Package: runc / 1.0.0~rc93+ds1-5

Metadata

Package: runc
Version: 1.0.0~rc93+ds1-5
Patches format: 3.0 (quilt)

Patch series

0001 skip test hugetlb_test.go random failures on ppc64el.patch

libcontainer/cgroups/fs/hugetlb_test.go | 4 (+4, -0)
1 file changed, 4 insertions(+)

skip test: hugetlb_test.go, random failures on ppc64el, s390x

0002 skip privileged test TestFactoryNewTmpfs.patch

libcontainer/factory_linux_test.go | 1 (+1, -0)
1 file changed, 1 insertion(+)

skip privileged test: TestFactoryNewTmpfs

0003 fix gccgo.patch

libcontainer/stacktrace/capture.go | 21 (+12, -9)
libcontainer/stacktrace/capture_test.go | 4 (+2, -2)
libcontainer/stacktrace/frame.go | 15 (+5, -10)
3 files changed, 19 insertions(+), 21 deletions(-)

fix gccgo

0004 skip privileged test nsenter_test.go.patch

libcontainer/nsenter/nsenter_test.go | 2 (+2, -0)
1 file changed, 2 insertions(+)

skip privileged test: nsenter_test.go

0005 skip privileged test fs_test.go.patch

libcontainer/cgroups/fs/fs_test.go | 2 (+1, -1)
1 file changed, 1 insertion(+), 1 deletion(-)

skip privileged test: fs_test.go

0006 skip privileged test fscommon_test.go.patch

libcontainer/cgroups/fscommon/fscommon_test.go | 2 (+1, -1)
1 file changed, 1 insertion(+), 1 deletion(-)

skip privileged test: fscommon_test.go

0007 skip test cgroups_test.go fail when cgroups is not m.patch

libcontainer/cgroups/cgroups_test.go | 2 (+1, -1)
1 file changed, 1 insertion(+), 1 deletion(-)

skip test: cgroups_test.go, fail when cgroups is not mounted

0008 fix patchpbf test on 32 bit.patch

libcontainer/seccomp/patchbpf/enosys_linux_test.go | 17 (+10, -7)
1 file changed, 10 insertions(+), 7 deletions(-)

fix patchbpf test on 32-bit

0009 skip integration when no dev kmsg.patch

tests/integration/dev.bats | 4 (+4, -0)
1 file changed, 4 insertions(+)

skip integration when no /dev/kmsg

By default, a privileged lxc container doesn't have /dev/kmsg

0010 Ensure the seccomp pipe is being read while exportin.patch

libcontainer/seccomp/patchbpf/enosys_linux.go | 15 (+14, -1)
libcontainer/seccomp/patchbpf/enosys_linux_test.go | 20 (+20, -0)
2 files changed, 34 insertions(+), 1 deletion(-)

ensure the seccomp pipe is being read while exporting bpf

CVE 2021 30465/rc93 0001 libct newInitConfig nit.patch

libcontainer/container_linux.go | 7 (+4, -3)
1 file changed, 4 insertions(+), 3 deletions(-)

[PATCH 1/5] libct/newInitConfig: nit

Move the initialization of Console* fields as they are unconditional.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

CVE 2021 30465/rc93 0002 libct rootfs introduce and use mountConfig.patch

libcontainer/rootfs_linux.go | 42 (+26, -16)
1 file changed, 26 insertions(+), 16 deletions(-)

[PATCH 2/5] libct/rootfs: introduce and use mountConfig

The code is already passing three parameters around from
mountToRootfs to mountCgroupV* to mountToRootfs again.

I am about to add another parameter, so let's introduce and
use struct mountConfig to pass around.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

CVE 2021 30465/rc93 0003 libct rootfs mountCgroupV2 minor refactor.patch

libcontainer/rootfs_linux.go | 10 (+6, -4)
1 file changed, 6 insertions(+), 4 deletions(-)

[PATCH 3/5] libct/rootfs/mountCgroupV2: minor refactor

1. s/cgroupPath/dest/

2. don't hardcode /sys/fs/cgroup

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

CVE 2021 30465/rc93 0004 Fix cgroup2 mount for rootless case.patch

libcontainer/container_linux.go | 3 (+3, -0)
libcontainer/init_linux.go | 1 (+1, -0)
libcontainer/rootfs_linux.go | 28 (+21, -7)
libcontainer/specconv/example.go | 18 (+9, -9)
4 files changed, 34 insertions(+), 16 deletions(-)

[PATCH 4/5] Fix cgroup2 mount for rootless case

In case of rootless, cgroup2 mount is not possible (see [1] for more
details), so since commit 9c81440fb5a7 runc bind-mounts the whole
/sys/fs/cgroup into container.

Problem is, if cgroupns is enabled, /sys/fs/cgroup inside the container
is supposed to show the cgroup files for this cgroup, not the root one.

The fix is to pass through and use the cgroup path in case cgroup2
mount failed, cgroupns is enabled, and the path is non-empty.

Surely this requires the /sys/fs/cgroup mount in the spec, so modify
runc spec --rootless to keep it.

Before:

	$ ./runc run aaa
	# find /sys/fs/cgroup/ -type d
	/sys/fs/cgroup
	/sys/fs/cgroup/user.slice
	/sys/fs/cgroup/user.slice/user-1000.slice
	/sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service
	...
	# ls -l /sys/fs/cgroup/cgroup.controllers
	-r--r--r--    1 nobody   nogroup          0 Feb 24 02:22 /sys/fs/cgroup/cgroup.controllers
	# wc -w /sys/fs/cgroup/cgroup.procs
	142 /sys/fs/cgroup/cgroup.procs
	# cat /sys/fs/cgroup/memory.current
	cat: can't open '/sys/fs/cgroup/memory.current': No such file or directory

After:

	# find /sys/fs/cgroup/ -type d
	/sys/fs/cgroup/
	# ls -l /sys/fs/cgroup/cgroup.controllers
	-r--r--r--    1 root     root             0 Feb 24 02:43 /sys/fs/cgroup/cgroup.controllers
	# wc -w /sys/fs/cgroup/cgroup.procs
	2 /sys/fs/cgroup/cgroup.procs
	# cat /sys/fs/cgroup/memory.current
	577536

[1] https://github.com/opencontainers/runc/issues/2158

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

CVE 2021 30465/rc93 0005 rootfs add mount destination validation.patch

libcontainer/container_linux.go | 1 (+0, -1)
libcontainer/rootfs_linux.go | 251 (+124, -127)
libcontainer/utils/utils.go | 54 (+54, -0)
libcontainer/utils/utils_test.go | 35 (+35, -0)
4 files changed, 213 insertions(+), 128 deletions(-)

[PATCH 5/5] rootfs: add mount destination validation

Because the target of a mount is inside a container (which may be a
volume that is shared with another container), there exists a race
condition where the target of the mount may change to a path containing
a symlink after we have sanitised the path -- resulting in us
inadvertently mounting the path outside of the container.

This is not immediately useful because we are in a mount namespace with
MS_SLAVE mount propagation applied to "/", so we cannot mount on top of
host paths in the host namespace. However, if any subsequent mountpoints
in the configuration use a subdirectory of that host path as a source,
those subsequent mounts will use an attacker-controlled source path
(resolved within the host rootfs) -- allowing the bind-mounting of "/"
into the container.

While arguably configuration issues like this are not entirely within
runc's threat model, within the context of Kubernetes (and possibly
other container managers that provide semi-arbitrary container creation
privileges to untrusted users) this is a legitimate issue. Since we
cannot block mounting from the host into the container, we need to block
the first stage of this attack (mounting onto a path outside the
container).

The long-term plan to solve this would be to migrate to libpathrs, but
as a stop-gap we implement libpathrs-like path verification through
readlink(/proc/self/fd/$n) and then do mount operations through the
procfd once it's been verified to be inside the container. The target
could move after we've checked it, but if it is inside the container
then we can assume that it is safe for the same reason that libpathrs
operations would be safe.

A slight wrinkle is the "copyup" functionality we provide for tmpfs,
which is the only case where we want to do a mount on the host
filesystem. To facilitate this, I split out the copy-up functionality
entirely so that the logic isn't interspersed with the regular tmpfs
logic. In addition, all dependencies on m.Destination being overwritten
have been removed since that pattern was just begging to be a source of
more mount-target bugs (we do still have to modify m.Destination for
tmpfs-copyup but we only do it temporarily).

Fixes: CVE-2021-30465
Reported-by: Etienne Champetier <champetier.etienne@gmail.com>
Co-authored-by: Noah Meyerhans <nmeyerha@amazon.com>