Accepting request 735404 from home:cyphar:containers:maint

- Upgrade to runc v1.0.0~rc9. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc9 - Remove upstreamed patches: - CVE-2019-16884.patch OBS-URL: https://build.opensuse.org/request/show/735404 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=81
2019-10-05 11:52:50 +00:00 · 2019-10-05 11:52:50 +00:00 · 9c821cca87
commit 9c821cca87
parent 2606526c7c
7 changed files with 30 additions and 382 deletions
--- a/CVE-2019-16884.patch
+++ b/CVE-2019-16884.patch
@ -1,353 +0,0 @@
 From 74e43887d1e124b78c6e29876cff65423b8a999a Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Mon, 23 Sep 2019 16:45:45 -0400
 Subject: [PATCH] CVE-2019-16884
 This patch includes a squash of the following upstream patches:
 * 331692baa7af ("Only allow proc mount if it is procfs")
 As well as the following still-in-review patches:
 * opencontainers/runc#2130:
   ("*: verify that writes to /proc/... are on procfs")
 * opencontainers/selinux#59:
   ("selinux: verify that writes to /proc/... are on procfs")
 SUSE-Bugs: bsc#1152308
 Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
 Signed-off-by: Aleksa Sarai <asarai@suse.de>
 ---
 libcontainer/apparmor/apparmor.go             | 12 ++++-
 libcontainer/container_linux.go               |  4 +-
 libcontainer/rootfs_linux.go                  | 50 ++++++++++++++-----
 libcontainer/rootfs_linux_test.go             |  8 +--
 libcontainer/utils/utils_unix.go              | 41 +++++++++++----
 .../selinux/go-selinux/selinux_linux.go       | 20 ++++++++
 6 files changed, 104 insertions(+), 31 deletions(-)
 diff --git a/libcontainer/apparmor/apparmor.go b/libcontainer/apparmor/apparmor.go
 index 7fff0627fa1b..a482269141b6 100644
 --- a/libcontainer/apparmor/apparmor.go
 +++ b/libcontainer/apparmor/apparmor.go
@@ -6,6 +6,8 @@ import (
 	"fmt"
 	"io/ioutil"
 	"os"
 +
 +	"github.com/opencontainers/runc/libcontainer/utils"
 )
 // IsEnabled returns true if apparmor is enabled for the host.
@@ -19,7 +21,7 @@ func IsEnabled() bool {
 	return false
 }
 -func setprocattr(attr, value string) error {
 +func setProcAttr(attr, value string) error {
 	// Under AppArmor you can only change your own attr, so use /proc/self/
 	// instead of /proc/<tid>/ like libapparmor does
 	path := fmt.Sprintf("/proc/self/attr/%s", attr)
@@ -30,6 +32,12 @@ func setprocattr(attr, value string) error {
 	}
 	defer f.Close()
 +	if ok, err := utils.IsProcHandle(f); err != nil {
 +		return err
 +	} else if !ok {
 +		return fmt.Errorf("%s not on procfs", path)
 +	}
 +
 	_, err = fmt.Fprintf(f, "%s", value)
 	return err
 }
@@ -37,7 +45,7 @@ func setprocattr(attr, value string) error {
 // changeOnExec reimplements aa_change_onexec from libapparmor in Go
 func changeOnExec(name string) error {
 	value := "exec " + name
 -	if err := setprocattr("exec", value); err != nil {
 +	if err := setProcAttr("exec", value); err != nil {
 		return fmt.Errorf("apparmor failed to apply profile: %s", err)
 	}
 	return nil
 diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
 index 7e58e5e00824..d51e35dffb93 100644
 --- a/libcontainer/container_linux.go
 +++ b/libcontainer/container_linux.go
@@ -19,7 +19,7 @@ import (
 	"syscall" // only for SysProcAttr and Signal
 	"time"
 -	"github.com/cyphar/filepath-securejoin"
 +	securejoin "github.com/cyphar/filepath-securejoin"
 	"github.com/opencontainers/runc/libcontainer/cgroups"
 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/opencontainers/runc/libcontainer/intelrdt"
@@ -1160,7 +1160,7 @@ func (c *linuxContainer) makeCriuRestoreMountpoints(m *configs.Mount) error {
 		if err != nil {
 			return err
 		}
 -		if err := checkMountDestination(c.config.Rootfs, dest); err != nil {
 +		if err := checkProcMount(c.config.Rootfs, dest, ""); err != nil {
 			return err
 		}
 		m.Destination = dest
 diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
 index f13b226e444e..5650b0acbca8 100644
 --- a/libcontainer/rootfs_linux.go
 +++ b/libcontainer/rootfs_linux.go
@@ -13,7 +13,7 @@ import (
 	"strings"
 	"time"
 -	"github.com/cyphar/filepath-securejoin"
 +	securejoin "github.com/cyphar/filepath-securejoin"
 	"github.com/mrunalp/fileutils"
 	"github.com/opencontainers/runc/libcontainer/cgroups"
 	"github.com/opencontainers/runc/libcontainer/configs"
@@ -197,7 +197,7 @@ func prepareBindMount(m *configs.Mount, rootfs string) error {
 	if dest, err = securejoin.SecureJoin(rootfs, m.Destination); err != nil {
 		return err
 	}
 -	if err := checkMountDestination(rootfs, dest); err != nil {
 +	if err := checkProcMount(rootfs, dest, m.Source); err != nil {
 		return err
 	}
 	// update the mount with the correct dest after symlinks are resolved.
@@ -388,7 +388,7 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b
 		if dest, err = securejoin.SecureJoin(rootfs, m.Destination); err != nil {
 			return err
 		}
 -		if err := checkMountDestination(rootfs, dest); err != nil {
 +		if err := checkProcMount(rootfs, dest, m.Source); err != nil {
 			return err
 		}
 		// update the mount with the correct dest after symlinks are resolved.
@@ -435,12 +435,12 @@ func getCgroupMounts(m *configs.Mount) ([]*configs.Mount, error) {
 	return binds, nil
 }
 -// checkMountDestination checks to ensure that the mount destination is not over the top of /proc.
 +// checkProcMount checks to ensure that the mount destination is not over the top of /proc.
 // dest is required to be an abs path and have any symlinks resolved before calling this function.
 -func checkMountDestination(rootfs, dest string) error {
 -	invalidDestinations := []string{
 -		"/proc",
 -	}
 +//
 +// if source is nil, don't stat the filesystem.  This is used for restore of a checkpoint.
 +func checkProcMount(rootfs, dest, source string) error {
 +	const procPath = "/proc"
 	// White list, it should be sub directories of invalid destinations
 	validDestinations := []string{
 		// These entries can be bind mounted by files emulated by fuse,
@@ -463,16 +463,40 @@ func checkMountDestination(rootfs, dest string) error {
 			return nil
 		}
 	}
 -	for _, invalid := range invalidDestinations {
 -		path, err := filepath.Rel(filepath.Join(rootfs, invalid), dest)
 +	path, err := filepath.Rel(filepath.Join(rootfs, procPath), dest)
 +	if err != nil {
 +		return err
 +	}
 +	// pass if the mount path is located outside of /proc
 +	if strings.HasPrefix(path, "..") {
 +		return nil
 +	}
 +	if path == "." {
 +		// an empty source is pasted on restore
 +		if source == "" {
 +			return nil
 +		}
 +		// only allow a mount on-top of proc if it's source is "proc"
 +		isproc, err := isProc(source)
 		if err != nil {
 			return err
 		}
 -		if path != "." && !strings.HasPrefix(path, "..") {
 -			return fmt.Errorf("%q cannot be mounted because it is located inside %q", dest, invalid)
 +		// pass if the mount is happening on top of /proc and the source of
 +		// the mount is a proc filesystem
 +		if isproc {
 +			return nil
 		}
 +		return fmt.Errorf("%q cannot be mounted because it is not of type proc", dest)
 	}
 -	return nil
 +	return fmt.Errorf("%q cannot be mounted because it is inside /proc", dest)
 +}
 +
 +func isProc(path string) (bool, error) {
 +	var s unix.Statfs_t
 +	if err := unix.Statfs(path, &s); err != nil {
 +		return false, err
 +	}
 +	return s.Type == unix.PROC_SUPER_MAGIC, nil
 }
 func setupDevSymlinks(rootfs string) error {
 diff --git a/libcontainer/rootfs_linux_test.go b/libcontainer/rootfs_linux_test.go
 index d755984bc0f9..1bfe7c663225 100644
 --- a/libcontainer/rootfs_linux_test.go
 +++ b/libcontainer/rootfs_linux_test.go
@@ -10,7 +10,7 @@ import (
 func TestCheckMountDestOnProc(t *testing.T) {
 	dest := "/rootfs/proc/sys"
 -	err := checkMountDestination("/rootfs", dest)
 +	err := checkProcMount("/rootfs", dest, "")
 	if err == nil {
 		t.Fatal("destination inside proc should return an error")
 	}
@@ -18,7 +18,7 @@ func TestCheckMountDestOnProc(t *testing.T) {
 func TestCheckMountDestOnProcChroot(t *testing.T) {
 	dest := "/rootfs/proc/"
 -	err := checkMountDestination("/rootfs", dest)
 +	err := checkProcMount("/rootfs", dest, "/proc")
 	if err != nil {
 		t.Fatal("destination inside proc when using chroot should not return an error")
 	}
@@ -26,7 +26,7 @@ func TestCheckMountDestOnProcChroot(t *testing.T) {
 func TestCheckMountDestInSys(t *testing.T) {
 	dest := "/rootfs//sys/fs/cgroup"
 -	err := checkMountDestination("/rootfs", dest)
 +	err := checkProcMount("/rootfs", dest, "")
 	if err != nil {
 		t.Fatal("destination inside /sys should not return an error")
 	}
@@ -34,7 +34,7 @@ func TestCheckMountDestInSys(t *testing.T) {
 func TestCheckMountDestFalsePositive(t *testing.T) {
 	dest := "/rootfs/sysfiles/fs/cgroup"
 -	err := checkMountDestination("/rootfs", dest)
 +	err := checkProcMount("/rootfs", dest, "")
 	if err != nil {
 		t.Fatal(err)
 	}
 diff --git a/libcontainer/utils/utils_unix.go b/libcontainer/utils/utils_unix.go
 index c96088988a6d..cac37c449c6a 100644
 --- a/libcontainer/utils/utils_unix.go
 +++ b/libcontainer/utils/utils_unix.go
@@ -3,33 +3,54 @@
 package utils
 import (
 -	"io/ioutil"
 +	"fmt"
 	"os"
 	"strconv"
 	"golang.org/x/sys/unix"
 )
 +// IsProcHandle returns whether or not the given file handle is on procfs.
 +func IsProcHandle(fh *os.File) (bool, error) {
 +	var buf unix.Statfs_t
 +	err := unix.Fstatfs(int(fh.Fd()), &buf)
 +	return buf.Type == unix.PROC_SUPER_MAGIC, err
 +}
 +
 +// CloseExecFrom applies O_CLOEXEC to all file descriptors currently open for
 +// the process (except for those below the given fd value).
 func CloseExecFrom(minFd int) error {
 -	fdList, err := ioutil.ReadDir("/proc/self/fd")
 +	fdDir, err := os.Open("/proc/self/fd")
 	if err != nil {
 		return err
 	}
 -	for _, fi := range fdList {
 -		fd, err := strconv.Atoi(fi.Name())
 +	defer fdDir.Close()
 +
 +	if ok, err := IsProcHandle(fdDir); err != nil {
 +		return err
 +	} else if !ok {
 +		return fmt.Errorf("/proc/self/fd not on procfs")
 +	}
 +
 +	fdList, err := fdDir.Readdirnames(-1)
 +	if err != nil {
 +		return err
 +	}
 +	for _, fdStr := range fdList {
 +		fd, err := strconv.Atoi(fdStr)
 +		// Ignore non-numeric file names.
 		if err != nil {
 -			// ignore non-numeric file names
 			continue
 		}
 -
 +		// Ignore descriptors lower than our specified minimum.
 		if fd < minFd {
 -			// ignore descriptors lower than our specified minimum
 			continue
 		}
 -
 -		// intentionally ignore errors from unix.CloseOnExec
 +		// Intentionally ignore errors from unix.CloseOnExec -- the cases where
 +		// this might fail are basically file descriptors that have already
 +		// been closed (including and especially the one that was created when
 +		// ioutil.ReadDir did the "opendir" syscall).
 		unix.CloseOnExec(fd)
 -		// the cases where this might fail are basically file descriptors that have already been closed (including and especially the one that was created when ioutil.ReadDir did the "opendir" syscall)
 	}
 	return nil
 }
 diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
 index d7786c33c197..04e94176daa0 100644
 --- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
 +++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
@@ -18,6 +18,8 @@ import (
 	"strings"
 	"sync"
 	"syscall"
 +
 +	"golang.org/x/sys/unix"
 )
 const (
@@ -252,6 +254,12 @@ func getSELinuxPolicyRoot() string {
 	return filepath.Join(selinuxDir, readConfig(selinuxTypeTag))
 }
 +func isProcHandle(fh *os.File) (bool, error) {
 +	var buf unix.Statfs_t
 +	err := unix.Fstatfs(int(fh.Fd()), &buf)
 +	return buf.Type == unix.PROC_SUPER_MAGIC, err
 +}
 +
 func readCon(fpath string) (string, error) {
 	if fpath == "" {
 		return "", ErrEmptyPath
@@ -263,6 +271,12 @@ func readCon(fpath string) (string, error) {
 	}
 	defer in.Close()
 +	if ok, err := isProcHandle(in); err != nil {
 +		return "", err
 +	} else if !ok {
 +		return "", fmt.Errorf("%s not on procfs", fpath)
 +	}
 +
 	var retval string
 	if _, err := fmt.Fscanf(in, "%s", &retval); err != nil {
 		return "", err
@@ -345,6 +359,12 @@ func writeCon(fpath string, val string) error {
 	}
 	defer out.Close()
 +	if ok, err := isProcHandle(out); err != nil {
 +		return err
 +	} else if !ok {
 +		return fmt.Errorf("%s not on procfs", fpath)
 +	}
 +
 	if val != "" {
 		_, err = out.Write([]byte(val))
 	} else {
 -- 
 2.23.0
--- a/runc-1.0.0-rc8.tar.xz
+++ b/runc-1.0.0-rc8.tar.xz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:5d46f01bca203ae226f107f8e3351211f492d43038af19b8337acffab6c4f576
 size 605828
--- a/runc-1.0.0-rc8.tar.xz.asc
+++ b/runc-1.0.0-rc8.tar.xz.asc
@ -1,17 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQJDBAABCAAtFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAlzBCX4PHGFzYXJhaUBz
 dXNlLmRlAAoJEJ4YqiZ924203EoP+gMcVwgZr/vTP919zc3Ct2g/jy6PVJ8mwAjY
 tyKF3CBBoz4HQZpzPxWrH/eVN0118/7SK2klOqvP/bE18H2Fy3aclaO4Kfv4YfK7
 UV8ejLPCxOzxcb/ZHn0sOStqFRVnnlR1OnCyzM2rd0Jy+w1GelHUSNLGrriPkXA/
 QfR7MEqtITnHmyHvgORdfe/aRzErqXaHvtTQp5spqKF4SGPb+5Dsio1A/cZWiQy6
 XqdD0i5qkzthKkyarxuPuW9FbnLigCYyuJQfJg2sxa32fbQdO23M0FH1s2hTtmDF
 CTmKF4SUpBvGe7EIoX5Jo7+NZK9msi2gnYTPNDHpgvMpB9nbAXERZpi2IrAmUA1F
 c5CwgNOx7nGEy1MYloesYApAQA/lVEnEpmU1mUnNCSM7SjUgOW6bPmPMlww9jcis
 N1qGvQLCMI2TBd3JD89us0qsS0YN5u8KiaXPyW9WKqSEdZliMMPEkf3d7pzyU5un
 EFybWwMVgbNDuj1++KOjTQFHT2g1AhCzkqoqP4aB9g6vgHpO4ThUxTcMVmDGXleB
 FYqSgYNwP5D8NaWj+PcbBExQyqxs6geygRTcbO+r+F0yNyGPet2I/1zDRe7r48TC
 G9BGtNqRkBklieOSmP9zFZG9EWltzoSxy9MsThTSCMEWrt5nuDzVflk8uhYVnYTq
 E9Hb2HPf
 =ZrUD
 -----END PGP SIGNATURE-----
--- a/runc-1.0.0-rc9.tar.xz
+++ b/runc-1.0.0-rc9.tar.xz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:2f1c7ebac67c779affe2bb4370bba44b08ed280144ba58c86219186e303832ba
 size 711184
--- a/runc-1.0.0-rc9.tar.xz.asc
+++ b/runc-1.0.0-rc9.tar.xz.asc
@ -0,0 +1,17 @@
 -----BEGIN PGP SIGNATURE-----
 iQJDBAABCAAtFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAl2SMNUPHGFzYXJhaUBz
 dXNlLmRlAAoJEJ4YqiZ92420L3MP/jX4BABEWVD2oF5PsqB9MadkngQ85ZfJPr8w
 0g9UcangIIJsx8vSt22qQbWMcyZH5rZ89NPIs6+xoRhRVJWA1ByPJpGnx+/7p25z
 S5hCe753rs51MczvYbRLlWCl4BuHeXsJb+FHvUI70G8WyZNZuS+4bdJTpWWTL8u4
 P/9MTvKWsVp5BdI4k3h/OXD1i4GT/9nZFCKG9wfuBWGwp5po8/Izi+tZ0ZN9RZMG
 Lz2YaS/Z5cP+OSKepyCXXzlhx0+eeQ5NrjK/DQirwA4jzR1NAVKJd6npJSglra6q
 3FGDdNGf+Kod3IaCStnRaZU/gHjJLIWO6rtAQy2aZDB73eHcqG3B9xoPRuWSLzdY
 uJO2xdh/wI69md2qtxBnP2EGZi2y7s5sp2FHbYV8gkBluynak6Ig3WAaewHm9mx1
 NpwIV+YuSoSwb+s+jxGg1y3pV6UaeraYYy1G3Zv+94vj7fIfRpmtRyjhhKU38sOp
 6jjIGLEnXof7tij09sIwZAdRugJUP8aT6xA05/JAo+kT2ooXEAYC3P5OMUhULX7k
 LIflH3Znq/ZFKBH8kKxghQ+Iwy5yzfGiCJd2lWfZ631L5md6WSPtTFabcGhgOc43
 CrF5bU0bkgokyNLqc7y80ou0uGyC3c5f4SB7cf/Jq6Jvo4EgTLWAzYBY5bTZ1zv6
 xl2XtUcX
 =Aezk
 -----END PGP SIGNATURE-----
--- a/runc.changes
+++ b/runc.changes
@ -1,3 +1,11 @@
 -------------------------------------------------------------------
 Sat Oct  5 11:40:13 UTC 2019 - Aleksa Sarai <asarai@suse.com>
 - Upgrade to runc v1.0.0~rc9. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc9
 - Remove upstreamed patches:
  - CVE-2019-16884.patch
 -------------------------------------------------------------------
 Thu Sep 26 14:54:07 UTC 2019 - Aleksa Sarai <asarai@suse.com>
--- a/runc.spec
+++ b/runc.spec
@ -24,7 +24,7 @@
 # Package-wide golang version
 %define go_version 1.10
 %define go_tool go
-%define _version 1.0.0-rc8
+%define _version 1.0.0-rc9
 %define project github.com/opencontainers/runc
 # enable libseccomp for sle >= sle12sp2
@ -41,7 +41,7 @@
 %endif
 Name:           runc
-Version:        1.0.0~rc8
+Version:        1.0.0~rc9
 Release:        0
 Summary:        Tool for spawning and running OCI containers
 License:        Apache-2.0
@ -51,11 +51,6 @@ Source0:        https://github.com/opencontainers/runc/releases/download/v%{_ver
 Source1:        https://github.com/opencontainers/runc/releases/download/v%{_version}/runc.tar.xz.asc#/runc-%{_version}.tar.xz.asc
 Source2:        runc.keyring
 Source3:        runc-rpmlintrc
 # FIX-UPSTREAM: Backport of https://github.com/opencontainers/runc/pull/2129.
 #                           https://github.com/opencontainers/selinux/pull/59.
 #                           https://github.com/opencontainers/runc/pull/2130.
 #                           bsc#1152308 CVE-2019-16884
 Patch1:         CVE-2019-16884.patch
 BuildRequires:  fdupes
 BuildRequires:  go-go-md2man
 BuildRequires:  golang(API) = %{go_version}
@ -90,8 +85,6 @@ Test package for runc. It contains the source code and the tests.
 %prep
 %setup -q -n %{name}-%{_version}
 # bsc#1152308 CVE-2019-16884
 %patch1 -p1
 %build
 # Do not use symlinks. If you want to run the unit tests for this package at