
Accepting request 1146719 from home:dancermak:branches:Virtualization:containers

Vendor latest buildkit v0.11 including CVE patches

OBS-URL: https://build.opensuse.org/request/show/1146719
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=400
Danish Prakash 2024-02-15 14:06:27 +00:00 committed by Git OBS Bridge
parent e62df9de4c
commit 4406dfe326
9 changed files with 3201 additions and 40 deletions


@ -1,7 +1,7 @@
From abdf99298d04ab089ff084669ea421adc0e43f69 Mon Sep 17 00:00:00 2001 From 678e0f470c01dcf849d42d4f3f38e97b8d7ba841 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de> From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 8 Mar 2017 12:41:54 +1100 Date: Wed, 8 Mar 2017 12:41:54 +1100
Subject: [PATCH 1/5] SECRETS: daemon: allow directory creation in /run/secrets Subject: [PATCH 1/6] SECRETS: daemon: allow directory creation in /run/secrets
Since FileMode can have the directory bit set, allow a SecretStore Since FileMode can have the directory bit set, allow a SecretStore
implementation to return secrets that are actually directories. This is implementation to return secrets that are actually directories. This is
@ -14,7 +14,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
1 file changed, 20 insertions(+), 3 deletions(-) 1 file changed, 20 insertions(+), 3 deletions(-)
diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
index 290ec59a34a7..b7013fb89c83 100644 index 290ec59a34..b7013fb89c 100644
--- a/daemon/container_operations_unix.go --- a/daemon/container_operations_unix.go
+++ b/daemon/container_operations_unix.go +++ b/daemon/container_operations_unix.go
@@ -4,6 +4,7 @@ @@ -4,6 +4,7 @@
@ -69,5 +69,5 @@ index 290ec59a34a7..b7013fb89c83 100644
return errors.Wrap(err, "error setting ownership for secret") return errors.Wrap(err, "error setting ownership for secret")
} }
-- --
2.42.0 2.43.0


@ -1,7 +1,7 @@
From b218415fb0a1da1b39743e61fa39e99cfbda5157 Mon Sep 17 00:00:00 2001 From 4f2462c67f8aa24d08648c2494a83a10e1578079 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de> From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 8 Mar 2017 11:43:29 +1100 Date: Wed, 8 Mar 2017 11:43:29 +1100
Subject: [PATCH 2/5] SECRETS: SUSE: implement SUSE container secrets Subject: [PATCH 2/6] SECRETS: SUSE: implement SUSE container secrets
This allows for us to pass in host credentials to a container, allowing This allows for us to pass in host credentials to a container, allowing
for SUSEConnect to work with containers. for SUSEConnect to work with containers.
@ -19,7 +19,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
create mode 100644 daemon/suse_secrets.go create mode 100644 daemon/suse_secrets.go
diff --git a/daemon/start.go b/daemon/start.go diff --git a/daemon/start.go b/daemon/start.go
index 2e0b9e6be847..dca04486888f 100644 index 2e0b9e6be8..dca0448688 100644
--- a/daemon/start.go --- a/daemon/start.go
+++ b/daemon/start.go +++ b/daemon/start.go
@@ -151,6 +151,11 @@ func (daemon *Daemon) containerStart(ctx context.Context, container *container.C @@ -151,6 +151,11 @@ func (daemon *Daemon) containerStart(ctx context.Context, container *container.C
@ -36,7 +36,7 @@ index 2e0b9e6be847..dca04486888f 100644
return errdefs.System(err) return errdefs.System(err)
diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go
new file mode 100644 new file mode 100644
index 000000000000..32b0ece91b59 index 0000000000..32b0ece91b
--- /dev/null --- /dev/null
+++ b/daemon/suse_secrets.go +++ b/daemon/suse_secrets.go
@@ -0,0 +1,415 @@ @@ -0,0 +1,415 @@
@ -456,5 +456,5 @@ index 000000000000..32b0ece91b59
+ return nil + return nil
+} +}
-- --
2.42.0 2.43.0


@ -1,7 +1,7 @@
From bf66581467a0b1faccedb6a4e8a61d5cdb973bdb Mon Sep 17 00:00:00 2001 From 4b6edb887a878a9637e9b3f434fa3f905543e1d1 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de> From: Aleksa Sarai <asarai@suse.de>
Date: Mon, 22 May 2023 15:44:54 +1000 Date: Mon, 22 May 2023 15:44:54 +1000
Subject: [PATCH 3/5] BUILD: SLE12: revert "graphdriver/btrfs: use kernel UAPI Subject: [PATCH 3/6] BUILD: SLE12: revert "graphdriver/btrfs: use kernel UAPI
headers" headers"
This reverts commit 3208dcabdc8997340b255f5b880fef4e3f54580d. This reverts commit 3208dcabdc8997340b255f5b880fef4e3f54580d.
@ -16,7 +16,7 @@ Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
1 file changed, 4 insertions(+), 9 deletions(-) 1 file changed, 4 insertions(+), 9 deletions(-)
diff --git a/daemon/graphdriver/btrfs/btrfs.go b/daemon/graphdriver/btrfs/btrfs.go diff --git a/daemon/graphdriver/btrfs/btrfs.go b/daemon/graphdriver/btrfs/btrfs.go
index d88efc4be2bb..4e976aa689cd 100644 index d88efc4be2..4e976aa689 100644
--- a/daemon/graphdriver/btrfs/btrfs.go --- a/daemon/graphdriver/btrfs/btrfs.go
+++ b/daemon/graphdriver/btrfs/btrfs.go +++ b/daemon/graphdriver/btrfs/btrfs.go
@@ -5,17 +5,12 @@ package btrfs // import "github.com/docker/docker/daemon/graphdriver/btrfs" @@ -5,17 +5,12 @@ package btrfs // import "github.com/docker/docker/daemon/graphdriver/btrfs"
@ -42,5 +42,5 @@ index d88efc4be2bb..4e976aa689cd 100644
static void set_name_btrfs_ioctl_vol_args_v2(struct btrfs_ioctl_vol_args_v2* btrfs_struct, const char* value) { static void set_name_btrfs_ioctl_vol_args_v2(struct btrfs_ioctl_vol_args_v2* btrfs_struct, const char* value) {
snprintf(btrfs_struct->name, BTRFS_SUBVOL_NAME_MAX, "%s", value); snprintf(btrfs_struct->name, BTRFS_SUBVOL_NAME_MAX, "%s", value);
-- --
2.42.0 2.43.0


@ -1,7 +1,7 @@
From ffd675934886f01d557366902c81e0f8076a89c2 Mon Sep 17 00:00:00 2001 From a309d7e57c351a5f81a0cf9a342205ab790f60ba Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de> From: Aleksa Sarai <asarai@suse.de>
Date: Fri, 29 Jun 2018 17:59:30 +1000 Date: Fri, 29 Jun 2018 17:59:30 +1000
Subject: [PATCH 4/5] bsc1073877: apparmor: clobber docker-default profile on Subject: [PATCH 4/6] bsc1073877: apparmor: clobber docker-default profile on
start start
In the process of making docker-default reloading far less expensive, In the process of making docker-default reloading far less expensive,
@ -22,7 +22,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
3 files changed, 17 insertions(+), 6 deletions(-) 3 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/daemon/apparmor_default.go b/daemon/apparmor_default.go diff --git a/daemon/apparmor_default.go b/daemon/apparmor_default.go
index 6376001613f7..5fde21a4af8a 100644 index 6376001613..5fde21a4af 100644
--- a/daemon/apparmor_default.go --- a/daemon/apparmor_default.go
+++ b/daemon/apparmor_default.go +++ b/daemon/apparmor_default.go
@@ -24,6 +24,15 @@ func DefaultApparmorProfile() string { @@ -24,6 +24,15 @@ func DefaultApparmorProfile() string {
@ -54,7 +54,7 @@ index 6376001613f7..5fde21a4af8a 100644
return nil return nil
} }
diff --git a/daemon/apparmor_default_unsupported.go b/daemon/apparmor_default_unsupported.go diff --git a/daemon/apparmor_default_unsupported.go b/daemon/apparmor_default_unsupported.go
index e3dc18b32b5e..9c7723056268 100644 index e3dc18b32b..9c77230562 100644
--- a/daemon/apparmor_default_unsupported.go --- a/daemon/apparmor_default_unsupported.go
+++ b/daemon/apparmor_default_unsupported.go +++ b/daemon/apparmor_default_unsupported.go
@@ -3,6 +3,10 @@ @@ -3,6 +3,10 @@
@ -69,7 +69,7 @@ index e3dc18b32b5e..9c7723056268 100644
return nil return nil
} }
diff --git a/daemon/daemon.go b/daemon/daemon.go diff --git a/daemon/daemon.go b/daemon/daemon.go
index 4d76c5798888..15c95b50c4eb 100644 index 4d76c57988..15c95b50c4 100644
--- a/daemon/daemon.go --- a/daemon/daemon.go
+++ b/daemon/daemon.go +++ b/daemon/daemon.go
@@ -839,8 +839,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S @@ -839,8 +839,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
@ -85,5 +85,5 @@ index 4d76c5798888..15c95b50c4eb 100644
} }
-- --
2.42.0 2.43.0


@ -1,7 +1,7 @@
From eef724b45a4047b6d3cefb214e330a4b24ccdf2e Mon Sep 17 00:00:00 2001 From e4c2b3e6b168e815ec7248aea696afe807153cb6 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de> From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 11 Oct 2023 21:19:12 +1100 Date: Wed, 11 Oct 2023 21:19:12 +1100
Subject: [PATCH 5/5] SLE12: revert "apparmor: remove version-conditionals from Subject: [PATCH 5/6] SLE12: revert "apparmor: remove version-conditionals from
template" template"
This reverts the following commits: This reverts the following commits:
@ -25,7 +25,7 @@ Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
5 files changed, 46 insertions(+), 6 deletions(-) 5 files changed, 46 insertions(+), 6 deletions(-)
diff --git a/contrib/apparmor/main.go b/contrib/apparmor/main.go diff --git a/contrib/apparmor/main.go b/contrib/apparmor/main.go
index d67890d265de..f4a2978b86cb 100644 index d67890d265..f4a2978b86 100644
--- a/contrib/apparmor/main.go --- a/contrib/apparmor/main.go
+++ b/contrib/apparmor/main.go +++ b/contrib/apparmor/main.go
@@ -6,9 +6,13 @@ import ( @@ -6,9 +6,13 @@ import (
@ -68,7 +68,7 @@ index d67890d265de..f4a2978b86cb 100644
log.Fatalf("executing template failed: %v", err) log.Fatalf("executing template failed: %v", err)
} }
diff --git a/contrib/apparmor/template.go b/contrib/apparmor/template.go diff --git a/contrib/apparmor/template.go b/contrib/apparmor/template.go
index 58afcbe845ee..e6d0b6d37c58 100644 index 58afcbe845..e6d0b6d37c 100644
--- a/contrib/apparmor/template.go --- a/contrib/apparmor/template.go
+++ b/contrib/apparmor/template.go +++ b/contrib/apparmor/template.go
@@ -20,9 +20,11 @@ profile /usr/bin/docker (attach_disconnected, complain) { @@ -20,9 +20,11 @@ profile /usr/bin/docker (attach_disconnected, complain) {
@ -156,7 +156,7 @@ index 58afcbe845ee..e6d0b6d37c58 100644
/lib/** rm, /lib/** rm,
/usr/bin/xz rm, /usr/bin/xz rm,
diff --git a/pkg/aaparser/aaparser.go b/pkg/aaparser/aaparser.go diff --git a/pkg/aaparser/aaparser.go b/pkg/aaparser/aaparser.go
index 3d7c2c5a97b3..2b5a2605f9c1 100644 index 3d7c2c5a97..2b5a2605f9 100644
--- a/pkg/aaparser/aaparser.go --- a/pkg/aaparser/aaparser.go
+++ b/pkg/aaparser/aaparser.go +++ b/pkg/aaparser/aaparser.go
@@ -13,8 +13,6 @@ const ( @@ -13,8 +13,6 @@ const (
@ -169,7 +169,7 @@ index 3d7c2c5a97b3..2b5a2605f9c1 100644
output, err := cmd("", "--version") output, err := cmd("", "--version")
if err != nil { if err != nil {
diff --git a/profiles/apparmor/apparmor.go b/profiles/apparmor/apparmor.go diff --git a/profiles/apparmor/apparmor.go b/profiles/apparmor/apparmor.go
index d0f236160506..b3566b2f7354 100644 index d0f2361605..b3566b2f73 100644
--- a/profiles/apparmor/apparmor.go --- a/profiles/apparmor/apparmor.go
+++ b/profiles/apparmor/apparmor.go +++ b/profiles/apparmor/apparmor.go
@@ -14,8 +14,10 @@ import ( @@ -14,8 +14,10 @@ import (
@ -208,7 +208,7 @@ index d0f236160506..b3566b2f7354 100644
} }
diff --git a/profiles/apparmor/template.go b/profiles/apparmor/template.go diff --git a/profiles/apparmor/template.go b/profiles/apparmor/template.go
index 9f207e2014a8..626e5f6789a3 100644 index 9f207e2014..626e5f6789 100644
--- a/profiles/apparmor/template.go --- a/profiles/apparmor/template.go
+++ b/profiles/apparmor/template.go +++ b/profiles/apparmor/template.go
@@ -24,12 +24,14 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) { @@ -24,12 +24,14 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
@ -237,5 +237,5 @@ index 9f207e2014a8..626e5f6789a3 100644
} }
` `
-- --
2.42.0 2.43.0


@ -1,6 +1,2 @@
# The #! comes from upstream. addFilter("^docker-bash-completion.noarch: (E|W): non-executable-script /usr/share/bash-completion/completions/docker")
addFilter ("^docker-bash-completion.noarch: W: sourced-script-with-shebang /etc/bash_completion.d/docker bash") addFilter("^docker-zsh-completion.noarch: W: non-conffile-in-etc /etc/zsh_completion.d/_docker")
addFilter ("^docker-zsh-completion.noarch: W: sourced-script-with-shebang /etc/zsh_completion.d/docker zsh")
# -test is something that is used internally and isn't actually shipped -- it's a pseduo-source package.
addFilter ("^docker-test.*")


@ -1,3 +1,24 @@
-------------------------------------------------------------------
Wed Feb 14 08:40:36 UTC 2024 - Dan Čermák <dcermak@suse.com>
- Vendor latest buildkit v0.11:
Add patch 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch that
vendors in the latest v0.11 buildkit branch including bugfixes for the following:
* bsc#1219438: CVE-2024-23653
* bsc#1219268: CVE-2024-23652
* bsc#1219267: CVE-2024-23651
- rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- switch from %patchN to %patch -PN syntax
- remove unused rpmlint filters and add filters to silence pointless bash & zsh
completion warnings
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Oct 27 21:14:37 UTC 2023 - Aleksa Sarai <asarai@suse.com> Fri Oct 27 21:14:37 UTC 2023 - Aleksa Sarai <asarai@suse.com>


@ -72,6 +72,11 @@ Patch201: 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
Patch202: 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch Patch202: 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
# UPSTREAM: Backport of <https://github.com/docker/cli/pull/4228>. # UPSTREAM: Backport of <https://github.com/docker/cli/pull/4228>.
Patch900: cli-0001-docs-include-required-tools-in-source-tree.patch Patch900: cli-0001-docs-include-required-tools-in-source-tree.patch
# bugfix for:
# bsc#1219438: CVE-2024-23653
# bsc#1219268: CVE-2024-23652
# bsc#1219267: CVE-2024-23651
Patch901: 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch
BuildRequires: audit BuildRequires: audit
BuildRequires: bash-completion BuildRequires: bash-completion
BuildRequires: ca-certificates BuildRequires: ca-certificates
@ -122,7 +127,7 @@ Requires: iptables >= 1.4
Requires: procps Requires: procps
Requires: tar >= 1.26 Requires: tar >= 1.26
Requires: xz >= 4.9 Requires: xz >= 4.9
%sysusers_requires %?sysusers_requires
Requires(post): %fillup_prereq Requires(post): %fillup_prereq
Requires(post): udev Requires(post): udev
Requires(post): shadow Requires(post): shadow
@ -198,7 +203,7 @@ Fish command line completion support for %{name}.
%setup -q -T -b 1 -n %{name}-cli-%{version} %setup -q -T -b 1 -n %{name}-cli-%{version}
[ "%{cli_builddir}" = "$PWD" ] [ "%{cli_builddir}" = "$PWD" ]
# offline manpages # offline manpages
%patch900 -p1 %patch -P900 -p1
# docker # docker
%define docker_builddir %{_builddir}/%{name}-%{version}_%{git_version} %define docker_builddir %{_builddir}/%{name}-%{version}_%{git_version}
@ -209,17 +214,19 @@ cp %{SOURCE130} .
%if 0%{?is_opensuse} == 0 %if 0%{?is_opensuse} == 0
# PATCH-SUSE: Secrets patches. # PATCH-SUSE: Secrets patches.
%patch100 -p1 %patch -P100 -p1
%patch101 -p1 %patch -P101 -p1
%endif %endif
%if 0%{?sle_version} == 120000 %if 0%{?sle_version} == 120000
# Patches to build on SLE-12. # Patches to build on SLE-12.
%patch200 -p1 %patch -P200 -p1
%endif %endif
# bsc#1099277 # bsc#1099277
%patch201 -p1 %patch -P201 -p1
# Solves apparmor issues on SLE-12, but okay for newer SLE versions too. # Solves apparmor issues on SLE-12, but okay for newer SLE versions too.
%patch202 -p1 %patch -P202 -p1
# temporary buildkit bugfixes
%patch -P901 -p1
%build %build
%sysusers_generate_pre %{SOURCE160} %{name} %{name}.conf %sysusers_generate_pre %{SOURCE160} %{name} %{name}.conf
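Review bot: The switch to `%?sysusers_requires` in the `Requires:` hunk makes that dependency silently expand to nothing when the sysusers macros are undefined, yet the last hunk of this section still uses `%sysusers_generate_pre %{SOURCE160} %{name} %{name}.conf` unconditionally, so a target without those macros would most likely still fail in `%build` while on every other target the `%?` only hides a misspelled macro name; either keep the plain `%sysusers_requires` or guard both uses the same way. The new `%patch -P901 -p1` is applied unconditionally, consistent with the CVE list at the `Patch901:` declaration in the first hunk, but the `# temporary buildkit bugfixes` comment gives no criterion for when the patch can go; I would write it as `# temporary buildkit bugfixes (bsc#1219438, bsc#1219268, bsc#1219267); drop once a fixed buildkit v0.11 is vendored upstream`. The `%build` section continues past the end of the hunk.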