packages/docker
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2022-24769

Browse Source
This commit is contained in:
duyiwei 2022-06-16 10:05:51 +08:00
parent e4c0fb82df
commit fbc718add8
4 changed files with 90 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
VERSION-openeuler
View File

@ -1 +1 @@
18.09.0.206 18.09.0.207

11
docker-engine-openeuler.spec
View File

@ -1,6 +1,6 @@
Name: docker-engine Name: docker-engine
Version: 18.09.0 Version: 18.09.0
Release: 206 Release: 207
Summary: The open-source application container engine Summary: The open-source application container engine
Group: Tools/Docker Group: Tools/Docker
@ -152,9 +152,6 @@ install -p -m 644 components/engine/contrib/syntax/nano/Dockerfile.nanorc $RPM_B
/usr/share/zsh/vendor-completions/_docker /usr/share/zsh/vendor-completions/_docker
/usr/share/fish/vendor_completions.d/docker.fish /usr/share/fish/vendor_completions.d/docker.fish
%doc %doc
# /%{_mandir}/man1/*
# /%{_mandir}/man5/*
# /%{_mandir}/man8/*
%config(noreplace,missingok) /etc/sysconfig/docker %config(noreplace,missingok) /etc/sysconfig/docker
%config(noreplace,missingok) /etc/sysconfig/docker-storage %config(noreplace,missingok) /etc/sysconfig/docker-storage
@ -201,6 +198,12 @@ fi
%endif %endif
%changelog %changelog
* Thu Jun 16 2022 duyiwei <duyiwei@kylinos.cn> - 18.09.0-207
- Type:bugfix
- CVE:CVE-2022-24769
- SUG:NA
- DESC:fix CVE-2022-24769
* Tue Oct 12 2021 xiadanni<xiadanni1@huawei.com> - 18.09.0-206 * Tue Oct 12 2021 xiadanni<xiadanni1@huawei.com> - 18.09.0-206
- Type:bugfix - Type:bugfix
- ID:NA - ID:NA

81
patch/0193-docker-fix-CVE-2022-24769.patch Normal file
View File

@ -0,0 +1,81 @@
From d3bf68367fe708a1d74d89a8d57c9b85c4fd292d Mon Sep 17 00:00:00 2001
From: build <build@obs.com>
Date: Thu, 16 Jun 2022 09:53:40 +0800
Subject: [PATCH] CVE-2022-24769
Signed-off-by: build <build@obs.com>
---
components/engine/daemon/exec_linux.go | 10 ++++------
components/engine/daemon/oci.go | 20 ++++++++++++--------
components/engine/oci/defaults.go | 1 -
3 files changed, 16 insertions(+), 15 deletions(-)
diff --git a/components/engine/daemon/exec_linux.go b/components/engine/daemon/exec_linux.go
index cd52f48..8720aa9 100644
--- a/components/engine/daemon/exec_linux.go
+++ b/components/engine/daemon/exec_linux.go
@@ -21,13 +21,11 @@ func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config
}
}
if ec.Privileged {
- if p.Capabilities == nil {
- p.Capabilities = &specs.LinuxCapabilities{}
+ p.Capabilities = &specs.LinuxCapabilities{
+ Bounding: caps.GetAllCapabilities(),
+ Permitted: caps.GetAllCapabilities(),
+ Effective: caps.GetAllCapabilities(),
}
- p.Capabilities.Bounding = caps.GetAllCapabilities()
- p.Capabilities.Permitted = p.Capabilities.Bounding
- p.Capabilities.Inheritable = p.Capabilities.Bounding
- p.Capabilities.Effective = p.Capabilities.Bounding
}
if apparmor.IsEnabled() {
var appArmorProfile string
diff --git a/components/engine/daemon/oci.go b/components/engine/daemon/oci.go
index 52050e2..4148e90 100644
--- a/components/engine/daemon/oci.go
+++ b/components/engine/daemon/oci.go
@@ -26,15 +26,19 @@ func setCapabilities(s *specs.Spec, c *container.Container) error {
return err
}
}
- s.Process.Capabilities.Effective = caplist
- s.Process.Capabilities.Bounding = caplist
- s.Process.Capabilities.Permitted = caplist
- s.Process.Capabilities.Inheritable = caplist
// setUser has already been executed here
- // if non root drop capabilities in the way execve does
- if s.Process.User.UID != 0 {
- s.Process.Capabilities.Effective = []string{}
- s.Process.Capabilities.Permitted = []string{}
+ if s.Process.User.UID == 0 {
+ s.Process.Capabilities = &specs.LinuxCapabilities{
+ Effective: caplist,
+ Bounding: caplist,
+ Permitted: caplist,
+ }
+ } else {
+ // Do not set Effective and Permitted capabilities for non-root users,
+ // to match what execve does.
+ s.Process.Capabilities = &specs.LinuxCapabilities{
+ Bounding: caplist,
+ }
}
return nil
}
diff --git a/components/engine/oci/defaults.go b/components/engine/oci/defaults.go
index ff027d8..57cbddb 100644
--- a/components/engine/oci/defaults.go
+++ b/components/engine/oci/defaults.go
@@ -61,7 +61,6 @@ func DefaultLinuxSpec() specs.Spec {
Capabilities: &specs.LinuxCapabilities{
Bounding: defaultCapabilities(),
Permitted: defaultCapabilities(),
- Inheritable: defaultCapabilities(),
Effective: defaultCapabilities(),
},
},
--
2.33.0

1
series.conf
View File

@ -186,4 +186,5 @@ patch/0189-docker-fix-Access-to-remapped-root-allows-privilege-.patch
patch/0190-docker-fix-CVE-2021-21285.patch patch/0190-docker-fix-CVE-2021-21285.patch
patch/0191-docker-add-clone3-to-seccomp-whitelist-to-fix-curl-f.patch patch/0191-docker-add-clone3-to-seccomp-whitelist-to-fix-curl-f.patch
patch/0192-docker-update-seccomp-whitelist-to-Linux-5.10-syscal.patch patch/0192-docker-update-seccomp-whitelist-to-Linux-5.10-syscal.patch
patch/0193-docker-fix-CVE-2022-24769.patch
#end #end