Similar to the (now removed) `apparmor` build tag, this build-time toggle existed for users who needed to build without the `libseccomp` library. That's no longer necessary, and given the importance of seccomp to the overall default security profile of Docker containers, it makes sense that any binary built for Linux should support (and use by default) seccomp if the underlying host does.
Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
This is the second patch release of the runc 1.1 release branch. It
fixes CVE-2022-29162, a minor security issue (which appears to not be
exploitable) related to process capabilities.
This is a similar bug to the ones found and fixed in Docker and
containerd recently (CVE-2022-24769).
- A bug was found in runc where runc exec --cap executed processes with
non-empty inheritable Linux process capabilities, creating an atypical Linux
environment. For more information, see GHSA-f3fp-gc8g-vw66 and CVE-2022-29162.
- runc spec no longer sets any inheritable capabilities in the created
example OCI spec (config.json) file.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Release notes:
Welcome to the v1.6.3 release of containerd!
The third patch release for containerd 1.6 includes various fixes and updates.
Notable Updates
- Fix panic when configuring tracing plugin
- Improve image pull performance in CRI plugin
- Check for duplicate nspath
- Fix deadlock in cgroup metrics collector
- Mount devmapper xfs file system with "nouuid" option
- Make the temp mount as ready only in container WithVolumes
- Fix deadlock from leaving transaction open in native snapshotter
- Monitor OOMKill events to prevent missing container events
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
pkg/urlutil (despite its poorly chosen name) is not really intended as a generic
utility to handle URLs, and should only be used by the builder to handle (remote)
build contexts.
- IsURL() only does a very rudimentary check for http(s):// prefixes, without any
other validation, but due to its name may give incorrect expectations.
- IsGitURL() is written specifically with docker build remote git contexts in
mind, and has handling for backward-compatibility, where strings that are
not URLs, but start with "github.com/" are accepted.
Because of the above, this patch:
- moves the package inside builder/remotecontext, close to where it's intended
to be used (ideally this would be part of build/remotecontext itself, but this
package imports many other dependencies, which would introduce those as extra
dependencies in the CLI).
- deprecates pkg/urlutil, but adds aliases as there are some external consumers.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This should help with CI being unstable when generating the types (due
to Go randomizing order). Unfortunately, the (file) names are a bit ugly,
but addressing that in a follow-up.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Welcome to the v1.5.10 release of containerd!
The tenth patch release for containerd 1.5 includes a fix for [CVE-2022-23648][1]
and other issues.
Notable Updates
- Use fs.RootPath when mounting volumes (GHSA-crp2-qrr5-8pq7)
- Return init pid when clean dead shim in runc.v1/v2 shims
- Handle sigint/sigterm in shimv2
- Use readonly mount to read user/group info
[1]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23648
[2]: https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
A copy of Go's archive/tar packge was vendored with a patch applied to
mitigate CVE-2019-14271. Vendoring standard library packages is not
supported by Go in module-aware mode, which is getting in the way of
maintenance. A different approach to mitigate the vulnerability is
needed which does not involve vendoring parts of the standard library.
glibc implements name service lookups such as users, groups and DNS
using a scheme known as Name Service Switch. The services are
implemented as modules, shared libraries which glibc dynamically links
into the process the first time a function requiring the module is
called. This is the crux of the vulnerability: if a process linked
against glibc chroots, then calls one of the functions implemented with
NSS for the first time, glibc may load NSS modules out of the chrooted
filesystem.
The API underlying the `docker cp` command is implemented by forking a
new process which chroots into the container's rootfs and writes a tar
stream of files from the container over standard output. It utilizes the
Go standard library's archive/tar package to write the tar stream. It
makes use of the tar.FileInfoHeader function to construct a tar.Header
value from an fs.FileInfo value. In modern versions of Go on *nix
platforms, FileInfoHeader will attempt to resolve the file's UID and GID
to their respective user and group names by calling the os/user
functions LookupId and LookupGroupId. The cgo implementation of os/user
on *nix performs lookups by calling the corresponding libc functions. So
when linked against glibc, calls to tar.FileInfoHeader after the
process has chrooted into the container's rootfs can have the side
effect of loading NSS modules from the container! Without any
mitigations, a malicious container image author can trivially get
arbitrary code execution by leveraging this vulnerability and escape the
chroot (which is not a sandbox) into the host.
Mitigate the vulnerability without patching or forking archive/tar by
hiding the OS-dependent file info from tar.FileInfoHeader which it needs
to perform the lookups. Without that information available it falls back
to populating the tar.Header with only the information obtainable
directly from the FileInfo value without making any calls into os/user.
Fixes#42402
Signed-off-by: Cory Snider <csnider@mirantis.com>
Looks like this may be needed for Go 1.18
Also updating the golangci-lint configuration to account for updated
exclusion rules.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The hack/vendor.sh script is used to (re)vendor dependencies. However, it did
not run `go mod tidy` before doing so, wheras the vendor _validation_ script
did.
This could result in vendor validation failing if go mod tidy resulted in
changes (which could be in `vendor.sum`).
In "usual" situations, this could be easily done by the user (`go mod tidy`
before running `go mod vendor`), but due to our (curent) uses of `vendor.mod`,
and having to first set up a (dummy) `go.mod`, this is more complicated.
Instead, just make the script do this, so that `hack/vendor.sh` will always
produce the expected result.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This test is verifying that the container has the right options set (through
`docker inspect`), but also checks if the cgroup-rules are set within the container
by reading `/sys/fs/cgroup/devices/devices`
Unlike cgroups v1, on cgroups v2, there is no file interface, and rules are handled
through ebpf, which means that the test will fail because this file is not present.
From the Linux documentation for cgroups v2: https://github.com/torvalds/linux/blob/v5.16/Documentation/admin-guide/cgroup-v2.rst#device-controller
> (...)
> Device controller manages access to device files. It includes both creation of
> new device files (using mknod), and access to the existing device files.
>
> Cgroup v2 device controller has no interface files and is implemented on top of
> cgroup BPF. To control access to device files, a user may create bpf programs
> of type BPF_PROG_TYPE_CGROUP_DEVICE and att>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- use `vendor.mod` instead of `go.mod` to avoid issues to do with
use of CalVer, not SemVer
- ensure most of the dependency versions do not change
- only zookeeper client has to change (via docker/libkv#218) as
previously used version is no longer maintained and has missing
dependencies
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The eighth patch release for containerd 1.5 contains a mitigation for CVE-2021-41190
as well as several fixes and updates.
Notable Updates
* Handle ambiguous OCI manifest parsing
* Filter selinux xattr for image volumes in CRI plugin
* Use DeactiveLayer to unlock layers that cannot be renamed in Windows snapshotter
* Fix pull failure on unexpected EOF
* Close task IO before waiting on delete
* Log a warning for ignored invalid image labels rather than erroring
* Update pull to handle of non-https urls in descriptors
See the changelog for complete list of changes
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The seventh patch release for containerd 1.5 is a security release to fix CVE-2021-41103.
Notable Updates:
- Fix insufficiently restricted permissions on container root and plugin directories
GHSA-c2h3-6mxw-7mvq
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- Install apparmor parser for arm64 and update seccomp to 2.5.1
- Update runc binary to 1.0.2
- Update hcsshim to v0.8.21 to fix layer issue on Windows Server 2019
- Add support for 'clone3' syscall to fix issue with certain images when seccomp is enabled
- Add image config labels in CRI container creation
- Fix panic in metadata content writer on copy error
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This moves installers that are only used during CI into the Dockerfile. Some
installers are still used in the release-pipeline, so keeping thos for now.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The golangci-lint, gotestsum, shfmt, and vndr utilities should generally
be ok to be pinned by version instead of a specific sha. Also rename
the corresponding env-vars / build-args accordingly:
- GOLANGCI_LINT_COMMIT -> GOLANGCI_LINT_VERSION
- GOTESTSUM_COMMIT -> GOTESTSUM_VERSION
- SHFMT_COMMIT -> SHFMT_VERSION
- VNDR_COMMIT -> VNDR_VERSION
- CONTAINERD_COMMIT -> CONTAINERD_VERSION
- RUNC_COMMIT -> RUNC_VERSION
- ROOTLESS_COMMIT -> ROOTLESS_VERSION
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
