!88 docker:fix CVE-2022-24769

From: @duyiwei7w 
Reviewed-by: @yangzhao_kl, @jackchan8 
Signed-off-by: @yangzhao_kl

VERSION-openeuler

@@ -1 +1 @@
-18.09.0.118
+18.09.0.121

docker.spec

@@ -1,6 +1,6 @@
 Name: docker-engine
 Version: 18.09.0
-Release: 120
+Release: 121
 Summary: The open-source application container engine
 Group: Tools/Docker
 
@@ -166,9 +166,6 @@ install -p -m 644 components/engine/contrib/syntax/nano/Dockerfile.nanorc $RPM_B
 /usr/share/zsh/vendor-completions/_docker
 /usr/share/fish/vendor_completions.d/docker.fish
 %doc
-#/%{_mandir}/man1/*
-#/%{_mandir}/man5/*
-#/%{_mandir}/man8/*
 
 %config(noreplace,missingok) /etc/sysconfig/docker
 %config(noreplace,missingok) /etc/sysconfig/docker-storage
@@ -215,6 +212,12 @@ fi
 %endif
 
 %changelog
+* Thu Jun 09 2022 duyiwei <duyiwei@kylinos.cn> - 18.09.0-121
+- Type:bugfix
+- CVE:CVE-2022-24769
+- SUG:NA
+- DESC:fix CVE-2022-24769
+
 * Mon Apr 11 2022 fushanqing <fushanqing@kylinos.cn> - 18.09.0-120
 - Integrated runc
 
@@ -261,14 +264,14 @@ fi
 - SUG:restart
 - DESC:remove go-md2man build require
 
-* Mon Jan 4 2021 yangyanchao<yangyanchao6@huawei.com> - 18.09.0-111
+* Mon Jan 18 2021 yangyanchao<yangyanchao6@huawei.com> - 18.09.0-111
 - Type:requirement
 - ID:NA
 - CVE:NA
 - SUG:restart
 - docker:components:add config files for riscv
 
-* Mon Jan 18 2021 jingrui<jingrui@huawei.com> - 18.09.0-107
+* Mon Jan 4 2021 jingrui<jingrui@huawei.com> - 18.09.0-107
 - Type:bugfix
 - ID:NA
 - SUG:NA

patch/0195-docker-fix-CVE-2022-24769.patch

@@ -0,0 +1,81 @@
+From 5d90b8a13a76e296a27b63896f86a109158dcdd5 Mon Sep 17 00:00:00 2001
+From: build <build@obs.com>
+Date: Fri, 10 Jun 2022 15:11:21 +0800
+Subject: [PATCH] 2022
+
+Signed-off-by: build <build@obs.com>
+---
+ components/engine/daemon/exec_linux.go | 10 ++++------
+ components/engine/daemon/oci.go        | 20 ++++++++++++--------
+ components/engine/oci/defaults.go      |  1 -
+ 3 files changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/components/engine/daemon/exec_linux.go b/components/engine/daemon/exec_linux.go
+index cd52f48..8720aa9 100644
+--- a/components/engine/daemon/exec_linux.go
++++ b/components/engine/daemon/exec_linux.go
+@@ -21,13 +21,11 @@ func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config
+ 		}
+ 	}
+ 	if ec.Privileged {
+-		if p.Capabilities == nil {
+-			p.Capabilities = &specs.LinuxCapabilities{}
++		p.Capabilities = &specs.LinuxCapabilities{
++			Bounding:  caps.GetAllCapabilities(),
++			Permitted: caps.GetAllCapabilities(),
++			Effective: caps.GetAllCapabilities(),
+ 		}
+-		p.Capabilities.Bounding = caps.GetAllCapabilities()
+-		p.Capabilities.Permitted = p.Capabilities.Bounding
+-		p.Capabilities.Inheritable = p.Capabilities.Bounding
+-		p.Capabilities.Effective = p.Capabilities.Bounding
+ 	}
+ 	if apparmor.IsEnabled() {
+ 		var appArmorProfile string
+diff --git a/components/engine/daemon/oci.go b/components/engine/daemon/oci.go
+index 52050e2..4148e90 100644
+--- a/components/engine/daemon/oci.go
++++ b/components/engine/daemon/oci.go
+@@ -26,15 +26,19 @@ func setCapabilities(s *specs.Spec, c *container.Container) error {
+ 			return err
+ 		}
+ 	}
+-	s.Process.Capabilities.Effective = caplist
+-	s.Process.Capabilities.Bounding = caplist
+-	s.Process.Capabilities.Permitted = caplist
+-	s.Process.Capabilities.Inheritable = caplist
+ 	// setUser has already been executed here
+-	// if non root drop capabilities in the way execve does
+-	if s.Process.User.UID != 0 {
+-		s.Process.Capabilities.Effective = []string{}
+-		s.Process.Capabilities.Permitted = []string{}
++	if s.Process.User.UID == 0 {
++		s.Process.Capabilities = &specs.LinuxCapabilities{
++			Effective: caplist,
++			Bounding:  caplist,
++			Permitted: caplist,
++		}
++	} else {
++		// Do not set Effective and Permitted capabilities for non-root users,
++		// to match what execve does.
++		s.Process.Capabilities = &specs.LinuxCapabilities{
++			Bounding: caplist,
++		}
+ 	}
+ 	return nil
+ }
+diff --git a/components/engine/oci/defaults.go b/components/engine/oci/defaults.go
+index ff027d8..57cbddb 100644
+--- a/components/engine/oci/defaults.go
++++ b/components/engine/oci/defaults.go
+@@ -61,7 +61,6 @@ func DefaultLinuxSpec() specs.Spec {
+ 			Capabilities: &specs.LinuxCapabilities{
+ 				Bounding:    defaultCapabilities(),
+ 				Permitted:   defaultCapabilities(),
+-				Inheritable: defaultCapabilities(),
+ 				Effective:   defaultCapabilities(),
+ 			},
+ 		},
+-- 
+2.33.0
+

series.conf

@@ -192,4 +192,5 @@ patch/0191-rollback-if-docker-restart-when-doing-BlkDiscard.patch
 patch/0192-fix-dangling-unpigz.patch
 patch/0193-docker-add-clone3-to-seccomp-whitelist-to-fix-curl-f.patch
 patch/0194-docker-update-seccomp-whitelist-to-Linux-5.10-syscal.patch
+patch/0195-docker-fix-CVE-2022-24769.patch
 #end