From 628da5b838d060caa344585a7b8605c270c10378 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jul 21 2020 14:15:10 +0000
Subject: import podman-1.6.4-15.module+el8.2.0+7290+954fb593
---
diff --git a/SOURCES/podman-1846364-part2.patch b/SOURCES/podman-1846364-part2.patch
new file mode 100644
index 0000000..405f84f
--- /dev/null
+++ b/SOURCES/podman-1846364-part2.patch
@@ -0,0 +1,47 @@
+From c734a6c44e1624dab786c85026bcd8a13e7f2b01 Mon Sep 17 00:00:00 2001
+From: Daniel J Walsh
+Date: Tue, 30 Jun 2020 13:36:45 -0400
+Subject: [PATCH] Disable SELinux labeling if privileged and user does not
+ specify labels
+
+The previous patch mistakenly turned on SELinux even when --privileged.
+
+This patch will disable SELinux, if the user specified --privileged and
+did not specify any SELinux options.
+
+Signed-off-by: Daniel J Walsh
+---
+ cmd/podman/shared/create.go | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/cmd/podman/shared/create.go b/cmd/podman/shared/create.go
+index 11a0c9cbe8..7bb2bc896d 100644
+--- a/cmd/podman/shared/create.go
++++ b/cmd/podman/shared/create.go
+@@ -196,9 +196,7 @@ func CreateContainer(ctx context.Context, c *GenericCLIResults, runtime *libpod.
+ }
+
+ func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string, runtime *libpod.Runtime) error {
+- var (
+- labelOpts []string
+- )
++ var labelOpts []string
+
+ if config.PidMode.IsHost() {
+ labelOpts = append(labelOpts, label.DisableSecOpt()...)
+@@ -794,12 +792,12 @@ func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod.
+ Syslog: c.Bool("syslog"),
+ }
+
+- if config.Privileged {
+- config.LabelOpts = label.DisableSecOpt()
+- }
+ if err := parseSecurityOpt(config, c.StringArray("security-opt"), runtime); err != nil {
+ return nil, err
+ }
++ if config.Privileged && len(config.LabelOpts) == 0 {
++ config.LabelOpts = label.DisableSecOpt()
++ }
+ config.SecurityOpts = c.StringArray("security-opt")
+ warnings, err := verifyContainerResources(config, false)
+ if err != nil {
diff --git a/SOURCES/podman-1846364-part3.patch b/SOURCES/podman-1846364-part3.patch
new file mode 100644
index 0000000..6ad0e37
--- /dev/null
+++ b/SOURCES/podman-1846364-part3.patch
@@ -0,0 +1,70 @@
+From 48ad0f4e8f36918406b95e498f6750e5d5cf749a Mon Sep 17 00:00:00 2001
+From: Daniel J Walsh
+Date: Wed, 1 Jul 2020 09:19:18 -0400
+Subject: [PATCH] Don't disable selinux labels if user specifies a security opt
+
+Currenty if the user specifies --pid=host or --ipc=host or --privileged
+then we disable SELinux labeling. If the user however specifies
+--security-opt label:... Then we assume they want to leave SELinux enabled
+and know what they are doing.
+
+This PR will leave SELinux enabled if a user specifies a --security-opt label
+option.
+
+Signed-off-by: Daniel J Walsh
+---
+ cmd/podman/shared/create.go | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/cmd/podman/shared/create.go b/cmd/podman/shared/create.go
+index 7bb2bc896d..dda36826ec 100644
+--- a/cmd/podman/shared/create.go
++++ b/cmd/podman/shared/create.go
+@@ -198,9 +198,7 @@ func CreateContainer(ctx context.Context, c *GenericCLIResults, runtime *libpod.
+ func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string, runtime *libpod.Runtime) error {
+ var labelOpts []string
+
+- if config.PidMode.IsHost() {
+- labelOpts = append(labelOpts, label.DisableSecOpt()...)
+- } else if config.PidMode.IsContainer() {
++ if config.PidMode.IsContainer() {
+ ctr, err := runtime.LookupContainer(config.PidMode.Container())
+ if err != nil {
+ return errors.Wrapf(err, "container %q not found", config.PidMode.Container())
+@@ -212,9 +210,7 @@ func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string, runtime *l
+ labelOpts = append(labelOpts, secopts...)
+ }
+
+- if config.IpcMode.IsHost() {
+- labelOpts = append(labelOpts, label.DisableSecOpt()...)
+- } else if config.IpcMode.IsContainer() {
++ if config.IpcMode.IsContainer() {
+ ctr, err := runtime.LookupContainer(config.IpcMode.Container())
+ if err != nil {
+ return errors.Wrapf(err, "container %q not found", config.IpcMode.Container())
+@@ -255,7 +251,14 @@ func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string, runtime *l
+ return err
+ }
+ }
+- config.LabelOpts = labelOpts
++ if len(labelOpts) > 0 {
++ config.LabelOpts = labelOpts
++ } else {
++ if config.Privileged || config.IpcMode.IsHost() || config.PidMode.IsHost() {
++ config.LabelOpts = label.DisableSecOpt()
++ }
++ }
++
+ return nil
+ }
+
+@@ -795,9 +798,6 @@ func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod.
+ if err := parseSecurityOpt(config, c.StringArray("security-opt"), runtime); err != nil {
+ return nil, err
+ }
+- if config.Privileged && len(config.LabelOpts) == 0 {
+- config.LabelOpts = label.DisableSecOpt()
+- }
+ config.SecurityOpts = c.StringArray("security-opt")
+ warnings, err := verifyContainerResources(config, false)
+ if err != nil {
diff --git a/SOURCES/podman-1846364.patch b/SOURCES/podman-1846364.patch
new file mode 100644
index 0000000..cd8c620
--- /dev/null
+++ b/SOURCES/podman-1846364.patch
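Review bot: The new `len(labelOpts) > 0` test at the end of parseSecurityOpt stands in for "the user passed a label security-opt", but labelOpts is also filled from the secopts of a `--pid=container:` or `--ipc=container:` target in the `LookupContainer` branches above, so a container that inherits a label that way and also runs with `--privileged` or the other namespace set to host now keeps that label where the removed `IsHost()` branches used to force `label.DisableSecOpt()`. If that is not intended, set a boolean only where a `label` option is parsed from securityOpts (that code is outside the hunk) and branch on it instead of the slice length. Independently, the nested `else { if … }` can be flattened to `} else if config.Privileged || config.IpcMode.IsHost() || config.PidMode.IsHost() {`, and a comment above the block such as `// Explicit label options take precedence; otherwise host namespaces or --privileged disable labeling.` would record the precedence the three bundled commits converged on. Both parseSecurityOpt and ParseCreateOpts start outside the hunk.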
@@ -0,0 +1,29 @@
+From a81891bb376d673cb6bef851b522a6d678e15ed0 Mon Sep 17 00:00:00 2001
+From: Daniel J Walsh
+Date: Wed, 24 Jun 2020 10:34:25 -0400
+Subject: [PATCH] Allow security-opts to be parsed even if container is
+ --privileged
+
+Signed-off-by: Daniel J Walsh
+---
+ cmd/podman/shared/create.go | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/cmd/podman/shared/create.go b/cmd/podman/shared/create.go
+index dc343e6942..11a0c9cbe8 100644
+--- a/cmd/podman/shared/create.go
++++ b/cmd/podman/shared/create.go
+@@ -796,10 +796,9 @@ func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod.
+
+ if config.Privileged {
+ config.LabelOpts = label.DisableSecOpt()
+- } else {
+- if err := parseSecurityOpt(config, c.StringArray("security-opt"), runtime); err != nil {
+- return nil, err
+- }
++ }
++ if err := parseSecurityOpt(config, c.StringArray("security-opt"), runtime); err != nil {
++ return nil, err
+ }
+ config.SecurityOpts = c.StringArray("security-opt")
+ warnings, err := verifyContainerResources(config, false)
diff --git a/SPECS/podman.spec b/SPECS/podman.spec
index 0ee2e8c..7866945 100644
--- a/SPECS/podman.spec
+++ b/SPECS/podman.spec
@@ -29,7 +29,7 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl
 Name: podman
 Version: 1.6.4
-Release: 12%{?dist}
+Release: 15%{?dist}
 Summary: Manage Pods, Containers and Container Images
 License: ASL 2.0
 URL: https://%{name}.io/
@@ -56,6 +56,16 @@ Patch6: podman-CVE-2020-10696.patch
 # related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1834346
 # patch: https://github.com/containers/libpod/pull/6009.patch
 Patch7: podman-1834346.patch
+# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1846364
+# patch: https://github.com/containers/libpod/pull/6750/commits/a81891bb376d673cb6bef851b522a6d678e15ed0.patch
+Patch8: podman-1846364.patch
+# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1846364
+# patch: https://github.com/containers/libpod/commit/2ff8dc2fdcb714009f1563fe057919a187bde4c5.patch
+Patch9: podman-1846364-part2.patch
+# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1846364
+# patch: https://github.com/containers/libpod/pull/6832.patch
+Patch10: podman-1846364-part3.patch
+
 Provides: %{name}-manpages = %{version}-%{release}
 Obsoletes: %{name}-manpages < %{version}-%{release}
 BuildRequires: golang >= 1.12.12-4
@@ -355,6 +365,17 @@ exit 0
 %{_datadir}/%{name}/test
 %changelog
+* Wed Jul 01 2020 Jindrich Novy - 1.6.4-15
+- fix "Don't disable selinux labels if user specifies a security opt"
+- Resolves: #1846364
+
+* Tue Jun 30 2020 Ian Mcleod - 1.6.4-14
+- follow on fix for #1846364
+
+* Mon Jun 29 2020 Jindrich Novy - 1.6.4-13
+- fix "podman 1.6.4 is not honouring --security-opt when --privileged is passed"
+- Resolves: #1846364
+
 * Mon May 18 2020 Jindrich Novy - 1.6.4-12
 - fix "Please backport correction patch for the native container healthchecks"
 - Resolves: #1834346
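Review bot: Patch8–Patch10 are declared in the first hunk but nothing in the diff shows them being applied; if the `%prep` section (outside both hunks) lists explicit `%patchN -p1` lines rather than using `%autosetup`/`%autopatch`, matching entries are needed, otherwise the three SELinux fixes the changelog announces are never compiled in. The provenance comment for Patch9 cites upstream commit `2ff8dc2fdcb714009f1563fe057919a187bde4c5`, while the bundled `podman-1846364-part2.patch` carries `From c734a6c44e1624dab786c85026bcd8a13e7f2b01`; if the file is a cherry-pick rebased for 1.6.4, the comment should say so, e.g. `# patch: https://github.com/containers/libpod/commit/2ff8dc2fdcb714009f1563fe057919a187bde4c5.patch (rebased onto 1.6.4)`, so the bundled content can be traced back to what it claims to be.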