From 1a94d9d340e77f6a888fab3f4825f14c22bf851ffdb5b897caba4b7d9da5e144 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Thu, 26 Sep 2019 15:15:16 +0000 Subject: [PATCH 1/6] Accepting request 733478 from home:cyphar:containers:maint - Add backported fix for CVE-2019-16884. + CVE-2019-16884.patch - Add runc-rpmlintrc to drop runc-test rpmlint warnings. OBS-URL: https://build.opensuse.org/request/show/733478 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=76 --- CVE-2019-16884.patch | 195 +++++++++++++++++++++++++++++++++++++++++++ runc-rpmlintrc | 2 + runc.changes | 7 ++ runc.spec | 5 ++ 4 files changed, 209 insertions(+) create mode 100644 CVE-2019-16884.patch create mode 100644 runc-rpmlintrc diff --git a/CVE-2019-16884.patch b/CVE-2019-16884.patch new file mode 100644 index 0000000..14d309f --- /dev/null +++ b/CVE-2019-16884.patch 
@@ -0,0 +1,195 @@ +From 331692baa7afdf6c186f8667cb0e6362ea0802b3 Mon Sep 17 00:00:00 2001 +From: Michael Crosby +Date: Mon, 23 Sep 2019 16:45:45 -0400 +Subject: [PATCH] Only allow proc mount if it is procfs + +Fixes #2128 + +This allows proc to be bind mounted for host and rootless namespace usecases but +it removes the ability to mount over the top of proc with a directory. + +```bash +> sudo docker run --rm apparmor +docker: Error response from daemon: OCI runtime create failed: +container_linux.go:346: starting container process caused "process_linux.go:449: +container init caused \"rootfs_linux.go:58: mounting +\\\"/var/lib/docker/volumes/aae28ea068c33d60e64d1a75916cf3ec2dc3634f97571854c9ed30c8401460c1/_data\\\" +to rootfs +\\\"/var/lib/docker/overlay2/a6be5ae911bf19f8eecb23a295dec85be9a8ee8da66e9fb55b47c841d1e381b7/merged\\\" +at \\\"/proc\\\" caused +\\\"\\\\\\\"/var/lib/docker/overlay2/a6be5ae911bf19f8eecb23a295dec85be9a8ee8da66e9fb55b47c841d1e381b7/merged/proc\\\\\\\" +cannot be mounted because it is not of type proc\\\"\"": unknown. + +> sudo docker run --rm -v /proc:/proc apparmor + +docker-default (enforce) root 18989 0.9 0.0 1288 4 ? 
+Ss 16:47 0:00 sleep 20 +``` + +Signed-off-by: Michael Crosby +--- + libcontainer/container_linux.go | 4 +-- + libcontainer/rootfs_linux.go | 50 +++++++++++++++++++++++-------- + libcontainer/rootfs_linux_test.go | 8 ++--- + 3 files changed, 43 insertions(+), 19 deletions(-) + +diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go +index 092792040f5b..6ff4d96a5f55 100644 +--- a/libcontainer/container_linux.go ++++ b/libcontainer/container_linux.go +@@ -19,7 +19,7 @@ import ( + "syscall" // only for SysProcAttr and Signal + "time" + +- "github.com/cyphar/filepath-securejoin" ++ securejoin "github.com/cyphar/filepath-securejoin" + "github.com/opencontainers/runc/libcontainer/cgroups" + "github.com/opencontainers/runc/libcontainer/configs" + "github.com/opencontainers/runc/libcontainer/intelrdt" +@@ -1176,7 +1176,7 @@ func (c *linuxContainer) makeCriuRestoreMountpoints(m *configs.Mount) error { + if err != nil { + return err + } +- if err := checkMountDestination(c.config.Rootfs, dest); err != nil { ++ if err := checkProcMount(c.config.Rootfs, dest, ""); err != nil { + return err + } + m.Destination = dest +diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go +index 1513c1d94b63..10888b499beb 100644 +--- a/libcontainer/rootfs_linux.go ++++ b/libcontainer/rootfs_linux.go +@@ -13,7 +13,7 @@ import ( + "strings" + "time" + +- "github.com/cyphar/filepath-securejoin" ++ securejoin "github.com/cyphar/filepath-securejoin" + "github.com/mrunalp/fileutils" + "github.com/opencontainers/runc/libcontainer/cgroups" + "github.com/opencontainers/runc/libcontainer/configs" +@@ -197,7 +197,7 @@ func prepareBindMount(m *configs.Mount, rootfs string) error { + if dest, err = securejoin.SecureJoin(rootfs, m.Destination); err != nil { + return err + } +- if err := checkMountDestination(rootfs, dest); err != nil { ++ if err := checkProcMount(rootfs, dest, m.Source); err != nil { + return err + } + // update the mount with the correct dest after 
symlinks are resolved. +@@ -414,7 +414,7 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b + if dest, err = securejoin.SecureJoin(rootfs, m.Destination); err != nil { + return err + } +- if err := checkMountDestination(rootfs, dest); err != nil { ++ if err := checkProcMount(rootfs, dest, m.Source); err != nil { + return err + } + // update the mount with the correct dest after symlinks are resolved. +@@ -461,12 +461,12 @@ func getCgroupMounts(m *configs.Mount) ([]*configs.Mount, error) { + return binds, nil + } + +-// checkMountDestination checks to ensure that the mount destination is not over the top of /proc. ++// checkProcMount checks to ensure that the mount destination is not over the top of /proc. + // dest is required to be an abs path and have any symlinks resolved before calling this function. +-func checkMountDestination(rootfs, dest string) error { +- invalidDestinations := []string{ +- "/proc", +- } ++// ++// if source is nil, don't stat the filesystem. This is used for restore of a checkpoint. ++func checkProcMount(rootfs, dest, source string) error { ++ const procPath = "/proc" + // White list, it should be sub directories of invalid destinations + validDestinations := []string{ + // These entries can be bind mounted by files emulated by fuse, +@@ -489,16 +489,40 @@ func checkMountDestination(rootfs, dest string) error { + return nil + } + } +- for _, invalid := range invalidDestinations { +- path, err := filepath.Rel(filepath.Join(rootfs, invalid), dest) ++ path, err := filepath.Rel(filepath.Join(rootfs, procPath), dest) ++ if err != nil { ++ return err ++ } ++ // pass if the mount path is located outside of /proc ++ if strings.HasPrefix(path, "..") { ++ return nil ++ } ++ if path == "." 
{ ++ // an empty source is pasted on restore ++ if source == "" { ++ return nil ++ } ++ // only allow a mount on-top of proc if it's source is "proc" ++ isproc, err := isProc(source) + if err != nil { + return err + } +- if path != "." && !strings.HasPrefix(path, "..") { +- return fmt.Errorf("%q cannot be mounted because it is located inside %q", dest, invalid) ++ // pass if the mount is happening on top of /proc and the source of ++ // the mount is a proc filesystem ++ if isproc { ++ return nil + } ++ return fmt.Errorf("%q cannot be mounted because it is not of type proc", dest) + } +- return nil ++ return fmt.Errorf("%q cannot be mounted because it is inside /proc", dest) ++} ++ ++func isProc(path string) (bool, error) { ++ var s unix.Statfs_t ++ if err := unix.Statfs(path, &s); err != nil { ++ return false, err ++ } ++ return s.Type == unix.PROC_SUPER_MAGIC, nil + } + + func setupDevSymlinks(rootfs string) error { +diff --git a/libcontainer/rootfs_linux_test.go b/libcontainer/rootfs_linux_test.go +index d755984bc0f9..1bfe7c663225 100644 +--- a/libcontainer/rootfs_linux_test.go ++++ b/libcontainer/rootfs_linux_test.go +@@ -10,7 +10,7 @@ import ( + + func TestCheckMountDestOnProc(t *testing.T) { + dest := "/rootfs/proc/sys" +- err := checkMountDestination("/rootfs", dest) ++ err := checkProcMount("/rootfs", dest, "") + if err == nil { + t.Fatal("destination inside proc should return an error") + } +@@ -18,7 +18,7 @@ func TestCheckMountDestOnProc(t *testing.T) { + + func TestCheckMountDestOnProcChroot(t *testing.T) { + dest := "/rootfs/proc/" +- err := checkMountDestination("/rootfs", dest) ++ err := checkProcMount("/rootfs", dest, "/proc") + if err != nil { + t.Fatal("destination inside proc when using chroot should not return an error") + } +@@ -26,7 +26,7 @@ func TestCheckMountDestOnProcChroot(t *testing.T) { + + func TestCheckMountDestInSys(t *testing.T) { + dest := "/rootfs//sys/fs/cgroup" +- err := checkMountDestination("/rootfs", dest) ++ err := 
checkProcMount("/rootfs", dest, "") + if err != nil { + t.Fatal("destination inside /sys should not return an error") + } +@@ -34,7 +34,7 @@ func TestCheckMountDestInSys(t *testing.T) { + + func TestCheckMountDestFalsePositive(t *testing.T) { + dest := "/rootfs/sysfiles/fs/cgroup" +- err := checkMountDestination("/rootfs", dest) ++ err := checkProcMount("/rootfs", dest, "") + if err != nil { + t.Fatal(err) + } +-- +2.23.0 + diff --git a/runc-rpmlintrc b/runc-rpmlintrc new file mode 100644 index 0000000..ca46b2b --- /dev/null +++ b/runc-rpmlintrc @@ -0,0 +1,2 @@ +# -test is something that is used internally and isn't actually shipped -- it's a pseudo-source package. +addFilter ("^runc(-kubic)?-test.*") diff --git a/runc.changes b/runc.changes index 6f47841..10ed360 100644 --- a/runc.changes +++ b/runc.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Thu Sep 26 14:54:07 UTC 2019 - Aleksa Sarai + +- Add backported fix for CVE-2019-16884. + + CVE-2019-16884.patch +- Add runc-rpmlintrc to drop runc-test rpmlint warnings. + ------------------------------------------------------------------- Mon Apr 29 11:56:21 UTC 2019 - Aleksa Sarai diff --git a/runc.spec b/runc.spec index c210651..8be01b7 100644 --- a/runc.spec +++ b/runc.spec @@ -50,6 +50,9 @@ Url: https://github.com/opencontainers/runc Source0: https://github.com/opencontainers/runc/releases/download/v%{_version}/runc.tar.xz#/runc-%{_version}.tar.xz Source1: https://github.com/opencontainers/runc/releases/download/v%{_version}/runc.tar.xz.asc#/runc-%{_version}.tar.xz.asc Source2: runc.keyring +Source3: runc-rpmlintrc +# FIX-UPSTREAM: Backport of https://github.com/opencontainers/runc/pull/2129. CVE-2019-16884 +Patch1: CVE-2019-16884.patch BuildRequires: fdupes BuildRequires: go-go-md2man BuildRequires: golang(API) = %{go_version} 
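Review bot: `isProc(source)` in `checkProcMount` is a path-based `unix.Statfs` performed before the mount itself, so what is at `source` can change between the check and the later mount; it is a best-effort guard against a plain directory being mounted over /proc rather than an atomic one, and a one-line comment saying so would stop a reader from treating it as a complete defence. The new doc comment says "if source is nil, don't stat the filesystem" while the parameter is a string compared against `""`; `// If source is "", the source filesystem is not stat'd (used when restoring a checkpoint).` matches the code. `TestCheckMountDestOnProcChroot` now passes `"/proc"` as the source, so that unit test depends on a real procfs being mounted at /proc in the build environment — worth confirming for the OBS build. The `mountToRootfs` and `makeCriuRestoreMountpoints` hunks inside the nested patch show only the call sites; their bodies are outside this hunk.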
@@ -84,6 +87,8 @@ Test package for runc. It contains the source code and the tests. %prep %setup -q -n %{name}-%{_version} +# CVE-2019-16884 +%patch1 -p1 %build # Do not use symlinks. If you want to run the unit tests for this package at From c0cf07af4274f1892e588f6edb8bbb4b76936da7ef845dad89dd2767a3bf7308 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Fri, 27 Sep 2019 03:17:22 +0000 Subject: [PATCH 2/6] Accepting request 733530 from home:cyphar:containers:maint Fix CVE patch. OBS-URL: https://build.opensuse.org/request/show/733530 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=77 --- CVE-2019-16884.patch | 155 ++++++++++++++++++++++++++++++++++--------- runc.spec | 10 +-- 2 files changed, 129 insertions(+), 36 deletions(-) diff --git a/CVE-2019-16884.patch b/CVE-2019-16884.patch index 14d309f..2831278 100644 --- a/CVE-2019-16884.patch +++ b/CVE-2019-16884.patch 
@@ -1,40 +1,79 @@ -From 331692baa7afdf6c186f8667cb0e6362ea0802b3 Mon Sep 17 00:00:00 2001 -From: Michael Crosby +From 6ce3791ce27128f8b4ae45323effa10953fa9904 Mon Sep 17 00:00:00 2001 +From: Aleksa Sarai Date: Mon, 23 Sep 2019 16:45:45 -0400 -Subject: [PATCH] Only allow proc mount if it is procfs +Subject: [PATCH] CVE-2019-16884 -Fixes #2128 +This patch includes a squash of the following upstream patches: -This allows proc to be bind mounted for host and rootless namespace usecases but -it removes the ability to mount over the top of proc with a directory. + * 331692baa7af ("Only allow proc mount if it is procfs") -```bash -> sudo docker run --rm apparmor -docker: Error response from daemon: OCI runtime create failed: -container_linux.go:346: starting container process caused "process_linux.go:449: -container init caused \"rootfs_linux.go:58: mounting -\\\"/var/lib/docker/volumes/aae28ea068c33d60e64d1a75916cf3ec2dc3634f97571854c9ed30c8401460c1/_data\\\" -to rootfs -\\\"/var/lib/docker/overlay2/a6be5ae911bf19f8eecb23a295dec85be9a8ee8da66e9fb55b47c841d1e381b7/merged\\\" -at \\\"/proc\\\" caused -\\\"\\\\\\\"/var/lib/docker/overlay2/a6be5ae911bf19f8eecb23a295dec85be9a8ee8da66e9fb55b47c841d1e381b7/merged/proc\\\\\\\" -cannot be mounted because it is not of type proc\\\"\"": unknown. +As well as the following still-in-review patches: -> sudo docker run --rm -v /proc:/proc apparmor - -docker-default (enforce) root 18989 0.9 0.0 1288 4 ? -Ss 16:47 0:00 sleep 20 -``` + * ("apparmor: verify that writes to /proc/... are on procfs") + * ("selinux: verify that writes to /proc/... are on procfs") 
Signed-off-by: Michael Crosby +Signed-off-by: Aleksa Sarai --- - libcontainer/container_linux.go | 4 +-- - libcontainer/rootfs_linux.go | 50 +++++++++++++++++++++++-------- - libcontainer/rootfs_linux_test.go | 8 ++--- - 3 files changed, 43 insertions(+), 19 deletions(-) + libcontainer/apparmor/apparmor.go | 18 ++++++- + libcontainer/container_linux.go | 4 +- + libcontainer/rootfs_linux.go | 50 ++++++++++++++----- + libcontainer/rootfs_linux_test.go | 8 +-- + .../selinux/go-selinux/selinux_linux.go | 20 ++++++++ + 5 files changed, 79 insertions(+), 21 deletions(-) +diff --git a/libcontainer/apparmor/apparmor.go b/libcontainer/apparmor/apparmor.go +index 7fff0627fa1b..3504b80d8643 100644 +--- a/libcontainer/apparmor/apparmor.go ++++ b/libcontainer/apparmor/apparmor.go +@@ -6,6 +6,8 @@ import ( + "fmt" + "io/ioutil" + "os" ++ ++ "golang.org/x/sys/unix" + ) + + // IsEnabled returns true if apparmor is enabled for the host. +@@ -19,7 +21,13 @@ func IsEnabled() bool { + return false + } + +-func setprocattr(attr, value string) error { ++func isProcHandle(fh *os.File) (bool, error) { ++ var buf unix.Statfs_t ++ err := unix.Fstatfs(int(fh.Fd()), &buf) ++ return buf.Type == unix.PROC_SUPER_MAGIC, err ++} ++ ++func setProcAttr(attr, value string) error { + // Under AppArmor you can only change your own attr, so use /proc/self/ + // instead of /proc// like libapparmor does + path := fmt.Sprintf("/proc/self/attr/%s", attr) +@@ -30,6 +38,12 @@ func setprocattr(attr, value string) error { + } + defer f.Close() + ++ if ok, err := isProcHandle(f); err != nil { ++ return err ++ } else if !ok { ++ return fmt.Errorf("/proc path not on procfs: %s", path) ++ } ++ + _, err = fmt.Fprintf(f, "%s", value) + return err + } +@@ -37,7 +51,7 @@ func setprocattr(attr, value string) error { + // changeOnExec reimplements aa_change_onexec from libapparmor in Go + func changeOnExec(name string) error { + value := "exec " + name +- if err := setprocattr("exec", value); err != nil { ++ if err := 
setProcAttr("exec", value); err != nil { + return fmt.Errorf("apparmor failed to apply profile: %s", err) + } + return nil diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go -index 092792040f5b..6ff4d96a5f55 100644 +index 7e58e5e00824..d51e35dffb93 100644 --- a/libcontainer/container_linux.go +++ b/libcontainer/container_linux.go @@ -19,7 +19,7 @@ import ( @@ -46,7 +85,7 @@ index 092792040f5b..6ff4d96a5f55 100644 "github.com/opencontainers/runc/libcontainer/cgroups" "github.com/opencontainers/runc/libcontainer/configs" "github.com/opencontainers/runc/libcontainer/intelrdt" -@@ -1176,7 +1176,7 @@ func (c *linuxContainer) makeCriuRestoreMountpoints(m *configs.Mount) error { +@@ -1160,7 +1160,7 @@ func (c *linuxContainer) makeCriuRestoreMountpoints(m *configs.Mount) error { if err != nil { return err } @@ -56,7 +95,7 @@ index 092792040f5b..6ff4d96a5f55 100644 } m.Destination = dest diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go -index 1513c1d94b63..10888b499beb 100644 +index f13b226e444e..5650b0acbca8 100644 --- a/libcontainer/rootfs_linux.go +++ b/libcontainer/rootfs_linux.go @@ -13,7 +13,7 @@ import ( @@ -77,7 +116,7 @@ index 1513c1d94b63..10888b499beb 100644 return err } // update the mount with the correct dest after symlinks are resolved. -@@ -414,7 +414,7 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b +@@ -388,7 +388,7 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b if dest, err = securejoin.SecureJoin(rootfs, m.Destination); err != nil { return err } @@ -86,7 +125,7 @@ index 1513c1d94b63..10888b499beb 100644 return err } // update the mount with the correct dest after symlinks are resolved. -@@ -461,12 +461,12 @@ func getCgroupMounts(m *configs.Mount) ([]*configs.Mount, error) { +@@ -435,12 +435,12 @@ func getCgroupMounts(m *configs.Mount) ([]*configs.Mount, error) { return binds, nil } 
@@ -104,7 +143,7 @@ index 1513c1d94b63..10888b499beb 100644 // White list, it should be sub directories of invalid destinations validDestinations := []string{ // These entries can be bind mounted by files emulated by fuse, -@@ -489,16 +489,40 @@ func checkMountDestination(rootfs, dest string) error { +@@ -463,16 +463,40 @@ func checkMountDestination(rootfs, dest string) error { return nil } } @@ -190,6 +229,58 @@ index d755984bc0f9..1bfe7c663225 100644 if err != nil { t.Fatal(err) } +diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go +index d7786c33c197..611df8f9b3b0 100644 +--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go ++++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go +@@ -18,6 +18,8 @@ import ( + "strings" + "sync" + "syscall" ++ ++ "golang.org/x/sys/unix" + ) + + const ( +@@ -252,6 +254,12 @@ func getSELinuxPolicyRoot() string { + return filepath.Join(selinuxDir, readConfig(selinuxTypeTag)) + } + ++func isProcHandle(fh *os.File) (bool, error) { ++ var buf unix.Statfs_t ++ err := unix.Fstatfs(int(fh.Fd()), &buf) ++ return buf.Type == unix.PROC_SUPER_MAGIC, err ++} ++ + func readCon(fpath string) (string, error) { + if fpath == "" { + return "", ErrEmptyPath +@@ -263,6 +271,12 @@ func readCon(fpath string) (string, error) { + } + defer in.Close() + ++ if ok, err := isProcHandle(in); err != nil { ++ return "", err ++ } else if !ok { ++ return "", fmt.Errorf("/proc path not on procfs: %s", fpath) ++ } ++ + var retval string + if _, err := fmt.Fscanf(in, "%s", &retval); err != nil { + return "", err +@@ -345,6 +359,12 @@ func writeCon(fpath string, val string) error { + } + defer out.Close() + ++ if ok, err := isProcHandle(out); err != nil { ++ return err ++ } else if !ok { ++ return fmt.Errorf("/proc path not on procfs: %s", fpath) ++ } ++ + if val != "" { + _, err = out.Write([]byte(val)) + } else { -- 2.23.0 
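Review bot: The `isProcHandle` gate added to `readCon` and `writeCon` in the vendored `selinux_linux.go` rejects every path that is not on procfs, so any caller that passes a non-/proc path (all callers are outside this hunk) would now fail with "/proc path not on procfs" — worth confirming against the package's call sites before shipping the backport. The check itself is in the right place: it uses `Fstatfs` on the already-opened handle rather than the path, so it does not have the check-then-mount window of the `Statfs`-based `isProc` in rootfs_linux.go. Because this edits a vendored copy, the change is lost on the next re-vendor; a note such as `# vendored go-selinux patched locally, drop once upstream PR 59 is in the vendored version` next to Patch1 in runc.spec would help the next maintainer.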
diff --git a/runc.spec b/runc.spec index 8be01b7..8511a50 100644 --- a/runc.spec +++ b/runc.spec @@ -51,7 +51,9 @@ Source0: https://github.com/opencontainers/runc/releases/download/v%{_ver Source1: https://github.com/opencontainers/runc/releases/download/v%{_version}/runc.tar.xz.asc#/runc-%{_version}.tar.xz.asc Source2: runc.keyring Source3: runc-rpmlintrc -# FIX-UPSTREAM: Backport of https://github.com/opencontainers/runc/pull/2129. CVE-2019-16884 +# FIX-UPSTREAM: Backport of https://github.com/opencontainers/runc/pull/2129. +# https://github.com/opencontainers/selinux/pull/59. +# https://github.com/opencontainers/runc/pull/2130. CVE-2019-16884 Patch1: CVE-2019-16884.patch BuildRequires: fdupes BuildRequires: go-go-md2man @@ -95,9 +97,9 @@ Test package for runc. It contains the source code and the tests. # some point during the build and you need to directly use go list directly it # will get confused by symlinks. export GOPATH=${HOME}/go -mkdir -pv $HOME/go/src/%project +mkdir -p $HOME/go/src/%project rm -rf $HOME/go/src/%project/* -cp -av * $HOME/go/src/%project +cp -a * $HOME/go/src/%project # Additionally enable seccomp. %if 0%{?with_libseccomp} @@ -118,7 +120,7 @@ EOF source ./.runc_build_env # Build runc. -make -C "$HOME/go/src/%project" EXTRA_FLAGS="-x $BUILDFLAGS" BUILDTAGS="$BUILDTAGS" COMMIT_NO="%{git_version}" runc +make -C "$HOME/go/src/%project" EXTRA_FLAGS="$BUILDFLAGS" BUILDTAGS="$BUILDTAGS" COMMIT_NO="%{git_version}" runc mv "$HOME/go/src/%project/runc" %{name}-%{version} # Build man pages, this can only be done on arches where we can build go-md2man. From 53bd0f13029b826a7c38c12c20c951ee29e7a78efcfd5be708e60b276db19403 Mon Sep 17 00:00:00 2001 
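Review bot: The `@@ -118,7 +120,7 @@` hunk drops `-x` from `EXTRA_FLAGS` and the `@@ -95,9 +97,9 @@` hunk drops `-v` from `mkdir`/`cp`, which are build-verbosity changes unrelated to the "Fix CVE patch" subject and not mentioned in runc.changes. They look harmless, but a separate commit or a changelog line such as `- Drop verbose build flags (-x/-v) from the spec.` would keep the CVE backport reviewable on its own.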
From: Aleksa Sarai Date: Fri, 27 Sep 2019 20:18:17 +0000 Subject: [PATCH 3/6] Accepting request 733753 from home:cyphar:containers:maint Add /proc/self/fd protections to CVE-2019-16884.patch. OBS-URL: https://build.opensuse.org/request/show/733753 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=78 --- CVE-2019-16884.patch | 110 ++++++++++++++++++++++++++++++++++--------- 1 file changed, 88 insertions(+), 22 deletions(-) diff --git a/CVE-2019-16884.patch b/CVE-2019-16884.patch index 2831278..0beee43 100644 --- a/CVE-2019-16884.patch +++ b/CVE-2019-16884.patch @@ -1,5 +1,5 @@ -From 6ce3791ce27128f8b4ae45323effa10953fa9904 Mon Sep 17 00:00:00 2001 -From: Aleksa Sarai +From 74e43887d1e124b78c6e29876cff65423b8a999a Mon Sep 17 00:00:00 2001 +From: Michael Crosby Date: Mon, 23 Sep 2019 16:45:45 -0400 Subject: [PATCH] CVE-2019-16884 @@ -9,21 +9,24 @@ This patch includes a squash of the following upstream patches: As well as the following still-in-review patches: - * ("apparmor: verify that writes to /proc/... are on procfs") - * ("selinux: verify that writes to /proc/... are on procfs") + * opencontainers/runc#2130: + ("*: verify that writes to /proc/... are on procfs") + * opencontainers/selinux#59: + ("selinux: verify that writes to /proc/... are on procfs") Signed-off-by: Michael Crosby Signed-off-by: Aleksa Sarai --- - libcontainer/apparmor/apparmor.go | 18 ++++++- + libcontainer/apparmor/apparmor.go | 12 ++++- libcontainer/container_linux.go | 4 +- libcontainer/rootfs_linux.go | 50 ++++++++++++++----- libcontainer/rootfs_linux_test.go | 8 +-- + libcontainer/utils/utils_unix.go | 41 +++++++++++---- .../selinux/go-selinux/selinux_linux.go | 20 ++++++++ - 5 files changed, 79 insertions(+), 21 deletions(-) + 6 files changed, 104 insertions(+), 31 deletions(-) diff --git a/libcontainer/apparmor/apparmor.go b/libcontainer/apparmor/apparmor.go -index 7fff0627fa1b..3504b80d8643 100644 +index 7fff0627fa1b..a482269141b6 100644 
--- a/libcontainer/apparmor/apparmor.go +++ b/libcontainer/apparmor/apparmor.go @@ -6,6 +6,8 @@ import ( @@ -31,39 +34,33 @@ index 7fff0627fa1b..3504b80d8643 100644 "io/ioutil" "os" + -+ "golang.org/x/sys/unix" ++ "github.com/opencontainers/runc/libcontainer/utils" ) // IsEnabled returns true if apparmor is enabled for the host. -@@ -19,7 +21,13 @@ func IsEnabled() bool { +@@ -19,7 +21,7 @@ func IsEnabled() bool { return false } -func setprocattr(attr, value string) error { -+func isProcHandle(fh *os.File) (bool, error) { -+ var buf unix.Statfs_t -+ err := unix.Fstatfs(int(fh.Fd()), &buf) -+ return buf.Type == unix.PROC_SUPER_MAGIC, err -+} -+ +func setProcAttr(attr, value string) error { // Under AppArmor you can only change your own attr, so use /proc/self/ // instead of /proc// like libapparmor does path := fmt.Sprintf("/proc/self/attr/%s", attr) -@@ -30,6 +38,12 @@ func setprocattr(attr, value string) error { +@@ -30,6 +32,12 @@ func setprocattr(attr, value string) error { } defer f.Close() -+ if ok, err := isProcHandle(f); err != nil { ++ if ok, err := utils.IsProcHandle(f); err != nil { + return err + } else if !ok { -+ return fmt.Errorf("/proc path not on procfs: %s", path) ++ return fmt.Errorf("%s not on procfs", path) + } + _, err = fmt.Fprintf(f, "%s", value) return err } -@@ -37,7 +51,7 @@ func setprocattr(attr, value string) error { +@@ -37,7 +45,7 @@ func setprocattr(attr, value string) error { // changeOnExec reimplements aa_change_onexec from libapparmor in Go func changeOnExec(name string) error { value := "exec " + name 
@@ -229,8 +226,77 @@ index d755984bc0f9..1bfe7c663225 100644 if err != nil { t.Fatal(err) } +diff --git a/libcontainer/utils/utils_unix.go b/libcontainer/utils/utils_unix.go +index c96088988a6d..cac37c449c6a 100644 +--- a/libcontainer/utils/utils_unix.go ++++ b/libcontainer/utils/utils_unix.go +@@ -3,33 +3,54 @@ + package utils + + import ( +- "io/ioutil" ++ "fmt" + "os" + "strconv" + + "golang.org/x/sys/unix" + ) + ++// IsProcHandle returns whether or not the given file handle is on procfs. ++func IsProcHandle(fh *os.File) (bool, error) { ++ var buf unix.Statfs_t ++ err := unix.Fstatfs(int(fh.Fd()), &buf) ++ return buf.Type == unix.PROC_SUPER_MAGIC, err ++} ++ ++// CloseExecFrom applies O_CLOEXEC to all file descriptors currently open for ++// the process (except for those below the given fd value). + func CloseExecFrom(minFd int) error { +- fdList, err := ioutil.ReadDir("/proc/self/fd") ++ fdDir, err := os.Open("/proc/self/fd") + if err != nil { + return err + } +- for _, fi := range fdList { +- fd, err := strconv.Atoi(fi.Name()) ++ defer fdDir.Close() ++ ++ if ok, err := IsProcHandle(fdDir); err != nil { ++ return err ++ } else if !ok { ++ return fmt.Errorf("/proc/self/fd not on procfs") ++ } ++ ++ fdList, err := fdDir.Readdirnames(-1) ++ if err != nil { ++ return err ++ } ++ for _, fdStr := range fdList { ++ fd, err := strconv.Atoi(fdStr) ++ // Ignore non-numeric file names. + if err != nil { +- // ignore non-numeric file names + continue + } +- ++ // Ignore descriptors lower than our specified minimum. + if fd < minFd { +- // ignore descriptors lower than our specified minimum + continue + } +- +- // intentionally ignore errors from unix.CloseOnExec ++ // Intentionally ignore errors from unix.CloseOnExec -- the cases where ++ // this might fail are basically file descriptors that have already ++ // been closed (including and especially the one that was created when ++ // ioutil.ReadDir did the "opendir" syscall). 
+ unix.CloseOnExec(fd) +- // the cases where this might fail are basically file descriptors that have already been closed (including and especially the one that was created when ioutil.ReadDir did the "opendir" syscall) + } + return nil + } diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go -index d7786c33c197..611df8f9b3b0 100644 +index d7786c33c197..04e94176daa0 100644 --- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go +++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go @@ -18,6 +18,8 @@ import ( @@ -262,7 +328,7 @@ index d7786c33c197..611df8f9b3b0 100644 + if ok, err := isProcHandle(in); err != nil { + return "", err + } else if !ok { -+ return "", fmt.Errorf("/proc path not on procfs: %s", fpath) ++ return "", fmt.Errorf("%s not on procfs", fpath) + } + var retval string @@ -275,7 +341,7 @@ index d7786c33c197..611df8f9b3b0 100644 + if ok, err := isProcHandle(out); err != nil { + return err + } else if !ok { -+ return fmt.Errorf("/proc path not on procfs: %s", fpath) ++ return fmt.Errorf("%s not on procfs", fpath) + } + if val != "" { From c2791cd3bee9e14612f809020322197955aa9c7d43cd369caafd9548501daf04 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Fri, 27 Sep 2019 20:22:13 +0000 Subject: [PATCH 4/6] Fix From: line for CVE-2019-16884. OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=79 --- CVE-2019-16884.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CVE-2019-16884.patch b/CVE-2019-16884.patch index 0beee43..5fca573 100644 --- a/CVE-2019-16884.patch +++ b/CVE-2019-16884.patch @@ -1,5 +1,5 @@ 
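Review bot: The rewritten comment above `unix.CloseOnExec(fd)` in `CloseExecFrom` still describes the already-closed descriptor as "the one that was created when ioutil.ReadDir did the \"opendir\" syscall", but this hunk replaces `ioutil.ReadDir` with `os.Open("/proc/self/fd")` plus `Readdirnames(-1)` and removes the `io/ioutil` import, so the comment now names a call that no longer exists. Suggest `// (including the fdDir handle opened above, whose own descriptor is expected to appear in the list).` in its place. The `IsProcHandle` check is done on the opened `fdDir` handle rather than the path, which is the right place for it; `fdDir.Close()` only runs via `defer` after the loop, so the loop presumably also marks the directory's own fd close-on-exec, which is harmless.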
From 74e43887d1e124b78c6e29876cff65423b8a999a Mon Sep 17 00:00:00 2001 -From: Michael Crosby +From: Aleksa Sarai Date: Mon, 23 Sep 2019 16:45:45 -0400 Subject: [PATCH] CVE-2019-16884 From 2606526c7c72b573248ac9839b1997db3a729af4b0de1ecca7c896d03ba0c000 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Sat, 28 Sep 2019 11:41:04 +0000 Subject: [PATCH 5/6] Accepting request 733834 from home:cyphar:containers:maint Add reference to bsc#1152308. OBS-URL: https://build.opensuse.org/request/show/733834 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=80 --- CVE-2019-16884.patch | 1 + runc.changes | 2 +- runc.spec | 5 +++-- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/CVE-2019-16884.patch b/CVE-2019-16884.patch index 5fca573..e3a437c 100644 --- a/CVE-2019-16884.patch +++ b/CVE-2019-16884.patch @@ -14,6 +14,7 @@ As well as the following still-in-review patches: * opencontainers/selinux#59: ("selinux: verify that writes to /proc/... are on procfs") +SUSE-Bugs: bsc#1152308 Signed-off-by: Michael Crosby Signed-off-by: Aleksa Sarai --- diff --git a/runc.changes b/runc.changes index 10ed360..fdf5286 100644 --- a/runc.changes +++ b/runc.changes @@ -1,7 +1,7 @@ ------------------------------------------------------------------- Thu Sep 26 14:54:07 UTC 2019 - Aleksa Sarai -- Add backported fix for CVE-2019-16884. +- Add backported fix for CVE-2019-16884. bsc#1152308 + CVE-2019-16884.patch - Add runc-rpmlintrc to drop runc-test rpmlint warnings. diff --git a/runc.spec b/runc.spec index 8511a50..00d69aa 100644 --- a/runc.spec +++ b/runc.spec 
@@ -53,7 +53,8 @@ Source2: runc.keyring Source3: runc-rpmlintrc # FIX-UPSTREAM: Backport of https://github.com/opencontainers/runc/pull/2129. # https://github.com/opencontainers/selinux/pull/59. -# https://github.com/opencontainers/runc/pull/2130. CVE-2019-16884 +# https://github.com/opencontainers/runc/pull/2130. +# bsc#1152308 CVE-2019-16884 Patch1: CVE-2019-16884.patch BuildRequires: fdupes BuildRequires: go-go-md2man @@ -89,7 +90,7 @@ Test package for runc. It contains the source code and the tests. %prep %setup -q -n %{name}-%{_version} -# CVE-2019-16884 +# bsc#1152308 CVE-2019-16884 %patch1 -p1 %build From 9c821cca87ae4dccd9fa64506b924ec3a3085c88483221b77addfcf7c7e72b23 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Sat, 5 Oct 2019 11:52:50 +0000 Subject: [PATCH 6/6] Accepting request 735404 from home:cyphar:containers:maint - Upgrade to runc v1.0.0~rc9. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc9 - Remove upstreamed patches: - CVE-2019-16884.patch OBS-URL: https://build.opensuse.org/request/show/735404 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=81 --- CVE-2019-16884.patch | 353 -------------------------------------- runc-1.0.0-rc8.tar.xz | 3 - runc-1.0.0-rc8.tar.xz.asc | 17 -- runc-1.0.0-rc9.tar.xz | 3 + runc-1.0.0-rc9.tar.xz.asc | 17 ++ runc.changes | 8 + runc.spec | 11 +- 7 files changed, 30 insertions(+), 382 deletions(-) delete mode 100644 CVE-2019-16884.patch delete mode 100644 runc-1.0.0-rc8.tar.xz delete mode 100644 runc-1.0.0-rc8.tar.xz.asc create mode 100644 runc-1.0.0-rc9.tar.xz create mode 100644 runc-1.0.0-rc9.tar.xz.asc diff --git a/CVE-2019-16884.patch b/CVE-2019-16884.patch deleted file mode 100644 index e3a437c..0000000 --- a/CVE-2019-16884.patch +++ /dev/null 
@@ -1,353 +0,0 @@ -From 74e43887d1e124b78c6e29876cff65423b8a999a Mon Sep 17 00:00:00 2001 -From: Aleksa Sarai -Date: Mon, 23 Sep 2019 16:45:45 -0400 -Subject: [PATCH] CVE-2019-16884 - -This patch includes a squash of the following upstream patches: - - * 331692baa7af ("Only allow proc mount if it is procfs") - -As well as the following still-in-review patches: - - * opencontainers/runc#2130: - ("*: verify that writes to /proc/... are on procfs") - * opencontainers/selinux#59: - ("selinux: verify that writes to /proc/... are on procfs") - -SUSE-Bugs: bsc#1152308 -Signed-off-by: Michael Crosby -Signed-off-by: Aleksa Sarai ---- - libcontainer/apparmor/apparmor.go | 12 ++++- - libcontainer/container_linux.go | 4 +- - libcontainer/rootfs_linux.go | 50 ++++++++++++++----- - libcontainer/rootfs_linux_test.go | 8 +-- - libcontainer/utils/utils_unix.go | 41 +++++++++++---- - .../selinux/go-selinux/selinux_linux.go | 20 ++++++++ - 6 files changed, 104 insertions(+), 31 deletions(-) - -diff --git a/libcontainer/apparmor/apparmor.go b/libcontainer/apparmor/apparmor.go -index 7fff0627fa1b..a482269141b6 100644 ---- a/libcontainer/apparmor/apparmor.go -+++ b/libcontainer/apparmor/apparmor.go -@@ -6,6 +6,8 @@ import ( - "fmt" - "io/ioutil" - "os" -+ -+ "github.com/opencontainers/runc/libcontainer/utils" - ) - - // IsEnabled returns true if apparmor is enabled for the host. 
-@@ -19,7 +21,7 @@ func IsEnabled() bool { - return false - } - --func setprocattr(attr, value string) error { -+func setProcAttr(attr, value string) error { - // Under AppArmor you can only change your own attr, so use /proc/self/ - // instead of /proc// like libapparmor does - path := fmt.Sprintf("/proc/self/attr/%s", attr) -@@ -30,6 +32,12 @@ func setprocattr(attr, value string) error { - } - defer f.Close() - -+ if ok, err := utils.IsProcHandle(f); err != nil { -+ return err -+ } else if !ok { -+ return fmt.Errorf("%s not on procfs", path) -+ } -+ - _, err = fmt.Fprintf(f, "%s", value) - return err - } -@@ -37,7 +45,7 @@ func setprocattr(attr, value string) error { - // changeOnExec reimplements aa_change_onexec from libapparmor in Go - func changeOnExec(name string) error { - value := "exec " + name -- if err := setprocattr("exec", value); err != nil { -+ if err := setProcAttr("exec", value); err != nil { - return fmt.Errorf("apparmor failed to apply profile: %s", err) - } - return nil -diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go -index 7e58e5e00824..d51e35dffb93 100644 ---- a/libcontainer/container_linux.go -+++ b/libcontainer/container_linux.go -@@ -19,7 +19,7 @@ import ( - "syscall" // only for SysProcAttr and Signal - "time" - -- "github.com/cyphar/filepath-securejoin" -+ securejoin "github.com/cyphar/filepath-securejoin" - "github.com/opencontainers/runc/libcontainer/cgroups" - "github.com/opencontainers/runc/libcontainer/configs" - "github.com/opencontainers/runc/libcontainer/intelrdt" -@@ -1160,7 +1160,7 @@ func (c *linuxContainer) makeCriuRestoreMountpoints(m *configs.Mount) error { - if err != nil { - return err - } -- if err := checkMountDestination(c.config.Rootfs, dest); err != nil { -+ if err := checkProcMount(c.config.Rootfs, dest, ""); err != nil { - return err - } - m.Destination = dest -diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go -index f13b226e444e..5650b0acbca8 100644 ---- 
a/libcontainer/rootfs_linux.go -+++ b/libcontainer/rootfs_linux.go -@@ -13,7 +13,7 @@ import ( - "strings" - "time" - -- "github.com/cyphar/filepath-securejoin" -+ securejoin "github.com/cyphar/filepath-securejoin" - "github.com/mrunalp/fileutils" - "github.com/opencontainers/runc/libcontainer/cgroups" - "github.com/opencontainers/runc/libcontainer/configs" -@@ -197,7 +197,7 @@ func prepareBindMount(m *configs.Mount, rootfs string) error { - if dest, err = securejoin.SecureJoin(rootfs, m.Destination); err != nil { - return err - } -- if err := checkMountDestination(rootfs, dest); err != nil { -+ if err := checkProcMount(rootfs, dest, m.Source); err != nil { - return err - } - // update the mount with the correct dest after symlinks are resolved. -@@ -388,7 +388,7 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b - if dest, err = securejoin.SecureJoin(rootfs, m.Destination); err != nil { - return err - } -- if err := checkMountDestination(rootfs, dest); err != nil { -+ if err := checkProcMount(rootfs, dest, m.Source); err != nil { - return err - } - // update the mount with the correct dest after symlinks are resolved. -@@ -435,12 +435,12 @@ func getCgroupMounts(m *configs.Mount) ([]*configs.Mount, error) { - return binds, nil - } - --// checkMountDestination checks to ensure that the mount destination is not over the top of /proc. -+// checkProcMount checks to ensure that the mount destination is not over the top of /proc. - // dest is required to be an abs path and have any symlinks resolved before calling this function. --func checkMountDestination(rootfs, dest string) error { -- invalidDestinations := []string{ -- "/proc", -- } -+// -+// if source is nil, don't stat the filesystem. This is used for restore of a checkpoint. 
-+func checkProcMount(rootfs, dest, source string) error { -+ const procPath = "/proc" - // White list, it should be sub directories of invalid destinations - validDestinations := []string{ - // These entries can be bind mounted by files emulated by fuse, -@@ -463,16 +463,40 @@ func checkMountDestination(rootfs, dest string) error { - return nil - } - } -- for _, invalid := range invalidDestinations { -- path, err := filepath.Rel(filepath.Join(rootfs, invalid), dest) -+ path, err := filepath.Rel(filepath.Join(rootfs, procPath), dest) -+ if err != nil { -+ return err -+ } -+ // pass if the mount path is located outside of /proc -+ if strings.HasPrefix(path, "..") { -+ return nil -+ } -+ if path == "." { -+ // an empty source is pasted on restore -+ if source == "" { -+ return nil -+ } -+ // only allow a mount on-top of proc if it's source is "proc" -+ isproc, err := isProc(source) - if err != nil { - return err - } -- if path != "." && !strings.HasPrefix(path, "..") { -- return fmt.Errorf("%q cannot be mounted because it is located inside %q", dest, invalid) -+ // pass if the mount is happening on top of /proc and the source of -+ // the mount is a proc filesystem -+ if isproc { -+ return nil - } -+ return fmt.Errorf("%q cannot be mounted because it is not of type proc", dest) - } -- return nil -+ return fmt.Errorf("%q cannot be mounted because it is inside /proc", dest) -+} -+ -+func isProc(path string) (bool, error) { -+ var s unix.Statfs_t -+ if err := unix.Statfs(path, &s); err != nil { -+ return false, err -+ } -+ return s.Type == unix.PROC_SUPER_MAGIC, nil - } - - func setupDevSymlinks(rootfs string) error { -diff --git a/libcontainer/rootfs_linux_test.go b/libcontainer/rootfs_linux_test.go -index d755984bc0f9..1bfe7c663225 100644 ---- a/libcontainer/rootfs_linux_test.go -+++ b/libcontainer/rootfs_linux_test.go -@@ -10,7 +10,7 @@ import ( - - func TestCheckMountDestOnProc(t *testing.T) { - dest := "/rootfs/proc/sys" -- err := checkMountDestination("/rootfs", 
dest) -+ err := checkProcMount("/rootfs", dest, "") - if err == nil { - t.Fatal("destination inside proc should return an error") - } -@@ -18,7 +18,7 @@ func TestCheckMountDestOnProc(t *testing.T) { - - func TestCheckMountDestOnProcChroot(t *testing.T) { - dest := "/rootfs/proc/" -- err := checkMountDestination("/rootfs", dest) -+ err := checkProcMount("/rootfs", dest, "/proc") - if err != nil { - t.Fatal("destination inside proc when using chroot should not return an error") - } -@@ -26,7 +26,7 @@ func TestCheckMountDestOnProcChroot(t *testing.T) { - - func TestCheckMountDestInSys(t *testing.T) { - dest := "/rootfs//sys/fs/cgroup" -- err := checkMountDestination("/rootfs", dest) -+ err := checkProcMount("/rootfs", dest, "") - if err != nil { - t.Fatal("destination inside /sys should not return an error") - } -@@ -34,7 +34,7 @@ func TestCheckMountDestInSys(t *testing.T) { - - func TestCheckMountDestFalsePositive(t *testing.T) { - dest := "/rootfs/sysfiles/fs/cgroup" -- err := checkMountDestination("/rootfs", dest) -+ err := checkProcMount("/rootfs", dest, "") - if err != nil { - t.Fatal(err) - } -diff --git a/libcontainer/utils/utils_unix.go b/libcontainer/utils/utils_unix.go -index c96088988a6d..cac37c449c6a 100644 ---- a/libcontainer/utils/utils_unix.go -+++ b/libcontainer/utils/utils_unix.go -@@ -3,33 +3,54 @@ - package utils - - import ( -- "io/ioutil" -+ "fmt" - "os" - "strconv" - - "golang.org/x/sys/unix" - ) - -+// IsProcHandle returns whether or not the given file handle is on procfs. -+func IsProcHandle(fh *os.File) (bool, error) { -+ var buf unix.Statfs_t -+ err := unix.Fstatfs(int(fh.Fd()), &buf) -+ return buf.Type == unix.PROC_SUPER_MAGIC, err -+} -+ -+// CloseExecFrom applies O_CLOEXEC to all file descriptors currently open for -+// the process (except for those below the given fd value). 
- func CloseExecFrom(minFd int) error { -- fdList, err := ioutil.ReadDir("/proc/self/fd") -+ fdDir, err := os.Open("/proc/self/fd") - if err != nil { - return err - } -- for _, fi := range fdList { -- fd, err := strconv.Atoi(fi.Name()) -+ defer fdDir.Close() -+ -+ if ok, err := IsProcHandle(fdDir); err != nil { -+ return err -+ } else if !ok { -+ return fmt.Errorf("/proc/self/fd not on procfs") -+ } -+ -+ fdList, err := fdDir.Readdirnames(-1) -+ if err != nil { -+ return err -+ } -+ for _, fdStr := range fdList { -+ fd, err := strconv.Atoi(fdStr) -+ // Ignore non-numeric file names. - if err != nil { -- // ignore non-numeric file names - continue - } -- -+ // Ignore descriptors lower than our specified minimum. - if fd < minFd { -- // ignore descriptors lower than our specified minimum - continue - } -- -- // intentionally ignore errors from unix.CloseOnExec -+ // Intentionally ignore errors from unix.CloseOnExec -- the cases where -+ // this might fail are basically file descriptors that have already -+ // been closed (including and especially the one that was created when -+ // ioutil.ReadDir did the "opendir" syscall). 
- unix.CloseOnExec(fd) -- // the cases where this might fail are basically file descriptors that have already been closed (including and especially the one that was created when ioutil.ReadDir did the "opendir" syscall) - } - return nil - } -diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go -index d7786c33c197..04e94176daa0 100644 ---- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go -+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go -@@ -18,6 +18,8 @@ import ( - "strings" - "sync" - "syscall" -+ -+ "golang.org/x/sys/unix" - ) - - const ( -@@ -252,6 +254,12 @@ func getSELinuxPolicyRoot() string { - return filepath.Join(selinuxDir, readConfig(selinuxTypeTag)) - } - -+func isProcHandle(fh *os.File) (bool, error) { -+ var buf unix.Statfs_t -+ err := unix.Fstatfs(int(fh.Fd()), &buf) -+ return buf.Type == unix.PROC_SUPER_MAGIC, err -+} -+ - func readCon(fpath string) (string, error) { - if fpath == "" { - return "", ErrEmptyPath -@@ -263,6 +271,12 @@ func readCon(fpath string) (string, error) { - } - defer in.Close() - -+ if ok, err := isProcHandle(in); err != nil { -+ return "", err -+ } else if !ok { -+ return "", fmt.Errorf("%s not on procfs", fpath) -+ } -+ - var retval string - if _, err := fmt.Fscanf(in, "%s", &retval); err != nil { - return "", err -@@ -345,6 +359,12 @@ func writeCon(fpath string, val string) error { - } - defer out.Close() - -+ if ok, err := isProcHandle(out); err != nil { -+ return err -+ } else if !ok { -+ return fmt.Errorf("%s not on procfs", fpath) -+ } -+ - if val != "" { - _, err = out.Write([]byte(val)) - } else { --- -2.23.0 - diff --git a/runc-1.0.0-rc8.tar.xz b/runc-1.0.0-rc8.tar.xz deleted file mode 100644 index aa2af22..0000000 --- a/runc-1.0.0-rc8.tar.xz +++ /dev/null 
@@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:5d46f01bca203ae226f107f8e3351211f492d43038af19b8337acffab6c4f576 -size 605828 diff --git a/runc-1.0.0-rc8.tar.xz.asc b/runc-1.0.0-rc8.tar.xz.asc deleted file mode 100644 index 1a77cdd..0000000 --- a/runc-1.0.0-rc8.tar.xz.asc +++ /dev/null @@ -1,17 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQJDBAABCAAtFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAlzBCX4PHGFzYXJhaUBz -dXNlLmRlAAoJEJ4YqiZ924203EoP+gMcVwgZr/vTP919zc3Ct2g/jy6PVJ8mwAjY -tyKF3CBBoz4HQZpzPxWrH/eVN0118/7SK2klOqvP/bE18H2Fy3aclaO4Kfv4YfK7 -UV8ejLPCxOzxcb/ZHn0sOStqFRVnnlR1OnCyzM2rd0Jy+w1GelHUSNLGrriPkXA/ -QfR7MEqtITnHmyHvgORdfe/aRzErqXaHvtTQp5spqKF4SGPb+5Dsio1A/cZWiQy6 -XqdD0i5qkzthKkyarxuPuW9FbnLigCYyuJQfJg2sxa32fbQdO23M0FH1s2hTtmDF -CTmKF4SUpBvGe7EIoX5Jo7+NZK9msi2gnYTPNDHpgvMpB9nbAXERZpi2IrAmUA1F -c5CwgNOx7nGEy1MYloesYApAQA/lVEnEpmU1mUnNCSM7SjUgOW6bPmPMlww9jcis -N1qGvQLCMI2TBd3JD89us0qsS0YN5u8KiaXPyW9WKqSEdZliMMPEkf3d7pzyU5un -EFybWwMVgbNDuj1++KOjTQFHT2g1AhCzkqoqP4aB9g6vgHpO4ThUxTcMVmDGXleB -FYqSgYNwP5D8NaWj+PcbBExQyqxs6geygRTcbO+r+F0yNyGPet2I/1zDRe7r48TC -G9BGtNqRkBklieOSmP9zFZG9EWltzoSxy9MsThTSCMEWrt5nuDzVflk8uhYVnYTq -E9Hb2HPf -=ZrUD ------END PGP SIGNATURE----- diff --git a/runc-1.0.0-rc9.tar.xz b/runc-1.0.0-rc9.tar.xz new file mode 100644 index 0000000..081bbe4 --- /dev/null +++ b/runc-1.0.0-rc9.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2f1c7ebac67c779affe2bb4370bba44b08ed280144ba58c86219186e303832ba +size 711184 diff --git a/runc-1.0.0-rc9.tar.xz.asc b/runc-1.0.0-rc9.tar.xz.asc new file mode 100644 index 0000000..26eb25b --- /dev/null +++ b/runc-1.0.0-rc9.tar.xz.asc 
@@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- + +iQJDBAABCAAtFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAl2SMNUPHGFzYXJhaUBz +dXNlLmRlAAoJEJ4YqiZ92420L3MP/jX4BABEWVD2oF5PsqB9MadkngQ85ZfJPr8w +0g9UcangIIJsx8vSt22qQbWMcyZH5rZ89NPIs6+xoRhRVJWA1ByPJpGnx+/7p25z +S5hCe753rs51MczvYbRLlWCl4BuHeXsJb+FHvUI70G8WyZNZuS+4bdJTpWWTL8u4 +P/9MTvKWsVp5BdI4k3h/OXD1i4GT/9nZFCKG9wfuBWGwp5po8/Izi+tZ0ZN9RZMG +Lz2YaS/Z5cP+OSKepyCXXzlhx0+eeQ5NrjK/DQirwA4jzR1NAVKJd6npJSglra6q +3FGDdNGf+Kod3IaCStnRaZU/gHjJLIWO6rtAQy2aZDB73eHcqG3B9xoPRuWSLzdY +uJO2xdh/wI69md2qtxBnP2EGZi2y7s5sp2FHbYV8gkBluynak6Ig3WAaewHm9mx1 +NpwIV+YuSoSwb+s+jxGg1y3pV6UaeraYYy1G3Zv+94vj7fIfRpmtRyjhhKU38sOp +6jjIGLEnXof7tij09sIwZAdRugJUP8aT6xA05/JAo+kT2ooXEAYC3P5OMUhULX7k +LIflH3Znq/ZFKBH8kKxghQ+Iwy5yzfGiCJd2lWfZ631L5md6WSPtTFabcGhgOc43 +CrF5bU0bkgokyNLqc7y80ou0uGyC3c5f4SB7cf/Jq6Jvo4EgTLWAzYBY5bTZ1zv6 +xl2XtUcX +=Aezk +-----END PGP SIGNATURE----- diff --git a/runc.changes b/runc.changes index fdf5286..e112ae2 100644 --- a/runc.changes +++ b/runc.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Sat Oct 5 11:40:13 UTC 2019 - Aleksa Sarai + +- Upgrade to runc v1.0.0~rc9. Upstream changelog is available from + https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc9 +- Remove upstreamed patches: + - CVE-2019-16884.patch + ------------------------------------------------------------------- Thu Sep 26 14:54:07 UTC 2019 - Aleksa Sarai diff --git a/runc.spec b/runc.spec index 00d69aa..5e7cbc2 100644 --- a/runc.spec +++ b/runc.spec @@ -24,7 +24,7 @@ # Package-wide golang version %define go_version 1.10 %define go_tool go -%define _version 1.0.0-rc8 +%define _version 1.0.0-rc9 %define project github.com/opencontainers/runc # enable libseccomp for sle >= sle12sp2 @@ -41,7 +41,7 @@ %endif Name: runc -Version: 1.0.0~rc8 +Version: 1.0.0~rc9 Release: 0 Summary: Tool for spawning and running OCI containers License: Apache-2.0 
@@ -51,11 +51,6 @@ Source0: https://github.com/opencontainers/runc/releases/download/v%{_ver Source1: https://github.com/opencontainers/runc/releases/download/v%{_version}/runc.tar.xz.asc#/runc-%{_version}.tar.xz.asc Source2: runc.keyring Source3: runc-rpmlintrc -# FIX-UPSTREAM: Backport of https://github.com/opencontainers/runc/pull/2129. -# https://github.com/opencontainers/selinux/pull/59. -# https://github.com/opencontainers/runc/pull/2130. -# bsc#1152308 CVE-2019-16884 -Patch1: CVE-2019-16884.patch BuildRequires: fdupes BuildRequires: go-go-md2man BuildRequires: golang(API) = %{go_version} @@ -90,8 +85,6 @@ Test package for runc. It contains the source code and the tests. %prep %setup -q -n %{name}-%{_version} -# bsc#1152308 CVE-2019-16884 -%patch1 -p1 %build # Do not use symlinks. If you want to run the unit tests for this package at
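Review bot: Dropping `Patch1: CVE-2019-16884.patch` here assumes the rc9 tarball carries all three fixes the backport squashed, yet the deleted patch header in this same commit described two of them (opencontainers/runc#2130 and the vendored opencontainers/selinux#59) as still in review when the backport was made, so "upstreamed" should be confirmed per component rather than inferred from the release. The SELinux part only arrives through the vendored copy, so verify that rc9's `vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go` has the procfs check in `readCon`/`writeCon`; a partial merge would silently reopen the label-write path this CVE covered. I would leave a one-line breadcrumb in place of the removed comment block, e.g. `# CVE-2019-16884 bsc#1152308: fixed upstream in v1.0.0-rc9 (runc#2129, runc#2130, selinux#59)`, so later triage can see the fix is inherited rather than lost. The second hunk of this file (the %prep change) runs past the end of the visible text.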