diff --git a/.gitignore b/.gitignore index 4d97e7f..dc6af45 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/runc-425e105.tar.gz +SOURCES/runc-d736ef1.tar.gz diff --git a/.runc.metadata b/.runc.metadata index 1ff52c1..6c81a25 100644 --- a/.runc.metadata +++ b/.runc.metadata @@ -1 +1 @@ -cfbe1abc984f5b0be1413475f888e39304b265ae SOURCES/runc-425e105.tar.gz +812dbd873389db38f03438166784aee998146d30 SOURCES/runc-d736ef1.tar.gz diff --git a/SOURCES/1807.patch b/SOURCES/1807.patch index dcfae56..6d415f0 100644 --- a/SOURCES/1807.patch +++ b/SOURCES/1807.patch @@ -1,4 +1,4 @@ -From e3b37893afa498ef6254cc9d94c159b12e04d0b0 Mon Sep 17 00:00:00 2001 +From 3d99c51e1b38a440804a55c9f314f62cc50b8902 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Fri, 25 May 2018 18:04:06 +0200 Subject: [PATCH] sd-notify: do not hang when NOTIFY_SOCKET is used with create @@ -10,21 +10,20 @@ still accessible from the container. Signed-off-by: Giuseppe Scrivano --- - notify_socket.go | 113 ++++++++++++++++++++++++++++++++++------------- + notify_socket.go | 112 ++++++++++++++++++++++++++++++++++------------- signals.go | 4 +- start.go | 13 +++++- utils_linux.go | 12 ++++- - 4 files changed, 106 insertions(+), 36 deletions(-) + 4 files changed, 105 insertions(+), 36 deletions(-) diff --git a/notify_socket.go b/notify_socket.go -index b890b5b1c..286ce1ddd 100644 +index e7453c62..d961453a 100644 --- a/notify_socket.go +++ b/notify_socket.go -@@ -6,11 +6,14 @@ import ( - "bytes" +@@ -7,11 +7,13 @@ import ( "fmt" "net" -+ "os" + "os" + "path" "path/filepath" + "strconv" @@ -37,7 +36,7 @@ index b890b5b1c..286ce1ddd 100644 "github.com/urfave/cli" ) -@@ -26,12 +29,12 @@ func newNotifySocket(context *cli.Context, notifySocketHost string, id string) * +@@ -27,12 +29,12 @@ func newNotifySocket(context *cli.Context, notifySocketHost string, id string) * } root := filepath.Join(context.GlobalString("root"), id) 
@@ -52,7 +51,7 @@ index b890b5b1c..286ce1ddd 100644 } return notifySocket -@@ -43,13 +46,19 @@ func (s *notifySocket) Close() error { +@@ -44,13 +46,19 @@ func (s *notifySocket) Close() error { // If systemd is supporting sd_notify protocol, this function will add support // for sd_notify protocol from within the container. @@ -76,7 +75,7 @@ index b890b5b1c..286ce1ddd 100644 addr := net.UnixAddr{ Name: s.socketPath, Net: "unixgram", -@@ -64,45 +73,89 @@ func (s *notifySocket) setupSocket() error { +@@ -71,45 +79,89 @@ func (s *notifySocket) setupSocket() error { return nil } @@ -189,7 +188,7 @@ index b890b5b1c..286ce1ddd 100644 } } diff --git a/signals.go b/signals.go -index b67f65a03..dd25e094c 100644 +index b67f65a0..dd25e094 100644 --- a/signals.go +++ b/signals.go @@ -70,6 +70,7 @@ func (h *signalHandler) forward(process *libcontainer.Process, tty *tty, detach @@ -211,7 +210,7 @@ index b67f65a03..dd25e094c 100644 } } diff --git a/start.go b/start.go -index 2bb698b20..3a1769a43 100644 +index 2bb698b2..3a1769a4 100644 --- a/start.go +++ b/start.go @@ -3,6 +3,7 @@ package main @@ -242,10 +241,10 @@ index 2bb698b20..3a1769a43 100644 return errors.New("cannot start a container that has stopped") case libcontainer.Running: diff --git a/utils_linux.go b/utils_linux.go -index ce50db145..670c0fcba 100644 +index 984e6b0f..46c26246 100644 --- a/utils_linux.go +++ b/utils_linux.go -@@ -406,7 +406,9 @@ func startContainer(context *cli.Context, spec *specs.Spec, action CtAct, criuOp +@@ -408,7 +408,9 @@ func startContainer(context *cli.Context, spec *specs.Spec, action CtAct, criuOp notifySocket := newNotifySocket(context, os.Getenv("NOTIFY_SOCKET"), id) if notifySocket != nil { 
@@ -256,7 +255,7 @@ index ce50db145..670c0fcba 100644 } container, err := createContainer(context, id, spec) -@@ -415,10 +417,16 @@ func startContainer(context *cli.Context, spec *specs.Spec, action CtAct, criuOp +@@ -417,10 +419,16 @@ func startContainer(context *cli.Context, spec *specs.Spec, action CtAct, criuOp } if notifySocket != nil { @@ -274,3 +273,6 @@ index ce50db145..670c0fcba 100644 } // Support on-demand socket activation by passing file descriptors into the container init process. +-- +2.21.0 + diff --git a/SOURCES/99-containers.conf b/SOURCES/99-containers.conf deleted file mode 100644 index 7e2d537..0000000 --- a/SOURCES/99-containers.conf +++ /dev/null @@ -1 +0,0 @@ -fs.may_detach_mounts=1 diff --git a/SOURCES/9aef50441511f0e9954d31d5ae84429040032e7c.patch b/SOURCES/9aef50441511f0e9954d31d5ae84429040032e7c.patch deleted file mode 100644 index b077fb5..0000000 --- a/SOURCES/9aef50441511f0e9954d31d5ae84429040032e7c.patch +++ /dev/null 
@@ -1,179 +0,0 @@ -From 9aef50441511f0e9954d31d5ae84429040032e7c Mon Sep 17 00:00:00 2001 -From: Aleksa Sarai -Date: Mon, 30 Sep 2019 00:35:33 +1000 -Subject: [PATCH] vendor: update github.com/opencontainers/selinux - -This is a bump to v1.3.0, plus the necessary CVE-2019-16884 mitigation. - -Signed-off-by: Aleksa Sarai ---- - vendor.conf | 2 +- - .../selinux/go-selinux/label/label_selinux.go | 18 ++++++---- - .../selinux/go-selinux/selinux_linux.go | 33 +++++++++++++++++++ - .../selinux/go-selinux/selinux_stub.go | 13 ++++++++ - 4 files changed, 58 insertions(+), 8 deletions(-) - -diff --git a/vendor.conf b/vendor.conf -index e3f8e6d7e..a29764cd7 100644 ---- a/vendor.conf -+++ b/vendor.conf -@@ -5,7 +5,7 @@ - # Core libcontainer functionality. - github.com/checkpoint-restore/go-criu v3.11 - github.com/mrunalp/fileutils ed869b029674c0e9ce4c0dfa781405c2d9946d08 --github.com/opencontainers/selinux v1.2.2 -+github.com/opencontainers/selinux 5215b1806f52b1fcc2070a8826c542c9d33cd3cf # v1.3.0 (+ CVE-2019-16884) - github.com/seccomp/libseccomp-golang 84e90a91acea0f4e51e62bc1a75de18b1fc0790f - github.com/sirupsen/logrus a3f95b5c423586578a4e099b11a46c2479628cac - github.com/syndtr/gocapability db04d3cc01c8b54962a58ec7e491717d06cfcc16 -diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go -index 1eb9a6bf2..2730fcf4a 100644 ---- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go -+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go -@@ -13,11 +13,12 @@ import ( - - // Valid Label Options - var validOptions = map[string]bool{ -- "disable": true, -- "type": true, -- "user": true, -- "role": true, -- "level": true, -+ "disable": true, -+ "type": true, -+ "filetype": true, -+ "user": true, -+ "role": true, -+ "level": true, - } - - var ErrIncompatibleLabel = fmt.Errorf("Bad SELinux option z and Z can not be used 
together") -@@ -51,13 +52,16 @@ func InitLabels(options []string) (plabel string, mlabel string, Err error) { - return "", mountLabel, nil - } - if i := strings.Index(opt, ":"); i == -1 { -- return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type' followed by ':' and a value", opt) -+ return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type, filetype' followed by ':' and a value", opt) - } - con := strings.SplitN(opt, ":", 2) - if !validOptions[con[0]] { -- return "", "", fmt.Errorf("Bad label option %q, valid options 'disable, user, role, level, type'", con[0]) -+ return "", "", fmt.Errorf("Bad label option %q, valid options 'disable, user, role, level, type, filetype'", con[0]) - - } -+ if con[0] == "filetype" { -+ mcon["type"] = con[1] -+ } - pcon[con[0]] = con[1] - if con[0] == "level" || con[0] == "user" { - mcon[con[0]] = con[1] -diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go -index d7786c33c..8cdf1b054 100644 ---- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go -+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go -@@ -18,6 +18,8 @@ import ( - "strings" - "sync" - "syscall" -+ -+ "golang.org/x/sys/unix" - ) - - const ( -@@ -252,6 +254,12 @@ func getSELinuxPolicyRoot() string { - return filepath.Join(selinuxDir, readConfig(selinuxTypeTag)) - } - -+func isProcHandle(fh *os.File) (bool, error) { -+ var buf unix.Statfs_t -+ err := unix.Fstatfs(int(fh.Fd()), &buf) -+ return buf.Type == unix.PROC_SUPER_MAGIC, err -+} -+ - func readCon(fpath string) (string, error) { - if fpath == "" { - return "", ErrEmptyPath -@@ -263,6 +271,12 @@ func readCon(fpath string) (string, error) { - } - defer in.Close() - -+ if ok, err := isProcHandle(in); err != nil { -+ return "", err -+ } else if !ok { -+ return "", fmt.Errorf("%s not on 
procfs", fpath) -+ } -+ - var retval string - if _, err := fmt.Fscanf(in, "%s", &retval); err != nil { - return "", err -@@ -345,6 +359,12 @@ func writeCon(fpath string, val string) error { - } - defer out.Close() - -+ if ok, err := isProcHandle(out); err != nil { -+ return err -+ } else if !ok { -+ return fmt.Errorf("%s not on procfs", fpath) -+ } -+ - if val != "" { - _, err = out.Write([]byte(val)) - } else { -@@ -392,6 +412,14 @@ func SetExecLabel(label string) error { - return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/exec", syscall.Gettid()), label) - } - -+/* -+SetTaskLabel sets the SELinux label for the current thread, or an error. -+This requires the dyntransition permission. -+*/ -+func SetTaskLabel(label string) error { -+ return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/current", syscall.Gettid()), label) -+} -+ - // SetSocketLabel takes a process label and tells the kernel to assign the - // label to the next socket that gets created - func SetSocketLabel(label string) error { -@@ -403,6 +431,11 @@ func SocketLabel() (string, error) { - return readCon(fmt.Sprintf("/proc/self/task/%d/attr/sockcreate", syscall.Gettid())) - } - -+// PeerLabel retrieves the label of the client on the other side of a socket -+func PeerLabel(fd uintptr) (string, error) { -+ return unix.GetsockoptString(int(fd), syscall.SOL_SOCKET, syscall.SO_PEERSEC) -+} -+ - // SetKeyLabel takes a process label and tells the kernel to assign the - // label to the next kernel keyring that gets created - func SetKeyLabel(label string) error { -diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go -index 79b005d19..0c2e1cd38 100644 ---- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go -+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go -@@ -96,6 +96,14 @@ func SetExecLabel(label string) error { - return nil - } - -+/* -+SetTaskLabel sets the 
SELinux label for the current thread, or an error. -+This requires the dyntransition permission. -+*/ -+func SetTaskLabel(label string) error { -+ return nil -+} -+ - /* - SetSocketLabel sets the SELinux label that the kernel will use for any programs - that are executed by the current process thread, or an error. -@@ -109,6 +117,11 @@ func SocketLabel() (string, error) { - return "", nil - } - -+// PeerLabel retrieves the label of the client on the other side of a socket -+func PeerLabel(fd uintptr) (string, error) { -+ return "", nil -+} -+ - // SetKeyLabel takes a process label and tells the kernel to assign the - // label to the next kernel keyring that gets created - func SetKeyLabel(label string) error { diff --git a/SOURCES/d463f6485b809b5ea738f84e05ff5b456058a184.patch b/SOURCES/d463f6485b809b5ea738f84e05ff5b456058a184.patch deleted file mode 100644 index a751010..0000000 --- a/SOURCES/d463f6485b809b5ea738f84e05ff5b456058a184.patch +++ /dev/null 
@@ -1,140 +0,0 @@ -From d463f6485b809b5ea738f84e05ff5b456058a184 Mon Sep 17 00:00:00 2001 -From: Aleksa Sarai -Date: Fri, 27 Sep 2019 12:01:07 +1000 -Subject: [PATCH] *: verify that operations on /proc/... are on procfs - -This is an additional mitigation for CVE-2019-16884. The primary problem -is that Docker can be coerced into bind-mounting a file system on top of -/proc (resulting in label-related writes to /proc no longer happening). - -While we are working on mitigations against permitting the mounts, this -helps avoid our code from being tricked into writing to non-procfs -files. This is not a perfect solution (after all, there might be a -bind-mount of a different procfs file over the target) but in order to -exploit that you would need to be able to tweak a config.json pretty -specifically (which thankfully Docker doesn't allow). - -Specifically this stops AppArmor from not labeling a process silently -due to /proc/self/attr/... being incorrectly set, and stops any -accidental fd leaks because /proc/self/fd/... is not real. - -Signed-off-by: Aleksa Sarai ---- - libcontainer/apparmor/apparmor.go | 10 +++++-- - libcontainer/utils/utils_unix.go | 44 ++++++++++++++++++++++++------- - 2 files changed, 42 insertions(+), 12 deletions(-) - -diff --git a/libcontainer/apparmor/apparmor.go b/libcontainer/apparmor/apparmor.go -index 7fff0627f..debfc1e48 100644 ---- a/libcontainer/apparmor/apparmor.go -+++ b/libcontainer/apparmor/apparmor.go -@@ -6,6 +6,8 @@ import ( - "fmt" - "io/ioutil" - "os" -+ -+ "github.com/opencontainers/runc/libcontainer/utils" - ) - - // IsEnabled returns true if apparmor is enabled for the host. 
-@@ -19,7 +21,7 @@ func IsEnabled() bool { - return false - } - --func setprocattr(attr, value string) error { -+func setProcAttr(attr, value string) error { - // Under AppArmor you can only change your own attr, so use /proc/self/ - // instead of /proc// like libapparmor does - path := fmt.Sprintf("/proc/self/attr/%s", attr) -@@ -30,6 +32,10 @@ func setprocattr(attr, value string) error { - } - defer f.Close() - -+ if err := utils.EnsureProcHandle(f); err != nil { -+ return err -+ } -+ - _, err = fmt.Fprintf(f, "%s", value) - return err - } -@@ -37,7 +43,7 @@ func setprocattr(attr, value string) error { - // changeOnExec reimplements aa_change_onexec from libapparmor in Go - func changeOnExec(name string) error { - value := "exec " + name -- if err := setprocattr("exec", value); err != nil { -+ if err := setProcAttr("exec", value); err != nil { - return fmt.Errorf("apparmor failed to apply profile: %s", err) - } - return nil -diff --git a/libcontainer/utils/utils_unix.go b/libcontainer/utils/utils_unix.go -index c96088988..1576f2d4a 100644 ---- a/libcontainer/utils/utils_unix.go -+++ b/libcontainer/utils/utils_unix.go -@@ -3,33 +3,57 @@ - package utils - - import ( -- "io/ioutil" -+ "fmt" - "os" - "strconv" - - "golang.org/x/sys/unix" - ) - -+// EnsureProcHandle returns whether or not the given file handle is on procfs. -+func EnsureProcHandle(fh *os.File) error { -+ var buf unix.Statfs_t -+ if err := unix.Fstatfs(int(fh.Fd()), &buf); err != nil { -+ return fmt.Errorf("ensure %s is on procfs: %v", fh.Name(), err) -+ } -+ if buf.Type != unix.PROC_SUPER_MAGIC { -+ return fmt.Errorf("%s is not on procfs", fh.Name()) -+ } -+ return nil -+} -+ -+// CloseExecFrom applies O_CLOEXEC to all file descriptors currently open for -+// the process (except for those below the given fd value). 
- func CloseExecFrom(minFd int) error { -- fdList, err := ioutil.ReadDir("/proc/self/fd") -+ fdDir, err := os.Open("/proc/self/fd") -+ if err != nil { -+ return err -+ } -+ defer fdDir.Close() -+ -+ if err := EnsureProcHandle(fdDir); err != nil { -+ return err -+ } -+ -+ fdList, err := fdDir.Readdirnames(-1) - if err != nil { - return err - } -- for _, fi := range fdList { -- fd, err := strconv.Atoi(fi.Name()) -+ for _, fdStr := range fdList { -+ fd, err := strconv.Atoi(fdStr) -+ // Ignore non-numeric file names. - if err != nil { -- // ignore non-numeric file names - continue - } -- -+ // Ignore descriptors lower than our specified minimum. - if fd < minFd { -- // ignore descriptors lower than our specified minimum - continue - } -- -- // intentionally ignore errors from unix.CloseOnExec -+ // Intentionally ignore errors from unix.CloseOnExec -- the cases where -+ // this might fail are basically file descriptors that have already -+ // been closed (including and especially the one that was created when -+ // ioutil.ReadDir did the "opendir" syscall). - unix.CloseOnExec(fd) -- // the cases where this might fail are basically file descriptors that have already been closed (including and especially the one that was created when ioutil.ReadDir did the "opendir" syscall) - } - return nil - } diff --git a/SPECS/runc.spec b/SPECS/runc.spec index 7cf6021..d08a700 100644 --- a/SPECS/runc.spec +++ b/SPECS/runc.spec 
@@ -11,8 +11,8 @@
 %if 0%{?rhel} > 7 && ! 0%{?fedora}
 %define gobuild(o:) \
-go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
-%endif # distro
+go build -buildmode pie -compiler gc -tags="rpm_crashtraceback no_openssl ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
+%endif
 %global provider github
 %global provider_tld com
@@ -21,23 +21,19 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -
 # https://github.com/opencontainers/runc
 %global import_path %{provider}.%{provider_tld}/%{project}/%{repo}
 %global git0 https://%{import_path}
-%global commit0 425e105d5a03fabd737a126ad93d62a9eeede87f
+%global commit0 d736ef14f0288d6993a1845745d6756cfc9ddd5a
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 Name: %{repo}
 Version: 1.0.0
-Release: 61.rc8%{?dist}
+Release: 64.rc9%{?dist}
 Summary: CLI for running Open Containers
 ExcludeArch: %{ix86}
 License: ASL 2.0
 URL: %{git0}
 Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
-Source1: 99-containers.conf
 Patch0: 1807.patch
-Patch1: https://github.com/opencontainers/runc/commit/9aef50441511f0e9954d31d5ae84429040032e7c.patch
-Patch2: https://github.com/opencontainers/runc/commit/d463f6485b809b5ea738f84e05ff5b456058a184.patch
-# If go_compiler is not set to 1, there is no virtual provide. Use golang instead.
-BuildRequires: %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang} >= 1.6.2
+BuildRequires: golang >= 1.12.12-4
 BuildRequires: git
 BuildRequires: go-md2man
 BuildRequires: libseccomp-devel
@@ -63,7 +59,7 @@ popd
 pushd GOPATH/src/%{import_path}
 export GOPATH=%{gopath}:$(pwd)/GOPATH
 export BUILDTAGS="selinux seccomp"
-%gobuild -o %{name} %{import_path}
+%gobuild -o %{name} %{import_path}
 pushd man
 ./md2man-all.sh
@@ -93,9 +89,22 @@ install -p -m 0644 contrib/completions/bash/%{name} %{buildroot}%{_datadir}/bash
 %{_datadir}/bash-completion/completions/%{name}
 %changelog
-* Mon Nov 25 2019 Jindrich Novy - 1.0.0-61.rc8
-- backport patches for CVE-2019-16884 from upstream
-- Resolves: #1764182
+* Wed Dec 11 2019 Jindrich Novy - 1.0.0-64.rc9
+- use no_openssl in BUILDTAGS (no vendored crypto in runc)
+- Related: RHELPLAN-25138
+
+* Mon Dec 09 2019 Jindrich Novy - 1.0.0-63.rc9
+- be sure to use golang >= 1.12.12-4
+- Related: RHELPLAN-25138
+
+* Thu Nov 28 2019 Jindrich Novy - 1.0.0-62.rc9
+- rebuild because of CVE-2019-9512 and CVE-2019-9514
+- Related: RHELPLAN-25138
+
+* Thu Nov 21 2019 Jindrich Novy - 1.0.0-61.rc9
+- update to runc 1.0.0-rc9 release
+- amend golang deps
+- fixes CVE-2019-16884
 * Mon Jun 17 2019 Lokesh Mandvekar - 1.0.0-60.rc8
 - Resolves: #1721247
 - enable fips mode
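Review bot: The `-Source1: 99-containers.conf` removal in the `@@ -21,23 +21,19 @@` hunk (together with the deletion of SOURCES/99-containers.conf, which carried `fs.may_detach_mounts=1`) is not recorded in any of the four new changelog entries, so the dropped sysctl drop-in is invisible to anyone reading the package history; add a bullet under the 1.0.0-61.rc9 entry such as `- drop 99-containers.conf (fs.may_detach_mounts sysctl drop-in), no longer shipped` together with the reason. The %install and %files lines that presumably installed %{SOURCE1} are outside the shown hunks; if they still reference it the build fails, so confirm they were removed in the same change. The `-%gobuild -o %{name} %{import_path}` / `+%gobuild -o %{name} %{import_path}` pair in the `@@ -63,7 +59,7 @@` hunk differs only in whitespace that a reader cannot see here; either drop that hunk or label it as trailing-whitespace cleanup in the changelog. The `-B 0x$(head -c20 /dev/urandom|...)` build-id carried into the new `+go build` line still makes every build non-reproducible, which is pre-existing but worth a `# TODO: derive the build-id from the source hash for reproducible builds` comment now that the gobuild macro is being edited.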