From 8eb44383da0906bc21ce8a3fcbf346e13ab0c658 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Feb 11 2019 14:27:31 +0000 Subject: import docker-1.13.1-91.git07f3374.el7 --- diff --git a/README.debrand b/README.debrand deleted file mode 100644 index 01c46d2..0000000 --- a/README.debrand +++ /dev/null @@ -1,2 +0,0 @@ -Warning: This package was configured for automatic debranding, but the changes -failed to apply. diff --git a/SOURCES/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch b/SOURCES/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch new file mode 100644 index 0000000..59bbcf5 --- /dev/null +++ b/SOURCES/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch @@ -0,0 +1,290 @@ +From 2a03a0c265d5bd3e77bc22e7d1fbb57388984727 Mon Sep 17 00:00:00 2001 +From: Aleksa Sarai +Date: Wed, 9 Jan 2019 13:40:01 +1100 +Subject: [PATCH 1/1] nsenter: clone /proc/self/exe to avoid exposing host + binary to container + +There are quite a few circumstances where /proc/self/exe pointing to a +pretty important container binary is a _bad_ thing, so to avoid this we +have to make a copy (preferably doing self-clean-up and not being +writeable). + +As a hotfix we require memfd_create(2), but we can always extend this to +use a scratch MNT_DETACH overlayfs or tmpfs. The main downside to this +approach is no page-cache sharing for the runc binary (which overlayfs +would give us) but this is far less complicated. + +This is only done during nsenter so that it happens transparently to the +Go code, and any libcontainer users benefit from it. This also makes +ExtraFiles and --preserve-fds handling trivial (because we don't need to +worry about it). + +Fixes: CVE-2019-5736 +Co-developed-by: Christian Brauner +Signed-off-by: Aleksa Sarai +Signed-off-by: Mrunal Patel +--- + libcontainer/nsenter/cloned_binary.c | 221 +++++++++++++++++++++++++++ + libcontainer/nsenter/nsexec.c | 11 ++ + 2 files changed, 232 insertions(+) + create mode 100644 libcontainer/nsenter/cloned_binary.c + +diff --git a/libcontainer/nsenter/cloned_binary.c b/libcontainer/nsenter/cloned_binary.c +new file mode 100644 +index 00000000..d9f6093a +--- /dev/null ++++ b/libcontainer/nsenter/cloned_binary.c +@@ -0,0 +1,221 @@ ++#define _GNU_SOURCE ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++ ++/* Use our own wrapper for memfd_create. */ ++#if !defined(SYS_memfd_create) && defined(__NR_memfd_create) ++# define SYS_memfd_create __NR_memfd_create ++#endif ++#ifndef SYS_memfd_create ++# error "memfd_create(2) syscall not supported by this glibc version" ++#endif ++int memfd_create(const char *name, unsigned int flags) ++{ ++ return syscall(SYS_memfd_create, name, flags); ++} ++ ++/* This comes directly from . */ ++#ifndef F_LINUX_SPECIFIC_BASE ++# define F_LINUX_SPECIFIC_BASE 1024 ++#endif ++#ifndef F_ADD_SEALS ++# define F_ADD_SEALS (F_LINUX_SPECIFIC_BASE + 9) ++# define F_GET_SEALS (F_LINUX_SPECIFIC_BASE + 10) ++#endif ++#ifndef F_SEAL_SEAL ++# define F_SEAL_SEAL 0x0001 /* prevent further seals from being set */ ++# define F_SEAL_SHRINK 0x0002 /* prevent file from shrinking */ ++# define F_SEAL_GROW 0x0004 /* prevent file from growing */ ++# define F_SEAL_WRITE 0x0008 /* prevent writes */ ++#endif ++ ++ ++#define OUR_MEMFD_COMMENT "runc_cloned:/proc/self/exe" ++#define OUR_MEMFD_SEALS \ ++ (F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE) ++ ++static void *must_realloc(void *ptr, size_t size) ++{ ++ void *old = ptr; ++ do { ++ ptr = realloc(old, size); ++ } while(!ptr); ++ return ptr; ++} ++ ++/* ++ * Verify whether we are currently in a self-cloned program (namely, is ++ * /proc/self/exe a memfd). F_GET_SEALS will only succeed for memfds (or rather ++ * for shmem files), and we want to be sure it's actually sealed. ++ */ ++static int is_self_cloned(void) ++{ ++ int fd, seals; ++ ++ fd = open("/proc/self/exe", O_RDONLY|O_CLOEXEC); ++ if (fd < 0) ++ return -ENOTRECOVERABLE; ++ ++ seals = fcntl(fd, F_GET_SEALS); ++ close(fd); ++ return seals == OUR_MEMFD_SEALS; ++} ++ ++/* ++ * Basic wrapper around mmap(2) that gives you the file length so you can ++ * safely treat it as an ordinary buffer. Only gives you read access. ++ */ ++static char *read_file(char *path, size_t *length) ++{ ++ int fd; ++ char buf[4096], *copy = NULL; ++ ++ if (!length) ++ return NULL; ++ ++ fd = open(path, O_RDONLY | O_CLOEXEC); ++ if (fd < 0) ++ return NULL; ++ ++ *length = 0; ++ for (;;) { ++ int n; ++ ++ n = read(fd, buf, sizeof(buf)); ++ if (n < 0) ++ goto error; ++ if (!n) ++ break; ++ ++ copy = must_realloc(copy, (*length + n) * sizeof(*copy)); ++ memcpy(copy + *length, buf, n); ++ *length += n; ++ } ++ close(fd); ++ return copy; ++ ++error: ++ close(fd); ++ free(copy); ++ return NULL; ++} ++ ++/* ++ * A poor-man's version of "xargs -0". Basically parses a given block of ++ * NUL-delimited data, within the given length and adds a pointer to each entry ++ * to the array of pointers. ++ */ ++static int parse_xargs(char *data, int data_length, char ***output) ++{ ++ int num = 0; ++ char *cur = data; ++ ++ if (!data || *output != NULL) ++ return -1; ++ ++ while (cur < data + data_length) { ++ num++; ++ *output = must_realloc(*output, (num + 1) * sizeof(**output)); ++ (*output)[num - 1] = cur; ++ cur += strlen(cur) + 1; ++ } ++ (*output)[num] = NULL; ++ return num; ++} ++ ++/* ++ * "Parse" out argv and envp from /proc/self/cmdline and /proc/self/environ. ++ * This is necessary because we are running in a context where we don't have a ++ * main() that we can just get the arguments from. ++ */ ++static int fetchve(char ***argv, char ***envp) ++{ ++ char *cmdline = NULL, *environ = NULL; ++ size_t cmdline_size, environ_size; ++ ++ cmdline = read_file("/proc/self/cmdline", &cmdline_size); ++ if (!cmdline) ++ goto error; ++ environ = read_file("/proc/self/environ", &environ_size); ++ if (!environ) ++ goto error; ++ ++ if (parse_xargs(cmdline, cmdline_size, argv) <= 0) ++ goto error; ++ if (parse_xargs(environ, environ_size, envp) <= 0) ++ goto error; ++ ++ return 0; ++ ++error: ++ free(environ); ++ free(cmdline); ++ return -EINVAL; ++} ++ ++#define SENDFILE_MAX 0x7FFFF000 /* sendfile(2) is limited to 2GB. */ ++static int clone_binary(void) ++{ ++ int binfd, memfd, err; ++ ssize_t sent = 0; ++ ++ memfd = memfd_create(OUR_MEMFD_COMMENT, MFD_CLOEXEC | MFD_ALLOW_SEALING); ++ if (memfd < 0) ++ return -ENOTRECOVERABLE; ++ ++ binfd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC); ++ if (binfd < 0) ++ goto error; ++ ++ sent = sendfile(memfd, binfd, NULL, SENDFILE_MAX); ++ close(binfd); ++ if (sent < 0) ++ goto error; ++ ++ err = fcntl(memfd, F_ADD_SEALS, OUR_MEMFD_SEALS); ++ if (err < 0) ++ goto error; ++ ++ return memfd; ++ ++error: ++ close(memfd); ++ return -EIO; ++} ++ ++int ensure_cloned_binary(void) ++{ ++ int execfd; ++ char **argv = NULL, **envp = NULL; ++ ++ /* Check that we're not self-cloned, and if we are then bail. */ ++ int cloned = is_self_cloned(); ++ if (cloned > 0 || cloned == -ENOTRECOVERABLE) ++ return cloned; ++ ++ if (fetchve(&argv, &envp) < 0) ++ return -EINVAL; ++ ++ execfd = clone_binary(); ++ if (execfd < 0) ++ return -EIO; ++ ++ fexecve(execfd, argv, envp); ++ return -ENOEXEC; ++} +diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c +index 0a10f802..814c738d 100644 +--- a/libcontainer/nsenter/nsexec.c ++++ b/libcontainer/nsenter/nsexec.c +@@ -420,6 +420,9 @@ void join_namespaces(char *nslist) + free(namespaces); + } + ++/* Defined in cloned_binary.c. */ ++int ensure_cloned_binary(void); ++ + void nsexec(void) + { + int pipenum; +@@ -435,6 +438,14 @@ void nsexec(void) + if (pipenum == -1) + return; + ++ /* ++ * We need to re-exec if we are not in a cloned binary. This is necessary ++ * to ensure that containers won't be able to access the host binary ++ * through /proc/self/exe. See CVE-2019-5736. ++ */ ++ if (ensure_cloned_binary() < 0) ++ bail("could not ensure we are a cloned binary"); ++ + /* make the process non-dumpable */ + if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) { + bail("failed to set process as non-dumpable"); +-- +2.20.1 + diff --git a/SPECS/docker.spec b/SPECS/docker.spec index 8599c1f..e4ec5d5 100644 --- a/SPECS/docker.spec +++ b/SPECS/docker.spec @@ -77,7 +77,7 @@ Name: %{repo} Epoch: 2 Version: 1.13.1 -Release: 90.git%{shortcommit_docker}%{?dist} +Release: 91.git%{shortcommit_docker}%{?dist} Summary: Automates deployment of containerized applications License: ASL 2.0 URL: https://%{import_path} @@ -109,6 +109,7 @@ Source29: 99-docker.conf Source30: %{git_tini}/archive/%{commit_tini}/tini-%{shortcommit_tini}.tar.gz Source31: %{git_libnetwork}/archive/%{commit_libnetwork}/libnetwork-%{shortcommit_libnetwork}.tar.gz Source32: seccomp.json +Patch0: 0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch BuildRequires: cmake BuildRequires: sed BuildRequires: git @@ -302,6 +303,9 @@ tar zxf %{SOURCE17} # untar docker-runc tar zxf %{SOURCE19} +pushd runc-%{commit_runc} +%patch0 -p1 +popd # untar docker-containerd tar zxf %{SOURCE20} @@ -653,7 +657,7 @@ fi %config(noreplace) %attr(644, root, root) %{_sysconfdir}/sysconfig/%{name}-storage %config(noreplace) %{_sysconfdir}/sysconfig/%{name}-network # Use ghost to not package default file installed by "make install-docker". -# Instead we will install a default based on kernel version in %posttrans. +# Instead we will install a default based on kernel version in %%posttrans. %ghost %{_sysconfdir}/sysconfig/%{name}-storage-setup %config(noreplace) %{_sysconfdir}/%{name}/daemon.json %config(noreplace) %{_sysconfdir}/%{name}/seccomp.json @@ -741,6 +745,9 @@ fi %{_bindir}/%{name}-v1.10-migrator-* %changelog +* Sat Feb 09 2019 Lokesh Mandvekar - 2:1.13.1-91.git07f3374 +- Resolves: #1665326 - CVE-2019-5736 + * Wed Jan 16 2019 Lokesh Mandvekar - 2:1.13.1-90.git07f3374 - Resolves: #1662700 - built docker-containerd @projectatomic/docker-1.13.1-rhel commit b968034