!23 [sync] PR-20: containerd:reduce permissions for bundle dir to fix CVE-2021-41103

From: @openeuler-sync-bot Reviewed-by: @caihaomin Signed-off-by: @caihaomin
2021-11-09 11:28:37 +00:00 · 2021-11-09 11:28:37 +00:00 · 25bd1e565d
commit 25bd1e565d
parent e673f35121 c5a97831ab
3 changed files with 147 additions and 1 deletions
--- a/containerd.spec
+++ b/containerd.spec
@ -2,7 +2,7 @@
 %global debug_package %{nil}
 Version:        1.2.0
 Name:           containerd
-Release:        200
+Release:        201
 Summary:        An industry-standard container runtime
 License:        ASL 2.0
 URL:            https://containerd.io
@ -41,6 +41,12 @@ install -p -m 755 bin/containerd-shim $RPM_BUILD_ROOT/%{_bindir}/containerd-shim
 %{_bindir}/containerd-shim

 %changelog
+* Fri Nov 5 2021 xiadanni<xiadanni1@huawei.com> - 1.2.0-201
+- Type:bugfix                                          
+- ID:NA                                                   
+- SUG:NA
+- DESC:reduce permissions for bundle dir to fix CVE-2021-41103
+
 * Wed Feb 9 2021 xiadanni<xiadanni1@huawei.com> - 1.2.0-200
 - Type:bugfix
 - ID:NA
--- a/patch/0068-containerd-reduce-permissions-for-bundle-dir-to-fix-.patch
+++ b/patch/0068-containerd-reduce-permissions-for-bundle-dir-to-fix-.patch
@ -0,0 +1,139 @@
+From 6029940872e30dac2c1bff9ff7dce3c3ab7576c8 Mon Sep 17 00:00:00 2001
+From: xiadanni <xiadanni1@huawei.com>
+Date: Fri, 5 Nov 2021 09:56:29 +0800
+Subject: [PATCH] containerd:reduce permissions for bundle dir to fix
+ CVE-2021-41103
+
+upstream:
+https://github.com/containerd/containerd/commit/6886c6a2ec0c70dde1aa64e77b64a5ad47b983c3
+v1 runtime: reduce permissions for bundle dir
+
+https://github.com/containerd/containerd/commit/7c621e1fcc08bcf5a1a48b837342cc22eada1685
+btrfs: reduce permissions on plugin directories
+
+Signed-off-by: xiadanni <xiadanni1@huawei.com>
+---
+ runtime/v1/linux/bundle.go | 56 +++++++++++++++++++++++++++++++++++++-
+ snapshots/btrfs/btrfs.go   |  8 ++++--
+ 2 files changed, 61 insertions(+), 3 deletions(-)
+
+diff --git a/runtime/v1/linux/bundle.go b/runtime/v1/linux/bundle.go
+index 0442246..90a1086 100644
+--- a/runtime/v1/linux/bundle.go
+++ b/runtime/v1/linux/bundle.go
+@@ -20,6 +20,7 @@ package linux
+ 
+ import (
+ 	"context"
+	"encoding/json"
+ 	"fmt"
+ 	"io/ioutil"
+ 	"os"
+@@ -30,6 +31,7 @@ import (
+ 	"github.com/containerd/containerd/runtime/linux/runctypes"
+ 	"github.com/containerd/containerd/runtime/v1/shim"
+ 	"github.com/containerd/containerd/runtime/v1/shim/client"
+	"github.com/opencontainers/runtime-spec/specs-go"
+ 	"github.com/pkg/errors"
+ 	"github.com/sirupsen/logrus"
+ )
+@@ -63,7 +65,7 @@ func newBundle(id, path, workDir string, spec []byte) (b *bundle, err error) {
+ 		time.Sleep(waitTime)
+ 	}
+ 
+-	if err := os.Mkdir(path, 0711); err != nil {
+	if err := os.Mkdir(path, 0700); err != nil {
+ 		return nil, err
+ 	}
+ 	defer func() {
+@@ -71,6 +73,9 @@ func newBundle(id, path, workDir string, spec []byte) (b *bundle, err error) {
+ 			os.RemoveAll(path)
+ 		}
+ 	}()
+	if err := prepareBundleDirectoryPermissions(path, spec); err != nil {
+		return nil, err
+	}
+ 	if err := os.MkdirAll(workDir, 0711); err != nil {
+ 		return nil, err
+ 	}
+@@ -90,6 +95,55 @@ func newBundle(id, path, workDir string, spec []byte) (b *bundle, err error) {
+ 	}, err
+ }
+ 
+// prepareBundleDirectoryPermissions prepares the permissions of the bundle
+// directory. When user namespaces are enabled, the permissions are modified
+// to allow the remapped root GID to access the bundle.
+func prepareBundleDirectoryPermissions(path string, spec []byte) error {
+	gid, err := remappedGID(spec)
+	if err != nil {
+		return err
+	}
+	if gid == 0 {
+		return nil
+	}
+	if err := os.Chown(path, -1, int(gid)); err != nil {
+		return err
+	}
+	return os.Chmod(path, 0710)
+}
+
+// ociSpecUserNS is a subset of specs.Spec used to reduce garbage during
+// unmarshal.
+type ociSpecUserNS struct {
+	Linux *linuxSpecUserNS
+}
+
+// linuxSpecUserNS is a subset of specs.Linux used to reduce garbage during
+// unmarshal.
+type linuxSpecUserNS struct {
+	GIDMappings []specs.LinuxIDMapping
+}
+
+// remappedGID reads the remapped GID 0 from the OCI spec, if it exists. If
+// there is no remapping, remappedGID returns 0. If the spec cannot be parsed,
+// remappedGID returns an error.
+func remappedGID(spec []byte) (uint32, error) {
+	var ociSpec ociSpecUserNS
+	err := json.Unmarshal(spec, &ociSpec)
+	if err != nil {
+		return 0, err
+	}
+	if ociSpec.Linux == nil || len(ociSpec.Linux.GIDMappings) == 0 {
+		return 0, nil
+	}
+	for _, mapping := range ociSpec.Linux.GIDMappings {
+		if mapping.ContainerID == 0 {
+			return mapping.HostID, nil
+		}
+	}
+	return 0, nil
+}
+
+ type bundle struct {
+ 	id      string
+ 	path    string
+diff --git a/snapshots/btrfs/btrfs.go b/snapshots/btrfs/btrfs.go
+index a89b551..da6f822 100644
+--- a/snapshots/btrfs/btrfs.go
+++ b/snapshots/btrfs/btrfs.go
+@@ -63,11 +63,15 @@ type snapshotter struct {
+ // root needs to be a mount point of btrfs.
+ func NewSnapshotter(root string) (snapshots.Snapshotter, error) {
+ 	// If directory does not exist, create it
+-	if _, err := os.Stat(root); err != nil {
+	if st, err := os.Stat(root); err != nil {
+ 		if !os.IsNotExist(err) {
+ 			return nil, err
+ 		}
+-		if err := os.Mkdir(root, 0755); err != nil {
+		if err := os.Mkdir(root, 0700); err != nil {
+			return nil, err
+		}
+	} else if st.Mode()&os.ModePerm != 0700 {
+		if err := os.Chmod(root, 0700); err != nil {
+ 			return nil, err
+ 		}
+ 	}
+-- 
+2.27.0
+
--- a/series.conf
+++ b/series.conf
@ -69,3 +69,4 @@ patch/0064-containerd-check-task-list-to-avoid-unnecessary-clea.patch
 patch/0065-containerd-fix-dead-loop.patch
 patch/0066-containerd-cleanup-dangling-shim-by-brand-new-context.patch
 patch/0067-containerd-fix-potential-panic-for-task-in-unknown-state.patch
+patch/0068-containerd-reduce-permissions-for-bundle-dir-to-fix-.patch