Hello community,
here is the log from the commit of package docker-runc for openSUSE:Factory checked in at 2019-10-23 15:47:10
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/docker-runc (Old)
and /work/SRC/openSUSE:Factory/.docker-runc.new.2352 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "docker-runc"
Wed Oct 23 15:47:10 2019 rev:20 rq:736405 version:1.0.0rc8+gitr3917_3e425f80a8c9
Changes:
--------
--- /work/SRC/openSUSE:Factory/docker-runc/docker-runc.changes 2019-06-30 10:19:26.507428221 +0200
+++ /work/SRC/openSUSE:Factory/.docker-runc.new.2352/docker-runc.changes 2019-10-23 15:47:16.114462304 +0200
@@ -1,0 +2,15 @@
+Tue Oct 8 23:39:02 UTC 2019 - Aleksa Sarai
+
+- Update to runc 3e425f80a8c9, which is required for Docker 19.03.3-ce.
+ bsc#1153367
+- Rebase CVE-2019-16884 fix (3e425f80a8c9 doesn't contain the entire fix).
+ bsc#1152308
+ - CVE-2019-16884.patch
+
+-------------------------------------------------------------------
+Thu Sep 26 14:54:07 UTC 2019 - Aleksa Sarai
+
+- Add backported fix for CVE-2019-16884. bsc#1152308
+ + CVE-2019-16884.patch
+
+-------------------------------------------------------------------
Old:
----
docker-runc-git.425e105d5a03fabd737a126ad93d62a9eeede87f.tar.xz
New:
----
CVE-2019-16884.patch
docker-runc-git.3e425f80a8c9.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ docker-runc.spec ++++++
--- /var/tmp/diff_new_pack.zYiheW/_old 2019-10-23 15:47:17.374463666 +0200
+++ /var/tmp/diff_new_pack.zYiheW/_new 2019-10-23 15:47:17.378463670 +0200
@@ -29,14 +29,14 @@
%endif
# MANUAL: Update the git_version, git_short, and git_revision
-%define git_version 425e105d5a03fabd737a126ad93d62a9eeede87f
-%define git_short 425e105d5a03
+%define git_version 3e425f80a8c931f88e6d94a8c831b9d5aa481657
+%define git_short 3e425f80a8c9
# How to get the git_revision
# git clone ${url}.git runc-upstream
# cd runc-upstream
# git checkout $git_version
# git_revision=r$(git rev-list HEAD | wc -l)
-%define git_revision r3826
+%define git_revision r3917
%define go_tool go
%define _name runc
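Review bot: `git_short` is hard-coded to a 12-character abbreviation, while the new `_service` `versionformat` of `git.%h` lets git choose the abbreviation length (governed by `core.abbrev`, which by default scales with repository size), and the `Source:` line in the `@@ -49,8 +49,10 @@` hunk and `%setup -n` in the `%prep` hunk are both derived from `git_short`; if the service ever emits a different length, the tarball name and unpack directory will no longer match. The same coupling affects the `_service` hunk at the end of this log. The MANUAL comment could make the requirement explicit: `# MANUAL: git_short must equal the abbreviated hash the _service versionformat (git.%h) produced for this revision; update both together.`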
@@ -49,8 +49,10 @@
License: Apache-2.0
Group: System/Management
Url: https://github.com/opencontainers/runc
-Source: %{realname}-git.%{git_version}.tar.xz
+Source: %{realname}-git.%{git_short}.tar.xz
Source1: %{realname}-rpmlintrc
+# FIX-UPSTREAM: Backport of https://github.com/opencontainers/runc/pull/2130.
+Patch1: CVE-2019-16884.patch
BuildRequires: fdupes
BuildRequires: go-go-md2man
BuildRequires: libapparmor-devel
@@ -86,7 +88,9 @@
and has grown to become a separate project entirely.
%prep
-%setup -q -n %{realname}-git.%{git_version}
+%setup -q -n %{realname}-git.%{git_short}
+# CVE-2019-16884 bsc#1152308
+%patch1 -p1
%build
# Do not use symlinks. If you want to run the unit tests for this package at
@@ -94,9 +98,9 @@
# will get confused by symlinks.
export GOPATH=${HOME}/go
export PROJECT=${HOME}/go/src/%project
-mkdir -pv $PROJECT
+mkdir -p $PROJECT
rm -rf $PROJECT/*
-cp -av * $PROJECT
+cp -a * $PROJECT
# Build all features.
export BUILDTAGS="apparmor selinux seccomp"
++++++ CVE-2019-16884.patch ++++++
From cb9f5ac65dc00dc8a7f859bc422483950d180e83 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai
Date: Mon, 30 Sep 2019 00:35:33 +1000
Subject: [PATCH] CVE-2019-16884
This is a backport of the following patches:
* e12201c719ac ("vendor: update github.com/opencontainers/selinux")
* 5db97bbdef9f ("*: verify that operations on /proc/... are on procfs")
SUSE-Bugs: CVE-2019-16884 bsc#1152308
Signed-off-by: Aleksa Sarai
---
libcontainer/apparmor/apparmor.go | 10 ++++-
libcontainer/utils/utils_unix.go | 44 ++++++++++++++-----
vendor.conf | 2 +-
.../selinux/go-selinux/label/label_selinux.go | 18 +++++---
.../selinux/go-selinux/selinux_linux.go | 33 ++++++++++++++
.../selinux/go-selinux/selinux_stub.go | 13 ++++++
6 files changed, 100 insertions(+), 20 deletions(-)
diff --git a/libcontainer/apparmor/apparmor.go b/libcontainer/apparmor/apparmor.go
index 7fff0627fa1b..debfc1e489ed 100644
--- a/libcontainer/apparmor/apparmor.go
+++ b/libcontainer/apparmor/apparmor.go
@@ -6,6 +6,8 @@ import (
"fmt"
"io/ioutil"
"os"
+
+ "github.com/opencontainers/runc/libcontainer/utils"
)
// IsEnabled returns true if apparmor is enabled for the host.
@@ -19,7 +21,7 @@ func IsEnabled() bool {
return false
}
-func setprocattr(attr, value string) error {
+func setProcAttr(attr, value string) error {
// Under AppArmor you can only change your own attr, so use /proc/self/
// instead of /proc/<tid>/ like libapparmor does
path := fmt.Sprintf("/proc/self/attr/%s", attr)
@@ -30,6 +32,10 @@ func setprocattr(attr, value string) error {
}
defer f.Close()
+ if err := utils.EnsureProcHandle(f); err != nil {
+ return err
+ }
+
_, err = fmt.Fprintf(f, "%s", value)
return err
}
@@ -37,7 +43,7 @@ func setprocattr(attr, value string) error {
// changeOnExec reimplements aa_change_onexec from libapparmor in Go
func changeOnExec(name string) error {
value := "exec " + name
- if err := setprocattr("exec", value); err != nil {
+ if err := setProcAttr("exec", value); err != nil {
return fmt.Errorf("apparmor failed to apply profile: %s", err)
}
return nil
diff --git a/libcontainer/utils/utils_unix.go b/libcontainer/utils/utils_unix.go
index c96088988a6d..1576f2d4ab63 100644
--- a/libcontainer/utils/utils_unix.go
+++ b/libcontainer/utils/utils_unix.go
@@ -3,33 +3,57 @@
package utils
import (
- "io/ioutil"
+ "fmt"
"os"
"strconv"
"golang.org/x/sys/unix"
)
+// EnsureProcHandle returns whether or not the given file handle is on procfs.
+func EnsureProcHandle(fh *os.File) error {
+ var buf unix.Statfs_t
+ if err := unix.Fstatfs(int(fh.Fd()), &buf); err != nil {
+ return fmt.Errorf("ensure %s is on procfs: %v", fh.Name(), err)
+ }
+ if buf.Type != unix.PROC_SUPER_MAGIC {
+ return fmt.Errorf("%s is not on procfs", fh.Name())
+ }
+ return nil
+}
+
+// CloseExecFrom applies O_CLOEXEC to all file descriptors currently open for
+// the process (except for those below the given fd value).
func CloseExecFrom(minFd int) error {
- fdList, err := ioutil.ReadDir("/proc/self/fd")
+ fdDir, err := os.Open("/proc/self/fd")
+ if err != nil {
+ return err
+ }
+ defer fdDir.Close()
+
+ if err := EnsureProcHandle(fdDir); err != nil {
+ return err
+ }
+
+ fdList, err := fdDir.Readdirnames(-1)
if err != nil {
return err
}
- for _, fi := range fdList {
- fd, err := strconv.Atoi(fi.Name())
+ for _, fdStr := range fdList {
+ fd, err := strconv.Atoi(fdStr)
+ // Ignore non-numeric file names.
if err != nil {
- // ignore non-numeric file names
continue
}
-
+ // Ignore descriptors lower than our specified minimum.
if fd < minFd {
- // ignore descriptors lower than our specified minimum
continue
}
-
- // intentionally ignore errors from unix.CloseOnExec
+ // Intentionally ignore errors from unix.CloseOnExec -- the cases where
+ // this might fail are basically file descriptors that have already
+ // been closed (including and especially the one that was created when
+ // ioutil.ReadDir did the "opendir" syscall).
unix.CloseOnExec(fd)
- // the cases where this might fail are basically file descriptors that have already been closed (including and especially the one that was created when ioutil.ReadDir did the "opendir" syscall)
}
return nil
}
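Review bot: The comment above `unix.CloseOnExec(fd)` still attributes the ignored error to the descriptor that `ioutil.ReadDir` opened, but this hunk replaces `ioutil.ReadDir` with `os.Open` plus `Readdirnames`, and `fdDir` remains open under the deferred Close for the whole loop, so that descriptor is live and the stated rationale no longer matches the code; suggest `// Intentionally ignore errors from unix.CloseOnExec -- a failure here most likely means the descriptor was closed after Readdirnames listed it.` The doc comment on `EnsureProcHandle` also says it "returns whether or not" the handle is on procfs although the function returns only an error; a more accurate line is `// EnsureProcHandle returns an error unless fh is on procfs, judged solely by the fstatfs filesystem type (PROC_SUPER_MAGIC).` Because the check is by filesystem type only, callers should not read a nil result as identifying which procfs mount the handle belongs to.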
diff --git a/vendor.conf b/vendor.conf
index e3f8e6d7ea06..a29764cd73c3 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -6,7 +6,7 @@ github.com/opencontainers/runtime-spec 29686dbc5559d93fb1ef402eeda3e35c38d75af4
# Core libcontainer functionality.
github.com/checkpoint-restore/go-criu 17b0214f6c48980c45dc47ecb0cfd6d9e02df723 # v3.11
github.com/mrunalp/fileutils 7d4729fb36185a7c1719923406c9d40e54fb93c7
-github.com/opencontainers/selinux 3a1f366feb7aecbf7a0e71ac4cea88b31597de9e # v1.2.2
+github.com/opencontainers/selinux 5215b1806f52b1fcc2070a8826c542c9d33cd3cf # v1.3.0 (+ CVE-2019-16884)
github.com/seccomp/libseccomp-golang 689e3c1541a84461afc49c1c87352a6cedf72e9c # v0.9.1
github.com/sirupsen/logrus 8bdbc7bcc01dcbb8ec23dc8a28e332258d25251f # v1.4.1
github.com/syndtr/gocapability d98352740cb2c55f81556b63d4a1ec64c5a319c2
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
index 1eb9a6bf2527..2730fcf4a9ad 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
@@ -13,11 +13,12 @@ import (
// Valid Label Options
var validOptions = map[string]bool{
- "disable": true,
- "type": true,
- "user": true,
- "role": true,
- "level": true,
+ "disable": true,
+ "type": true,
+ "filetype": true,
+ "user": true,
+ "role": true,
+ "level": true,
}
var ErrIncompatibleLabel = fmt.Errorf("Bad SELinux option z and Z can not be used together")
@@ -51,13 +52,16 @@ func InitLabels(options []string) (plabel string, mlabel string, Err error) {
return "", mountLabel, nil
}
if i := strings.Index(opt, ":"); i == -1 {
- return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type' followed by ':' and a value", opt)
+ return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type, filetype' followed by ':' and a value", opt)
}
con := strings.SplitN(opt, ":", 2)
if !validOptions[con[0]] {
- return "", "", fmt.Errorf("Bad label option %q, valid options 'disable, user, role, level, type'", con[0])
+ return "", "", fmt.Errorf("Bad label option %q, valid options 'disable, user, role, level, type, filetype'", con[0])
}
+ if con[0] == "filetype" {
+ mcon["type"] = con[1]
+ }
pcon[con[0]] = con[1]
if con[0] == "level" || con[0] == "user" {
mcon[con[0]] = con[1]
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
index d7786c33c197..8cdf1b054ace 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
@@ -18,6 +18,8 @@ import (
"strings"
"sync"
"syscall"
+
+ "golang.org/x/sys/unix"
)
const (
@@ -252,6 +254,12 @@ func getSELinuxPolicyRoot() string {
return filepath.Join(selinuxDir, readConfig(selinuxTypeTag))
}
+func isProcHandle(fh *os.File) (bool, error) {
+ var buf unix.Statfs_t
+ err := unix.Fstatfs(int(fh.Fd()), &buf)
+ return buf.Type == unix.PROC_SUPER_MAGIC, err
+}
+
func readCon(fpath string) (string, error) {
if fpath == "" {
return "", ErrEmptyPath
@@ -263,6 +271,12 @@ func readCon(fpath string) (string, error) {
}
defer in.Close()
+ if ok, err := isProcHandle(in); err != nil {
+ return "", err
+ } else if !ok {
+ return "", fmt.Errorf("%s not on procfs", fpath)
+ }
+
var retval string
if _, err := fmt.Fscanf(in, "%s", &retval); err != nil {
return "", err
@@ -345,6 +359,12 @@ func writeCon(fpath string, val string) error {
}
defer out.Close()
+ if ok, err := isProcHandle(out); err != nil {
+ return err
+ } else if !ok {
+ return fmt.Errorf("%s not on procfs", fpath)
+ }
+
if val != "" {
_, err = out.Write([]byte(val))
} else {
@@ -392,6 +412,14 @@ func SetExecLabel(label string) error {
return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/exec", syscall.Gettid()), label)
}
+/*
+SetTaskLabel sets the SELinux label for the current thread, or an error.
+This requires the dyntransition permission.
+*/
+func SetTaskLabel(label string) error {
+ return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/current", syscall.Gettid()), label)
+}
+
// SetSocketLabel takes a process label and tells the kernel to assign the
// label to the next socket that gets created
func SetSocketLabel(label string) error {
@@ -403,6 +431,11 @@ func SocketLabel() (string, error) {
return readCon(fmt.Sprintf("/proc/self/task/%d/attr/sockcreate", syscall.Gettid()))
}
+// PeerLabel retrieves the label of the client on the other side of a socket
+func PeerLabel(fd uintptr) (string, error) {
+ return unix.GetsockoptString(int(fd), syscall.SOL_SOCKET, syscall.SO_PEERSEC)
+}
+
// SetKeyLabel takes a process label and tells the kernel to assign the
// label to the next kernel keyring that gets created
func SetKeyLabel(label string) error {
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
index 79b005d194c9..0c2e1cd38e79 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
@@ -96,6 +96,14 @@ func SetExecLabel(label string) error {
return nil
}
+/*
+SetTaskLabel sets the SELinux label for the current thread, or an error.
+This requires the dyntransition permission.
+*/
+func SetTaskLabel(label string) error {
+ return nil
+}
+
/*
SetSocketLabel sets the SELinux label that the kernel will use for any programs
that are executed by the current process thread, or an error.
@@ -109,6 +117,11 @@ func SocketLabel() (string, error) {
return "", nil
}
+// PeerLabel retrieves the label of the client on the other side of a socket
+func PeerLabel(fd uintptr) (string, error) {
+ return "", nil
+}
+
// SetKeyLabel takes a process label and tells the kernel to assign the
// label to the next kernel keyring that gets created
func SetKeyLabel(label string) error {
--
2.23.0
++++++ _service ++++++
--- /var/tmp/diff_new_pack.zYiheW/_old 2019-10-23 15:47:17.434463731 +0200
+++ /var/tmp/diff_new_pack.zYiheW/_new 2019-10-23 15:47:17.438463735 +0200
@@ -3,8 +3,8 @@
<param name="url">https://github.com/opencontainers/runc.git</param>
<param name="scm">git</param>
<param name="filename">docker-runc</param>
- <param name="versionformat">git.%H</param>
- <param name="revision">425e105d5a03fabd737a126ad93d62a9eeede87f</param>
+ <param name="versionformat">git.%h</param>
+ <param name="revision">3e425f80a8c931f88e6d94a8c831b9d5aa481657</param>
<param name="exclude">.git</param>
</service>
<service name="recompress" mode="disabled">
++++++ docker-runc-git.425e105d5a03fabd737a126ad93d62a9eeede87f.tar.xz -> docker-runc-git.3e425f80a8c9.tar.xz ++++++
++++ 56267 lines of diff (skipped)