#1012723 bullseye-pu: package runc/runc_1.0.0~rc93+ds1-5+deb11u1

#1012723#5
Date:
2022-06-12 21:33:48 UTC
[ Reason ]
In a recent stable update to podman, changes to the seccomp filter were
introduced to allow podman to work with the glibc found in bookworm. See #994451,
#1006138. That update was successful in the sense that it allows running such
containers in the default configuration.

What was overlooked is that podman can run with two competing container runtime
engines: runc and crun. In bullseye, the default runtime is crun, which works
with the updates. However, some users prefer to run with runc, which is the
default in bookworm (and used by docker), and which is currently broken (unless one
disables seccomp filtering completely). See #1012030 for full context.

[ Impact ]
This update backports a necessary upstream patch to allow podman to run with
runc in stable again. Without it, users need to make sure to use crun, or
disable seccomp filtering.

[ Tests ]
There are unit tests and manual functional tests.

[ Risks ]
The functional change is small and easy to review. The majority of changes are
from updates to the unit tests.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

This is the functional code change:
--- a/libcontainer/configs/config.go
+++ b/libcontainer/configs/config.go
@@ -31,9 +31,10 @@
 // for syscalls. Additional architectures can be added by specifying them in
 // Architectures.
 type Seccomp struct {
-	DefaultAction Action     `json:"default_action"`
-	Architectures []string   `json:"architectures"`
-	Syscalls      []*Syscall `json:"syscalls"`
+	DefaultAction   Action     `json:"default_action"`
+	Architectures   []string   `json:"architectures"`
+	Syscalls        []*Syscall `json:"syscalls"`
+	DefaultErrnoRet *uint      `json:"default_errno_ret"`
 }

 // Action is taken upon rule match in Seccomp
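Review bot: the new `DefaultErrnoRet *uint` field carries no doc comment saying when it applies (an errno-returning default action) or what range is valid, and its tag has no `omitempty`, so an unset value is serialised as `"default_errno_ret": null`; nothing in this hunk bounds the value either, although a seccomp return errno must fit in the 16-bit data part of the return value. Suggest a one-line comment on the field and a range check where the config is validated.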
--- a/libcontainer/seccomp/patchbpf/enosys_linux.go
+++ b/libcontainer/seccomp/patchbpf/enosys_linux.go
@@ -523,6 +523,11 @@
 }

 func generatePatch(config *configs.Seccomp) ([]bpf.Instruction, error) {
+	// Patch the generated cBPF only when there is not a defaultErrnoRet set
+	// and it is different from ENOSYS
+	if config.DefaultErrnoRet != nil && *config.DefaultErrnoRet == uint(retErrnoEnosys) {
+		return nil, nil
+	}
 	// We only add the stub if the default action is not permissive.
 	if isAllowAction(config.DefaultAction) {
 		logrus.Debugf("seccomp: skipping -ENOSYS stub filter generation")
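Review bot: the added comment contradicts the condition beneath it. It says the cBPF is patched only when there is no defaultErrnoRet and it differs from ENOSYS, but the code returns early (skips the stub) exactly when `DefaultErrnoRet` is set and equals ENOSYS; suggest `// Skip the -ENOSYS stub when the default action already returns ENOSYS via DefaultErrnoRet.` The allow-action branch right below logs a `logrus.Debugf` when it skips, while this new early return is silent; a matching debug line would keep both skip paths equally diagnosable.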
--- a/libcontainer/seccomp/seccomp_linux.go
+++ b/libcontainer/seccomp/seccomp_linux.go
@@ -39,7 +39,7 @@
 		return errors.New("cannot initialize Seccomp - nil config passed")
 	}

-	defaultAction, err := getAction(config.DefaultAction, nil)
+	defaultAction, err := getAction(config.DefaultAction, config.DefaultErrnoRet)
 	if err != nil {
 		return errors.New("error initializing seccomp - invalid default action")
 	}
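Review bot: `getAction` can now fail because of the errno value as well as the action, but the error returned on the following lines still reads `invalid default action` and discards `err`, so a bad `DefaultErrnoRet` is reported as a bad action. Suggest including the underlying error and widening the message (`invalid default action or errno`), using the package's existing error-wrapping idiom.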
--- a/libcontainer/specconv/spec_linux.go
+++ b/libcontainer/specconv/spec_linux.go
@@ -872,6 +872,7 @@
 		return nil, err
 	}
 	newConfig.DefaultAction = newDefaultAction
+	newConfig.DefaultErrnoRet = config.DefaultErrnoRet

 	// Loop through all syscall blocks and convert them to libcontainer format
 	for _, call := range config.Syscalls {
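Review bot: the pointer is copied straight from the OCI spec with no check that `newDefaultAction` is an action that can carry an errno, so a spec combining a permissive default action with a `defaultErrnoRet` is accepted silently and the value is then never used; either reject that combination next to the existing default-action validation or document that it is ignored. Also, this aliases the spec's `*uint` rather than copying the value, so a later mutation of the spec object changes the container config.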
[ Other info ]
full debdiff attached
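To make the functional change concrete, here is an added Go example (not runc's code and not part of this bug report) that decodes a small OCI seccomp fragment, compares the errno an unpatched bullseye runc used for the default action with the one the patched runc honours, and mirrors the early return added to generatePatch. The type and function names, the list of permissive actions, and the constructed profile JSON are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

const (
	errnoEPERM  uint = 1  // libseccomp's fallback when no errno is configured
	errnoENOSYS uint = 38 // what newer glibc expects for syscalls it probes
)

type ociSeccomp struct {
	DefaultAction   string `json:"defaultAction"`
	DefaultErrnoRet *uint  `json:"defaultErrnoRet,omitempty"`
}

func parseSeccomp(raw string) (cfg ociSeccomp, err error) {
	err = json.Unmarshal([]byte(raw), &cfg)
	return cfg, err
}

// defaultErrno returns the errno seen when a syscall hits an SCMP_ACT_ERRNO default (0 for
// other actions); honour=false models the unpatched runc, which dropped defaultErrnoRet (EPERM).
func defaultErrno(cfg ociSeccomp, honour bool) uint {
	if cfg.DefaultAction != "SCMP_ACT_ERRNO" {
		return 0
	}
	if honour && cfg.DefaultErrnoRet != nil {
		return *cfg.DefaultErrnoRet
	}
	return errnoEPERM
}

// needsEnosysStub mirrors the early return the patch adds to generatePatch: no -ENOSYS
// stub for a permissive default (assumed ALLOW/LOG/TRACE here) or when the default
// action already returns ENOSYS.
func needsEnosysStub(cfg ociSeccomp) bool {
	switch cfg.DefaultAction {
	case "SCMP_ACT_ALLOW", "SCMP_ACT_LOG", "SCMP_ACT_TRACE":
		return false
	}
	return cfg.DefaultErrnoRet == nil || *cfg.DefaultErrnoRet != errnoENOSYS
}

func main() {
	// Constructed input in the shape of the fixed podman seccomp profile.
	cfg, _ := parseSeccomp(`{"defaultAction":"SCMP_ACT_ERRNO","defaultErrnoRet":38}`)
	fmt.Println(defaultErrno(cfg, false), defaultErrno(cfg, true), needsEnosysStub(cfg)) // 1 38 false
}
```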

#1012723#10
Date:
2022-06-13 02:55:32 UTC
Hi,

Could you include the patch for CVE-2022-29162?

https://security-tracker.debian.org/tracker/CVE-2022-29162

If you don't have time, I can work on this later in this week.

#1012723#15
Date:
2022-06-13 11:09:13 UTC
backported as
https://salsa.debian.org/go-team/packages/runc/-/commit/05b0597cb4db36f70c3bf737c87466a740a9eadf
-- builds fine (and thus passes unit tests), still need to test it on a
real machine. Thanks for pointing me to it!

#1012723#20
Date:
2022-06-13 17:12:33 UTC
The Security Tracker says it's not fixed in unstable - is that correct?
If so, that needs addressing first before it can be considered for p-u.

Regards,

Adam

#1012723#25
Date:
2022-06-14 09:51:45 UTC
The tracker is corrected now, the issue was fixed in 1.1.2.

Cheers,
Emilio

#1012723#30
Date:
2022-06-14 12:09:35 UTC
On Tue, Jun 14, 2022 at 5:54 AM Emilio Pozuelo Monfort <pochu@debian.org> wrote:
Thanks, I've tested the new runc and concluded it works fine. The effective
(additional) security patch reads:
--- a/exec.go +++ b/exec.go @@ -193,7 +193,6 @@ if caps := context.StringSlice("cap"); len(caps) > 0 { for _, c := range caps { p.Capabilities.Bounding = append(p.Capabilities.Bounding, c) - p.Capabilities.Inheritable = append(p.Capabilities.Inheritable, c) p.Capabilities.Effective = append(p.Capabilities.Effective, c) p.Capabilities.Permitted = append(p.Capabilities.Permitted, c) p.Capabilities.Ambient = append(p.Capabilities.Ambient, c) --- a/libcontainer/README.md +++ b/libcontainer/README.md @@ -92,22 +92,6 @@ "CAP_KILL", "CAP_AUDIT_WRITE", }, - Inheritable: []string{ - "CAP_CHOWN", - "CAP_DAC_OVERRIDE", - "CAP_FSETID", - "CAP_FOWNER", - "CAP_MKNOD", - "CAP_NET_RAW", - "CAP_SETGID", - "CAP_SETUID", - "CAP_SETFCAP", - "CAP_SETPCAP", - "CAP_NET_BIND_SERVICE", - "CAP_SYS_CHROOT", - "CAP_KILL", - "CAP_AUDIT_WRITE", - }, Permitted: []string{ "CAP_CHOWN", "CAP_DAC_OVERRIDE", --- a/libcontainer/integration/exec_test.go +++ b/libcontainer/integration/exec_test.go @@ -412,7 +412,6 @@ pconfig.Capabilities.Bounding = append(config.Capabilities.Bounding, "CAP_NET_ADMIN") pconfig.Capabilities.Permitted = append(config.Capabilities.Permitted, "CAP_NET_ADMIN") pconfig.Capabilities.Effective = append(config.Capabilities.Effective, "CAP_NET_ADMIN") - pconfig.Capabilities.Inheritable = append(config.Capabilities.Inheritable, "CAP_NET_ADMIN") err = container.Run(&pconfig) ok(t, err) @@ -1593,7 +1592,6 @@ pconfig2.Capabilities.Bounding = append(config.Capabilities.Bounding, "CAP_SYS_ADMIN") pconfig2.Capabilities.Permitted = append(config.Capabilities.Permitted, "CAP_SYS_ADMIN") pconfig2.Capabilities.Effective = append(config.Capabilities.Effective, "CAP_SYS_ADMIN") - pconfig2.Capabilities.Inheritable = append(config.Capabilities.Inheritable, "CAP_SYS_ADMIN") err = container.Run(pconfig2) stdinR2.Close() --- a/libcontainer/integration/template_test.go +++ b/libcontainer/integration/template_test.go 
@@ -69,22 +69,6 @@ "CAP_KILL", "CAP_AUDIT_WRITE", }, - Inheritable: []string{ - "CAP_CHOWN", - "CAP_DAC_OVERRIDE", - "CAP_FSETID", - "CAP_FOWNER", - "CAP_MKNOD", - "CAP_NET_RAW", - "CAP_SETGID", - "CAP_SETUID", - "CAP_SETFCAP", - "CAP_SETPCAP", - "CAP_NET_BIND_SERVICE", - "CAP_SYS_CHROOT", - "CAP_KILL", - "CAP_AUDIT_WRITE", - }, Ambient: []string{ "CAP_CHOWN", "CAP_DAC_OVERRIDE", --- a/libcontainer/specconv/example.go +++ b/libcontainer/specconv/example.go @@ -41,11 +41,6 @@ "CAP_KILL", "CAP_NET_BIND_SERVICE", }, - Inheritable: []string{ - "CAP_AUDIT_WRITE", - "CAP_KILL", - "CAP_NET_BIND_SERVICE", - }, Ambient: []string{ "CAP_AUDIT_WRITE", "CAP_KILL", Full updated debdiff attached to this email
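Review bot: the exec.go hunk stops adding `--cap` entries to the Inheritable set only; it does not touch any other source of capabilities, so the changelog line "do not set inheritable capabilities" should be scoped to `runc exec --cap`. The two exec_test.go hunks merely delete the Inheritable appends and add no assertion, so the suite would still pass if that line were reintroduced; suggest a test that starts a process with an added capability and asserts its inheritable set stays empty (for example by reading CapInh from /proc/self/status inside the container). The README.md, template_test.go and example.go hunks are documentation and example-config cleanups and carry no behavioural change.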
#1012723#35
Date:
2022-06-18 12:32:11 UTC
package release.debian.org
tags 1012723 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==============

Package: runc
Version: 1.0.0~rc93+ds1-5+deb11u1

Explanation: honour seccomp defaultErrnoRet

#1012723#40
Date:
2022-06-18 12:32:19 UTC
package release.debian.org
tags 1012723 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==============

Package: runc
Version: 1.0.0~rc93+ds1-5+deb11u2

Explanation: honour seccomp defaultErrnoRet; do not set inheritable capabilities [CVE-2022-29162]

#1012723#53
Date:
2022-07-09 10:47:43 UTC
(re-sending with fixed bug numbers)

Hi,

The updates discussed in these bugs were included in today's bullseye
point release.

Regards,

Adam