packages/runc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

runc:do not set inheritable capabilities(fix CVE-2022-29162)

Browse Source 
Signed-off-by: Vanient <xiadanni1@huawei.com>
This commit is contained in:
Vanient 2022-06-06 20:46:18 +08:00
parent ceadec0510
commit 5ca67e3066
3 changed files with 53 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
patch/0128-runc-fix-CVE-2022-29162.patch Normal file
View File

@ -0,0 +1,45 @@
From d940c8e738ce011bbfafdc6ef8af6516f8ee2191 Mon Sep 17 00:00:00 2001
From: Vanient <xiadanni1@huawei.com>
Date: Mon, 6 Jun 2022 20:23:46 +0800
Subject: [PATCH] runc: fix CVE-2022-29162
do not set inheritable capabilities
upstream:https://github.com/opencontainers/runc/commit/98fe566c527479195ce3c8167136d2a555fe6b65
Signed-off-by: Vanient <xiadanni1@huawei.com>
---
exec.go | 1 -
libcontainer/specconv/example.go | 5 -----
2 files changed, 6 deletions(-)
diff --git a/exec.go b/exec.go
index 9ed90ea..5e5ce00 100644
--- a/exec.go
+++ b/exec.go
@@ -176,7 +176,6 @@ func getProcess(context *cli.Context, bundle string) (*specs.Process, error) {
if caps := context.StringSlice("cap"); len(caps) > 0 {
for _, c := range caps {
p.Capabilities.Bounding = append(p.Capabilities.Bounding, c)
- p.Capabilities.Inheritable = append(p.Capabilities.Inheritable, c)
p.Capabilities.Effective = append(p.Capabilities.Effective, c)
p.Capabilities.Permitted = append(p.Capabilities.Permitted, c)
p.Capabilities.Ambient = append(p.Capabilities.Ambient, c)
diff --git a/libcontainer/specconv/example.go b/libcontainer/specconv/example.go
index 9a4460c..973ea79 100644
--- a/libcontainer/specconv/example.go
+++ b/libcontainer/specconv/example.go
@@ -46,11 +46,6 @@ func Example() *specs.Spec {
"CAP_KILL",
"CAP_NET_BIND_SERVICE",
},
- Inheritable: []string{
- "CAP_AUDIT_WRITE",
- "CAP_KILL",
- "CAP_NET_BIND_SERVICE",
- },
Ambient: []string{
"CAP_AUDIT_WRITE",
"CAP_KILL",
--
2.27.0

8
runc-openeuler.spec
View File

@ -2,7 +2,7 @@
Name: docker-runc
Version: 1.0.0.rc3
Release: 203
Release: 204
Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
License: ASL 2.0
@ -41,6 +41,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
%{_bindir}/runc
%changelog
* Thu Jun 03 2021 xiadanni<xiadanni1@huawei.com> - 1.0.0.rc3-204
- Type:CVE
- CVE:CVE-2022-29162
- SUG:NA
- DESC:do not set inheritable capabilities
* Fri Aug 20 2021 wangqing <wangqing@uniontech.com> - 1.0.0.rc3-203
- Type:bugfix
- ID:NA

1
series.conf
View File

@ -121,3 +121,4 @@
0124-runc-fix-freezing-race.patch
0126-runc-add-mount-destination-validation-fix-CVE-2021.patch
0127-runc-fix-systemd-cgroup-after-memory-type-changed.patch
0128-runc-fix-CVE-2022-29162.patch