From beffb076ba604198017836cc8e1589e1af46471c Mon Sep 17 00:00:00 2001
From: wang--ge
Date: Mon, 21 Nov 2022 16:06:15 +0800
Subject: [PATCH] add errnoRet in Syscall struct
---
 ...-runc-add-errnoRet-in-Syscall-struct.patch | 182 ++++++++++++++++++
 runc.spec | 8 +-
 series.conf | 1 +
 3 files changed, 190 insertions(+), 1 deletion(-)
 create mode 100644 patch/0134-runc-add-errnoRet-in-Syscall-struct.patch
diff --git a/patch/0134-runc-add-errnoRet-in-Syscall-struct.patch b/patch/0134-runc-add-errnoRet-in-Syscall-struct.patch
new file mode 100644
index 0000000..1504f03
--- /dev/null
+++ b/patch/0134-runc-add-errnoRet-in-Syscall-struct.patch
@@ -0,0 +1,182 @@ +From f3daefee2a044dac912afccb52a724a7fe710caf Mon Sep 17 00:00:00 2001 +From: wang--ge +Date: Sat, 19 Nov 2022 15:43:51 +0800 +Subject: [PATCH] honor seccomp errnoRet + +--- + libcontainer/configs/config.go | 1 + + libcontainer/integration/seccomp_test.go | 72 +++++++++++++++++++ + libcontainer/seccomp/seccomp_linux.go | 12 +++- + libcontainer/specconv/spec_linux.go | 1 + + .../runtime-spec/specs-go/config.go | 1 + + 5 files changed, 84 insertions(+), 3 deletions(-) + +diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go +index 9074c86..7dd4bde 100644 +--- a/libcontainer/configs/config.go ++++ b/libcontainer/configs/config.go +@@ -78,6 +78,7 @@ type Arg struct { + type Syscall struct { + Name string `json:"name"` + Action Action `json:"action"` ++ ErrnoRet *uint `json:"errnoRet"` + Priority uint8 `json:"priority,omitempty"` + Args []*Arg `json:"args"` + } +diff --git a/libcontainer/integration/seccomp_test.go b/libcontainer/integration/seccomp_test.go +index 8e2c7cd..72d0d96 100644 +--- a/libcontainer/integration/seccomp_test.go ++++ b/libcontainer/integration/seccomp_test.go +@@ -12,6 +12,78 @@ import ( + libseccomp "github.com/seccomp/libseccomp-golang" + ) + ++func TestSeccompDenyGetcwdWithErrno(t *testing.T) { ++ if testing.Short() { ++ return ++ } ++ ++ rootfs, err := newRootfs() ++ if err != nil { ++ t.Fatal(err) ++ } ++ defer remove(rootfs) ++ ++ errnoRet := uint(syscall.ESRCH) ++ ++ config := newTemplateConfig(rootfs) ++ config.Seccomp = &configs.Seccomp{ ++ DefaultAction: configs.Allow, ++ Syscalls: []*configs.Syscall{ ++ { ++ Name: "getcwd", ++ Action: configs.Errno, ++ ErrnoRet: &errnoRet, ++ }, ++ }, ++ } ++ ++ container, err := newContainer(config) ++ if err != nil { ++ t.Fatal(err) ++ } ++ defer container.Destroy() ++ ++ buffers := newStdBuffers() ++ pwd := &libcontainer.Process{ ++ Cwd: "/", ++ Args: []string{"pwd"}, ++ Env: standardEnvironment, ++ Stdin: buffers.Stdin, ++ Stdout: buffers.Stdout, ++ Stderr: 
buffers.Stderr, ++ Init: true, ++ } ++ ++ err = container.Run(pwd) ++ if err != nil { ++ t.Fatal(err) ++ } ++ ps, err := pwd.Wait() ++ if err == nil { ++ t.Fatal("Expecting error (negative return code); instead exited cleanly!") ++ } ++ ++ var exitCode int ++ status := ps.Sys().(syscall.WaitStatus) ++ if status.Exited() { ++ exitCode = status.ExitStatus() ++ } else if status.Signaled() { ++ exitCode = -int(status.Signal()) ++ } else { ++ t.Fatalf("Unrecognized exit reason!") ++ } ++ ++ if exitCode == 0 { ++ t.Fatalf("Getcwd should fail with negative exit code, instead got %d!", exitCode) ++ } ++ ++ expected := "pwd: getcwd: No such process" ++ actual := strings.Trim(buffers.Stderr.String(), "\n") ++ if actual != expected { ++ t.Fatalf("Expected output %s but got %s\n", expected, actual) ++ } ++} ++ + func TestSeccompDenyGetcwd(t *testing.T) { + if testing.Short() { + return +diff --git a/libcontainer/seccomp/seccomp_linux.go b/libcontainer/seccomp/seccomp_linux.go +index 0c97da6..26cec43 100644 +--- a/libcontainer/seccomp/seccomp_linux.go ++++ b/libcontainer/seccomp/seccomp_linux.go +@@ -36,7 +36,7 @@ func InitSeccomp(config *configs.Seccomp) error { + return fmt.Errorf("cannot initialize Seccomp - nil config passed") + } + +- defaultAction, err := getAction(config.DefaultAction) ++ defaultAction, err := getAction(config.DefaultAction, nil) + if err != nil { + return fmt.Errorf("error initializing seccomp - invalid default action") + } +@@ -100,17 +100,23 @@ func IsEnabled() bool { + } + + // Convert Libcontainer Action to Libseccomp ScmpAction +-func getAction(act configs.Action) (libseccomp.ScmpAction, error) { ++func getAction(act configs.Action, errnoRet *uint) (libseccomp.ScmpAction, error) { + switch act { + case configs.Kill: + return actKill, nil + case configs.Errno: ++ if errnoRet != nil { ++ return libseccomp.ActErrno.SetReturnCode(int16(*errnoRet)), nil ++ } + return actErrno, nil + case configs.Trap: + return actTrap, nil + case configs.Allow: + return 
actAllow, nil + case configs.Trace: ++ if errnoRet != nil { ++ return libseccomp.ActTrace.SetReturnCode(int16(*errnoRet)), nil ++ } + return actTrace, nil + default: + return libseccomp.ActInvalid, fmt.Errorf("invalid action, cannot use in rule") +@@ -173,7 +179,7 @@ func matchCall(filter *libseccomp.ScmpFilter, call *configs.Syscall) error { + } + + // Convert the call's action to the libseccomp equivalent +- callAct, err := getAction(call.Action) ++ callAct, err := getAction(call.Action, call.ErrnoRet) + if err != nil { + return err + } +diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go +index 0cbc66f..8177739 100644 +--- a/libcontainer/specconv/spec_linux.go ++++ b/libcontainer/specconv/spec_linux.go +@@ -758,6 +758,7 @@ func setupSeccomp(config *specs.LinuxSeccomp) (*configs.Seccomp, error) { + newCall := configs.Syscall{ + Name: name, + Action: newAction, ++ ErrnoRet: call.ErrnoRet, + Priority: call.Priority, + Args: []*configs.Arg{}, + } +diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go +index 8439744..ec8096a 100644 +--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go ++++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go +@@ -556,6 +556,7 @@ type LinuxSeccompArg struct { + type LinuxSyscall struct { + Names []string `json:"names"` + Action LinuxSeccompAction `json:"action"` ++ ErrnoRet *uint `json:"errnoRet,omitempty"` + Priority uint8 `json:"priority,omitempty"` + Args []LinuxSeccompArg `json:"args"` + Comment string `json:"comment"` +-- +2.27.0 + diff --git a/runc.spec b/runc.spec index 99e65ac..906fda8 100644 --- a/runc.spec +++ b/runc.spec @@ -4,7 +4,7 @@ Name: docker-runc Version: 1.0.0.rc3 -Release: 305 +Release: 306 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification. License: ASL 2.0 
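Review bot: In getAction (the seccomp_linux.go part of this hunk), `int16(*errnoRet)` narrows an operator-supplied uint with no range check, so an errnoRet above 32767 in the OCI config is silently wrapped and the installed filter returns a different code than the one configured; SetReturnCode appears to shift the code into the upper bits of the action, so a wrapped negative value would likely corrupt the action as well. ErrnoRet is copied straight through in setupSeccomp (the spec_linux.go part) without validation, so the check belongs in getAction, once before the switch: `if errnoRet != nil && *errnoRet > 0x7fff {` / `return libseccomp.ActInvalid, fmt.Errorf("invalid errnoRet %d: must fit in int16", *errnoRet)` / `}`. Rejecting the config up front is preferable to installing a filter whose behaviour differs from what was requested. The new Syscall.ErrnoRet field in configs/config.go also deserves a doc comment, e.g. `// ErrnoRet is the return code used for the Errno and Trace actions; nil keeps the package defaults.`, since the field is only honored for those two actions in this change.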
@@ -53,6 +53,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
 %{_bindir}/runc %changelog +* Mon Nov 21 2022 Ge Wang - 1.0.0.rc3-306 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:add errnoRet in Syscall struct + * Wed Sep 28 2022 zhongjiawei - 1.0.0.rc3-305 - Type:bugfix - CVE:NA
diff --git a/series.conf b/series.conf
index bbc44b0..468ec84 100644
--- a/series.conf
+++ b/series.conf
@@ -132,4 +132,5 @@ patch/0128-runc-fix-CVE-2022-29162.patch
 patch/0131-runc-change-Umask-to-0022.patch
 patch/0132-runc-fix-systemd-cgroup-after-memory-type-changed.patch
 patch/0133-runc-add-CGO-sercuity-build-options.patch
+patch/0134-runc-add-errnoRet-in-Syscall-struct.patch
 #end
-- Gitee