Signed-off-by: Hugo SIMELIERE <[email protected]> --- .../runc/files/CVE-2022-29162.patch | 123 ++++++++++++++++++ recipes-containers/runc/runc-docker_git.bb | 1 + .../runc/runc-opencontainers_git.bb | 1 + 3 files changed, 125 insertions(+) create mode 100644 recipes-containers/runc/files/CVE-2022-29162.patch
diff --git a/recipes-containers/runc/files/CVE-2022-29162.patch b/recipes-containers/runc/files/CVE-2022-29162.patch
new file mode 100644
index 0000000..797c923
--- /dev/null
+++ b/recipes-containers/runc/files/CVE-2022-29162.patch
@@ -0,0 +1,123 @@
+From 2e46aecb3c3212eef2c4fb26e78aac5918fc058b Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <[email protected]>
+Date: Thu, 12 May 2022 08:15:42 +1000
+Subject: [PATCH] Merge pull request from GHSA-f3fp-gc8g-vw66
+
+[ Upstream commit d04de3a9b72d7a2455c1885fc75eb36d02cd17b5 ]
+
+runc: do not set inheritable capabilities
+
+CVE: CVE-2022-29162
+---
+ exec.go | 1 -
+ libcontainer/README.md | 16 ----------------
+ libcontainer/integration/exec_test.go | 2 --
+ libcontainer/integration/template_test.go | 16 ----------------
+ libcontainer/specconv/example.go | 5 -----
+ 5 files changed, 40 deletions(-)
+
+diff --git a/src/import/exec.go b/src/import/exec.go
+index 6053ea97..fc078d4e 100644
+--- a/src/import/exec.go
++++ b/src/import/exec.go
+@@ -193,7 +193,6 @@ func getProcess(context *cli.Context, bundle string) (*specs.Process, error) {
+ if caps := context.StringSlice("cap"); len(caps) > 0 {
+ for _, c := range caps {
+ p.Capabilities.Bounding = append(p.Capabilities.Bounding, c)
+- p.Capabilities.Inheritable = append(p.Capabilities.Inheritable, c)
+ p.Capabilities.Effective = append(p.Capabilities.Effective, c)
+ p.Capabilities.Permitted = append(p.Capabilities.Permitted, c)
+ p.Capabilities.Ambient = append(p.Capabilities.Ambient, c)
+diff --git a/src/import/libcontainer/README.md b/src/import/libcontainer/README.md
+index 13eee49d..aedde773 100644
+--- a/src/import/libcontainer/README.md
++++ b/src/import/libcontainer/README.md
+@@ -96,22 +96,6 @@ config := &configs.Config{
+ "CAP_KILL",
+ "CAP_AUDIT_WRITE",
+ },
+- Inheritable: []string{
+- "CAP_CHOWN",
+- "CAP_DAC_OVERRIDE",
+- "CAP_FSETID",
+- "CAP_FOWNER",
+- "CAP_MKNOD",
+- "CAP_NET_RAW",
+- "CAP_SETGID",
+- "CAP_SETUID",
+- "CAP_SETFCAP",
+- "CAP_SETPCAP",
+- "CAP_NET_BIND_SERVICE",
+- "CAP_SYS_CHROOT",
+- "CAP_KILL",
+- "CAP_AUDIT_WRITE",
+- },
+ Permitted: []string{
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+diff --git a/src/import/libcontainer/integration/exec_test.go b/src/import/libcontainer/integration/exec_test.go
+index 1e8e185f..bb8ec9f6 100644
+--- a/src/import/libcontainer/integration/exec_test.go
++++ b/src/import/libcontainer/integration/exec_test.go
+@@ -412,7 +412,6 @@ func TestProcessCaps(t *testing.T) {
+ pconfig.Capabilities.Bounding = append(config.Capabilities.Bounding, "CAP_NET_ADMIN")
+ pconfig.Capabilities.Permitted = append(config.Capabilities.Permitted, "CAP_NET_ADMIN")
+ pconfig.Capabilities.Effective = append(config.Capabilities.Effective, "CAP_NET_ADMIN")
+- pconfig.Capabilities.Inheritable = append(config.Capabilities.Inheritable, "CAP_NET_ADMIN")
+ err = container.Run(&pconfig)
+ ok(t, err)
+ 
+@@ -1539,7 +1538,6 @@ func TestRootfsPropagationSharedMount(t *testing.T) {
+ pconfig2.Capabilities.Bounding = append(config.Capabilities.Bounding, "CAP_SYS_ADMIN")
+ pconfig2.Capabilities.Permitted = append(config.Capabilities.Permitted, "CAP_SYS_ADMIN")
+ pconfig2.Capabilities.Effective = append(config.Capabilities.Effective, "CAP_SYS_ADMIN")
+- pconfig2.Capabilities.Inheritable = append(config.Capabilities.Inheritable, "CAP_SYS_ADMIN")
+ 
+ err = container.Run(pconfig2)
+ _ = stdinR2.Close()
+diff --git a/src/import/libcontainer/integration/template_test.go b/src/import/libcontainer/integration/template_test.go
+index 039cd737..60ca0f43 100644
+--- a/src/import/libcontainer/integration/template_test.go
++++ b/src/import/libcontainer/integration/template_test.go
+@@ -71,22 +71,6 @@ func newTemplateConfig(t *testing.T, p *tParam) *configs.Config {
+ "CAP_KILL",
+ "CAP_AUDIT_WRITE",
+ },
+- Inheritable: []string{
+- "CAP_CHOWN",
+- "CAP_DAC_OVERRIDE",
+- "CAP_FSETID",
+- "CAP_FOWNER",
+- "CAP_MKNOD",
+- "CAP_NET_RAW",
+- "CAP_SETGID",
+- "CAP_SETUID",
+- "CAP_SETFCAP",
+- "CAP_SETPCAP",
+- "CAP_NET_BIND_SERVICE",
+- "CAP_SYS_CHROOT",
+- "CAP_KILL",
+- "CAP_AUDIT_WRITE",
+- },
+ Ambient: []string{
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+diff --git a/src/import/libcontainer/specconv/example.go b/src/import/libcontainer/specconv/example.go
+index 56bab3bf..152d938a 100644
+--- a/src/import/libcontainer/specconv/example.go
++++ b/src/import/libcontainer/specconv/example.go
+@@ -41,11 +41,6 @@ func Example() *specs.Spec {
+ "CAP_KILL",
+ "CAP_NET_BIND_SERVICE",
+ },
+- Inheritable: []string{
+- "CAP_AUDIT_WRITE",
+- "CAP_KILL",
+- "CAP_NET_BIND_SERVICE",
+- },
+ Ambient: []string{
+ "CAP_AUDIT_WRITE",
+ "CAP_KILL",
+-- 
+2.39.1
+
diff --git a/recipes-containers/runc/runc-docker_git.bb b/recipes-containers/runc/runc-docker_git.bb
index 2019ad3..5499333 100644
--- a/recipes-containers/runc/runc-docker_git.bb
+++ b/recipes-containers/runc/runc-docker_git.bb
@@ -7,6 +7,7 @@ SRC_URI = "git://github.com/opencontainers/runc;branch=release-1.0;name=runc-doc
 file://0001-runc-Add-console-socket-dev-null.patch \
 file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch \
 file://0001-runc-docker-SIGUSR1-daemonize.patch \
+ file://CVE-2022-29162.patch \
 "
 RUNC_VERSION = "1.0.3"
diff --git a/recipes-containers/runc/runc-opencontainers_git.bb b/recipes-containers/runc/runc-opencontainers_git.bb
index 4b1d0a0..0f625af 100644
--- a/recipes-containers/runc/runc-opencontainers_git.bb
+++ b/recipes-containers/runc/runc-opencontainers_git.bb
@@ -4,6 +4,7 @@ SRCREV = "e0124d569cb2dfe93bd9fb8d7f4ade461e006464"
 SRC_URI = " \
 git://github.com/opencontainers/runc;branch=release-1.0;protocol=https \
 file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch \
+ file://CVE-2022-29162.patch \
 "
 RUNC_VERSION = "1.0.3"
-- 
2.39.2
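Review bot: The patch header at the top of this hunk carries `CVE: CVE-2022-29162` and an `[ Upstream commit d04de3a9b72d7a2455c1885fc75eb36d02cd17b5 ]` line but no `Upstream-Status:` tag, which the Yocto patch-header convention relies on to tell a backport from a layer-local fix; add `Upstream-Status: Backport [d04de3a9b72d7a2455c1885fc75eb36d02cd17b5]` next to the CVE line. The only functional change in the embedded patch is dropping the `Inheritable` append inside getProcess in exec.go, so capabilities supplied through the `cap` option are no longer added to the process's inheritable set; every other file touched only removes `Inheritable` lists from the README, the integration tests and the example spec. Both recipes pin the release-1.0 branch at 1.0.3 while the upstream commit is dated May 2022, so it is worth stating in the commit message that the backport was verified to apply cleanly to that checkout. getProcess's body continues outside the hunk.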
