From: Bruce Ashfield <bruce.ashfield@gmail.com>
To: Andrei Gherzan <andrei@gherzan.com>
Cc: meta-virtualization@lists.yoctoproject.org,
Andrei Gherzan <andrei.gherzan@huawei.com>
Subject: Re: [meta-virtualization] [kirkstone][PATCH v2] podman: Patch for CVE-2022-27649
Date: Tue, 30 Aug 2022 21:47:14 -0400 [thread overview]
Message-ID: <20220831014708.GA17114@gmail.com> (raw)
In-Reply-To: <20220826113319.1269257-1-andrei@gherzan.com>
merged!
Bruce
In message: [meta-virtualization] [kirkstone][PATCH v2] podman: Patch for CVE-2022-27649
on 26/08/2022 Andrei Gherzan wrote:
> From: Andrei Gherzan <andrei.gherzan@huawei.com>
>
> Signed-off-by: Andrei Gherzan <andrei.gherzan@huawei.com>
> ---
> .../podman/podman/CVE-2022-27649.patch | 106 ++++++++++++++++++
> recipes-containers/podman/podman_git.bb | 3 +-
> 2 files changed, 108 insertions(+), 1 deletion(-)
> create mode 100644 recipes-containers/podman/podman/CVE-2022-27649.patch
>
> diff --git a/recipes-containers/podman/podman/CVE-2022-27649.patch b/recipes-containers/podman/podman/CVE-2022-27649.patch
> new file mode 100644
> index 0000000..cb786ad
> --- /dev/null
> +++ b/recipes-containers/podman/podman/CVE-2022-27649.patch
> @@ -0,0 +1,106 @@
> +From aafa80918a245edcbdaceb1191d749570f1872d0 Mon Sep 17 00:00:00 2001
> +From: Giuseppe Scrivano <gscrivan@redhat.com>
> +Date: Mon, 28 Feb 2022 09:48:52 +0100
> +Subject: [PATCH] do not set the inheritable capabilities
> +
> +The kernel never sets the inheritable capabilities for a process, they
> +are only set by userspace. Emulate the same behavior.
> +
> +CVE: CVE-2022-27649
> +Upstream-Status: Backport [https://github.com/containers/podman/commit/aafa80918a245edcbdaceb1191d749570f1872d0]
> +Signed-off-by: Andrei Gherzan <andrei.gherzan@huawei.com>
> +---
> + libpod/oci_conmon_exec_linux.go | 7 +++++--
> + pkg/specgen/generate/security.go | 7 +++++--
> + test/e2e/run_test.go | 6 +++---
> + 3 files changed, 13 insertions(+), 7 deletions(-)
> +
> +diff --git a/libpod/oci_conmon_exec_linux.go b/libpod/oci_conmon_exec_linux.go
> +index aa970bbde28..65123b37e6a 100644
> +--- a/libpod/oci_conmon_exec_linux.go
> ++++ b/libpod/oci_conmon_exec_linux.go
> +@@ -758,11 +758,14 @@ func prepareProcessExec(c *Container, options *ExecOptions, env []string, sessio
> + } else {
> + pspec.Capabilities.Bounding = ctrSpec.Process.Capabilities.Bounding
> + }
> ++
> ++ // Always unset the inheritable capabilities similarly to what the Linux kernel does
> ++ // They are used only when using capabilities with uid != 0.
> ++ pspec.Capabilities.Inheritable = []string{}
> ++
> + if execUser.Uid == 0 {
> + pspec.Capabilities.Effective = pspec.Capabilities.Bounding
> +- pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding
> + pspec.Capabilities.Permitted = pspec.Capabilities.Bounding
> +- pspec.Capabilities.Ambient = pspec.Capabilities.Bounding
> + } else {
> + if user == c.config.User {
> + pspec.Capabilities.Effective = ctrSpec.Process.Capabilities.Effective
> +diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
> +index 9c67099054f..988c2983267 100644
> +--- a/pkg/specgen/generate/security.go
> ++++ b/pkg/specgen/generate/security.go
> +@@ -146,6 +146,10 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
> +
> + configSpec := g.Config
> + configSpec.Process.Capabilities.Ambient = []string{}
> ++
> ++ // Always unset the inheritable capabilities similarly to what the Linux kernel does
> ++ // They are used only when using capabilities with uid != 0.
> ++ configSpec.Process.Capabilities.Inheritable = []string{}
> + configSpec.Process.Capabilities.Bounding = caplist
> +
> + user := strings.Split(s.User, ":")[0]
> +@@ -153,7 +157,6 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
> + if (user == "" && s.UserNS.NSMode != specgen.KeepID) || user == "root" || user == "0" {
> + configSpec.Process.Capabilities.Effective = caplist
> + configSpec.Process.Capabilities.Permitted = caplist
> +- configSpec.Process.Capabilities.Inheritable = caplist
> + } else {
> + mergedCaps, err := capabilities.MergeCapabilities(nil, s.CapAdd, nil)
> + if err != nil {
> +@@ -175,12 +178,12 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
> + }
> + configSpec.Process.Capabilities.Effective = userCaps
> + configSpec.Process.Capabilities.Permitted = userCaps
> +- configSpec.Process.Capabilities.Inheritable = userCaps
> +
> + // Ambient capabilities were added to Linux 4.3. Set ambient
> + // capabilities only when the kernel supports them.
> + if supportAmbientCapabilities() {
> + configSpec.Process.Capabilities.Ambient = userCaps
> ++ configSpec.Process.Capabilities.Inheritable = userCaps
> + }
> + }
> +
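Review bot: moving `configSpec.Process.Capabilities.Inheritable = userCaps` under the `if supportAmbientCapabilities()` branch matches the kernel rule that a capability can only be raised into the ambient set when it is already in both the permitted and inheritable sets, but the comment above still only mentions ambient capabilities and Linux 4.3. Extending it to say that Inheritable is populated here solely so the ambient raise can succeed for the non-root user would save the next reader from wondering why a patch titled "do not set the inheritable capabilities" sets them on this line, and why they stay empty on kernels without ambient support.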
> +diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
> +index 91a2eddadf6..f4a6e573355 100644
> +--- a/test/e2e/run_test.go
> ++++ b/test/e2e/run_test.go
> +@@ -498,7 +498,7 @@ var _ = Describe("Podman run", func() {
> + session = podmanTest.Podman([]string{"run", "--rm", "--user", "root", ALPINE, "grep", "CapInh", "/proc/self/status"})
> + session.WaitWithDefaultTimeout()
> + Expect(session).Should(Exit(0))
> +- Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
> ++ Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
> +
> + session = podmanTest.Podman([]string{"run", "--rm", ALPINE, "grep", "CapBnd", "/proc/self/status"})
> + session.WaitWithDefaultTimeout()
> +@@ -533,7 +533,7 @@ var _ = Describe("Podman run", func() {
> + session = podmanTest.Podman([]string{"run", "--user=0:0", "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"})
> + session.WaitWithDefaultTimeout()
> + Expect(session).Should(Exit(0))
> +- Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
> ++ Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
> +
> + if os.Geteuid() > 0 {
> + if os.Getenv("SKIP_USERNS") != "" {
> +@@ -550,7 +550,7 @@ var _ = Describe("Podman run", func() {
> + session = podmanTest.Podman([]string{"run", "--userns=keep-id", "--privileged", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"})
> + session.WaitWithDefaultTimeout()
> + Expect(session).Should(Exit(0))
> +- Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
> ++ Expect(session.OutputToString()).To(ContainSubstring("0000000000000002"))
> +
> + session = podmanTest.Podman([]string{"run", "--userns=keep-id", "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"})
> + session.WaitWithDefaultTimeout()
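Review bot: the third test change flips the `--userns=keep-id --privileged` expectation for CapInh from `0000000000000000` to `0000000000000002`, so that container now has exactly one inheritable bit set (bit 1, CAP_DAC_OVERRIDE) while the two root cases above go to zero. The commit message only says inheritable capabilities are no longer set, so a short comment in the test pointing at the non-root path that now sets Inheritable together with the ambient set would explain where that bit comes from; as written the expectation reads as contradicting the patch title.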
> diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb
> index aedb988..65e0205 100644
> --- a/recipes-containers/podman/podman_git.bb
> +++ b/recipes-containers/podman/podman_git.bb
> @@ -22,7 +22,8 @@ SRC_URI = " \
> git://github.com/containers/libpod.git;branch=v4.0;protocol=https \
> file://0001-Rename-BUILDFLAGS-to-GOBUILDFLAGS.patch;patchdir=src/import \
> file://0002-Define-ActKillThread-equal-to-ActKill.patch;patchdir=src/import/vendor/github.com/seccomp/libseccomp-golang \
> - ${@bb.utils.contains('PACKAGECONFIG', 'rootless', 'file://50-podman-rootless.conf', '', d)} \
> + file://CVE-2022-27649.patch;patchdir=src/import \
> + ${@bb.utils.contains('PACKAGECONFIG', 'rootless', 'file://00-podman-rootless.conf', '', d)} \
> "
>
> LICENSE = "Apache-2.0"
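Review bot: besides adding `file://CVE-2022-27649.patch;patchdir=src/import`, this hunk changes the rootless PACKAGECONFIG line from `file://50-podman-rootless.conf` to `file://00-podman-rootless.conf`. The diffstat lists only two files (the new patch and the recipe), so no conf file is renamed in this commit; unless `00-podman-rootless.conf` already exists in the recipe directory, a rootless build will fail to fetch it. If the rename is intended it belongs in a separate commit with its own explanation; if not, the original `50-` name should be restored.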
> --
> 2.25.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#7573): https://lists.yoctoproject.org/g/meta-virtualization/message/7573
> Mute This Topic: https://lists.yoctoproject.org/mt/93267827/1050810
> Group Owner: meta-virtualization+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
Thread overview: 6+ messages
2022-08-26 11:33 [kirkstone][PATCH v2] podman: Patch for CVE-2022-27649 Andrei Gherzan
2022-08-30 9:29 ` Andrei Gherzan
2022-08-30 13:11 ` [meta-virtualization] " Bruce Ashfield
2022-08-30 13:14 ` Andrei Gherzan
2022-08-31 1:47 ` Bruce Ashfield [this message]
2022-08-31 10:35 ` Andrei Gherzan