diff --git a/0023-remove-process-inheritable-capability.patch b/0023-remove-process-inheritable-capability.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f8b7984d39e38485ab4571c954265e825fb9bce6
--- /dev/null
+++ b/0023-remove-process-inheritable-capability.patch
@@ -0,0 +1,27 @@
+From d232c098c9a75fce2b7e6da55faa89cd546d3dc9 Mon Sep 17 00:00:00 2001
+From: isuladci
+Date: Tue, 31 Jan 2023 19:14:57 +0800
+Subject: [PATCH] remove process inheritable capability
+
+Signed-off-by: zhangxiaoyu
+---
+ src/lxc/conf.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/lxc/conf.c b/src/lxc/conf.c
+index 439601a..c478bf2 100644
+--- a/src/lxc/conf.c
++++ b/src/lxc/conf.c
+@@ -5528,7 +5528,8 @@ int lxc_drop_caps(struct lxc_conf *conf)
+ if (caplist[i]) {
+ cap_data[CAP_TO_INDEX(i)].effective = cap_data[CAP_TO_INDEX(i)].effective | (i > 31 ? __DEF_CAP_TO_MASK(i % 32) : __DEF_CAP_TO_MASK(i));
+ cap_data[CAP_TO_INDEX(i)].permitted = cap_data[CAP_TO_INDEX(i)].permitted | (i > 31 ? __DEF_CAP_TO_MASK(i % 32) : __DEF_CAP_TO_MASK(i));
+- cap_data[CAP_TO_INDEX(i)].inheritable = cap_data[CAP_TO_INDEX(i)].inheritable | (i > 31 ? __DEF_CAP_TO_MASK(i % 32) : __DEF_CAP_TO_MASK(i));
++ // fix CVE-2022-24769
++ // inheritable capability should be empty
+ }
+ }
+ 
+--
+2.25.1
+
diff --git a/apply-patches b/apply-patches
index da3fc371fce458188def87dabb7bb3ab5aa3ccb3..136ca222f7342c0bd70378f07514f68b0261a7f1 100755
--- a/apply-patches
+++ b/apply-patches
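Review bot: The nested conf.c change stops OR-ing bits into `cap_data[CAP_TO_INDEX(i)].inheritable` but never assigns the field, so "inheritable capability should be empty" now holds only if cap_data is zero-initialised where it is declared, which is outside this hunk (lxc_drop_caps begins and ends outside it). Replacing the two comment-only lines with `cap_data[CAP_TO_INDEX(i)].inheritable = 0;` makes the contract explicit in code and survives any later change to that initializer. The comment should also state the reason rather than only the identifier, e.g. `/* CVE-2022-24769: keep the inheritable set empty so file capabilities on execve cannot re-grant capabilities the container dropped */`; since the kernel lowers ambient bits whose inheritable bit is cleared, this presumably empties the ambient set as well, which is worth noting there. Whether the mask expression `i > 31 ? __DEF_CAP_TO_MASK(i % 32) : __DEF_CAP_TO_MASK(i)` is still needed twice is a separate, pre-existing style point.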
@@ -16,15 +16,18 @@ set -ex -pkg=lxc-4.0.3 -cwd=$PWD -src=$cwd/lxc-4.0.3 +dir_name=$(tar -tzf *.tar.gz | head -1 | cut -f1 -d"/") +if [ -e $dir_name ]; then + echo "directory $dir_name exist, please remove it" + exit 1 +fi -tar -xzvf $pkg.tar.gz +tar -xzvf $dir_name.tar.gz -cd $src +cwd=$PWD +cd $cwd/$dir_name -cat $cwd/series.conf | while read line +grep -E "Patch[0-9]{4}:\s*[0-9]{4}-.*\.patch" $cwd/lxc.spec | awk '{print $2}' | while read line do if [[ $line == '' || $line =~ ^\s*# ]]; then continue @@ -38,5 +41,7 @@ git add . git config --local user.name "isuladci" git config --local user.email "isulad@ci.com" git commit -m "init repo" +git config --local --unset user.name +git config --local --unset user.email cd $cwd diff --git a/lxc.spec b/lxc.spec index 235c17ab47a2478c112a12bbe8c8f0f1b7a4cc25..edee370f7ccb7acf9ee2c81db7bc286a5322f962 100644 --- a/lxc.spec +++ b/lxc.spec @@ -1,4 +1,4 @@ -%global _release 2022102408 +%global _release 2022102409 Name: lxc Version: 4.0.3 @@ -30,6 +30,7 @@ Patch0019: 0019-add-lxc-attach-add-gids-option.patch Patch0020: 0020-add-sscanf-adapation-code-for-musl.patch Patch0021: 0021-change-the-suffi-parameter-in-lxc-attach-help-output.patch Patch0022: 0022-fix-cve-CVE-2022-47952-log-leaks-root-information.patch +Patch0023: 0023-remove-process-inheritable-capability.patch BuildRequires: systemd-units git libtool graphviz docbook2X doxygen chrpath BuildRequires: pkgconfig(libseccomp) @@ -210,6 +211,12 @@ rm -rf %{buildroot}%{_sysconfdir}/default/%{name} %endif %changelog +* Fri Feb 17 2023 zhangxiaoyu - 4.0.3-2022102409 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC: remove process inheritable capabilities + * Mon Feb 13 2023 jiangxinyu - 4.0.3-2022102408 - Type:enhancement - ID:NA diff --git a/series.conf b/series.conf deleted file mode 100644 index 1d8bad9504069bafaaebfc0765ff8f5a53f627e9..0000000000000000000000000000000000000000 --- a/series.conf +++ /dev/null 
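Review bot: `dir_name` is expanded unquoted in the new `[ -e $dir_name ]`, `tar -xzvf $dir_name.tar.gz` and `cd $cwd/$dir_name` lines, and `tar -tzf *.tar.gz` hands every matching archive to a single tar call, so a second tarball in the directory is treated as a member name to list rather than an archive. Quote the expansions — `if [ -e "$dir_name" ]; then` and `cd "$cwd/$dir_name"` — and either check that the glob matched exactly one file or name the archive explicitly. `set -ex` in the hunk header means a failed `cd` aborts the script, but an archive whose first entry is `./` would make `cut -f1 -d"/"` yield `.`, so the existence check would always trip; the second hunk's `git config --local --unset` lines look fine.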
@@ -1,21 +0,0 @@
-0001-refactor-patch-code-of-utils-commands-and-so-on.patch
-0002-refactor-patch-code-of-isulad-for-conf-exec-attach.patch
-0003-refactor-patch-code-of-isulad-for-selinux-attach.patch
-0004-refactor-patch-code-of-lxccontianer-and-so-on.patch
-0005-refactor-patch-code-of-attach-and-seccomp.patch
-0006-refactor-patch-about-namespace-log-terminal.patch
-0007-refactor-patches-on-terminal.c-start.c-and-so-on.patch
-0008-refactor-patch-code-of-json.patch
-0009-fix-HOME-env-of-container-unset-error.patch
-0010-check-yajl-only-when-have-isulad.patch
-0011-drop-security_context_t.patch
-0012-only-set-user-or-image-set-non-empty-HOME.patch
-0013-return-fail-if-no-args-or-no-rootfs-path-found.patch
-0014-fix-tools-using-option-give-error-message.patch
-0015-fix-do-mask-pathes-after-parent-mounted.patch
-0017-lxc-Add-sw64-architecture.patch
-0018-add-macro-to-adapt-musl-libc.patch
-0019-add-lxc-attach-add-gids-option.patch
-0020-add-sscanf-adapation-code-for-musl.patch
-0021-change-the-suffi-parameter-in-lxc-attach-help-output.patch
-0022-fix-cve-CVE-2022-47952-log-leaks-root-information.patch