Accepting request 735404 from home:cyphar:containers:maint

- Upgrade to runc v1.0.0~rc9. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc9 - Remove upstreamed patches: - CVE-2019-16884.patch OBS-URL: https://build.opensuse.org/request/show/735404 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=81
2019-10-05 11:52:50 +00:00 · 2019-10-05 11:52:50 +00:00 · 9c821cca87
commit 9c821cca87
parent 2606526c7c
7 changed files with 30 additions and 382 deletions
--- a/CVE-2019-16884.patch
+++ b/CVE-2019-16884.patch
@ -1,353 +0,0 @@
-From 74e43887d1e124b78c6e29876cff65423b8a999a Mon Sep 17 00:00:00 2001
-From: Aleksa Sarai <asarai@suse.de>
-Date: Mon, 23 Sep 2019 16:45:45 -0400
-Subject: [PATCH] CVE-2019-16884
-
-This patch includes a squash of the following upstream patches:
-
- * 331692baa7af ("Only allow proc mount if it is procfs")
-
-As well as the following still-in-review patches:
-
- * opencontainers/runc#2130:
-   ("*: verify that writes to /proc/... are on procfs")
- * opencontainers/selinux#59:
-   ("selinux: verify that writes to /proc/... are on procfs")
-
-SUSE-Bugs: bsc#1152308
-Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
-Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
- libcontainer/apparmor/apparmor.go             | 12 ++++-
- libcontainer/container_linux.go               |  4 +-
- libcontainer/rootfs_linux.go                  | 50 ++++++++++++++-----
- libcontainer/rootfs_linux_test.go             |  8 +--
- libcontainer/utils/utils_unix.go              | 41 +++++++++++----
- .../selinux/go-selinux/selinux_linux.go       | 20 ++++++++
- 6 files changed, 104 insertions(+), 31 deletions(-)
-
-diff --git a/libcontainer/apparmor/apparmor.go b/libcontainer/apparmor/apparmor.go
-index 7fff0627fa1b..a482269141b6 100644
--- a/libcontainer/apparmor/apparmor.go
-+++ b/libcontainer/apparmor/apparmor.go
-@@ -6,6 +6,8 @@ import (
- 	"fmt"
- 	"io/ioutil"
- 	"os"
-+
-+	"github.com/opencontainers/runc/libcontainer/utils"
- )
- 
- // IsEnabled returns true if apparmor is enabled for the host.
-@@ -19,7 +21,7 @@ func IsEnabled() bool {
- 	return false
- }
- 
-func setprocattr(attr, value string) error {
-+func setProcAttr(attr, value string) error {
- 	// Under AppArmor you can only change your own attr, so use /proc/self/
- 	// instead of /proc/<tid>/ like libapparmor does
- 	path := fmt.Sprintf("/proc/self/attr/%s", attr)
-@@ -30,6 +32,12 @@ func setprocattr(attr, value string) error {
- 	}
- 	defer f.Close()
- 
-+	if ok, err := utils.IsProcHandle(f); err != nil {
-+		return err
-+	} else if !ok {
-+		return fmt.Errorf("%s not on procfs", path)
-+	}
-+
- 	_, err = fmt.Fprintf(f, "%s", value)
- 	return err
- }
-@@ -37,7 +45,7 @@ func setprocattr(attr, value string) error {
- // changeOnExec reimplements aa_change_onexec from libapparmor in Go
- func changeOnExec(name string) error {
- 	value := "exec " + name
-	if err := setprocattr("exec", value); err != nil {
-+	if err := setProcAttr("exec", value); err != nil {
- 		return fmt.Errorf("apparmor failed to apply profile: %s", err)
- 	}
- 	return nil
-diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
-index 7e58e5e00824..d51e35dffb93 100644
--- a/libcontainer/container_linux.go
-+++ b/libcontainer/container_linux.go
-@@ -19,7 +19,7 @@ import (
- 	"syscall" // only for SysProcAttr and Signal
- 	"time"
- 
-	"github.com/cyphar/filepath-securejoin"
-+	securejoin "github.com/cyphar/filepath-securejoin"
- 	"github.com/opencontainers/runc/libcontainer/cgroups"
- 	"github.com/opencontainers/runc/libcontainer/configs"
- 	"github.com/opencontainers/runc/libcontainer/intelrdt"
-@@ -1160,7 +1160,7 @@ func (c *linuxContainer) makeCriuRestoreMountpoints(m *configs.Mount) error {
- 		if err != nil {
- 			return err
- 		}
-		if err := checkMountDestination(c.config.Rootfs, dest); err != nil {
-+		if err := checkProcMount(c.config.Rootfs, dest, ""); err != nil {
- 			return err
- 		}
- 		m.Destination = dest
-diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
-index f13b226e444e..5650b0acbca8 100644
--- a/libcontainer/rootfs_linux.go
-+++ b/libcontainer/rootfs_linux.go
-@@ -13,7 +13,7 @@ import (
- 	"strings"
- 	"time"
- 
-	"github.com/cyphar/filepath-securejoin"
-+	securejoin "github.com/cyphar/filepath-securejoin"
- 	"github.com/mrunalp/fileutils"
- 	"github.com/opencontainers/runc/libcontainer/cgroups"
- 	"github.com/opencontainers/runc/libcontainer/configs"
-@@ -197,7 +197,7 @@ func prepareBindMount(m *configs.Mount, rootfs string) error {
- 	if dest, err = securejoin.SecureJoin(rootfs, m.Destination); err != nil {
- 		return err
- 	}
-	if err := checkMountDestination(rootfs, dest); err != nil {
-+	if err := checkProcMount(rootfs, dest, m.Source); err != nil {
- 		return err
- 	}
- 	// update the mount with the correct dest after symlinks are resolved.
-@@ -388,7 +388,7 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b
- 		if dest, err = securejoin.SecureJoin(rootfs, m.Destination); err != nil {
- 			return err
- 		}
-		if err := checkMountDestination(rootfs, dest); err != nil {
-+		if err := checkProcMount(rootfs, dest, m.Source); err != nil {
- 			return err
- 		}
- 		// update the mount with the correct dest after symlinks are resolved.
-@@ -435,12 +435,12 @@ func getCgroupMounts(m *configs.Mount) ([]*configs.Mount, error) {
- 	return binds, nil
- }
- 
-// checkMountDestination checks to ensure that the mount destination is not over the top of /proc.
-+// checkProcMount checks to ensure that the mount destination is not over the top of /proc.
- // dest is required to be an abs path and have any symlinks resolved before calling this function.
-func checkMountDestination(rootfs, dest string) error {
-	invalidDestinations := []string{
-		"/proc",
-	}
-+//
-+// if source is nil, don't stat the filesystem.  This is used for restore of a checkpoint.
-+func checkProcMount(rootfs, dest, source string) error {
-+	const procPath = "/proc"
- 	// White list, it should be sub directories of invalid destinations
- 	validDestinations := []string{
- 		// These entries can be bind mounted by files emulated by fuse,
-@@ -463,16 +463,40 @@ func checkMountDestination(rootfs, dest string) error {
- 			return nil
- 		}
- 	}
-	for _, invalid := range invalidDestinations {
-		path, err := filepath.Rel(filepath.Join(rootfs, invalid), dest)
-+	path, err := filepath.Rel(filepath.Join(rootfs, procPath), dest)
-+	if err != nil {
-+		return err
-+	}
-+	// pass if the mount path is located outside of /proc
-+	if strings.HasPrefix(path, "..") {
-+		return nil
-+	}
-+	if path == "." {
-+		// an empty source is pasted on restore
-+		if source == "" {
-+			return nil
-+		}
-+		// only allow a mount on-top of proc if it's source is "proc"
-+		isproc, err := isProc(source)
- 		if err != nil {
- 			return err
- 		}
-		if path != "." && !strings.HasPrefix(path, "..") {
-			return fmt.Errorf("%q cannot be mounted because it is located inside %q", dest, invalid)
-+		// pass if the mount is happening on top of /proc and the source of
-+		// the mount is a proc filesystem
-+		if isproc {
-+			return nil
- 		}
-+		return fmt.Errorf("%q cannot be mounted because it is not of type proc", dest)
- 	}
-	return nil
-+	return fmt.Errorf("%q cannot be mounted because it is inside /proc", dest)
-+}
-+
-+func isProc(path string) (bool, error) {
-+	var s unix.Statfs_t
-+	if err := unix.Statfs(path, &s); err != nil {
-+		return false, err
-+	}
-+	return s.Type == unix.PROC_SUPER_MAGIC, nil
- }
- 
- func setupDevSymlinks(rootfs string) error {
-diff --git a/libcontainer/rootfs_linux_test.go b/libcontainer/rootfs_linux_test.go
-index d755984bc0f9..1bfe7c663225 100644
--- a/libcontainer/rootfs_linux_test.go
-+++ b/libcontainer/rootfs_linux_test.go
-@@ -10,7 +10,7 @@ import (
- 
- func TestCheckMountDestOnProc(t *testing.T) {
- 	dest := "/rootfs/proc/sys"
-	err := checkMountDestination("/rootfs", dest)
-+	err := checkProcMount("/rootfs", dest, "")
- 	if err == nil {
- 		t.Fatal("destination inside proc should return an error")
- 	}
-@@ -18,7 +18,7 @@ func TestCheckMountDestOnProc(t *testing.T) {
- 
- func TestCheckMountDestOnProcChroot(t *testing.T) {
- 	dest := "/rootfs/proc/"
-	err := checkMountDestination("/rootfs", dest)
-+	err := checkProcMount("/rootfs", dest, "/proc")
- 	if err != nil {
- 		t.Fatal("destination inside proc when using chroot should not return an error")
- 	}
-@@ -26,7 +26,7 @@ func TestCheckMountDestOnProcChroot(t *testing.T) {
- 
- func TestCheckMountDestInSys(t *testing.T) {
- 	dest := "/rootfs//sys/fs/cgroup"
-	err := checkMountDestination("/rootfs", dest)
-+	err := checkProcMount("/rootfs", dest, "")
- 	if err != nil {
- 		t.Fatal("destination inside /sys should not return an error")
- 	}
-@@ -34,7 +34,7 @@ func TestCheckMountDestInSys(t *testing.T) {
- 
- func TestCheckMountDestFalsePositive(t *testing.T) {
- 	dest := "/rootfs/sysfiles/fs/cgroup"
-	err := checkMountDestination("/rootfs", dest)
-+	err := checkProcMount("/rootfs", dest, "")
- 	if err != nil {
- 		t.Fatal(err)
- 	}
-diff --git a/libcontainer/utils/utils_unix.go b/libcontainer/utils/utils_unix.go
-index c96088988a6d..cac37c449c6a 100644
--- a/libcontainer/utils/utils_unix.go
-+++ b/libcontainer/utils/utils_unix.go
-@@ -3,33 +3,54 @@
- package utils
- 
- import (
-	"io/ioutil"
-+	"fmt"
- 	"os"
- 	"strconv"
- 
- 	"golang.org/x/sys/unix"
- )
- 
-+// IsProcHandle returns whether or not the given file handle is on procfs.
-+func IsProcHandle(fh *os.File) (bool, error) {
-+	var buf unix.Statfs_t
-+	err := unix.Fstatfs(int(fh.Fd()), &buf)
-+	return buf.Type == unix.PROC_SUPER_MAGIC, err
-+}
-+
-+// CloseExecFrom applies O_CLOEXEC to all file descriptors currently open for
-+// the process (except for those below the given fd value).
- func CloseExecFrom(minFd int) error {
-	fdList, err := ioutil.ReadDir("/proc/self/fd")
-+	fdDir, err := os.Open("/proc/self/fd")
- 	if err != nil {
- 		return err
- 	}
-	for _, fi := range fdList {
-		fd, err := strconv.Atoi(fi.Name())
-+	defer fdDir.Close()
-+
-+	if ok, err := IsProcHandle(fdDir); err != nil {
-+		return err
-+	} else if !ok {
-+		return fmt.Errorf("/proc/self/fd not on procfs")
-+	}
-+
-+	fdList, err := fdDir.Readdirnames(-1)
-+	if err != nil {
-+		return err
-+	}
-+	for _, fdStr := range fdList {
-+		fd, err := strconv.Atoi(fdStr)
-+		// Ignore non-numeric file names.
- 		if err != nil {
-			// ignore non-numeric file names
- 			continue
- 		}
-
-+		// Ignore descriptors lower than our specified minimum.
- 		if fd < minFd {
-			// ignore descriptors lower than our specified minimum
- 			continue
- 		}
-
-		// intentionally ignore errors from unix.CloseOnExec
-+		// Intentionally ignore errors from unix.CloseOnExec -- the cases where
-+		// this might fail are basically file descriptors that have already
-+		// been closed (including and especially the one that was created when
-+		// ioutil.ReadDir did the "opendir" syscall).
- 		unix.CloseOnExec(fd)
-		// the cases where this might fail are basically file descriptors that have already been closed (including and especially the one that was created when ioutil.ReadDir did the "opendir" syscall)
- 	}
- 	return nil
- }
-diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
-index d7786c33c197..04e94176daa0 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
-+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
-@@ -18,6 +18,8 @@ import (
- 	"strings"
- 	"sync"
- 	"syscall"
-+
-+	"golang.org/x/sys/unix"
- )
- 
- const (
-@@ -252,6 +254,12 @@ func getSELinuxPolicyRoot() string {
- 	return filepath.Join(selinuxDir, readConfig(selinuxTypeTag))
- }
- 
-+func isProcHandle(fh *os.File) (bool, error) {
-+	var buf unix.Statfs_t
-+	err := unix.Fstatfs(int(fh.Fd()), &buf)
-+	return buf.Type == unix.PROC_SUPER_MAGIC, err
-+}
-+
- func readCon(fpath string) (string, error) {
- 	if fpath == "" {
- 		return "", ErrEmptyPath
-@@ -263,6 +271,12 @@ func readCon(fpath string) (string, error) {
- 	}
- 	defer in.Close()
- 
-+	if ok, err := isProcHandle(in); err != nil {
-+		return "", err
-+	} else if !ok {
-+		return "", fmt.Errorf("%s not on procfs", fpath)
-+	}
-+
- 	var retval string
- 	if _, err := fmt.Fscanf(in, "%s", &retval); err != nil {
- 		return "", err
-@@ -345,6 +359,12 @@ func writeCon(fpath string, val string) error {
- 	}
- 	defer out.Close()
- 
-+	if ok, err := isProcHandle(out); err != nil {
-+		return err
-+	} else if !ok {
-+		return fmt.Errorf("%s not on procfs", fpath)
-+	}
-+
- 	if val != "" {
- 		_, err = out.Write([]byte(val))
- 	} else {
-- 
-2.23.0
-
--- a/runc-1.0.0-rc8.tar.xz
+++ b/runc-1.0.0-rc8.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:5d46f01bca203ae226f107f8e3351211f492d43038af19b8337acffab6c4f576
-size 605828
--- a/runc-1.0.0-rc8.tar.xz.asc
+++ b/runc-1.0.0-rc8.tar.xz.asc
@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQJDBAABCAAtFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAlzBCX4PHGFzYXJhaUBz
-dXNlLmRlAAoJEJ4YqiZ924203EoP+gMcVwgZr/vTP919zc3Ct2g/jy6PVJ8mwAjY
-tyKF3CBBoz4HQZpzPxWrH/eVN0118/7SK2klOqvP/bE18H2Fy3aclaO4Kfv4YfK7
-UV8ejLPCxOzxcb/ZHn0sOStqFRVnnlR1OnCyzM2rd0Jy+w1GelHUSNLGrriPkXA/
-QfR7MEqtITnHmyHvgORdfe/aRzErqXaHvtTQp5spqKF4SGPb+5Dsio1A/cZWiQy6
-XqdD0i5qkzthKkyarxuPuW9FbnLigCYyuJQfJg2sxa32fbQdO23M0FH1s2hTtmDF
-CTmKF4SUpBvGe7EIoX5Jo7+NZK9msi2gnYTPNDHpgvMpB9nbAXERZpi2IrAmUA1F
-c5CwgNOx7nGEy1MYloesYApAQA/lVEnEpmU1mUnNCSM7SjUgOW6bPmPMlww9jcis
-N1qGvQLCMI2TBd3JD89us0qsS0YN5u8KiaXPyW9WKqSEdZliMMPEkf3d7pzyU5un
-EFybWwMVgbNDuj1++KOjTQFHT2g1AhCzkqoqP4aB9g6vgHpO4ThUxTcMVmDGXleB
-FYqSgYNwP5D8NaWj+PcbBExQyqxs6geygRTcbO+r+F0yNyGPet2I/1zDRe7r48TC
-G9BGtNqRkBklieOSmP9zFZG9EWltzoSxy9MsThTSCMEWrt5nuDzVflk8uhYVnYTq
-E9Hb2HPf
-=ZrUD
-----END PGP SIGNATURE-----
--- a/runc-1.0.0-rc9.tar.xz
+++ b/runc-1.0.0-rc9.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2f1c7ebac67c779affe2bb4370bba44b08ed280144ba58c86219186e303832ba
+size 711184
--- a/runc-1.0.0-rc9.tar.xz.asc
+++ b/runc-1.0.0-rc9.tar.xz.asc
@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJDBAABCAAtFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAl2SMNUPHGFzYXJhaUBz
+dXNlLmRlAAoJEJ4YqiZ92420L3MP/jX4BABEWVD2oF5PsqB9MadkngQ85ZfJPr8w
+0g9UcangIIJsx8vSt22qQbWMcyZH5rZ89NPIs6+xoRhRVJWA1ByPJpGnx+/7p25z
+S5hCe753rs51MczvYbRLlWCl4BuHeXsJb+FHvUI70G8WyZNZuS+4bdJTpWWTL8u4
+P/9MTvKWsVp5BdI4k3h/OXD1i4GT/9nZFCKG9wfuBWGwp5po8/Izi+tZ0ZN9RZMG
+Lz2YaS/Z5cP+OSKepyCXXzlhx0+eeQ5NrjK/DQirwA4jzR1NAVKJd6npJSglra6q
+3FGDdNGf+Kod3IaCStnRaZU/gHjJLIWO6rtAQy2aZDB73eHcqG3B9xoPRuWSLzdY
+uJO2xdh/wI69md2qtxBnP2EGZi2y7s5sp2FHbYV8gkBluynak6Ig3WAaewHm9mx1
+NpwIV+YuSoSwb+s+jxGg1y3pV6UaeraYYy1G3Zv+94vj7fIfRpmtRyjhhKU38sOp
+6jjIGLEnXof7tij09sIwZAdRugJUP8aT6xA05/JAo+kT2ooXEAYC3P5OMUhULX7k
+LIflH3Znq/ZFKBH8kKxghQ+Iwy5yzfGiCJd2lWfZ631L5md6WSPtTFabcGhgOc43
+CrF5bU0bkgokyNLqc7y80ou0uGyC3c5f4SB7cf/Jq6Jvo4EgTLWAzYBY5bTZ1zv6
+xl2XtUcX
+=Aezk
+-----END PGP SIGNATURE-----
--- a/runc.changes
+++ b/runc.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Sat Oct  5 11:40:13 UTC 2019 - Aleksa Sarai <asarai@suse.com>
+
+- Upgrade to runc v1.0.0~rc9. Upstream changelog is available from
+  https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc9
+- Remove upstreamed patches:
+  - CVE-2019-16884.patch
+
 -------------------------------------------------------------------
 Thu Sep 26 14:54:07 UTC 2019 - Aleksa Sarai <asarai@suse.com>

--- a/runc.spec
+++ b/runc.spec
@ -24,7 +24,7 @@
 # Package-wide golang version
 %define go_version 1.10
 %define go_tool go
-%define _version 1.0.0-rc8
+%define _version 1.0.0-rc9
 %define project github.com/opencontainers/runc

 # enable libseccomp for sle >= sle12sp2
@ -41,7 +41,7 @@
 %endif

 Name:           runc
-Version:        1.0.0~rc8
+Version:        1.0.0~rc9
 Release:        0
 Summary:        Tool for spawning and running OCI containers
 License:        Apache-2.0
@ -51,11 +51,6 @@ Source0:        https://github.com/opencontainers/runc/releases/download/v%{_ver
 Source1:        https://github.com/opencontainers/runc/releases/download/v%{_version}/runc.tar.xz.asc#/runc-%{_version}.tar.xz.asc
 Source2:        runc.keyring
 Source3:        runc-rpmlintrc
-# FIX-UPSTREAM: Backport of https://github.com/opencontainers/runc/pull/2129.
-#                           https://github.com/opencontainers/selinux/pull/59.
-#                           https://github.com/opencontainers/runc/pull/2130.
-#                           bsc#1152308 CVE-2019-16884
-Patch1:         CVE-2019-16884.patch
 BuildRequires:  fdupes
 BuildRequires:  go-go-md2man
 BuildRequires:  golang(API) = %{go_version}
@ -90,8 +85,6 @@ Test package for runc. It contains the source code and the tests.

 %prep
 %setup -q -n %{name}-%{_version}
-# bsc#1152308 CVE-2019-16884
-%patch1 -p1

 %build
 # Do not use symlinks. If you want to run the unit tests for this package at