- Package:
- release.debian.org
- Source:
- release.debian.org
- Submitter:
- Reinhard Tartler
- Date:
- 2022-07-09 10:53:05 UTC
- Severity:
- normal
- Tags:
[ Reason ]
In a recent stable update to podman, changes to the seccomp filter were
introduced to allow podman to work with the glibc found in bookworm. See #994451,
#1006138. That update was successful in the sense that it allows running such
containers in the default configuration.
What was overlooked is that podman can run with two competing container runtime
engines: runc and crun. In bullseye, the default runtime is crun, which works
with the updates. However, some users prefer to run with runc, which is the
default in bookworm (and used by docker), and which is currently broken (unless one
disables seccomp filtering completely). See #1012030 for full context.
[ Impact ]
This update backports a necessary upstream patch to allow podman to run with
runc in stable again. Without it, users need to make sure to use crun, or
disable seccomp filtering.
[ Tests ]
There are unit tests and manual functional tests.
[ Risks ]
The functional change is small and easy to review. The majority of changes are
from updates to the unit tests.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
This is the functional code change:
--- a/libcontainer/configs/config.go
+++ b/libcontainer/configs/config.go
@@ -31,9 +31,10 @@
// for syscalls. Additional architectures can be added by specifying them in
// Architectures.
type Seccomp struct {
- DefaultAction Action `json:"default_action"`
- Architectures []string `json:"architectures"`
- Syscalls []*Syscall `json:"syscalls"`
+ DefaultAction Action `json:"default_action"`
+ Architectures []string `json:"architectures"`
+ Syscalls []*Syscall `json:"syscalls"`
+ DefaultErrnoRet *uint `json:"default_errno_ret"`
}
// Action is taken upon rule match in Seccomp
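Review bot: the new DefaultErrnoRet field is added to Seccomp without extending the struct's doc comment, which still describes only the existing fields; add a line stating that it is the errno returned when DefaultAction is an errno-style action and that nil keeps the previous fallback behaviour. The `json:"default_errno_ret"` tag has no omitempty, so a nil pointer serialises as null; that matches the neighbouring fields, but any consumer of the serialised config should be checked for how it treats null here.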
--- a/libcontainer/seccomp/patchbpf/enosys_linux.go
+++ b/libcontainer/seccomp/patchbpf/enosys_linux.go
@@ -523,6 +523,11 @@
}
func generatePatch(config *configs.Seccomp) ([]bpf.Instruction, error) {
+ // Patch the generated cBPF only when there is not a defaultErrnoRet set
+ // and it is different from ENOSYS
+ if config.DefaultErrnoRet != nil && *config.DefaultErrnoRet == uint(retErrnoEnosys) {
+ return nil, nil
+ }
// We only add the stub if the default action is not permissive.
if isAllowAction(config.DefaultAction) {
logrus.Debugf("seccomp: skipping -ENOSYS stub filter generation")
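Review bot: the comment above the new check reads "only when there is not a defaultErrnoRet set and it is different from ENOSYS", which is the inverse of what the condition does: it returns early (skips generating the stub) exactly when DefaultErrnoRet is set and equals ENOSYS. Reword to something like "skip the -ENOSYS stub when defaultErrnoRet is already ENOSYS, since the default action then returns ENOSYS anyway". The comparison `*config.DefaultErrnoRet == uint(retErrnoEnosys)` also assumes retErrnoEnosys is a bare errno number in the same units as DefaultErrnoRet; if it carries seccomp return-action bits, the equality can never hold and the stub is always generated. A unit test feeding a config with DefaultErrnoRet set to ENOSYS and asserting a nil patch would pin this down.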
--- a/libcontainer/seccomp/seccomp_linux.go
+++ b/libcontainer/seccomp/seccomp_linux.go
@@ -39,7 +39,7 @@
return errors.New("cannot initialize Seccomp - nil config passed")
}
- defaultAction, err := getAction(config.DefaultAction, nil)
+ defaultAction, err := getAction(config.DefaultAction, config.DefaultErrnoRet)
if err != nil {
return errors.New("error initializing seccomp - invalid default action")
}
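Review bot: getAction now receives config.DefaultErrnoRet, but the error branch still returns a fixed "invalid default action" string and discards err, so a rejected errno value (a *uint is wider than the int16 return code a seccomp errno action can carry) would be reported as an invalid action with no hint of the real cause. Suggest wrapping the underlying error, e.g. `return fmt.Errorf("error initializing seccomp - invalid default action: %w", err)`.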
--- a/libcontainer/specconv/spec_linux.go
+++ b/libcontainer/specconv/spec_linux.go
@@ -872,6 +872,7 @@
return nil, err
}
newConfig.DefaultAction = newDefaultAction
+ newConfig.DefaultErrnoRet = config.DefaultErrnoRet
// Loop through all syscall blocks and convert them to libcontainer format
for _, call := range config.Syscalls {
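Review bot: `newConfig.DefaultErrnoRet = config.DefaultErrnoRet` copies the pointer straight from the spec into the libcontainer config, so the two structures alias the same value; copying the value (`v := *config.DefaultErrnoRet; newConfig.DefaultErrnoRet = &v`) when non-nil avoids surprises if the caller mutates the spec afterwards. The hunk also adds no validation that DefaultErrnoRet is only accepted alongside a default action that can carry an errno; the action itself is validated just above (newDefaultAction, err), and rejecting an errno paired with, say, an allow action in the same place would keep the conversion's error reporting in one spot.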
[ Other info ]
full debdiff attached
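The seccomp behaviour this update changes, as an added Go example (not runc's or the Debian package's code): it parses a constructed OCI runtime-spec seccomp profile of the kind podman ships, computes what an unlisted syscall gets back before and after runc honours defaultErrnoRet, and reproduces the decision from the generatePatch hunk on whether the -ENOSYS stub is still needed. The OCI field names (defaultAction, defaultErrnoRet, syscalls) are the runtime-spec's; the EPERM fallback when no errno is configured, the simplified set of permissive actions and the sample profile itself are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Linux errno values used below; the seccomp filter targets Linux, so the
// numbers are fixed regardless of where this example is compiled.
const (
	errnoEPERM  uint = 1
	errnoENOSYS uint = 38
)

// ociSeccomp models the subset of the OCI runtime-spec "linux.seccomp"
// object that matters here: the default action and the optional
// defaultErrnoRet, the errno returned when the default action is
// SCMP_ACT_ERRNO.
type ociSeccomp struct {
	DefaultAction   string `json:"defaultAction"`
	DefaultErrnoRet *uint  `json:"defaultErrnoRet,omitempty"`
	Syscalls        []struct {
		Names  []string `json:"names"`
		Action string   `json:"action"`
	} `json:"syscalls"`
}

// Constructed sample profile (not a real podman profile): it pins the
// default errno to ENOSYS so libc can fall back from syscalls the profile
// does not list, instead of treating them as a hard EPERM failure.
const sampleProfile = `{
  "defaultAction": "SCMP_ACT_ERRNO",
  "defaultErrnoRet": 38,
  "syscalls": [
    {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"}
  ]
}`

// parseProfile decodes a profile document into the model above.
func parseProfile(data string) (ociSeccomp, error) {
	var p ociSeccomp
	err := json.Unmarshal([]byte(data), &p)
	return p, err
}

// effectiveDefaultErrno returns the errno an unlisted syscall receives under
// the default action. honourErrnoRet=false models runc before the patch,
// where defaultErrnoRet was parsed but never passed on, so the fallback
// errno (assumed here to be EPERM) was always used; true models the patched
// behaviour. Returns 0 when the default action is not an errno action.
func effectiveDefaultErrno(p ociSeccomp, honourErrnoRet bool) uint {
	if p.DefaultAction != "SCMP_ACT_ERRNO" {
		return 0
	}
	if honourErrnoRet && p.DefaultErrnoRet != nil {
		return *p.DefaultErrnoRet
	}
	return errnoEPERM
}

// needsEnosysStub mirrors the decision added to generatePatch in the diff:
// the -ENOSYS stub is only generated when the default action is not
// permissive and the configured default errno is not already ENOSYS.
// Treating only ALLOW and LOG as permissive is a simplification of this
// example, not runc's exact list.
func needsEnosysStub(p ociSeccomp) bool {
	if p.DefaultErrnoRet != nil && *p.DefaultErrnoRet == errnoENOSYS {
		return false
	}
	if p.DefaultAction == "SCMP_ACT_ALLOW" || p.DefaultAction == "SCMP_ACT_LOG" {
		return false
	}
	return true
}

func main() {
	p, err := parseProfile(sampleProfile)
	if err != nil {
		panic(err)
	}
	fmt.Printf("before patch: unlisted syscall -> errno %d\n", effectiveDefaultErrno(p, false))
	fmt.Printf("after patch:  unlisted syscall -> errno %d\n", effectiveDefaultErrno(p, true))
	fmt.Printf("-ENOSYS stub still needed: %v\n", needsEnosysStub(p))
}
```

Run as-is it shows the pre-patch runc returning EPERM (1) for syscalls the profile does not list even though the profile asked for ENOSYS (38), which is the breakage the report describes for runc users; with the errno honoured, the stub filter becomes unnecessary because the default action already yields ENOSYS.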
Hi, Could you include the patch for CVE-2022-29162? https://security-tracker.debian.org/tracker/CVE-2022-29162 If you don't have time, I can work on this later this week.
backported as https://salsa.debian.org/go-team/packages/runc/-/commit/05b0597cb4db36f70c3bf737c87466a740a9eadf -- builds fine (and thus passes unit tests), still need to test it on a real machine. Thanks for pointing me to it!
The Security Tracker says it's not fixed in unstable - is that correct? If so, that needs addressing first before it can be considered for p-u. Regards, Adam
The tracker is corrected now, the issue was fixed in 1.1.2. Cheers, Emilio
On Tue, Jun 14, 2022 at 5:54 AM Emilio Pozuelo Monfort <pochu@debian.org> wrote: Thanks, I've tested the new runc and concluded it works fine. The effective (additional) security patch reads:--- a/exec.go +++ b/exec.go @@ -193,7 +193,6 @@ if caps := context.StringSlice("cap"); len(caps) > 0 { for _, c := range caps { p.Capabilities.Bounding = append(p.Capabilities.Bounding, c) - p.Capabilities.Inheritable = append(p.Capabilities.Inheritable, c) p.Capabilities.Effective = append(p.Capabilities.Effective, c) p.Capabilities.Permitted = append(p.Capabilities.Permitted, c) p.Capabilities.Ambient = append(p.Capabilities.Ambient, c) --- a/libcontainer/README.md +++ b/libcontainer/README.md @@ -92,22 +92,6 @@ "CAP_KILL", "CAP_AUDIT_WRITE", }, - Inheritable: []string{ - "CAP_CHOWN", - "CAP_DAC_OVERRIDE", - "CAP_FSETID", - "CAP_FOWNER", - "CAP_MKNOD", - "CAP_NET_RAW", - "CAP_SETGID", - "CAP_SETUID", - "CAP_SETFCAP", - "CAP_SETPCAP", - "CAP_NET_BIND_SERVICE", - "CAP_SYS_CHROOT", - "CAP_KILL", - "CAP_AUDIT_WRITE", - }, Permitted: []string{ "CAP_CHOWN", "CAP_DAC_OVERRIDE", --- a/libcontainer/integration/exec_test.go +++ b/libcontainer/integration/exec_test.go @@ -412,7 +412,6 @@ pconfig.Capabilities.Bounding = append(config.Capabilities.Bounding, "CAP_NET_ADMIN") pconfig.Capabilities.Permitted = append(config.Capabilities.Permitted, "CAP_NET_ADMIN") pconfig.Capabilities.Effective = append(config.Capabilities.Effective, "CAP_NET_ADMIN") - pconfig.Capabilities.Inheritable = append(config.Capabilities.Inheritable, "CAP_NET_ADMIN") err = container.Run(&pconfig) ok(t, err) 
@@ -1593,7 +1592,6 @@ pconfig2.Capabilities.Bounding = append(config.Capabilities.Bounding, "CAP_SYS_ADMIN") pconfig2.Capabilities.Permitted = append(config.Capabilities.Permitted, "CAP_SYS_ADMIN") pconfig2.Capabilities.Effective = append(config.Capabilities.Effective, "CAP_SYS_ADMIN") - pconfig2.Capabilities.Inheritable = append(config.Capabilities.Inheritable, "CAP_SYS_ADMIN") err = container.Run(pconfig2) stdinR2.Close() --- a/libcontainer/integration/template_test.go +++ b/libcontainer/integration/template_test.go @@ -69,22 +69,6 @@ "CAP_KILL", "CAP_AUDIT_WRITE", }, - Inheritable: []string{ - "CAP_CHOWN", - "CAP_DAC_OVERRIDE", - "CAP_FSETID", - "CAP_FOWNER", - "CAP_MKNOD", - "CAP_NET_RAW", - "CAP_SETGID", - "CAP_SETUID", - "CAP_SETFCAP", - "CAP_SETPCAP", - "CAP_NET_BIND_SERVICE", - "CAP_SYS_CHROOT", - "CAP_KILL", - "CAP_AUDIT_WRITE", - }, Ambient: []string{ "CAP_CHOWN", "CAP_DAC_OVERRIDE", --- a/libcontainer/specconv/example.go +++ b/libcontainer/specconv/example.go @@ -41,11 +41,6 @@ "CAP_KILL", "CAP_NET_BIND_SERVICE", }, - Inheritable: []string{ - "CAP_AUDIT_WRITE", - "CAP_KILL", - "CAP_NET_BIND_SERVICE", - }, Ambient: []string{ "CAP_AUDIT_WRITE", "CAP_KILL", Full updated debdiff attached to this email
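Review bot: in the exec.go hunk the fix is the single removed line that appended each --cap capability to p.Capabilities.Inheritable while Bounding, Effective, Permitted and Ambient keep being extended; the README and specconv/example.go hunks drop the matching Inheritable lists, so documentation and the default example stay consistent with the new behaviour. One gap: the two integration-test hunks only stop adding CAP_NET_ADMIN and CAP_SYS_ADMIN to the Inheritable set, they add no assertion that the executed process actually ends up with an empty inheritable set, so a regression of the original behaviour would go unnoticed; suggest extending those tests to read the process's inheritable capabilities and assert the added capability is absent from them.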
package release.debian.org
tags 1012723 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==============

Package: runc
Version: 1.0.0~rc93+ds1-5+deb11u1
Explanation: honour seccomp defaultErrnoRet
package release.debian.org
tags 1012723 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==============

Package: runc
Version: 1.0.0~rc93+ds1-5+deb11u2
Explanation: honour seccomp defaultErrnoRet; do not set inheritable capabilities [CVE-2022-29162]
(re-sending with fixed bug numbers) Hi, The updates discussed in these bugs were included in today's bullseye point release. Regards, Adam