remove process inheritable capability
Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
This commit is contained in:
parent
1d7af45644
commit
8f5856efd2
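--- /dev/null
+++ b/0023-remove-process-inheritable-capability.patch
@@ -0,0 +1,27 @@
+From d232c098c9a75fce2b7e6da55faa89cd546d3dc9 Mon Sep 17 00:00:00 2001
+From: isuladci <isulad@ci.com>
+Date: Tue, 31 Jan 2023 19:14:57 +0800
+Subject: [PATCH] remove process inheritable capability
+
+Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
+---
+src/lxc/conf.c | 3 ++-
+1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/lxc/conf.c b/src/lxc/conf.c
+index 439601a..c478bf2 100644
+--- a/src/lxc/conf.c
++++ b/src/lxc/conf.c
+@@ -5528,7 +5528,8 @@ int lxc_drop_caps(struct lxc_conf *conf)
+if (caplist[i]) {
+cap_data[CAP_TO_INDEX(i)].effective = cap_data[CAP_TO_INDEX(i)].effective | (i > 31 ? __DEF_CAP_TO_MASK(i % 32) : __DEF_CAP_TO_MASK(i));
+cap_data[CAP_TO_INDEX(i)].permitted = cap_data[CAP_TO_INDEX(i)].permitted | (i > 31 ? __DEF_CAP_TO_MASK(i % 32) : __DEF_CAP_TO_MASK(i));
+- cap_data[CAP_TO_INDEX(i)].inheritable = cap_data[CAP_TO_INDEX(i)].inheritable | (i > 31 ? __DEF_CAP_TO_MASK(i % 32) : __DEF_CAP_TO_MASK(i));
++ // fix CVE-2022-24769
++ // inheritable capability should be empty
+}
+}
+
+--
+2.25.1
+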
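Review bot: The added comments assert that the inheritable set is empty, but the hunk only stops ORing bits into `cap_data[...].inheritable`; nothing here clears it, so the guarantee depends on how `cap_data` is initialised before the loop, and lxc_drop_caps's body starts and ends outside the hunk. If `cap_data` is filled from the process's current capabilities rather than zeroed, the inherited value survives and the CVE-2022-24769 fix is incomplete; an explicit `cap_data[CAP_TO_INDEX(i)].inheritable = 0;` in place of the removed line (or zeroing the inheritable field of every `cap_data` entry before the loop) makes the intent hold regardless of that initialisation. The comment would also be more useful if it said why the set must be empty, e.g. `// Keep the inheritable set empty (CVE-2022-24769): a non-empty inheritable set lets a non-root process regain these capabilities by executing a binary that carries inheritable file capabilities.`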
@ -16,15 +16,18 @@
|
|||||||
|
|
||||||
set -ex
|
set -ex
|
||||||
|
|
||||||
pkg=lxc-4.0.3
|
dir_name=$(tar -tzf *.tar.gz | head -1 | cut -f1 -d"/")
|
||||||
|
if [ -e $dir_name ]; then
|
||||||
|
echo "directory $dir_name exist, please remove it"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
tar -xzvf $dir_name.tar.gz
|
||||||
|
|
||||||
cwd=$PWD
|
cwd=$PWD
|
||||||
src=$cwd/lxc-4.0.3
|
cd $cwd/$dir_name
|
||||||
|
|
||||||
tar -xzvf $pkg.tar.gz
|
grep -E "Patch[0-9]{4}:\s*[0-9]{4}-.*\.patch" $cwd/lxc.spec | awk '{print $2}' | while read line
|
||||||
|
|
||||||
cd $src
|
|
||||||
|
|
||||||
cat $cwd/series.conf | while read line
|
|
||||||
do
|
do
|
||||||
if [[ $line == '' || $line =~ ^\s*# ]]; then
|
if [[ $line == '' || $line =~ ^\s*# ]]; then
|
||||||
continue
|
continue
|
||||||
@ -38,5 +41,7 @@ git add .
|
|||||||
git config --local user.name "isuladci"
|
git config --local user.name "isuladci"
|
||||||
git config --local user.email "isulad@ci.com"
|
git config --local user.email "isulad@ci.com"
|
||||||
git commit -m "init repo"
|
git commit -m "init repo"
|
||||||
|
git config --local --unset user.name
|
||||||
|
git config --local --unset user.email
|
||||||
|
|
||||||
cd $cwd
|
cd $cwd
|
||||||
|
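Review bot: `dir_name` can silently end up empty on the new line `dir_name=$(tar -tzf *.tar.gz | head -1 | cut -f1 -d"/")`: `set -e` does not see a failing `tar` at the head of a pipeline, the unquoted glob can match no archive or several, and an empty, unquoted `$dir_name` turns the following test into `[ -e ]`, which is true, so the script stops with the misleading "directory ... exist" message instead of reporting the real problem. Quote every expansion (`[ -e "$dir_name" ]`, `tar -xzvf "$dir_name.tar.gz"`, `cd "$cwd/$dir_name"`) and reject an empty result before it is used as a path. The `while read line` loop fed by the new `grep ... |` line continues outside the hunk.
```shell
dir_name=$(tar -tzf ./*.tar.gz | head -1 | cut -f1 -d"/")
if [ -z "$dir_name" ]; then
    echo "cannot determine the source directory from the tarball"
    exit 1
fi
if [ -e "$dir_name" ]; then
    echo "directory $dir_name exist, please remove it"
    exit 1
fi

tar -xzvf "$dir_name.tar.gz"
# … unchanged: cwd=$PWD …
cd "$cwd/$dir_name"
# … unchanged: grep over lxc.spec feeding the while-read loop …
```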
|||||||
9
lxc.spec
9
lxc.spec
@ -1,4 +1,4 @@
|
|||||||
%global _release 2022102408
|
%global _release 2022102409
|
||||||
|
|
||||||
Name: lxc
|
Name: lxc
|
||||||
Version: 4.0.3
|
Version: 4.0.3
|
||||||
@ -30,6 +30,7 @@ Patch0019: 0019-add-lxc-attach-add-gids-option.patch
|
|||||||
Patch0020: 0020-add-sscanf-adapation-code-for-musl.patch
|
Patch0020: 0020-add-sscanf-adapation-code-for-musl.patch
|
||||||
Patch0021: 0021-change-the-suffi-parameter-in-lxc-attach-help-output.patch
|
Patch0021: 0021-change-the-suffi-parameter-in-lxc-attach-help-output.patch
|
||||||
Patch0022: 0022-fix-cve-CVE-2022-47952-log-leaks-root-information.patch
|
Patch0022: 0022-fix-cve-CVE-2022-47952-log-leaks-root-information.patch
|
||||||
|
Patch0023: 0023-remove-process-inheritable-capability.patch
|
||||||
|
|
||||||
BuildRequires: systemd-units git libtool graphviz docbook2X doxygen chrpath
|
BuildRequires: systemd-units git libtool graphviz docbook2X doxygen chrpath
|
||||||
BuildRequires: pkgconfig(libseccomp)
|
BuildRequires: pkgconfig(libseccomp)
|
||||||
@ -210,6 +211,12 @@ rm -rf %{buildroot}%{_sysconfdir}/default/%{name}
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Feb 17 2023 zhangxiaoyu<zhangxiaoyu58@huawei.com> - 4.0.3-2022102409
|
||||||
|
- Type:bugfix
|
||||||
|
- ID:NA
|
||||||
|
- SUG:NA
|
||||||
|
- DESC: remove process inheritable capabilities
|
||||||
|
|
||||||
* Mon Feb 13 2023 jiangxinyu <jiangxinyu@kylinos.cn> - 4.0.3-2022102408
|
* Mon Feb 13 2023 jiangxinyu <jiangxinyu@kylinos.cn> - 4.0.3-2022102408
|
||||||
- Type:enhancement
|
- Type:enhancement
|
||||||
- ID:NA
|
- ID:NA
|
||||||
|
|||||||
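--- a/series.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-0001-refactor-patch-code-of-utils-commands-and-so-on.patch
-0002-refactor-patch-code-of-isulad-for-conf-exec-attach.patch
-0003-refactor-patch-code-of-isulad-for-selinux-attach.patch
-0004-refactor-patch-code-of-lxccontianer-and-so-on.patch
-0005-refactor-patch-code-of-attach-and-seccomp.patch
-0006-refactor-patch-about-namespace-log-terminal.patch
-0007-refactor-patches-on-terminal.c-start.c-and-so-on.patch
-0008-refactor-patch-code-of-json.patch
-0009-fix-HOME-env-of-container-unset-error.patch
-0010-check-yajl-only-when-have-isulad.patch
-0011-drop-security_context_t.patch
-0012-only-set-user-or-image-set-non-empty-HOME.patch
-0013-return-fail-if-no-args-or-no-rootfs-path-found.patch
-0014-fix-tools-using-option-give-error-message.patch
-0015-fix-do-mask-pathes-after-parent-mounted.patch
-0017-lxc-Add-sw64-architecture.patch
-0018-add-macro-to-adapt-musl-libc.patch
-0019-add-lxc-attach-add-gids-option.patch
-0020-add-sscanf-adapation-code-for-musl.patch
-0021-change-the-suffi-parameter-in-lxc-attach-help-output.patch
-0022-fix-cve-CVE-2022-47952-log-leaks-root-information.patch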