From d63ef96652b1e2b36cdf22a87e28cc0543507ba1 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Tue, 12 Nov 2024 10:53:07 +0000 Subject: [PATCH] import CS bubblewrap-0.4.1-8.el9_5 --- ...OFS-for-access-check-of-proc-entries.patch | 26 ++++ ...ro-bind-fd-to-let-you-bind-a-O_PATH-.patch | 128 ++++++++++++++++++ SPECS/bubblewrap.spec | 12 +- 3 files changed, 164 insertions(+), 2 deletions(-) create mode 100644 SOURCES/0001-Accept-EROFS-for-access-check-of-proc-entries.patch create mode 100644 SOURCES/0001-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O_PATH-.patch diff --git a/SOURCES/0001-Accept-EROFS-for-access-check-of-proc-entries.patch b/SOURCES/0001-Accept-EROFS-for-access-check-of-proc-entries.patch new file mode 100644 index 0000000..871ffdf --- /dev/null +++ b/SOURCES/0001-Accept-EROFS-for-access-check-of-proc-entries.patch @@ -0,0 +1,26 @@ +From 4c35d7a5f92499d6ed646d4a5ffad9acc10cb432 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?J=C3=BCrg=20Billeter?= +Date: Tue, 18 Aug 2020 17:33:49 +0200 +Subject: [PATCH] Accept EROFS for access() check of /proc entries + +This is required to work in a Docker container. +--- + bubblewrap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/bubblewrap.c b/bubblewrap.c +index e1a4629..d65ffef 100644 +--- a/bubblewrap.c ++++ b/bubblewrap.c +@@ -1148,7 +1148,7 @@ setup_newroot (bool unshare_pid, + if (access (subdir, W_OK) < 0) + { + /* The file is already read-only or doesn't exist. */ +- if (errno == EACCES || errno == ENOENT) ++ if (errno == EACCES || errno == ENOENT || errno == EROFS) + continue; + + die_with_error ("Can't access %s", subdir); +-- +2.44.0 + diff --git a/SOURCES/0001-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O_PATH-.patch b/SOURCES/0001-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O_PATH-.patch new file mode 100644 index 0000000..979ff51 --- /dev/null +++ b/SOURCES/0001-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O_PATH-.patch @@ -0,0 +1,128 @@ +From 52d5f7c3ba5c8e10b3a992304fd28cd4d18caeeb Mon Sep 17 00:00:00 2001 +From: Alexander Larsson +Date: Tue, 18 Jun 2024 10:20:36 +0200 +Subject: [PATCH] Add --bind-fd and --ro-bind-fd to let you bind a O_PATH fd. + +This is useful for example if you for some reason don't have the real +path. It is also a way to make bind-mounts race-free (i.e. to have the +mount actually be the thing you wanted to be mounted, avoiding issues +where some other process replaces the target in parallel with the bwrap +launch. + +Unfortunately due to some technical details we can't actually directly +mount the dirfd, as they come from different user namespace which is not +permitted, but at least we can delay resolving the fd to a path as much as +possible, and then validate after mount that we actually mounted the right +thing. + +Signed-off-by: Alexander Larsson +(cherry picked from commit a253257cd298892da43e15201d83f9a02c9b58b5) +[kalev: Backport to 0.4.x] +Signed-off-by: Kalev Lember +--- + bubblewrap.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++ + tests/test-run.sh | 7 ++++++- + 2 files changed, 56 insertions(+), 1 deletion(-) + +diff --git a/bubblewrap.c b/bubblewrap.c +index b3d52bc..38b3646 100644 +--- a/bubblewrap.c ++++ b/bubblewrap.c +@@ -250,6 +250,8 @@ usage (int ecode, FILE *out) + " --dev-bind-try SRC DEST Equal to --dev-bind but ignores non-existent SRC\n" + " --ro-bind SRC DEST Bind mount the host path SRC readonly on DEST\n" + " --ro-bind-try SRC DEST Equal to --ro-bind but ignores non-existent SRC\n" ++ " --bind-fd FD DEST Bind open directory or path fd on DEST\n" ++ " --ro-bind-fd FD DEST Bind open directory or path fd read-only on DEST\n" + " --remount-ro DEST Remount DEST as readonly; does not recursively remount\n" + " --exec-label LABEL Exec label for the sandbox\n" + " --file-label LABEL File label for temporary sandbox content\n" +@@ -1111,6 +1113,30 @@ setup_newroot (bool unshare_pid, + (op->type == SETUP_RO_BIND_MOUNT ? BIND_READONLY : 0) | + (op->type == SETUP_DEV_BIND_MOUNT ? BIND_DEVICES : 0), + source, dest); ++ ++ if (op->fd >= 0) ++ { ++ struct stat fd_st, mount_st; ++ ++ /* When using bind-fd, there is a race condition between resolving the fd as a magic symlink ++ * and mounting it, where someone could replace what is at the symlink target. Ideally ++ * we would not even resolve the symlink and directly bind-mount from the fd, but unfortunately ++ * we can't do that, because its not permitted to bind mount a fd from another user namespace. ++ * So, we resolve, mount and then compare fstat+stat to detect the race. */ ++ ++ if (fstat(op->fd, &fd_st) != 0) ++ die_with_error("Can't stat fd %d", op->fd); ++ if (lstat(dest, &mount_st) != 0) ++ die_with_error("Can't stat mount at %s", dest); ++ ++ if (fd_st.st_ino != mount_st.st_ino || ++ fd_st.st_dev != mount_st.st_dev) ++ die_with_error("Race condition binding dirfd"); ++ ++ close(op->fd); ++ op->fd = -1; ++ } ++ + break; + + case SETUP_REMOUNT_RO_NO_RECURSIVE: +@@ -1648,6 +1674,30 @@ parse_args_recurse (int *argcp, + if (strcmp(arg, "--dev-bind-try") == 0) + op->flags = ALLOW_NOTEXIST; + ++ argv += 2; ++ argc -= 2; ++ } ++ else if (strcmp (arg, "--bind-fd") == 0 || ++ strcmp (arg, "--ro-bind-fd") == 0) ++ { ++ int src_fd; ++ char *endptr; ++ ++ if (argc < 3) ++ die ("--bind-fd takes two arguments"); ++ ++ src_fd = strtol (argv[1], &endptr, 10); ++ if (argv[1][0] == 0 || endptr[0] != 0 || src_fd < 0) ++ die ("Invalid fd: %s", argv[1]); ++ ++ if (strcmp(arg, "--ro-bind-fd") == 0) ++ op = setup_op_new (SETUP_RO_BIND_MOUNT); ++ else ++ op = setup_op_new (SETUP_BIND_MOUNT); ++ op->source = xasprintf ("/proc/self/fd/%d", src_fd); ++ op->fd = src_fd; ++ op->dest = argv[2]; ++ + argv += 2; + argc -= 2; + } +diff --git a/tests/test-run.sh b/tests/test-run.sh +index 702c480..ce1eaf6 100755 +--- a/tests/test-run.sh ++++ b/tests/test-run.sh +@@ -80,7 +80,7 @@ if ! $RUN true; then + skip Seems like bwrap is not working at all. Maybe setuid is not working + fi + +-echo "1..49" ++echo "1..50" + + # Test help + ${BWRAP} --help > help.txt +@@ -382,5 +382,10 @@ else + echo "ok - Test --pidns" + fi + ++echo "foobar" > file-data ++$RUN --proc /proc --dev /dev --bind / / --bind-fd 100 /tmp cat /tmp/file-data 100< . > stdout ++assert_file_has_content stdout foobar ++ ++echo "ok - bind-fd" + + echo "ok - End of test" +-- +2.46.0 + diff --git a/SPECS/bubblewrap.spec b/SPECS/bubblewrap.spec index d8d7f65..362fc15 100644 --- a/SPECS/bubblewrap.spec +++ b/SPECS/bubblewrap.spec @@ -1,6 +1,6 @@ Name: bubblewrap Version: 0.4.1 -Release: 6%{?dist} +Release: 8%{?dist} Summary: Core execution tool for unprivileged containers License: LGPLv2+ @@ -8,6 +8,8 @@ License: LGPLv2+ URL: https://github.com/projectatomic/bubblewrap Source0: https://github.com/projectatomic/bubblewrap/releases/download/v%{version}/bubblewrap-%{version}.tar.xz Patch0: 0001-Avoid-memory-leak-if-args-is-specified-multiple-time.patch +Patch1: 0001-Accept-EROFS-for-access-check-of-proc-entries.patch +Patch2: 0001-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O_PATH-.patch BuildRequires: autoconf automake libtool BuildRequires: gcc @@ -23,7 +25,7 @@ containers that works as a setuid binary on kernels without user namespaces. %prep -%autosetup +%autosetup -p1 %build if ! test -x configure; then NOCONFIGURE=1 ./autogen.sh; fi @@ -47,6 +49,12 @@ find %{buildroot} -name '*.la' -delete -print %{_mandir}/man1/* %changelog +* Fri Aug 30 2024 Kalev Lember - 0.4.1-8 +- Backport upstream fix to help address CVE-2024-42472 in flatpak + +* Fri Mar 15 2024 Daan De Meyer - 0.4.1-7 +- Backport https://github.com/containers/bubblewrap/commit/4c35d7a5f92499d6ed646d4a5ffad9acc10cb432 + * Mon Aug 09 2021 Mohan Boddu - 0.4.1-6 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688