* [meta-virtualization][kirkstone][PATCH 2/5] buildah: add seccomp and ipv6 to REQUIRED_DISTRO_FEATURES
From: Qi.Chen @ 2025-01-22 8:28 UTC (permalink / raw)
To: meta-virtualization
From: Martin Jansa <Martin.Jansa@gmail.com>
* because it rdepends on podman with the same restriction
* BTW: .gitignore has:
build*/
which gets triggered for buildah as well:
meta-virtualization $ git add ./recipes-containers/buildah/buildah_git.bb
The following paths are ignored by one of your .gitignore files:
recipes-containers/buildah
I've adjusted it to /build*/ only.
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
.gitignore | 2 +-
recipes-containers/buildah/buildah_git.bb | 4 ++++
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/.gitignore b/.gitignore
index a61332ef..daeb43d5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,4 @@
-build*/
+/build*/
pyshtables.py
*.swp
*.orig
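Review bot: anchoring the pattern as /build*/ limits it to top-level directories, which is the right fix for the false match on recipes-containers/buildah described in the commit message; note that it no longer ignores nested build directories such as some-layer/build/, so anyone who relied on the old broader match will see those reappear as untracked files.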
diff --git a/recipes-containers/buildah/buildah_git.bb b/recipes-containers/buildah/buildah_git.bb
index 9e074415..1c33291a 100644
--- a/recipes-containers/buildah/buildah_git.bb
+++ b/recipes-containers/buildah/buildah_git.bb
@@ -16,6 +16,10 @@ inherit go
inherit goarch
inherit pkgconfig
+# Rdepends on podman which needs seccomp and ipv6
+inherit features_check
+REQUIRED_DISTRO_FEATURES = "seccomp ipv6"
+
GO_IMPORT = "github.com/containers/buildah"
GO_INSTALL = "${GO_IMPORT}"
GO_WORKDIR = "${GO_INSTALL}"
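Review bot: the REQUIRED_DISTRO_FEATURES value should stay in step with podman's, since the comment gives the podman runtime dependency as the only reason for it; with features_check inherited the recipe is skipped at parse time with a clear message when the distro lacks seccomp or ipv6, instead of failing later at rootfs time on the podman dependency. Spelling the comment "RDEPENDS" to match the variable name would also help grepping.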
--
2.25.1
* [meta-virtualization][kirkstone][PATCH 3/5] buildah: fix CVE-2024-9676
From: Qi.Chen @ 2025-01-22 8:28 UTC (permalink / raw)
To: meta-virtualization
From: Chen Qi <Qi.Chen@windriver.com>
Backport patch to fix CVE-2024-9676.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
recipes-containers/buildah/buildah_git.bb | 1 +
...SecureJoin-when-forming-userns-paths.patch | 191 ++++++++++++++++++
2 files changed, 192 insertions(+)
create mode 100644 recipes-containers/buildah/files/0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
diff --git a/recipes-containers/buildah/buildah_git.bb b/recipes-containers/buildah/buildah_git.bb
index 1c33291a..45d7b31d 100644
--- a/recipes-containers/buildah/buildah_git.bb
+++ b/recipes-containers/buildah/buildah_git.bb
@@ -27,6 +27,7 @@ GOBUILDFLAGS += "-mod vendor"
SRC_URI = " \
git://github.com/containers/buildah;branch=release-1.26;name=buildah;protocol=https \
+ file://0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch;patchdir=src/github.com/containers/buildah/vendor/github.com/containers/storage \
"
DEPENDS = "libdevmapper btrfs-tools gpgme"
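Review bot: the patchdir applies the fix to the vendored copy of containers/storage under src/github.com/containers/buildah/vendor, so it is tied to this exact SRCREV and has to be re-checked on the next buildah bump. The nested patch also adds imports of github.com/cyphar/filepath-securejoin and golang.org/x/sys/unix; with GOBUILDFLAGS += "-mod vendor" (visible in the hunk header) the build fails if either package is missing from vendor/modules.txt, so confirm both are already vendored by buildah 1.26.8.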
diff --git a/recipes-containers/buildah/files/0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch b/recipes-containers/buildah/files/0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
new file mode 100644
index 00000000..d2e3dbbd
--- /dev/null
+++ b/recipes-containers/buildah/files/0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
@@ -0,0 +1,191 @@
+From b92233f24f22bc509e2f9fad2dc67f49e482f363 Mon Sep 17 00:00:00 2001
+From: Matt Heon <mheon@redhat.com>
+Date: Wed, 9 Oct 2024 09:54:22 -0400
+Subject: [PATCH] Use securejoin.SecureJoin when forming userns paths
+
+We need to read /etc/passwd and /etc/group in the container to
+get an idea of how many UIDs and GIDs we need to allocate for a
+user namespace when `--userns=auto` is specified. We were forming
+paths for these using filepath.Join, which is not safe for paths
+within a container, resulting in this CVE allowing crafted
+symlinks in the container to access paths on the host instead.
+
+Cherry-pick conflict fixed for v1.51 branch, and converted to use
+the old securejoin API (securejoin.SecureJoin and then os.Open)
+as this branch is too old to have the new API.
+
+Addresses CVE-2024-9676
+
+Signed-off-by: Matt Heon <mheon@redhat.com>
+
+CVE: CVE-2024-9676
+
+Upstream-Status: Backport [0dc4fc9bb826e08b6e25af0af6a296ac172b5e15]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ userns.go | 93 ++++++++++++++++++++++++++++++-------------
+ userns_unsupported.go | 14 +++++++
+ 2 files changed, 80 insertions(+), 27 deletions(-)
+ create mode 100644 userns_unsupported.go
+
+diff --git a/userns.go b/userns.go
+index e0e530275..bea2a9520 100644
+--- a/userns.go
++++ b/userns.go
+@@ -1,18 +1,21 @@
++//go:build linux
++
+ package storage
+
+ import (
+ "fmt"
+ "os"
+ "os/user"
+- "path/filepath"
+ "strconv"
+
+ drivers "github.com/containers/storage/drivers"
+ "github.com/containers/storage/pkg/idtools"
+ "github.com/containers/storage/pkg/unshare"
+ "github.com/containers/storage/types"
++ securejoin "github.com/cyphar/filepath-securejoin"
+ libcontainerUser "github.com/opencontainers/runc/libcontainer/user"
+ "github.com/sirupsen/logrus"
++ "golang.org/x/sys/unix"
+ )
+
+ // getAdditionalSubIDs looks up the additional IDs configured for
+@@ -78,43 +81,63 @@ func (s *store) getAvailableIDs() (*idSet, *idSet, error) {
+ return u, g, nil
+ }
+
++const nobodyUser = 65534
+ // parseMountedFiles returns the maximum UID and GID found in the /etc/passwd and
+ // /etc/group files.
+ func parseMountedFiles(containerMount, passwdFile, groupFile string) uint32 {
++ var (
++ passwd *os.File
++ group *os.File
++ size int
++ err error
++ )
+ if passwdFile == "" {
+- passwdFile = filepath.Join(containerMount, "etc/passwd")
+- }
+- if groupFile == "" {
+- groupFile = filepath.Join(groupFile, "etc/group")
++ passwd, err = secureOpen(containerMount, "/etc/passwd")
++ } else {
++ // User-specified override from a volume. Will not be in
++ // container root.
++ passwd, err = os.Open(passwdFile)
+ }
+-
+- size := 0
+-
+- users, err := libcontainerUser.ParsePasswdFile(passwdFile)
+ if err == nil {
+- for _, u := range users {
+- // Skip the "nobody" user otherwise we end up with 65536
+- // ids with most images
+- if u.Name == "nobody" {
+- continue
+- }
+- if u.Uid > size {
+- size = u.Uid
+- }
+- if u.Gid > size {
+- size = u.Gid
++ defer passwd.Close()
++
++ users, err := libcontainerUser.ParsePasswd(passwd)
++ if err == nil {
++ for _, u := range users {
++ // Skip the "nobody" user otherwise we end up with 65536
++ // ids with most images
++ if u.Name == "nobody" || u.Name == "nogroup" {
++ continue
++ }
++ if u.Uid > size && u.Uid != nobodyUser {
++ size = u.Uid + 1
++ }
++ if u.Gid > size && u.Gid != nobodyUser {
++ size = u.Gid + 1
++ }
+ }
+ }
+ }
+
+- groups, err := libcontainerUser.ParseGroupFile(groupFile)
++ if groupFile == "" {
++ group, err = secureOpen(containerMount, "/etc/group")
++ } else {
++ // User-specified override from a volume. Will not be in
++ // container root.
++ group, err = os.Open(groupFile)
++ }
+ if err == nil {
+- for _, g := range groups {
+- if g.Name == "nobody" {
+- continue
+- }
+- if g.Gid > size {
+- size = g.Gid
++ defer group.Close()
++
++ groups, err := libcontainerUser.ParseGroup(group)
++ if err == nil {
++ for _, g := range groups {
++ if g.Name == "nobody" || g.Name == "nogroup" {
++ continue
++ }
++ if g.Gid > size && g.Gid != nobodyUser {
++ size = g.Gid + 1
++ }
+ }
+ }
+ }
+@@ -300,3 +323,19 @@ func getAutoUserNSIDMappings(
+ gidMap := append(availableGIDs.zip(requestedContainerGIDs), additionalGIDMappings...)
+ return uidMap, gidMap, nil
+ }
++
++// Securely open (read-only) a file in a container mount.
++func secureOpen(containerMount, file string) (*os.File, error) {
++ filePath, err := securejoin.SecureJoin(containerMount, file)
++ if err != nil {
++ return nil, err
++ }
++
++ flags := unix.O_PATH | unix.O_CLOEXEC | unix.O_RDONLY
++ fileHandle, err := os.OpenFile(filePath, flags, 0)
++ if err != nil {
++ return nil, err
++ }
++
++ return fileHandle, nil
++}
+diff --git a/userns_unsupported.go b/userns_unsupported.go
+new file mode 100644
+index 000000000..e37c18fe4
+--- /dev/null
++++ b/userns_unsupported.go
+@@ -0,0 +1,14 @@
++//go:build !linux
++
++package storage
++
++import (
++ "errors"
++
++ "github.com/containers/storage/pkg/idtools"
++ "github.com/containers/storage/types"
++)
++
++func (s *store) getAutoUserNS(_ *types.AutoUserNsOptions, _ *Image, _ rwLayerStore, _ []roLayerStore) ([]idtools.IDMap, []idtools.IDMap, error) {
++ return nil, nil, errors.New("user namespaces are not supported on this platform")
++}
+--
+2.25.1
+
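Review bot: the new secureOpen in the nested userns.go hunk opens the resolved path with unix.O_PATH | unix.O_CLOEXEC | unix.O_RDONLY, but an O_PATH descriptor cannot be read (read(2) on it fails with EBADF), so libcontainerUser.ParsePasswd(passwd) and ParseGroup(group) will return an error that the surrounding `if err == nil` blocks silently discard, leaving size at 0 for every image. The commit text says the intent for this old-API backport is "securejoin.SecureJoin and then os.Open", i.e. a plain read-only open, so drop unix.O_PATH and open with unix.O_RDONLY|unix.O_CLOEXEC (unix.O_NOFOLLOW additionally refuses a symlink swapped in after SecureJoin resolved the path), and add a test that parseMountedFiles returns a non-zero size for an ordinary rootfs.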
--
2.25.1
* [meta-virtualization][kirkstone][PATCH 4/5] cri-o: fix CVE-2024-9676
From: Qi.Chen @ 2025-01-22 8:28 UTC (permalink / raw)
To: meta-virtualization
From: Chen Qi <Qi.Chen@windriver.com>
Backport patch to fix CVE-2024-9676.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
recipes-containers/cri-o/cri-o_git.bb | 1 +
...SecureJoin-when-forming-userns-paths.patch | 191 ++++++++++++++++++
2 files changed, 192 insertions(+)
create mode 100644 recipes-containers/cri-o/files/0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
diff --git a/recipes-containers/cri-o/cri-o_git.bb b/recipes-containers/cri-o/cri-o_git.bb
index d74a17fc..429c49a7 100644
--- a/recipes-containers/cri-o/cri-o_git.bb
+++ b/recipes-containers/cri-o/cri-o_git.bb
@@ -19,6 +19,7 @@ SRC_URI = "\
git://github.com/kubernetes-sigs/cri-o.git;branch=release-1.23;name=cri-o;protocol=https \
file://0001-Makefile-force-symlinks.patch \
file://crio.conf \
+ file://0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch;patchdir=src/import/vendor/github.com/containers/storage \
"
# Apache-2.0 for docker
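Review bot: the patchdir here is src/import/vendor/github.com/containers/storage, a different layout from the buildah recipe's src/github.com/... tree, so double-check it resolves against the cri-o release-1.23 checkout; the same vendoring caveat applies: the nested patch adds imports of github.com/cyphar/filepath-securejoin and golang.org/x/sys/unix, which must already be present in cri-o's vendor/modules.txt if the build runs with -mod vendor.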
diff --git a/recipes-containers/cri-o/files/0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch b/recipes-containers/cri-o/files/0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
new file mode 100644
index 00000000..1cb7eb0e
--- /dev/null
+++ b/recipes-containers/cri-o/files/0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
@@ -0,0 +1,191 @@
+From 03aff6270b389f27bc1edc4985dab753a38e7c7b Mon Sep 17 00:00:00 2001
+From: Matt Heon <mheon@redhat.com>
+Date: Wed, 9 Oct 2024 09:54:22 -0400
+Subject: [PATCH] Use securejoin.SecureJoin when forming userns paths
+
+We need to read /etc/passwd and /etc/group in the container to
+get an idea of how many UIDs and GIDs we need to allocate for a
+user namespace when `--userns=auto` is specified. We were forming
+paths for these using filepath.Join, which is not safe for paths
+within a container, resulting in this CVE allowing crafted
+symlinks in the container to access paths on the host instead.
+
+Cherry-pick conflict fixed for v1.51 branch, and converted to use
+the old securejoin API (securejoin.SecureJoin and then os.Open)
+as this branch is too old to have the new API.
+
+Addresses CVE-2024-9676
+
+Signed-off-by: Matt Heon <mheon@redhat.com>
+
+Upstream-Status: Backport [0dc4fc9bb826e08b6e25af0af6a296ac172b5e15]
+
+CVE: CVE-2024-9676
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ userns.go | 93 ++++++++++++++++++++++++++++++-------------
+ userns_unsupported.go | 14 +++++++
+ 2 files changed, 80 insertions(+), 27 deletions(-)
+ create mode 100644 userns_unsupported.go
+
+diff --git a/userns.go b/userns.go
+index 523c92dc8..c234414ef 100644
+--- a/userns.go
++++ b/userns.go
+@@ -1,18 +1,21 @@
++//go:build linux
++
+ package storage
+
+ import (
+ "os"
+ "os/user"
+- "path/filepath"
+ "strconv"
+
+ drivers "github.com/containers/storage/drivers"
+ "github.com/containers/storage/pkg/idtools"
+ "github.com/containers/storage/pkg/unshare"
+ "github.com/containers/storage/types"
++ securejoin "github.com/cyphar/filepath-securejoin"
+ libcontainerUser "github.com/opencontainers/runc/libcontainer/user"
+ "github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
++ "golang.org/x/sys/unix"
+ )
+
+ // getAdditionalSubIDs looks up the additional IDs configured for
+@@ -78,43 +81,63 @@ func (s *store) getAvailableIDs() (*idSet, *idSet, error) {
+ return u, g, nil
+ }
+
++const nobodyUser = 65534
+ // parseMountedFiles returns the maximum UID and GID found in the /etc/passwd and
+ // /etc/group files.
+ func parseMountedFiles(containerMount, passwdFile, groupFile string) uint32 {
++ var (
++ passwd *os.File
++ group *os.File
++ size int
++ err error
++ )
+ if passwdFile == "" {
+- passwdFile = filepath.Join(containerMount, "etc/passwd")
+- }
+- if groupFile == "" {
+- groupFile = filepath.Join(groupFile, "etc/group")
++ passwd, err = secureOpen(containerMount, "/etc/passwd")
++ } else {
++ // User-specified override from a volume. Will not be in
++ // container root.
++ passwd, err = os.Open(passwdFile)
+ }
+-
+- size := 0
+-
+- users, err := libcontainerUser.ParsePasswdFile(passwdFile)
+ if err == nil {
+- for _, u := range users {
+- // Skip the "nobody" user otherwise we end up with 65536
+- // ids with most images
+- if u.Name == "nobody" {
+- continue
+- }
+- if u.Uid > size {
+- size = u.Uid
+- }
+- if u.Gid > size {
+- size = u.Gid
++ defer passwd.Close()
++
++ users, err := libcontainerUser.ParsePasswd(passwd)
++ if err == nil {
++ for _, u := range users {
++ // Skip the "nobody" user otherwise we end up with 65536
++ // ids with most images
++ if u.Name == "nobody" || u.Name == "nogroup" {
++ continue
++ }
++ if u.Uid > size && u.Uid != nobodyUser {
++ size = u.Uid + 1
++ }
++ if u.Gid > size && u.Gid != nobodyUser {
++ size = u.Gid + 1
++ }
+ }
+ }
+ }
+
+- groups, err := libcontainerUser.ParseGroupFile(groupFile)
++ if groupFile == "" {
++ group, err = secureOpen(containerMount, "/etc/group")
++ } else {
++ // User-specified override from a volume. Will not be in
++ // container root.
++ group, err = os.Open(groupFile)
++ }
+ if err == nil {
+- for _, g := range groups {
+- if g.Name == "nobody" {
+- continue
+- }
+- if g.Gid > size {
+- size = g.Gid
++ defer group.Close()
++
++ groups, err := libcontainerUser.ParseGroup(group)
++ if err == nil {
++ for _, g := range groups {
++ if g.Name == "nobody" || g.Name == "nogroup" {
++ continue
++ }
++ if g.Gid > size && g.Gid != nobodyUser {
++ size = g.Gid + 1
++ }
+ }
+ }
+ }
+@@ -300,3 +323,19 @@ func getAutoUserNSIDMappings(
+ gidMap := append(availableGIDs.zip(requestedContainerGIDs), additionalGIDMappings...)
+ return uidMap, gidMap, nil
+ }
++
++// Securely open (read-only) a file in a container mount.
++func secureOpen(containerMount, file string) (*os.File, error) {
++ filePath, err := securejoin.SecureJoin(containerMount, file)
++ if err != nil {
++ return nil, err
++ }
++
++ flags := unix.O_PATH | unix.O_CLOEXEC | unix.O_RDONLY
++ fileHandle, err := os.OpenFile(filePath, flags, 0)
++ if err != nil {
++ return nil, err
++ }
++
++ return fileHandle, nil
++}
+diff --git a/userns_unsupported.go b/userns_unsupported.go
+new file mode 100644
+index 000000000..e37c18fe4
+--- /dev/null
++++ b/userns_unsupported.go
+@@ -0,0 +1,14 @@
++//go:build !linux
++
++package storage
++
++import (
++ "errors"
++
++ "github.com/containers/storage/pkg/idtools"
++ "github.com/containers/storage/types"
++)
++
++func (s *store) getAutoUserNS(_ *types.AutoUserNsOptions, _ *Image, _ rwLayerStore, _ []roLayerStore) ([]idtools.IDMap, []idtools.IDMap, error) {
++ return nil, nil, errors.New("user namespaces are not supported on this platform")
++}
+--
+2.25.1
+
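Review bot: in the nested parseMountedFiles hunk, `users, err := libcontainerUser.ParsePasswd(passwd)` shadows the outer err, and a parse failure (or a failed secureOpen before it) simply falls out of the `if err == nil` block, so an unreadable or malformed /etc/passwd or /etc/group silently yields size 0 with no trace in the logs. logrus is already imported in this file; a logrus.Debugf on each of those error paths would make a wrong auto userns size diagnosable in the field.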
--
2.25.1
* [meta-virtualization][kirkstone][PATCH 5/5] podman: fix CVE-2024-9676
From: Qi.Chen @ 2025-01-22 8:28 UTC (permalink / raw)
To: meta-virtualization
From: Chen Qi <Qi.Chen@windriver.com>
Backport patch to fix CVE-2024-9676.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
...SecureJoin-when-forming-userns-paths.patch | 191 ++++++++++++++++++
recipes-containers/podman/podman_git.bb | 1 +
2 files changed, 192 insertions(+)
create mode 100644 recipes-containers/podman/podman/0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
diff --git a/recipes-containers/podman/podman/0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch b/recipes-containers/podman/podman/0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
new file mode 100644
index 00000000..1cb7eb0e
--- /dev/null
+++ b/recipes-containers/podman/podman/0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
@@ -0,0 +1,191 @@
+From 03aff6270b389f27bc1edc4985dab753a38e7c7b Mon Sep 17 00:00:00 2001
+From: Matt Heon <mheon@redhat.com>
+Date: Wed, 9 Oct 2024 09:54:22 -0400
+Subject: [PATCH] Use securejoin.SecureJoin when forming userns paths
+
+We need to read /etc/passwd and /etc/group in the container to
+get an idea of how many UIDs and GIDs we need to allocate for a
+user namespace when `--userns=auto` is specified. We were forming
+paths for these using filepath.Join, which is not safe for paths
+within a container, resulting in this CVE allowing crafted
+symlinks in the container to access paths on the host instead.
+
+Cherry-pick conflict fixed for v1.51 branch, and converted to use
+the old securejoin API (securejoin.SecureJoin and then os.Open)
+as this branch is too old to have the new API.
+
+Addresses CVE-2024-9676
+
+Signed-off-by: Matt Heon <mheon@redhat.com>
+
+Upstream-Status: Backport [0dc4fc9bb826e08b6e25af0af6a296ac172b5e15]
+
+CVE: CVE-2024-9676
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ userns.go | 93 ++++++++++++++++++++++++++++++-------------
+ userns_unsupported.go | 14 +++++++
+ 2 files changed, 80 insertions(+), 27 deletions(-)
+ create mode 100644 userns_unsupported.go
+
+diff --git a/userns.go b/userns.go
+index 523c92dc8..c234414ef 100644
+--- a/userns.go
++++ b/userns.go
+@@ -1,18 +1,21 @@
++//go:build linux
++
+ package storage
+
+ import (
+ "os"
+ "os/user"
+- "path/filepath"
+ "strconv"
+
+ drivers "github.com/containers/storage/drivers"
+ "github.com/containers/storage/pkg/idtools"
+ "github.com/containers/storage/pkg/unshare"
+ "github.com/containers/storage/types"
++ securejoin "github.com/cyphar/filepath-securejoin"
+ libcontainerUser "github.com/opencontainers/runc/libcontainer/user"
+ "github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
++ "golang.org/x/sys/unix"
+ )
+
+ // getAdditionalSubIDs looks up the additional IDs configured for
+@@ -78,43 +81,63 @@ func (s *store) getAvailableIDs() (*idSet, *idSet, error) {
+ return u, g, nil
+ }
+
++const nobodyUser = 65534
+ // parseMountedFiles returns the maximum UID and GID found in the /etc/passwd and
+ // /etc/group files.
+ func parseMountedFiles(containerMount, passwdFile, groupFile string) uint32 {
++ var (
++ passwd *os.File
++ group *os.File
++ size int
++ err error
++ )
+ if passwdFile == "" {
+- passwdFile = filepath.Join(containerMount, "etc/passwd")
+- }
+- if groupFile == "" {
+- groupFile = filepath.Join(groupFile, "etc/group")
++ passwd, err = secureOpen(containerMount, "/etc/passwd")
++ } else {
++ // User-specified override from a volume. Will not be in
++ // container root.
++ passwd, err = os.Open(passwdFile)
+ }
+-
+- size := 0
+-
+- users, err := libcontainerUser.ParsePasswdFile(passwdFile)
+ if err == nil {
+- for _, u := range users {
+- // Skip the "nobody" user otherwise we end up with 65536
+- // ids with most images
+- if u.Name == "nobody" {
+- continue
+- }
+- if u.Uid > size {
+- size = u.Uid
+- }
+- if u.Gid > size {
+- size = u.Gid
++ defer passwd.Close()
++
++ users, err := libcontainerUser.ParsePasswd(passwd)
++ if err == nil {
++ for _, u := range users {
++ // Skip the "nobody" user otherwise we end up with 65536
++ // ids with most images
++ if u.Name == "nobody" || u.Name == "nogroup" {
++ continue
++ }
++ if u.Uid > size && u.Uid != nobodyUser {
++ size = u.Uid + 1
++ }
++ if u.Gid > size && u.Gid != nobodyUser {
++ size = u.Gid + 1
++ }
+ }
+ }
+ }
+
+- groups, err := libcontainerUser.ParseGroupFile(groupFile)
++ if groupFile == "" {
++ group, err = secureOpen(containerMount, "/etc/group")
++ } else {
++ // User-specified override from a volume. Will not be in
++ // container root.
++ group, err = os.Open(groupFile)
++ }
+ if err == nil {
+- for _, g := range groups {
+- if g.Name == "nobody" {
+- continue
+- }
+- if g.Gid > size {
+- size = g.Gid
++ defer group.Close()
++
++ groups, err := libcontainerUser.ParseGroup(group)
++ if err == nil {
++ for _, g := range groups {
++ if g.Name == "nobody" || g.Name == "nogroup" {
++ continue
++ }
++ if g.Gid > size && g.Gid != nobodyUser {
++ size = g.Gid + 1
++ }
+ }
+ }
+ }
+@@ -300,3 +323,19 @@ func getAutoUserNSIDMappings(
+ gidMap := append(availableGIDs.zip(requestedContainerGIDs), additionalGIDMappings...)
+ return uidMap, gidMap, nil
+ }
++
++// Securely open (read-only) a file in a container mount.
++func secureOpen(containerMount, file string) (*os.File, error) {
++ filePath, err := securejoin.SecureJoin(containerMount, file)
++ if err != nil {
++ return nil, err
++ }
++
++ flags := unix.O_PATH | unix.O_CLOEXEC | unix.O_RDONLY
++ fileHandle, err := os.OpenFile(filePath, flags, 0)
++ if err != nil {
++ return nil, err
++ }
++
++ return fileHandle, nil
++}
+diff --git a/userns_unsupported.go b/userns_unsupported.go
+new file mode 100644
+index 000000000..e37c18fe4
+--- /dev/null
++++ b/userns_unsupported.go
+@@ -0,0 +1,14 @@
++//go:build !linux
++
++package storage
++
++import (
++ "errors"
++
++ "github.com/containers/storage/pkg/idtools"
++ "github.com/containers/storage/types"
++)
++
++func (s *store) getAutoUserNS(_ *types.AutoUserNsOptions, _ *Image, _ rwLayerStore, _ []roLayerStore) ([]idtools.IDMap, []idtools.IDMap, error) {
++ return nil, nil, errors.New("user namespaces are not supported on this platform")
++}
+--
+2.25.1
+
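Review bot: this file is byte-identical to the cri-o copy (both carry blob index 1cb7eb0e), and it has the same problem in secureOpen: opening with unix.O_PATH | unix.O_CLOEXEC | unix.O_RDONLY yields a descriptor that cannot be read, so the ParsePasswd/ParseGroup calls fed from it fail and the size computation quietly degrades to 0. The commit text describes the intended behaviour as SecureJoin followed by os.Open, a plain read-only open, so unix.O_PATH should be dropped here as well.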
diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb
index 09bf8270..6d9e4749 100644
--- a/recipes-containers/podman/podman_git.bb
+++ b/recipes-containers/podman/podman_git.bb
@@ -23,6 +23,7 @@ SRC_URI = " \
file://0001-Rename-BUILDFLAGS-to-GOBUILDFLAGS.patch;patchdir=src/import \
file://0002-Define-ActKillThread-equal-to-ActKill.patch;patchdir=src/import/vendor/github.com/seccomp/libseccomp-golang \
file://CVE-2022-27649.patch;patchdir=src/import \
+ file://0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch;patchdir=src/import/vendor/github.com/containers/storage \
${@bb.utils.contains('PACKAGECONFIG', 'rootless', 'file://50-podman-rootless.conf', '', d)} \
"
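Review bot: the series now carries three copies of 0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch (buildah, cri-o and podman, the last two byte-identical); keeping one copy in a shared directory added via FILESEXTRAPATHS:prepend, or at least cross-referencing the copies in the commit messages, avoids them drifting apart when one is corrected.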
--
2.25.1
* Re: [meta-virtualization][kirkstone][PATCH 1/5] buildah: update to 1.26.8
From: Bruce Ashfield @ 2025-01-30 18:54 UTC (permalink / raw)
To: Qi.Chen; +Cc: meta-virtualization
merged.
Bruce
In message: [meta-virtualization][kirkstone][PATCH 1/5] buildah: update to 1.26.8
on 22/01/2025 Chen Qi via lists.yoctoproject.org wrote:
> From: Chen Qi <Qi.Chen@windriver.com>
>
> Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> ---
> recipes-containers/buildah/buildah_git.bb | 7 +++----
> 1 file changed, 3 insertions(+), 4 deletions(-)
>
> diff --git a/recipes-containers/buildah/buildah_git.bb b/recipes-containers/buildah/buildah_git.bb
> index 024e82c1..9e074415 100644
> --- a/recipes-containers/buildah/buildah_git.bb
> +++ b/recipes-containers/buildah/buildah_git.bb
> @@ -8,10 +8,9 @@ LIC_FILES_CHKSUM = "file://src/github.com/containers/buildah/LICENSE;md5=e3fc50a
>
> S = "${WORKDIR}/git"
>
> -BUILDAH_VERSION = "1.26"
> -SRCREV_buildah = "0a9d6e6eaef2e2e7936313d449a4e226022eb865"
> +SRCREV_buildah = "e2feca77516568553dc1318019cea90ae000e0f3"
>
> -PV = "${BUILDAH_VERSION}"
> +PV = "1.26.8"
>
> inherit go
> inherit goarch
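Review bot: dropping BUILDAH_VERSION leaves the release branch (release-1.26 in the SRC_URI hunk) and PV = "1.26.8" as two separately hardcoded values that have to be bumped together; keeping BUILDAH_VERSION = "1.26" and deriving both the branch and PV from it (for example PV = "${BUILDAH_VERSION}.8") would avoid a mismatch on the next update. The commit message should also state why the variable was removed.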
> @@ -23,7 +22,7 @@ GO_WORKDIR = "${GO_INSTALL}"
> GOBUILDFLAGS += "-mod vendor"
>
> SRC_URI = " \
> - git://github.com/containers/buildah;branch=release-${BUILDAH_VERSION};name=buildah;protocol=https \
> + git://github.com/containers/buildah;branch=release-1.26;name=buildah;protocol=https \
> "
>
> DEPENDS = "libdevmapper btrfs-tools gpgme"
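Review bot: branch=release-1.26 is now a literal in SRC_URI rather than derived from a variable, so it must be kept in step with PV by hand; a comment next to it naming the tag the new SRCREV corresponds to (v1.26.8) would make the next bump less error-prone.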
> --
> 2.25.1