Compare commits

...

No commits in common. "c8-stream-1.0" and "c8-stream-rhel8" have entirely different histories.

7 changed files with 2098 additions and 658 deletions

6
.gitignore vendored
View File

@ -1,2 +1,4 @@
SOURCES/cri-o-9b1f0a0.tar.gz
SOURCES/libpod-921f98f.tar.gz
SOURCES/dnsname-bdc4ab8.tar.gz
SOURCES/gvisor-tap-vsock-c62637db4d1417408b84340cbe993843a4984b92.tar.gz
SOURCES/v0.1.7.tar.gz
SOURCES/v4.9-rhel-70e4d02.tar.gz

View File

@ -1,2 +1,4 @@
b53ff7dd655dec8ddab85b7782a2d41e6bdcb301 SOURCES/cri-o-9b1f0a0.tar.gz
14fa9349a6277355aa6a4f079a131059d194fd99 SOURCES/libpod-921f98f.tar.gz
69fb828d3028f968e46420d58cc80bc59e446051 SOURCES/dnsname-bdc4ab8.tar.gz
78ab2a45bc90b147bc3d7c1c286c375c274bee6a SOURCES/gvisor-tap-vsock-c62637db4d1417408b84340cbe993843a4984b92.tar.gz
94419a237f932ff2a79c91f6e3005034d9c367a5 SOURCES/v0.1.7.tar.gz
6a76e90c911dc8fc5595459fcd9271b5bb673af6 SOURCES/v4.9-rhel-70e4d02.tar.gz

View File

@ -1,31 +0,0 @@
From fbc96cdd1741021f3d18e49eac3757297aaba851 Mon Sep 17 00:00:00 2001
From: Matthew Heon <mheon@redhat.com>
Date: Fri, 19 Feb 2021 11:34:39 -0500
Subject: [PATCH] Only drop all caps in exec when non-root
We were dropping too many capabilities otherwise, which broke
some critical system tools (e.g. useradd) in exec sessions.
Fix RHBZ#1930552
Signed-off-by: Matthew Heon <mheon@redhat.com>
---
libpod/oci_conmon_linux.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
index d5973a1a6..18ede031e 100644
--- a/libpod/oci.go
+++ b/libpod/oci.go
@@ -1107,7 +1107,7 @@ func prepareProcessExec(c *Container, cmd, env []string, tty bool, cwd, user, se
pspec.Capabilities.Effective = []string{}
if privileged {
pspec.Capabilities.Bounding = allCaps
- } else {
+ } else if execUser.Uid != 0 {
pspec.Capabilities.Bounding = []string{}
}
pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding
--
2.29.2

View File

@ -1,23 +0,0 @@
From bc5be3ca10cd4c147955fadd2586b5dd8ad0eeea Mon Sep 17 00:00:00 2001
From: Matthew Heon <mheon@redhat.com>
Date: Thu, 24 Sep 2020 10:42:13 -0400
Subject: [PATCH] Fix https://bugzilla.redhat.com/show_bug.cgi?id=1882267
Signed-off-by: Matthew Heon <mheon@redhat.com>
---
cmd/podman/sigproxy.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmd/podman/sigproxy.go b/cmd/podman/sigproxy.go
index 16861bad04..92d7f4e4a9 100644
--- a/cmd/podman/sigproxy.go
+++ b/cmd/podman/sigproxy.go
@@ -19,7 +19,7 @@ func ProxySignals(ctr *libpod.Container) {
for s := range sigBuffer {
// Ignore SIGCHLD and SIGPIPE - these are mostly likely
// intended for the podman command itself.
- if s == signal.SIGCHLD || s == signal.SIGPIPE {
+ if s == syscall.SIGCHLD || s == syscall.SIGPIPE || s == syscall.SIGURG {
continue
}

View File

@ -1,48 +0,0 @@
From 840e7dad513b86f454573ad415701c0199f78d30 Mon Sep 17 00:00:00 2001
From: TomSweeneyRedHat <tsweeney@redhat.com>
Date: Tue, 24 Mar 2020 20:10:22 -0400
Subject: [PATCH] Fix potential CVE in tarfile w/ symlink
Stealing @nalind 's workaround to avoid refetching
content after a file read failure. Under the right
circumstances that could be a symlink to a file meant
to overwrite a good file with bad data.
Testing:
```
goodstuff
[1] 14901
127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
no FROM statement found
goodstuff
```
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
---
imagebuildah/util.go | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff -up a/imagebuildah/util.go.CVE-2020-10696 b/imagebuildah/util.go
--- a/vendor/github.com/containers//buildah/imagebuildah/util.go.CVE-2020-10696
+++ b/vendor/github.com/containers//buildah/imagebuildah/util.go
@@ -12,6 +12,7 @@ import (
"github.com/containers/buildah"
"github.com/containers/storage/pkg/chrootarchive"
+ "github.com/containers/storage/pkg/ioutils"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
)
@@ -47,7 +48,7 @@ func downloadToDirectory(url, dir string
}
dockerfile := filepath.Join(dir, "Dockerfile")
// Assume this is a Dockerfile
- if err := ioutil.WriteFile(dockerfile, body, 0600); err != nil {
+ if err := ioutils.AtomicWriteFile(dockerfile, body, 0600); err != nil {
return errors.Wrapf(err, "Failed to write %q to %q", url, dockerfile)
}
}

View File

@ -1,319 +0,0 @@
From 69daa67c436a8fdeb0149aa5cb0112f03fdb699f Mon Sep 17 00:00:00 2001
From: Matthew Heon <mheon@redhat.com>
Date: Mon, 25 Jan 2021 14:18:07 -0500
Subject: [PATCH] Correct handling of capabilities
Ensure that capabilities are properly handled for non-root users
in privileged containers. We do not want to give full caps, but
instead only CapInh and CapEff (others should be all-zeroes).
Fixing `podman run` is easy - the same code as the Podman 1.6 fix
works there. The `podman exec` command is far more challenging.
Exec received a complete rewrite to use Conmon at some point
before Podman 1.6, and gained many capabilities in the process.
One of those was the ability to actually tweak the capabilities
of the exec process - 1.0 did not have that. Since it was needed
to resolve this CVE, I was forced to backport a large bit of the
1.0 -> 1.6 exec changes (passing a Process block to the OCI
runtime, and using `prepareProcessExec()` to prepare said block).
I am honestly uncomfortable with the size and scope of this
change but I don't see another way around this.
Fixes CVE-2021-20188
Signed-off-by: Matthew Heon <mheon@redhat.com>
---
libpod/container_api.go | 24 +------
libpod/oci.go | 148 ++++++++++++++++++++++++++++++++--------
pkg/spec/spec.go | 8 +++
3 files changed, 132 insertions(+), 48 deletions(-)
diff -up libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/container_api.go.orig libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/container_api.go
--- libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/container_api.go.orig 2019-02-11 16:26:46.000000000 +0100
+++ libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/container_api.go 2021-02-12 10:38:48.767172399 +0100
@@ -2,7 +2,6 @@ package libpod
import (
"context"
- "fmt"
"io/ioutil"
"os"
"strconv"
@@ -11,9 +10,7 @@ import (
"github.com/containers/libpod/libpod/driver"
"github.com/containers/libpod/pkg/inspect"
- "github.com/containers/libpod/pkg/lookup"
"github.com/containers/storage/pkg/stringid"
- "github.com/docker/docker/daemon/caps"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
"k8s.io/apimachinery/pkg/util/wait"
@@ -263,8 +260,6 @@ func (c *Container) Kill(signal uint) er
// TODO allow specifying streams to attach to
// TODO investigate allowing exec without attaching
func (c *Container) Exec(tty, privileged bool, env, cmd []string, user, workDir string) error {
- var capList []string
-
locked := false
if !c.batched {
locked = true
@@ -287,22 +282,8 @@ func (c *Container) Exec(tty, privileged
if conState != ContainerStateRunning {
return errors.Errorf("cannot exec into container that is not running")
}
- if privileged || c.config.Privileged {
- capList = caps.GetAllCapabilities()
- }
- // If user was set, look it up in the container to get a UID to use on
- // the host
- hostUser := ""
- if user != "" {
- execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, user, nil)
- if err != nil {
- return err
- }
-
- // runc expects user formatted as uid:gid
- hostUser = fmt.Sprintf("%d:%d", execUser.Uid, execUser.Gid)
- }
+ isPrivileged := privileged || c.config.Privileged
// Generate exec session ID
// Ensure we don't conflict with an existing session ID
@@ -324,10 +305,11 @@ func (c *Container) Exec(tty, privileged
logrus.Debugf("Creating new exec session in container %s with session id %s", c.ID(), sessionID)
- execCmd, err := c.runtime.ociRuntime.execContainer(c, cmd, capList, env, tty, workDir, hostUser, sessionID)
+ execCmd, processFile, err := c.runtime.ociRuntime.execContainer(c, cmd, env, tty, workDir, user, sessionID, isPrivileged)
if err != nil {
return errors.Wrapf(err, "error exec %s", c.ID())
}
+ defer os.Remove(processFile)
chWait := make(chan error)
go func() {
chWait <- execCmd.Wait()
diff -up libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/oci.go.orig libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/oci.go
--- libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/oci.go.orig 2019-02-11 16:26:46.000000000 +0100
+++ libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/oci.go 2021-02-12 10:38:48.768172416 +0100
@@ -15,10 +15,12 @@ import (
"syscall"
"time"
+ "github.com/containers/libpod/pkg/lookup"
"github.com/containers/libpod/pkg/rootless"
"github.com/containers/libpod/pkg/util"
"github.com/coreos/go-systemd/activation"
"github.com/cri-o/ocicni/pkg/ocicni"
+ "github.com/docker/docker/daemon/caps"
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/selinux/go-selinux"
"github.com/opencontainers/selinux/go-selinux/label"
@@ -735,18 +737,23 @@ func (r *OCIRuntime) unpauseContainer(ct
// TODO: Add --detach support
// TODO: Convert to use conmon
// TODO: add --pid-file and use that to generate exec session tracking
-func (r *OCIRuntime) execContainer(c *Container, cmd, capAdd, env []string, tty bool, cwd, user, sessionID string) (*exec.Cmd, error) {
+func (r *OCIRuntime) execContainer(c *Container, cmd, env []string, tty bool, cwd, user, sessionID string, privileged bool) (*exec.Cmd, string, error) {
if len(cmd) == 0 {
- return nil, errors.Wrapf(ErrInvalidArg, "must provide a command to execute")
+ return nil, "", errors.Wrapf(ErrInvalidArg, "must provide a command to execute")
}
if sessionID == "" {
- return nil, errors.Wrapf(ErrEmptyID, "must provide a session ID for exec")
+ return nil, "", errors.Wrapf(ErrEmptyID, "must provide a session ID for exec")
}
runtimeDir, err := util.GetRootlessRuntimeDir()
if err != nil {
- return nil, err
+ return nil, "", err
+ }
+
+ processFile, err := prepareProcessExec(c, cmd, env, tty, cwd, user, sessionID, privileged)
+ if err != nil {
+ return nil, "", err
}
args := []string{}
@@ -756,34 +763,14 @@ func (r *OCIRuntime) execContainer(c *Co
args = append(args, "exec")
- if cwd != "" {
- args = append(args, "--cwd", cwd)
- }
+ args = append(args, "--process", processFile)
args = append(args, "--pid-file", c.execPidPath(sessionID))
- if tty {
- args = append(args, "--tty")
- } else {
- args = append(args, "--tty=false")
- }
-
- if user != "" {
- args = append(args, "--user", user)
- }
-
if c.config.Spec.Process.NoNewPrivileges {
args = append(args, "--no-new-privs")
}
- for _, cap := range capAdd {
- args = append(args, "--cap", cap)
- }
-
- for _, envVar := range env {
- args = append(args, "--env", envVar)
- }
-
// Append container ID and command
args = append(args, c.ID())
args = append(args, cmd...)
@@ -797,10 +784,10 @@ func (r *OCIRuntime) execContainer(c *Co
execCmd.Env = append(execCmd.Env, fmt.Sprintf("XDG_RUNTIME_DIR=%s", runtimeDir))
if err := execCmd.Start(); err != nil {
- return nil, errors.Wrapf(err, "cannot start container %s", c.ID())
+ return nil, "", errors.Wrapf(err, "cannot start container %s", c.ID())
}
- return execCmd, nil
+ return execCmd, processFile, nil
}
// execStopContainer stops all active exec sessions in a container
@@ -892,3 +879,110 @@ func (r *OCIRuntime) checkpointContainer
args = append(args, ctr.ID())
return utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, nil, r.path, args...)
}
+
+// prepareProcessExec returns the path of the process.json used in runc exec -p.
+// Returns path to the created exec process file. This will need to be removed
+// by the caller when they're done, best effort.
+func prepareProcessExec(c *Container, cmd, env []string, tty bool, cwd, user, sessionID string, privileged bool) (string, error) {
+ filename := filepath.Join(c.bundlePath(), fmt.Sprintf("exec-process-%s", sessionID))
+ f, err := os.OpenFile(filename, os.O_CREATE|os.O_WRONLY, 0600)
+ if err != nil {
+ return "", err
+ }
+ defer f.Close()
+
+ pspec := c.config.Spec.Process
+ pspec.SelinuxLabel = c.config.ProcessLabel
+ pspec.Args = cmd
+ // We need to default this to false else it will inherit terminal as true
+ // from the container.
+ pspec.Terminal = false
+ if tty {
+ pspec.Terminal = true
+ }
+ if len(env) > 0 {
+ pspec.Env = append(pspec.Env, env...)
+ }
+
+ if cwd != "" {
+ pspec.Cwd = cwd
+
+ }
+
+ var addGroups []string
+ var sgids []uint32
+
+ // if the user is empty, we should inherit the user that the container is currently running with
+ if user == "" {
+ user = c.config.User
+ addGroups = c.config.Groups
+ }
+
+ execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, user, nil)
+ if err != nil {
+ return "", err
+ }
+
+ if len(addGroups) > 0 {
+ sgids, err = lookup.GetContainerGroups(addGroups, c.state.Mountpoint, nil)
+ if err != nil {
+ return "", errors.Wrapf(err, "error looking up supplemental groups for container %s exec session %s", c.ID(), sessionID)
+ }
+ }
+
+ // If user was set, look it up in the container to get a UID to use on
+ // the host
+ if user != "" || len(sgids) > 0 {
+ if user != "" {
+ for _, sgid := range execUser.Sgids {
+ sgids = append(sgids, uint32(sgid))
+ }
+ }
+ processUser := spec.User{
+ UID: uint32(execUser.Uid),
+ GID: uint32(execUser.Gid),
+ AdditionalGids: sgids,
+ }
+
+ pspec.User = processUser
+ }
+
+ allCaps := caps.GetAllCapabilities()
+ pspec.Capabilities.Effective = []string{}
+ if privileged {
+ pspec.Capabilities.Bounding = allCaps
+ } else {
+ pspec.Capabilities.Bounding = []string{}
+ }
+ pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding
+ if execUser.Uid == 0 {
+ pspec.Capabilities.Effective = pspec.Capabilities.Bounding
+ pspec.Capabilities.Permitted = pspec.Capabilities.Bounding
+ pspec.Capabilities.Ambient = pspec.Capabilities.Bounding
+ } else {
+ pspec.Capabilities.Permitted = pspec.Capabilities.Effective
+ pspec.Capabilities.Ambient = pspec.Capabilities.Effective
+ }
+
+ hasHomeSet := false
+ for _, s := range pspec.Env {
+ if strings.HasPrefix(s, "HOME=") {
+ hasHomeSet = true
+ break
+ }
+ }
+ if !hasHomeSet {
+ pspec.Env = append(pspec.Env, fmt.Sprintf("HOME=%s", execUser.Home))
+ }
+
+ processJSON, err := json.Marshal(pspec)
+ if err != nil {
+ return "", err
+ }
+
+ if err := ioutil.WriteFile(filename, processJSON, 0644); err != nil {
+ return "", err
+ }
+
+ return filename, nil
+}
diff -up libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/pkg/spec/spec.go.orig libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/pkg/spec/spec.go
--- libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/pkg/spec/spec.go.orig 2019-02-11 16:26:46.000000000 +0100
+++ libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/pkg/spec/spec.go 2021-02-12 10:38:48.768172416 +0100
@@ -325,6 +325,14 @@ func CreateConfigToOCISpec(config *Creat
}
} else {
g.SetupPrivileged(true)
+ if config.User != "" {
+ user := strings.SplitN(config.User, ":", 2)[0]
+ if user != "root" && user != "0" {
+ g.Spec().Process.Capabilities.Effective = []string{}
+ g.Spec().Process.Capabilities.Permitted = []string{}
+ g.Spec().Process.Capabilities.Ambient = []string{}
+ }
+ }
}
// HANDLE SECCOMP

File diff suppressed because it is too large Load Diff