remove process inheritable capability

Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>

0023-remove-process-inheritable-capability.patch

@@ -0,0 +1,27 @@
+From d232c098c9a75fce2b7e6da55faa89cd546d3dc9 Mon Sep 17 00:00:00 2001
+From: isuladci <isulad@ci.com>
+Date: Tue, 31 Jan 2023 19:14:57 +0800
+Subject: [PATCH] remove process inheritable capability
+
+Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
+---
+ src/lxc/conf.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/lxc/conf.c b/src/lxc/conf.c
+index 439601a..c478bf2 100644
+--- a/src/lxc/conf.c
++++ b/src/lxc/conf.c
+@@ -5528,7 +5528,8 @@ int lxc_drop_caps(struct lxc_conf *conf)
+ 		if (caplist[i]) {
+ 			cap_data[CAP_TO_INDEX(i)].effective = cap_data[CAP_TO_INDEX(i)].effective | (i > 31 ? __DEF_CAP_TO_MASK(i % 32) : __DEF_CAP_TO_MASK(i));
+ 			cap_data[CAP_TO_INDEX(i)].permitted = cap_data[CAP_TO_INDEX(i)].permitted | (i > 31 ? __DEF_CAP_TO_MASK(i % 32) : __DEF_CAP_TO_MASK(i));
+-			cap_data[CAP_TO_INDEX(i)].inheritable = cap_data[CAP_TO_INDEX(i)].inheritable | (i > 31 ? __DEF_CAP_TO_MASK(i % 32) : __DEF_CAP_TO_MASK(i));
++			// fix CVE-2022-24769
++			// inheritable capability should be empty
+ 		}
+ 	}
+ 
+-- 
+2.25.1
+

apply-patches

@@ -16,15 +16,18 @@
 
 set -ex
 
-pkg=lxc-4.0.3
+dir_name=$(tar -tzf *.tar.gz | head -1 | cut -f1 -d"/")
+if [ -e $dir_name ]; then
+    echo "directory $dir_name exist, please remove it"
+    exit 1
+fi
+
+tar -xzvf $dir_name.tar.gz
+
 cwd=$PWD
-src=$cwd/lxc-4.0.3
+cd $cwd/$dir_name
 
-tar -xzvf $pkg.tar.gz
-
-cd $src
-
-cat $cwd/series.conf | while read line
+grep -E "Patch[0-9]{4}:\s*[0-9]{4}-.*\.patch" $cwd/lxc.spec | awk '{print $2}' | while read line
 do
     if [[ $line == '' || $line =~ ^\s*# ]]; then
         continue
@@ -38,5 +41,7 @@ git add .
 git config --local user.name "isuladci"
 git config --local user.email "isulad@ci.com"
 git commit -m "init repo"
+git config --local --unset user.name
+git config --local --unset user.email
 
 cd $cwd

lxc.spec

@@ -1,4 +1,4 @@
-%global _release 2022102408
+%global _release 2022102409
 
 Name:           lxc
 Version:        4.0.3
@@ -30,6 +30,7 @@ Patch0019:	0019-add-lxc-attach-add-gids-option.patch
 Patch0020:	0020-add-sscanf-adapation-code-for-musl.patch
 Patch0021:	0021-change-the-suffi-parameter-in-lxc-attach-help-output.patch
 Patch0022:	0022-fix-cve-CVE-2022-47952-log-leaks-root-information.patch
+Patch0023:	0023-remove-process-inheritable-capability.patch
 
 BuildRequires:  systemd-units git libtool graphviz docbook2X doxygen chrpath
 BuildRequires:  pkgconfig(libseccomp)
@@ -210,6 +211,12 @@ rm -rf %{buildroot}%{_sysconfdir}/default/%{name}
 %endif
 
 %changelog
+* Fri Feb 17 2023 zhangxiaoyu<zhangxiaoyu58@huawei.com> - 4.0.3-2022102409
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC: remove process inheritable capabilities
+
 * Mon Feb 13 2023 jiangxinyu <jiangxinyu@kylinos.cn> - 4.0.3-2022102408
 - Type:enhancement
 - ID:NA

series.conf

@@ -1,21 +0,0 @@
-0001-refactor-patch-code-of-utils-commands-and-so-on.patch
-0002-refactor-patch-code-of-isulad-for-conf-exec-attach.patch
-0003-refactor-patch-code-of-isulad-for-selinux-attach.patch
-0004-refactor-patch-code-of-lxccontianer-and-so-on.patch
-0005-refactor-patch-code-of-attach-and-seccomp.patch
-0006-refactor-patch-about-namespace-log-terminal.patch
-0007-refactor-patches-on-terminal.c-start.c-and-so-on.patch
-0008-refactor-patch-code-of-json.patch
-0009-fix-HOME-env-of-container-unset-error.patch
-0010-check-yajl-only-when-have-isulad.patch
-0011-drop-security_context_t.patch
-0012-only-set-user-or-image-set-non-empty-HOME.patch
-0013-return-fail-if-no-args-or-no-rootfs-path-found.patch
-0014-fix-tools-using-option-give-error-message.patch
-0015-fix-do-mask-pathes-after-parent-mounted.patch
-0017-lxc-Add-sw64-architecture.patch
-0018-add-macro-to-adapt-musl-libc.patch
-0019-add-lxc-attach-add-gids-option.patch
-0020-add-sscanf-adapation-code-for-musl.patch
-0021-change-the-suffi-parameter-in-lxc-attach-help-output.patch
-0022-fix-cve-CVE-2022-47952-log-leaks-root-information.patch