[pkg-go] Bug#1020906: libpod: CVE-2022-27649

Vignesh Raman vignesh.raman at collabora.com
Wed Sep 28 11:20:38 BST 2022


Source: libpod
Version: 3.0.1+dfsg1-3+deb11u1
Severity: important
Tags: patch
X-Debbugs-Cc: vignesh.raman at collabora.com

Dear Maintainer,

The following vulnerability for libpod is fixed in bookworm,
https://security-tracker.debian.org/tracker/CVE-2022-27649

We have backported the CVE fixes to bullseye since we are working on
a Debian bullseye derivative and want to send the patches to Debian.
We understand these issues are not DSA and have to go through a point
release.

Please could you review the attached patch and apply in bullseye.
I have also created a merge request for review
https://salsa.debian.org/debian/libpod/-/merge_requests/7

Regards,
Vignesh

-- System Information:
Debian Release: 11.1
  APT prefers stable
  APT policy: (700, 'stable'), (650, 'testing'), (600, 'unstable'), (500, 'stable-updates'), (500, 'stable-security')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-9-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
-------------- next part --------------
>From d2848c44440281ed94992c4b23c5899e36afc1af Mon Sep 17 00:00:00 2001
From: Andre Moreira Magalhaes <andrunko at gmail.com>
Date: Mon, 19 Sep 2022 11:03:21 -0300
Subject: [PATCH] do not set the inheritable capabilities

The kernel never sets the inheritable capabilities for a process, they
are only set by userspace.  Emulate the same behavior.

Closes: CVE-2022-27649

(backported from upstream commit 7b368768c2990b9781b2b6813e1c7f91c7e6cb13)
---
 libpod/oci_conmon_linux.go       | 7 +++++--
 pkg/specgen/generate/security.go | 7 +++++--
 test/e2e/run_test.go             | 6 +++---
 3 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
index 38ffba7d2..b073feee1 100644
--- a/libpod/oci_conmon_linux.go
+++ b/libpod/oci_conmon_linux.go
@@ -1281,11 +1281,14 @@ func prepareProcessExec(c *Container, options *ExecOptions, env []string, sessio
 	} else {
 		pspec.Capabilities.Bounding = ctrSpec.Process.Capabilities.Bounding
 	}
+
+	// Always unset the inheritable capabilities similarly to what the Linux kernel does
+	// They are used only when using capabilities with uid != 0.
+	pspec.Capabilities.Inheritable = []string{}
+
 	if execUser.Uid == 0 {
 		pspec.Capabilities.Effective = pspec.Capabilities.Bounding
-		pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding
 		pspec.Capabilities.Permitted = pspec.Capabilities.Bounding
-		pspec.Capabilities.Ambient = pspec.Capabilities.Bounding
 	} else {
 		if user == c.config.User {
 			pspec.Capabilities.Effective = ctrSpec.Process.Capabilities.Effective
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
index fb45d87db..c18f83217 100644
--- a/pkg/specgen/generate/security.go
+++ b/pkg/specgen/generate/security.go
@@ -130,6 +130,10 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
 
 	configSpec := g.Config
 	configSpec.Process.Capabilities.Ambient = []string{}
+
+	// Always unset the inheritable capabilities similarly to what the Linux kernel does
+	// They are used only when using capabilities with uid != 0.
+	configSpec.Process.Capabilities.Inheritable = []string{}
 	configSpec.Process.Capabilities.Bounding = caplist
 
 	user := strings.Split(s.User, ":")[0]
@@ -137,7 +141,6 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
 	if (user == "" && s.UserNS.NSMode != specgen.KeepID) || user == "root" || user == "0" {
 		configSpec.Process.Capabilities.Effective = caplist
 		configSpec.Process.Capabilities.Permitted = caplist
-		configSpec.Process.Capabilities.Inheritable = caplist
 	} else {
 		userCaps, err := capabilities.MergeCapabilities(nil, s.CapAdd, nil)
 		if err != nil {
@@ -145,12 +148,12 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
 		}
 		configSpec.Process.Capabilities.Effective = userCaps
 		configSpec.Process.Capabilities.Permitted = userCaps
-		configSpec.Process.Capabilities.Inheritable = userCaps
 
 		// Ambient capabilities were added to Linux 4.3.  Set ambient
 		// capabilities only when the kernel supports them.
 		if supportAmbientCapabilities() {
 			configSpec.Process.Capabilities.Ambient = userCaps
+			configSpec.Process.Capabilities.Inheritable = userCaps
 		}
 	}
 
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index bff3995df..17fea3b99 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -383,7 +383,7 @@ var _ = Describe("Podman run", func() {
 		session = podmanTest.Podman([]string{"run", "--rm", "--user", "root", ALPINE, "grep", "CapInh", "/proc/self/status"})
 		session.WaitWithDefaultTimeout()
 		Expect(session.ExitCode()).To(Equal(0))
-		Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
+		Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
 
 		session = podmanTest.Podman([]string{"run", "--rm", ALPINE, "grep", "CapBnd", "/proc/self/status"})
 		session.WaitWithDefaultTimeout()
@@ -418,7 +418,7 @@ var _ = Describe("Podman run", func() {
 		session = podmanTest.Podman([]string{"run", "--user=0:0", "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"})
 		session.WaitWithDefaultTimeout()
 		Expect(session.ExitCode()).To(Equal(0))
-		Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
+		Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
 
 		if os.Geteuid() > 0 {
 			if os.Getenv("SKIP_USERNS") != "" {
@@ -435,7 +435,7 @@ var _ = Describe("Podman run", func() {
 			session = podmanTest.Podman([]string{"run", "--userns=keep-id", "--privileged", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"})
 			session.WaitWithDefaultTimeout()
 			Expect(session.ExitCode()).To(Equal(0))
-			Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
+			Expect(session.OutputToString()).To(ContainSubstring("0000000000000002"))
 
 			session = podmanTest.Podman([]string{"run", "--userns=keep-id", "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"})
 			session.WaitWithDefaultTimeout()
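Review bot: The expectation rewritten for the `--userns=keep-id --privileged` run now requires CapInh to contain `0000000000000002`, which is the mask for CAP_DAC_OVERRIDE alone; that value fits the `--cap-add=DAC_OVERRIDE` run that follows it (whose assertion is outside the hunk) more naturally than a privileged run, and in the security.go hunk a non-root user's inheritable set is derived from s.CapAdd via MergeCapabilities. It is worth confirming that this hunk landed on the intended assertion and that the new value was actually observed on a bullseye build, since the two root-user hunks above consistently drop the a80425fb mask to zero while this one is the only expectation that grows. The enclosing Describe block continues outside the hunk.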
-- 
2.37.2


