rpms/bubblewrap
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Rebase to 0.6.3

Browse Source 
Resolves: RHEL-56797
This commit is contained in:
Joseph Marrero Corchado 2024-08-30 17:54:22 -04:00
parent 0c425a8b4c
commit fef0d25c8d
6 changed files with 24 additions and 214 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -15,3 +15,4 @@
/bubblewrap-0.3.3.tar.xz
/bubblewrap-0.4.0.tar.xz
/bubblewrap-0.4.1.tar.xz
/bubblewrap-0.6.3.tar.xz

26
0001-Accept-EROFS-for-access-check-of-proc-entries.patch
View File

@ -1,26 +0,0 @@
From 4c35d7a5f92499d6ed646d4a5ffad9acc10cb432 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=BCrg=20Billeter?= <j@bitron.ch>
Date: Tue, 18 Aug 2020 17:33:49 +0200
Subject: [PATCH] Accept EROFS for access() check of /proc entries
This is required to work in a Docker container.
---
bubblewrap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bubblewrap.c b/bubblewrap.c
index e1a4629..d65ffef 100644
--- a/bubblewrap.c
+++ b/bubblewrap.c
@@ -1148,7 +1148,7 @@ setup_newroot (bool unshare_pid,
if (access (subdir, W_OK) < 0)
{
/* The file is already read-only or doesn't exist. */
- if (errno == EACCES || errno == ENOENT)
+ if (errno == EACCES || errno == ENOENT || errno == EROFS)
continue;
die_with_error ("Can't access %s", subdir);
--
2.44.0

128
0001-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O_PATH-.patch
View File

@ -1,128 +0,0 @@
From 52d5f7c3ba5c8e10b3a992304fd28cd4d18caeeb Mon Sep 17 00:00:00 2001
From: Alexander Larsson <alexl@redhat.com>
Date: Tue, 18 Jun 2024 10:20:36 +0200
Subject: [PATCH] Add --bind-fd and --ro-bind-fd to let you bind a O_PATH fd.
This is useful for example if you for some reason don't have the real
path. It is also a way to make bind-mounts race-free (i.e. to have the
mount actually be the thing you wanted to be mounted, avoiding issues
where some other process replaces the target in parallel with the bwrap
launch.
Unfortunately due to some technical details we can't actually directly
mount the dirfd, as they come from different user namespace which is not
permitted, but at least we can delay resolving the fd to a path as much as
possible, and then validate after mount that we actually mounted the right
thing.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
(cherry picked from commit a253257cd298892da43e15201d83f9a02c9b58b5)
[kalev: Backport to 0.4.x]
Signed-off-by: Kalev Lember <klember@redhat.com>
---
bubblewrap.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++
tests/test-run.sh | 7 ++++++-
2 files changed, 56 insertions(+), 1 deletion(-)
diff --git a/bubblewrap.c b/bubblewrap.c
index b3d52bc..38b3646 100644
--- a/bubblewrap.c
+++ b/bubblewrap.c
@@ -250,6 +250,8 @@ usage (int ecode, FILE *out)
" --dev-bind-try SRC DEST Equal to --dev-bind but ignores non-existent SRC\n"
" --ro-bind SRC DEST Bind mount the host path SRC readonly on DEST\n"
" --ro-bind-try SRC DEST Equal to --ro-bind but ignores non-existent SRC\n"
+ " --bind-fd FD DEST Bind open directory or path fd on DEST\n"
+ " --ro-bind-fd FD DEST Bind open directory or path fd read-only on DEST\n"
" --remount-ro DEST Remount DEST as readonly; does not recursively remount\n"
" --exec-label LABEL Exec label for the sandbox\n"
" --file-label LABEL File label for temporary sandbox content\n"
@@ -1111,6 +1113,30 @@ setup_newroot (bool unshare_pid,
(op->type == SETUP_RO_BIND_MOUNT ? BIND_READONLY : 0) |
(op->type == SETUP_DEV_BIND_MOUNT ? BIND_DEVICES : 0),
source, dest);
+
+ if (op->fd >= 0)
+ {
+ struct stat fd_st, mount_st;
+
+ /* When using bind-fd, there is a race condition between resolving the fd as a magic symlink
+ * and mounting it, where someone could replace what is at the symlink target. Ideally
+ * we would not even resolve the symlink and directly bind-mount from the fd, but unfortunately
+ * we can't do that, because its not permitted to bind mount a fd from another user namespace.
+ * So, we resolve, mount and then compare fstat+stat to detect the race. */
+
+ if (fstat(op->fd, &fd_st) != 0)
+ die_with_error("Can't stat fd %d", op->fd);
+ if (lstat(dest, &mount_st) != 0)
+ die_with_error("Can't stat mount at %s", dest);
+
+ if (fd_st.st_ino != mount_st.st_ino ||
+ fd_st.st_dev != mount_st.st_dev)
+ die_with_error("Race condition binding dirfd");
+
+ close(op->fd);
+ op->fd = -1;
+ }
+
break;
case SETUP_REMOUNT_RO_NO_RECURSIVE:
@@ -1648,6 +1674,30 @@ parse_args_recurse (int *argcp,
if (strcmp(arg, "--dev-bind-try") == 0)
op->flags = ALLOW_NOTEXIST;
+ argv += 2;
+ argc -= 2;
+ }
+ else if (strcmp (arg, "--bind-fd") == 0 ||
+ strcmp (arg, "--ro-bind-fd") == 0)
+ {
+ int src_fd;
+ char *endptr;
+
+ if (argc < 3)
+ die ("--bind-fd takes two arguments");
+
+ src_fd = strtol (argv[1], &endptr, 10);
+ if (argv[1][0] == 0 || endptr[0] != 0 || src_fd < 0)
+ die ("Invalid fd: %s", argv[1]);
+
+ if (strcmp(arg, "--ro-bind-fd") == 0)
+ op = setup_op_new (SETUP_RO_BIND_MOUNT);
+ else
+ op = setup_op_new (SETUP_BIND_MOUNT);
+ op->source = xasprintf ("/proc/self/fd/%d", src_fd);
+ op->fd = src_fd;
+ op->dest = argv[2];
+
argv += 2;
argc -= 2;
}
diff --git a/tests/test-run.sh b/tests/test-run.sh
index 702c480..ce1eaf6 100755
--- a/tests/test-run.sh
+++ b/tests/test-run.sh
@@ -80,7 +80,7 @@ if ! $RUN true; then
skip Seems like bwrap is not working at all. Maybe setuid is not working
fi
-echo "1..49"
+echo "1..50"
# Test help
${BWRAP} --help > help.txt
@@ -382,5 +382,10 @@ else
echo "ok - Test --pidns"
fi
+echo "foobar" > file-data
+$RUN --proc /proc --dev /dev --bind / / --bind-fd 100 /tmp cat /tmp/file-data 100< . > stdout
+assert_file_has_content stdout foobar
+
+echo "ok - bind-fd"
echo "ok - End of test"
--
2.46.0

39
0001-Avoid-memory-leak-if-args-is-specified-multiple-time.patch
View File

@ -1,39 +0,0 @@
From d70c640aecc30e9216dc1a614a207e85c8732036 Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Thu, 27 May 2021 16:19:27 -0400
Subject: [PATCH] Avoid memory leak if --args is specified multiple times
Found by a static analyzer.
```
bubblewrap-0.4.1/bubblewrap.c:1500: overwrite_var: Overwriting "opt_args_data" in "opt_args_data = load_file_data(the_fd, &data_len)" leaks the storage that "opt_args_data" points to.
# 1498| * keep allocated until exit time, since its argv entries get used
# 1499| * by the other cases in parse_args_recurse() when we recurse. */
# 1500|-> opt_args_data = load_file_data (the_fd, &data_len);
# 1501| if (opt_args_data == NULL)
# 1502| die_with_error ("Can't read --args data");
```
---
bubblewrap.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/bubblewrap.c b/bubblewrap.c
index 771e1ea..56ac07c 100644
--- a/bubblewrap.c
+++ b/bubblewrap.c
@@ -1494,6 +1494,12 @@ parse_args_recurse (int *argcp,
if (argv[1][0] == 0 || endptr[0] != 0 || the_fd < 0)
die ("Invalid fd: %s", argv[1]);
+ /* Specifying --args multiple times doesn't work; this just pacifies
+ * a static analyzer which pointed out the memory leak
+ */
+ if (opt_args_data != NULL)
+ free (opt_args_data);
+
/* opt_args_data is essentially a recursive argv array, which we must
* keep allocated until exit time, since its argv entries get used
* by the other cases in parse_args_recurse() when we recurse. */
--
2.31.1

42
bubblewrap.spec
View File

@ -1,23 +1,18 @@
Name: bubblewrap
Version: 0.4.1
Release: 8%{?dist}
Version: 0.6.3
Release: 1%{?dist}
Summary: Core execution tool for unprivileged containers
License: LGPLv2+
#VCS: git:https://github.com/projectatomic/bubblewrap
URL: https://github.com/projectatomic/bubblewrap
Source0: https://github.com/projectatomic/bubblewrap/releases/download/v%{version}/bubblewrap-%{version}.tar.xz
Patch0: 0001-Avoid-memory-leak-if-args-is-specified-multiple-time.patch
Patch1: 0001-Accept-EROFS-for-access-check-of-proc-entries.patch
Patch2: 0001-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O_PATH-.patch
License: LGPL-2.0-or-later
URL: https://github.com/containers/bubblewrap/
Source0: https://github.com/containers/bubblewrap/releases/download/v%{version}/bubblewrap-%{version}.tar.xz
BuildRequires: autoconf automake libtool
BuildRequires: gcc
BuildRequires: libcap-devel
BuildRequires: pkgconfig(libselinux)
BuildRequires: libxslt
BuildRequires: docbook-style-xsl
BuildRequires: make
BuildRequires: meson
BuildRequires: pkgconfig(libcap)
BuildRequires: pkgconfig(libselinux)
BuildRequires: /usr/bin/xsltproc
%description
Bubblewrap (/usr/bin/bwrap) is a core execution engine for unprivileged
@ -28,27 +23,34 @@ user namespaces.
%autosetup -p1
%build
if ! test -x configure; then NOCONFIGURE=1 ./autogen.sh; fi
%configure --disable-silent-rules --with-priv-mode=none
%make_build
%meson -Dman=enabled
%meson_build
%install
%make_install INSTALL="install -p -c"
find %{buildroot} -name '*.la' -delete -print
%meson_install
%files
%license COPYING
%doc README.md
%dir %{_datadir}/bash-completion
%dir %{_datadir}/bash-completion/completions
%{_datadir}/bash-completion/completions/bwrap
%dir %{_datadir}/zsh
%dir %{_datadir}/zsh/site-functions
%{_datadir}/zsh/site-functions/_bwrap
%if (0%{?rhel} != 0 && 0%{?rhel} <= 7)
%attr(0755,root,root) %caps(cap_sys_admin,cap_net_admin,cap_sys_chroot,cap_setuid,cap_setgid=ep) %{_bindir}/bwrap
%else
%{_bindir}/bwrap
%endif
%{_mandir}/man1/*
%{_mandir}/man1/bwrap.1*
%changelog
* Fri Aug 30 2024 Joseph Marrero <jmarrero@redhat.com> - 0.6.3-1
- Rebase to 0.6.3 which is supported upstream
This release also includes the fix for CVE-2024-42472
Fixes: #RHEL-56797
* Fri Aug 30 2024 Kalev Lember <klember@redhat.com> - 0.4.1-8
- Backport upstream fix to help address CVE-2024-42472 in flatpak

2
sources
View File

@ -1 +1 @@
SHA512 (bubblewrap-0.4.1.tar.xz) = 0ff46dc0fda2d0cffbb36cc52ff43951b30cbd835a42cc56806acbbbd827796bfadbb1cfafc84d6b47a72c031ca44abe1c377acc0cc25fe3b33e854f5f687d35
SHA512 (bubblewrap-0.6.3.tar.xz) = 88a06ff7025fdecba93c3084d78429f30d968fe6d2b26e9280c56781411b609a033eb1213b1180cf774adc41a0b8ecd427d656892144f4c7738c334c7d0e393e