path: root/external/meta-virtualization/recipes-containers/runc
authortakeshi_hoshina <takeshi_hoshina@mail.toyota.co.jp>2020-11-02 11:07:33 +0900
committertakeshi_hoshina <takeshi_hoshina@mail.toyota.co.jp>2020-11-02 11:07:33 +0900
commit1c7d6584a7811b7785ae5c1e378f14b5ba0971cf (patch)
treecd70a267a5ef105ba32f200aa088e281fbd85747 /external/meta-virtualization/recipes-containers/runc
parent4204309872da5cb401cbb2729d9e2d4869a87f42 (diff)
recipes
Diffstat (limited to 'external/meta-virtualization/recipes-containers/runc')
-rw-r--r--external/meta-virtualization/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch35
-rw-r--r--external/meta-virtualization/recipes-containers/runc/files/0001-Only-allow-proc-mount-if-it-is-procfs.patch201
-rw-r--r--external/meta-virtualization/recipes-containers/runc/runc-docker/0001-build-drop-recvtty-and-use-GOBUILDFLAGS.patch22
-rw-r--r--external/meta-virtualization/recipes-containers/runc/runc-docker/0001-runc-docker-SIGUSR1-daemonize.patch7
-rw-r--r--external/meta-virtualization/recipes-containers/runc/runc-docker_git.bb7
-rw-r--r--external/meta-virtualization/recipes-containers/runc/runc-opencontainers_git.bb6
-rw-r--r--external/meta-virtualization/recipes-containers/runc/runc.inc12
7 files changed, 255 insertions, 35 deletions
diff --git a/external/meta-virtualization/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch b/external/meta-virtualization/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch
new file mode 100644
index 00000000..94cbb4cb
--- /dev/null
+++ b/external/meta-virtualization/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch
@@ -0,0 +1,35 @@
+From d2c47a973f354ffd505bb4e809c59e57b543726d Mon Sep 17 00:00:00 2001
+From: Chen Qi <Qi.Chen@windriver.com>
+Date: Tue, 6 Aug 2019 19:01:45 +0800
+Subject: [PATCH] Makefile: respect GOBUILDFLAGS for runc and remove recvtty
+ from static
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ Makefile | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 0f26a1c8..a0c6b40b 100644
+--- a/src/import/Makefile
++++ b/src/import/Makefile
+@@ -30,7 +30,7 @@ SHELL := $(shell command -v bash 2>/dev/null)
+ .DEFAULT: runc
+
+ runc: $(SOURCES)
+- $(GO) build -buildmode=pie $(EXTRA_FLAGS) -ldflags "-X main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)" -tags "$(BUILDTAGS)" -o runc .
++ $(GO) build $(GOBUILDFLAGS) $(EXTRA_FLAGS) -ldflags "-X main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)" -tags "$(BUILDTAGS)" -o runc .
+
+ all: runc recvtty
+
+@@ -41,7 +41,6 @@ contrib/cmd/recvtty/recvtty: $(SOURCES)
+
+ static: $(SOURCES)
+ CGO_ENABLED=1 $(GO) build $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo static_build" -installsuffix netgo -ldflags "-w -extldflags -static -X main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)" -o runc .
+- CGO_ENABLED=1 $(GO) build $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo static_build" -installsuffix netgo -ldflags "-w -extldflags -static -X main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)" -o contrib/cmd/recvtty/recvtty ./contrib/cmd/recvtty
+
+ release:
+ script/release.sh -r release/$(VERSION) -v $(VERSION)
+--
+2.17.1
+
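Review bot: Replacing `-buildmode=pie` with `$(GOBUILDFLAGS)` in the `runc` target (the `@@ -30,7 +30,7 @@` hunk) makes the dynamic build position-independent only if GOBUILDFLAGS happens to carry `-buildmode=pie`; that value comes from the build system's go class rather than from this patch, so confirm it still includes PIE (or keep `-buildmode=pie` after `$(GOBUILDFLAGS)`) so the dynamically linked runc does not silently lose ASLR. The `static` target in the second hunk still receives only `$(EXTRA_FLAGS)`, so the two targets will not see the same flag set. The `diff --git a/Makefile b/Makefile` line names a different path than the `--- a/src/import/Makefile` and `+++ b/src/import/Makefile` lines below it; `patch -p1` uses the latter, but `git apply` may reject the mismatch, so it is worth checking which tool the recipe applies it with — the same header mismatch appears in the 0001-Only-allow-proc-mount-if-it-is-procfs.patch added below. The rest of the runc Makefile is outside these two hunks.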
diff --git a/external/meta-virtualization/recipes-containers/runc/files/0001-Only-allow-proc-mount-if-it-is-procfs.patch b/external/meta-virtualization/recipes-containers/runc/files/0001-Only-allow-proc-mount-if-it-is-procfs.patch
new file mode 100644
index 00000000..5aca99e2
--- /dev/null
+++ b/external/meta-virtualization/recipes-containers/runc/files/0001-Only-allow-proc-mount-if-it-is-procfs.patch
@@ -0,0 +1,201 @@
+From d75b05441772417a0828465a9483f16287937724 Mon Sep 17 00:00:00 2001
+From: Michael Crosby <crosbymichael@gmail.com>
+Date: Mon, 23 Sep 2019 16:45:45 -0400
+Subject: [PATCH] Only allow proc mount if it is procfs
+
+Fixes #2128
+
+This allows proc to be bind mounted for host and rootless namespace usecases but
+it removes the ability to mount over the top of proc with a directory.
+
+```bash
+> sudo docker run --rm apparmor
+docker: Error response from daemon: OCI runtime create failed:
+container_linux.go:346: starting container process caused "process_linux.go:449:
+container init caused \"rootfs_linux.go:58: mounting
+\\\"/var/lib/docker/volumes/aae28ea068c33d60e64d1a75916cf3ec2dc3634f97571854c9ed30c8401460c1/_data\\\"
+to rootfs
+\\\"/var/lib/docker/overlay2/a6be5ae911bf19f8eecb23a295dec85be9a8ee8da66e9fb55b47c841d1e381b7/merged\\\"
+at \\\"/proc\\\" caused
+\\\"\\\\\\\"/var/lib/docker/overlay2/a6be5ae911bf19f8eecb23a295dec85be9a8ee8da66e9fb55b47c841d1e381b7/merged/proc\\\\\\\"
+cannot be mounted because it is not of type proc\\\"\"": unknown.
+
+> sudo docker run --rm -v /proc:/proc apparmor
+
+docker-default (enforce) root 18989 0.9 0.0 1288 4 ?
+Ss 16:47 0:00 sleep 20
+```
+
+Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
+
+Upstream-Status: Backport [https://github.com/opencontainers/runc/pull/2129/commits/331692baa7afdf6c186f8667cb0e6362ea0802b3]
+
+CVE: CVE-2019-16884
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ libcontainer/container_linux.go | 4 +--
+ libcontainer/rootfs_linux.go | 50 +++++++++++++++++++++++--------
+ libcontainer/rootfs_linux_test.go | 8 ++---
+ 3 files changed, 43 insertions(+), 19 deletions(-)
+
+diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
+index 7e58e5e0..d51e35df 100644
+--- a/src/import/libcontainer/container_linux.go
++++ b/src/import/libcontainer/container_linux.go
+@@ -19,7 +19,7 @@ import (
+ "syscall" // only for SysProcAttr and Signal
+ "time"
+
+- "github.com/cyphar/filepath-securejoin"
++ securejoin "github.com/cyphar/filepath-securejoin"
+ "github.com/opencontainers/runc/libcontainer/cgroups"
+ "github.com/opencontainers/runc/libcontainer/configs"
+ "github.com/opencontainers/runc/libcontainer/intelrdt"
+@@ -1160,7 +1160,7 @@ func (c *linuxContainer) makeCriuRestoreMountpoints(m *configs.Mount) error {
+ if err != nil {
+ return err
+ }
+- if err := checkMountDestination(c.config.Rootfs, dest); err != nil {
++ if err := checkProcMount(c.config.Rootfs, dest, ""); err != nil {
+ return err
+ }
+ m.Destination = dest
+diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
+index f13b226e..5650b0ac 100644
+--- a/src/import/libcontainer/rootfs_linux.go
++++ b/src/import/libcontainer/rootfs_linux.go
+@@ -13,7 +13,7 @@ import (
+ "strings"
+ "time"
+
+- "github.com/cyphar/filepath-securejoin"
++ securejoin "github.com/cyphar/filepath-securejoin"
+ "github.com/mrunalp/fileutils"
+ "github.com/opencontainers/runc/libcontainer/cgroups"
+ "github.com/opencontainers/runc/libcontainer/configs"
+@@ -197,7 +197,7 @@ func prepareBindMount(m *configs.Mount, rootfs string) error {
+ if dest, err = securejoin.SecureJoin(rootfs, m.Destination); err != nil {
+ return err
+ }
+- if err := checkMountDestination(rootfs, dest); err != nil {
++ if err := checkProcMount(rootfs, dest, m.Source); err != nil {
+ return err
+ }
+ // update the mount with the correct dest after symlinks are resolved.
+@@ -388,7 +388,7 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b
+ if dest, err = securejoin.SecureJoin(rootfs, m.Destination); err != nil {
+ return err
+ }
+- if err := checkMountDestination(rootfs, dest); err != nil {
++ if err := checkProcMount(rootfs, dest, m.Source); err != nil {
+ return err
+ }
+ // update the mount with the correct dest after symlinks are resolved.
+@@ -435,12 +435,12 @@ func getCgroupMounts(m *configs.Mount) ([]*configs.Mount, error) {
+ return binds, nil
+ }
+
+-// checkMountDestination checks to ensure that the mount destination is not over the top of /proc.
++// checkProcMount checks to ensure that the mount destination is not over the top of /proc.
+ // dest is required to be an abs path and have any symlinks resolved before calling this function.
+-func checkMountDestination(rootfs, dest string) error {
+- invalidDestinations := []string{
+- "/proc",
+- }
++//
++// if source is nil, don't stat the filesystem. This is used for restore of a checkpoint.
++func checkProcMount(rootfs, dest, source string) error {
++ const procPath = "/proc"
+ // White list, it should be sub directories of invalid destinations
+ validDestinations := []string{
+ // These entries can be bind mounted by files emulated by fuse,
+@@ -463,16 +463,40 @@ func checkMountDestination(rootfs, dest string) error {
+ return nil
+ }
+ }
+- for _, invalid := range invalidDestinations {
+- path, err := filepath.Rel(filepath.Join(rootfs, invalid), dest)
++ path, err := filepath.Rel(filepath.Join(rootfs, procPath), dest)
++ if err != nil {
++ return err
++ }
++ // pass if the mount path is located outside of /proc
++ if strings.HasPrefix(path, "..") {
++ return nil
++ }
++ if path == "." {
++ // an empty source is pasted on restore
++ if source == "" {
++ return nil
++ }
++ // only allow a mount on-top of proc if it's source is "proc"
++ isproc, err := isProc(source)
+ if err != nil {
+ return err
+ }
+- if path != "." && !strings.HasPrefix(path, "..") {
+- return fmt.Errorf("%q cannot be mounted because it is located inside %q", dest, invalid)
++ // pass if the mount is happening on top of /proc and the source of
++ // the mount is a proc filesystem
++ if isproc {
++ return nil
+ }
++ return fmt.Errorf("%q cannot be mounted because it is not of type proc", dest)
+ }
+- return nil
++ return fmt.Errorf("%q cannot be mounted because it is inside /proc", dest)
++}
++
++func isProc(path string) (bool, error) {
++ var s unix.Statfs_t
++ if err := unix.Statfs(path, &s); err != nil {
++ return false, err
++ }
++ return s.Type == unix.PROC_SUPER_MAGIC, nil
+ }
+
+ func setupDevSymlinks(rootfs string) error {
+diff --git a/libcontainer/rootfs_linux_test.go b/libcontainer/rootfs_linux_test.go
+index d755984b..1bfe7c66 100644
+--- a/src/import/libcontainer/rootfs_linux_test.go
++++ b/src/import/libcontainer/rootfs_linux_test.go
+@@ -10,7 +10,7 @@ import (
+
+ func TestCheckMountDestOnProc(t *testing.T) {
+ dest := "/rootfs/proc/sys"
+- err := checkMountDestination("/rootfs", dest)
++ err := checkProcMount("/rootfs", dest, "")
+ if err == nil {
+ t.Fatal("destination inside proc should return an error")
+ }
+@@ -18,7 +18,7 @@ func TestCheckMountDestOnProc(t *testing.T) {
+
+ func TestCheckMountDestOnProcChroot(t *testing.T) {
+ dest := "/rootfs/proc/"
+- err := checkMountDestination("/rootfs", dest)
++ err := checkProcMount("/rootfs", dest, "/proc")
+ if err != nil {
+ t.Fatal("destination inside proc when using chroot should not return an error")
+ }
+@@ -26,7 +26,7 @@ func TestCheckMountDestOnProcChroot(t *testing.T) {
+
+ func TestCheckMountDestInSys(t *testing.T) {
+ dest := "/rootfs//sys/fs/cgroup"
+- err := checkMountDestination("/rootfs", dest)
++ err := checkProcMount("/rootfs", dest, "")
+ if err != nil {
+ t.Fatal("destination inside /sys should not return an error")
+ }
+@@ -34,7 +34,7 @@ func TestCheckMountDestInSys(t *testing.T) {
+
+ func TestCheckMountDestFalsePositive(t *testing.T) {
+ dest := "/rootfs/sysfiles/fs/cgroup"
+- err := checkMountDestination("/rootfs", dest)
++ err := checkProcMount("/rootfs", dest, "")
+ if err != nil {
+ t.Fatal(err)
+ }
+--
+2.17.1
+
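Review bot: `isProc`, added at the end of the rootfs_linux.go hunk, calls `unix.Statfs` and compares against `unix.PROC_SUPER_MAGIC`, but no hunk in this patch touches the import block for `golang.org/x/sys/unix`; rc8's rootfs_linux.go presumably already imports it, since the upstream commit did not add one either, but only a build of the patched tree confirms that for this backport. The `source == ""` early return in `checkProcMount` skips the procfs check on the CRIU restore path (the `makeCriuRestoreMountpoints` caller passes `""`), so a restored checkpoint whose mount lands on `/proc` is not validated here; that limitation deserves a sentence in the recipe's patch header next to the CVE tag. The updated `TestCheckMountDestOnProcChroot` statfs's the host's `/proc` through `isProc`, so it only passes where procfs is actually mounted — harmless for do_compile, but relevant if `go test` is ever wired into the recipe.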
diff --git a/external/meta-virtualization/recipes-containers/runc/runc-docker/0001-build-drop-recvtty-and-use-GOBUILDFLAGS.patch b/external/meta-virtualization/recipes-containers/runc/runc-docker/0001-build-drop-recvtty-and-use-GOBUILDFLAGS.patch
deleted file mode 100644
index faeac46f..00000000
--- a/external/meta-virtualization/recipes-containers/runc/runc-docker/0001-build-drop-recvtty-and-use-GOBUILDFLAGS.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-From a9a2b9e72027d0b2357f6dfe8b154762aaa8dd02 Mon Sep 17 00:00:00 2001
-From: Bruce Ashfield <bruce.ashfield@windriver.com>
-Date: Thu, 19 Apr 2018 16:39:41 -0400
-Subject: [PATCH] build: drop recvtty and use GOBUILDFLAGS
-
-Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
----
- Makefile | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-Index: git/src/import/Makefile
-===================================================================
---- git.orig/src/import/Makefile
-+++ git/src/import/Makefile
-@@ -41,7 +41,6 @@
-
- static: $(SOURCES)
- CGO_ENABLED=1 $(GO) build $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo cgo static_build" -installsuffix netgo -ldflags "-w -extldflags -static -X main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)" -o runc .
-- CGO_ENABLED=1 $(GO) build $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo cgo static_build" -installsuffix netgo -ldflags "-w -extldflags -static -X main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)" -o contrib/cmd/recvtty/recvtty ./contrib/cmd/recvtty
-
- release:
- script/release.sh -r release/$(VERSION) -v $(VERSION)
diff --git a/external/meta-virtualization/recipes-containers/runc/runc-docker/0001-runc-docker-SIGUSR1-daemonize.patch b/external/meta-virtualization/recipes-containers/runc/runc-docker/0001-runc-docker-SIGUSR1-daemonize.patch
index 9ccbccb2..0af74952 100644
--- a/external/meta-virtualization/recipes-containers/runc/runc-docker/0001-runc-docker-SIGUSR1-daemonize.patch
+++ b/external/meta-virtualization/recipes-containers/runc/runc-docker/0001-runc-docker-SIGUSR1-daemonize.patch
@@ -51,14 +51,13 @@ Index: git/src/import/signals.go
pid1, err := process.Pid()
if err != nil {
-@@ -68,12 +66,61 @@
+@@ -68,11 +66,60 @@
if h.notifySocket != nil {
if detach {
h.notifySocket.run(pid1)
- return 0, nil
- } else {
- go h.notifySocket.run(0)
}
+ go h.notifySocket.run(0)
}
+ if (detach) {
@@ -118,7 +117,7 @@ Index: git/src/import/utils_linux.go
===================================================================
--- git.orig/src/import/utils_linux.go
+++ git/src/import/utils_linux.go
-@@ -338,7 +338,7 @@
+@@ -347,7 +347,7 @@
if err != nil {
r.terminate(process)
}
diff --git a/external/meta-virtualization/recipes-containers/runc/runc-docker_git.bb b/external/meta-virtualization/recipes-containers/runc/runc-docker_git.bb
index 02bda318..8d810d01 100644
--- a/external/meta-virtualization/recipes-containers/runc/runc-docker_git.bb
+++ b/external/meta-virtualization/recipes-containers/runc/runc-docker_git.bb
@@ -2,11 +2,12 @@ include runc.inc
# Note: this rev is before the required protocol field, update when all components
# have been updated to match.
-SRCREV_runc-docker = "6a2c15596845f6ff5182e2022f38a65e5dfa88eb"
+SRCREV_runc-docker = "425e105d5a03fabd737a126ad93d62a9eeede87f"
SRC_URI = "git://github.com/opencontainers/runc;nobranch=1;name=runc-docker \
file://0001-runc-Add-console-socket-dev-null.patch \
- file://0001-build-drop-recvtty-and-use-GOBUILDFLAGS.patch \
+ file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch \
file://0001-runc-docker-SIGUSR1-daemonize.patch \
+ file://0001-Only-allow-proc-mount-if-it-is-procfs.patch \
"
-RUNC_VERSION = "1.0.0-rc5"
+RUNC_VERSION = "1.0.0-rc8"
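Review bot: The comment kept as context at the top of this hunk, `# Note: this rev is before the required protocol field, update when all components have been updated to match.`, appears to describe the previous SRCREV and is not revisited even though the rev and RUNC_VERSION move to rc8; either drop it or restate what still applies to the new rev. The SRC_URI still fetches over `git://github.com/...` with no `protocol=https`; the full-SHA SRCREV pins the tree so a tampered transport cannot substitute different content undetected, but the plain scheme offers no transport integrity or authentication, so adding `;protocol=https` belongs in the same bump. The same two points apply to the runc-opencontainers_git.bb hunk below.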
diff --git a/external/meta-virtualization/recipes-containers/runc/runc-opencontainers_git.bb b/external/meta-virtualization/recipes-containers/runc/runc-opencontainers_git.bb
index eaee8efa..3a7e7aaf 100644
--- a/external/meta-virtualization/recipes-containers/runc/runc-opencontainers_git.bb
+++ b/external/meta-virtualization/recipes-containers/runc/runc-opencontainers_git.bb
@@ -1,7 +1,9 @@
include runc.inc
-SRCREV = "6a2c15596845f6ff5182e2022f38a65e5dfa88eb"
+SRCREV = "652297c7c7e6c94e8d064ad5916c32891a6fd388"
SRC_URI = " \
git://github.com/opencontainers/runc;branch=master \
+ file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch \
+ file://0001-Only-allow-proc-mount-if-it-is-procfs.patch \
"
-RUNC_VERSION = "1.0.0-rc5"
+RUNC_VERSION = "1.0.0-rc8"
diff --git a/external/meta-virtualization/recipes-containers/runc/runc.inc b/external/meta-virtualization/recipes-containers/runc/runc.inc
index 6d11a6ef..41ea41be 100644
--- a/external/meta-virtualization/recipes-containers/runc/runc.inc
+++ b/external/meta-virtualization/recipes-containers/runc/runc.inc
@@ -14,10 +14,11 @@ inherit go
inherit goarch
inherit pkgconfig
-PACKAGECONFIG ??= ""
+PACKAGECONFIG ??= "static"
PACKAGECONFIG[seccomp] = "seccomp,,libseccomp"
+# This PACKAGECONFIG serves the purpose of whether building runc as static or not
+PACKAGECONFIG[static] = ""
-RRECOMMENDS_${PN} = "lxc docker"
PROVIDES += "virtual/runc"
RPROVIDES_${PN} = "virtual/runc"
@@ -55,7 +56,11 @@ do_compile() {
export CFLAGS=""
export LDFLAGS=""
- oe_runmake static
+ if ${@bb.utils.contains('PACKAGECONFIG', 'static', 'true', 'false', d)}; then
+ oe_runmake static
+ else
+ oe_runmake runc
+ fi
}
do_install() {
@@ -65,4 +70,3 @@ do_install() {
ln -sf runc ${D}/${bindir}/docker-runc
}
-INHIBIT_PACKAGE_STRIP = "1"
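Review bot: The comment on the new `PACKAGECONFIG[static]` entry is hard to parse; `# "static": build runc with the Makefile's static target; when disabled, do_compile builds the dynamically linked "runc" target instead` says what the flag actually switches in the do_compile hunk. Defaulting `PACKAGECONFIG ??= "static"` preserves the previous unconditional `oe_runmake static`, so the net change for existing users is only the option to go dynamic; that dynamic path relies on the Makefile's `runc` target honouring GOBUILDFLAGS, which only holds once the new Makefile patch is applied, so a recipe including runc.inc without that patch builds with upstream's own flags. Dropping `INHIBIT_PACKAGE_STRIP = "1"` in the last hunk means the installed binary is now stripped by the packaging step; the commit does not say why stripping was inhibited before, so confirm the stripped static Go binary still runs before relying on it.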