buildah-1.27.0-2.el9
- fix CVE-2022-2990 - Related: #2061316 Signed-off-by: Jindrich Novy <jnovy@redhat.com>
This commit is contained in:
Jindrich Novy
parent
26bb4dae95
commit
ef8b3c3332
|
|
@ -0,0 +1,90 @@
|
|||
From 9934b17365083ce966b44c5ce3c7e052f516e255 Mon Sep 17 00:00:00 2001
|
||||
From: Aditya R <arajan@redhat.com>
|
||||
Date: Wed, 24 Aug 2022 08:42:23 +0530
|
||||
Subject: [PATCH] run: add container gid to additional groups
|
||||
|
||||
When container is created with specific uid and gid also add container
|
||||
gid to supplementary/additional group.
|
||||
|
||||
Signed-off-by: Aditya R <arajan@redhat.com>
|
||||
---
|
||||
run_common.go | 1 +
|
||||
tests/bud.bats | 16 ++++++++++++++++
|
||||
tests/bud/supplemental-groups/Dockerfile | 3 +++
|
||||
tests/run.bats | 14 ++++++++++++++
|
||||
4 files changed, 34 insertions(+)
|
||||
create mode 100644 tests/bud/supplemental-groups/Dockerfile
|
||||
|
||||
diff --git a/run_common.go b/run_common.go
|
||||
index 2054c56527..f5a5ec8505 100644
|
||||
--- a/run_common.go
|
||||
+++ b/run_common.go
|
||||
@@ -262,6 +262,7 @@ func (b *Builder) configureUIDGID(g *generate.Generator, mountPoint string, opti
|
||||
}
|
||||
g.SetProcessUID(user.UID)
|
||||
g.SetProcessGID(user.GID)
|
||||
+ g.AddProcessAdditionalGid(user.GID)
|
||||
for _, gid := range user.AdditionalGids {
|
||||
g.AddProcessAdditionalGid(gid)
|
||||
}
|
||||
diff --git a/tests/bud.bats b/tests/bud.bats
|
||||
index a37e418b41..07bdf45cac 100644
|
||||
--- a/tests/bud.bats
|
||||
+++ b/tests/bud.bats
|
||||
@@ -366,6 +366,22 @@ _EOF
|
||||
expect_output --substring "invalid response status"
|
||||
}
|
||||
|
||||
+@test "build test has gid in supplemental groups" {
|
||||
+ _prefetch alpine
|
||||
+ run_buildah build $WITH_POLICY_JSON -t source -f $BUDFILES/supplemental-groups/Dockerfile
|
||||
+ # gid 1000 must be in supplemental groups
|
||||
+ expect_output --substring "Groups: 1000"
|
||||
+}
|
||||
+
|
||||
+@test "build test if supplemental groups has gid with --isolation chroot" {
|
||||
+ test -z "${BUILDAH_ISOLATION}" || skip "BUILDAH_ISOLATION=${BUILDAH_ISOLATION} overrides --isolation"
|
||||
+
|
||||
+ _prefetch alpine
|
||||
+ run_buildah build --isolation chroot $WITH_POLICY_JSON -t source -f $BUDFILES/supplemental-groups/Dockerfile
|
||||
+ # gid 1000 must be in supplemental groups
|
||||
+ expect_output --substring "Groups: 1000"
|
||||
+}
|
||||
+
|
||||
# Test skipping images with FROM
|
||||
@test "build-test skipping unwanted stages with FROM" {
|
||||
mkdir -p ${TEST_SCRATCH_DIR}/bud/platform
|
||||
diff --git a/tests/bud/supplemental-groups/Dockerfile b/tests/bud/supplemental-groups/Dockerfile
|
||||
new file mode 100644
|
||||
index 0000000000..462d9ea7a4
|
||||
--- /dev/null
|
||||
+++ b/tests/bud/supplemental-groups/Dockerfile
|
||||
@@ -0,0 +1,3 @@
|
||||
+FROM alpine
|
||||
+USER 1000:1000
|
||||
+RUN cat /proc/$$/status
|
||||
diff --git a/tests/run.bats b/tests/run.bats
|
||||
index 2e8836c470..e34091fcbe 100644
|
||||
--- a/tests/run.bats
|
||||
+++ b/tests/run.bats
|
||||
@@ -349,6 +349,20 @@ function configure_and_check_user() {
|
||||
expect_output "888:888"
|
||||
}
|
||||
|
||||
+@test "run --user and verify gid in supplemental groups" {
|
||||
+ skip_if_no_runtime
|
||||
+
|
||||
+ # Create the container.
|
||||
+ _prefetch alpine
|
||||
+ run_buildah from $WITH_POLICY_JSON alpine
|
||||
+ ctr="$output"
|
||||
+
|
||||
+ # Run with uid:gid 1000:1000 and verify if gid is present in additional groups
|
||||
+ run_buildah run --user 1000:1000 "$ctr" cat /proc/self/status
|
||||
+ # gid 1000 must be in additional/supplemental groups
|
||||
+ expect_output --substring "Groups: 1000 "
|
||||
+}
|
||||
+
|
||||
@test "run --workingdir" {
|
||||
skip_if_no_runtime
|
||||
|
||||
|
|
@ -15,7 +15,7 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl
|
|||
Epoch: 1
|
||||
Name: buildah
|
||||
Version: 1.27.0
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
Summary: A command line tool used for creating OCI Images
|
||||
License: ASL 2.0
|
||||
URL: https://%{name}.io
|
||||
|
|
@ -26,6 +26,7 @@ Source0: https://%{import_path}/tarball/%{commit0}/%{branch}-%{shortcommit0}.tar
|
|||
%else
|
||||
Source0: https://%{import_path}/archive/%{commit0}/%{name}-%{version}-%{shortcommit0}.tar.gz
|
||||
%endif
|
||||
Patch0: https://patch-diff.githubusercontent.com/raw/containers/buildah/pull/4200.patch
|
||||
BuildRequires: golang >= 1.16.6
|
||||
BuildRequires: git
|
||||
BuildRequires: glib2-devel
|
||||
|
|
@ -132,6 +133,10 @@ make DESTDIR=%{buildroot} PREFIX=%{_prefix} -C docs install
|
|||
%{_datadir}/%{name}/test
|
||||
|
||||
%changelog
|
||||
* Fri Aug 26 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.27.0-2
|
||||
- fix CVE-2022-2990
|
||||
- Related: #2061316
|
||||
|
||||
* Tue Aug 09 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.27.0-1
|
||||
- update to https://github.com/containers/buildah/releases/tag/v1.27.0
|
||||
- Related: #2061316
|
||||
|
|
|
|||
Loading…
Reference in New Issue