commit 2f512db245a05e322795e94025fa78ed13bd0bd3 Author: Matt Housh <jaeger@crux.ninja> Date: Sun Jun 2 17:44:06 2019 -0500 runc: updated to version 2b18fe1 diff --git a/runc/.signature b/runc/.signature index 92e74db1..462fcf61 100644 --- a/runc/.signature +++ b/runc/.signature @@ -1,7 +1,6 @@ untrusted comment: verify with /etc/ports/contrib.pub -RWSagIOpLGJF34MdvU/RaYEsNKz1flNyFoNCaBDhZXX/lme4RNZNOWf3G/LDwkXpfkTIZkD2nhkuDOcMI8qTHFcx1rMviAVjwwM= -SHA256 (Pkgfile) = 13bf9f471802924b68028d1bee0424944ea79a3a428b5aca4a590995307523e7 +RWSagIOpLGJF35eA3b3MAbVIYqDvqWE1WT07WANLscwpmK89QxqG0KeCIbVRxYRAz1KaG556VOPy4vd8kn6I66FqQgVITEwvxww= +SHA256 (Pkgfile) = 0aaa52b09c65852e5c03862d3c3b2225a4624f5940f7ec9cd1dac697dd1c8799 SHA256 (.footprint) = f033b7c8e0449cbdaee2cceaebd87cad55400663407bf395f8ed5c22db96c300 -SHA256 (runc-96ec217.tar.xz) = 4b0f7fdad9e4ed743cc8fdff97683b92e3338a49e036ba653c0ebdd037360b3a -SHA256 (runc-man-pages-96ec217.tar.xz) = 71ba39bb01780056d3272641ed4187ef54a5bdbdb64e51e4aeb63f95a7ebad57 -SHA256 (0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch) = 61857fc05e149aecb517b8c59518c866b25ac2ca79707f1daf4a233859fa9859 +SHA256 (runc-2b18fe1.tar.xz) = c6d3b0e231ca003758010fcf636fdaea2460da9f3221b859744769e93c3052f9 +SHA256 (runc-man-pages-2b18fe1.tar.xz) = d4e635faff6a6b3b915baa4c02be32c1949e2d54221d6bf1c244c7eca3e787d5 diff --git a/runc/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch b/runc/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch deleted file mode 100644 index 4e087ab0..00000000 --- a/runc/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch +++ /dev/null @@ -1,303 +0,0 @@ -From 604a8f8120ef128c0a5bc778e71909eeb0906842 Mon Sep 17 00:00:00 2001 -From: Aleksa Sarai <asarai () suse de> -Date: Wed, 9 Jan 2019 13:40:01 +1100 -Subject: [PATCH] nsenter: clone /proc/self/exe to avoid exposing host binary - to container - -There are quite a few circumstances where /proc/self/exe pointing to a -pretty important container binary is a _bad_ thing, so to avoid this we -have to make a copy (preferably doing self-clean-up and not being -writeable). - -As a hotfix we require memfd_create(2), but we can always extend this to -use a scratch MNT_DETACH overlayfs or tmpfs. The main downside to this -approach is no page-cache sharing for the runc binary (which overlayfs -would give us) but this is far less complicated. - -This is only done during nsenter so that it happens transparently to the -Go code, and any libcontainer users benefit from it. This also makes -ExtraFiles and --preserve-fds handling trivial (because we don't need to -worry about it). - -Fixes: CVE-2019-5736 -Signed-off-by: Aleksa Sarai <asarai () suse de> ---- - libcontainer/nsenter/cloned_binary.c | 236 +++++++++++++++++++++++++++ - libcontainer/nsenter/nsexec.c | 11 ++ - 2 files changed, 247 insertions(+) - create mode 100644 libcontainer/nsenter/cloned_binary.c - -diff --git a/libcontainer/nsenter/cloned_binary.c b/libcontainer/nsenter/cloned_binary.c -new file mode 100644 -index 000000000000..ec383c173dd2 ---- /dev/null -+++ b/libcontainer/nsenter/cloned_binary.c -@@ -0,0 +1,236 @@ -+#define _GNU_SOURCE -+#include <unistd.h> -+#include <stdio.h> -+#include <stdlib.h> -+#include <stdbool.h> -+#include <string.h> -+#include <limits.h> -+#include <fcntl.h> -+ -+#include <sys/types.h> -+#include <sys/stat.h> -+#include <sys/vfs.h> -+#include <sys/mman.h> -+#include <sys/sendfile.h> -+#include <sys/syscall.h> -+ -+#include <linux/magic.h> -+#include <linux/memfd.h> -+ -+#define MEMFD_COMMENT "runc_cloned:/proc/self/exe" -+#define MEMFD_LNKNAME "/memfd:" MEMFD_COMMENT " (deleted)" -+ -+/* Use our own wrapper for memfd_create. */ -+#if !defined(SYS_memfd_create) && defined(__NR_memfd_create) -+# define SYS_memfd_create __NR_memfd_create -+#endif -+#ifndef SYS_memfd_create -+# error "memfd_create(2) syscall not supported by this glibc version" -+#endif -+int memfd_create(const char *name, unsigned int flags) -+{ -+ return syscall(SYS_memfd_create, name, flags); -+} -+ -+/* This comes directly from <linux/fcntl.h>. */ -+#ifndef F_LINUX_SPECIFIC_BASE -+# define F_LINUX_SPECIFIC_BASE 1024 -+#endif -+#ifndef F_ADD_SEALS -+# define F_ADD_SEALS (F_LINUX_SPECIFIC_BASE + 9) -+# define F_GET_SEALS (F_LINUX_SPECIFIC_BASE + 10) -+#endif -+#ifndef F_SEAL_SEAL -+# define F_SEAL_SEAL 0x0001 /* prevent further seals from being set */ -+# define F_SEAL_SHRINK 0x0002 /* prevent file from shrinking */ -+# define F_SEAL_GROW 0x0004 /* prevent file from growing */ -+# define F_SEAL_WRITE 0x0008 /* prevent writes */ -+#endif -+ -+/* -+ * Verify whether we are currently in a self-cloned program. It's not really -+ * possible to trivially identify a memfd compared to a regular tmpfs file, so -+ * the best we can do is to check whether the readlink(2) looks okay and that -+ * it is on a tmpfs. -+ */ -+static int is_self_cloned(void) -+{ -+ struct statfs statfsbuf = {0}; -+ char linkname[PATH_MAX + 1] = {0}; -+ -+ if (statfs("/proc/self/exe", &statfsbuf) < 0) -+ return -1; -+ if (readlink("/proc/self/exe", linkname, PATH_MAX) < 0) -+ return -1; -+ -+ return statfsbuf.f_type == TMPFS_MAGIC && -+ !strncmp(linkname, MEMFD_LNKNAME, PATH_MAX); -+} -+ -+/* -+ * Basic wrapper around mmap(2) that gives you the file length so you can -+ * safely treat it as an ordinary buffer. Only gives you read access. -+ */ -+static char *read_file(char *path, size_t *length) -+{ -+ int fd; -+ char buf[4096], *copy = NULL; -+ -+ if (!length) -+ goto err; -+ *length = 0; -+ -+ fd = open(path, O_RDONLY|O_CLOEXEC); -+ if (fd < 0) -+ goto err_free; -+ -+ for (;;) { -+ int n; -+ char *old = copy; -+ -+ n = read(fd, buf, sizeof(buf)); -+ if (n < 0) -+ goto err_fd; -+ if (!n) -+ break; -+ -+ do { -+ copy = realloc(old, (*length + n) * sizeof(*old)); -+ } while(!copy); -+ -+ memcpy(copy + *length, buf, n); -+ *length += n; -+ } -+ close(fd); -+ return copy; -+ -+err_fd: -+ close(fd); -+err_free: -+ free(copy); -+err: -+ return NULL; -+} -+ -+/* -+ * A poor-man's version of "xargs -0". Basically parses a given block of -+ * NUL-delimited data, within the given length and adds a pointer to each entry -+ * to the array of pointers. -+ */ -+static int parse_xargs(char *data, int data_length, char ***output) -+{ -+ int num = 0; -+ char *cur = data; -+ -+ if (!data || *output) -+ return -1; -+ -+ do { -+ *output = malloc(sizeof(**output)); -+ } while (!*output); -+ -+ while (cur < data + data_length) { -+ char **old = *output; -+ -+ num++; -+ do { -+ *output = realloc(old, (num + 1) * sizeof(*old)); -+ } while (!*output); -+ -+ (*output)[num - 1] = cur; -+ cur += strlen(cur) + 1; -+ } -+ (*output)[num] = NULL; -+ return num; -+} -+ -+/* -+ * "Parse" out argv and envp from /proc/self/cmdline and /proc/self/environ. -+ * This is necessary because we are running in a context where we don't have a -+ * main() that we can just get the arguments from. -+ */ -+static int fetchve(char ***argv, char ***envp) -+{ -+ char *cmdline, *environ; -+ size_t cmdline_size, environ_size; -+ -+ cmdline = read_file("/proc/self/cmdline", &cmdline_size); -+ if (!cmdline) -+ goto err; -+ environ = read_file("/proc/self/environ", &environ_size); -+ if (!environ) -+ goto err_free; -+ -+ if (parse_xargs(cmdline, cmdline_size, argv) <= 0) -+ goto err_free_both; -+ if (parse_xargs(environ, environ_size, envp) <= 0) -+ goto err_free_both; -+ -+ return 0; -+ -+err_free_both: -+ free(environ); -+err_free: -+ free(cmdline); -+err: -+ return -1; -+} -+ -+static int clone_binary(void) -+{ -+ int binfd, memfd, err; -+ ssize_t sent = 0; -+ struct stat statbuf = {0}; -+ -+ binfd = open("/proc/self/exe", O_RDONLY|O_CLOEXEC); -+ if (binfd < 0) -+ goto err; -+ if (fstat(binfd, &statbuf) < 0) -+ goto err_binfd; -+ -+ memfd = memfd_create(MEMFD_COMMENT, MFD_CLOEXEC|MFD_ALLOW_SEALING); -+ if (memfd < 0) -+ goto err_binfd; -+ -+ while (sent < statbuf.st_size) { -+ ssize_t n = sendfile(memfd, binfd, NULL, statbuf.st_size - sent); -+ if (n < 0) -+ goto err_memfd; -+ sent += n; -+ } -+ -+ err = fcntl(memfd, F_ADD_SEALS, F_SEAL_SHRINK|F_SEAL_GROW|F_SEAL_WRITE|F_SEAL_SEAL); -+ if (err < 0) -+ goto err_memfd; -+ -+ close(binfd); -+ return memfd; -+ -+err_memfd: -+ close(memfd); -+err_binfd: -+ close(binfd); -+err: -+ return -1; -+} -+ -+int ensure_cloned_binary(void) -+{ -+ int execfd; -+ char **argv = NULL, **envp = NULL; -+ -+ /* Check that we're not self-cloned, and if we are then bail. */ -+ int cloned = is_self_cloned(); -+ if (cloned != 0) -+ return cloned; -+ -+ if (fetchve(&argv, &envp) < 0) -+ return -1; -+ -+ execfd = clone_binary(); -+ if (execfd < 0) -+ return -1; -+ -+ fexecve(execfd, argv, envp); -+ return -1; -+} -diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c -index 28269dfc027f..4fdfec1b7b89 100644 ---- a/libcontainer/nsenter/nsexec.c -+++ b/libcontainer/nsenter/nsexec.c -@@ -534,6 +534,9 @@ void join_namespaces(char *nslist) - free(namespaces); - } - -+/* Defined in cloned_binary.c. */ -+int ensure_cloned_binary(void); -+ - void nsexec(void) - { - int pipenum; -@@ -549,6 +552,14 @@ void nsexec(void) - if (pipenum == -1) - return; - -+ /* -+ * We need to re-exec if we are not in a cloned binary. This is necessary -+ * to ensure that containers won't be able to access the host binary -+ * through /proc/self/exe. See CVE-2019-5736. -+ */ -+ if (ensure_cloned_binary() < 0) -+ bail("could not ensure we are a cloned binary"); -+ - /* Parse all of the netlink configuration. */ - nl_parse(pipenum, &config); - --- -2.20.1 - diff --git a/runc/Pkgfile b/runc/Pkgfile index dab8ab62..f6ef1ff0 100644 --- a/runc/Pkgfile +++ b/runc/Pkgfile @@ -4,22 +4,20 @@ # Depends on: go libseccomp git name=runc -version=96ec217 +version=2b18fe1 release=2 source=(http://jaeger.morpheus.net/linux/crux/files/$name-$version.tar.xz \ - http://jaeger.morpheus.net/linux/crux/files/$name-man-pages-$version.tar.xz \ - 0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch) + http://jaeger.morpheus.net/linux/crux/files/$name-man-pages-$version.tar.xz) build() { mkdir -pv src/github.com/opencontainers cd src/github.com/opencontainers ln -sf $SRC/$name-$version $name cd $name - patch -p1 -i $SRC/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch export GOPATH=$SRC export BUILDTAGS="seccomp" # use the long commit hash here - make COMMIT=96ec2177ae841256168fcf76954f7177af9446eb + make COMMIT=2b18fe1d885ee5083ef9f0838fee39b62d653e30 install -D -m 0755 $name $PKG/usr/bin/$name install -d -m 0755 $PKG/usr/share/man/man8