Rebase to 0.6.3
Resolves: RHEL-56797
This commit is contained in:
parent
0c425a8b4c
commit
fef0d25c8d
1
.gitignore
vendored
1
.gitignore
vendored
@ -15,3 +15,4 @@
|
|||||||
/bubblewrap-0.3.3.tar.xz
|
/bubblewrap-0.3.3.tar.xz
|
||||||
/bubblewrap-0.4.0.tar.xz
|
/bubblewrap-0.4.0.tar.xz
|
||||||
/bubblewrap-0.4.1.tar.xz
|
/bubblewrap-0.4.1.tar.xz
|
||||||
|
/bubblewrap-0.6.3.tar.xz
|
||||||
|
|||||||
@ -1,26 +0,0 @@
|
|||||||
From 4c35d7a5f92499d6ed646d4a5ffad9acc10cb432 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?J=C3=BCrg=20Billeter?= <j@bitron.ch>
|
|
||||||
Date: Tue, 18 Aug 2020 17:33:49 +0200
|
|
||||||
Subject: [PATCH] Accept EROFS for access() check of /proc entries
|
|
||||||
|
|
||||||
This is required to work in a Docker container.
|
|
||||||
---
|
|
||||||
bubblewrap.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/bubblewrap.c b/bubblewrap.c
|
|
||||||
index e1a4629..d65ffef 100644
|
|
||||||
--- a/bubblewrap.c
|
|
||||||
+++ b/bubblewrap.c
|
|
||||||
@@ -1148,7 +1148,7 @@ setup_newroot (bool unshare_pid,
|
|
||||||
if (access (subdir, W_OK) < 0)
|
|
||||||
{
|
|
||||||
/* The file is already read-only or doesn't exist. */
|
|
||||||
- if (errno == EACCES || errno == ENOENT)
|
|
||||||
+ if (errno == EACCES || errno == ENOENT || errno == EROFS)
|
|
||||||
continue;
|
|
||||||
|
|
||||||
die_with_error ("Can't access %s", subdir);
|
|
||||||
--
|
|
||||||
2.44.0
|
|
||||||
|
|
||||||
@ -1,128 +0,0 @@
|
|||||||
From 52d5f7c3ba5c8e10b3a992304fd28cd4d18caeeb Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Larsson <alexl@redhat.com>
|
|
||||||
Date: Tue, 18 Jun 2024 10:20:36 +0200
|
|
||||||
Subject: [PATCH] Add --bind-fd and --ro-bind-fd to let you bind a O_PATH fd.
|
|
||||||
|
|
||||||
This is useful for example if you for some reason don't have the real
|
|
||||||
path. It is also a way to make bind-mounts race-free (i.e. to have the
|
|
||||||
mount actually be the thing you wanted to be mounted, avoiding issues
|
|
||||||
where some other process replaces the target in parallel with the bwrap
|
|
||||||
launch.
|
|
||||||
|
|
||||||
Unfortunately due to some technical details we can't actually directly
|
|
||||||
mount the dirfd, as they come from different user namespace which is not
|
|
||||||
permitted, but at least we can delay resolving the fd to a path as much as
|
|
||||||
possible, and then validate after mount that we actually mounted the right
|
|
||||||
thing.
|
|
||||||
|
|
||||||
Signed-off-by: Alexander Larsson <alexl@redhat.com>
|
|
||||||
(cherry picked from commit a253257cd298892da43e15201d83f9a02c9b58b5)
|
|
||||||
[kalev: Backport to 0.4.x]
|
|
||||||
Signed-off-by: Kalev Lember <klember@redhat.com>
|
|
||||||
---
|
|
||||||
bubblewrap.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++
|
|
||||||
tests/test-run.sh | 7 ++++++-
|
|
||||||
2 files changed, 56 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/bubblewrap.c b/bubblewrap.c
|
|
||||||
index b3d52bc..38b3646 100644
|
|
||||||
--- a/bubblewrap.c
|
|
||||||
+++ b/bubblewrap.c
|
|
||||||
@@ -250,6 +250,8 @@ usage (int ecode, FILE *out)
|
|
||||||
" --dev-bind-try SRC DEST Equal to --dev-bind but ignores non-existent SRC\n"
|
|
||||||
" --ro-bind SRC DEST Bind mount the host path SRC readonly on DEST\n"
|
|
||||||
" --ro-bind-try SRC DEST Equal to --ro-bind but ignores non-existent SRC\n"
|
|
||||||
+ " --bind-fd FD DEST Bind open directory or path fd on DEST\n"
|
|
||||||
+ " --ro-bind-fd FD DEST Bind open directory or path fd read-only on DEST\n"
|
|
||||||
" --remount-ro DEST Remount DEST as readonly; does not recursively remount\n"
|
|
||||||
" --exec-label LABEL Exec label for the sandbox\n"
|
|
||||||
" --file-label LABEL File label for temporary sandbox content\n"
|
|
||||||
@@ -1111,6 +1113,30 @@ setup_newroot (bool unshare_pid,
|
|
||||||
(op->type == SETUP_RO_BIND_MOUNT ? BIND_READONLY : 0) |
|
|
||||||
(op->type == SETUP_DEV_BIND_MOUNT ? BIND_DEVICES : 0),
|
|
||||||
source, dest);
|
|
||||||
+
|
|
||||||
+ if (op->fd >= 0)
|
|
||||||
+ {
|
|
||||||
+ struct stat fd_st, mount_st;
|
|
||||||
+
|
|
||||||
+ /* When using bind-fd, there is a race condition between resolving the fd as a magic symlink
|
|
||||||
+ * and mounting it, where someone could replace what is at the symlink target. Ideally
|
|
||||||
+ * we would not even resolve the symlink and directly bind-mount from the fd, but unfortunately
|
|
||||||
+ * we can't do that, because its not permitted to bind mount a fd from another user namespace.
|
|
||||||
+ * So, we resolve, mount and then compare fstat+stat to detect the race. */
|
|
||||||
+
|
|
||||||
+ if (fstat(op->fd, &fd_st) != 0)
|
|
||||||
+ die_with_error("Can't stat fd %d", op->fd);
|
|
||||||
+ if (lstat(dest, &mount_st) != 0)
|
|
||||||
+ die_with_error("Can't stat mount at %s", dest);
|
|
||||||
+
|
|
||||||
+ if (fd_st.st_ino != mount_st.st_ino ||
|
|
||||||
+ fd_st.st_dev != mount_st.st_dev)
|
|
||||||
+ die_with_error("Race condition binding dirfd");
|
|
||||||
+
|
|
||||||
+ close(op->fd);
|
|
||||||
+ op->fd = -1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
break;
|
|
||||||
|
|
||||||
case SETUP_REMOUNT_RO_NO_RECURSIVE:
|
|
||||||
@@ -1648,6 +1674,30 @@ parse_args_recurse (int *argcp,
|
|
||||||
if (strcmp(arg, "--dev-bind-try") == 0)
|
|
||||||
op->flags = ALLOW_NOTEXIST;
|
|
||||||
|
|
||||||
+ argv += 2;
|
|
||||||
+ argc -= 2;
|
|
||||||
+ }
|
|
||||||
+ else if (strcmp (arg, "--bind-fd") == 0 ||
|
|
||||||
+ strcmp (arg, "--ro-bind-fd") == 0)
|
|
||||||
+ {
|
|
||||||
+ int src_fd;
|
|
||||||
+ char *endptr;
|
|
||||||
+
|
|
||||||
+ if (argc < 3)
|
|
||||||
+ die ("--bind-fd takes two arguments");
|
|
||||||
+
|
|
||||||
+ src_fd = strtol (argv[1], &endptr, 10);
|
|
||||||
+ if (argv[1][0] == 0 || endptr[0] != 0 || src_fd < 0)
|
|
||||||
+ die ("Invalid fd: %s", argv[1]);
|
|
||||||
+
|
|
||||||
+ if (strcmp(arg, "--ro-bind-fd") == 0)
|
|
||||||
+ op = setup_op_new (SETUP_RO_BIND_MOUNT);
|
|
||||||
+ else
|
|
||||||
+ op = setup_op_new (SETUP_BIND_MOUNT);
|
|
||||||
+ op->source = xasprintf ("/proc/self/fd/%d", src_fd);
|
|
||||||
+ op->fd = src_fd;
|
|
||||||
+ op->dest = argv[2];
|
|
||||||
+
|
|
||||||
argv += 2;
|
|
||||||
argc -= 2;
|
|
||||||
}
|
|
||||||
diff --git a/tests/test-run.sh b/tests/test-run.sh
|
|
||||||
index 702c480..ce1eaf6 100755
|
|
||||||
--- a/tests/test-run.sh
|
|
||||||
+++ b/tests/test-run.sh
|
|
||||||
@@ -80,7 +80,7 @@ if ! $RUN true; then
|
|
||||||
skip Seems like bwrap is not working at all. Maybe setuid is not working
|
|
||||||
fi
|
|
||||||
|
|
||||||
-echo "1..49"
|
|
||||||
+echo "1..50"
|
|
||||||
|
|
||||||
# Test help
|
|
||||||
${BWRAP} --help > help.txt
|
|
||||||
@@ -382,5 +382,10 @@ else
|
|
||||||
echo "ok - Test --pidns"
|
|
||||||
fi
|
|
||||||
|
|
||||||
+echo "foobar" > file-data
|
|
||||||
+$RUN --proc /proc --dev /dev --bind / / --bind-fd 100 /tmp cat /tmp/file-data 100< . > stdout
|
|
||||||
+assert_file_has_content stdout foobar
|
|
||||||
+
|
|
||||||
+echo "ok - bind-fd"
|
|
||||||
|
|
||||||
echo "ok - End of test"
|
|
||||||
--
|
|
||||||
2.46.0
|
|
||||||
|
|
||||||
@ -1,39 +0,0 @@
|
|||||||
From d70c640aecc30e9216dc1a614a207e85c8732036 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Colin Walters <walters@verbum.org>
|
|
||||||
Date: Thu, 27 May 2021 16:19:27 -0400
|
|
||||||
Subject: [PATCH] Avoid memory leak if --args is specified multiple times
|
|
||||||
|
|
||||||
Found by a static analyzer.
|
|
||||||
|
|
||||||
```
|
|
||||||
bubblewrap-0.4.1/bubblewrap.c:1500: overwrite_var: Overwriting "opt_args_data" in "opt_args_data = load_file_data(the_fd, &data_len)" leaks the storage that "opt_args_data" points to.
|
|
||||||
# 1498| * keep allocated until exit time, since its argv entries get used
|
|
||||||
# 1499| * by the other cases in parse_args_recurse() when we recurse. */
|
|
||||||
# 1500|-> opt_args_data = load_file_data (the_fd, &data_len);
|
|
||||||
# 1501| if (opt_args_data == NULL)
|
|
||||||
# 1502| die_with_error ("Can't read --args data");
|
|
||||||
```
|
|
||||||
---
|
|
||||||
bubblewrap.c | 6 ++++++
|
|
||||||
1 file changed, 6 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/bubblewrap.c b/bubblewrap.c
|
|
||||||
index 771e1ea..56ac07c 100644
|
|
||||||
--- a/bubblewrap.c
|
|
||||||
+++ b/bubblewrap.c
|
|
||||||
@@ -1494,6 +1494,12 @@ parse_args_recurse (int *argcp,
|
|
||||||
if (argv[1][0] == 0 || endptr[0] != 0 || the_fd < 0)
|
|
||||||
die ("Invalid fd: %s", argv[1]);
|
|
||||||
|
|
||||||
+ /* Specifying --args multiple times doesn't work; this just pacifies
|
|
||||||
+ * a static analyzer which pointed out the memory leak
|
|
||||||
+ */
|
|
||||||
+ if (opt_args_data != NULL)
|
|
||||||
+ free (opt_args_data);
|
|
||||||
+
|
|
||||||
/* opt_args_data is essentially a recursive argv array, which we must
|
|
||||||
* keep allocated until exit time, since its argv entries get used
|
|
||||||
* by the other cases in parse_args_recurse() when we recurse. */
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
||||||
@ -1,23 +1,18 @@
|
|||||||
Name: bubblewrap
|
Name: bubblewrap
|
||||||
Version: 0.4.1
|
Version: 0.6.3
|
||||||
Release: 8%{?dist}
|
Release: 1%{?dist}
|
||||||
Summary: Core execution tool for unprivileged containers
|
Summary: Core execution tool for unprivileged containers
|
||||||
|
|
||||||
License: LGPLv2+
|
License: LGPL-2.0-or-later
|
||||||
#VCS: git:https://github.com/projectatomic/bubblewrap
|
URL: https://github.com/containers/bubblewrap/
|
||||||
URL: https://github.com/projectatomic/bubblewrap
|
Source0: https://github.com/containers/bubblewrap/releases/download/v%{version}/bubblewrap-%{version}.tar.xz
|
||||||
Source0: https://github.com/projectatomic/bubblewrap/releases/download/v%{version}/bubblewrap-%{version}.tar.xz
|
|
||||||
Patch0: 0001-Avoid-memory-leak-if-args-is-specified-multiple-time.patch
|
|
||||||
Patch1: 0001-Accept-EROFS-for-access-check-of-proc-entries.patch
|
|
||||||
Patch2: 0001-Add-bind-fd-and-ro-bind-fd-to-let-you-bind-a-O_PATH-.patch
|
|
||||||
|
|
||||||
BuildRequires: autoconf automake libtool
|
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: libcap-devel
|
|
||||||
BuildRequires: pkgconfig(libselinux)
|
|
||||||
BuildRequires: libxslt
|
|
||||||
BuildRequires: docbook-style-xsl
|
BuildRequires: docbook-style-xsl
|
||||||
BuildRequires: make
|
BuildRequires: meson
|
||||||
|
BuildRequires: pkgconfig(libcap)
|
||||||
|
BuildRequires: pkgconfig(libselinux)
|
||||||
|
BuildRequires: /usr/bin/xsltproc
|
||||||
|
|
||||||
%description
|
%description
|
||||||
Bubblewrap (/usr/bin/bwrap) is a core execution engine for unprivileged
|
Bubblewrap (/usr/bin/bwrap) is a core execution engine for unprivileged
|
||||||
@ -28,27 +23,34 @@ user namespaces.
|
|||||||
%autosetup -p1
|
%autosetup -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
if ! test -x configure; then NOCONFIGURE=1 ./autogen.sh; fi
|
%meson -Dman=enabled
|
||||||
%configure --disable-silent-rules --with-priv-mode=none
|
%meson_build
|
||||||
%make_build
|
|
||||||
|
|
||||||
%install
|
%install
|
||||||
%make_install INSTALL="install -p -c"
|
%meson_install
|
||||||
find %{buildroot} -name '*.la' -delete -print
|
|
||||||
|
|
||||||
%files
|
%files
|
||||||
%license COPYING
|
%license COPYING
|
||||||
|
%doc README.md
|
||||||
%dir %{_datadir}/bash-completion
|
%dir %{_datadir}/bash-completion
|
||||||
%dir %{_datadir}/bash-completion/completions
|
%dir %{_datadir}/bash-completion/completions
|
||||||
%{_datadir}/bash-completion/completions/bwrap
|
%{_datadir}/bash-completion/completions/bwrap
|
||||||
|
%dir %{_datadir}/zsh
|
||||||
|
%dir %{_datadir}/zsh/site-functions
|
||||||
|
%{_datadir}/zsh/site-functions/_bwrap
|
||||||
%if (0%{?rhel} != 0 && 0%{?rhel} <= 7)
|
%if (0%{?rhel} != 0 && 0%{?rhel} <= 7)
|
||||||
%attr(0755,root,root) %caps(cap_sys_admin,cap_net_admin,cap_sys_chroot,cap_setuid,cap_setgid=ep) %{_bindir}/bwrap
|
%attr(0755,root,root) %caps(cap_sys_admin,cap_net_admin,cap_sys_chroot,cap_setuid,cap_setgid=ep) %{_bindir}/bwrap
|
||||||
%else
|
%else
|
||||||
%{_bindir}/bwrap
|
%{_bindir}/bwrap
|
||||||
%endif
|
%endif
|
||||||
%{_mandir}/man1/*
|
%{_mandir}/man1/bwrap.1*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Aug 30 2024 Joseph Marrero <jmarrero@redhat.com> - 0.6.3-1
|
||||||
|
- Rebase to 0.6.3 which is supported upstream
|
||||||
|
This release also includes the fix for CVE-2024-42472
|
||||||
|
Fixes: #RHEL-56797
|
||||||
|
|
||||||
* Fri Aug 30 2024 Kalev Lember <klember@redhat.com> - 0.4.1-8
|
* Fri Aug 30 2024 Kalev Lember <klember@redhat.com> - 0.4.1-8
|
||||||
- Backport upstream fix to help address CVE-2024-42472 in flatpak
|
- Backport upstream fix to help address CVE-2024-42472 in flatpak
|
||||||
|
|
||||||
|
|||||||
2
sources
2
sources
@ -1 +1 @@
|
|||||||
SHA512 (bubblewrap-0.4.1.tar.xz) = 0ff46dc0fda2d0cffbb36cc52ff43951b30cbd835a42cc56806acbbbd827796bfadbb1cfafc84d6b47a72c031ca44abe1c377acc0cc25fe3b33e854f5f687d35
|
SHA512 (bubblewrap-0.6.3.tar.xz) = 88a06ff7025fdecba93c3084d78429f30d968fe6d2b26e9280c56781411b609a033eb1213b1180cf774adc41a0b8ecd427d656892144f4c7738c334c7d0e393e
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user