From fbc718add8fc7229274b6748d3f9fffdd00ed21f Mon Sep 17 00:00:00 2001
From: duyiwei
Date: Thu, 16 Jun 2022 10:05:51 +0800
Subject: [PATCH] fix CVE-2022-24769
---
 VERSION-openeuler | 2 +-
 docker-engine-openeuler.spec | 11 +-
 patch/0193-docker-fix-CVE-2022-24769.patch | 81 ++++++++++++++++++++++
 series.conf | 1 +
 4 files changed, 90 insertions(+), 5 deletions(-)
 create mode 100644 patch/0193-docker-fix-CVE-2022-24769.patch
diff --git a/VERSION-openeuler b/VERSION-openeuler
index fa5e4c1..c75fc47 100644
--- a/VERSION-openeuler
+++ b/VERSION-openeuler
@@ -1 +1 @@
-18.09.0.206
+18.09.0.207
diff --git a/docker-engine-openeuler.spec b/docker-engine-openeuler.spec
index 432c85f..86edfab 100644
--- a/docker-engine-openeuler.spec
+++ b/docker-engine-openeuler.spec
@@ -1,6 +1,6 @@
 Name: docker-engine
 Version: 18.09.0
-Release: 206
+Release: 207
 Summary: The open-source application container engine
 Group: Tools/Docker
@@ -152,9 +152,6 @@ install -p -m 644 components/engine/contrib/syntax/nano/Dockerfile.nanorc $RPM_B
 /usr/share/zsh/vendor-completions/_docker
 /usr/share/fish/vendor_completions.d/docker.fish
 %doc
-# /%{_mandir}/man1/*
-# /%{_mandir}/man5/*
-# /%{_mandir}/man8/*
 %config(noreplace,missingok) /etc/sysconfig/docker
 %config(noreplace,missingok) /etc/sysconfig/docker-storage
@@ -201,6 +198,12 @@ fi
 %endif
 %changelog
+* Thu Jun 16 2022 duyiwei - 18.09.0-207
+- Type:bugfix
+- CVE:CVE-2022-24769
+- SUG:NA
+- DESC:fix CVE-2022-24769
+
 * Tue Oct 12 2021 xiadanni - 18.09.0-206
 - Type:bugfix
 - ID:NA
diff --git a/patch/0193-docker-fix-CVE-2022-24769.patch b/patch/0193-docker-fix-CVE-2022-24769.patch
new file mode 100644
index 0000000..898d0d3
--- /dev/null
+++ b/patch/0193-docker-fix-CVE-2022-24769.patch
@@ -0,0 +1,81 @@
+From d3bf68367fe708a1d74d89a8d57c9b85c4fd292d Mon Sep 17 00:00:00 2001
+From: build
+Date: Thu, 16 Jun 2022 09:53:40 +0800
+Subject: [PATCH] CVE-2022-24769
+
+Signed-off-by: build
+---
+ components/engine/daemon/exec_linux.go | 10 ++++------
+ components/engine/daemon/oci.go | 20 ++++++++++++--------
+ components/engine/oci/defaults.go | 1 -
+ 3 files changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/components/engine/daemon/exec_linux.go b/components/engine/daemon/exec_linux.go
+index cd52f48..8720aa9 100644
+--- a/components/engine/daemon/exec_linux.go
++++ b/components/engine/daemon/exec_linux.go
+@@ -21,13 +21,11 @@ func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config
+ }
+ }
+ if ec.Privileged {
+- if p.Capabilities == nil {
+- p.Capabilities = &specs.LinuxCapabilities{}
++ p.Capabilities = &specs.LinuxCapabilities{
++ Bounding: caps.GetAllCapabilities(),
++ Permitted: caps.GetAllCapabilities(),
++ Effective: caps.GetAllCapabilities(),
+ }
+- p.Capabilities.Bounding = caps.GetAllCapabilities()
+- p.Capabilities.Permitted = p.Capabilities.Bounding
+- p.Capabilities.Inheritable = p.Capabilities.Bounding
+- p.Capabilities.Effective = p.Capabilities.Bounding
+ }
+ if apparmor.IsEnabled() {
+ var appArmorProfile string
+diff --git a/components/engine/daemon/oci.go b/components/engine/daemon/oci.go
+index 52050e2..4148e90 100644
+--- a/components/engine/daemon/oci.go
++++ b/components/engine/daemon/oci.go
+@@ -26,15 +26,19 @@ func setCapabilities(s *specs.Spec, c *container.Container) error {
+ return err
+ }
+ }
+- s.Process.Capabilities.Effective = caplist
+- s.Process.Capabilities.Bounding = caplist
+- s.Process.Capabilities.Permitted = caplist
+- s.Process.Capabilities.Inheritable = caplist
+ // setUser has already been executed here
+- // if non root drop capabilities in the way execve does
+- if s.Process.User.UID != 0 {
+- s.Process.Capabilities.Effective = []string{}
+- s.Process.Capabilities.Permitted = []string{}
++ if s.Process.User.UID == 0 {
++ s.Process.Capabilities = &specs.LinuxCapabilities{
++ Effective: caplist,
++ Bounding: caplist,
++ Permitted: caplist,
++ }
++ } else {
++ // Do not set Effective and Permitted capabilities for non-root users,
++ // to match what execve does.
++ s.Process.Capabilities = &specs.LinuxCapabilities{
++ Bounding: caplist,
++ }
+ }
+ return nil
+ }
+diff --git a/components/engine/oci/defaults.go b/components/engine/oci/defaults.go
+index ff027d8..57cbddb 100644
+--- a/components/engine/oci/defaults.go
++++ b/components/engine/oci/defaults.go
+@@ -61,7 +61,6 @@ func DefaultLinuxSpec() specs.Spec {
+ Capabilities: &specs.LinuxCapabilities{
+ Bounding: defaultCapabilities(),
+ Permitted: defaultCapabilities(),
+- Inheritable: defaultCapabilities(),
+ Effective: defaultCapabilities(),
+ },
+ },
+-- 
+2.33.0
+
diff --git a/series.conf b/series.conf
index 16c2403..53972b5 100644
--- a/series.conf
+++ b/series.conf
@@ -186,4 +186,5 @@ patch/0189-docker-fix-Access-to-remapped-root-allows-privilege-.patch
 patch/0190-docker-fix-CVE-2021-21285.patch
 patch/0191-docker-add-clone3-to-seccomp-whitelist-to-fix-curl-f.patch
 patch/0192-docker-update-seccomp-whitelist-to-Linux-5.10-syscal.patch
+patch/0193-docker-fix-CVE-2022-24769.patch
 #end
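Review bot: The backported change to setCapabilities and execSetPlatformOpt ships without a test that pins the property it fixes, namely that the Inheritable set is never populated on the process spec, for the root branch, the non-root branch and the privileged exec path. A unit test that runs setCapabilities on a spec from DefaultLinuxSpec with UID 0 and with a non-zero UID and asserts `s.Process.Capabilities.Inheritable == nil` (and, in the non-root case, that Effective and Permitted are nil as the new comment promises) would make a future regression in any of the three sites visible, since all three rewrite the same struct independently. Both rewritten Go sites now replace the whole `specs.LinuxCapabilities` value instead of assigning individual fields, so anything set earlier on that struct, such as Ambient, is discarded as well; that looks intended, but the removed `if p.Capabilities == nil` guard in exec_linux.go suggests the struct could arrive pre-populated, so a sentence in the patch description stating that the full set is deliberately reset would help the next backporter. The enclosing functions in the exec_linux.go and oci.go hunks start before the hunk, and the defaults.go literal continues past it.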