import podman-1.6.4-12.module+el8.2.0+6670+014d0ff8

This commit is contained in:
CentOS Sources 2020-07-28 02:09:26 -04:00 committed by Stepan Oksanichenko
parent 3138b6d755
commit a332f18f59
9 changed files with 14190 additions and 15 deletions

60
SOURCES/497.patch Normal file
View File

@ -0,0 +1,60 @@
From a6fec757c8a17f3a5b92fb766b0f2eeb3b1a208a Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano <gscrivan@redhat.com>
Date: Thu, 19 Dec 2019 19:06:00 +0100
Subject: [PATCH] store: keep graph lock during Mount
This solves a race condition where a mountpoint is created without the
home mount being present.
The cause is that another process could be calling the graph driver
cleanup as part of store.Shutdown() causing the unmount of the
driver home directory.
The unmount could happen between the time the rlstore is retrieved and
the actual mount, causing the driver mount to be done without a home
mount below it.
A third process then would re-create again the home mount, shadowing
the previous mount.
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1757845
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
---
store.go | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/store.go b/store.go
index 65808b8a0..272153e51 100644
--- a/vendor/github.com/containers/storage/store.go
+++ b/vendor/github.com/containers/storage/store.go
@@ -2479,6 +2479,10 @@ func (s *store) Mount(id, mountLabel string) (string, error) {
if err != nil {
return "", err
}
+
+ s.graphLock.Lock()
+ defer s.graphLock.Unlock()
+
rlstore.Lock()
defer rlstore.Unlock()
if modified, err := rlstore.Modified(); modified || err != nil {
@@ -2486,6 +2490,18 @@ func (s *store) Mount(id, mountLabel string) (string, error) {
return "", err
}
}
+
+ /* We need to make sure the home mount is present when the Mount is done. */
+ if s.graphLock.TouchedSince(s.lastLoaded) {
+ s.graphDriver = nil
+ s.layerStore = nil
+ s.graphDriver, err = s.getGraphDriver()
+ if err != nil {
+ return "", err
+ }
+ s.lastLoaded = time.Now()
+ }
+
if rlstore.Exists(id) {
options := drivers.MountOpts{
MountLabel: mountLabel,

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,145 @@
From fb7d2b6bd6a16ffdbe4a69428e3ba5b487719e78 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh <dwalsh@redhat.com>
Date: Tue, 17 Dec 2019 15:24:29 -0500
Subject: [PATCH] Add support for FIPS-Mode backends
If host is running in fips mode, then RHEL8.2 and beyond container images
will come with a directory /usr/share/crypto-policies/back-ends/FIPS.
This directory needs to be bind mounted over /etc/crypto-policies/back-ends in
order to make all tools in the container follow the FIPS Mode rules.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
---
pkg/secrets/secrets.go | 48 +++++++++++++++++++++++++++++++++---------
run_linux.go | 2 +-
2 files changed, 39 insertions(+), 11 deletions(-)
diff -up ./libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/vendor/github.com/containers/buildah/pkg/secrets/secrets.go.1784950 ./libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/vendor/github.com/containers/buildah/pkg/secrets/secrets.go
--- libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/vendor/github.com/containers/buildah/pkg/secrets/secrets.go.1784950 2020-02-19 14:58:22.049213896 +0100
+++ libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/vendor/github.com/containers/buildah/pkg/secrets/secrets.go 2020-02-19 14:58:22.052213937 +0100
@@ -148,12 +148,21 @@ func getMountsMap(path string) (string,
}
// SecretMounts copies, adds, and mounts the secrets to the container root filesystem
+// Deprecated, Please use SecretMountWithUIDGID
func SecretMounts(mountLabel, containerWorkingDir, mountFile string, rootless, disableFips bool) []rspec.Mount {
return SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, containerWorkingDir, 0, 0, rootless, disableFips)
}
-// SecretMountsWithUIDGID specifies the uid/gid of the owner
-func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPrefix string, uid, gid int, rootless, disableFips bool) []rspec.Mount {
+// SecretMountsWithUIDGID copies, adds, and mounts the secrets to the container root filesystem
+// mountLabel: MAC/SELinux label for container content
+// containerWorkingDir: Private data for storing secrets on the host mounted in container.
+// mountFile: Additional mount points required for the container.
+// mountPoint: Container image mountpoint
+// uid: to assign to content created for secrets
+// gid: to assign to content created for secrets
+// rootless: indicates whether container is running in rootless mode
+// disableFips: indicates whether system should ignore fips mode
+func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPoint string, uid, gid int, rootless, disableFips bool) []rspec.Mount {
var (
secretMounts []rspec.Mount
mountFiles []string
@@ -171,7 +180,7 @@ func SecretMountsWithUIDGID(mountLabel,
}
for _, file := range mountFiles {
if _, err := os.Stat(file); err == nil {
- mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, mountPrefix, uid, gid)
+ mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, uid, gid)
if err != nil {
logrus.Warnf("error mounting secrets, skipping entry in %s: %v", file, err)
}
@@ -187,7 +196,7 @@ func SecretMountsWithUIDGID(mountLabel,
// Add FIPS mode secret if /etc/system-fips exists on the host
_, err := os.Stat("/etc/system-fips")
if err == nil {
- if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPrefix, mountLabel, uid, gid); err != nil {
+ if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPoint, mountLabel, uid, gid); err != nil {
logrus.Errorf("error adding FIPS mode secret to container: %v", err)
}
} else if os.IsNotExist(err) {
@@ -206,7 +215,7 @@ func rchown(chowndir string, uid, gid in
// addSecretsFromMountsFile copies the contents of host directory to container directory
// and returns a list of mounts
-func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPrefix string, uid, gid int) ([]rspec.Mount, error) {
+func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir string, uid, gid int) ([]rspec.Mount, error) {
var mounts []rspec.Mount
defaultMountsPaths := getMounts(filePath)
for _, path := range defaultMountsPaths {
@@ -285,7 +294,7 @@ func addSecretsFromMountsFile(filePath,
}
m := rspec.Mount{
- Source: filepath.Join(mountPrefix, ctrDirOrFile),
+ Source: ctrDirOrFileOnHost,
Destination: ctrDirOrFile,
Type: "bind",
Options: []string{"bind", "rprivate"},
@@ -300,15 +309,15 @@ func addSecretsFromMountsFile(filePath,
// root filesystem if /etc/system-fips exists on hosts.
// This enables the container to be FIPS compliant and run openssl in
// FIPS mode as the host is also in FIPS mode.
-func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix, mountLabel string, uid, gid int) error {
+func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPoint, mountLabel string, uid, gid int) error {
secretsDir := "/run/secrets"
ctrDirOnHost := filepath.Join(containerWorkingDir, secretsDir)
if _, err := os.Stat(ctrDirOnHost); os.IsNotExist(err) {
if err = idtools.MkdirAllAs(ctrDirOnHost, 0755, uid, gid); err != nil {
- return errors.Wrapf(err, "making container directory on host failed")
+ return errors.Wrapf(err, "making container directory %q on host failed", ctrDirOnHost)
}
if err = label.Relabel(ctrDirOnHost, mountLabel, false); err != nil {
- return errors.Wrap(err, "error applying correct labels")
+ return errors.Wrapf(err, "error applying correct labels on %q", ctrDirOnHost)
}
}
fipsFile := filepath.Join(ctrDirOnHost, "system-fips")
@@ -323,7 +332,7 @@ func addFIPSModeSecret(mounts *[]rspec.M
if !mountExists(*mounts, secretsDir) {
m := rspec.Mount{
- Source: filepath.Join(mountPrefix, secretsDir),
+ Source: ctrDirOnHost,
Destination: secretsDir,
Type: "bind",
Options: []string{"bind", "rprivate"},
@@ -331,6 +340,25 @@ func addFIPSModeSecret(mounts *[]rspec.M
*mounts = append(*mounts, m)
}
+ srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
+ destDir := "/etc/crypto-policies/back-ends"
+ srcOnHost := filepath.Join(mountPoint, srcBackendDir)
+ if _, err := os.Stat(srcOnHost); err != nil {
+ if os.IsNotExist(err) {
+ return nil
+ }
+ return errors.Wrapf(err, "failed to stat FIPS Backend directory %q", ctrDirOnHost)
+ }
+
+ if !mountExists(*mounts, destDir) {
+ m := rspec.Mount{
+ Source: srcOnHost,
+ Destination: destDir,
+ Type: "bind",
+ Options: []string{"bind", "rprivate"},
+ }
+ *mounts = append(*mounts, m)
+ }
return nil
}
diff -up ./libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/vendor/github.com/containers/buildah/run_linux.go.1784950 ./libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/vendor/github.com/containers/buildah/run_linux.go
--- libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/vendor/github.com/containers/buildah/run_linux.go.1784950 2020-02-19 14:58:22.021213507 +0100
+++ libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/vendor/github.com/containers/buildah/run_linux.go 2020-02-19 14:58:22.024213549 +0100
@@ -460,7 +460,7 @@ func (b *Builder) setupMounts(mountPoint
}
// Get the list of secrets mounts.
- secretMounts := secrets.SecretMountsWithUIDGID(b.MountLabel, cdir, b.DefaultMountsFilePath, cdir, int(rootUID), int(rootGID), unshare.IsRootless(), false)
+ secretMounts := secrets.SecretMountsWithUIDGID(b.MountLabel, cdir, b.DefaultMountsFilePath, mountPoint, int(rootUID), int(rootGID), unshare.IsRootless(), false)
// Add temporary copies of the contents of volume locations at the
// volume locations, unless we already have something there.

View File

@ -0,0 +1,51 @@
From 6c97e0d5c140d587e5477d478159e91b8adcfd15 Mon Sep 17 00:00:00 2001
From: Brent Baude <bbaude@redhat.com>
Date: Thu, 27 Feb 2020 14:39:31 -0600
Subject: [PATCH 2/2] network create should use firewall plugin
when creating a network, podman should add the firewall plugin to the config but not specify a backend. this will allow cni to determine whether it should use an iptables|firewalld backend.
Signed-off-by: Brent Baude <bbaude@redhat.com>
---
pkg/adapter/network.go | 1 +
pkg/network/netconflist.go | 1 -
2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/network/netconflist.go b/pkg/network/netconflist.go
index a8217097ac..34ff000249 100644
--- a/pkg/network/netconflist.go
+++ b/pkg/network/netconflist.go
@@ -110,7 +110,6 @@ func NewPortMapPlugin() PortMapConfig {
func NewFirewallPlugin() FirewallConfig {
return FirewallConfig{
PluginType: "firewall",
- Backend: "iptables",
}
}
From cfd40608907b653a8b05f2e4f4243f8aa677b6e3 Mon Sep 17 00:00:00 2001
From: Brent Baude <bbaude@redhat.com>
Date: Thu, 27 Feb 2020 14:35:48 -0600
Subject: [PATCH 1/2] add firewall plugin (no backend) to default cni config
in order for the fall back mechanisms to work in containernetworking-plugins, the firewall plugin must still be called via the cni configuration file. however, no backend w
Signed-off-by: Brent Baude <bbaude@redhat.com>
---
cni/87-podman-bridge.conflist | 3 +++
1 file changed, 3 insertions(+)
diff -up a/cni/87-podman-bridge.conflist b/cni/87-podman-bridge.conflist
--- a/cni/87-podman-bridge.conflist
+++ b/cni/87-podman-bridge.conflist
@@ -31,8 +31,7 @@
}
},
{
- "type": "firewall",
- "backend": "iptables"
+ "type": "firewall"
}
]
}

View File

@ -0,0 +1,133 @@
From b41c864d569357a102ee2335a4947e59e5e2b08a Mon Sep 17 00:00:00 2001
From: Matthew Heon <matthew.heon@pm.me>
Date: Thu, 27 Feb 2020 16:08:29 -0500
Subject: [PATCH] Ensure that exec sessions inherit supplemental groups
This corrects a regression from Podman 1.4.x where container exec
sessions inherited supplemental groups from the container, iff
the exec session did not specify a user.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
---
libpod/container_api.go | 5 -----
libpod/container_internal_linux.go | 5 ++++-
libpod/oci_conmon_linux.go | 25 +++++++++++++++++++++----
test/e2e/exec_test.go | 24 ++++++++++++++++++++++++
4 files changed, 49 insertions(+), 10 deletions(-)
diff --git a/libpod/container_api.go b/libpod/container_api.go
index d612341bce..dabbe27dcd 100644
--- a/libpod/container_api.go
+++ b/libpod/container_api.go
@@ -270,11 +270,6 @@ func (c *Container) Exec(tty, privileged bool, env map[string]string, cmd []stri
}
}()
- // if the user is empty, we should inherit the user that the container is currently running with
- if user == "" {
- user = c.config.User
- }
-
opts := new(ExecOptions)
opts.Cmd = cmd
opts.CapAdd = capList
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 7390262647..63968918cb 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -330,7 +330,10 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
// Add addition groups if c.config.GroupAdd is not empty
if len(c.config.Groups) > 0 {
- gids, _ := lookup.GetContainerGroups(c.config.Groups, c.state.Mountpoint, nil)
+ gids, err := lookup.GetContainerGroups(c.config.Groups, c.state.Mountpoint, overrides)
+ if err != nil {
+ return nil, errors.Wrapf(err, "error looking up supplemental groups for container %s", c.ID())
+ }
for _, gid := range gids {
g.AddProcessAdditionalGid(gid)
}
diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
index 07d38693f0..800f896036 100644
--- a/libpod/oci_conmon_linux.go
+++ b/libpod/oci_conmon_linux.go
@@ -1252,18 +1252,35 @@ func prepareProcessExec(c *Container, cmd, env []string, tty bool, cwd, user, se
}
+ var addGroups []string
+ var sgids []uint32
+
+ // if the user is empty, we should inherit the user that the container is currently running with
+ if user == "" {
+ user = c.config.User
+ addGroups = c.config.Groups
+ }
+
overrides := c.getUserOverrides()
execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, user, overrides)
if err != nil {
return nil, err
}
+ if len(addGroups) > 0 {
+ sgids, err = lookup.GetContainerGroups(addGroups, c.state.Mountpoint, overrides)
+ if err != nil {
+ return nil, errors.Wrapf(err, "error looking up supplemental groups for container %s exec session %s", c.ID(), sessionID)
+ }
+ }
+
// If user was set, look it up in the container to get a UID to use on
// the host
- if user != "" {
- sgids := make([]uint32, 0, len(execUser.Sgids))
- for _, sgid := range execUser.Sgids {
- sgids = append(sgids, uint32(sgid))
+ if user != "" || len(sgids) > 0 {
+ if user != "" {
+ for _, sgid := range execUser.Sgids {
+ sgids = append(sgids, uint32(sgid))
+ }
}
processUser := spec.User{
UID: uint32(execUser.Uid),
diff --git a/test/e2e/exec_test.go b/test/e2e/exec_test.go
index ed4eb3335f..ab806f6831 100644
--- a/test/e2e/exec_test.go
+++ b/test/e2e/exec_test.go
@@ -1,6 +1,7 @@
package integration
import (
+ "fmt"
"os"
"strings"
@@ -244,4 +245,27 @@ var _ = Describe("Podman exec", func() {
Expect(session.ExitCode()).To(Equal(0))
})
+ It("podman exec preserves --group-add groups", func() {
+ groupName := "group1"
+ gid := "4444"
+ ctrName1 := "ctr1"
+ ctr1 := podmanTest.Podman([]string{"run", "-ti", "--name", ctrName1, fedoraMinimal, "groupadd", "-g", gid, groupName})
+ ctr1.WaitWithDefaultTimeout()
+ Expect(ctr1.ExitCode()).To(Equal(0))
+
+ imgName := "img1"
+ commit := podmanTest.Podman([]string{"commit", ctrName1, imgName})
+ commit.WaitWithDefaultTimeout()
+ Expect(commit.ExitCode()).To(Equal(0))
+
+ ctrName2 := "ctr2"
+ ctr2 := podmanTest.Podman([]string{"run", "-d", "--name", ctrName2, "--group-add", groupName, imgName, "sleep", "300"})
+ ctr2.WaitWithDefaultTimeout()
+ Expect(ctr2.ExitCode()).To(Equal(0))
+
+ exec := podmanTest.Podman([]string{"exec", "-ti", ctrName2, "id"})
+ exec.WaitWithDefaultTimeout()
+ Expect(exec.ExitCode()).To(Equal(0))
+ Expect(strings.Contains(exec.OutputToString(), fmt.Sprintf("%s(%s)", gid, groupName))).To(BeTrue())
+ })
})

View File

@ -0,0 +1,27 @@
From fadd011a80c62f7a2fb971fac34d7b470c6a60df Mon Sep 17 00:00:00 2001
From: Brent Baude <bbaude@redhat.com>
Date: Mon, 27 Apr 2020 16:03:00 -0500
Subject: [PATCH] separate healthcheck and container log paths
instead of using the container log path to derive where to put the healthchecks, we now put them into the rundir to avoid collision of health check log files when the log path is set by user.
Fixes: #5915
Signed-off-by: Brent Baude <bbaude@redhat.com>
---
libpod/healthcheck.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libpod/healthcheck.go b/libpod/healthcheck.go
index daddb6561d..aec5fa4e0f 100644
--- libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/libpod/healthcheck.go
+++ libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/libpod/healthcheck.go
@@ -238,7 +238,7 @@ func (c *Container) updateHealthCheckLog(hcl define.HealthCheckLog, inStartPerio
// HealthCheckLogPath returns the path for where the health check log is
func (c *Container) healthCheckLogPath() string {
- return filepath.Join(filepath.Dir(c.LogPath()), "healthcheck.log")
+ return filepath.Join(filepath.Dir(c.state.RunDir), "healthcheck.log")
}
// GetHealthCheckLog returns HealthCheck results by reading the container's

View File

@ -0,0 +1,58 @@
From 840e7dad513b86f454573ad415701c0199f78d30 Mon Sep 17 00:00:00 2001
From: TomSweeneyRedHat <tsweeney@redhat.com>
Date: Tue, 24 Mar 2020 20:10:22 -0400
Subject: [PATCH] Fix potential CVE in tarfile w/ symlink
Stealing @nalind 's workaround to avoid refetching
content after a file read failure. Under the right
circumstances that could be a symlink to a file meant
to overwrite a good file with bad data.
Testing:
```
goodstuff
[1] 14901
127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
no FROM statement found
goodstuff
```
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
---
imagebuildah/util.go | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/imagebuildah/util.go b/imagebuildah/util.go
index 29ea60970..5f14c9883 100644
--- a/vendor/github.com/containers/buildah/imagebuildah/util.go
+++ b/vendor/github.com/containers/buildah/imagebuildah/util.go
@@ -14,6 +14,7 @@ import (
"github.com/containers/buildah"
"github.com/containers/storage/pkg/chrootarchive"
+ "github.com/containers/storage/pkg/ioutils"
"github.com/opencontainers/runtime-spec/specs-go"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
@@ -57,7 +58,7 @@ func downloadToDirectory(url, dir string) error {
}
dockerfile := filepath.Join(dir, "Dockerfile")
// Assume this is a Dockerfile
- if err := ioutil.WriteFile(dockerfile, body, 0600); err != nil {
+ if err := ioutils.AtomicWriteFile(dockerfile, body, 0600); err != nil {
return errors.Wrapf(err, "Failed to write %q to %q", url, dockerfile)
}
}
@@ -75,7 +76,7 @@ func stdinToDirectory(dir string) error {
if err := chrootarchive.Untar(reader, dir, nil); err != nil {
dockerfile := filepath.Join(dir, "Dockerfile")
// Assume this is a Dockerfile
- if err := ioutil.WriteFile(dockerfile, b, 0600); err != nil {
+ if err := ioutils.AtomicWriteFile(dockerfile, b, 0600); err != nil {
return errors.Wrapf(err, "Failed to write bytes to %q", dockerfile)
}
}

View File

@ -0,0 +1,100 @@
From c140ecdc9b416ab4efd4d21d14acd63b6adbdd42 Mon Sep 17 00:00:00 2001
From: Matthew Heon <matthew.heon@pm.me>
Date: Mon, 10 Feb 2020 13:37:38 -0500
Subject: [PATCH] Do not copy up when volume is not empty
When Docker performs a copy up, it first verifies that the volume
being copied into is empty; thus, for volumes that have been
modified elsewhere (e.g. manually copying into then), the copy up
will not be performed at all. Duplicate this behavior in Podman
by checking if the volume is empty before copying.
Furthermore, move setting copyup to false further up. This will
prevent a potential race where copy up could happen more than
once if Podman was killed after some files had been copied but
before the DB was updated.
This resolves CVE-2020-1726.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
---
libpod/container_internal.go | 28 ++++++++++++++++++++++------
test/e2e/run_volume_test.go | 24 ++++++++++++++++++++++++
2 files changed, 46 insertions(+), 6 deletions(-)
diff -up ./libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/libpod/container_internal.go.1801152 ./libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/libpod/container_internal.go
--- libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/libpod/container_internal.go.1801152 2020-02-21 17:08:38.015363357 +0100
+++ libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/libpod/container_internal.go 2020-02-21 17:08:38.019363413 +0100
@@ -1358,18 +1358,34 @@ func (c *Container) mountNamedVolume(v *
}
if vol.state.NeedsCopyUp {
logrus.Debugf("Copying up contents from container %s to volume %s", c.ID(), vol.Name())
+
+ // Set NeedsCopyUp to false immediately, so we don't try this
+ // again when there are already files copied.
+ vol.state.NeedsCopyUp = false
+ if err := vol.save(); err != nil {
+ return nil, err
+ }
+
+ // If the volume is not empty, we should not copy up.
+ volMount := vol.MountPoint()
+ contents, err := ioutil.ReadDir(volMount)
+ if err != nil {
+ return nil, errors.Wrapf(err, "error listing contents of volume %s mountpoint when copying up from container %s", vol.Name(), c.ID())
+ }
+ if len(contents) > 0 {
+ // The volume is not empty. It was likely modified
+ // outside of Podman. For safety, let's not copy up into
+ // it. Fixes CVE-2020-1726.
+ return vol, nil
+ }
+
srcDir, err := securejoin.SecureJoin(mountpoint, v.Dest)
if err != nil {
return nil, errors.Wrapf(err, "error calculating destination path to copy up container %s volume %s", c.ID(), vol.Name())
}
- if err := c.copyWithTarFromImage(srcDir, vol.MountPoint()); err != nil && !os.IsNotExist(err) {
+ if err := c.copyWithTarFromImage(srcDir, volMount); err != nil && !os.IsNotExist(err) {
return nil, errors.Wrapf(err, "error copying content from container %s into volume %s", c.ID(), vol.Name())
}
-
- vol.state.NeedsCopyUp = false
- if err := vol.save(); err != nil {
- return nil, err
- }
}
return vol, nil
}
diff -up ./libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/test/e2e/run_volume_test.go.1801152 ./libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/test/e2e/run_volume_test.go
--- libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/test/e2e/run_volume_test.go.1801152 2020-02-21 17:08:38.042363735 +0100
+++ libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/test/e2e/run_volume_test.go 2020-02-21 17:08:38.046363791 +0100
@@ -375,4 +375,28 @@ var _ = Describe("Podman run with volume
volMount.WaitWithDefaultTimeout()
Expect(volMount.ExitCode()).To(Not(Equal(0)))
})
+
+ It("Podman fix for CVE-2020-1726", func() {
+ volName := "testVol"
+ volCreate := podmanTest.Podman([]string{"volume", "create", volName})
+ volCreate.WaitWithDefaultTimeout()
+ Expect(volCreate.ExitCode()).To(Equal(0))
+
+ volPath := podmanTest.Podman([]string{"volume", "inspect", "--format", "{{.Mountpoint}}", volName})
+ volPath.WaitWithDefaultTimeout()
+ Expect(volPath.ExitCode()).To(Equal(0))
+ path := volPath.OutputToString()
+
+ fileName := "thisIsATestFile"
+ file, err := os.Create(filepath.Join(path, fileName))
+ Expect(err).To(BeNil())
+ defer file.Close()
+
+ runLs := podmanTest.Podman([]string{"run", "-t", "-i", "--rm", "-v", fmt.Sprintf("%v:/etc/ssl", volName), ALPINE, "ls", "-1", "/etc/ssl"})
+ runLs.WaitWithDefaultTimeout()
+ Expect(runLs.ExitCode()).To(Equal(0))
+ outputArr := runLs.OutputToStringArray()
+ Expect(len(outputArr)).To(Equal(1))
+ Expect(strings.Contains(outputArr[0], fileName)).To(BeTrue())
+ })
})

View File

@ -29,11 +29,35 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl
Name: podman
Version: 1.6.4
Release: 1%{?dist}
Release: 12%{?dist}
Summary: Manage Pods, Containers and Container Images
License: ASL 2.0
URL: https://%{name}.io/
Source0: %{git0}/archive/%{commit0}/%{repo}-%{shortcommit0}.tar.gz
Patch0: https://patch-diff.githubusercontent.com/raw/containers/storage/pull/497.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1702
# https://github.com/containers/libpod/pull/5096.patch
Patch1: CVE-2020-1702-1801929.patch
# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1784950
# backported: https://patch-diff.githubusercontent.com/raw/containers/buildah/pull/2031.patch
Patch2: podman-1784950.patch
# tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1726
# backported: https://patch-diff.githubusercontent.com/raw/containers/libpod/pull/5168.patch
Patch3: podman-CVE-2020-1726.patch
# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1805212
# backported: https://github.com/containers/libpod/pull/5348.patch
Patch4: podman-1805212.patch
# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1807310
# patch: https://github.com/containers/libpod/pull/5349.patch
Patch5: podman-1807310.patch
# tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10696
# backported: https://github.com/containers/buildah/commit/c61925b8936e93a5e900f91b653a846f7ea3a9ed.patch
Patch6: podman-CVE-2020-10696.patch
# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1834346
# patch: https://github.com/containers/libpod/pull/6009.patch
Patch7: podman-1834346.patch
Provides: %{name}-manpages = %{version}-%{release}
Obsoletes: %{name}-manpages < %{version}-%{release}
BuildRequires: golang >= 1.12.12-4
BuildRequires: glib2-devel
BuildRequires: glibc-devel
@ -56,7 +80,6 @@ Requires: iptables
Requires: nftables
Requires: libseccomp >= 2.4.1
Requires: conmon
Requires: %{name}-manpages = %{version}-%{release}
Requires: container-selinux
Requires: slirp4netns >= 0.4.0-1
Requires: runc >= 1.0.0-57
@ -188,13 +211,6 @@ This package installs a script named docker that emulates the Docker CLI by
executes %{name} commands, it also creates links between all Docker CLI man
pages and %{name}.
%package manpages
Summary: Man pages for the %{name} commands
BuildArch: noarch
%description manpages
Man pages for the %{name} commands
%package remote
Summary: (Experimental) Remote client for managing %{name} containers
@ -278,6 +294,11 @@ ln -s ./ ./vendor/src # ./vendor/src -> ./vendor
install -d -p %{buildroot}/%{_datadir}/%{name}/test/system
cp -pav test/system %{buildroot}/%{_datadir}/%{name}/test/
# do not include docker and podman-remote man pages in main package
for file in `find %{buildroot}%{_mandir}/man[15] -type f | sed "s,%{buildroot},," | grep -v -e remote -e docker`; do
echo "$file*" >> podman.file-list
done
%check
%if 0%{?with_check}
# Since we aren't packaging up the vendor directory we need to link
@ -305,11 +326,10 @@ exit 0
#define license tag if not already defined
%{!?_licensedir:%global license %doc}
%files
%files -f podman.file-list
%license LICENSE
%doc README.md CONTRIBUTING.md pkg/hooks/README-hooks.md install.md code-of-conduct.md transfer.md
%{_bindir}/%{name}
%{_mandir}/man5/*.5*
%{_datadir}/bash-completion/completions/*
# By "owning" the site-functions dir, we don't need to Require zsh
%{_datadir}/zsh/site-functions
@ -320,24 +340,66 @@ exit 0
%{_unitdir}/io.%{name}.socket
%{_userunitdir}/io.%{name}.service
%{_userunitdir}/io.%{name}.socket
%{_usr}/lib/tmpfiles.d/%{name}.conf
%files docker
%{_bindir}/docker
%{_mandir}/man1/docker*.1*
%files manpages
%{_mandir}/man1/%{name}*.1*
%files remote
%{_bindir}/%{name}-remote
%{_mandir}/man1/%{name}-remote*.1*
%files tests
%license LICENSE
%{_datadir}/%{name}/test
%changelog
* Mon May 18 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-12
- fix "Please backport correction patch for the native container healthchecks"
- Resolves: #1834346
* Wed Apr 01 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-11
- fix "CVE-2020-10696 buildah: crafted input tar file may lead to local file overwriting during image build process"
- Resolves: #1819391
* Thu Mar 19 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-10
- use the full PR 5348 to fix "no route to host from inside container"
- Resolves: #1806899
* Fri Mar 06 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-9
- update fix for "podman (1.6.4) rhel 8.1 no route to host from inside container"
- Resolves: #1806899
* Fri Mar 06 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-8
- fix "[FJ8.2 Bug]: [REG]The "--group-add" option of "podman create" doesn't function."
- Resolves: #1808705
* Thu Feb 27 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-7
- fix "podman (1.6.4) rhel 8.1 no route to host from inside container"
- Resolves: #1806899
* Fri Feb 21 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-6
- fix "CVE-2020-1726 podman: incorrectly allows existing files in volumes to be overwritten by a container when it is created"
- Resolves: #1801572
* Wed Feb 19 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-5
- fix "Podman support for FIPS Mode requires a bind mount inside the container"
- Resolves: #1804193
* Mon Feb 17 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-4
- fix CVE-2020-1702
- Resolves: #1801929
* Wed Jan 08 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-3
- merge podman-manpages with podman package and put man pages for
podman-remote to its dedicated subpackage
Resolves: #1788539
* Fri Jan 03 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-2
- apply fix for #1757845
- Related: RHELPLAN-25139
* Wed Dec 11 2019 Jindrich Novy <jnovy@redhat.com> - 1.6.4-1
- update to 1.6.4
- Related: RHELPLAN-25139