docker/patch/0167-docker-fix-CVE-2020-13401.patch
jingrui af6293703d docker: sync bugfix
Change-Id: I4dc92059d90415199fcd143d75cc68cfdb67c430
Signed-off-by: jingrui <jingrui@huawei.com>
2021-01-19 14:03:29 +08:00


From 727ce265564d1dc3031221a84f95abad20a20f11 Mon Sep 17 00:00:00 2001
From: jingrui <jingrui@huawei.com>
Date: Thu, 11 Jun 2020 21:55:49 +0800
Subject: [PATCH] docker: fix CVE-2020-13401
Change-Id: I267bde21d88927a0beb7599651b856a2dd1371d3
Signed-off-by: jingrui <jingrui@huawei.com>
---
.../libnetwork/drivers/bridge/bridge.go | 6 ++++++
.../libnetwork/drivers/bridge/setup_device.go | 19 +++++++++++++++++++
2 files changed, 25 insertions(+)
diff --git a/components/engine/vendor/github.com/docker/libnetwork/drivers/bridge/bridge.go b/components/engine/vendor/github.com/docker/libnetwork/drivers/bridge/bridge.go
index 535da3c1ad..3288ff8652 100644
--- a/components/engine/vendor/github.com/docker/libnetwork/drivers/bridge/bridge.go
+++ b/components/engine/vendor/github.com/docker/libnetwork/drivers/bridge/bridge.go
@@ -679,6 +679,12 @@ func (d *driver) createNetwork(config *networkConfiguration) (err error) {
bridgeAlreadyExists := bridgeIface.exists()
if !bridgeAlreadyExists {
bridgeSetup.queueStep(setupDevice)
+ bridgeSetup.queueStep(setupDefaultSysctl)
+ }
+
+ // For the default bridge, set expected sysctls
+ if config.DefaultBridge {
+ bridgeSetup.queueStep(setupDefaultSysctl)
}
// Even if a bridge exists try to setup IPv4.
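Review bot: When the default bridge is being created for the first time both new guards hold, so `setupDefaultSysctl` is queued twice and the accept_ra write runs twice in one createNetwork; harmless because the write is idempotent, but the intent reads better as a single step: drop the `queueStep(setupDefaultSysctl)` from the `!bridgeAlreadyExists` branch and widen the second guard to `if !bridgeAlreadyExists || config.DefaultBridge {`. Note also that a pre-existing, non-default bridge (one an administrator created and handed to the driver by name) keeps whatever `accept_ra` it already has, so this mitigation intentionally does not cover that case; a comment such as `// Pre-existing non-default bridges are left untouched; their sysctls belong to the admin.` would stop a later reader from assuming every bridge network is protected. createNetwork begins and ends outside this hunk.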
diff --git a/components/engine/vendor/github.com/docker/libnetwork/drivers/bridge/setup_device.go b/components/engine/vendor/github.com/docker/libnetwork/drivers/bridge/setup_device.go
index a9dfd06771..9822236dfd 100644
--- a/components/engine/vendor/github.com/docker/libnetwork/drivers/bridge/setup_device.go
+++ b/components/engine/vendor/github.com/docker/libnetwork/drivers/bridge/setup_device.go
@@ -2,6 +2,9 @@ package bridge
import (
"fmt"
+ "io/ioutil"
+ "os"
+ "path/filepath"
"github.com/docker/docker/pkg/parsers/kernel"
"github.com/docker/libnetwork/netutils"
@@ -50,6 +53,22 @@ func setupDevice(config *networkConfiguration, i *bridgeInterface) error {
return err
}
+func setupDefaultSysctl(config *networkConfiguration, i *bridgeInterface) error {
+ // Disable IPv6 router advertisements originating on the bridge
+ sysPath := filepath.Join("/proc/sys/net/ipv6/conf/", config.BridgeName, "accept_ra")
+ if _, err := os.Stat(sysPath); err != nil {
+ logrus.
+ WithField("bridge", config.BridgeName).
+ WithField("syspath", sysPath).
+ Info("failed to read ipv6 net.ipv6.conf.<bridge>.accept_ra")
+ return nil
+ }
+ if err := ioutil.WriteFile(sysPath, []byte{'0', '\n'}, 0644); err != nil {
+ return fmt.Errorf("libnetwork: Unable to disable IPv6 router advertisement: %v", err)
+ }
+ return nil
+}
+
// SetupDeviceUp ups the given bridge interface.
func setupDeviceUp(config *networkConfiguration, i *bridgeInterface) error {
err := i.nlh.LinkSetUp(i.Link)
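Review bot: The `return nil` after `os.Stat` swallows every failure, not only the missing-file case the Info message is written for, so an EACCES or ENOTDIR on the sysctl path would silently leave router advertisements accepted, while a failing `ioutil.WriteFile` a few lines later is a hard error; distinguish them with `if !os.IsNotExist(err) { return fmt.Errorf("libnetwork: Unable to stat %s: %v", sysPath, err) }` ahead of the log-and-return, so only a genuinely absent `accept_ra` (presumably IPv6 disabled on the host) is treated as nothing-to-do. The new function also lacks the doc comment this file gives its siblings (`// SetupDeviceUp ups the given bridge interface.`); suggest `// setupDefaultSysctl writes net.ipv6.conf.<bridge>.accept_ra=0 so the host does not honour router advertisements arriving on the bridge (CVE-2020-13401); a missing sysctl is logged and skipped.` The log text `failed to read ... accept_ra` is also slightly misleading, since the path is only stat'ed, never read.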
--
2.17.1