From d3bf68367fe708a1d74d89a8d57c9b85c4fd292d Mon Sep 17 00:00:00 2001
|
|
From: build <build@obs.com>
|
|
Date: Thu, 16 Jun 2022 09:53:40 +0800
|
|
Subject: [PATCH] CVE-2022-24769
|
|
|
|
Signed-off-by: build <build@obs.com>
|
|
---
|
|
components/engine/daemon/exec_linux.go | 10 ++++------
|
|
components/engine/daemon/oci.go | 20 ++++++++++++--------
|
|
components/engine/oci/defaults.go | 1 -
|
|
3 files changed, 16 insertions(+), 15 deletions(-)
|
|
|
|
diff --git a/components/engine/daemon/exec_linux.go b/components/engine/daemon/exec_linux.go
|
|
index cd52f48..8720aa9 100644
|
|
--- a/components/engine/daemon/exec_linux.go
|
|
+++ b/components/engine/daemon/exec_linux.go
|
|
@@ -21,13 +21,11 @@ func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config
|
|
}
|
|
}
|
|
if ec.Privileged {
|
|
- if p.Capabilities == nil {
|
|
- p.Capabilities = &specs.LinuxCapabilities{}
|
|
+ p.Capabilities = &specs.LinuxCapabilities{
|
|
+ Bounding: caps.GetAllCapabilities(),
|
|
+ Permitted: caps.GetAllCapabilities(),
|
|
+ Effective: caps.GetAllCapabilities(),
|
|
}
|
|
- p.Capabilities.Bounding = caps.GetAllCapabilities()
|
|
- p.Capabilities.Permitted = p.Capabilities.Bounding
|
|
- p.Capabilities.Inheritable = p.Capabilities.Bounding
|
|
- p.Capabilities.Effective = p.Capabilities.Bounding
|
|
}
|
|
if apparmor.IsEnabled() {
|
|
var appArmorProfile string
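Review bot: The new privileged branch leaves `Inheritable` (and `Ambient`) unset without saying why, so a later maintainer could read the missing field as an oversight and put it back; add a comment on the struct literal such as `// Inheritable is deliberately left at the kernel default (empty): granting the full set there is what CVE-2022-24769 exploits.` Because the struct is now rebuilt unconditionally rather than reused when non-nil, any `Ambient` set a caller had placed on `p.Capabilities` earlier is dropped — previously that was the only field the overwrite did not touch — and if that is intended the same comment should state it. `execSetPlatformOpt` begins before this hunk and continues after it.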
|
|
diff --git a/components/engine/daemon/oci.go b/components/engine/daemon/oci.go
|
|
index 52050e2..4148e90 100644
|
|
--- a/components/engine/daemon/oci.go
|
|
+++ b/components/engine/daemon/oci.go
|
|
@@ -26,15 +26,19 @@ func setCapabilities(s *specs.Spec, c *container.Container) error {
|
|
return err
|
|
}
|
|
}
|
|
- s.Process.Capabilities.Effective = caplist
|
|
- s.Process.Capabilities.Bounding = caplist
|
|
- s.Process.Capabilities.Permitted = caplist
|
|
- s.Process.Capabilities.Inheritable = caplist
|
|
// setUser has already been executed here
|
|
- // if non root drop capabilities in the way execve does
|
|
- if s.Process.User.UID != 0 {
|
|
- s.Process.Capabilities.Effective = []string{}
|
|
- s.Process.Capabilities.Permitted = []string{}
|
|
+ if s.Process.User.UID == 0 {
|
|
+ s.Process.Capabilities = &specs.LinuxCapabilities{
|
|
+ Effective: caplist,
|
|
+ Bounding: caplist,
|
|
+ Permitted: caplist,
|
|
+ }
|
|
+ } else {
|
|
+ // Do not set Effective and Permitted capabilities for non-root users,
|
|
+ // to match what execve does.
|
|
+ s.Process.Capabilities = &specs.LinuxCapabilities{
|
|
+ Bounding: caplist,
|
|
+ }
|
|
}
|
|
return nil
|
|
}
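Review bot: The comment on the non-root branch explains why Effective and Permitted are empty but not why Inheritable — the field this patch removes from both branches — is no longer populated, so the reason for the fix is invisible exactly where it would be undone; extend it with `// Inheritable is intentionally unset in both branches: a non-empty inheritable set lets a non-root process regain capabilities via file caps (CVE-2022-24769).` In the root branch all three fields alias the single `caplist` slice, so an in-place edit of one set later would silently change the others; that matches the prior code, but it is worth a note if `caplist` is ever mutated after this point (not visible here). `setCapabilities` starts before this hunk, where `caplist` is computed.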
|
|
diff --git a/components/engine/oci/defaults.go b/components/engine/oci/defaults.go
|
|
index ff027d8..57cbddb 100644
|
|
--- a/components/engine/oci/defaults.go
|
|
+++ b/components/engine/oci/defaults.go
|
|
@@ -61,7 +61,6 @@ func DefaultLinuxSpec() specs.Spec {
|
|
Capabilities: &specs.LinuxCapabilities{
|
|
Bounding: defaultCapabilities(),
|
|
Permitted: defaultCapabilities(),
|
|
- Inheritable: defaultCapabilities(),
|
|
Effective: defaultCapabilities(),
|
|
},
|
|
},
|
|
--
|
|
2.33.0
|
|
|