9_ce</param> <param name="versionformat">20.10.11_ce</param>
<param name="revision">v20.10.9</param> <param name="revision">v20.10.11</param>
<param name="filename">docker-cli</param> <param name="filename">docker-cli</param>
</service> </service>
<service name="tar_scm" mode="disabled"> <service name="tar_scm" mode="disabled">

View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:cf82151ca8fff00a1b4bea55ae44022faf2f8eab518ef979a9c6d6cffd9fb450
size 6497200

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c1428dd0f94fa001b1e4c46c3db89dbd66d209c678fc6f5d21d2f7799b4701a1
size 6491984

View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:7820570e1249dc498ef2580c6bf647bd720de27938c82acdcec0bcf90c6af4f8
size 4272896

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:1090b7ade21e0b7d717fc2d6c08882ec14c8ac12b54ff51f407262588555e7a0
size 4272556

View File

@ -1,3 +1,17 @@
-------------------------------------------------------------------
Thu Nov 18 08:35:37 UTC 2021 - Aleksa Sarai <asarai@suse.com>
- Update to Docker 20.10.11-ce. See upstream changelog in the packaged
/usr/share/doc/packages/docker/CHANGELOG.md. bsc#1192814 CVE-2021-41190
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
- Remove upstreamed patches:
- 0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Oct 6 02:51:16 UTC 2021 - Aleksa Sarai <asarai@suse.com> Wed Oct 6 02:51:16 UTC 2021 - Aleksa Sarai <asarai@suse.com>

View File

@ -42,8 +42,8 @@
# helpfully injects into our build environment from the changelog). If you want # helpfully injects into our build environment from the changelog). If you want
# to generate a new git_commit_epoch, use this: # to generate a new git_commit_epoch, use this:
# $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s' # $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s'
%define git_version 79ea9d308018 %define git_version 847da184ad50
%define git_commit_epoch 1632421578 %define git_commit_epoch 1637194919
# We require a specific pin of libnetwork because it doesn't really do # We require a specific pin of libnetwork because it doesn't really do
# versioning and minor version mismatches in libnetwork can break Docker # versioning and minor version mismatches in libnetwork can break Docker
@ -56,10 +56,10 @@
%define proxy_builddir %{dist_builddir}/src/github.com/docker/libnetwork %define proxy_builddir %{dist_builddir}/src/github.com/docker/libnetwork
Name: %{realname}%{name_suffix} Name: %{realname}%{name_suffix}
Version: 20.10.9_ce Version: 20.10.11_ce
# This "nice version" is so that docker --version gives a result that can be # This "nice version" is so that docker --version gives a result that can be
# parsed by other people. boo#1182476 # parsed by other people. boo#1182476
%define nice_version 20.10.9-ce %define nice_version 20.10.11-ce
Release: 0 Release: 0
Summary: The Moby-project Linux container runtime Summary: The Moby-project Linux container runtime
License: Apache-2.0 License: Apache-2.0
@ -94,8 +94,6 @@ Patch200: 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
Patch300: 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch Patch300: 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/42273. bsc#1183855 bsc#1175081 # SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/42273. bsc#1183855 bsc#1175081
Patch301: 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch Patch301: 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/42836. bsc#1190670
Patch302: 0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch
BuildRequires: audit BuildRequires: audit
BuildRequires: bash-completion BuildRequires: bash-completion
BuildRequires: ca-certificates BuildRequires: ca-certificates
@ -121,7 +119,7 @@ Provides: docker-libnetwork%{name_suffix} = 0.7.0.2.%{version}
# Required to actually run containers. We require the minimum version that is # Required to actually run containers. We require the minimum version that is
# pinned by Docker, but in order to avoid headaches we allow for updates. # pinned by Docker, but in order to avoid headaches we allow for updates.
Requires: runc >= 1.0.2 Requires: runc >= 1.0.2
Requires: containerd >= 1.4.11 Requires: containerd >= 1.4.12
# Needed for --init support. We don't use "tini", we use our own implementation # Needed for --init support. We don't use "tini", we use our own implementation
# which handles edge-cases better. # which handles edge-cases better.
Requires: catatonit Requires: catatonit
@ -264,8 +262,6 @@ docker container runtime configuration for kubeadm
%patch300 -p1 %patch300 -p1
# bsc#1183855 bsc#1175081 # bsc#1183855 bsc#1175081
%patch301 -p1 %patch301 -p1
# bsc#1190670
%patch302 -p1
# README_SUSE.md for documentation. # README_SUSE.md for documentation.
cp %{SOURCE103} . cp %{SOURCE103} .