From 9c821cca87ae4dccd9fa64506b924ec3a3085c88483221b77addfcf7c7e72b23 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Sat, 5 Oct 2019 11:52:50 +0000 Subject: [PATCH] Accepting request 735404 from home:cyphar:containers:maint - Upgrade to runc v1.0.0~rc9. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc9 - Remove upstreamed patches: - CVE-2019-16884.patch OBS-URL: https://build.opensuse.org/request/show/735404 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=81 --- CVE-2019-16884.patch | 353 -------------------------------------- runc-1.0.0-rc8.tar.xz | 3 - runc-1.0.0-rc8.tar.xz.asc | 17 -- runc-1.0.0-rc9.tar.xz | 3 + runc-1.0.0-rc9.tar.xz.asc | 17 ++ runc.changes | 8 + runc.spec | 11 +- 7 files changed, 30 insertions(+), 382 deletions(-) delete mode 100644 CVE-2019-16884.patch delete mode 100644 runc-1.0.0-rc8.tar.xz delete mode 100644 runc-1.0.0-rc8.tar.xz.asc create mode 100644 runc-1.0.0-rc9.tar.xz create mode 100644 runc-1.0.0-rc9.tar.xz.asc diff --git a/CVE-2019-16884.patch b/CVE-2019-16884.patch deleted file mode 100644 index e3a437c..0000000 --- a/CVE-2019-16884.patch +++ /dev/null @@ -1,353 +0,0 @@ -From 74e43887d1e124b78c6e29876cff65423b8a999a Mon Sep 17 00:00:00 2001 -From: Aleksa Sarai -Date: Mon, 23 Sep 2019 16:45:45 -0400 -Subject: [PATCH] CVE-2019-16884 - -This patch includes a squash of the following upstream patches: - - * 331692baa7af ("Only allow proc mount if it is procfs") - -As well as the following still-in-review patches: - - * opencontainers/runc#2130: - ("*: verify that writes to /proc/... are on procfs") - * opencontainers/selinux#59: - ("selinux: verify that writes to /proc/... are on procfs") - -SUSE-Bugs: bsc#1152308 -Signed-off-by: Michael Crosby -Signed-off-by: Aleksa Sarai ---- - libcontainer/apparmor/apparmor.go | 12 ++++- - libcontainer/container_linux.go | 4 +- - libcontainer/rootfs_linux.go | 50 ++++++++++++++----- - libcontainer/rootfs_linux_test.go | 8 +-- - libcontainer/utils/utils_unix.go | 41 +++++++++++---- - .../selinux/go-selinux/selinux_linux.go | 20 ++++++++ - 6 files changed, 104 insertions(+), 31 deletions(-) - -diff --git a/libcontainer/apparmor/apparmor.go b/libcontainer/apparmor/apparmor.go -index 7fff0627fa1b..a482269141b6 100644 ---- a/libcontainer/apparmor/apparmor.go -+++ b/libcontainer/apparmor/apparmor.go -@@ -6,6 +6,8 @@ import ( - "fmt" - "io/ioutil" - "os" -+ -+ "github.com/opencontainers/runc/libcontainer/utils" - ) - - // IsEnabled returns true if apparmor is enabled for the host. -@@ -19,7 +21,7 @@ func IsEnabled() bool { - return false - } - --func setprocattr(attr, value string) error { -+func setProcAttr(attr, value string) error { - // Under AppArmor you can only change your own attr, so use /proc/self/ - // instead of /proc// like libapparmor does - path := fmt.Sprintf("/proc/self/attr/%s", attr) -@@ -30,6 +32,12 @@ func setprocattr(attr, value string) error { - } - defer f.Close() - -+ if ok, err := utils.IsProcHandle(f); err != nil { -+ return err -+ } else if !ok { -+ return fmt.Errorf("%s not on procfs", path) -+ } -+ - _, err = fmt.Fprintf(f, "%s", value) - return err - } -@@ -37,7 +45,7 @@ func setprocattr(attr, value string) error { - // changeOnExec reimplements aa_change_onexec from libapparmor in Go - func changeOnExec(name string) error { - value := "exec " + name -- if err := setprocattr("exec", value); err != nil { -+ if err := setProcAttr("exec", value); err != nil { - return fmt.Errorf("apparmor failed to apply profile: %s", err) - } - return nil -diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go -index 7e58e5e00824..d51e35dffb93 100644 ---- a/libcontainer/container_linux.go -+++ b/libcontainer/container_linux.go -@@ -19,7 +19,7 @@ import ( - "syscall" // only for SysProcAttr and Signal - "time" - -- "github.com/cyphar/filepath-securejoin" -+ securejoin "github.com/cyphar/filepath-securejoin" - "github.com/opencontainers/runc/libcontainer/cgroups" - "github.com/opencontainers/runc/libcontainer/configs" - "github.com/opencontainers/runc/libcontainer/intelrdt" -@@ -1160,7 +1160,7 @@ func (c *linuxContainer) makeCriuRestoreMountpoints(m *configs.Mount) error { - if err != nil { - return err - } -- if err := checkMountDestination(c.config.Rootfs, dest); err != nil { -+ if err := checkProcMount(c.config.Rootfs, dest, ""); err != nil { - return err - } - m.Destination = dest -diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go -index f13b226e444e..5650b0acbca8 100644 ---- a/libcontainer/rootfs_linux.go -+++ b/libcontainer/rootfs_linux.go -@@ -13,7 +13,7 @@ import ( - "strings" - "time" - -- "github.com/cyphar/filepath-securejoin" -+ securejoin "github.com/cyphar/filepath-securejoin" - "github.com/mrunalp/fileutils" - "github.com/opencontainers/runc/libcontainer/cgroups" - "github.com/opencontainers/runc/libcontainer/configs" -@@ -197,7 +197,7 @@ func prepareBindMount(m *configs.Mount, rootfs string) error { - if dest, err = securejoin.SecureJoin(rootfs, m.Destination); err != nil { - return err - } -- if err := checkMountDestination(rootfs, dest); err != nil { -+ if err := checkProcMount(rootfs, dest, m.Source); err != nil { - return err - } - // update the mount with the correct dest after symlinks are resolved. -@@ -388,7 +388,7 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b - if dest, err = securejoin.SecureJoin(rootfs, m.Destination); err != nil { - return err - } -- if err := checkMountDestination(rootfs, dest); err != nil { -+ if err := checkProcMount(rootfs, dest, m.Source); err != nil { - return err - } - // update the mount with the correct dest after symlinks are resolved. -@@ -435,12 +435,12 @@ func getCgroupMounts(m *configs.Mount) ([]*configs.Mount, error) { - return binds, nil - } - --// checkMountDestination checks to ensure that the mount destination is not over the top of /proc. -+// checkProcMount checks to ensure that the mount destination is not over the top of /proc. - // dest is required to be an abs path and have any symlinks resolved before calling this function. --func checkMountDestination(rootfs, dest string) error { -- invalidDestinations := []string{ -- "/proc", -- } -+// -+// if source is nil, don't stat the filesystem. This is used for restore of a checkpoint. -+func checkProcMount(rootfs, dest, source string) error { -+ const procPath = "/proc" - // White list, it should be sub directories of invalid destinations - validDestinations := []string{ - // These entries can be bind mounted by files emulated by fuse, -@@ -463,16 +463,40 @@ func checkMountDestination(rootfs, dest string) error { - return nil - } - } -- for _, invalid := range invalidDestinations { -- path, err := filepath.Rel(filepath.Join(rootfs, invalid), dest) -+ path, err := filepath.Rel(filepath.Join(rootfs, procPath), dest) -+ if err != nil { -+ return err -+ } -+ // pass if the mount path is located outside of /proc -+ if strings.HasPrefix(path, "..") { -+ return nil -+ } -+ if path == "." { -+ // an empty source is pasted on restore -+ if source == "" { -+ return nil -+ } -+ // only allow a mount on-top of proc if it's source is "proc" -+ isproc, err := isProc(source) - if err != nil { - return err - } -- if path != "." && !strings.HasPrefix(path, "..") { -- return fmt.Errorf("%q cannot be mounted because it is located inside %q", dest, invalid) -+ // pass if the mount is happening on top of /proc and the source of -+ // the mount is a proc filesystem -+ if isproc { -+ return nil - } -+ return fmt.Errorf("%q cannot be mounted because it is not of type proc", dest) - } -- return nil -+ return fmt.Errorf("%q cannot be mounted because it is inside /proc", dest) -+} -+ -+func isProc(path string) (bool, error) { -+ var s unix.Statfs_t -+ if err := unix.Statfs(path, &s); err != nil { -+ return false, err -+ } -+ return s.Type == unix.PROC_SUPER_MAGIC, nil - } - - func setupDevSymlinks(rootfs string) error { -diff --git a/libcontainer/rootfs_linux_test.go b/libcontainer/rootfs_linux_test.go -index d755984bc0f9..1bfe7c663225 100644 ---- a/libcontainer/rootfs_linux_test.go -+++ b/libcontainer/rootfs_linux_test.go -@@ -10,7 +10,7 @@ import ( - - func TestCheckMountDestOnProc(t *testing.T) { - dest := "/rootfs/proc/sys" -- err := checkMountDestination("/rootfs", dest) -+ err := checkProcMount("/rootfs", dest, "") - if err == nil { - t.Fatal("destination inside proc should return an error") - } -@@ -18,7 +18,7 @@ func TestCheckMountDestOnProc(t *testing.T) { - - func TestCheckMountDestOnProcChroot(t *testing.T) { - dest := "/rootfs/proc/" -- err := checkMountDestination("/rootfs", dest) -+ err := checkProcMount("/rootfs", dest, "/proc") - if err != nil { - t.Fatal("destination inside proc when using chroot should not return an error") - } -@@ -26,7 +26,7 @@ func TestCheckMountDestOnProcChroot(t *testing.T) { - - func TestCheckMountDestInSys(t *testing.T) { - dest := "/rootfs//sys/fs/cgroup" -- err := checkMountDestination("/rootfs", dest) -+ err := checkProcMount("/rootfs", dest, "") - if err != nil { - t.Fatal("destination inside /sys should not return an error") - } -@@ -34,7 +34,7 @@ func TestCheckMountDestInSys(t *testing.T) { - - func TestCheckMountDestFalsePositive(t *testing.T) { - dest := "/rootfs/sysfiles/fs/cgroup" -- err := checkMountDestination("/rootfs", dest) -+ err := checkProcMount("/rootfs", dest, "") - if err != nil { - t.Fatal(err) - } -diff --git a/libcontainer/utils/utils_unix.go b/libcontainer/utils/utils_unix.go -index c96088988a6d..cac37c449c6a 100644 ---- a/libcontainer/utils/utils_unix.go -+++ b/libcontainer/utils/utils_unix.go -@@ -3,33 +3,54 @@ - package utils - - import ( -- "io/ioutil" -+ "fmt" - "os" - "strconv" - - "golang.org/x/sys/unix" - ) - -+// IsProcHandle returns whether or not the given file handle is on procfs. -+func IsProcHandle(fh *os.File) (bool, error) { -+ var buf unix.Statfs_t -+ err := unix.Fstatfs(int(fh.Fd()), &buf) -+ return buf.Type == unix.PROC_SUPER_MAGIC, err -+} -+ -+// CloseExecFrom applies O_CLOEXEC to all file descriptors currently open for -+// the process (except for those below the given fd value). - func CloseExecFrom(minFd int) error { -- fdList, err := ioutil.ReadDir("/proc/self/fd") -+ fdDir, err := os.Open("/proc/self/fd") - if err != nil { - return err - } -- for _, fi := range fdList { -- fd, err := strconv.Atoi(fi.Name()) -+ defer fdDir.Close() -+ -+ if ok, err := IsProcHandle(fdDir); err != nil { -+ return err -+ } else if !ok { -+ return fmt.Errorf("/proc/self/fd not on procfs") -+ } -+ -+ fdList, err := fdDir.Readdirnames(-1) -+ if err != nil { -+ return err -+ } -+ for _, fdStr := range fdList { -+ fd, err := strconv.Atoi(fdStr) -+ // Ignore non-numeric file names. - if err != nil { -- // ignore non-numeric file names - continue - } -- -+ // Ignore descriptors lower than our specified minimum. - if fd < minFd { -- // ignore descriptors lower than our specified minimum - continue - } -- -- // intentionally ignore errors from unix.CloseOnExec -+ // Intentionally ignore errors from unix.CloseOnExec -- the cases where -+ // this might fail are basically file descriptors that have already -+ // been closed (including and especially the one that was created when -+ // ioutil.ReadDir did the "opendir" syscall). - unix.CloseOnExec(fd) -- // the cases where this might fail are basically file descriptors that have already been closed (including and especially the one that was created when ioutil.ReadDir did the "opendir" syscall) - } - return nil - } -diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go -index d7786c33c197..04e94176daa0 100644 ---- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go -+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go -@@ -18,6 +18,8 @@ import ( - "strings" - "sync" - "syscall" -+ -+ "golang.org/x/sys/unix" - ) - - const ( -@@ -252,6 +254,12 @@ func getSELinuxPolicyRoot() string { - return filepath.Join(selinuxDir, readConfig(selinuxTypeTag)) - } - -+func isProcHandle(fh *os.File) (bool, error) { -+ var buf unix.Statfs_t -+ err := unix.Fstatfs(int(fh.Fd()), &buf) -+ return buf.Type == unix.PROC_SUPER_MAGIC, err -+} -+ - func readCon(fpath string) (string, error) { - if fpath == "" { - return "", ErrEmptyPath -@@ -263,6 +271,12 @@ func readCon(fpath string) (string, error) { - } - defer in.Close() - -+ if ok, err := isProcHandle(in); err != nil { -+ return "", err -+ } else if !ok { -+ return "", fmt.Errorf("%s not on procfs", fpath) -+ } -+ - var retval string - if _, err := fmt.Fscanf(in, "%s", &retval); err != nil { - return "", err -@@ -345,6 +359,12 @@ func writeCon(fpath string, val string) error { - } - defer out.Close() - -+ if ok, err := isProcHandle(out); err != nil { -+ return err -+ } else if !ok { -+ return fmt.Errorf("%s not on procfs", fpath) -+ } -+ - if val != "" { - _, err = out.Write([]byte(val)) - } else { --- -2.23.0 - diff --git a/runc-1.0.0-rc8.tar.xz b/runc-1.0.0-rc8.tar.xz deleted file mode 100644 index aa2af22..0000000 --- a/runc-1.0.0-rc8.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:5d46f01bca203ae226f107f8e3351211f492d43038af19b8337acffab6c4f576 -size 605828 diff --git a/runc-1.0.0-rc8.tar.xz.asc b/runc-1.0.0-rc8.tar.xz.asc deleted file mode 100644 index 1a77cdd..0000000 --- a/runc-1.0.0-rc8.tar.xz.asc +++ /dev/null @@ -1,17 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQJDBAABCAAtFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAlzBCX4PHGFzYXJhaUBz -dXNlLmRlAAoJEJ4YqiZ924203EoP+gMcVwgZr/vTP919zc3Ct2g/jy6PVJ8mwAjY -tyKF3CBBoz4HQZpzPxWrH/eVN0118/7SK2klOqvP/bE18H2Fy3aclaO4Kfv4YfK7 -UV8ejLPCxOzxcb/ZHn0sOStqFRVnnlR1OnCyzM2rd0Jy+w1GelHUSNLGrriPkXA/ -QfR7MEqtITnHmyHvgORdfe/aRzErqXaHvtTQp5spqKF4SGPb+5Dsio1A/cZWiQy6 -XqdD0i5qkzthKkyarxuPuW9FbnLigCYyuJQfJg2sxa32fbQdO23M0FH1s2hTtmDF -CTmKF4SUpBvGe7EIoX5Jo7+NZK9msi2gnYTPNDHpgvMpB9nbAXERZpi2IrAmUA1F -c5CwgNOx7nGEy1MYloesYApAQA/lVEnEpmU1mUnNCSM7SjUgOW6bPmPMlww9jcis -N1qGvQLCMI2TBd3JD89us0qsS0YN5u8KiaXPyW9WKqSEdZliMMPEkf3d7pzyU5un -EFybWwMVgbNDuj1++KOjTQFHT2g1AhCzkqoqP4aB9g6vgHpO4ThUxTcMVmDGXleB -FYqSgYNwP5D8NaWj+PcbBExQyqxs6geygRTcbO+r+F0yNyGPet2I/1zDRe7r48TC -G9BGtNqRkBklieOSmP9zFZG9EWltzoSxy9MsThTSCMEWrt5nuDzVflk8uhYVnYTq -E9Hb2HPf -=ZrUD ------END PGP SIGNATURE----- diff --git a/runc-1.0.0-rc9.tar.xz b/runc-1.0.0-rc9.tar.xz new file mode 100644 index 0000000..081bbe4 --- /dev/null +++ b/runc-1.0.0-rc9.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2f1c7ebac67c779affe2bb4370bba44b08ed280144ba58c86219186e303832ba +size 711184 diff --git a/runc-1.0.0-rc9.tar.xz.asc b/runc-1.0.0-rc9.tar.xz.asc new file mode 100644 index 0000000..26eb25b --- /dev/null +++ b/runc-1.0.0-rc9.tar.xz.asc @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- + +iQJDBAABCAAtFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAl2SMNUPHGFzYXJhaUBz +dXNlLmRlAAoJEJ4YqiZ92420L3MP/jX4BABEWVD2oF5PsqB9MadkngQ85ZfJPr8w +0g9UcangIIJsx8vSt22qQbWMcyZH5rZ89NPIs6+xoRhRVJWA1ByPJpGnx+/7p25z +S5hCe753rs51MczvYbRLlWCl4BuHeXsJb+FHvUI70G8WyZNZuS+4bdJTpWWTL8u4 +P/9MTvKWsVp5BdI4k3h/OXD1i4GT/9nZFCKG9wfuBWGwp5po8/Izi+tZ0ZN9RZMG +Lz2YaS/Z5cP+OSKepyCXXzlhx0+eeQ5NrjK/DQirwA4jzR1NAVKJd6npJSglra6q +3FGDdNGf+Kod3IaCStnRaZU/gHjJLIWO6rtAQy2aZDB73eHcqG3B9xoPRuWSLzdY +uJO2xdh/wI69md2qtxBnP2EGZi2y7s5sp2FHbYV8gkBluynak6Ig3WAaewHm9mx1 +NpwIV+YuSoSwb+s+jxGg1y3pV6UaeraYYy1G3Zv+94vj7fIfRpmtRyjhhKU38sOp +6jjIGLEnXof7tij09sIwZAdRugJUP8aT6xA05/JAo+kT2ooXEAYC3P5OMUhULX7k +LIflH3Znq/ZFKBH8kKxghQ+Iwy5yzfGiCJd2lWfZ631L5md6WSPtTFabcGhgOc43 +CrF5bU0bkgokyNLqc7y80ou0uGyC3c5f4SB7cf/Jq6Jvo4EgTLWAzYBY5bTZ1zv6 +xl2XtUcX +=Aezk +-----END PGP SIGNATURE----- diff --git a/runc.changes b/runc.changes index fdf5286..e112ae2 100644 --- a/runc.changes +++ b/runc.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Sat Oct 5 11:40:13 UTC 2019 - Aleksa Sarai + +- Upgrade to runc v1.0.0~rc9. Upstream changelog is available from + https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc9 +- Remove upstreamed patches: + - CVE-2019-16884.patch + ------------------------------------------------------------------- Thu Sep 26 14:54:07 UTC 2019 - Aleksa Sarai diff --git a/runc.spec b/runc.spec index 00d69aa..5e7cbc2 100644 --- a/runc.spec +++ b/runc.spec @@ -24,7 +24,7 @@ # Package-wide golang version %define go_version 1.10 %define go_tool go -%define _version 1.0.0-rc8 +%define _version 1.0.0-rc9 %define project github.com/opencontainers/runc # enable libseccomp for sle >= sle12sp2 @@ -41,7 +41,7 @@ %endif Name: runc -Version: 1.0.0~rc8 +Version: 1.0.0~rc9 Release: 0 Summary: Tool for spawning and running OCI containers License: Apache-2.0 @@ -51,11 +51,6 @@ Source0: https://github.com/opencontainers/runc/releases/download/v%{_ver Source1: https://github.com/opencontainers/runc/releases/download/v%{_version}/runc.tar.xz.asc#/runc-%{_version}.tar.xz.asc Source2: runc.keyring Source3: runc-rpmlintrc -# FIX-UPSTREAM: Backport of https://github.com/opencontainers/runc/pull/2129. -# https://github.com/opencontainers/selinux/pull/59. -# https://github.com/opencontainers/runc/pull/2130. -# bsc#1152308 CVE-2019-16884 -Patch1: CVE-2019-16884.patch BuildRequires: fdupes BuildRequires: go-go-md2man BuildRequires: golang(API) = %{go_version} @@ -90,8 +85,6 @@ Test package for runc. It contains the source code and the tests. %prep %setup -q -n %{name}-%{_version} -# bsc#1152308 CVE-2019-16884 -%patch1 -p1 %build # Do not use symlinks. If you want to run the unit tests for this package at