From: Andrei Gherzan <[email protected]> Signed-off-by: Andrei Gherzan <[email protected]> --- .../podman/podman/CVE-2022-27649.patch | 106 ++++++++++++++++++ recipes-containers/podman/podman_git.bb | 3 +- 2 files changed, 108 insertions(+), 1 deletion(-) create mode 100644 recipes-containers/podman/podman/CVE-2022-27649.patch
diff --git a/recipes-containers/podman/podman/CVE-2022-27649.patch b/recipes-containers/podman/podman/CVE-2022-27649.patch new file mode 100644 index 0000000..cb786ad --- /dev/null +++ b/recipes-containers/podman/podman/CVE-2022-27649.patch @@ -0,0 +1,106 @@ +From aafa80918a245edcbdaceb1191d749570f1872d0 Mon Sep 17 00:00:00 2001 +From: Giuseppe Scrivano <[email protected]> +Date: Mon, 28 Feb 2022 09:48:52 +0100 +Subject: [PATCH] do not set the inheritable capabilities + +The kernel never sets the inheritable capabilities for a process, they +are only set by userspace. Emulate the same behavior. + +CVE: CVE-2022-27649 +Upstream-Status: Backport [https://github.com/containers/podman/commit/aafa80918a245edcbdaceb1191d749570f1872d0] +Signed-off-by: Andrei Gherzan <[email protected]> +--- + libpod/oci_conmon_exec_linux.go | 7 +++++-- + pkg/specgen/generate/security.go | 7 +++++-- + test/e2e/run_test.go | 6 +++--- + 3 files changed, 13 insertions(+), 7 deletions(-) + +diff --git a/libpod/oci_conmon_exec_linux.go b/libpod/oci_conmon_exec_linux.go +index aa970bbde28..65123b37e6a 100644 +--- a/libpod/oci_conmon_exec_linux.go ++++ b/libpod/oci_conmon_exec_linux.go +@@ -758,11 +758,14 @@ func prepareProcessExec(c *Container, options *ExecOptions, env []string, sessio + } else { + pspec.Capabilities.Bounding = ctrSpec.Process.Capabilities.Bounding + } ++ ++ // Always unset the inheritable capabilities similarly to what the Linux kernel does ++ // They are used only when using capabilities with uid != 0. ++ pspec.Capabilities.Inheritable = []string{} ++ + if execUser.Uid == 0 { + pspec.Capabilities.Effective = pspec.Capabilities.Bounding +- pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding + pspec.Capabilities.Permitted = pspec.Capabilities.Bounding +- pspec.Capabilities.Ambient = pspec.Capabilities.Bounding + } else { + if user == c.config.User { + pspec.Capabilities.Effective = ctrSpec.Process.Capabilities.Effective +diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go +index 9c67099054f..988c2983267 100644 +--- a/pkg/specgen/generate/security.go ++++ b/pkg/specgen/generate/security.go +@@ -146,6 +146,10 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator, + + configSpec := g.Config + configSpec.Process.Capabilities.Ambient = []string{} ++ ++ // Always unset the inheritable capabilities similarly to what the Linux kernel does ++ // They are used only when using capabilities with uid != 0. ++ configSpec.Process.Capabilities.Inheritable = []string{} + configSpec.Process.Capabilities.Bounding = caplist + + user := strings.Split(s.User, ":")[0] +@@ -153,7 +157,6 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator, + if (user == "" && s.UserNS.NSMode != specgen.KeepID) || user == "root" || user == "0" { + configSpec.Process.Capabilities.Effective = caplist + configSpec.Process.Capabilities.Permitted = caplist +- configSpec.Process.Capabilities.Inheritable = caplist + } else { + mergedCaps, err := capabilities.MergeCapabilities(nil, s.CapAdd, nil) + if err != nil { +@@ -175,12 +178,12 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator, + } + configSpec.Process.Capabilities.Effective = userCaps + configSpec.Process.Capabilities.Permitted = userCaps +- configSpec.Process.Capabilities.Inheritable = userCaps + + // Ambient capabilities were added to Linux 4.3. Set ambient + // capabilities only when the kernel supports them. + if supportAmbientCapabilities() { + configSpec.Process.Capabilities.Ambient = userCaps ++ configSpec.Process.Capabilities.Inheritable = userCaps + } + } + +diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go +index 91a2eddadf6..f4a6e573355 100644 +--- a/test/e2e/run_test.go ++++ b/test/e2e/run_test.go +@@ -498,7 +498,7 @@ var _ = Describe("Podman run", func() { + session = podmanTest.Podman([]string{"run", "--rm", "--user", "root", ALPINE, "grep", "CapInh", "/proc/self/status"}) + session.WaitWithDefaultTimeout() + Expect(session).Should(Exit(0)) +- Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb")) ++ Expect(session.OutputToString()).To(ContainSubstring("0000000000000000")) + + session = podmanTest.Podman([]string{"run", "--rm", ALPINE, "grep", "CapBnd", "/proc/self/status"}) + session.WaitWithDefaultTimeout() +@@ -533,7 +533,7 @@ var _ = Describe("Podman run", func() { + session = podmanTest.Podman([]string{"run", "--user=0:0", "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"}) + session.WaitWithDefaultTimeout() + Expect(session).Should(Exit(0)) +- Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb")) ++ Expect(session.OutputToString()).To(ContainSubstring("0000000000000000")) + + if os.Geteuid() > 0 { + if os.Getenv("SKIP_USERNS") != "" { +@@ -550,7 +550,7 @@ var _ = Describe("Podman run", func() { + session = podmanTest.Podman([]string{"run", "--userns=keep-id", "--privileged", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"}) + session.WaitWithDefaultTimeout() + Expect(session).Should(Exit(0)) +- Expect(session.OutputToString()).To(ContainSubstring("0000000000000000")) ++ Expect(session.OutputToString()).To(ContainSubstring("0000000000000002")) + + session = podmanTest.Podman([]string{"run", "--userns=keep-id", "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"}) + session.WaitWithDefaultTimeout() diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb index aedb988..65e0205 100644 --- a/recipes-containers/podman/podman_git.bb +++ b/recipes-containers/podman/podman_git.bb @@ -22,7 +22,8 @@ SRC_URI = " \ git://github.com/containers/libpod.git;branch=v4.0;protocol=https \ file://0001-Rename-BUILDFLAGS-to-GOBUILDFLAGS.patch;patchdir=src/import \ file://0002-Define-ActKillThread-equal-to-ActKill.patch;patchdir=src/import/vendor/github.com/seccomp/libseccomp-golang \ - ${@bb.utils.contains('PACKAGECONFIG', 'rootless', 'file://50-podman-rootless.conf', '', d)} \ + file://CVE-2022-27649.patch;patchdir=src/import \ + ${@bb.utils.contains('PACKAGECONFIG', 'rootless', 'file://00-podman-rootless.conf', '', d)} \ " LICENSE = "Apache-2.0" -- 2.25.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#7573): https://lists.yoctoproject.org/g/meta-virtualization/message/7573 Mute This Topic: https://lists.yoctoproject.org/mt/93267827/21656 Group Owner: [email protected] Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
