packages/docker
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!349 docker:support calling clone when clone3 is not support

Browse Source 
From: @zhong-jiawei-1 
Reviewed-by: @zhangsong234 
Signed-off-by: @zhangsong234
This commit is contained in:
openeuler-ci-bot 2024-10-25 08:11:23 +00:00 committed by Gitee
commit d0616f8c6c
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
6 changed files with 135 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
VERSION-vendor
View File

@ -1 +1 @@
18.09.0.341 18.09.0.342

8
docker.spec
View File

@ -1,6 +1,6 @@
Name: docker-engine Name: docker-engine
Version: 18.09.0 Version: 18.09.0
Release: 341 Release: 342
Epoch: 2 Epoch: 2
Summary: The open-source application container engine Summary: The open-source application container engine
Group: Tools/Docker Group: Tools/Docker
@ -227,6 +227,12 @@ fi
%endif %endif
%changelog %changelog
* Fri Oct 25 2024 zhongjiawei<zhongjiawei1@huawei.com> - 2:18.09.0-342
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:support calling clone when clone3 is not support
* Sat Aug 31 2024 zhongjiawei<zhongjiawei1@huawei.com> - 2:18.09.0-341 * Sat Aug 31 2024 zhongjiawei<zhongjiawei1@huawei.com> - 2:18.09.0-341
- Type:bugfix - Type:bugfix
- CVE:NA - CVE:NA

3
gen-commit.sh
View File

@ -18,9 +18,10 @@ echo 18.09.0.$new_version > VERSION-vendor
author=$(git config user.name) author=$(git config user.name)
email=$(git config user.email) email=$(git config user.email)
epoch=$(head -10 docker.spec | grep Epoch | awk '{print $NF}')
version=$(head -10 docker.spec | grep Version | awk '{print $NF}') version=$(head -10 docker.spec | grep Version | awk '{print $NF}')
release=$(head -10 docker.spec | grep Release | awk '{print $2}' | awk -F% '{print $1}') release=$(head -10 docker.spec | grep Release | awk '{print $2}' | awk -F% '{print $1}')
new_all=$version-$release new_all=$epoch:$version-$release
new_changelog=$(cat << EOF new_changelog=$(cat << EOF
* $(LC_ALL="C" date '+%a %b %d %Y') $author<$email> - $new_all\n- Type:\n- CVE:\n- SUG:\n- DESC:\n * $(LC_ALL="C" date '+%a %b %d %Y') $author<$email> - $new_all\n- Type:\n- CVE:\n- SUG:\n- DESC:\n
EOF EOF

2
git-commit
View File

@ -1 +1 @@
678fb4d2b2fbf91642358d82e5680aec01a15d56 26b8df427648c7fa5fef833419438cd4e9d3443b

123
patch/0280-docker-support-calling-clone-when-clone3-is-not-supp.patch Normal file
View File

@ -0,0 +1,123 @@
From 28a8f3016bfba8aab5cf0495519ca41f4c43f7a3 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Fri, 25 Oct 2024 15:00:22 +0800
Subject: [PATCH] docker:support calling clone when clone3 is not support
---
components/engine/api/types/seccomp.go | 1 +
components/engine/profiles/seccomp/seccomp.go | 7 +++---
.../profiles/seccomp/seccomp_default.go | 22 ++++++++++---------
.../runtime-spec/specs-go/config.go | 1 +
4 files changed, 18 insertions(+), 13 deletions(-)
diff --git a/components/engine/api/types/seccomp.go b/components/engine/api/types/seccomp.go
index 67a41e1a..0ed7d6ee 100644
--- a/components/engine/api/types/seccomp.go
+++ b/components/engine/api/types/seccomp.go
@@ -86,6 +86,7 @@ type Syscall struct {
Name string `json:"name,omitempty"`
Names []string `json:"names,omitempty"`
Action Action `json:"action"`
+ ErrnoRet *uint `json:"errnoRet,omitempty"`
Args []*Arg `json:"args"`
Comment string `json:"comment"`
Includes Filter `json:"includes"`
diff --git a/components/engine/profiles/seccomp/seccomp.go b/components/engine/profiles/seccomp/seccomp.go
index 4438670a..993e8d87 100644
--- a/components/engine/profiles/seccomp/seccomp.go
+++ b/components/engine/profiles/seccomp/seccomp.go
@@ -128,21 +128,22 @@ Loop:
}
if call.Name != "" {
- newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(call.Name, call.Action, call.Args))
+ newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(call.Name, call.Action, call.Args, call.ErrnoRet))
}
for _, n := range call.Names {
- newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(n, call.Action, call.Args))
+ newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(n, call.Action, call.Args, call.ErrnoRet))
}
}
return newConfig, nil
}
-func createSpecsSyscall(name string, action types.Action, args []*types.Arg) specs.LinuxSyscall {
+func createSpecsSyscall(name string, action types.Action, args []*types.Arg, errnoRet *uint) specs.LinuxSyscall {
newCall := specs.LinuxSyscall{
Names: []string{name},
Action: specs.LinuxSeccompAction(action),
+ ErrnoRet: errnoRet,
}
// Loop through all the arguments of the syscall and convert them
diff --git a/components/engine/profiles/seccomp/seccomp_default.go b/components/engine/profiles/seccomp/seccomp_default.go
index a90e441c..0b96de5f 100644
--- a/components/engine/profiles/seccomp/seccomp_default.go
+++ b/components/engine/profiles/seccomp/seccomp_default.go
@@ -42,6 +42,7 @@ func arches() []types.Architecture {
// DefaultProfile defines the whitelist for the default seccomp profile.
func DefaultProfile() *types.Seccomp {
+ nosys := uint(unix.ENOSYS)
syscalls := []*types.Syscall{
{
Names: []string{
@@ -489,16 +490,6 @@ func DefaultProfile() *types.Seccomp {
Arches: []string{"amd64", "x32", "x86"},
},
},
- {
- Names: []string{
- "clone3",
- },
- Action: types.ActAllow,
- Args: []*types.Arg{},
- Includes: types.Filter{
- Arches: []string{"arm64", "amd64", "x32", "x86"},
- },
- },
{
Names: []string{
"s390_pci_mmio_read",
@@ -525,6 +516,7 @@ func DefaultProfile() *types.Seccomp {
Names: []string{
"bpf",
"clone",
+ "clone3",
"fanotify_init",
"lookup_dcookie",
"mount",
@@ -584,6 +576,16 @@ func DefaultProfile() *types.Seccomp {
Caps: []string{"CAP_SYS_ADMIN"},
},
},
+ {
+ Names: []string{
+ "clone3",
+ },
+ Action: types.ActErrno,
+ ErrnoRet: &nosys,
+ Excludes: types.Filter{
+ Caps: []string{"CAP_SYS_ADMIN"},
+ },
+ },
{
Names: []string{
"reboot",
diff --git a/components/engine/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go b/components/engine/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
index 46049b3b..8b17fd1e 100644
--- a/components/engine/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
+++ b/components/engine/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
@@ -628,6 +628,7 @@ type LinuxSeccompArg struct {
type LinuxSyscall struct {
Names []string `json:"names"`
Action LinuxSeccompAction `json:"action"`
+ ErrnoRet *uint `json:"errnoRet,omitempty"`
Args []LinuxSeccompArg `json:"args,omitempty"`
}
--
2.33.0

1
series.conf
View File

@ -277,4 +277,5 @@ patch/0276-docker-Ignore-SIGURG-on-Linux.patch
patch/0277-backport-fix-CVE-2024-41110.patch patch/0277-backport-fix-CVE-2024-41110.patch
patch/0278-docker-add-clone3-seccomp-whitelist-for-arm64.patch patch/0278-docker-add-clone3-seccomp-whitelist-for-arm64.patch
patch/0279-docker-try-to-reconnect-when-containerd-grpc-return-.patch patch/0279-docker-try-to-reconnect-when-containerd-grpc-return-.patch
patch/0280-docker-support-calling-clone-when-clone3-is-not-supp.patch
#end #end