diff --git a/.gitignore b/.gitignore
index 0607064..b6a8154 100644
--- a/.gitignore
+++ b/.gitignore
@@ -598,3 +598,17 @@
 /buildah-8f63761.tar.gz
 /buildah-885e9c1.tar.gz
 /buildah-9eb048a.tar.gz
+/v1.20.0.tar.gz
+/v1.20.1.tar.gz
+/v1.21.0.tar.gz
+/v1.21.1.tar.gz
+/buildah-8d08247.tar.gz
+/v1.21.2.tar.gz
+/buildah-ec35bc4.tar.gz
+/v1.21.3.tar.gz
+/v1.21.4.tar.gz
+/v1.22.0.tar.gz
+/v1.22.3.tar.gz
+/v1.23.0.tar.gz
+/v1.23.1.tar.gz
+/v1.23.3.tar.gz
diff --git a/CVE-2022-27651-1.patch b/CVE-2022-27651-1.patch
new file mode 100644
index 0000000..ee07d9d
--- /dev/null
+++ b/CVE-2022-27651-1.patch
@@ -0,0 +1,58 @@
+From d16cb975d83acb5a30d3a4c3e2ef78b8070c6a7b Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano
+Date: Mon, 28 Feb 2022 10:38:48 +0100
+Subject: [PATCH 1/2] do not set the inheritable capabilities
+
+The kernel never sets the inheritable capabilities for a process, they
+are only set by userspace. Emulate the same behavior.
+
+Closes: CVE-2022-27651
+
+Signed-off-by: Giuseppe Scrivano
+(cherry picked from commit e7e55c988c05dd74005184ceb64f097a0cfe645b)
+Signed-off-by: Lokesh Mandvekar
+---
+ chroot/run.go | 2 +-
+ run_linux.go | 6 ------
+ 2 files changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/chroot/run.go b/chroot/run.go
+index e6f28e81..5634240a 100644
+--- a/chroot/run.go
++++ b/chroot/run.go
+@@ -894,7 +894,7 @@ func setCapabilities(spec *specs.Spec, keepCaps ...string) error {
+ capMap := map[capability.CapType][]string{
+ capability.BOUNDING: spec.Process.Capabilities.Bounding,
+ capability.EFFECTIVE: spec.Process.Capabilities.Effective,
+- capability.INHERITABLE: spec.Process.Capabilities.Inheritable,
++ capability.INHERITABLE: []string{},
+ capability.PERMITTED: spec.Process.Capabilities.Permitted,
+ capability.AMBIENT: spec.Process.Capabilities.Ambient,
+ }
+diff --git a/run_linux.go b/run_linux.go
+index 113c83ef..5905d888 100644
+--- a/run_linux.go
++++ b/run_linux.go
+@@ -1935,9 +1935,6 @@ func setupCapAdd(g *generate.Generator, caps ...string) error {
+ if err := g.AddProcessCapabilityEffective(cap); err != nil {
+ return errors.Wrapf(err, "error adding %q to the effective capability set", cap)
+ }
+- if err := g.AddProcessCapabilityInheritable(cap); err != nil {
+- return errors.Wrapf(err, "error adding %q to the inheritable capability set", cap)
+- }
+ if err := g.AddProcessCapabilityPermitted(cap); err != nil {
+ return errors.Wrapf(err, "error adding %q to the permitted capability set", cap)
+ }
+@@ -1956,9 +1953,6 @@ func setupCapDrop(g *generate.Generator, caps ...string) error {
+ if err := g.DropProcessCapabilityEffective(cap); err != nil {
+ return errors.Wrapf(err, "error removing %q from the effective capability set", cap)
+ }
+- if err := g.DropProcessCapabilityInheritable(cap); err != nil {
+- return errors.Wrapf(err, "error removing %q from the inheritable capability set", cap)
+- }
+ if err := g.DropProcessCapabilityPermitted(cap); err != nil {
+ return errors.Wrapf(err, "error removing %q from the permitted capability set", cap)
+ }
+--
+2.35.1
+
diff --git a/CVE-2022-27651-2.patch b/CVE-2022-27651-2.patch
new file mode 100644
index 0000000..9de16d6
--- /dev/null
+++ b/CVE-2022-27651-2.patch
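Review bot: In the `chroot/run.go` hunk, `capability.INHERITABLE` becomes an empty set while `capability.AMBIENT` is still filled from `spec.Process.Capabilities.Ambient`; the kernel only lets a capability be raised into the ambient set when it is also present in the permitted and inheritable sets, so if a spec ever carries ambient capabilities the apply step would presumably fail (the part of `setCapabilities` that applies `capMap` lies outside the hunk, so this cannot be confirmed here). Nothing in the code says why the literal is empty; a comment on the `++` line would stop a later maintainer from "fixing" it back, e.g. `capability.INHERITABLE: []string{}, // deliberately empty: the kernel never populates the inheritable set on its own (CVE-2022-27651)`. The two `run_linux.go` hunks drop the inheritable add/drop symmetrically, which is consistent with that choice; both enclosing functions continue outside their hunks. As this is a cherry-picked upstream commit, the comment belongs in a follow-up rather than in the backport patch itself.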
@@ -0,0 +1,54 @@
+From d190df39916fcb559798d0fc0ade6307ebe5f4cd Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai
+Date: Thu, 24 Mar 2022 16:32:47 -0400
+Subject: [PATCH 2/2] Add a test for CVE-2022-27651
+
+Check that the inheritable capabilities are set to 0, even when we
+explicitly try to add capabilities.
+
+Signed-off-by: Nalin Dahyabhai
+(cherry picked from commit 90b3254c7404039c1c786999ac189654228f6e0e)
+Signed-off-by: Lokesh Mandvekar
+---
+ tests/run.bats | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+diff --git a/tests/run.bats b/tests/run.bats
+index 6044d673..c974018c 100644
+--- a/tests/run.bats
++++ b/tests/run.bats
+@@ -687,3 +687,31 @@ _EOF
+ uncolored="$output"
+ [ "$colored" != "$uncolored" ]
+ }
++
++@test "rootless on cgroupv2 and systemd runs under user.slice" {
++ skip_if_no_runtime
++ skip_if_cgroupsv1
++ skip_if_in_container
++ if test "$DBUS_SESSION_BUS_ADDRESS" = ""; then
++ skip "${1:-test does not work when \$BUILDAH_ISOLATION = chroot}"
++ fi
++ _prefetch alpine
++
++ run_buildah from --quiet --pull=false --signature-policy ${TESTSDIR}/policy.json alpine
++ cid=$output
++ run_buildah run --cgroupns=host $cid cat /proc/self/cgroup
++ expect_output --substring "/user.slice/"
++}
++
++@test "run-inheritable-capabilities" {
++ skip_if_no_runtime
++
++ _prefetch alpine
++
++ run_buildah from --quiet --pull=false --signature-policy ${TESTSDIR}/policy.json alpine
++ cid=$output
++ run_buildah run $cid grep ^CapInh: /proc/self/status
++ expect_output "CapInh: 0000000000000000"
++ run_buildah run --cap-add=ALL $cid grep ^CapInh: /proc/self/status
++ expect_output "CapInh: 0000000000000000"
++}
+--
+2.35.1
+
diff --git a/buildah.spec b/buildah.spec
index 461d17d..16ec325 100644
--- a/buildah.spec
+++ b/buildah.spec
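Review bot: In the added `rootless on cgroupv2 and systemd runs under user.slice` test, the skip message `skip "${1:-test does not work when \$BUILDAH_ISOLATION = chroot}"` does not describe the condition it sits under, which only checks for an empty `DBUS_SESSION_BUS_ADDRESS`; `skip "test requires a D-Bus session bus (DBUS_SESSION_BUS_ADDRESS is unset)"` would report what actually happened. That test is unrelated to CVE-2022-27651 and rides along with the cherry-pick, so it is worth confirming it was meant to be backported. The `run-inheritable-capabilities` test reads `CapInh` under whatever isolation `run_buildah` defaults to in the test environment, so whether the `chroot/run.go` change from the first patch is exercised depends on `BUILDAH_ISOLATION` there; a one-line comment in the test stating which isolation modes it is expected to cover would make that explicit.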
@@ -24,24 +24,26 @@
 # https://github.com/containers/buildah
 %global import_path %{provider}.%{provider_tld}/%{project}/%{repo}
 %global git0 https://%{import_path}
-%global commit0 9eb048a8b3c02fd5e946a01d72a4facf6c1700bc
-%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
+# To build random commit
+#%%global commit0 baba8de3ddad18bb6eb7abd6d17972c8403f8f25
 
-# Used for comparing with latest upstream tag
-# to decide whether to autobuild (non-rawhide only)
-%define built_tag v1.19.4
-%define built_tag_strip %(b=%{built_tag}; echo ${b:1})
-%define download_url https://%{import_path}/archive/%{built_tag}.tar.gz
+%global built_tag v1.23.3
+%global built_tag_strip %(b=%{built_tag}; echo ${b:1})
 
 Name: %{repo}
-Version: 1.20.0
-Release: 0.19.dev.git%{shortcommit0}%{?dist}
+Version: 1.23.3
+Release: 1%{?dist}
 Summary: A command line tool used for creating OCI Images
 License: ASL 2.0
 URL: https://%{name}.io
-Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
+Source0: %{git0}/archive/%{built_tag}.tar.gz
+Patch0: CVE-2022-27651-1.patch
+Patch1: CVE-2022-27651-2.patch
+# To build random commit
+#Source0: %%{git0}/archive/%%{commit0}.tar.gz
 BuildRequires: device-mapper-devel
-BuildRequires: golang
+BuildRequires: golang >= 1.16.6
+BuildRequires: go-rpm-macros
 BuildRequires: git
 BuildRequires: glib2-devel
 BuildRequires: glibc-static
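Review bot: The new `BuildRequires: golang >= 1.16.6` floor is not explained in the hunk, and the `# Used for comparing with latest upstream tag` comment that documented `built_tag` is removed even though `built_tag` now drives `Source0` here and, in the `%prep` hunk further down, the `%autosetup -n` directory name; a comment at `%global built_tag v1.23.3` such as `# built_tag selects Source0 and, via built_tag_strip, the %autosetup source directory` would keep that knowledge in the file. The commented-out `#%%global commit0 baba8de3…` and `#Source0: %%{git0}/…` lines, each under its own `# To build random commit` stub, are dead configuration split across two places; if they are meant as a documented procedure, one comment naming all the lines to flip is clearer than two stubs. `Patch0` and `Patch1` are picked up by `%autosetup` in order, so nothing else is needed for the CVE fix to be applied.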
@@ -49,30 +51,14 @@ BuildRequires: go-md2man
 BuildRequires: gpgme-devel
 BuildRequires: libassuan-devel
 BuildRequires: make
-Requires: containers-common
-Requires: oci-runtime >= 2
-# No ostree for centos 7
-%if 0%{?fedora} || 0%{?centos} >= 8
 BuildRequires: ostree-devel
-%endif
-# No btrfs for centos 8
-%if 0%{?fedora} || 0%{?centos} <= 7 && ! 0%{?eln}
-BuildRequires: btrfs-progs-devel
-%endif
-%if 0%{?fedora}
 BuildRequires: libseccomp-static
+Requires: containers-common >= 4:1-20
 Requires: libseccomp >= 2.4.1-0
-Recommends: crun >= 0.17.1-1
-Recommends: container-selinux
-Recommends: slirp4netns >= 0.3-0
-Recommends: fuse-overlayfs
 Suggests: cpp
-%else
-BuildRequires: libseccomp-devel
-Requires: crun >= 0.17.1-1
-Requires: libseccomp
-Requires: container-selinux
-Requires: slirp4netns >= 0.3-0
+# No btrfs for centos 8
+%if 0%{?fedora}
+BuildRequires: btrfs-progs-devel
 %endif
 
 %description
@@ -95,6 +81,7 @@ Requires: golang
 Requires: jq
 Requires: httpd-tools
 Requires: openssl
+Requires: nmap-ncat
 
 %description tests
 %{summary}
@@ -102,7 +89,8 @@ Requires: openssl
 This package contains system tests for %{name}
 
 %prep
-%autosetup -Sgit -n %{name}-%{commit0}
+%autosetup -Sgit -n %{name}-%{built_tag_strip}
+#%%autosetup -Sgit -n %%{name}-%%{commit0}
 sed -i 's/GOMD2MAN =/GOMD2MAN ?=/' docs/Makefile
 sed -i '/docs install/d' Makefile
 
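Review bot: The first hunk removes every runtime-side dependency (`Requires: oci-runtime >= 2`, `Requires: crun >= 0.17.1-1`, `Requires: container-selinux`, `Requires: slirp4netns >= 0.3-0` and the Fedora `Recommends` block) and the only new runtime requirement is `Requires: containers-common >= 4:1-20`; unless that package pulls in an OCI runtime and the SELinux policy, a plain install could land a `buildah` binary with nothing able to back `buildah run`. If containers-common is meant to carry them, say so next to the new line, e.g. `# OCI runtime, container-selinux and slirp4netns are pulled in by containers-common`, so the next reviewer does not re-add them. The `%if 0%{?fedora}` / `%else` split is gone as well, so `BuildRequires: libseccomp-static` is now unconditional and the spec presumably no longer builds on targets that only ship `libseccomp-devel`; the `# No btrfs for centos 8` comment now sits above a Fedora-only condition, which still reads correctly but is worth re-reading when the `%if` changes again.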
@@ -118,13 +106,13 @@ mv vendor src
 export GOPATH=$(pwd)/_build:$(pwd)
 export CGO_CFLAGS="-O2 -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -ffat-lto-objects -fexceptions -fasynchronous-unwind-tables -fstack-protector-strong -fstack-clash-protection -D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64"
 %ifarch x86_64
-export CGO_CFLAGS="$CGO_CFLAGS -m64 -mtune=generic"
-%if 0%{?fedora} || 0%{?centos} >= 8
-export CGO_CFLAGS="$CGO_CFLAGS -fcf-protection"
-%endif
+export CGO_CFLAGS+=" -m64 -mtune=generic -fcf-protection=full"
 %endif
 # These extra flags present in %%{optflags} have been skipped for now as they break the build
-#export CGO_CFLAGS="$CGO_CFLAGS -flto=auto -Wp,D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1"
+#export CGO_CFLAGS+=" -flto=auto -Wp,D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1"
+
+export CNI_VERSION=`grep '^# github.com/containernetworking/cni ' src/modules.txt | sed 's,.* ,,'`
+export LDFLAGS="-X main.buildInfo=`date +%s` -X main.cniVersion=${CNI_VERSION}"
 
 export BUILDTAGS='seccomp selinux'
 %if 0%{?centos} >= 8
@@ -132,6 +120,7 @@ export BUILDTAGS+=' exclude_graphdriver_btrfs'
 %endif
 %gobuild -o bin/%{name} %{import_path}/cmd/%{name}
 %gobuild -o bin/imgtype %{import_path}/tests/imgtype
+%gobuild -o bin/copy %{import_path}/tests/copy
 GOMD2MAN=go-md2man %{__make} -C docs
 
 %install
@@ -142,6 +131,7 @@ make DESTDIR=%{buildroot} PREFIX=%{_prefix} -C docs install
 install -d -p %{buildroot}/%{_datadir}/%{name}/test/system
 cp -pav tests/. %{buildroot}/%{_datadir}/%{name}/test/system
 cp bin/imgtype %{buildroot}/%{_bindir}/%{name}-imgtype
+cp bin/copy %{buildroot}/%{_bindir}/%{name}-copy
 
 #define license tag if not already defined
 %{!?_licensedir:%global license %doc}
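Review bot: The new `export LDFLAGS="-X main.buildInfo=`date +%s` …"` line bakes the wall-clock build time into the binary, so two builds of the same source and patches yield different executables and the package can no longer be verified as reproducible; honouring the build system's `SOURCE_DATE_EPOCH` when it is set keeps the "correct build date" fix from the changelog while staying reproducible: `export LDFLAGS="-X main.buildInfo=${SOURCE_DATE_EPOCH:-$(date +%s)} -X main.cniVersion=${CNI_VERSION}"`. The `CNI_VERSION` grep over `src/modules.txt` silently yields an empty string if the module line is absent, leaving `main.cniVersion` unset; if that is acceptable, a short comment saying so would avoid a later "why is the CNI version blank" hunt. `-fcf-protection=full` is now applied on every x86_64 build where it was previously gated on Fedora or CentOS 8+, which is consistent with the removal of the non-Fedora branch elsewhere in the spec but should be noted in the changelog if older targets are still built.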
@@ -158,9 +148,75 @@ cp bin/imgtype %{buildroot}/%{_bindir}/%{name}-imgtype
 %files tests
 %license LICENSE
 %{_bindir}/%{name}-imgtype
+%{_bindir}/%{name}-copy
 %{_datadir}/%{name}/test
 
 %changelog
+* Wed Mar 30 2022 Lokesh Mandvekar - 1.23.3-1
+- Resolves: #2066840,#2070114 - Security fix for CVE-2022-27651
+
+* Tue Sep 28 2021 RH Container Bot - 1.23.1-1
+- autobuilt v1.23.1
+
+* Tue Sep 14 2021 RH Container Bot - 1.23.0-1
+- autobuilt v1.23.0
+
+* Wed Aug 25 2021 RH Container Bot - 1.22.3-1
+- autobuilt v1.22.3
+
+* Thu Aug 05 2021 RH Container Bot - 1.22.0-1
+- autobuilt v1.22.0
+
+* Thu Aug 05 2021 Lokesh Mandvekar - 1.22.0-2
+- Resolves: #1974086 - correct build date in buildah version
+
+* Tue Aug 03 2021 RH Container Bot - 1.22.0-1
+- autobuilt v1.22.0
+
+* Mon Aug 02 2021 Lokesh Mandvekar - 1.21.4-5
+- Resolves: #1983596, #1987738 - Security fix for CVE-2021-34558
+
+* Fri Jul 23 2021 Lokesh Mandvekar - 1.21.4-4
+- ensure consistent version-release and changelog
+
+* Fri Jul 23 2021 Lokesh Mandvekar - 1.21.4-1
+- bump to v1.21.4
+- fix gating test issues
+
+* Thu Jul 22 2021 Lokesh Mandvekar - 1.21.3-3
+- try fix for copy-release
+
+* Thu Jul 22 2021 Eduardo Santiago - 1.21.3-2
+- Try to deal with new buildah-copy-helper nightmare
+
+* Fri Jul 16 2021 Lokesh Mandvekar - 1.21.3-1
+- Resolves: #1969264, #1982880 - Security fix for CVE-2021-3602
+- bump to v1.21.3
+
+* Wed Jun 30 2021 Lokesh Mandvekar - 1.21.2-1
+- bump to v1.21.2
+
+* Tue Jun 08 2021 RH Container Bot - 1.21.1-1
+- autobuilt v1.21.1
+
+* Fri May 21 2021 RH Container Bot - 1.21.0-1
+- autobuilt v1.21.0
+
+* Thu Apr 22 2021 Lokesh Mandvekar - 1.20.1-4
+- fix gating tests
+
+* Tue Apr 20 2021 Lokesh Mandvekar - 1.20.1-3
+- adjust deps and stay ahead of f33
+
+* Fri Apr 16 2021 Lokesh Mandvekar - 1.20.1-2
+- rebuild for buildah-tests
+
+* Wed Apr 14 2021 RH Container Bot - 1.20.1-1
+- autobuilt v1.20.1
+
+* Mon Mar 29 2021 Lokesh Mandvekar - 1.20.0-1
+- bump to v1.20.0
+
 * Tue Feb 09 2021 RH Container Bot - 1.20.0-0.19.dev.git9eb048a
 - autobuilt 9eb048a
 
diff --git a/sources b/sources
index c97215f..feed550 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (buildah-9eb048a.tar.gz) = 15318f699a3591d31db19e7254b28c69af459f8215a9f05dd065cee8dead68642e0837de78f11826278b293443bf15840c0730f1a0422835853aff0a04516848
+SHA512 (v1.23.3.tar.gz) = c3f42d580bafd5a359709d65ae41376ab83e4fa59fcfb4e2522e13f8ae343997512aece0691326b689250a13498c91f3d9a5043a761608c2f2ea6d9a77568399
diff --git a/tests/test_buildah.sh b/tests/test_buildah.sh
index 13ac761..663319d 100755
--- a/tests/test_buildah.sh
+++ b/tests/test_buildah.sh
@@ -13,13 +13,14 @@ env | grep -v LS_COLORS= | sort | sed -e 's/^/ /'
 
 export BUILDAH_BINARY=/usr/bin/buildah
 export IMGTYPE_BINARY=/usr/bin/buildah-imgtype
+export COPY_BINARY=/usr/bin/buildah-copy
 
 ###############################################################################
 # BEGIN setup/teardown
 
 # Start a registry
 pre_bats_setup() {
- REGISTRY_FQIN=docker.io/library/registry:2
+ REGISTRY_FQIN=quay.io/libpod/registry:2
 AUTHDIR=/tmp/buildah-tests-auth.$$
 mkdir -p $AUTHDIR