packages/docker
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!88 docker:fix CVE-2022-24769

Browse Source 
From: @duyiwei7w 
Reviewed-by: @yangzhao_kl, @jackchan8 
Signed-off-by: @yangzhao_kl
This commit is contained in:
openeuler-ci-bot 2022-06-16 01:33:05 +00:00 committed by Gitee
commit e6424e05ea
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
4 changed files with 92 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
VERSION-openeuler
View File

@ -1 +1 @@
18.09.0.118
18.09.0.121

15
docker.spec
View File

@ -1,6 +1,6 @@
Name: docker-engine
Version: 18.09.0
Release: 120
Release: 121
Summary: The open-source application container engine
Group: Tools/Docker
@ -166,9 +166,6 @@ install -p -m 644 components/engine/contrib/syntax/nano/Dockerfile.nanorc $RPM_B
/usr/share/zsh/vendor-completions/_docker
/usr/share/fish/vendor_completions.d/docker.fish
%doc
#/%{_mandir}/man1/*
#/%{_mandir}/man5/*
#/%{_mandir}/man8/*
%config(noreplace,missingok) /etc/sysconfig/docker
%config(noreplace,missingok) /etc/sysconfig/docker-storage
@ -215,6 +212,12 @@ fi
%endif
%changelog
* Thu Jun 09 2022 duyiwei <duyiwei@kylinos.cn> - 18.09.0-121
- Type:bugfix
- CVE:CVE-2022-24769
- SUG:NA
- DESC:fix CVE-2022-24769
* Mon Apr 11 2022 fushanqing <fushanqing@kylinos.cn> - 18.09.0-120
- Integrated runc
@ -261,14 +264,14 @@ fi
- SUG:restart
- DESC:remove go-md2man build require
* Mon Jan 4 2021 yangyanchao<yangyanchao6@huawei.com> - 18.09.0-111
* Mon Jan 18 2021 yangyanchao<yangyanchao6@huawei.com> - 18.09.0-111
- Type:requirement
- ID:NA
- CVE:NA
- SUG:restart
- docker:components:add config files for riscv
* Mon Jan 18 2021 jingrui<jingrui@huawei.com> - 18.09.0-107
* Mon Jan 4 2021 jingrui<jingrui@huawei.com> - 18.09.0-107
- Type:bugfix
- ID:NA
- SUG:NA

81
patch/0195-docker-fix-CVE-2022-24769.patch Normal file
View File

@ -0,0 +1,81 @@
From 5d90b8a13a76e296a27b63896f86a109158dcdd5 Mon Sep 17 00:00:00 2001
From: build <build@obs.com>
Date: Fri, 10 Jun 2022 15:11:21 +0800
Subject: [PATCH] 2022
Signed-off-by: build <build@obs.com>
---
components/engine/daemon/exec_linux.go | 10 ++++------
components/engine/daemon/oci.go | 20 ++++++++++++--------
components/engine/oci/defaults.go | 1 -
3 files changed, 16 insertions(+), 15 deletions(-)
diff --git a/components/engine/daemon/exec_linux.go b/components/engine/daemon/exec_linux.go
index cd52f48..8720aa9 100644
--- a/components/engine/daemon/exec_linux.go
+++ b/components/engine/daemon/exec_linux.go
@@ -21,13 +21,11 @@ func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config
}
}
if ec.Privileged {
- if p.Capabilities == nil {
- p.Capabilities = &specs.LinuxCapabilities{}
+ p.Capabilities = &specs.LinuxCapabilities{
+ Bounding: caps.GetAllCapabilities(),
+ Permitted: caps.GetAllCapabilities(),
+ Effective: caps.GetAllCapabilities(),
}
- p.Capabilities.Bounding = caps.GetAllCapabilities()
- p.Capabilities.Permitted = p.Capabilities.Bounding
- p.Capabilities.Inheritable = p.Capabilities.Bounding
- p.Capabilities.Effective = p.Capabilities.Bounding
}
if apparmor.IsEnabled() {
var appArmorProfile string
diff --git a/components/engine/daemon/oci.go b/components/engine/daemon/oci.go
index 52050e2..4148e90 100644
--- a/components/engine/daemon/oci.go
+++ b/components/engine/daemon/oci.go
@@ -26,15 +26,19 @@ func setCapabilities(s *specs.Spec, c *container.Container) error {
return err
}
}
- s.Process.Capabilities.Effective = caplist
- s.Process.Capabilities.Bounding = caplist
- s.Process.Capabilities.Permitted = caplist
- s.Process.Capabilities.Inheritable = caplist
// setUser has already been executed here
- // if non root drop capabilities in the way execve does
- if s.Process.User.UID != 0 {
- s.Process.Capabilities.Effective = []string{}
- s.Process.Capabilities.Permitted = []string{}
+ if s.Process.User.UID == 0 {
+ s.Process.Capabilities = &specs.LinuxCapabilities{
+ Effective: caplist,
+ Bounding: caplist,
+ Permitted: caplist,
+ }
+ } else {
+ // Do not set Effective and Permitted capabilities for non-root users,
+ // to match what execve does.
+ s.Process.Capabilities = &specs.LinuxCapabilities{
+ Bounding: caplist,
+ }
}
return nil
}
diff --git a/components/engine/oci/defaults.go b/components/engine/oci/defaults.go
index ff027d8..57cbddb 100644
--- a/components/engine/oci/defaults.go
+++ b/components/engine/oci/defaults.go
@@ -61,7 +61,6 @@ func DefaultLinuxSpec() specs.Spec {
Capabilities: &specs.LinuxCapabilities{
Bounding: defaultCapabilities(),
Permitted: defaultCapabilities(),
- Inheritable: defaultCapabilities(),
Effective: defaultCapabilities(),
},
},
--
2.33.0

1
series.conf
View File

@ -192,4 +192,5 @@ patch/0191-rollback-if-docker-restart-when-doing-BlkDiscard.patch
patch/0192-fix-dangling-unpigz.patch
patch/0193-docker-add-clone3-to-seccomp-whitelist-to-fix-curl-f.patch
patch/0194-docker-update-seccomp-whitelist-to-Linux-5.10-syscal.patch
patch/0195-docker-fix-CVE-2022-24769.patch
#end