diff --git a/.gitignore b/.gitignore
index 4d97e7f..32283ba 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/runc-425e105.tar.gz
+SOURCES/runc-dc9208a.tar.gz
diff --git a/.runc.metadata b/.runc.metadata
index 1ff52c1..39b6b73 100644
--- a/.runc.metadata
+++ b/.runc.metadata
@@ -1 +1 @@
-cfbe1abc984f5b0be1413475f888e39304b265ae SOURCES/runc-425e105.tar.gz
+32859590dea35b77eed012c388d97fc12fdfdb93 SOURCES/runc-dc9208a.tar.gz
diff --git a/SOURCES/1807.patch b/SOURCES/1807.patch
index dcfae56..6d415f0 100644
--- a/SOURCES/1807.patch
+++ b/SOURCES/1807.patch
@@ -1,4 +1,4 @@
-From e3b37893afa498ef6254cc9d94c159b12e04d0b0 Mon Sep 17 00:00:00 2001
+From 3d99c51e1b38a440804a55c9f314f62cc50b8902 Mon Sep 17 00:00:00 2001
 From: Giuseppe Scrivano
 Date: Fri, 25 May 2018 18:04:06 +0200
 Subject: [PATCH] sd-notify: do not hang when NOTIFY_SOCKET is used with create
@@ -10,21 +10,20 @@ still accessible from the container.
 Signed-off-by: Giuseppe Scrivano
 ---
- notify_socket.go | 113 ++++++++++++++++++++++++++++++++++-------------
+ notify_socket.go | 112 ++++++++++++++++++++++++++++++++++-------------
 signals.go | 4 +-
 start.go | 13 +++++-
 utils_linux.go | 12 ++++-
- 4 files changed, 106 insertions(+), 36 deletions(-)
+ 4 files changed, 105 insertions(+), 36 deletions(-)
 diff --git a/notify_socket.go b/notify_socket.go
-index b890b5b1c..286ce1ddd 100644
+index e7453c62..d961453a 100644
 --- a/notify_socket.go
 +++ b/notify_socket.go
-@@ -6,11 +6,14 @@ import (
- "bytes"
+@@ -7,11 +7,13 @@ import (
 "fmt" "net" -+ "os" + "os" + "path" "path/filepath" + "strconv"
@@ -37,7 +36,7 @@ index b890b5b1c..286ce1ddd 100644
 "github.com/urfave/cli" )
-@@ -26,12 +29,12 @@ func newNotifySocket(context *cli.Context, notifySocketHost string, id string) *
+@@ -27,12 +29,12 @@ func newNotifySocket(context *cli.Context, notifySocketHost string, id string) *
 } root := filepath.Join(context.GlobalString("root"), id)
@@ -52,7 +51,7 @@ index b890b5b1c..286ce1ddd 100644 } return notifySocket -@@ -43,13 +46,19 @@ func (s *notifySocket) Close() error { +@@ -44,13 +46,19 @@ func (s *notifySocket) Close() error { // If systemd is supporting sd_notify protocol, this function will add support // for sd_notify protocol from within the container. @@ -76,7 +75,7 @@ index b890b5b1c..286ce1ddd 100644 addr := net.UnixAddr{ Name: s.socketPath, Net: "unixgram", -@@ -64,45 +73,89 @@ func (s *notifySocket) setupSocket() error { +@@ -71,45 +79,89 @@ func (s *notifySocket) setupSocket() error { return nil } @@ -189,7 +188,7 @@ index b890b5b1c..286ce1ddd 100644 } } diff --git a/signals.go b/signals.go -index b67f65a03..dd25e094c 100644 +index b67f65a0..dd25e094 100644 --- a/signals.go +++ b/signals.go @@ -70,6 +70,7 @@ func (h *signalHandler) forward(process *libcontainer.Process, tty *tty, detach @@ -211,7 +210,7 @@ index b67f65a03..dd25e094c 100644 } } diff --git a/start.go b/start.go -index 2bb698b20..3a1769a43 100644 +index 2bb698b2..3a1769a4 100644 --- a/start.go +++ b/start.go @@ -3,6 +3,7 @@ package main @@ -242,10 +241,10 @@ index 2bb698b20..3a1769a43 100644 return errors.New("cannot start a container that has stopped") case libcontainer.Running: diff --git a/utils_linux.go b/utils_linux.go -index ce50db145..670c0fcba 100644 +index 984e6b0f..46c26246 100644 --- a/utils_linux.go +++ b/utils_linux.go -@@ -406,7 +406,9 @@ func startContainer(context *cli.Context, spec *specs.Spec, action CtAct, criuOp +@@ -408,7 +408,9 @@ func startContainer(context *cli.Context, spec *specs.Spec, action CtAct, criuOp notifySocket := newNotifySocket(context, os.Getenv("NOTIFY_SOCKET"), id) if notifySocket != nil { 
@@ -256,7 +255,7 @@ index ce50db145..670c0fcba 100644
 } container, err := createContainer(context, id, spec)
-@@ -415,10 +417,16 @@ func startContainer(context *cli.Context, spec *specs.Spec, action CtAct, criuOp
+@@ -417,10 +419,16 @@ func startContainer(context *cli.Context, spec *specs.Spec, action CtAct, criuOp
 } if notifySocket != nil {
@@ -274,3 +273,6 @@ index ce50db145..670c0fcba 100644
 } // Support on-demand socket activation by passing file descriptors into the container init process.
+--
+2.21.0
+
diff --git a/SOURCES/99-containers.conf b/SOURCES/99-containers.conf
deleted file mode 100644
index 7e2d537..0000000
--- a/SOURCES/99-containers.conf
+++ /dev/null
@@ -1 +0,0 @@
-fs.may_detach_mounts=1
diff --git a/SOURCES/change-default-root.patch b/SOURCES/change-default-root.patch
deleted file mode 100644
index 091bc88..0000000
--- a/SOURCES/change-default-root.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From bc548da226f683aa123551295b95d9c11621b7bf Mon Sep 17 00:00:00 2001
-From: Lokesh Mandvekar
-Date: Thu, 4 Jul 2019 19:17:16 +0000
-Subject: [PATCH] change default root
-
-Signed-off-by: Lokesh Mandvekar
----
- list.go | 2 +-
- main.go | 4 ++--
- man/runc-list.8.md | 2 +-
- man/runc.8.md | 2 +-
- 4 files changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/list.go b/list.go
-index 0313d8c..328798b 100644
---- a/list.go
-+++ b/list.go
-@@ -50,7 +50,7 @@ var listCommand = cli.Command{
- ArgsUsage: `
-
- Where the given root is specified via the global option "--root"
--(default: "/run/runc").
-+(default: "/run/runc-ctrs").
-
- EXAMPLE 1:
- To list containers created via the default "--root":
-diff --git a/main.go b/main.go
-index 072447d..e675a96 100644
---- a/main.go
-+++ b/main.go
-@@ -62,10 +62,10 @@ func main() {
- v = append(v, fmt.Sprintf("spec: %s", specs.Version))
- app.Version = strings.Join(v, "\n")
-
-- root := "/run/runc"
-+ root := "/run/runc-ctrs"
- if shouldHonorXDGRuntimeDir() {
- if runtimeDir := os.Getenv("XDG_RUNTIME_DIR"); runtimeDir != "" {
-- root = runtimeDir + "/runc"
-+ root = runtimeDir + "/runc-ctrs"
- // According to the XDG specification, we need to set anything in
- // XDG_RUNTIME_DIR to have a sticky bit if we don't want it to get
- // auto-pruned.
-diff --git a/man/runc-list.8.md b/man/runc-list.8.md
-index f737424..107220e 100644
---- a/man/runc-list.8.md
-+++ b/man/runc-list.8.md
-@@ -6,7 +6,7 @@
-
- # EXAMPLE
- Where the given root is specified via the global option "--root"
--(default: "/run/runc").
-+(default: "/run/runc-ctrs").
-
- To list containers created via the default "--root":
- # runc list
-diff --git a/man/runc.8.md b/man/runc.8.md
-index 6d0ddff..9d6816d 100644
---- a/man/runc.8.md
-+++ b/man/runc.8.md
-@@ -51,7 +51,7 @@ value for "bundle" is the current directory.
- --debug enable debug output for logging
- --log value set the log file path where internal debug information is written (default: "/dev/null")
- --log-format value set the format used by logs ('text' (default), or 'json') (default: "text")
-- --root value root directory for storage of container state (this should be located in tmpfs) (default: "/run/runc" or $XDG_RUNTIME_DIR/runc for rootless containers)
-+ --root value root directory for storage of container state (this should be located in tmpfs) (default: "/run/runc-ctrs" or $XDG_RUNTIME_DIR/runc for rootless containers)
- --criu value path to the criu binary used for checkpoint and restore (default: "criu")
- --systemd-cgroup enable systemd cgroup support, expects cgroupsPath to be of form "slice:prefix:name" for e.g. "system.slice:runc:434234"
- --rootless value enable rootless mode ('true', 'false', or 'auto') (default: "auto")
---
-1.8.3.1
-
diff --git a/SOURCES/runc-CVE-2019-19921.patch b/SOURCES/runc-CVE-2019-19921.patch
deleted file mode 100644
index b81c5da..0000000
--- a/SOURCES/runc-CVE-2019-19921.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 3291d66b98445bd7f7d02eac7f2bca2ac2c56942 Mon Sep 17 00:00:00 2001
-From: Aleksa Sarai
-Date: Sat, 21 Dec 2019 23:40:17 +1100
-Subject: [PATCH] rootfs: do not permit /proc mounts to non-directories
-
-mount(2) will blindly follow symlinks, which is a problem because it
-allows a malicious container to trick runc into mounting /proc to an
-entirely different location (and thus within the attacker's control for
-a rename-exchange attack).
-
-This is just a hotfix (to "stop the bleeding"), and the more complete
-fix would be finish libpathrs and port runc to it (to avoid these types
-of attacks entirely, and defend against a variety of other /proc-related
-attacks). It can be bypased by someone having "/" be a volume controlled
-by another container.
-
-Fixes: CVE-2019-19921
-Signed-off-by: Aleksa Sarai
----
- libcontainer/rootfs_linux.go | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
-index 291021440..106c4c2b9 100644
---- a/libcontainer/rootfs_linux.go
-+++ b/libcontainer/rootfs_linux.go
-@@ -299,6 +299,18 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b
-
- switch m.Device {
- case "proc", "sysfs":
-+ // If the destination already exists and is not a directory, we bail
-+ // out This is to avoid mounting through a symlink or similar -- which
-+ // has been a "fun" attack scenario in the past.
-+ // TODO: This won't be necessary once we switch to libpathrs and we can
-+ // stop all of these symlink-exchange attacks.
-+ if fi, err := os.Lstat(dest); err != nil {
-+ if !os.IsNotExist(err) {
-+ return err
-+ }
-+ } else if fi.Mode()&os.ModeDir == 0 {
-+ return fmt.Errorf("filesystem %q must be mounted on ordinary directory", m.Device)
-+ }
- if err := os.MkdirAll(dest, 0755); err != nil {
- return err
- }
diff --git a/SPECS/runc.spec b/SPECS/runc.spec
index d510b6f..66e3eac 100644
--- a/SPECS/runc.spec
+++ b/SPECS/runc.spec
@@ -1,16 +1,17 @@
 %global with_debug 1
+%global with_bundled 1
 %global with_check 0
 %if 0%{?with_debug}
 %global _find_debuginfo_dwz_opts %{nil}
 %global _dwz_low_mem_die_limit 0
 %else
-%global debug_package %{nil}
+%global debug_package %{nil}
 %endif
 %if ! 0%{?gobuild:1}
 %define gobuild(o:) \
-go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
+scl enable go-toolset-1.12 -- go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
 %endif
 %global provider github
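Review bot: `%global with_bundled 1` is introduced at the top of the spec but no hunk in this diff reads it, and `%global with_check 0` is kept although its only visible consumer, the `%if 0%{?with_check}` block under `%check`, is deleted in the third hunk; if the rest of the spec does not reference them either, both are dead switches and should be dropped or carry a comment such as `# with_bundled / with_check: reserved, currently unused`. The `scl enable go-toolset-1.12 --` wrapper is placed inside the `%if ! 0%{?gobuild:1}` fallback, so it is skipped on any buildroot that already defines `%gobuild`; with `%{?enable_gotoolset110}` removed in the next hunk, nothing else appears to put the SCL toolchain on PATH in that case. Worth confirming the build really picks up 1.12 there, or moving the `scl enable` outside the fallback so it applies regardless of which `%gobuild` wins.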
@@ -20,41 +21,33 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -
 # https://github.com/opencontainers/runc
 %global import_path %{provider}.%{provider_tld}/%{project}/%{repo}
 %global git0 https://%{import_path}
-%global commit0 425e105d5a03fabd737a126ad93d62a9eeede87f
+%global commit0 dc9208a3303feef5b3839f4323d9beb36df0a9dd
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 Name: %{repo}
 Version: 1.0.0
-Release: 66.rc8%{?dist}
+Release: 67.rc10%{?dist}
 Summary: CLI for running Open Containers
+ExcludeArch: %{ix86} s390 ppc ppc64
 License: ASL 2.0
 URL: %{git0}
 Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
-Source1: 99-containers.conf
 Patch0: 1807.patch
-Patch1: change-default-root.patch
-# tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-19921
-# patch: https://github.com/opencontainers/runc/pull/2207/commits/3291d66b98445bd7f7d02eac7f2bca2ac2c56942.patch
-Patch2: runc-CVE-2019-19921.patch
-Requires: criu
-Requires(pre): container-selinux >= 2:2.2-2
-ExclusiveArch: aarch64 %{arm} ppc64le s390x x86_64
-BuildRequires: go-toolset-1.10
-BuildRequires: openssl-devel
+BuildRequires: go-toolset-1.12
 BuildRequires: git
 BuildRequires: go-md2man
 BuildRequires: libseccomp-devel
+Requires: criu
+Requires(pre): container-selinux >= 2:2.2-2
 %description
 The runc command can be used to start containers which are packaged in accordance with the Open Container Initiative's specifications, and to manage containers running under runc.
-# Go Toolset
-%{?enable_gotoolset110}
-
 %prep
-%autosetup -Sgit -n %{name}-%{commit0}
+%autosetup -Sgit -n %{repo}-%{commit0}
+sed -i '/\#\!\/bin\/bash/d' contrib/completions/bash/%{name}
 %build
 mkdir -p GOPATH
@@ -65,8 +58,8 @@ popd
 pushd GOPATH/src/%{import_path}
 export GOPATH=$(pwd)/GOPATH
-export BUILDTAGS='selinux seccomp'
-%gobuild -o %{name} %{import_path}
+export BUILDTAGS="selinux seccomp"
+%gobuild -o %{name} %{import_path}
 pushd man
 ./md2man-all.sh
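Review bot: Removing `Patch1: change-default-root.patch` reverts the default `--root` from `/run/runc-ctrs` back to upstream's `/run/runc` (both values are visible in the deleted patch earlier in this diff), but neither the new changelog entry nor a spec comment records it; any tooling, or a second runc build, that looks for container state under `/run/runc-ctrs` will silently stop seeing this package's containers, so the 67.rc10 entry should say so, e.g. `- drop change-default-root.patch, default state dir is /run/runc again`. `ExcludeArch: %{ix86} s390 ppc ppc64` replaces `ExclusiveArch: aarch64 %{arm} ppc64le s390x x86_64`, which turns an allow-list into a deny-list, so any architecture outside both lists now builds by default; fine if intended, but it is a broader statement than the old line and deserves a word in the changelog too. `BuildRequires: openssl-devel` is also dropped without a note; presumably nothing in rc10 links against it, but that is worth confirming rather than discovering at link time.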
@@ -76,57 +69,33 @@ popd
 install -d -p %{buildroot}%{_bindir}
 install -p -m 755 %{name} %{buildroot}%{_bindir}
+# install man pages
 install -d -p %{buildroot}%{_mandir}/man8
 install -p -m 644 man/man8/* %{buildroot}%{_mandir}/man8
-
-install -d -p %{buildroot}%{_usr}/lib/sysctl.d
-install -p -m 644 %{SOURCE1} %{buildroot}%{_usr}/lib/sysctl.d
+# install bash completion
+install -d -p %{buildroot}%{_datadir}/bash-completion/completions
+install -p -m 0644 contrib/completions/bash/%{name} %{buildroot}%{_datadir}/bash-completion/completions
 %check
-%if 0%{?with_check}
-export GOPATH=%{buildroot}/%{gopath}:$(pwd)/Godeps/_workspace:%{gopath}
-
-%if ! 0%{?gotest:1}
-%global gotest go test
-%endif
-
-# FAIL: TestFactoryNewTmpfs (0.00s), factory_linux_test.go:59: operation not permitted
-#%%gotest %%{import_path}/libcontainer
-%gotest %{import_path}/libcontainer/cgroups
-%gotest %{import_path}/libcontainer/cgroups/fs
-%gotest %{import_path}/libcontainer/configs
-%gotest %{import_path}/libcontainer/devices
-# undefined reference to `nsexec'
-#%%gotest %%{import_path}/libcontainer/integration
-%gotest %{import_path}/libcontainer/label
-# Unable to create tstEth link: operation not permitted
-#%%gotest %%{import_path}/libcontainer/netlink
-# undefined reference to `nsexec'
-#%%gotest %%{import_path}/libcontainer/nsenter
-%gotest %{import_path}/libcontainer/selinux
-%gotest %{import_path}/libcontainer/stacktrace
-%gotest %{import_path}/libcontainer/user
-%gotest %{import_path}/libcontainer/utils
-%gotest %{import_path}/libcontainer/xattr
-%endif
 #define license tag if not already defined
 %{!?_licensedir:%global license %doc}
-%post
-%sysctl_apply 99-containers.conf
-
 %files
 %license LICENSE
 %doc MAINTAINERS_GUIDE.md PRINCIPLES.md README.md CONTRIBUTING.md
 %{_bindir}/%{name}
 %{_mandir}/man8/%{name}*
-%{_usr}/lib/sysctl.d/99-containers.conf
+%{_datadir}/bash-completion/completions/%{name}
 %changelog
-* Mon Mar 02 2020 Jindrich Novy - 1.0.0-66.rc8
-- fix "CVE-2019-19921 runc: volume mount race condition with shared mounts leads to information leak/integrity manipulation"
-- Resolves: #1803100
+* Thu Feb 13 2020 Jindrich Novy - 1.0.0-67.rc10
+- address CVE-2019-19921 by updating to rc10
+- Resolves: #1802599
+
+* Tue Dec 03 2019 Jindrich Novy - 1.0.0-66.rc9
+- update to rc9
+- Related: RHELPLAN-26239
 * Fri Aug 02 2019 Jindrich Novy - 1.0.0-65.rc8
 - rebase to 1.0.0-65 in RHEL7u7
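Review bot: The `%post` section running `%sysctl_apply 99-containers.conf` and the `fs.may_detach_mounts=1` drop-in it applied are removed (the file itself is deleted earlier in this diff), yet the 67.rc10 changelog entry only mentions the rc10 rebase; on hosts that relied on this package to set that sysctl the removal is a runtime behaviour change and the entry should state it, e.g. `- drop 99-containers.conf sysctl drop-in and its %post`. `%check` is left with no body at all — the `#define license tag` comment now directly follows it — so either drop the `%check` line or keep a one-line comment saying upstream tests are not run in this build. The removed `1.0.0-66.rc8` entry is dated Mon Mar 02 2020, later than the new top entry of Thu Feb 13 2020, which suggests the changelog was swapped from another branch rather than appended to; if 66.rc8 was ever published, its entry (and the `#1803100` reference) should be kept below the new ones instead of deleted.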