Resolves: #2066840,#2070114 - Security fix for CVE-2022-27651

Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>

.fmf/version

@@ -1 +0,0 @@
-1

.gitignore

@@ -598,140 +598,17 @@
 /buildah-8f63761.tar.gz
 /buildah-885e9c1.tar.gz
 /buildah-9eb048a.tar.gz
-/buildah-0508fba.tar.gz
-/buildah-3679b9f.tar.gz
-/buildah-2e59c37.tar.gz
-/buildah-6421c84.tar.gz
-/buildah-457c75c.tar.gz
-/buildah-0a064b3.tar.gz
-/buildah-013883e.tar.gz
-/buildah-e1c7a5c.tar.gz
-/buildah-d5326ef.tar.gz
-/buildah-de6c0da.tar.gz
-/buildah-a6eeca7.tar.gz
-/buildah-d47032f.tar.gz
-/buildah-1b49e62.tar.gz
-/buildah-72ef182.tar.gz
-/buildah-1296778.tar.gz
-/buildah-a5e80a5.tar.gz
-/buildah-d5c503c.tar.gz
-/buildah-eb42398.tar.gz
-/buildah-b51f63a.tar.gz
-/buildah-06d974b.tar.gz
-/buildah-c15269d.tar.gz
-/buildah-1688944.tar.gz
-/buildah-c0915a5.tar.gz
-/buildah-0ade935.tar.gz
-/buildah-0d8da0a.tar.gz
-/buildah-35300f3.tar.gz
-/buildah-17d8e1b.tar.gz
-/buildah-8614456.tar.gz
-/buildah-d5d782f.tar.gz
-/buildah-e481c9b.tar.gz
-/buildah-5352624.tar.gz
-/buildah-ced3c7b.tar.gz
-/buildah-fd48180.tar.gz
-/buildah-3b8acfb.tar.gz
-/buildah-9cdde41.tar.gz
-/buildah-30ed95a.tar.gz
-/buildah-b2f7e27.tar.gz
-/buildah-0a38651.tar.gz
-/buildah-ecbb651.tar.gz
-/buildah-915de2e.tar.gz
-/buildah-98f7b3d.tar.gz
-/buildah-2e5732b.tar.gz
-/buildah-61f5dff.tar.gz
-/v1.19.6.tar.gz
-/buildah-2f99c2e.tar.gz
-/buildah-9428d03.tar.gz
-/buildah-1065fd2.tar.gz
-/buildah-c4fc67f.tar.gz
-/buildah-d78dfd1.tar.gz
-/buildah-22fc573.tar.gz
-/buildah-135d63d.tar.gz
-/buildah-a0853c3.tar.gz
-/buildah-5119393.tar.gz
-/buildah-162fbaf.tar.gz
-/buildah-2ab877e.tar.gz
-/buildah-f30b420.tar.gz
-/buildah-f629ded.tar.gz
-/buildah-2a83637.tar.gz
-/buildah-19d3065.tar.gz
-/buildah-df14b1c.tar.gz
-/buildah-d677bf0.tar.gz
-/buildah-23e2b79.tar.gz
-/buildah-8a6d840.tar.gz
-/buildah-4fa566e.tar.gz
-/buildah-bbbe10a.tar.gz
-/buildah-d08dbe7.tar.gz
-/buildah-9c7f50b.tar.gz
+/v1.20.0.tar.gz
+/v1.20.1.tar.gz
+/v1.21.0.tar.gz
+/v1.21.1.tar.gz
 /buildah-8d08247.tar.gz
-/buildah-d99221f.tar.gz
-/buildah-30c07b7.tar.gz
-/buildah-814868e.tar.gz
-/buildah-5181b9c.tar.gz
-/buildah-802a904.tar.gz
-/buildah-6d5d1ae.tar.gz
+/v1.21.2.tar.gz
 /buildah-ec35bc4.tar.gz
+/v1.21.3.tar.gz
+/v1.21.4.tar.gz
 /v1.22.0.tar.gz
+/v1.22.3.tar.gz
 /v1.23.0.tar.gz
 /v1.23.1.tar.gz
-/v1.23.2.tar.gz
-/v1.24.0.tar.gz
-/v1.24.1.tar.gz
-/v1.24.2.tar.gz
-/v1.25.0.tar.gz
-/v1.25.1.tar.gz
-/v1.26.0.tar.gz
-/v1.26.1.tar.gz
-/v1.26.2.tar.gz
-/v1.26.3.tar.gz
-/v1.26.4.tar.gz
-/v1.27.0.tar.gz
-/v1.27.1.tar.gz
-/v1.27.2.tar.gz
-/v1.28.0.tar.gz
-/v1.28.2.tar.gz
-/v1.29.0.tar.gz
-/v1.29.1.tar.gz
-/v1.30.0.tar.gz
-/v1.31.0.tar.gz
-/v1.31.1.tar.gz
-/v1.31.2.tar.gz
-/v1.31.3.tar.gz
-/v1.32.0.tar.gz
-/v1.32.1.tar.gz
-/v1.32.2.tar.gz
-/v1.33.2.tar.gz
-/v1.34.0.tar.gz
-/v1.34.1.tar.gz
-/v1.35.0.tar.gz
-/v1.35.1.tar.gz
-/v1.35.2.tar.gz
-/v1.35.3.tar.gz
-/v1.35.4.tar.gz
-/v1.36.0.tar.gz
-/v1.37.0.tar.gz
-/v1.37.1.tar.gz
-/v1.37.2.tar.gz
-/v1.37.3.tar.gz
-/v1.37.4.tar.gz
-/v1.37.5.tar.gz
-/v1.38.0.tar.gz
-/v1.38.1.tar.gz
-/v1.39.0.tar.gz
-/v1.39.1.tar.gz
-/v1.39.2.tar.gz
-/v1.39.3.tar.gz
-/v1.39.4.tar.gz
-/v1.40.0.tar.gz
-/v1.40.1.tar.gz
-/v1.41.0.tar.gz
-/v1.41.1.tar.gz
-/v1.41.2.tar.gz
-/v1.41.3.tar.gz
-/v1.41.4.tar.gz
-/v1.41.5.tar.gz
-/v1.42.0.tar.gz
-/v1.42.1.tar.gz
-/v1.42.2.tar.gz
+/v1.23.3.tar.gz

.packit.yaml

@@ -1,149 +0,0 @@
----
-# See the documentation for more information:
-# https://packit.dev/docs/configuration/
-
-downstream_package_name: buildah
-upstream_tag_template: v{version}
-
-# These files get synced from upstream to downstream (Fedora / CentOS Stream) on every
-# propose-downstream job. This is done so tests maintained upstream can be run
-# downstream in Zuul CI and Bodhi.
-# Ref: https://packit.dev/docs/configuration#files_to_sync
-files_to_sync:
-  - src: rpm/gating.yaml
-    dest: gating.yaml
-    delete: true
-  - src: plans/
-    dest: plans/
-    delete: true
-    mkpath: true
-  - src: tests/tmt/
-    dest: tests/tmt/
-    delete: true
-    mkpath: true
-  - src: .fmf/
-    dest: .fmf/
-    delete: true
-  - .packit.yaml
-
-packages:
-  buildah-fedora:
-    pkg_tool: fedpkg
-    specfile_path: rpm/buildah.spec
-  buildah-centos:
-    pkg_tool: centpkg
-    specfile_path: rpm/buildah.spec
-  buildah-eln:
-    specfile_path: rpm/buildah.spec
-
-srpm_build_deps:
-  - make
-
-jobs:
-  - job: copr_build
-    trigger: pull_request
-    packages: [buildah-fedora]
-    notifications: &copr_build_failure_notification
-      failure_comment:
-        message: "Ephemeral COPR build failed. @containers/packit-build please check."
-    # Fedora aliases documentation: https://packit.dev/docs/configuration#aliases
-    # python3-fedora-distro-aliases provides `resolve-fedora-aliases` command
-    targets: &fedora_copr_targets
-      - fedora-all-x86_64
-      - fedora-all-aarch64
-    enable_net: true
-    # Disable osh diff scan until Go support is available
-    # Ref: https://github.com/openscanhub/known-false-positives/pull/30#issuecomment-2858698495
-    osh_diff_scan_after_copr_build: false
-
-  # Ignore until golang is updated in distro buildroot to 1.23.3+
-  - job: copr_build
-    trigger: ignore
-    packages: [buildah-eln]
-    notifications: *copr_build_failure_notification
-    targets:
-      fedora-eln-x86_64:
-        additional_repos:
-          - "https://kojipkgs.fedoraproject.org/repos/eln-build/latest/x86_64/"
-      fedora-eln-aarch64:
-        additional_repos:
-          - "https://kojipkgs.fedoraproject.org/repos/eln-build/latest/aarch64/"
-    enable_net: true
-
-  # Ignore until golang is updated in distro buildroot to 1.23.3+
-  - job: copr_build
-    trigger: ignore
-    packages: [buildah-centos]
-    notifications: *copr_build_failure_notification
-    targets: &centos_copr_targets
-      - centos-stream-9-x86_64
-      - centos-stream-9-aarch64
-      - centos-stream-10-x86_64
-      - centos-stream-10-aarch64
-    enable_net: true
-
-  # Run on commit to main branch
-  - job: copr_build
-    trigger: commit
-    packages: [buildah-fedora]
-    notifications:
-      failure_comment:
-        message: "podman-next COPR build failed. @containers/packit-build please check."
-    branch: main
-    owner: rhcontainerbot
-    project: podman-next
-    enable_net: true
-
-  # Tests on Fedora for main branch PRs
-  - job: tests
-    trigger: pull_request
-    packages: [buildah-fedora]
-    targets:
-      - fedora-all-x86_64
-    tf_extra_params:
-      environments:
-        - artifacts:
-          - type: repository-file
-            id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/fedora-$releasever/rhcontainerbot-podman-next-fedora-$releasever.repo
-
-  # Ignore until golang is updated in distro buildroot to 1.23.3+
-  # Tests on CentOS Stream for main branch PRs
-  - job: tests
-    trigger: ignore
-    packages: [buildah-centos]
-    targets:
-      - centos-stream-9-x86_64
-      - centos-stream-10-x86_64
-    tf_extra_params:
-      environments:
-        - artifacts:
-          - type: repository-file
-            id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/centos-stream-$releasever/rhcontainerbot-podman-next-centos-stream-$releasever.repo
-
-  # Sync to Fedora
-  - job: propose_downstream
-    trigger: release
-    packages: [buildah-fedora]
-    update_release: false
-    dist_git_branches: &fedora_targets
-      - fedora-all
-
-  # Sync to CentOS Stream
-  - job: propose_downstream
-    trigger: release
-    packages: [buildah-centos]
-    update_release: false
-    dist_git_branches:
-      - c10s
-
-  # Fedora Koji build
-  - job: koji_build
-    trigger: commit
-    packages: [buildah-fedora]
-    sidetag_group: podman-releases
-    # Dependents are not rpm dependencies, but the package whose bodhi update
-    # should include this package.
-    # Ref: https://packit.dev/docs/fedora-releases-guide/releasing-multiple-packages
-    dependents:
-      - podman
-    dist_git_branches: *fedora_targets

CVE-2022-27651-1.patch

@@ -0,0 +1,58 @@
+From d16cb975d83acb5a30d3a4c3e2ef78b8070c6a7b Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano <gscrivan@redhat.com>
+Date: Mon, 28 Feb 2022 10:38:48 +0100
+Subject: [PATCH 1/2] do not set the inheritable capabilities
+
+The kernel never sets the inheritable capabilities for a process, they
+are only set by userspace.  Emulate the same behavior.
+
+Closes: CVE-2022-27651
+
+Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
+(cherry picked from commit e7e55c988c05dd74005184ceb64f097a0cfe645b)
+Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
+---
+ chroot/run.go | 2 +-
+ run_linux.go  | 6 ------
+ 2 files changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/chroot/run.go b/chroot/run.go
+index e6f28e81..5634240a 100644
+--- a/chroot/run.go
++++ b/chroot/run.go
+@@ -894,7 +894,7 @@ func setCapabilities(spec *specs.Spec, keepCaps ...string) error {
+ 	capMap := map[capability.CapType][]string{
+ 		capability.BOUNDING:    spec.Process.Capabilities.Bounding,
+ 		capability.EFFECTIVE:   spec.Process.Capabilities.Effective,
+-		capability.INHERITABLE: spec.Process.Capabilities.Inheritable,
++		capability.INHERITABLE: []string{},
+ 		capability.PERMITTED:   spec.Process.Capabilities.Permitted,
+ 		capability.AMBIENT:     spec.Process.Capabilities.Ambient,
+ 	}
+diff --git a/run_linux.go b/run_linux.go
+index 113c83ef..5905d888 100644
+--- a/run_linux.go
++++ b/run_linux.go
+@@ -1935,9 +1935,6 @@ func setupCapAdd(g *generate.Generator, caps ...string) error {
+ 		if err := g.AddProcessCapabilityEffective(cap); err != nil {
+ 			return errors.Wrapf(err, "error adding %q to the effective capability set", cap)
+ 		}
+-		if err := g.AddProcessCapabilityInheritable(cap); err != nil {
+-			return errors.Wrapf(err, "error adding %q to the inheritable capability set", cap)
+-		}
+ 		if err := g.AddProcessCapabilityPermitted(cap); err != nil {
+ 			return errors.Wrapf(err, "error adding %q to the permitted capability set", cap)
+ 		}
+@@ -1956,9 +1953,6 @@ func setupCapDrop(g *generate.Generator, caps ...string) error {
+ 		if err := g.DropProcessCapabilityEffective(cap); err != nil {
+ 			return errors.Wrapf(err, "error removing %q from the effective capability set", cap)
+ 		}
+-		if err := g.DropProcessCapabilityInheritable(cap); err != nil {
+-			return errors.Wrapf(err, "error removing %q from the inheritable capability set", cap)
+-		}
+ 		if err := g.DropProcessCapabilityPermitted(cap); err != nil {
+ 			return errors.Wrapf(err, "error removing %q from the permitted capability set", cap)
+ 		}
+-- 
+2.35.1
+

CVE-2022-27651-2.patch

@@ -0,0 +1,54 @@
+From d190df39916fcb559798d0fc0ade6307ebe5f4cd Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai <nalin@redhat.com>
+Date: Thu, 24 Mar 2022 16:32:47 -0400
+Subject: [PATCH 2/2] Add a test for CVE-2022-27651
+
+Check that the inheritable capabilities are set to 0, even when we
+explicitly try to add capabilities.
+
+Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
+(cherry picked from commit 90b3254c7404039c1c786999ac189654228f6e0e)
+Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
+---
+ tests/run.bats | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+diff --git a/tests/run.bats b/tests/run.bats
+index 6044d673..c974018c 100644
+--- a/tests/run.bats
++++ b/tests/run.bats
+@@ -687,3 +687,31 @@ _EOF
+ 	uncolored="$output"
+ 	[ "$colored" != "$uncolored" ]
+ }
++
++@test "rootless on cgroupv2 and systemd runs under user.slice" {
++	skip_if_no_runtime
++	skip_if_cgroupsv1
++	skip_if_in_container
++	if test "$DBUS_SESSION_BUS_ADDRESS" = ""; then
++		skip "${1:-test does not work when \$BUILDAH_ISOLATION = chroot}"
++	fi
++	_prefetch alpine
++
++	run_buildah from --quiet --pull=false --signature-policy ${TESTSDIR}/policy.json alpine
++	cid=$output
++	run_buildah run --cgroupns=host $cid cat /proc/self/cgroup
++	expect_output --substring "/user.slice/"
++}
++
++@test "run-inheritable-capabilities" {
++	skip_if_no_runtime
++
++	_prefetch alpine
++
++	run_buildah from --quiet --pull=false --signature-policy ${TESTSDIR}/policy.json alpine
++	cid=$output
++	run_buildah run $cid grep ^CapInh: /proc/self/status
++	expect_output "CapInh:	0000000000000000"
++	run_buildah run --cap-add=ALL $cid grep ^CapInh: /proc/self/status
++	expect_output "CapInh:	0000000000000000"
++}
+-- 
+2.35.1
+

README.packit

@@ -1,3 +0,0 @@
-This repository is maintained by packit.
-https://packit.dev/
-The file was generated using packit 1.12.0.post1.dev20+g7d30dac21.

gating.yaml

@@ -1,16 +1,14 @@
 --- !Policy
 product_versions:
   - fedora-*
-decision_contexts:
-  - bodhi_update_push_stable
-  - bodhi_update_push_testing
+decision_context: bodhi_update_push_stable
 subject_type: koji_build
 rules:
   - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
-
 --- !Policy
 product_versions:
-  - rhel-*
-decision_context: osci_compose_gate
+  - fedora-*
+decision_context: bodhi_update_push_testing
+subject_type: koji_build
 rules:
-  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}

plans/main.fmf

@@ -1,34 +0,0 @@
-discover:
-    how: fmf
-
-execute:
-    how: tmt
-
-prepare:
-    - when: distro == centos-stream or distro == rhel
-      how: shell
-      script: |
-        dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm --eval '%{?rhel}').noarch.rpm
-        dnf -y config-manager --set-enabled epel
-      order: 10
-    - when: initiator == packit
-      how: shell
-      script: |
-        COPR_REPO_FILE="/etc/yum.repos.d/*podman-next*.repo"
-        if compgen -G $COPR_REPO_FILE > /dev/null; then
-            sed -i -n '/^priority=/!p;$apriority=1' $COPR_REPO_FILE
-        fi
-        dnf -y upgrade --allowerasing
-      order: 20
-
-provision:
-    how: artemis
-    hardware:
-        memory: ">= 16 GB"
-        cpu:
-            cores: ">= 4"
-            threads: ">=8"
-        disk:
-            - size: ">= 512 GB"
-
-

sources

@@ -1 +1 @@
-SHA512 (v1.42.2.tar.gz) = adb1de700db9b589639f6fd02cad95d9bedacb9d0363838315f33c978a8c900570d55af95073992ff69cff4f2a9d18776c5d786af294aaa1604144580c957414
+SHA512 (v1.23.3.tar.gz) = c3f42d580bafd5a359709d65ae41376ab83e4fa59fcfb4e2522e13f8ae343997512aece0691326b689250a13498c91f3d9a5043a761608c2f2ea6d9a77568399

tests/test_buildah.sh

@@ -0,0 +1,66 @@
+#!/bin/bash -e
+
+# Log program and kernel versions
+echo "Important package versions:"
+(
+    uname -r
+    rpm -qa | egrep 'buildah|podman|conmon|crun|runc|iptable|slirp|systemd' | sort
+) | sed -e 's/^/  /'
+
+# Log environment; or at least the useful bits
+echo "Environment:"
+env | grep -v LS_COLORS= | sort | sed -e 's/^/  /'
+
+export BUILDAH_BINARY=/usr/bin/buildah
+export IMGTYPE_BINARY=/usr/bin/buildah-imgtype
+export COPY_BINARY=/usr/bin/buildah-copy
+
+###############################################################################
+# BEGIN setup/teardown
+
+# Start a registry
+pre_bats_setup() {
+    REGISTRY_FQIN=quay.io/libpod/registry:2
+
+    AUTHDIR=/tmp/buildah-tests-auth.$$
+    mkdir -p $AUTHDIR
+
+    CERT=$AUTHDIR/domain.crt
+    if [ ! -e $CERT ]; then
+        openssl req -newkey rsa:4096 -nodes -sha256 \
+                -keyout $AUTHDIR/domain.key -x509 -days 2 \
+                -out $AUTHDIR/domain.crt \
+                -subj "/C=US/ST=Foo/L=Bar/O=Red Hat, Inc./CN=registry host certificate" \
+                -addext subjectAltName=DNS:localhost
+    fi
+
+    if [ ! -e $AUTHDIR/htpasswd ]; then
+        htpasswd -Bbn testuser testpassword > $AUTHDIR/htpasswd
+    fi
+
+    podman rm -f registry || true
+    podman run -d -p 5000:5000 \
+           --name registry \
+           -v $AUTHDIR:/auth:Z \
+           -e "REGISTRY_AUTH=htpasswd" \
+           -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
+           -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
+           -e REGISTRY_HTTP_TLS_CERTIFICATE=/auth/domain.crt \
+           -e REGISTRY_HTTP_TLS_KEY=/auth/domain.key \
+           $REGISTRY_FQIN
+}
+
+post_bats_teardown() {
+    podman rm -f registry
+}
+
+# END   setup/teardown
+###############################################################################
+# BEGIN actual test
+
+pre_bats_setup
+bats /usr/share/buildah/test/system
+rc=$?
+post_bats_teardown
+
+exit $rc

tests/test_buildah.yml

@@ -0,0 +1,17 @@
+---
+- hosts: localhost
+  environment:
+    TMPDIR: /var/tmp
+  roles:
+    - role: standard-test-basic
+      tags:
+        - classic
+        - container
+      required_packages:
+        - buildah
+        - buildah-tests
+      tests:
+        - root-test:
+            dir: ./
+            run: ./test_buildah.sh
+            timeout: 60m

tests/tests.yml

@@ -0,0 +1 @@
+- import_playbook: test_buildah.yml

tests/tmt/system.fmf

@@ -1,24 +0,0 @@
-require:
-    - buildah-tests
-    - git-daemon
-    - slirp4netns
-
-environment:
-    BUILDAH_BINARY: /usr/bin/buildah
-    IMGTYPE_BINARY: /usr/bin/buildah-imgtype
-    INET_BINARY: /usr/bin/buildah-inet
-    COPY_BINARY: /usr/bin/buildah-copy
-    TUTORIAL_BINARY: /usr/bin/buildah-tutorial
-    DUMPSPEC_BINARY: /usr/bin/buildah-dumpspec
-    PASSWD_BINARY: /usr/bin/buildah-passwd
-    TMPDIR: /var/tmp
-
-adjust:
-    - when: initiator != "packit"
-      environment+:
-        RELEASE_TESTING: true
-
-/local/root:
-    summary: System test
-    test: bash ./system.sh
-    duration: 60m

tests/tmt/system.sh

@@ -1,18 +0,0 @@
-#!/usr/bin/env bash
-
-set -exo pipefail
-
-uname -r
-
-rpm -q \
-    aardvark-dns \
-    buildah \
-    buildah-tests \
-    conmon \
-    container-selinux \
-    containers-common \
-    crun \
-    netavark \
-    systemd
-
-bats /usr/share/buildah/test/system