Your message dated Wed, 15 Feb 2017 17:17:00 +0000
with message-id <[email protected]>
and subject line Re: Bug#855216: unblock: singularity-container/2.2-2
has caused the Debian Bug report #855216,
regarding unblock: singularity-container/2.2-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
855216: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855216
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

Please unblock package singularity-container

The 2.2 release contained a vulnerability described in detail upstream at
https://github.com/singularityware/singularity/releases/tag/2.2.1:
In versions of Singularity previous to 2.2.1, it was possible for a malicious 
user to create and manipulate specifically crafted raw devices within 
containers they own. Utilizing MS_NODEV as a container image mount option 
mitigates this potential vector of attack. As a result, this update should be 
implemented with high urgency. A big thanks to Mattias Wadenstein (@UMU in 
Sweden) for identifying and reporting this issue!

2.2-2 (debdiff attached) was prepared in collaboration with upstream to cover
that vulnerability and address a few other possibly security-related (snprintf)
and functionality-related issues. [email protected] was provided with the debdiff and
no negative opinions were expressed.

unblock singularity-container/2.2-2

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (900, 'testing'), (600, 'unstable'), (300, 'experimental'), (100, 
'unstable-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru singularity-container-2.2/debian/changelog 
singularity-container-2.2/debian/changelog
--- singularity-container-2.2/debian/changelog  2016-11-30 12:33:01.000000000 
-0500
+++ singularity-container-2.2/debian/changelog  2017-02-09 16:27:55.000000000 
-0500
@@ -1,3 +1,24 @@
+singularity-container (2.2-2) unstable; urgency=high
+
+  * debian/patches - picks up from upcoming 2.2.1 release
+    critical functionality and possibly security-related fixes
+    - changeset_b859cd8b4b9293f2a8a893ef41c5d93a5318dd6c.diff
+      to support mounting ext4 formatted images read-only
+    - changeset_f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d.diff
+      to utilize mount option MS_NODEV for images
+      (fixes potential security implications)
+    - changeset_d835fa1d20efc4aaacca4be68431d193d6625bd8.diff
+      to fix bootstrapping ran as root (thus no MS_NODEV restriction
+      from above patch should be applied)
+    - changeset_3a2b6537f0b1386336e29d7f763ae62374a7cb77.diff
+      exit with error if snprintf would have went out of bounds
+    - changeset_acc02b921192e7e16afe1513d5338904f8e6f907.diff
+      changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff
+      changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff
+      Various obvious fixes (updated URLs, apt --force-yes)
+
+ -- Yaroslav Halchenko <[email protected]>  Thu, 09 Feb 2017 16:27:55 -0500
+
 singularity-container (2.2-1) unstable; urgency=medium
 
   [ Mehdi Dogguy ]
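Review bot: the entry for changeset_f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d.diff describes the MS_NODEV change only as "(fixes potential security implications)"; the bug text names the upstream advisory (https://github.com/singularityware/singularity/releases/tag/2.2.1), so citing it here and stating in one line that the issue is crafted device nodes inside user-owned container images would let the changelog stand on its own for the security tracker. Also "if snprintf would have went out of bounds" should read "would have gone out of bounds".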
diff -Nru 
singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff
 
singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff
--- 
singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff
    1969-12-31 19:00:00.000000000 -0500
+++ 
singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff
    2017-02-09 16:27:55.000000000 -0500
@@ -0,0 +1,21 @@
+From: Gregory M. Kurtzer <[email protected]>
+Subject: Use --force-yes
+
+--- a/examples/debian.def
++++ b/examples/debian.def
+@@ -16,5 +16,5 @@ MirrorURL: http://ftp.us.debian.org/debi
+ %post
+     echo "Hello from inside the container"
+     apt-get update
+-    apt-get -y install vim
++    apt-get -y --force-yes install vim
+ 
+--- a/examples/ubuntu.def
++++ b/examples/ubuntu.def
+@@ -16,5 +16,5 @@ MirrorURL: http://us.archive.ubuntu.com/
+ %post
+     echo "Hello from inside the container"
+     sed -i 's/$/ universe/' /etc/apt/sources.list
+-    apt-get -y install vim
++    apt-get -y --force-yes install vim
+ 
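Review bot: `--force-yes` in both %post hunks is a blanket override (apt-get's manual describes it as a dangerous option that continues past situations apt considers potentially harmful, including failed package authentication), so these example bootstrap definitions now install vim even when the archive signature check fails. Since `-y` already makes the install non-interactive, it would be better to record in a comment why the override is needed, or to fix the underlying cause inside the bootstrap (for instance the missing keyring) rather than disabling every safety prompt in an example users will copy.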
diff -Nru 
singularity-container-2.2/debian/patches/changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff
 
singularity-container-2.2/debian/patches/changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff
--- 
singularity-container-2.2/debian/patches/changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff
    1969-12-31 19:00:00.000000000 -0500
+++ 
singularity-container-2.2/debian/patches/changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff
    2017-02-09 16:27:55.000000000 -0500
@@ -0,0 +1,14 @@
+From: Nekel-Seyew <[email protected]>
+Subject: added an ERRNO==ENOENT clause
+
+--- a/src/lib/file/group/group.c
++++ b/src/lib/file/group/group.c
+@@ -139,7 +139,7 @@ int singularity_file_group(void) {
+                 singularity_message(VERBOSE3, "Found supplementary group 
membership in: %d\n", gids[i]);
+                 singularity_message(VERBOSE2, "Adding user's supplementary 
group ('%s') info to template group file\n", grent->gr_name);
+                 fprintf(file_fp, "%s:x:%u:%s\n", gr->gr_name, gr->gr_gid, 
pwent->pw_name);
+-            } else if ( (errno == 0) || (errno == ESRCH) || (errno == EBADF) 
|| (errno == EPERM) ) {
++            } else if ( (errno == 0) || (errno == ESRCH) || (errno == EBADF) 
|| (errno == EPERM) || (errno == ENOENT)) {
+                 singularity_message(VERBOSE3, "Skipping GID %d as group entry 
does not exist.\n", gids[i]);
+             } else {
+                 singularity_message(ERROR, "Failed to lookup GID %d group 
entry: %s\n", gids[i], strerror(errno));
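Review bot: the new `(errno == ENOENT)` branch, like the `errno == 0` test beside it, only works if errno is cleared before the group lookup that precedes this hunk; that call sits outside the visible context, so please confirm it is preceded by `errno = 0`, otherwise a stale ENOENT left by an earlier unrelated call would silently skip a GID whose group entry does exist. Also visible in the context lines: the VERBOSE2 message uses `grent->gr_name` while the fprintf on the next line uses `gr->gr_name`; worth checking that both refer to the same entry.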
diff -Nru 
singularity-container-2.2/debian/patches/changeset_3a2b6537f0b1386336e29d7f763ae62374a7cb77.diff
 
singularity-container-2.2/debian/patches/changeset_3a2b6537f0b1386336e29d7f763ae62374a7cb77.diff
--- 
singularity-container-2.2/debian/patches/changeset_3a2b6537f0b1386336e29d7f763ae62374a7cb77.diff
    1969-12-31 19:00:00.000000000 -0500
+++ 
singularity-container-2.2/debian/patches/changeset_3a2b6537f0b1386336e29d7f763ae62374a7cb77.diff
    2017-02-09 16:27:55.000000000 -0500
@@ -0,0 +1,120 @@
+From: Brian Bockelman <[email protected]>
+Subject: Fix remaining usage of snprintf.
+
+--- a/src/lib/message.c
++++ b/src/lib/message.c
+@@ -109,23 +109,23 @@ void _singularity_message(int level, con
+     }
+ 
+     if ( level <= messagelevel ) {
+-        char *header_string;
++        char header_string[95];
+ 
+         if ( messagelevel >= DEBUG ) {
+-            char *debug_string = (char *) malloc(25);
+-            char *location_string = (char *) malloc(60);
+-            char *tmp_header_string = (char *) malloc(80);
+-            header_string = (char *) malloc(80);
++            char debug_string[25];
++            char location_string[60];
++            char tmp_header_string[86];
+             snprintf(location_string, 60, "%s:%d:%s()", file, line, 
function); // Flawfinder: ignore
++            location_string[59] = '\0';
+             snprintf(debug_string, 25, "[U=%d,P=%d]", geteuid(), getpid()); 
// Flawfinder: ignore
+-            snprintf(tmp_header_string, 80, "%-18s %s", debug_string, 
location_string); // Flawfinder: ignore
+-            snprintf(header_string, 80, "%-7s %-62s: ", prefix, 
tmp_header_string); // Flawfinder: ignore
+-            free(debug_string);
+-            free(location_string);
+-            free(tmp_header_string);
++            debug_string[24] = '\0';
++            snprintf(tmp_header_string, 86, "%-18s %s", debug_string, 
location_string); // Flawfinder: ignore
++            tmp_header_string[85] = '\0';
++            snprintf(header_string, 95, "%-7s %-62s: ", prefix, 
tmp_header_string); // Flawfinder: ignore
++            header_string[94] = '\0';
+         } else {
+-            header_string = (char *) malloc(11);
+             snprintf(header_string, 10, "%-7s: ", prefix); // Flawfinder: 
ignore
++            header_string[9] = '\0';
+         }
+ 
+         if ( level == INFO && messagelevel == INFO ) {
+@@ -138,7 +138,6 @@ void _singularity_message(int level, con
+             fprintf(stderr, "%s", strjoin(header_string, message));
+         }
+ 
+-
+         fflush(stdout);
+         fflush(stderr);
+ 
+--- a/src/lib/rootfs/rootfs.c
++++ b/src/lib/rootfs/rootfs.c
+@@ -184,7 +184,10 @@ int singularity_rootfs_mount(void) {
+     } else if ( envar_defined("SINGULARITY_WRITABLE") == TRUE ) {
+         singularity_message(VERBOSE3, "Not enabling overlayFS, image mounted 
writablable\n");
+     } else {
+-        snprintf(overlay_options, overlay_options_len, 
"lowerdir=%s,upperdir=%s,workdir=%s", rootfs_source, overlay_upper, 
overlay_work); // Flawfinder: ignore
++        if (snprintf(overlay_options, overlay_options_len, 
"lowerdir=%s,upperdir=%s,workdir=%s", rootfs_source, overlay_upper, 
overlay_work) >= overlay_options_len) {
++            singularity_message(ERROR, "Overly-long path names for OverlayFS 
configuration.\n");
++            ABORT(255);
++        }
+ 
+         singularity_priv_escalate();
+         singularity_message(DEBUG, "Mounting overlay tmpfs: %s\n", 
overlay_mount);
+--- a/src/lib/sessiondir.c
++++ b/src/lib/sessiondir.c
+@@ -55,7 +55,7 @@ char *singularity_sessiondir_init(char *
+         struct stat filestat;
+         uid_t uid = singularity_priv_getuid();
+ 
+-        sessiondir = (char *) malloc(sizeof(char) * PATH_MAX);
++        sessiondir = (char *) malloc(PATH_MAX);
+ 
+         singularity_message(DEBUG, "Checking Singularity configuration for 
'sessiondir prefix'\n");
+ 
+@@ -66,9 +66,15 @@ char *singularity_sessiondir_init(char *
+ 
+         singularity_config_rewind();
+         if ( ( sessiondir_prefix = envar_path("SINGULARITY_SESSIONDIR") ) != 
NULL ) {
+-            snprintf(sessiondir, sizeof(char) * PATH_MAX, 
"%s/singularity-session-%d.%d.%lu", sessiondir_prefix, (int)uid, 
(int)filestat.st_dev, (long unsigned)filestat.st_ino); // Flawfinder: ignore
++            if (snprintf(sessiondir, PATH_MAX, 
"%s/singularity-session-%d.%d.%lu", sessiondir_prefix, (int)uid, 
(int)filestat.st_dev, (long unsigned)filestat.st_ino) >= PATH_MAX) { // 
Flawfinder: ignore
++                singularity_message(ERROR, "Overly-long session directory 
specified.\n");
++                ABORT(255);
++            }
+         } else if ( ( sessiondir_prefix = 
singularity_config_get_value("sessiondir prefix") ) != NULL ) {
+-            snprintf(sessiondir, sizeof(char) * PATH_MAX, "%s%d.%d.%lu", 
sessiondir_prefix, (int)uid, (int)filestat.st_dev, (long 
unsigned)filestat.st_ino); // Flawfinder: ignore
++            if (snprintf(sessiondir, PATH_MAX, "%s%d.%d.%lu", 
sessiondir_prefix, (int)uid, (int)filestat.st_dev, (long 
unsigned)filestat.st_ino) >= PATH_MAX) { // Flawfinder: ignore
++                singularity_message(ERROR, "Overly-long session directory 
specified.\n");
++                ABORT(255);
++            }
+         } else {
+             snprintf(sessiondir, sizeof(char) * PATH_MAX, 
"/tmp/.singularity-session-%d.%d.%lu", (int)uid, (int)filestat.st_dev, (long 
unsigned)filestat.st_ino); // Flawfinder: ignore
+         }
+--- a/src/util/util.c
++++ b/src/util/util.c
+@@ -136,8 +136,12 @@ char *joinpath(const char * path1, const
+         path2++;
+     }
+ 
+-    ret = (char *) malloc(strlength(tmp_path1, PATH_MAX) + strlength(path2, 
PATH_MAX) + 2);
+-    snprintf(ret, strlength(tmp_path1, PATH_MAX) + strlen(path2) + 2, 
"%s/%s", tmp_path1, path2); // Flawfinder: ignore
++    size_t ret_pathlen = strlength(tmp_path1, PATH_MAX) + strlength(path2, 
PATH_MAX) + 2;
++    ret = (char *) malloc(ret_pathlen);
++    if (snprintf(ret, ret_pathlen, "%s/%s", tmp_path1, path2) >= ret_pathlen) 
{ // Flawfinder: ignore
++        singularity_message(ERROR, "Overly-long path name.\n");
++        ABORT(255);
++    }
+ 
+     return(ret);
+ }
+@@ -147,7 +151,10 @@ char *strjoin(char *str1, char *str2) {
+     int len = strlength(str1, 2048) + strlength(str2, 2048) + 1;
+ 
+     ret = (char *) malloc(len);
+-    snprintf(ret, len, "%s%s", str1, str2); // Flawfinder: ignore
++    if (snprintf(ret, len, "%s%s", str1, str2) >= len) { // Flawfinder: ignore
++       singularity_message(ERROR, "Overly-long string encountered.\n");
++       ABORT(255);
++    }
+ 
+     return(ret);
+ }
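Review bot: the `>= len` checks followed by ABORT are the right fail-closed shape for a setuid helper (an over-long SINGULARITY_SESSIONDIR or path now aborts instead of truncating or overflowing), but a few details in this hunk deserve tightening. The explicit terminators such as `header_string[94] = '\0'` in message.c are redundant, since snprintf always NUL-terminates when given a non-zero size, and the `[95]`/`[86]` buffer sizes are one byte short of the widest output the `"%-7s %-62s: "` format can produce from an 85-character `tmp_header_string`, so the debug header can still be silently truncated. In util.c `ret_pathlen` is a `size_t` while snprintf returns `int`, so a negative return (encoding error) is promoted and trips the ABORT; that is safe, but a comment would stop someone "fixing" it. The context line `fprintf(stderr, "%s", strjoin(header_string, message));` leaks the malloc'd strjoin result on every message; not introduced here, but worth a follow-up.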
diff -Nru 
singularity-container-2.2/debian/patches/changeset_acc02b921192e7e16afe1513d5338904f8e6f907.diff
 
singularity-container-2.2/debian/patches/changeset_acc02b921192e7e16afe1513d5338904f8e6f907.diff
--- 
singularity-container-2.2/debian/patches/changeset_acc02b921192e7e16afe1513d5338904f8e6f907.diff
    1969-12-31 19:00:00.000000000 -0500
+++ 
singularity-container-2.2/debian/patches/changeset_acc02b921192e7e16afe1513d5338904f8e6f907.diff
    2017-02-09 16:27:55.000000000 -0500
@@ -0,0 +1,14 @@
+From: Gregory M. Kurtzer <[email protected]>
+Subject: Fix busybox path
+
+--- a/examples/busybox.def
++++ b/examples/busybox.def
+@@ -5,7 +5,7 @@
+ # required approvals from the U.S. Dept. of Energy).  All rights reserved.
+ 
+ BootStrap: busybox
+-MirrorURL: https://www.busybox.net/downloads/binaries/busybox-x86_64
++MirrorURL: 
https://www.busybox.net/downloads/binaries/1.26.2-defconfig-multiarch/busybox-x86_64
+ 
+ 
+ %post
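Review bot: pinning the download to the 1.26.2-defconfig-multiarch directory makes the example bootstrap reproducible, but nothing in this hunk verifies the fetched binary beyond the HTTPS transport, and this binary becomes the container's entire userland. A recorded checksum compared after download would be a worthwhile addition to the example, or at least a comment stating that the URL is trusted as-is.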
diff -Nru 
singularity-container-2.2/debian/patches/changeset_b859cd8b4b9293f2a8a893ef41c5d93a5318dd6c.diff
 
singularity-container-2.2/debian/patches/changeset_b859cd8b4b9293f2a8a893ef41c5d93a5318dd6c.diff
--- 
singularity-container-2.2/debian/patches/changeset_b859cd8b4b9293f2a8a893ef41c5d93a5318dd6c.diff
    1969-12-31 19:00:00.000000000 -0500
+++ 
singularity-container-2.2/debian/patches/changeset_b859cd8b4b9293f2a8a893ef41c5d93a5318dd6c.diff
    2017-02-09 16:27:55.000000000 -0500
@@ -0,0 +1,31 @@
+From: Gregory M. Kurtzer <[email protected]>
+Subject: Minor fixup to fail over to try ext4 file system
+  Sorry, I didn't realize anyone was still using those images!
+
+--- a/src/lib/rootfs/image/image.c
++++ b/src/lib/rootfs/image/image.c
+@@ -127,16 +127,20 @@ int rootfs_image_mount(void) {
+         singularity_message(VERBOSE, "Mounting image in read/write\n");
+         singularity_priv_escalate();
+         if ( mount(loop_dev, mount_point, "ext3", MS_NOSUID, 
"errors=remount-ro") < 0 ) {
+-            singularity_message(ERROR, "Failed to mount image in 
(read/write): %s\n", strerror(errno));
+-            ABORT(255);
++            if ( mount(loop_dev, mount_point, "ext4", MS_NOSUID, 
"errors=remount-ro") < 0 ) {
++                singularity_message(ERROR, "Failed to mount image in 
(read/write): %s\n", strerror(errno));
++                ABORT(255);
++            }
+         }
+         singularity_priv_drop();
+     } else {
+         singularity_priv_escalate();
+         singularity_message(VERBOSE, "Mounting image in read/only\n");
+         if ( mount(loop_dev, mount_point, "ext3", MS_NOSUID|MS_RDONLY, 
"errors=remount-ro") < 0 ) {
+-            singularity_message(ERROR, "Failed to mount image in (read only): 
%s\n", strerror(errno));
+-            ABORT(255);
++            if ( mount(loop_dev, mount_point, "ext4", MS_NOSUID|MS_RDONLY, 
"errors=remount-ro") < 0 ) {
++                singularity_message(ERROR, "Failed to mount image in (read 
only): %s\n", strerror(errno));
++                ABORT(255);
++            }
+         }
+         singularity_priv_drop();
+     }
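Review bot: when the ext3 mount fails and the ext4 retry also fails, the ERROR message reports `strerror(errno)` from the second attempt only, so the reason the ext3 mount was rejected is lost; logging the first errno at VERBOSE level before retrying, or reporting both, would keep image problems diagnosable. The read/write and read-only branches now duplicate the same two-step fallback; factoring it into a helper that takes the flag set would keep the two paths in sync, which matters because later patches in this series edit exactly these lines.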
diff -Nru 
singularity-container-2.2/debian/patches/changeset_d835fa1d20efc4aaacca4be68431d193d6625bd8.diff
 
singularity-container-2.2/debian/patches/changeset_d835fa1d20efc4aaacca4be68431d193d6625bd8.diff
--- 
singularity-container-2.2/debian/patches/changeset_d835fa1d20efc4aaacca4be68431d193d6625bd8.diff
    1969-12-31 19:00:00.000000000 -0500
+++ 
singularity-container-2.2/debian/patches/changeset_d835fa1d20efc4aaacca4be68431d193d6625bd8.diff
    2017-02-09 16:27:55.000000000 -0500
@@ -0,0 +1,76 @@
+From: Gregory M. Kurtzer <[email protected]>
+Subject: Conditionally disable MS_NODEV when running as root
+
+--- a/src/lib/rootfs/dir/dir.c
++++ b/src/lib/rootfs/dir/dir.c
+@@ -65,6 +65,7 @@ int rootfs_dir_init(char *source, char *
+ 
+ 
+ int rootfs_dir_mount(void) {
++    int opts = MS_BIND|MS_NOSUID|MS_REC;
+ 
+     if ( ( mount_point == NULL ) || ( source_dir == NULL ) ) {
+         singularity_message(ERROR, "Called image_mount but image_init() 
hasn't been called\n");
+@@ -76,9 +77,13 @@ int rootfs_dir_mount(void) {
+         ABORT(255);
+     }
+ 
++    if ( getuid() != 0 ) {
++        opts |= MS_NODEV;
++    }
++
+     singularity_priv_escalate();
+     singularity_message(DEBUG, "Mounting container directory %s->%s\n", 
source_dir, mount_point);
+-    if ( mount(source_dir, mount_point, NULL, 
MS_BIND|MS_NOSUID|MS_REC|MS_NODEV, NULL) < 0 ) {
++    if ( mount(source_dir, mount_point, NULL, opts, NULL) < 0 ) {
+         singularity_message(ERROR, "Could not mount container directory 
%s->%s: %s\n", source_dir, mount_point, strerror(errno));
+         return 1;
+     }
+@@ -88,7 +93,7 @@ int rootfs_dir_mount(void) {
+         if ( singularity_ns_user_enabled() <= 0 ) {
+             singularity_priv_escalate();
+             singularity_message(VERBOSE2, "Making mount read only: %s\n", 
mount_point);
+-            if ( mount(NULL, mount_point, NULL, 
MS_BIND|MS_NOSUID|MS_REC|MS_REMOUNT|MS_RDONLY|MS_NODEV, NULL) < 0 ) {
++            if ( mount(NULL, mount_point, NULL, opts|MS_REMOUNT|MS_RDONLY, 
NULL) < 0 ) {
+                 singularity_message(ERROR, "Could not bind read only %s: 
%s\n", mount_point, strerror(errno));
+                 ABORT(255);
+             }
+--- a/src/lib/rootfs/image/image.c
++++ b/src/lib/rootfs/image/image.c
+@@ -100,6 +100,7 @@ int rootfs_image_init(char *source, char
+ 
+ 
+ int rootfs_image_mount(void) {
++    int opts = MS_NOSUID;
+ 
+     if ( mount_point == NULL ) {
+         singularity_message(ERROR, "Called image_mount but image_init() 
hasn't been called\n");
+@@ -122,12 +123,15 @@ int rootfs_image_mount(void) {
+         ABORT(255);
+     }
+ 
++    if ( getuid() != 0 ) {
++        opts |= MS_NODEV;
++    }
+ 
+     if ( read_write > 0 ) {
+         singularity_message(VERBOSE, "Mounting image in read/write\n");
+         singularity_priv_escalate();
+-        if ( mount(loop_dev, mount_point, "ext3", MS_NOSUID|MS_NODEV, 
"errors=remount-ro") < 0 ) {
+-            if ( mount(loop_dev, mount_point, "ext4", MS_NOSUID|MS_NODEV, 
"errors=remount-ro") < 0 ) {
++        if ( mount(loop_dev, mount_point, "ext3", opts, "errors=remount-ro") 
< 0 ) {
++            if ( mount(loop_dev, mount_point, "ext4", opts, 
"errors=remount-ro") < 0 ) {
+                 singularity_message(ERROR, "Failed to mount image in 
(read/write): %s\n", strerror(errno));
+                 ABORT(255);
+             }
+@@ -136,8 +140,8 @@ int rootfs_image_mount(void) {
+     } else {
+         singularity_priv_escalate();
+         singularity_message(VERBOSE, "Mounting image in read/only\n");
+-        if ( mount(loop_dev, mount_point, "ext3", 
MS_NOSUID|MS_RDONLY|MS_NODEV, "errors=remount-ro") < 0 ) {
+-            if ( mount(loop_dev, mount_point, "ext4", 
MS_NOSUID|MS_RDONLY|MS_NODEV, "errors=remount-ro") < 0 ) {
++        if ( mount(loop_dev, mount_point, "ext3", opts|MS_RDONLY, 
"errors=remount-ro") < 0 ) {
++            if ( mount(loop_dev, mount_point, "ext4", opts|MS_RDONLY, 
"errors=remount-ro") < 0 ) {
+                 singularity_message(ERROR, "Failed to mount image in (read 
only): %s\n", strerror(errno));
+                 ABORT(255);
+             }
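Review bot: `getuid() != 0` is evaluated before `singularity_priv_escalate()`, so the decision rests on the real UID of the invoking user rather than on the escalated effective UID; that is the correct ordering for a setuid binary and deserves a comment, because moving the check below the escalate call would hand every user the root exemption and reintroduce the issue the previous patch closes. Also note that squashfs.c, which gained MS_NODEV in changeset_f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d.diff, is not given the same root exemption here, so a root bootstrap on a squashfs image still mounts nodev; if that is intentional (squashfs is mounted read-only anyway), a sentence in the patch header would save the next reader the question.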
diff -Nru 
singularity-container-2.2/debian/patches/changeset_f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d.diff
 
singularity-container-2.2/debian/patches/changeset_f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d.diff
--- 
singularity-container-2.2/debian/patches/changeset_f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d.diff
    1969-12-31 19:00:00.000000000 -0500
+++ 
singularity-container-2.2/debian/patches/changeset_f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d.diff
    2017-02-09 16:27:55.000000000 -0500
@@ -0,0 +1,67 @@
+commit f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d
+Author: Gregory M. Kurtzer <[email protected]>
+Date:   Thu Feb 2 22:37:50 2017 +0000
+
+    Utilize mount option MS_NODEV for images
+
+diff --git a/src/lib/rootfs/dir/dir.c b/src/lib/rootfs/dir/dir.c
+index c6ba1a8c..75fa6468 100644
+--- a/src/lib/rootfs/dir/dir.c
++++ b/src/lib/rootfs/dir/dir.c
+@@ -78,7 +78,7 @@ int rootfs_dir_mount(void) {
+ 
+     singularity_priv_escalate();
+     singularity_message(DEBUG, "Mounting container directory %s->%s\n", 
source_dir, mount_point);
+-    if ( mount(source_dir, mount_point, NULL, MS_BIND|MS_NOSUID|MS_REC, NULL) 
< 0 ) {
++    if ( mount(source_dir, mount_point, NULL, 
MS_BIND|MS_NOSUID|MS_REC|MS_NODEV, NULL) < 0 ) {
+         singularity_message(ERROR, "Could not mount container directory 
%s->%s: %s\n", source_dir, mount_point, strerror(errno));
+         return 1;
+     }
+@@ -88,7 +88,7 @@ int rootfs_dir_mount(void) {
+         if ( singularity_ns_user_enabled() <= 0 ) {
+             singularity_priv_escalate();
+             singularity_message(VERBOSE2, "Making mount read only: %s\n", 
mount_point);
+-            if ( mount(NULL, mount_point, NULL, 
MS_BIND|MS_NOSUID|MS_REC|MS_REMOUNT|MS_RDONLY, NULL) < 0 ) {
++            if ( mount(NULL, mount_point, NULL, 
MS_BIND|MS_NOSUID|MS_REC|MS_REMOUNT|MS_RDONLY|MS_NODEV, NULL) < 0 ) {
+                 singularity_message(ERROR, "Could not bind read only %s: 
%s\n", mount_point, strerror(errno));
+                 ABORT(255);
+             }
+diff --git a/src/lib/rootfs/image/image.c b/src/lib/rootfs/image/image.c
+index 0db44999..8f3261fd 100644
+--- a/src/lib/rootfs/image/image.c
++++ b/src/lib/rootfs/image/image.c
+@@ -126,8 +126,8 @@ int rootfs_image_mount(void) {
+     if ( read_write > 0 ) {
+         singularity_message(VERBOSE, "Mounting image in read/write\n");
+         singularity_priv_escalate();
+-        if ( mount(loop_dev, mount_point, "ext3", MS_NOSUID, 
"errors=remount-ro") < 0 ) {
+-            if ( mount(loop_dev, mount_point, "ext4", MS_NOSUID, 
"errors=remount-ro") < 0 ) {
++        if ( mount(loop_dev, mount_point, "ext3", MS_NOSUID|MS_NODEV, 
"errors=remount-ro") < 0 ) {
++            if ( mount(loop_dev, mount_point, "ext4", MS_NOSUID|MS_NODEV, 
"errors=remount-ro") < 0 ) {
+                 singularity_message(ERROR, "Failed to mount image in 
(read/write): %s\n", strerror(errno));
+                 ABORT(255);
+             }
+@@ -136,8 +136,8 @@ int rootfs_image_mount(void) {
+     } else {
+         singularity_priv_escalate();
+         singularity_message(VERBOSE, "Mounting image in read/only\n");
+-        if ( mount(loop_dev, mount_point, "ext3", MS_NOSUID|MS_RDONLY, 
"errors=remount-ro") < 0 ) {
+-            if ( mount(loop_dev, mount_point, "ext4", MS_NOSUID|MS_RDONLY, 
"errors=remount-ro") < 0 ) {
++        if ( mount(loop_dev, mount_point, "ext3", 
MS_NOSUID|MS_RDONLY|MS_NODEV, "errors=remount-ro") < 0 ) {
++            if ( mount(loop_dev, mount_point, "ext4", 
MS_NOSUID|MS_RDONLY|MS_NODEV, "errors=remount-ro") < 0 ) {
+                 singularity_message(ERROR, "Failed to mount image in (read 
only): %s\n", strerror(errno));
+                 ABORT(255);
+             }
+diff --git a/src/lib/rootfs/squashfs/squashfs.c 
b/src/lib/rootfs/squashfs/squashfs.c
+index df71f4c2..82f2dfc5 100644
+--- a/src/lib/rootfs/squashfs/squashfs.c
++++ b/src/lib/rootfs/squashfs/squashfs.c
+@@ -104,7 +104,7 @@ int rootfs_squashfs_mount(void) {
+ 
+     singularity_priv_escalate();
+     singularity_message(VERBOSE, "Mounting squashfs image\n");
+-    if ( mount(loop_dev, mount_point, "squashfs", MS_NOSUID|MS_RDONLY, 
"errors=remount-ro") < 0 ) {
++    if ( mount(loop_dev, mount_point, "squashfs", 
MS_NOSUID|MS_RDONLY|MS_NODEV, "errors=remount-ro") < 0 ) {
+         singularity_message(ERROR, "Failed to mount squashfs image in (read 
only): %s\n", strerror(errno));
+         ABORT(255);
+     }
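Review bot: the read-only remount in dir.c restates the full flag set with MS_NODEV added, which is required rather than cosmetic: a `MS_REMOUNT|MS_BIND` call replaces the per-mount-point flags, so leaving MS_NODEV out of that second mount() would silently drop the restriction the first mount() just applied. A short comment at that call site would protect it from being "simplified" later. Style: this patch carries raw `commit`/`Author`/`Date` git headers while the other patches in the series use DEP-3 `From:`/`Subject:` lines; converting it to the same form, with an `Origin:` or `Bug:` line pointing at the upstream 2.2.1 release, would make the set consistent.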
diff -Nru singularity-container-2.2/debian/patches/series 
singularity-container-2.2/debian/patches/series
--- singularity-container-2.2/debian/patches/series     2016-11-30 
12:33:01.000000000 -0500
+++ singularity-container-2.2/debian/patches/series     2017-02-09 
16:27:55.000000000 -0500
@@ -2,3 +2,10 @@
 0001-BF-do-not-make-python-modules-not-intended-to-be-exe.patch
 0002-ENH-removed-python-shebangs-from-non-script-python-m.patch
 0001-BF-bash_completion.d-script-has-bashisms-so-use-bash.patch
+changeset_b859cd8b4b9293f2a8a893ef41c5d93a5318dd6c.diff
+changeset_f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d.diff
+changeset_d835fa1d20efc4aaacca4be68431d193d6625bd8.diff
+changeset_3a2b6537f0b1386336e29d7f763ae62374a7cb77.diff
+changeset_acc02b921192e7e16afe1513d5338904f8e6f907.diff
+changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff
+changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff
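Review bot: the order here is load-bearing and is not recorded anywhere: changeset_f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d.diff expects in its context the ext4 fallback lines that changeset_b859cd8b4b9293f2a8a893ef41c5d93a5318dd6c.diff introduces, and changeset_d835fa1d20efc4aaacca4be68431d193d6625bd8.diff removes MS_NODEV from lines that changeset_f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d.diff adds, so reordering would make the later patches fail to apply. A one-line `#` comment in the series file (quilt accepts them) recording that dependency would help future refreshes.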

--- End Message ---
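As an added check that is not part of the bug report or of the Singularity sources: a small C tool that parses /proc/self/mountinfo and reports whether a given mount point carries the nodev flag, so an administrator can confirm from inside a running container that the MS_NODEV mitigation shipped in 2.2.1 is actually in effect. The mount point paths in the embedded sample are constructed, and the parser does not decode the octal escapes mountinfo uses for spaces in paths.

```c
/* Added example, not part of the Debian bug or the Singularity source.
 * Verifies that a mount point has "nodev" among its per-mount options,
 * which is what mounting with MS_NODEV produces. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LINE_BUF 4096

/* Returns 1 if the mount at mount_point has nodev, 0 if it is mounted
 * without nodev, and -1 if no mount with that mount point is listed.
 * text is the contents of /proc/self/mountinfo (or a captured copy). */
int mount_has_nodev(const char *text, const char *mount_point)
{
    const char *line = text;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[LINE_BUF];
        if (len >= sizeof buf) len = sizeof buf - 1;   /* truncate oversize lines */
        memcpy(buf, line, len);
        buf[len] = '\0';

        /* mountinfo fields: id parent major:minor root mountpoint opts ... */
        char *f[6] = {0}, *save = NULL;
        char *tok = strtok_r(buf, " ", &save);
        int i = 0;
        while (tok && i < 6) { f[i++] = tok; tok = strtok_r(NULL, " ", &save); }
        if (i == 6 && strcmp(f[4], mount_point) == 0) {
            /* f[5] is the comma-separated per-mount option list, e.g. rw,nosuid,nodev */
            char *osave = NULL;
            for (char *o = strtok_r(f[5], ",", &osave); o; o = strtok_r(NULL, ",", &osave))
                if (strcmp(o, "nodev") == 0) return 1;
            return 0;
        }
        if (!eol) break;
        line = eol + 1;
    }
    return -1;
}

/* Constructed sample (paths are placeholders): one image mount as 2.2 produced
 * it (no nodev) and one as 2.2.1 produces it for a non-root user (nodev). */
const char *SAMPLE_MOUNTINFO =
    "36 25 7:0 / /mnt/image-a rw,nosuid,relatime - ext3 /dev/loop0 rw,errors=remount-ro\n"
    "37 25 7:1 / /mnt/image-b rw,nosuid,nodev,relatime - ext3 /dev/loop1 rw,errors=remount-ro\n";

/* Reads the live /proc/self/mountinfo into a malloc'd string; NULL on failure. */
char *read_mountinfo(void)
{
    FILE *fp = fopen("/proc/self/mountinfo", "r");
    if (!fp) return NULL;
    size_t cap = 8192, n = 0, got;
    char *buf = malloc(cap);
    if (!buf) { fclose(fp); return NULL; }
    while ((got = fread(buf + n, 1, cap - n - 1, fp)) > 0) {
        n += got;
        if (n + 1 >= cap) {
            char *nb = realloc(buf, cap * 2);
            if (!nb) { free(buf); fclose(fp); return NULL; }
            buf = nb; cap *= 2;
        }
    }
    buf[n] = '\0';
    fclose(fp);
    return buf;
}

int main(int argc, char **argv)
{
    /* Usage: ./nodev-check /path/to/container/mount; falls back to the sample. */
    const char *mp = argc > 1 ? argv[1] : "/mnt/image-b";
    char *live = argc > 1 ? read_mountinfo() : NULL;
    int r = mount_has_nodev(live ? live : SAMPLE_MOUNTINFO, mp);
    free(live);
    if (r < 0) { fprintf(stderr, "%s: not found in mountinfo\n", mp); return 2; }
    printf("%s: %s\n", mp, r ? "nodev set (MS_NODEV mitigation active)" : "nodev MISSING");
    return r ? 0 : 1;
}
```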
--- Begin Message ---
Yaroslav Halchenko:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
> 
> Please unblock package singularity-container
> 
> The 2.2 release contained a vulnerability described in detail upstream at
> https://github.com/singularityware/singularity/releases/tag/2.2.1:
> In versions of Singularity previous to 2.2.1, it was possible for a malicious 
> user to create and manipulate specifically crafted raw devices within 
> containers they own. Utilizing MS_NODEV as a container image mount option 
> mitigates this potential vector of attack. As a result, this update should be 
> implemented with high urgency. A big thanks to Mattias Wadenstein (@UMU in 
> Sweden) for identifying and reporting this issue!
> 
> 2.2-2 (debdiff attached) was prepared in collaboration with upstream to cover
> that vulnerability and address a few other possibly security-related (snprintf)
> and functionality-related issues. [email protected] was provided with the debdiff and
> no negative opinions were expressed.
> 
> unblock singularity-container/2.2-2
> 
> [...]

Unblocked, thanks.

~Niels

--- End Message ---