On Tue, 30 Aug 2022, at 14:11, Bruce Ashfield wrote: > On Tue, Aug 30, 2022 at 6:29 AM Andrei Gherzan <[email protected]> wrote: >> >> On Fri, 26 Aug 2022, at 12:33, Andrei Gherzan wrote: >> > From: Andrei Gherzan <[email protected]> >> > >> > Signed-off-by: Andrei Gherzan <[email protected]> >> > --- >> > .../podman/podman/CVE-2022-27649.patch | 106 ++++++++++++++++++ >> > recipes-containers/podman/podman_git.bb | 3 +- >> > 2 files changed, 108 insertions(+), 1 deletion(-) >> > create mode 100644 recipes-containers/podman/podman/CVE-2022-27649.patch >> > >> > diff --git a/recipes-containers/podman/podman/CVE-2022-27649.patch >> > b/recipes-containers/podman/podman/CVE-2022-27649.patch >> > new file mode 100644 >> > index 0000000..cb786ad >> > --- /dev/null >> > +++ b/recipes-containers/podman/podman/CVE-2022-27649.patch >> > @@ -0,0 +1,106 @@ >> > +From aafa80918a245edcbdaceb1191d749570f1872d0 Mon Sep 17 00:00:00 2001 >> > +From: Giuseppe Scrivano <[email protected]> >> > +Date: Mon, 28 Feb 2022 09:48:52 +0100 >> > +Subject: [PATCH] do not set the inheritable capabilities >> > + >> > +The kernel never sets the inheritable capabilities for a process, they >> > +are only set by userspace. Emulate the same behavior. >> > + >> > +CVE: CVE-2022-27649 >> > +Upstream-Status: Backport >> > [https://github.com/containers/podman/commit/aafa80918a245edcbdaceb1191d749570f1872d0] >> > +Signed-off-by: Andrei Gherzan <[email protected]> >> > +--- >> > + libpod/oci_conmon_exec_linux.go | 7 +++++-- >> > + pkg/specgen/generate/security.go | 7 +++++-- >> > + test/e2e/run_test.go | 6 +++--- >> > + 3 files changed, 13 insertions(+), 7 deletions(-) >> > + >> > +diff --git a/libpod/oci_conmon_exec_linux.go >> > b/libpod/oci_conmon_exec_linux.go >> > +index aa970bbde28..65123b37e6a 100644 >> > +--- a/libpod/oci_conmon_exec_linux.go >> > ++++ b/libpod/oci_conmon_exec_linux.go >> > +@@ -758,11 +758,14 @@ func prepareProcessExec(c *Container, options >> > *ExecOptions, env []string, sessio >> > + } else { >> > + pspec.Capabilities.Bounding = >> > ctrSpec.Process.Capabilities.Bounding >> > + } >> > ++ >> > ++ // Always unset the inheritable capabilities similarly to what the >> > Linux kernel does >> > ++ // They are used only when using capabilities with uid != 0. >> > ++ pspec.Capabilities.Inheritable = []string{} >> > ++ >> > + if execUser.Uid == 0 { >> > + pspec.Capabilities.Effective = pspec.Capabilities.Bounding >> > +- pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding >> > + pspec.Capabilities.Permitted = pspec.Capabilities.Bounding >> > +- pspec.Capabilities.Ambient = pspec.Capabilities.Bounding >> > + } else { >> > + if user == c.config.User { >> > + pspec.Capabilities.Effective = >> > ctrSpec.Process.Capabilities.Effective >> > +diff --git a/pkg/specgen/generate/security.go >> > b/pkg/specgen/generate/security.go >> > +index 9c67099054f..988c2983267 100644 >> > +--- a/pkg/specgen/generate/security.go >> > ++++ b/pkg/specgen/generate/security.go >> > +@@ -146,6 +146,10 @@ func securityConfigureGenerator(s >> > *specgen.SpecGenerator, g *generate.Generator, >> > + >> > + configSpec := g.Config >> > + configSpec.Process.Capabilities.Ambient = []string{} >> > ++ >> > ++ // Always unset the inheritable capabilities similarly to what the >> > Linux kernel does >> > ++ // They are used only when using capabilities with uid != 0. >> > ++ configSpec.Process.Capabilities.Inheritable = []string{} >> > + configSpec.Process.Capabilities.Bounding = caplist >> > + >> > + user := strings.Split(s.User, ":")[0] >> > +@@ -153,7 +157,6 @@ func securityConfigureGenerator(s >> > *specgen.SpecGenerator, g *generate.Generator, >> > + if (user == "" && s.UserNS.NSMode != specgen.KeepID) || user == >> > "root" || user == "0" { >> > + configSpec.Process.Capabilities.Effective = caplist >> > + configSpec.Process.Capabilities.Permitted = caplist >> > +- configSpec.Process.Capabilities.Inheritable = caplist >> > + } else { >> > + mergedCaps, err := capabilities.MergeCapabilities(nil, >> > s.CapAdd, >> > nil) >> > + if err != nil { >> > +@@ -175,12 +178,12 @@ func securityConfigureGenerator(s >> > *specgen.SpecGenerator, g *generate.Generator, >> > + } >> > + configSpec.Process.Capabilities.Effective = userCaps >> > + configSpec.Process.Capabilities.Permitted = userCaps >> > +- configSpec.Process.Capabilities.Inheritable = userCaps >> > + >> > + // Ambient capabilities were added to Linux 4.3. Set ambient >> > + // capabilities only when the kernel supports them. >> > + if supportAmbientCapabilities() { >> > + configSpec.Process.Capabilities.Ambient = userCaps >> > ++ configSpec.Process.Capabilities.Inheritable = >> > userCaps >> > + } >> > + } >> > + >> > +diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go >> > +index 91a2eddadf6..f4a6e573355 100644 >> > +--- a/test/e2e/run_test.go >> > ++++ b/test/e2e/run_test.go >> > +@@ -498,7 +498,7 @@ var _ = Describe("Podman run", func() { >> > + session = podmanTest.Podman([]string{"run", "--rm", "--user", >> > "root", ALPINE, "grep", "CapInh", "/proc/self/status"}) >> > + session.WaitWithDefaultTimeout() >> > + Expect(session).Should(Exit(0)) >> > +- >> > Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb")) >> > ++ >> > Expect(session.OutputToString()).To(ContainSubstring("0000000000000000")) >> > + >> > + session = podmanTest.Podman([]string{"run", "--rm", ALPINE, >> > "grep", >> > "CapBnd", "/proc/self/status"}) >> > + session.WaitWithDefaultTimeout() >> > +@@ -533,7 +533,7 @@ var _ = Describe("Podman run", func() { >> > + session = podmanTest.Podman([]string{"run", "--user=0:0", >> > "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh", >> > "/proc/self/status"}) >> > + session.WaitWithDefaultTimeout() >> > + Expect(session).Should(Exit(0)) >> > +- >> > Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb")) >> > ++ >> > Expect(session.OutputToString()).To(ContainSubstring("0000000000000000")) >> > + >> > + if os.Geteuid() > 0 { >> > + if os.Getenv("SKIP_USERNS") != "" { >> > +@@ -550,7 +550,7 @@ var _ = Describe("Podman run", func() { >> > + session = podmanTest.Podman([]string{"run", >> > "--userns=keep-id", >> > "--privileged", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"}) >> > + session.WaitWithDefaultTimeout() >> > + Expect(session).Should(Exit(0)) >> > +- >> > Expect(session.OutputToString()).To(ContainSubstring("0000000000000000")) >> > ++ >> > Expect(session.OutputToString()).To(ContainSubstring("0000000000000002")) >> > + >> > + session = podmanTest.Podman([]string{"run", >> > "--userns=keep-id", >> > "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh", >> > "/proc/self/status"}) >> > + session.WaitWithDefaultTimeout() >> > diff --git a/recipes-containers/podman/podman_git.bb >> > b/recipes-containers/podman/podman_git.bb >> > index aedb988..65e0205 100644 >> > --- a/recipes-containers/podman/podman_git.bb >> > +++ b/recipes-containers/podman/podman_git.bb >> > @@ -22,7 +22,8 @@ SRC_URI = " \ >> > git://github.com/containers/libpod.git;branch=v4.0;protocol=https \ >> > >> > file://0001-Rename-BUILDFLAGS-to-GOBUILDFLAGS.patch;patchdir=src/import >> > \ >> > >> > file://0002-Define-ActKillThread-equal-to-ActKill.patch;patchdir=src/import/vendor/github.com/seccomp/libseccomp-golang >> > \ >> > - ${@bb.utils.contains('PACKAGECONFIG', 'rootless', >> > 'file://50-podman-rootless.conf', '', d)} \ >> > + file://CVE-2022-27649.patch;patchdir=src/import \ >> > + ${@bb.utils.contains('PACKAGECONFIG', 'rootless', >> > 'file://00-podman-rootless.conf', '', d)} \ >> > " >> > >> > LICENSE = "Apache-2.0" >> > -- >> > 2.25.1 >> >> Small reminder on this patch. > > I'm on holidays all this week, and my build machines have gone > offline. If I can't restore access, it will be next week before I can > get to merges.
Thanks for giving me a rough estimation - it helps. Enjoy your holiday! Thanks, Andrei
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#7584): https://lists.yoctoproject.org/g/meta-virtualization/message/7584 Mute This Topic: https://lists.yoctoproject.org/mt/93267827/21656 Group Owner: [email protected] Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
