From fef0d25c8de416cd4af1b30e9c843d507453ecf8 Mon Sep 17 00:00:00 2001
From: Joseph Marrero Corchado
Date: Fri, 30 Aug 2024 17:54:22 -0400
Subject: [PATCH] Rebase to 0.6.3

Resolves: RHEL-56797
---
 .gitignore | 1 +
 ...OFS-for-access-check-of-proc-entries.patch | 26 ----
 ...ro-bind-fd-to-let-you-bind-a-O_PATH-.patch | 128 ------------------
 ...k-if-args-is-specified-multiple-time.patch | 39 ------
 bubblewrap.spec | 42 +++---
 sources | 2 +-
 6 files changed, 24 insertions(+), 214 deletions(-)
 delete mode 100644 0001-Accept-EROFS-for-access-check-of-proc-entries.patch
 delete mode 100644 0001-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O_PATH-.patch
 delete mode 100644 0001-Avoid-memory-leak-if-args-is-specified-multiple-time.patch

diff --git a/.gitignore b/.gitignore
index a0240de..58e2d75 100644
--- a/.gitignore
+++ b/.gitignore
@@ -15,3 +15,4 @@
 /bubblewrap-0.3.3.tar.xz
 /bubblewrap-0.4.0.tar.xz
 /bubblewrap-0.4.1.tar.xz
+/bubblewrap-0.6.3.tar.xz
diff --git a/0001-Accept-EROFS-for-access-check-of-proc-entries.patch b/0001-Accept-EROFS-for-access-check-of-proc-entries.patch
deleted file mode 100644
index 871ffdf..0000000
--- a/0001-Accept-EROFS-for-access-check-of-proc-entries.patch
+++ /dev/null
@@ -1,26 +0,0 @@ -From 4c35d7a5f92499d6ed646d4a5ffad9acc10cb432 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?J=C3=BCrg=20Billeter?= -Date: Tue, 18 Aug 2020 17:33:49 +0200 -Subject: [PATCH] Accept EROFS for access() check of /proc entries - -This is required to work in a Docker container. ---- - bubblewrap.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/bubblewrap.c b/bubblewrap.c -index e1a4629..d65ffef 100644 ---- a/bubblewrap.c -+++ b/bubblewrap.c -@@ -1148,7 +1148,7 @@ setup_newroot (bool unshare_pid, - if (access (subdir, W_OK) < 0) - { - /* The file is already read-only or doesn't exist. */ -- if (errno == EACCES || errno == ENOENT) -+ if (errno == EACCES || errno == ENOENT || errno == EROFS) - continue; - - die_with_error ("Can't access %s", subdir); --- -2.44.0 - diff --git a/0001-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O_PATH-.patch b/0001-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O_PATH-.patch deleted file mode 100644 index 979ff51..0000000 --- a/0001-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O_PATH-.patch +++ /dev/null 
@@ -1,128 +0,0 @@ -From 52d5f7c3ba5c8e10b3a992304fd28cd4d18caeeb Mon Sep 17 00:00:00 2001 -From: Alexander Larsson -Date: Tue, 18 Jun 2024 10:20:36 +0200 -Subject: [PATCH] Add --bind-fd and --ro-bind-fd to let you bind a O_PATH fd. - -This is useful for example if you for some reason don't have the real -path. It is also a way to make bind-mounts race-free (i.e. to have the -mount actually be the thing you wanted to be mounted, avoiding issues -where some other process replaces the target in parallel with the bwrap -launch. - -Unfortunately due to some technical details we can't actually directly -mount the dirfd, as they come from different user namespace which is not -permitted, but at least we can delay resolving the fd to a path as much as -possible, and then validate after mount that we actually mounted the right -thing. - -Signed-off-by: Alexander Larsson -(cherry picked from commit a253257cd298892da43e15201d83f9a02c9b58b5) -[kalev: Backport to 0.4.x] -Signed-off-by: Kalev Lember ---- - bubblewrap.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++ - tests/test-run.sh | 7 ++++++- - 2 files changed, 56 insertions(+), 1 deletion(-) - -diff --git a/bubblewrap.c b/bubblewrap.c -index b3d52bc..38b3646 100644 ---- a/bubblewrap.c -+++ b/bubblewrap.c -@@ -250,6 +250,8 @@ usage (int ecode, FILE *out) - " --dev-bind-try SRC DEST Equal to --dev-bind but ignores non-existent SRC\n" - " --ro-bind SRC DEST Bind mount the host path SRC readonly on DEST\n" - " --ro-bind-try SRC DEST Equal to --ro-bind but ignores non-existent SRC\n" -+ " --bind-fd FD DEST Bind open directory or path fd on DEST\n" -+ " --ro-bind-fd FD DEST Bind open directory or path fd read-only on DEST\n" - " --remount-ro DEST Remount DEST as readonly; does not recursively remount\n" - " --exec-label LABEL Exec label for the sandbox\n" - " --file-label LABEL File label for temporary sandbox content\n" -@@ -1111,6 +1113,30 @@ setup_newroot (bool unshare_pid, - (op->type == SETUP_RO_BIND_MOUNT ? 
BIND_READONLY : 0) | - (op->type == SETUP_DEV_BIND_MOUNT ? BIND_DEVICES : 0), - source, dest); -+ -+ if (op->fd >= 0) -+ { -+ struct stat fd_st, mount_st; -+ -+ /* When using bind-fd, there is a race condition between resolving the fd as a magic symlink -+ * and mounting it, where someone could replace what is at the symlink target. Ideally -+ * we would not even resolve the symlink and directly bind-mount from the fd, but unfortunately -+ * we can't do that, because its not permitted to bind mount a fd from another user namespace. -+ * So, we resolve, mount and then compare fstat+stat to detect the race. */ -+ -+ if (fstat(op->fd, &fd_st) != 0) -+ die_with_error("Can't stat fd %d", op->fd); -+ if (lstat(dest, &mount_st) != 0) -+ die_with_error("Can't stat mount at %s", dest); -+ -+ if (fd_st.st_ino != mount_st.st_ino || -+ fd_st.st_dev != mount_st.st_dev) -+ die_with_error("Race condition binding dirfd"); -+ -+ close(op->fd); -+ op->fd = -1; -+ } -+ - break; - - case SETUP_REMOUNT_RO_NO_RECURSIVE: -@@ -1648,6 +1674,30 @@ parse_args_recurse (int *argcp, - if (strcmp(arg, "--dev-bind-try") == 0) - op->flags = ALLOW_NOTEXIST; - -+ argv += 2; -+ argc -= 2; -+ } -+ else if (strcmp (arg, "--bind-fd") == 0 || -+ strcmp (arg, "--ro-bind-fd") == 0) -+ { -+ int src_fd; -+ char *endptr; -+ -+ if (argc < 3) -+ die ("--bind-fd takes two arguments"); -+ -+ src_fd = strtol (argv[1], &endptr, 10); -+ if (argv[1][0] == 0 || endptr[0] != 0 || src_fd < 0) -+ die ("Invalid fd: %s", argv[1]); -+ -+ if (strcmp(arg, "--ro-bind-fd") == 0) -+ op = setup_op_new (SETUP_RO_BIND_MOUNT); -+ else -+ op = setup_op_new (SETUP_BIND_MOUNT); -+ op->source = xasprintf ("/proc/self/fd/%d", src_fd); -+ op->fd = src_fd; -+ op->dest = argv[2]; -+ - argv += 2; - argc -= 2; - } -diff --git a/tests/test-run.sh b/tests/test-run.sh -index 702c480..ce1eaf6 100755 ---- a/tests/test-run.sh -+++ b/tests/test-run.sh -@@ -80,7 +80,7 @@ if ! $RUN true; then - skip Seems like bwrap is not working at all. 
Maybe setuid is not working - fi - --echo "1..49" -+echo "1..50" - - # Test help - ${BWRAP} --help > help.txt -@@ -382,5 +382,10 @@ else - echo "ok - Test --pidns" - fi - -+echo "foobar" > file-data -+$RUN --proc /proc --dev /dev --bind / / --bind-fd 100 /tmp cat /tmp/file-data 100< . > stdout -+assert_file_has_content stdout foobar -+ -+echo "ok - bind-fd" - - echo "ok - End of test" --- -2.46.0 - diff --git a/0001-Avoid-memory-leak-if-args-is-specified-multiple-time.patch b/0001-Avoid-memory-leak-if-args-is-specified-multiple-time.patch deleted file mode 100644 index 9a11a57..0000000 --- a/0001-Avoid-memory-leak-if-args-is-specified-multiple-time.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From d70c640aecc30e9216dc1a614a207e85c8732036 Mon Sep 17 00:00:00 2001 -From: Colin Walters -Date: Thu, 27 May 2021 16:19:27 -0400 -Subject: [PATCH] Avoid memory leak if --args is specified multiple times - -Found by a static analyzer. - -``` -bubblewrap-0.4.1/bubblewrap.c:1500: overwrite_var: Overwriting "opt_args_data" in "opt_args_data = load_file_data(the_fd, &data_len)" leaks the storage that "opt_args_data" points to. - # 1498| * keep allocated until exit time, since its argv entries get used - # 1499| * by the other cases in parse_args_recurse() when we recurse. */ - # 1500|-> opt_args_data = load_file_data (the_fd, &data_len); - # 1501| if (opt_args_data == NULL) - # 1502| die_with_error ("Can't read --args data"); -``` ---- - bubblewrap.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/bubblewrap.c b/bubblewrap.c -index 771e1ea..56ac07c 100644 ---- a/bubblewrap.c -+++ b/bubblewrap.c -@@ -1494,6 +1494,12 @@ parse_args_recurse (int *argcp, - if (argv[1][0] == 0 || endptr[0] != 0 || the_fd < 0) - die ("Invalid fd: %s", argv[1]); - -+ /* Specifying --args multiple times doesn't work; this just pacifies -+ * a static analyzer which pointed out the memory leak -+ */ -+ if (opt_args_data != NULL) -+ free (opt_args_data); -+ - /* opt_args_data is essentially a recursive argv array, which we must - * keep allocated until exit time, since its argv entries get used - * by the other cases in parse_args_recurse() when we recurse. */ --- -2.31.1 - diff --git a/bubblewrap.spec b/bubblewrap.spec index 362fc15..73f3746 100644 --- a/bubblewrap.spec +++ b/bubblewrap.spec 
@@ -1,23 +1,18 @@
 Name: bubblewrap
-Version: 0.4.1
-Release: 8%{?dist}
+Version: 0.6.3
+Release: 1%{?dist}
 Summary: Core execution tool for unprivileged containers
-License: LGPLv2+
-#VCS: git:https://github.com/projectatomic/bubblewrap
-URL: https://github.com/projectatomic/bubblewrap
-Source0: https://github.com/projectatomic/bubblewrap/releases/download/v%{version}/bubblewrap-%{version}.tar.xz
-Patch0: 0001-Avoid-memory-leak-if-args-is-specified-multiple-time.patch
-Patch1: 0001-Accept-EROFS-for-access-check-of-proc-entries.patch
-Patch2: 0001-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O_PATH-.patch
+License: LGPL-2.0-or-later
+URL: https://github.com/containers/bubblewrap/
+Source0: https://github.com/containers/bubblewrap/releases/download/v%{version}/bubblewrap-%{version}.tar.xz
-BuildRequires: autoconf automake libtool
 BuildRequires: gcc
-BuildRequires: libcap-devel
-BuildRequires: pkgconfig(libselinux)
-BuildRequires: libxslt
 BuildRequires: docbook-style-xsl
-BuildRequires: make
+BuildRequires: meson
+BuildRequires: pkgconfig(libcap)
+BuildRequires: pkgconfig(libselinux)
+BuildRequires: /usr/bin/xsltproc
 %description
 Bubblewrap (/usr/bin/bwrap) is a core execution engine for unprivileged
@@ -28,27 +23,34 @@ user namespaces.
 %autosetup -p1
 %build
-if ! test -x configure; then NOCONFIGURE=1 ./autogen.sh; fi
-%configure --disable-silent-rules --with-priv-mode=none
-%make_build
+%meson -Dman=enabled
+%meson_build
 %install
-%make_install INSTALL="install -p -c"
-find %{buildroot} -name '*.la' -delete -print
+%meson_install
 %files
 %license COPYING
+%doc README.md
 %dir %{_datadir}/bash-completion
 %dir %{_datadir}/bash-completion/completions
 %{_datadir}/bash-completion/completions/bwrap
+%dir %{_datadir}/zsh
+%dir %{_datadir}/zsh/site-functions
+%{_datadir}/zsh/site-functions/_bwrap
 %if (0%{?rhel} != 0 && 0%{?rhel} <= 7)
 %attr(0755,root,root) %caps(cap_sys_admin,cap_net_admin,cap_sys_chroot,cap_setuid,cap_setgid=ep) %{_bindir}/bwrap
 %else
 %{_bindir}/bwrap
 %endif
-%{_mandir}/man1/*
+%{_mandir}/man1/bwrap.1*
 %changelog
+* Fri Aug 30 2024 Joseph Marrero - 0.6.3-1
+- Rebase to 0.6.3 which is supported upstream This release also includes the fix for CVE-2024-42472 Fixes: #RHEL-56797
 * Fri Aug 30 2024 Kalev Lember - 0.4.1-8
 - Backport upstream fix to help address CVE-2024-42472 in flatpak
diff --git a/sources b/sources
index 47a611a..e26e1a2 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (bubblewrap-0.4.1.tar.xz) = 0ff46dc0fda2d0cffbb36cc52ff43951b30cbd835a42cc56806acbbbd827796bfadbb1cfafc84d6b47a72c031ca44abe1c377acc0cc25fe3b33e854f5f687d35
+SHA512 (bubblewrap-0.6.3.tar.xz) = 88a06ff7025fdecba93c3084d78429f30d968fe6d2b26e9280c56781411b609a033eb1213b1180cf774adc41a0b8ecd427d656892144f4c7738c334c7d0e393e
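Review bot: The new `%meson -Dman=enabled` line pins the man page but leaves SELinux support to meson's autodetection, so if `pkgconfig(libselinux)` ever drops out of the buildroot the package would build silently without `--exec-label`/`--file-label` support instead of failing the build. Since the BuildRequires is already declared in the earlier hunk, make the feature a hard requirement: `%meson -Dman=enabled -Dselinux=enabled`. The removed `%configure` line also carried `--with-priv-mode=none`; nothing in the meson invocation restates that choice, and `%files` still installs a plain `%{_bindir}/bwrap` on rhel > 7, so a one-line comment above `%meson` such as `# bwrap is installed unprivileged (no setuid/caps); relies on unprivileged user namespaces` would keep that intent visible to the next maintainer.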