packages/runc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
runc/patch
History
xiadanni1 1029fc9d1c rootfs: do not permit /proc mounts to non-directories 
mount(2) will blindly follow symlinks, which is a problem because it
allows a malicious container to trick runc into mounting /proc to an
entirely different location (and thus within the attacker's control for
a rename-exchange attack).

This is just a hotfix (to "stop the bleeding"), and the more complete
fix would be finish libpathrs and port runc to it (to avoid these types
of attacks entirely, and defend against a variety of other /proc-related
attacks). It can be bypased by someone having "/" be a volume controlled
by another container.

Fixes: CVE-2019-19921
Signed-off-by: Aleksa Sarai <asarai@suse.de>
Signed-off-by: xiadanni1 <xiadanni1@huawei.com>
2020-04-15 17:01:50 +08:00
..
0001-.travis.yml-Don-t-require-FETCH_HEAD.patch
runc: package init
2019-12-29 15:34:20 +08:00
0002-Don-t-try-to-read-freezer.state-from-the-cu.patch
runc: package init
2019-12-29 15:34:20 +08:00
0003-Use-opencontainers-selinux-package.patch
runc: package init
2019-12-29 15:34:20 +08:00
0004-handle-unprivileged-operations-and-dumpable.patch
runc: package init
2019-12-29 15:34:20 +08:00
0005-runc-add-support-for-rootless-containers.patch
runc: package init
2019-12-29 15:34:20 +08:00
0006-rootless-add-rootless-cgroup-manager.patch
runc: package init
2019-12-29 15:34:20 +08:00
0007-libcontainer-configs-add-proper-HostUID-and.patch
runc: package init
2019-12-29 15:34:20 +08:00
0008-libcontainer-init-fix-unmapped-console-fcho.patch
runc: package init
2019-12-29 15:34:20 +08:00
0009-rootless-add-autogenerated-rootless-config-.patch
runc: package init
2019-12-29 15:34:20 +08:00
0010-integration-added-root-requires.patch
runc: package init
2019-12-29 15:34:20 +08:00
0011-tests-add-rootless-integration-tests.patch
runc: package init
2019-12-29 15:34:20 +08:00
0012-vendor-add-golang.org-x-sys-unix-9a7256cb28.patch
runc: package init
2019-12-29 15:34:20 +08:00
0013-libcontainer-rewrite-cmsg-to-use-sys-unix.patch
runc: package init
2019-12-29 15:34:20 +08:00
0014-Set-container-state-only-once-during-start.patch
runc: package init
2019-12-29 15:34:20 +08:00
0015-checkpoint-check-if-system-supports-pre-dum.patch
runc: package init
2019-12-29 15:34:20 +08:00
0016-Fix-console-syscalls.patch
runc: package init
2019-12-29 15:34:20 +08:00
0017-restore-apply-resource-limits.patch
runc: package init
2019-12-29 15:34:20 +08:00
0018-could-load-a-stopped-container.patch
runc: package init
2019-12-29 15:34:20 +08:00
0019-Revert-back-to-using-sbin.patch
runc: package init
2019-12-29 15:34:20 +08:00
0020-add-testcase-in-generic_error_test.go.patch
runc: package init
2019-12-29 15:34:20 +08:00
0021-Fix-misspelling-of-properties-in-various-pl.patch
runc: package init
2019-12-29 15:34:20 +08:00
0022-Add-a-rootless-containers-section-on-README.patch
runc: package init
2019-12-29 15:34:20 +08:00
0023-vendor-clean-up-to-be-better-written.patch
runc: package init
2019-12-29 15:34:20 +08:00
0024-Optimizing-looping-over-namespaces.patch
runc: package init
2019-12-29 15:34:20 +08:00
0025-Add-a-rootless-section-to-spec-man-page-and.patch
runc: package init
2019-12-29 15:34:20 +08:00
0026-Allow-updating-container-pids-limit.patch
runc: package init
2019-12-29 15:34:20 +08:00
0027-Remove-redundant-declaraion-of-namespace-sl.patch
runc: package init
2019-12-29 15:34:20 +08:00
0028-Revert-saneTerminal.patch
runc: package init
2019-12-29 15:34:20 +08:00
0029-vendor-runtime-spec-fork-docker-runtime-spe.patch
runc: package init
2019-12-29 15:34:20 +08:00
0030-Update-memory-specs-to-use-int64-not-uint64.patch
runc: package init
2019-12-29 15:34:20 +08:00
0031-Add-spec-for-euleros.patch
runc: package init
2019-12-29 15:34:20 +08:00
0032-runc-17-Always-save-own-namespace-paths.patch
runc: package init
2019-12-29 15:34:20 +08:00
0033-runc-change-runc-default-umask-to-027.patch
runc: package init
2019-12-29 15:34:20 +08:00
0034-runc-17-Add-some-compatibility-code-to-surpor.patch
runc: package init
2019-12-29 15:34:20 +08:00
0035-runc-17-Add-root-to-HookState-for-compatibili.patch
runc: package init
2019-12-29 15:34:20 +08:00
0036-runc-17-add-compatibility-for-docker-1.11.2.patch
runc: package init
2019-12-29 15:34:20 +08:00
0037-docker-Don-t-enalbe-kmem-accounting-by-defa.patch
runc: package init
2019-12-29 15:34:20 +08:00
0039-Fix-unittest-and-integration-test-error-cause.patch
runc: package init
2019-12-29 15:34:20 +08:00
0041-Add-timeout-for-syscall.Openat.patch
runc: package init
2019-12-29 15:34:20 +08:00
0042-update-state-earlier-to-avoid-cgroup-leak-whe.patch
runc: package init
2019-12-29 15:34:20 +08:00
0043-runc-Use-rslave-instead-of-rprivate-in-chro.patch
runc: package init
2019-12-29 15:34:20 +08:00
0044-runc-default-mount-propagation-correctly.patch
runc: package init
2019-12-29 15:34:20 +08:00
0045-runc-add-hook-specific-info-when-error-occurr.patch
runc: package init
2019-12-29 15:34:20 +08:00
0046-runc-print-cgroup-info-if-cpuset-missing-occu.patch
runc: package init
2019-12-29 15:34:20 +08:00
0047-runc-add-more-specific-log-for-hooks.patch
runc: package init
2019-12-29 15:34:20 +08:00
0048-runc-Only-configure-networking.patch
runc: package init
2019-12-29 15:34:20 +08:00
0049-cgroups-fs-fix-NPE-on-Destroy-than-no-cgrou.patch
runc: package init
2019-12-29 15:34:20 +08:00
0050-runc-Avoid-race-when-opening-exec-fifo.patch
runc: package init
2019-12-29 15:34:20 +08:00
0051-runc-Return-from-goroutine-when-it-should-t.patch
runc: package init
2019-12-29 15:34:20 +08:00
0052-runc-reduce-max-number-of-retries-to-10.patch
runc: package init
2019-12-29 15:34:20 +08:00
0053-runc-print-error-message-during-start-into-co.patch
runc: package init
2019-12-29 15:34:20 +08:00
0054-runc-ignore-exec.fifo-removing-not-exist-erro.patch
runc: package init
2019-12-29 15:34:20 +08:00
0055-Add-file-fds-limit.patch
runc: package init
2019-12-29 15:34:20 +08:00
0056-runc-Modify-max-files.limit-to-max-because-of.patch
runc: package init
2019-12-29 15:34:20 +08:00
0057-runc-change-read-value-of-cgroup-files.limit-.patch
runc: package init
2019-12-29 15:34:20 +08:00
0058-runc-fix-panic-when-Linux-is-nil.patch
runc: package init
2019-12-29 15:34:20 +08:00
0059-Fix-setup-cgroup-before-prestart-hook.patch
runc: package init
2019-12-29 15:34:20 +08:00
0060-runc-runc-logs-forwarding-to-syslog.patch
runc: package init
2019-12-29 15:34:20 +08:00
0061-runc-17-change-golang-build-version-to-make-o.patch
runc: package init
2019-12-29 15:34:20 +08:00
0062-runc-Check-the-hook-timeout-in-case-overflow.patch
runc: package init
2019-12-29 15:34:20 +08:00
0063-docker-close-openchan-immediately-to-avoid-er.patch
runc: package init
2019-12-29 15:34:20 +08:00
0064-runc-bump-to-v1.0.0.rc3.4-after-normalization.patch
runc: package init
2019-12-29 15:34:20 +08:00
0065-runc-support-namespaced-kernel-params-can-be-.patch
runc: package init
2019-12-29 15:34:20 +08:00
0066-runc-bump-to-v1.0.0.rc3.6.patch
runc: package init
2019-12-29 15:34:20 +08:00
0067-runc-make-the-runc-log-more-useful.patch
runc: package init
2019-12-29 15:34:20 +08:00
0068-runc-reduced-the-same-log-when-the-hook-exect.patch
runc: package init
2019-12-29 15:34:20 +08:00
0069-runc-Change-Files-to-LinuxFiles-for-file-limi.patch
runc: package init
2019-12-29 15:34:20 +08:00
0070-runc-not-print-no-such-file-when-cli-err.patch
runc: package init
2019-12-29 15:34:20 +08:00
0071-runc-revert-Change-Files-to-LinuxFiles-for-fi.patch
runc: package init
2019-12-29 15:34:20 +08:00
0072-Revert-runc-not-print-no-such-file-when-cli-e.patch
runc: package init
2019-12-29 15:34:20 +08:00
0073-runc-fix-state.json-no-such-file-or-directory.patch
runc: package init
2019-12-29 15:34:20 +08:00
0074-runc-fix-check-sysctl-in-host-network-mode.patch
runc: package init
2019-12-29 15:34:20 +08:00
0075-runc-Fix-systemd-journald-service-dependency.patch
runc: package init
2019-12-29 15:34:20 +08:00
0076-runc-Fix-syslog-hook-bug.patch
runc: package init
2019-12-29 15:34:20 +08:00
0077-runc-Require-libseccomp-static-lib-for-upgrade-f.patch
runc: package init
2019-12-29 15:34:20 +08:00
0078-runc-Fix-race-in-runc-exec.patch
runc: package init
2019-12-29 15:34:20 +08:00
0079-runc-modify-spec-file-for-upgrade.patch
runc: package init
2019-12-29 15:34:20 +08:00
0080-runc-support-specify-umask.patch
runc: package init
2019-12-29 15:34:20 +08:00
0081-runc-fix-oom-killer-disable-unhandled-due-t.patch
runc: package init
2019-12-29 15:34:20 +08:00
0082-runc-make-runc-spec-and-docker-18.9-compati.patch
runc: package init
2019-12-29 15:34:20 +08:00
0083-log-fix-runc-log-decode-failed.patch
runc: package init
2019-12-29 15:34:20 +08:00
0084-oci-fix-runc-panic-and-support-oom-score.patch
runc: package init
2019-12-29 15:34:20 +08:00
0085-runc-do-not-setup-sysctl-in-runc-when-userns-.patch
runc: package init
2019-12-29 15:34:20 +08:00
0086-runc-support-set-seccomp-priority.patch
runc: package init
2019-12-29 15:34:20 +08:00
0087-runc-fix-spec-LinuxSyscall-struct.patch
runc: package init
2019-12-29 15:34:20 +08:00
0088-nsenter-clone-proc-self-exe-to-avoid-exposi.patch
runc: package init
2019-12-29 15:34:20 +08:00
0089-Revert-nsenter-clone-proc-self-exe-to-avoid.patch
runc: package init
2019-12-29 15:34:20 +08:00
0090-nsenter-clone-proc-self-exe-to-avoid-exposi.patch
runc: package init
2019-12-29 15:34:20 +08:00
0091-runc-cve-2019-5736-workaround-if-memfd_create.patch
runc: package init
2019-12-29 15:34:20 +08:00
0092-runc-cve-2019-5736-fix-build-failure.patch
runc: package init
2019-12-29 15:34:20 +08:00
0093-runc-fix-error-when-check-the-init-process.patch
runc: package init
2019-12-29 15:34:20 +08:00
0094-runc-If-tmp-is-mounted-by-option-noexec-docke.patch
runc: package init
2019-12-29 15:34:20 +08:00
0095-runc-just-warning-when-poststart-and-poststop.patch
runc: package init
2019-12-29 15:34:20 +08:00
0096-runc-do-not-kill-container-if-poststart-hooks.patch
runc: package init
2019-12-29 15:34:20 +08:00
0097-runc-Fix-mountpoint-leak-and-pivot_root-error.patch
runc: package init
2019-12-29 15:34:20 +08:00
0098-runc-fix-read-only-containers-under-userns-.patch
runc: package init
2019-12-29 15:34:20 +08:00
0099-runc-enable-bep-ldflags.patch
runc: package init
2019-12-29 15:34:20 +08:00
0100-runc-set-makefile-buildid.patch
runc: package init
2019-12-29 15:34:20 +08:00
0101-runc-print-memory-info-when-syscall.Exec-fail.patch
runc: package init
2019-12-29 15:34:20 +08:00
0102-runc-add-sysctl-kernel.pid_max-to-whitelist.patch
runc: package init
2019-12-29 15:34:20 +08:00
0104-runc-Retry-adding-pids-to-cgroups-when-EINV.patch
runc: package init
2019-12-29 15:34:20 +08:00
0105-runc-disable-core-dump-during-pipe-io.patch
runc: package init
2019-12-29 15:34:20 +08:00
0106-runc-do-not-override-devices.allow-file-when-.patch
runc: package init
2019-12-29 15:34:20 +08:00
0107-runc-fix-exec-problem-caused-by-libseccomp-up.patch
runc: package init
2019-12-29 15:34:20 +08:00
0108-runc-print-files-limit-and-usage-when-exec-fa.patch
runc: package init
2019-12-29 15:34:20 +08:00
0109-runc-add-copyright.patch
runc: package init
2019-12-29 15:34:20 +08:00
0110-runc-add-lisence.patch
runc: package init
2019-12-29 15:34:20 +08:00
0111-runc-add-log-message-for-cgroup-file-check.patch
runc: package init
2019-12-29 15:34:20 +08:00
0112-runc-add-log-message-for-cgroup-file-check.patch
runc: package init
2019-12-29 15:34:20 +08:00
0112-runc-Fixes-1585-config.Namespaces-is-empty-.patch
runc: sync patches
2020-03-05 19:34:03 +08:00
0113-runc-modify-files-cgroup-info-reading-path.patch
runc: package init
2019-12-29 15:34:20 +08:00
0113-runc-Write-freezer-state-after-every-state-.patch
runc: sync patches
2020-03-05 19:34:03 +08:00
0114-runc-may-kill-other-process-when-container-.patch
runc: sync patches
2020-03-05 19:34:03 +08:00
0115-runc-Fix-cgroup-hugetlb-size-prefix-for-kB.patch
runc: sync patches
2020-03-05 19:34:03 +08:00
0116-runc-check-nil-pointers-in-cgroup-manager.patch
runc: sync patches
2020-03-05 19:34:03 +08:00
0117-runc-Pass-back-the-pid-of-runc-1-CHILD-so-w.patch
runc:Pass back the pid of runc:[1:CHILD] so we can wait on it
2020-03-20 21:31:32 +08:00
0118-runc-rootfs-do-not-permit-proc-mounts-to-no.patch
rootfs: do not permit /proc mounts to non-directories
2020-04-15 17:01:50 +08:00