diff --git a/0050-lxc-Add-sw64-architecture.patch b/0050-lxc-Add-sw64-architecture.patch
index b8b0696cdf7a23486f3957d2141369d0aafbdfc6..59ab125e31c757e094f47012e68f4ab0fd4bf7eb 100644
--- a/0050-lxc-Add-sw64-architecture.patch
+++ b/0050-lxc-Add-sw64-architecture.patch
@@ -12,7 +12,7 @@ diff --git a/src/lxc/syscall_numbers.h b/src/lxc/syscall_numbers.h
index bfd0e57..803eab7 100644
--- a/src/lxc/syscall_numbers.h
+++ b/src/lxc/syscall_numbers.h
-@@ -377,6 +377,8 @@
+@@ -357,6 +357,8 @@
#ifndef __NR_pidfd_send_signal
#if defined __alpha__
#define __NR_pidfd_send_signal 534
diff --git a/0059-remove-process-inheritable-capability.patch b/0059-remove-process-inheritable-capability.patch
new file mode 100644
index 0000000000000000000000000000000000000000..302b60d64704dabb069e6b9f3ce9ba7b4fb1ee35
--- /dev/null
+++ b/0059-remove-process-inheritable-capability.patch
@@ -0,0 +1,27 @@
+From 581c6ae008a3ff1f36f00572371326b0d86efd9c Mon Sep 17 00:00:00 2001
+From: zhangxiaoyu
+Date: Tue, 21 Feb 2023 10:38:45 +0800
+Subject: [PATCH] remove process inheritable capability
+
+Signed-off-by: zhangxiaoyu
+---
+ src/lxc/conf.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/lxc/conf.c b/src/lxc/conf.c
+index 7f98811..19cf5e3 100644
+--- a/src/lxc/conf.c
++++ b/src/lxc/conf.c
+@@ -5284,7 +5284,8 @@ int lxc_drop_caps(struct lxc_conf *conf)
+ if (caplist[i]) {
+ cap_data[CAP_TO_INDEX(i)].effective = cap_data[CAP_TO_INDEX(i)].effective | (i > 31 ? __DEF_CAP_TO_MASK(i % 32) : __DEF_CAP_TO_MASK(i));
+ cap_data[CAP_TO_INDEX(i)].permitted = cap_data[CAP_TO_INDEX(i)].permitted | (i > 31 ? __DEF_CAP_TO_MASK(i % 32) : __DEF_CAP_TO_MASK(i));
+- cap_data[CAP_TO_INDEX(i)].inheritable = cap_data[CAP_TO_INDEX(i)].inheritable | (i > 31 ? __DEF_CAP_TO_MASK(i % 32) : __DEF_CAP_TO_MASK(i));
++ // fix CVE-2022-24769
++ // inheritable capability should be empty
+ }
+ }
+
+-- 
+2.25.1
+
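Review bot: The added comment `// inheritable capability should be empty` only holds if `cap_data[CAP_TO_INDEX(i)].inheritable` is still zero from however `cap_data` was initialised, which is outside this hunk; lxc_drop_caps starts and ends outside the hunk as well, so please confirm the array is zero-initialised (or explicitly cleared) before the loop, otherwise dropping the removed assignment leaves the inheritable set unchanged rather than empty. I would also state why the set must be empty instead of only citing the CVE number, e.g. `// Leave .inheritable at zero: an empty inheritable set nulls the P(inheritable) & F(inheritable) term on execve and forces the ambient set to stay empty.` As far as I know CVE-2022-24769 was filed against Moby's default inheritable capabilities, so the patch description should say this is the analogous hardening applied to lxc_drop_caps rather than a fix for an lxc-specific CVE.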
diff --git a/apply-patches b/apply-patches
index f866a3f3f8c23714cfb58ecdba6070271c60f6e2..136ca222f7342c0bd70378f07514f68b0261a7f1 100755
--- a/apply-patches
+++ b/apply-patches
@@ -1,3 +1,4 @@
+#!/bin/bash
#######################################################################
##- @Copyright (C) Huawei Technologies., Ltd. 2019. All rights reserved.
# - lcr licensed under the Mulan PSL v2.
@@ -12,19 +13,21 @@
##- @Author: lifeng
##- @Create: 2019-04-25
#######################################################################
-#!/bin/bash
set -ex
-pkg=lxc-4.0.3
-cwd=$PWD
-src=$cwd/lxc-4.0.3
+dir_name=$(tar -tzf *.tar.gz | head -1 | cut -f1 -d"/")
+if [ -e $dir_name ]; then
+ echo "directory $dir_name exist, please remove it"
+ exit 1
+fi
-tar -xzvf $pkg.tar.gz
+tar -xzvf $dir_name.tar.gz
-cd $src
+cwd=$PWD
+cd $cwd/$dir_name
-cat $cwd/series.conf | while read line
+grep -E "Patch[0-9]{4}:\s*[0-9]{4}-.*\.patch" $cwd/lxc.spec | awk '{print $2}' | while read line
do
if [[ $line == '' || $line =~ ^\s*# ]]; then
continue
@@ -33,4 +36,12 @@ do
patch -p1 -F1 -s < $cwd/$line
done
+git init .
+git add .
+git config --local user.name "isuladci"
+git config --local user.email "isulad@ci.com"
+git commit -m "init repo"
+git config --local --unset user.name
+git config --local --unset user.email
+
cd $cwd
diff --git a/lxc.spec b/lxc.spec
index c36369be35423336846e1f10be86ce03c5f6ffe6..180ce93596f73ae7ed4f9b9c1f69c82cd51a1f7d 100644
--- a/lxc.spec
+++ b/lxc.spec
@@ -1,4 +1,4 @@
-%global _release 2022102410
+%global _release 2022102411
Name: lxc
Version: 4.0.3
@@ -66,6 +66,7 @@ Patch0055: 0055-add-sscanf-adapation-code-for-musl.patch
Patch0056: 0056-fix-cve-CVE-2022-47952-log-leaks-root-information.patch
Patch0057: 0057-fix-lxc-write-error-message.patch
Patch0058: 0058-add-loongarch64-support-for-lxc.patch
+Patch0059: 0059-remove-process-inheritable-capability.patch
BuildRequires: systemd-units git libtool graphviz docbook2X doxygen chrpath
BuildRequires: pkgconfig(libseccomp)
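Review bot: With only `set -ex`, the new `grep -E ... | awk '{print $2}' | while read line` pipeline silently applies nothing when the regex matches no `PatchNNNN:` line in lxc.spec: grep exits 1, but the pipeline's status is that of the trailing `while`, so the script continues and an unpatched tree gets built. Add `set -o pipefail` beside `set -ex` (or fail explicitly when the match list is empty) so a spec-format change breaks the build instead of dropping every patch. `dir_name=$(tar -tzf *.tar.gz | head -1 | cut -f1 -d"/")` also assumes exactly one tarball in the directory; with two, I believe tar treats the second name as an archive member to list and `dir_name` ends up empty. Since `dir_name` is derived from the tarball's contents, quote it in the `-e` test and the `cd`: `cd "$cwd/$dir_name"`.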
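Review bot: The committer identity is set with `git config --local user.name`/`user.email` and unset two lines later, but under `set -e` a failing `git commit` exits the script before the `--unset` lines run and leaves the identity in the extracted tree's config. Passing it on the command line avoids the set/unset pair entirely: `git -c user.name="isuladci" -c user.email="isulad@ci.com" commit -m "init repo"`. Minor, but it removes four lines of state handling from the new block.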
@@ -246,6 +247,12 @@ make check
%endif
%changelog
+* Tue Feb 21 2023 zhangxiaoyu - 4.0.3-2022102411
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC: remove process inheritable capabilities
+
* Thu Feb 09 2023 Wenlong Zhang - 4.0.3-2022102410
- Type:bugfix
- ID:NA
diff --git a/series.conf b/series.conf
deleted file mode 100644
index 8670976b14812a9edacca87c0eeba324bc5582d0..0000000000000000000000000000000000000000
--- a/series.conf
+++ /dev/null
@@ -1,58 +0,0 @@
-0001-huawei-adapt-to-huawei-4.0.3.patch
-0002-add-mount-label-for-rootfs.patch
-0003-format-code-and-verify-mount-mode.patch
-0004-Removes-the-definition-of-the-thread-attributes-obje.patch
-0005-solve-coredump-bug-caused-by-fstype-being-NULL-durin.patch
-0006-SIGTERM-do-not-catch-signal-SIGTERM-in-lxc-monitor.patch
-0007-Using-string-type-instead-of-security_context_t-beca.patch
-0008-hook-pass-correct-mount-dir-as-root-to-hook.patch
-0009-cgroup-refact-cgroup-manager-to-single-file.patch
-0010-cgfsng-adjust-log-level-from-error-to-warn.patch
-0011-rootfs-add-make-private-for-root.path-parent.patch
-0012-mount-make-possible-to-bind-mount-proc-and-sys-fs.patch
-0013-use-path-based-unix-domain-sockets-instead-of-abstra.patch
-0014-api-add-get-container-metrics-api.patch
-0015-Streaming-IO-solution-optimization-and-enhancement.patch
-0016-avoid-using-void-pointers-in-caclulation.patch
-0017-fix-compilation-errors-without-libcap.patch
-0018-IO-fix-io-data-miss-when-exec-with-pipes.patch
-0019-metrics-add-total_inactive_file-metric-for-memory.patch
-0020-support-cgroup-v2.patch
-0021-support-isula-exec-workdir.patch
-0022-print-error-message-if-process-workdir-failed.patch
-0023-log-support-long-syslog-tag.patch
-0024-log-adjust-log-level-from-error-to-warn.patch
-0025-get-cgroup-data-len-first-and-malloc-read-buff-by-le.patch
-0026-coredump-fix-coredump-when-cgroup-get-return-error.patch
-0027-add-help-for-new-arguments.patch
-0028-seccomp-init-and-destroy-notifier.cookie.patch
-0029-just-use-origin-loop-if-do-not-have-io.patch
-0030-conf-fix-a-memory-leak.patch
-0031-fix-lsm_se_mount_context-memory-leak.patch
-0032-disable-lxc_keep-with-oci-image.patch
-0033-conf-ensure-that-the-idmap-pointer-itself-is-freed.patch
-0034-cgfsng-fix-cgroup-attach-cgroup-creation.patch
-0035-adapt-upstream-compiler-settings.patch
-0036-compile-in-android-env.patch
-0037-fix-always-print-and-temp-len.patch
-0038-just-print-error-when-new-lock-failed.patch
-0039-fix-bug-of-memory-free.patch
-0040-refactor-the-way-to-convert-selinux-label-to-shared.patch
-0041-do-not-free-the-pointer-returned-by-dirname.patch
-0042-add-x-permission-when-create-directory.patch
-0043-do-not-operate-playload-and-attach-cgroup-if-no-cont.patch
-0044-fix-HOME-env-unset-error.patch
-0045-only-set-user-or-image-set-non-empty-HOME.patch
-0046-return-fail-if-no-args-or-no-rootfs-path-found.patch
-0047-fix-tools-with-option-give-error-message.patch
-0048-fix-do-mask-paths-after-parent-mounted.patch
-0049-skip-kill-cgroup-processes-if-no-hierarchies.patch
-0050-lxc-Add-sw64-architecture.patch
-0051-add-macro-to-adapt-musl-libc.patch
-0052-add-lxc-attach-add-gids-option.patch
-0053-change-the-suffi-parameter-in-lxc-attach-help-output.patch
-0054-rollback-strprint-code-modified.patch
-0055-add-sscanf-adapation-code-for-musl.patch
-0056-fix-cve-CVE-2022-47952-log-leaks-root-information.patch
-0057-fix-lxc-write-error-message.patch
-0058-add-loongarch64-support-for-lxc.patch