Date: Sunday, March 31, 2019 @ 20:21:17 Author: bpiotrowski Revision: 446895
archrelease: copy trunk to community-x86_64 Added: runc/repos/community-x86_64/PKGBUILD (from rev 446894, runc/trunk/PKGBUILD) Deleted: runc/repos/community-x86_64/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch runc/repos/community-x86_64/PKGBUILD -----------------------------------------------------------------+ 0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch | 304 ---------- PKGBUILD | 96 +-- 2 files changed, 46 insertions(+), 354 deletions(-) Deleted: 0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch =================================================================== --- 0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch 2019-03-31 20:20:54 UTC (rev 446894) +++ 0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch 2019-03-31 20:21:17 UTC (rev 446895) @@ -1,304 +0,0 @@ -From 604a8f8120ef128c0a5bc778e71909eeb0906842 Mon Sep 17 00:00:00 2001 -From: Aleksa Sarai <asa...@suse.de> -Date: Wed, 9 Jan 2019 13:40:01 +1100 -Subject: [PATCH] nsenter: clone /proc/self/exe to avoid exposing host binary - to container - -There are quite a few circumstances where /proc/self/exe pointing to a -pretty important container binary is a _bad_ thing, so to avoid this we -have to make a copy (preferably doing self-clean-up and not being -writeable). - -As a hotfix we require memfd_create(2), but we can always extend this to -use a scratch MNT_DETACH overlayfs or tmpfs. The main downside to this -approach is no page-cache sharing for the runc binary (which overlayfs -would give us) but this is far less complicated. - -This is only done during nsenter so that it happens transparently to the -Go code, and any libcontainer users benefit from it. This also makes -ExtraFiles and --preserve-fds handling trivial (because we don't need to -worry about it). - -Fixes: CVE-2019-5736 -Signed-off-by: Aleksa Sarai <asa...@suse.de> ---- - libcontainer/nsenter/cloned_binary.c | 236 +++++++++++++++++++++++++++ - libcontainer/nsenter/nsexec.c | 11 ++ - 2 files changed, 247 insertions(+) - create mode 100644 libcontainer/nsenter/cloned_binary.c - -diff --git a/libcontainer/nsenter/cloned_binary.c b/libcontainer/nsenter/cloned_binary.c -new file mode 100644 -index 000000000000..ec383c173dd2 ---- /dev/null -+++ b/libcontainer/nsenter/cloned_binary.c -@@ -0,0 +1,236 @@ -+#define _GNU_SOURCE -+#include <unistd.h> -+#include <stdio.h> -+#include <stdlib.h> -+#include <stdbool.h> -+#include <string.h> -+#include <limits.h> -+#include <fcntl.h> -+ -+#include <sys/types.h> -+#include <sys/stat.h> -+#include <sys/vfs.h> -+#include <sys/mman.h> -+#include <sys/sendfile.h> -+#include <sys/syscall.h> -+ -+#include <linux/magic.h> -+#include <linux/memfd.h> -+ -+#define MEMFD_COMMENT "runc_cloned:/proc/self/exe" -+#define MEMFD_LNKNAME "/memfd:" MEMFD_COMMENT " (deleted)" -+ -+/* Use our own wrapper for memfd_create. */ -+#if !defined(SYS_memfd_create) && defined(__NR_memfd_create) -+# define SYS_memfd_create __NR_memfd_create -+#endif -+#ifndef SYS_memfd_create -+# error "memfd_create(2) syscall not supported by this glibc version" -+#endif -+int memfd_create(const char *name, unsigned int flags) -+{ -+ return syscall(SYS_memfd_create, name, flags); -+} -+ -+/* This comes directly from <linux/fcntl.h>. */ -+#ifndef F_LINUX_SPECIFIC_BASE -+# define F_LINUX_SPECIFIC_BASE 1024 -+#endif -+#ifndef F_ADD_SEALS -+# define F_ADD_SEALS (F_LINUX_SPECIFIC_BASE + 9) -+# define F_GET_SEALS (F_LINUX_SPECIFIC_BASE + 10) -+#endif -+#ifndef F_SEAL_SEAL -+# define F_SEAL_SEAL 0x0001 /* prevent further seals from being set */ -+# define F_SEAL_SHRINK 0x0002 /* prevent file from shrinking */ -+# define F_SEAL_GROW 0x0004 /* prevent file from growing */ -+# define F_SEAL_WRITE 0x0008 /* prevent writes */ -+#endif -+ -+/* -+ * Verify whether we are currently in a self-cloned program. It's not really -+ * possible to trivially identify a memfd compared to a regular tmpfs file, so -+ * the best we can do is to check whether the readlink(2) looks okay and that -+ * it is on a tmpfs. -+ */ -+static int is_self_cloned(void) -+{ -+ struct statfs statfsbuf = {0}; -+ char linkname[PATH_MAX + 1] = {0}; -+ -+ if (statfs("/proc/self/exe", &statfsbuf) < 0) -+ return -1; -+ if (readlink("/proc/self/exe", linkname, PATH_MAX) < 0) -+ return -1; -+ -+ return statfsbuf.f_type == TMPFS_MAGIC && -+ !strncmp(linkname, MEMFD_LNKNAME, PATH_MAX); -+} -+ -+/* -+ * Basic wrapper around mmap(2) that gives you the file length so you can -+ * safely treat it as an ordinary buffer. Only gives you read access. -+ */ -+static char *read_file(char *path, size_t *length) -+{ -+ int fd; -+ char buf[4096], *copy = NULL; -+ -+ if (!length) -+ goto err; -+ *length = 0; -+ -+ fd = open(path, O_RDONLY|O_CLOEXEC); -+ if (fd < 0) -+ goto err_free; -+ -+ for (;;) { -+ int n; -+ char *old = copy; -+ -+ n = read(fd, buf, sizeof(buf)); -+ if (n < 0) -+ goto err_fd; -+ if (!n) -+ break; -+ -+ do { -+ copy = realloc(old, (*length + n) * sizeof(*old)); -+ } while(!copy); -+ -+ memcpy(copy + *length, buf, n); -+ *length += n; -+ } -+ close(fd); -+ return copy; -+ -+err_fd: -+ close(fd); -+err_free: -+ free(copy); -+err: -+ return NULL; -+} -+ -+/* -+ * A poor-man's version of "xargs -0". Basically parses a given block of -+ * NUL-delimited data, within the given length and adds a pointer to each entry -+ * to the array of pointers. -+ */ -+static int parse_xargs(char *data, int data_length, char ***output) -+{ -+ int num = 0; -+ char *cur = data; -+ -+ if (!data || *output) -+ return -1; -+ -+ do { -+ *output = malloc(sizeof(**output)); -+ } while (!*output); -+ -+ while (cur < data + data_length) { -+ char **old = *output; -+ -+ num++; -+ do { -+ *output = realloc(old, (num + 1) * sizeof(*old)); -+ } while (!*output); -+ -+ (*output)[num - 1] = cur; -+ cur += strlen(cur) + 1; -+ } -+ (*output)[num] = NULL; -+ return num; -+} -+ -+/* -+ * "Parse" out argv and envp from /proc/self/cmdline and /proc/self/environ. -+ * This is necessary because we are running in a context where we don't have a -+ * main() that we can just get the arguments from. -+ */ -+static int fetchve(char ***argv, char ***envp) -+{ -+ char *cmdline, *environ; -+ size_t cmdline_size, environ_size; -+ -+ cmdline = read_file("/proc/self/cmdline", &cmdline_size); -+ if (!cmdline) -+ goto err; -+ environ = read_file("/proc/self/environ", &environ_size); -+ if (!environ) -+ goto err_free; -+ -+ if (parse_xargs(cmdline, cmdline_size, argv) <= 0) -+ goto err_free_both; -+ if (parse_xargs(environ, environ_size, envp) <= 0) -+ goto err_free_both; -+ -+ return 0; -+ -+err_free_both: -+ free(environ); -+err_free: -+ free(cmdline); -+err: -+ return -1; -+} -+ -+static int clone_binary(void) -+{ -+ int binfd, memfd, err; -+ ssize_t sent = 0; -+ struct stat statbuf = {0}; -+ -+ binfd = open("/proc/self/exe", O_RDONLY|O_CLOEXEC); -+ if (binfd < 0) -+ goto err; -+ if (fstat(binfd, &statbuf) < 0) -+ goto err_binfd; -+ -+ memfd = memfd_create(MEMFD_COMMENT, MFD_CLOEXEC|MFD_ALLOW_SEALING); -+ if (memfd < 0) -+ goto err_binfd; -+ -+ while (sent < statbuf.st_size) { -+ ssize_t n = sendfile(memfd, binfd, NULL, statbuf.st_size - sent); -+ if (n < 0) -+ goto err_memfd; -+ sent += n; -+ } -+ -+ err = fcntl(memfd, F_ADD_SEALS, F_SEAL_SHRINK|F_SEAL_GROW|F_SEAL_WRITE|F_SEAL_SEAL); -+ if (err < 0) -+ goto err_memfd; -+ -+ close(binfd); -+ return memfd; -+ -+err_memfd: -+ close(memfd); -+err_binfd: -+ close(binfd); -+err: -+ return -1; -+} -+ -+int ensure_cloned_binary(void) -+{ -+ int execfd; -+ char **argv = NULL, **envp = NULL; -+ -+ /* Check that we're not self-cloned, and if we are then bail. */ -+ int cloned = is_self_cloned(); -+ if (cloned != 0) -+ return cloned; -+ -+ if (fetchve(&argv, &envp) < 0) -+ return -1; -+ -+ execfd = clone_binary(); -+ if (execfd < 0) -+ return -1; -+ -+ fexecve(execfd, argv, envp); -+ return -1; -+} -diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c -index 28269dfc027f..4fdfec1b7b89 100644 ---- a/libcontainer/nsenter/nsexec.c -+++ b/libcontainer/nsenter/nsexec.c -@@ -534,6 +534,9 @@ void join_namespaces(char *nslist) - free(namespaces); - } - -+/* Defined in cloned_binary.c. */ -+int ensure_cloned_binary(void); -+ - void nsexec(void) - { - int pipenum; -@@ -549,6 +552,14 @@ void nsexec(void) - if (pipenum == -1) - return; - -+ /* -+ * We need to re-exec if we are not in a cloned binary. This is necessary -+ * to ensure that containers won't be able to access the host binary -+ * through /proc/self/exe. See CVE-2019-5736. -+ */ -+ if (ensure_cloned_binary() < 0) -+ bail("could not ensure we are a cloned binary"); -+ - /* Parse all of the netlink configuration. */ - nl_parse(pipenum, &config); - --- -2.20.1 - - Deleted: PKGBUILD =================================================================== --- PKGBUILD 2019-03-31 20:20:54 UTC (rev 446894) +++ PKGBUILD 2019-03-31 20:21:17 UTC (rev 446895) @@ -1,50 +0,0 @@ -# Maintainer: Morten Linderud <foxbo...@archlinux.org> -# Contributor: Sébastien "Seblu" Luttringer - -pkgname=runc -pkgver=1.0.0rc6 -pkgrel=1 -pkgdesc='CLI tool for managing OCI compliant containers' -arch=(x86_64) -url='https://runc.io/' -license=(Apache) -depends=(libseccomp) -makedepends=(git go-pie go-md2man) -_commit=ccb5efd37fb7c86364786e9137e22948751de7ed -source=("git+https://github.com/opencontainers/runc.git#commit=$_commit?signed" - "0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch") -validpgpkeys=("5F36C6C61B5460124A75F5A69E18AA267DDB8DB4") -sha256sums=('SKIP' - '327ee5b857062d53527701e70ae86a0614732e11b9000ab7a69f9e32981717c6') - -pkgver() { - cd runc - git describe | sed 's/^v//;s/-//;s/-/+/g' -} - -prepare() { - mkdir -p src/github.com/opencontainers - cp -r runc src/github.com/opencontainers/ - cd src/github.com/opencontainers/runc - patch -Np1 -i "${srcdir}/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch" -} - -build() { - cd src/github.com/opencontainers/runc - export EXTRA_FLAGS="-gcflags all=-trimpath=${PWD} -asmflags all=-trimpath=${PWD}" - export GOPATH="$srcdir" - export EXTRA_LDFLAGS="-extldflags ${LDFLAGS}" - export BUILDTAGS='seccomp' - make runc man -} - -package() { - cd src/github.com/opencontainers/runc - - install -Dm755 runc "$pkgdir/usr/bin/runc" - install -Dm644 contrib/completions/bash/runc \ - "$pkgdir/usr/share/bash-completion/completions/runc" - - install -d "$pkgdir/usr/share/man/man8" - install -m644 man/man8/*.8 "$pkgdir/usr/share/man/man8" -} Copied: runc/repos/community-x86_64/PKGBUILD (from rev 446894, runc/trunk/PKGBUILD) =================================================================== --- PKGBUILD (rev 0) +++ PKGBUILD 2019-03-31 20:21:17 UTC (rev 446895) @@ -0,0 +1,46 @@ +# Maintainer: Morten Linderud <foxbo...@archlinux.org> +# Contributor: Sébastien "Seblu" Luttringer + +pkgname=runc +pkgver=1.0.0rc7 +pkgrel=1 +pkgdesc='CLI tool for managing OCI compliant containers' +arch=(x86_64) +url='https://runc.io/' +license=(Apache) +depends=(libseccomp) +makedepends=(git go-pie go-md2man) +_commit=69ae5da6afdcaaf38285a10b36f362e41cb298d6 # tags/v1.0.0-rc7^0 +source=("git+https://github.com/opencontainers/runc.git#commit=$_commit?signed") +validpgpkeys=("5F36C6C61B5460124A75F5A69E18AA267DDB8DB4") +sha256sums=('SKIP') + +pkgver() { + cd runc + git describe | sed 's/^v//;s/-//;s/-/+/g' +} + +prepare() { + mkdir -p src/github.com/opencontainers + cp -r runc src/github.com/opencontainers/ +} + +build() { + cd src/github.com/opencontainers/runc + export EXTRA_FLAGS="-gcflags all=-trimpath=${PWD} -asmflags all=-trimpath=${PWD}" + export GOPATH="$srcdir" + export EXTRA_LDFLAGS="-extldflags ${LDFLAGS}" + export BUILDTAGS='seccomp' + make runc man +} + +package() { + cd src/github.com/opencontainers/runc + + install -Dm755 runc "$pkgdir/usr/bin/runc" + install -Dm644 contrib/completions/bash/runc \ + "$pkgdir/usr/share/bash-completion/completions/runc" + + install -d "$pkgdir/usr/share/man/man8" + install -m644 man/man8/*.8 "$pkgdir/usr/share/man/man8" +}