Diffstat (limited to 'external/meta-virtualization/recipes-containers/runc')
7 files changed, 255 insertions, 35 deletions
diff --git a/external/meta-virtualization/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch b/external/meta-virtualization/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch
new file mode 100644
index 00000000..94cbb4cb
--- /dev/null
+++ b/external/meta-virtualization/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch
@@ -0,0 +1,35 @@
+From d2c47a973f354ffd505bb4e809c59e57b543726d Mon Sep 17 00:00:00 2001
+From: Chen Qi <Qi.Chen@windriver.com>
+Date: Tue, 6 Aug 2019 19:01:45 +0800
+Subject: [PATCH] Makefile: respect GOBUILDFLAGS for runc and remove recvtty
+ from static
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ Makefile | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 0f26a1c8..a0c6b40b 100644
+--- a/src/import/Makefile
++++ b/src/import/Makefile
+@@ -30,7 +30,7 @@ SHELL := $(shell command -v bash 2>/dev/null)
+ .DEFAULT: runc
+
+ runc: $(SOURCES)
+- $(GO) build -buildmode=pie $(EXTRA_FLAGS) -ldflags "-X main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)" -tags "$(BUILDTAGS)" -o runc .
++ $(GO) build $(GOBUILDFLAGS) $(EXTRA_FLAGS) -ldflags "-X main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)" -tags "$(BUILDTAGS)" -o runc .
+
+ all: runc recvtty
+
+@@ -41,7 +41,6 @@ contrib/cmd/recvtty/recvtty: $(SOURCES)
+
+ static: $(SOURCES)
+ CGO_ENABLED=1 $(GO) build $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo static_build" -installsuffix netgo -ldflags "-w -extldflags -static -X main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)" -o runc .
+- CGO_ENABLED=1 $(GO) build $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo static_build" -installsuffix netgo -ldflags "-w -extldflags -static -X main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)" -o contrib/cmd/recvtty/recvtty ./contrib/cmd/recvtty
+
+ release:
+ script/release.sh -r release/$(VERSION) -v $(VERSION)
+--
+2.17.1
+
diff --git a/external/meta-virtualization/recipes-containers/runc/files/0001-Only-allow-proc-mount-if-it-is-procfs.patch b/external/meta-virtualization/recipes-containers/runc/files/0001-Only-allow-proc-mount-if-it-is-procfs.patch
new file mode 100644
index 00000000..5aca99e2
--- /dev/null
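Review bot: The new `runc:` rule swaps the hard-coded `-buildmode=pie` for `$(GOBUILDFLAGS)`, so the dynamically linked runc is position-independent only if the recipe's GOBUILDFLAGS carries a `-buildmode`; that variable is not visible in this commit and should be confirmed against the go class before relying on PIE for this binary. The rule also keeps its own `-ldflags "..."` after `$(GOBUILDFLAGS)`; if GOBUILDFLAGS passes `-ldflags` as well, `go build` keeps only one of them as far as I know (the last one), so either the recipe's link flags or the `main.version`/`main.gitCommit` stamping is silently lost — `runc --version` on the built binary will show which. The `static:` target is left without `$(GOBUILDFLAGS)` entirely, which matters because runc.inc in this same commit makes `static` the default PACKAGECONFIG.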
+++ b/external/meta-virtualization/recipes-containers/runc/files/0001-Only-allow-proc-mount-if-it-is-procfs.patch 
@@ -0,0 +1,201 @@
+From d75b05441772417a0828465a9483f16287937724 Mon Sep 17 00:00:00 2001
+From: Michael Crosby <crosbymichael@gmail.com>
+Date: Mon, 23 Sep 2019 16:45:45 -0400
+Subject: [PATCH] Only allow proc mount if it is procfs
+
+Fixes #2128
+
+This allows proc to be bind mounted for host and rootless namespace usecases but
+it removes the ability to mount over the top of proc with a directory.
+
+```bash
+> sudo docker run --rm apparmor
+docker: Error response from daemon: OCI runtime create failed:
+container_linux.go:346: starting container process caused "process_linux.go:449:
+container init caused \"rootfs_linux.go:58: mounting
+\\\"/var/lib/docker/volumes/aae28ea068c33d60e64d1a75916cf3ec2dc3634f97571854c9ed30c8401460c1/_data\\\"
+to rootfs
+\\\"/var/lib/docker/overlay2/a6be5ae911bf19f8eecb23a295dec85be9a8ee8da66e9fb55b47c841d1e381b7/merged\\\"
+at \\\"/proc\\\" caused
+\\\"\\\\\\\"/var/lib/docker/overlay2/a6be5ae911bf19f8eecb23a295dec85be9a8ee8da66e9fb55b47c841d1e381b7/merged/proc\\\\\\\"
+cannot be mounted because it is not of type proc\\\"\"": unknown.
+
+> sudo docker run --rm -v /proc:/proc apparmor
+
+docker-default (enforce) root 18989 0.9 0.0 1288 4 ?
+Ss 16:47 0:00 sleep 20
+```
+
+Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
+
+Upstream-Status: Backport [https://github.com/opencontainers/runc/pull/2129/commits/331692baa7afdf6c186f8667cb0e6362ea0802b3]
+
+CVE: CVE-2019-16884
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ libcontainer/container_linux.go | 4 +--
+ libcontainer/rootfs_linux.go | 50 +++++++++++++++++++++++--------
+ libcontainer/rootfs_linux_test.go | 8 ++---
+ 3 files changed, 43 insertions(+), 19 deletions(-)
+
+diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
+index 7e58e5e0..d51e35df 100644
+--- a/src/import/libcontainer/container_linux.go
++++ b/src/import/libcontainer/container_linux.go
+@@ -19,7 +19,7 @@ import (
+ "syscall" // only for SysProcAttr and Signal
+ "time"
+
+- "github.com/cyphar/filepath-securejoin"
++ securejoin "github.com/cyphar/filepath-securejoin"
+ "github.com/opencontainers/runc/libcontainer/cgroups"
+ "github.com/opencontainers/runc/libcontainer/configs"
+ "github.com/opencontainers/runc/libcontainer/intelrdt"
+@@ -1160,7 +1160,7 @@ func (c *linuxContainer) makeCriuRestoreMountpoints(m *configs.Mount) error {
+ if err != nil {
+ return err
+ }
+- if err := checkMountDestination(c.config.Rootfs, dest); err != nil {
++ if err := checkProcMount(c.config.Rootfs, dest, ""); err != nil {
+ return err
+ }
+ m.Destination = dest
+diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
+index f13b226e..5650b0ac 100644
+--- a/src/import/libcontainer/rootfs_linux.go
++++ b/src/import/libcontainer/rootfs_linux.go
+@@ -13,7 +13,7 @@ import (
+ "strings"
+ "time"
+
+- "github.com/cyphar/filepath-securejoin"
++ securejoin "github.com/cyphar/filepath-securejoin"
+ "github.com/mrunalp/fileutils"
+ "github.com/opencontainers/runc/libcontainer/cgroups"
+ "github.com/opencontainers/runc/libcontainer/configs"
+@@ -197,7 +197,7 @@ func prepareBindMount(m *configs.Mount, rootfs string) error {
+ if dest, err = securejoin.SecureJoin(rootfs, m.Destination); err != nil {
+ return err
+ }
+- if err := checkMountDestination(rootfs, dest); err != nil {
++ if err := checkProcMount(rootfs, dest, m.Source); err != nil {
+ return err
+ }
+ // update the mount with the correct dest after symlinks are resolved.
+@@ -388,7 +388,7 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b
+ if dest, err = securejoin.SecureJoin(rootfs, m.Destination); err != nil {
+ return err
+ }
+- if err := checkMountDestination(rootfs, dest); err != nil {
++ if err := checkProcMount(rootfs, dest, m.Source); err != nil {
+ return err
+ }
+ // update the mount with the correct dest after symlinks are resolved.
+@@ -435,12 +435,12 @@ func getCgroupMounts(m *configs.Mount) ([]*configs.Mount, error) {
+ return binds, nil
+ }
+
+-// checkMountDestination checks to ensure that the mount destination is not over the top of /proc.
++// checkProcMount checks to ensure that the mount destination is not over the top of /proc.
+ // dest is required to be an abs path and have any symlinks resolved before calling this function.
+-func checkMountDestination(rootfs, dest string) error {
+- invalidDestinations := []string{
+- "/proc",
+- }
++//
++// if source is nil, don't stat the filesystem. This is used for restore of a checkpoint.
++func checkProcMount(rootfs, dest, source string) error {
++ const procPath = "/proc"
+ // White list, it should be sub directories of invalid destinations
+ validDestinations := []string{
+ // These entries can be bind mounted by files emulated by fuse,
+@@ -463,16 +463,40 @@ func checkMountDestination(rootfs, dest string) error {
+ return nil
+ }
+ }
+- for _, invalid := range invalidDestinations {
+- path, err := filepath.Rel(filepath.Join(rootfs, invalid), dest)
++ path, err := filepath.Rel(filepath.Join(rootfs, procPath), dest)
++ if err != nil {
++ return err
++ }
++ // pass if the mount path is located outside of /proc
++ if strings.HasPrefix(path, "..") {
++ return nil
++ }
++ if path == "." {
++ // an empty source is pasted on restore
++ if source == "" {
++ return nil
++ }
++ // only allow a mount on-top of proc if it's source is "proc"
++ isproc, err := isProc(source)
+ if err != nil {
+ return err
+ }
+- if path != "." && !strings.HasPrefix(path, "..") {
+- return fmt.Errorf("%q cannot be mounted because it is located inside %q", dest, invalid)
++ // pass if the mount is happening on top of /proc and the source of
++ // the mount is a proc filesystem
++ if isproc {
++ return nil
+ }
++ return fmt.Errorf("%q cannot be mounted because it is not of type proc", dest)
+ }
+- return nil
++ return fmt.Errorf("%q cannot be mounted because it is inside /proc", dest)
++}
++
++func isProc(path string) (bool, error) {
++ var s unix.Statfs_t
++ if err := unix.Statfs(path, &s); err != nil {
++ return false, err
++ }
++ return s.Type == unix.PROC_SUPER_MAGIC, nil
+ }
+
+ func setupDevSymlinks(rootfs string) error {
+diff --git a/libcontainer/rootfs_linux_test.go b/libcontainer/rootfs_linux_test.go
+index d755984b..1bfe7c66 100644
+--- a/src/import/libcontainer/rootfs_linux_test.go
++++ b/src/import/libcontainer/rootfs_linux_test.go
+@@ -10,7 +10,7 @@ import (
+
+ func TestCheckMountDestOnProc(t *testing.T) {
+ dest := "/rootfs/proc/sys"
+- err := checkMountDestination("/rootfs", dest)
++ err := checkProcMount("/rootfs", dest, "")
+ if err == nil {
+ t.Fatal("destination inside proc should return an error")
+ }
+@@ -18,7 +18,7 @@ func TestCheckMountDestOnProc(t *testing.T) {
+
+ func TestCheckMountDestOnProcChroot(t *testing.T) {
+ dest := "/rootfs/proc/"
+- err := checkMountDestination("/rootfs", dest)
++ err := checkProcMount("/rootfs", dest, "/proc")
+ if err != nil {
+ t.Fatal("destination inside proc when using chroot should not return an error")
+ }
+@@ -26,7 +26,7 @@ func TestCheckMountDestOnProcChroot(t *testing.T) {
+
+ func TestCheckMountDestInSys(t *testing.T) {
+ dest := "/rootfs//sys/fs/cgroup"
+- err := checkMountDestination("/rootfs", dest)
++ err := checkProcMount("/rootfs", dest, "")
+ if err != nil {
+ t.Fatal("destination inside /sys should not return an error")
+ }
+@@ -34,7 +34,7 @@ func TestCheckMountDestInSys(t *testing.T) {
+
+ func TestCheckMountDestFalsePositive(t *testing.T) {
+ dest := "/rootfs/sysfiles/fs/cgroup"
+- err := checkMountDestination("/rootfs", dest)
++ err := checkProcMount("/rootfs", dest, "")
+ if err != nil {
+ t.Fatal(err)
+ }
+--
+2.17.1
+
diff --git a/external/meta-virtualization/recipes-containers/runc/runc-docker/0001-build-drop-recvtty-and-use-GOBUILDFLAGS.patch b/external/meta-virtualization/recipes-containers/runc/runc-docker/0001-build-drop-recvtty-and-use-GOBUILDFLAGS.patch
deleted file mode 100644
index faeac46f..00000000
--- a/external/meta-virtualization/recipes-containers/runc/runc-docker/0001-build-drop-recvtty-and-use-GOBUILDFLAGS.patch
+++ /dev/null
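Review bot: The `source == ""` early return in the new checkProcMount is commented as a restore-only path, but the same function is now called from prepareBindMount and mountToRootfs with `m.Source`, so a mount spec with an empty Source and a destination of exactly /proc passes the check without the procfs statfs; whether an empty Source can reach those callers depends on config validation outside this hunk. Making the restore case explicit at the call sites, e.g. `checkProcMount(rootfs, dest, source string, skipSourceCheck bool)` or a dedicated sentinel, would keep that bypass from being reachable by accident. The doc comment should also record that isProc calls statfs(2) on `source` as given, so symlinks are followed and a relative path is resolved against runc's working directory at check time rather than against what is eventually mounted. Small comment errors worth fixing upstream rather than diverging in this backport: `if source is nil` should read `if source is empty` (source is a string), `it's source` should be `its source`, and `pasted` should be `passed`. The whitelist loop of checkProcMount between the two inner hunks is not shown here.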
@@ -1,22 +0,0 @@
-From a9a2b9e72027d0b2357f6dfe8b154762aaa8dd02 Mon Sep 17 00:00:00 2001
-From: Bruce Ashfield <bruce.ashfield@windriver.com>
-Date: Thu, 19 Apr 2018 16:39:41 -0400
-Subject: [PATCH] build: drop recvtty and use GOBUILDFLAGS
-
-Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
----
- Makefile | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-Index: git/src/import/Makefile
-===================================================================
---- git.orig/src/import/Makefile
-+++ git/src/import/Makefile
-@@ -41,7 +41,6 @@
-
- static: $(SOURCES)
- CGO_ENABLED=1 $(GO) build $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo cgo static_build" -installsuffix netgo -ldflags "-w -extldflags -static -X main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)" -o runc .
--- CGO_ENABLED=1 $(GO) build $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo cgo static_build" -installsuffix netgo -ldflags "-w -extldflags -static -X main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)" -o contrib/cmd/recvtty/recvtty ./contrib/cmd/recvtty
-
- release:
- script/release.sh -r release/$(VERSION) -v $(VERSION)
diff --git a/external/meta-virtualization/recipes-containers/runc/runc-docker/0001-runc-docker-SIGUSR1-daemonize.patch b/external/meta-virtualization/recipes-containers/runc/runc-docker/0001-runc-docker-SIGUSR1-daemonize.patch
index 9ccbccb2..0af74952 100644
--- a/external/meta-virtualization/recipes-containers/runc/runc-docker/0001-runc-docker-SIGUSR1-daemonize.patch
+++ b/external/meta-virtualization/recipes-containers/runc/runc-docker/0001-runc-docker-SIGUSR1-daemonize.patch
@@ -51,14 +51,13 @@ Index: git/src/import/signals.go
pid1, err := process.Pid()
if err != nil {
-@@ -68,12 +66,61 @@
+@@ -68,11 +66,60 @@
if h.notifySocket != nil {
if detach {
h.notifySocket.run(pid1)
- return 0, nil
- } else {
- go h.notifySocket.run(0)
}
+ go h.notifySocket.run(0)
}
+ if (detach) {
@@ -118,7 +117,7 @@ Index: git/src/import/utils_linux.go
===================================================================
--- git.orig/src/import/utils_linux.go
+++ git/src/import/utils_linux.go
-@@ -338,7 +338,7 @@
+@@ -347,7 +347,7 @@
if err != nil {
r.terminate(process)
}
diff --git a/external/meta-virtualization/recipes-containers/runc/runc-docker_git.bb b/external/meta-virtualization/recipes-containers/runc/runc-docker_git.bb
index 02bda318..8d810d01 100644
--- a/external/meta-virtualization/recipes-containers/runc/runc-docker_git.bb
+++ b/external/meta-virtualization/recipes-containers/runc/runc-docker_git.bb
@@ -2,11 +2,12 @@ include runc.inc
# Note: this rev is before the required protocol field, update when all components
# have been updated to match.
-SRCREV_runc-docker = "6a2c15596845f6ff5182e2022f38a65e5dfa88eb"
+SRCREV_runc-docker = "425e105d5a03fabd737a126ad93d62a9eeede87f"
SRC_URI = "git://github.com/opencontainers/runc;nobranch=1;name=runc-docker \
file://0001-runc-Add-console-socket-dev-null.patch \
- file://0001-build-drop-recvtty-and-use-GOBUILDFLAGS.patch \
+ file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch \
file://0001-runc-docker-SIGUSR1-daemonize.patch \
+ file://0001-Only-allow-proc-mount-if-it-is-procfs.patch \
"
-RUNC_VERSION = "1.0.0-rc5"
+RUNC_VERSION = "1.0.0-rc8"
diff --git a/external/meta-virtualization/recipes-containers/runc/runc-opencontainers_git.bb b/external/meta-virtualization/recipes-containers/runc/runc-opencontainers_git.bb
index eaee8efa..3a7e7aaf 100644
--- a/external/meta-virtualization/recipes-containers/runc/runc-opencontainers_git.bb
+++ b/external/meta-virtualization/recipes-containers/runc/runc-opencontainers_git.bb
@@ -1,7 +1,9 @@
include runc.inc
-SRCREV = "6a2c15596845f6ff5182e2022f38a65e5dfa88eb"
+SRCREV = "652297c7c7e6c94e8d064ad5916c32891a6fd388"
SRC_URI = " \
git://github.com/opencontainers/runc;branch=master \
+ file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch \
+ file://0001-Only-allow-proc-mount-if-it-is-procfs.patch \
"
-RUNC_VERSION = "1.0.0-rc5"
+RUNC_VERSION = "1.0.0-rc8"
diff --git a/external/meta-virtualization/recipes-containers/runc/runc.inc b/external/meta-virtualization/recipes-containers/runc/runc.inc
index 6d11a6ef..41ea41be 100644
--- a/external/meta-virtualization/recipes-containers/runc/runc.inc
+++ b/external/meta-virtualization/recipes-containers/runc/runc.inc
@@ -14,10 +14,11 @@ inherit go
inherit goarch
inherit pkgconfig
-PACKAGECONFIG ??= ""
+PACKAGECONFIG ??= "static"
PACKAGECONFIG[seccomp] = "seccomp,,libseccomp"
+# This PACKAGECONFIG serves the purpose of whether building runc as static or not
+PACKAGECONFIG[static] = ""
-RRECOMMENDS_${PN} = "lxc docker"
PROVIDES += "virtual/runc"
RPROVIDES_${PN} = "virtual/runc"
@@ -55,7 +56,11 @@ do_compile() {
export CFLAGS=""
export LDFLAGS=""
- oe_runmake static
+ if ${@bb.utils.contains('PACKAGECONFIG', 'static', 'true', 'false', d)}; then
+ oe_runmake static
+ else
+ oe_runmake runc
+ fi
}
do_install() {
@@ -65,4 +70,3 @@ do_install() {
ln -sf runc ${D}/${bindir}/docker-runc
}
-INHIBIT_PACKAGE_STRIP = "1"
|
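Review bot: With `PACKAGECONFIG ??= "static"` the default do_compile now runs `oe_runmake static`, and the `static:` rule in the added Makefile patch still invokes `$(GO) build $(EXTRA_FLAGS) ...` without `$(GOBUILDFLAGS)`, so whatever the go class places in GOBUILDFLAGS (not visible in this commit) reaches only the non-default `runc` branch of the new if/else. Either the Makefile patch should add `$(GOBUILDFLAGS)` to the static rule as well, or a comment next to the if/else should state that the static build deliberately ignores the recipe's Go build flags. Dropping `INHIBIT_PACKAGE_STRIP = "1"` means the packaging step now strips the binary; the static rule already links with `-w`, so this is probably intended, but it changes what is shipped and deserves a line in the recipe. The new comment is hard to parse; suggest `# The 'static' PACKAGECONFIG selects whether runc is built as a static binary (default) or dynamically linked`.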