From 00112aab82c73bc9f1d9ae10cfa4954a00be804cbb7ec617399aaa8df8e75428 Mon Sep 17 00:00:00 2001
From: Valentin Rothberg
Date: Thu, 7 Sep 2017 07:53:28 +0000
Subject: [PATCH] Accepting request 521690 from home:cyphar:containers:dm_bsc1045628

- devicemapper: add patch to make the dm storage driver remove a container's rootfs mountpoint before attempting to do libdm operations on it. This helps avoid complications when live mounts will leak into containers. Backport of https://github.com/moby/moby/pull/34573. bsc#1045628 + bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch
OBS-URL: https://build.opensuse.org/request/show/521690
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=200
---
 ...ove-container-rootfs-mountPath-after.patch | 72 +++++++++++++++++++
 docker.changes | 9 +++
 docker.spec | 6 ++
 3 files changed, 87 insertions(+)
 create mode 100644 bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch

diff --git a/bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch b/bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch
new file mode 100644
index 0000000..2122b3f
--- /dev/null
+++ b/bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch
@@ -0,0 +1,72 @@
+From be9eaee9e25e6b389fcfacd8829bc1235269527b Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai
+Date: Sun, 20 Aug 2017 13:50:52 +1000
+Subject: [PATCH] devicemapper: remove container rootfs mountPath after umount
+
+libdm currently has a fairly substantial DoS bug that makes certain
+operations fail on a libdm device if the device has active references
+through mountpoints. This is a significant problem with the advent of
+mount namespaces and MS_PRIVATE, and can cause certain --volume mounts
+to cause libdm to no longer be able to remove containers:
+
+ % docker run -d --name testA busybox top
+ % docker run -d --name testB -v /var/lib/docker:/docker busybox top
+ % docker rm -f testA
+ [fails on libdm with dm_task_run errors.]
+
+This also solves the problem of unprivileged users being able to DoS
+docker by using unprivileged mount namespaces to preseve mounts that
+Docker has dropped.
+
+SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1045628
+SUSE-Backport: https://github.com/moby/moby/pull/34573
+Signed-off-by: Aleksa Sarai
+---
+ daemon/graphdriver/devmapper/deviceset.go | 12 ++++++++++++
+ daemon/graphdriver/devmapper/driver.go | 4 +++-
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/daemon/graphdriver/devmapper/deviceset.go b/daemon/graphdriver/devmapper/deviceset.go
+index ba845d4d01d4..fe8103683b9b 100644
+--- a/daemon/graphdriver/devmapper/deviceset.go
++++ b/daemon/graphdriver/devmapper/deviceset.go
+@@ -2402,6 +2402,18 @@ func (devices *DeviceSet) UnmountDevice(hash, mountPath string) error {
+ }
+ logrus.Debug("devmapper: Unmount done")
+ 
++ // Remove the mountpoint here. Removing the mountpoint (in newer kernels)
++ // will cause all other instances of this mount in other mount namespaces
++ // to be killed (this is an anti-DoS measure that is necessary for things
++ // like devicemapper). This is necessary to avoid cases where a libdm mount
++ // that is present in another namespace will cause subsequent RemoveDevice
++ // operations to fail. We ignore any errors here because this may fail on
++ // older kernels which don't have
++ // torvalds/linux@8ed936b5671bfb33d89bc60bdcc7cf0470ba52fe applied.
++ if err := os.Remove(mountPath); err != nil {
++ logrus.Debugf("devmapper: error doing a remove on unmounted device %s: %v", mountPath, err)
++ }
++
+ return devices.deactivateDevice(info)
+ }
+ 
+diff --git a/daemon/graphdriver/devmapper/driver.go b/daemon/graphdriver/devmapper/driver.go
+index 91de5cd12a0f..69a3b3184933 100644
+--- a/daemon/graphdriver/devmapper/driver.go
++++ b/daemon/graphdriver/devmapper/driver.go
+@@ -227,10 +227,12 @@ func (d *Driver) Put(id string) error {
+ if count := d.ctr.Decrement(mp); count > 0 {
+ return nil
+ }
++
+ err := d.DeviceSet.UnmountDevice(id, mp)
+ if err != nil {
+- logrus.Errorf("devmapper: Error unmounting device %s: %s", id, err)
++ logrus.Errorf("devmapper: Error unmounting device %s: %v", id, err)
+ }
++
+ return err
+ }
+ 
+--
+2.14.1
+ 
diff --git a/docker.changes b/docker.changes
index 006d393..50cb4f3 100644
--- a/docker.changes
+++ b/docker.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Wed Sep 6 11:42:31 UTC 2017 - asarai@suse.com
+
+- devicemapper: add patch to make the dm storage driver remove a container's
+ rootfs mountpoint before attempting to do libdm operations on it. This helps
+ avoid complications when live mounts will leak into containers. Backport of
+ https://github.com/moby/moby/pull/34573. bsc#1045628
+ + bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch
+
 -------------------------------------------------------------------
 Wed Aug 30 14:58:52 UTC 2017 - asarai@suse.com
 
diff --git a/docker.spec b/docker.spec
index 1fd56b7..940c0f0 100644
--- a/docker.spec
+++ b/docker.spec
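Review bot: The `os.Remove(mountPath)` failure in UnmountDevice (deviceset.go hunk) is logged only at Debug level, yet an EBUSY from that rmdir is precisely the leaked-mount condition this patch exists to counter, and the deactivateDevice call that follows is then likely to fail with a less specific libdm error. Separating the harmless "already gone" outcome from a still-referenced mountpoint would give operators a direct signal, e.g. `if err := os.Remove(mountPath); err != nil && !os.IsNotExist(err) {` with the log raised to `logrus.Warnf`; the comment notes older kernels lacking the detach-on-rmdir behaviour, so if Warn would be too noisy there, keeping Debug but still skipping the not-exist case is the minimum worth doing. UnmountDevice begins above the hunk, so whether an earlier unmount failure returns before reaching this removal cannot be confirmed from here. The driver.go hunk only changes the error format verb and needs nothing further.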
@@ -58,6 +58,8 @@ Patch300: integration-cli-fix-TestInfoEnsureSucceeds.patch
 Patch400: bsc1037436-0001-client-check-tty-before-creating-exec-job.patch
 # PATCH-FIX-UPSTREAM: Backport of https://github.com/moby/moby/pull/33250 (bsc#1037607).
 Patch401: bsc1037607-0001-apparmor-make-pkg-aaparser-work-on-read-only-root.patch
+# PATCH-FIX-UPSTREAM: Backport of https://github.com/moby/moby/pull/34573 (bsc#1045628)
+Patch402: bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch
 BuildRequires: audit
 BuildRequires: bash-completion
 BuildRequires: ca-certificates
@@ -176,8 +178,12 @@ Test package for docker. It contains the source code and the tests.
 %patch201 -p1
 %endif
 %patch300 -p1
+# bsc#1037436
 %patch400 -p1
+# bsc#1037607
 %patch401 -p1
+# bsc#1045628
+%patch402 -p1
 cp %{SOURCE7} .
 cp %{SOURCE10} .