From 82bcbdf665bb828a92c4d8a79946ecfb624a8317 Mon Sep 17 00:00:00 2001
From: zhongjiawei
Date: Tue, 9 Aug 2022 11:26:30 +0800
Subject: [PATCH] runc : fix CVE-2022-29162
---
 patch/0128-runc-fix-CVE-2022-29162.patch | 44 ++++++++++++++++++++++++
 runc-openeuler.spec | 8 ++++-
 series.conf | 1 +
 3 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 patch/0128-runc-fix-CVE-2022-29162.patch
diff --git a/patch/0128-runc-fix-CVE-2022-29162.patch b/patch/0128-runc-fix-CVE-2022-29162.patch
new file mode 100644
index 0000000..b8d1ce3
--- /dev/null
+++ b/patch/0128-runc-fix-CVE-2022-29162.patch
@@ -0,0 +1,44 @@
+From d940c8e738ce011bbfafdc6ef8af6516f8ee2191 Mon Sep 17 00:00:00 2001
+From: Vanient
+Date: Mon, 6 Jun 2022 20:23:46 +0800
+Subject: [PATCH] runc: fix CVE-2022-29162
+
+do not set inheritable capabilities
+upstream:https://github.com/opencontainers/runc/commit/98fe566c527479195ce3c8167136d2a555fe6b65
+
+Signed-off-by: Vanient
+---
+ exec.go | 1 -
+ libcontainer/specconv/example.go | 5 -----
+ 2 files changed, 6 deletions(-)
+
+diff --git a/exec.go b/exec.go
+index 9ed90ea..5e5ce00 100644
+--- a/exec.go
++++ b/exec.go
+@@ -176,7 +176,6 @@ func getProcess(context *cli.Context, bundle string) (*specs.Process, error) {
+ if caps := context.StringSlice("cap"); len(caps) > 0 {
+ for _, c := range caps {
+ p.Capabilities.Bounding = append(p.Capabilities.Bounding, c)
+- p.Capabilities.Inheritable = append(p.Capabilities.Inheritable, c)
+ p.Capabilities.Effective = append(p.Capabilities.Effective, c)
+ p.Capabilities.Permitted = append(p.Capabilities.Permitted, c)
+ p.Capabilities.Ambient = append(p.Capabilities.Ambient, c)
+diff --git a/libcontainer/specconv/example.go b/libcontainer/specconv/example.go
+index 9a4460c..973ea79 100644
+--- a/libcontainer/specconv/example.go
++++ b/libcontainer/specconv/example.go
+@@ -46,11 +46,6 @@ func Example() *specs.Spec {
+ "CAP_KILL",
+ "CAP_NET_BIND_SERVICE",
+ },
+- Inheritable: []string{
+- "CAP_AUDIT_WRITE",
+- "CAP_KILL",
+- "CAP_NET_BIND_SERVICE",
+- },
+ Ambient: []string{
+ "CAP_AUDIT_WRITE",
+ "CAP_KILL",
+--
+2.27.0
diff --git a/runc-openeuler.spec b/runc-openeuler.spec
index 959955b..0b176d6 100644
--- a/runc-openeuler.spec
+++ b/runc-openeuler.spec
@@ -2,7 +2,7 @@ Name: docker-runc
 Version: 1.0.0.rc3
-Release: 203
+Release: 204
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
 License: ASL 2.0 
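Review bot: The exec.go hunk still appends every `--cap` value to `p.Capabilities.Ambient` while no longer adding it to `Inheritable`, and the kernel only honours an ambient raise for a capability that is present in both the permitted and inheritable sets, so on this 1.0.0.rc3-based tree `runc exec --cap` may now fail with EPERM at the point where the ambient set is applied, unless the capability-applying code in this tree handles the inheritable set itself. The backport should be checked with an exec test that asserts both that the process's CapInh is empty and that the requested capability still ends up in CapAmb; the upstream commit named in the patch header may carry such a test, and the patch description should state which parts of that commit were left out. Both `getProcess` and `Example` continue outside the two inner hunks.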
@@ -41,6 +41,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
 %{_bindir}/runc
 %changelog
+* Tue Aug 09 2022 zhongjiawei - 1.0.0.rc3-204
+- Type:CVE
+- CVE:CVE-2022-29162
+- SUG:NA
+- DESC:do not set inheritable capabilities
+
 * Fri Aug 20 2021 wangqing - 1.0.0.rc3-203
 - Type:bugfix
 - ID:NA
diff --git a/series.conf b/series.conf
index 61705ca..2bd51ad 100644
--- a/series.conf
+++ b/series.conf
@@ -121,3 +121,4 @@
 0124-runc-fix-freezing-race.patch
 0126-runc-add-mount-destination-validation-fix-CVE-2021.patch
 0127-runc-fix-systemd-cgroup-after-memory-type-changed.patch
+0128-runc-fix-CVE-2022-29162.patch
-- Gitee