Version in base suite: 1.0.0~rc93+ds1-5
Base version: runc_1.0.0~rc93+ds1-5
Target version: runc_1.0.0~rc93+ds1-5+deb11u2
Base file: /srv/ftp-master.debian.org/ftp/pool/main/r/runc/runc_1.0.0~rc93+ds1-5.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/r/runc/runc_1.0.0~rc93+ds1-5+deb11u2.dsc
 changelog | 14 +
 patches/CVE-2022-29162.patch | 103 +++++++++
 patches/default_retno.patch | 459 +++++++++++++++++++++++++++++++++++++++++++
 patches/series | 2
 4 files changed, 578 insertions(+)
diff -Nru runc-1.0.0~rc93+ds1/debian/changelog runc-1.0.0~rc93+ds1/debian/changelog
--- runc-1.0.0~rc93+ds1/debian/changelog 2021-05-19 18:46:14.000000000 +0000
+++ runc-1.0.0~rc93+ds1/debian/changelog 2022-06-13 11:06:00.000000000 +0000
@@ -1,3 +1,17 @@
+runc (1.0.0~rc93+ds1-5+deb11u2) bullseye; urgency=medium
+
+ * Backport upstream patch:
+ - do not set inheritable capabilities, Fixes: CVE-2022-29162
+
+ -- Reinhard Tartler Mon, 13 Jun 2022 07:06:00 -0400
+
+runc (1.0.0~rc93+ds1-5+deb11u1) bullseye; urgency=medium
+
+ * Team upload.
+ * backport upstream patch: Honor seccomp defaultErrnoRet, Closes: #1012030
+
+ -- Reinhard Tartler Sun, 12 Jun 2022 14:49:36 -0400
+
 runc (1.0.0~rc93+ds1-5) unstable; urgency=high
 * Team upload.
diff -Nru runc-1.0.0~rc93+ds1/debian/patches/CVE-2022-29162.patch runc-1.0.0~rc93+ds1/debian/patches/CVE-2022-29162.patch
--- runc-1.0.0~rc93+ds1/debian/patches/CVE-2022-29162.patch 1970-01-01 00:00:00.000000000 +0000
+++ runc-1.0.0~rc93+ds1/debian/patches/CVE-2022-29162.patch 2022-06-13 11:06:00.000000000 +0000
@@ -0,0 +1,103 @@
+commit 364ec0f1b4fa188ad96049c590ecb42fa70ea165
+Author: Kir Kolyshkin
+Date: Tue Mar 1 12:04:43 2022 -0800
+
+ runc: do not set inheritable capabilities
+
+ Do not set inheritable capabilities in runc spec, runc exec --cap,
+ and in libcontainer integration tests.
+
+ Signed-off-by: Kir Kolyshkin
+
+--- a/exec.go
++++ b/exec.go
+@@ -193,7 +193,6 @@
+ if caps := context.StringSlice("cap"); len(caps) > 0 {
+ for _, c := range caps {
+ p.Capabilities.Bounding = append(p.Capabilities.Bounding, c)
+- p.Capabilities.Inheritable = append(p.Capabilities.Inheritable, c)
+ p.Capabilities.Effective = append(p.Capabilities.Effective, c)
+ p.Capabilities.Permitted = append(p.Capabilities.Permitted, c)
+ p.Capabilities.Ambient = append(p.Capabilities.Ambient, c)
+--- a/libcontainer/README.md
++++ b/libcontainer/README.md
+@@ -92,22 +92,6 @@
+ "CAP_KILL",
+ "CAP_AUDIT_WRITE",
+ },
+- Inheritable: []string{
+- "CAP_CHOWN",
+- "CAP_DAC_OVERRIDE",
+- "CAP_FSETID",
+- "CAP_FOWNER",
+- "CAP_MKNOD",
+- "CAP_NET_RAW",
+- "CAP_SETGID",
+- "CAP_SETUID",
+- "CAP_SETFCAP",
+- "CAP_SETPCAP",
+- "CAP_NET_BIND_SERVICE",
+- "CAP_SYS_CHROOT",
+- "CAP_KILL",
+- "CAP_AUDIT_WRITE",
+- },
+ Permitted: []string{
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+--- a/libcontainer/integration/exec_test.go
++++ b/libcontainer/integration/exec_test.go
+@@ -412,7 +412,6 @@
+ pconfig.Capabilities.Bounding = append(config.Capabilities.Bounding, "CAP_NET_ADMIN")
+ pconfig.Capabilities.Permitted = append(config.Capabilities.Permitted, "CAP_NET_ADMIN")
+ pconfig.Capabilities.Effective = append(config.Capabilities.Effective, "CAP_NET_ADMIN")
+- pconfig.Capabilities.Inheritable = append(config.Capabilities.Inheritable, "CAP_NET_ADMIN")
+ err = container.Run(&pconfig)
+ ok(t, err)
+
+@@ -1593,7 +1592,6 @@
+ pconfig2.Capabilities.Bounding = append(config.Capabilities.Bounding, "CAP_SYS_ADMIN")
+ pconfig2.Capabilities.Permitted = append(config.Capabilities.Permitted, "CAP_SYS_ADMIN")
+ pconfig2.Capabilities.Effective = append(config.Capabilities.Effective, "CAP_SYS_ADMIN")
+- pconfig2.Capabilities.Inheritable = append(config.Capabilities.Inheritable, "CAP_SYS_ADMIN")
+
+ err = container.Run(pconfig2)
+ stdinR2.Close()
+--- a/libcontainer/integration/template_test.go
++++ b/libcontainer/integration/template_test.go
+@@ -69,22 +69,6 @@
+ "CAP_KILL",
+ "CAP_AUDIT_WRITE",
+ },
+- Inheritable: []string{
+- "CAP_CHOWN",
+- "CAP_DAC_OVERRIDE",
+- "CAP_FSETID",
+- "CAP_FOWNER",
+- "CAP_MKNOD",
+- "CAP_NET_RAW",
+- "CAP_SETGID",
+- "CAP_SETUID",
+- "CAP_SETFCAP",
+- "CAP_SETPCAP",
+- "CAP_NET_BIND_SERVICE",
+- "CAP_SYS_CHROOT",
+- "CAP_KILL",
+- "CAP_AUDIT_WRITE",
+- },
+ Ambient: []string{
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+--- a/libcontainer/specconv/example.go
++++ b/libcontainer/specconv/example.go
+@@ -41,11 +41,6 @@
+ "CAP_KILL",
+ "CAP_NET_BIND_SERVICE",
+ },
+- Inheritable: []string{
+- "CAP_AUDIT_WRITE",
+- "CAP_KILL",
+- "CAP_NET_BIND_SERVICE",
+- },
+ Ambient: []string{
+ "CAP_AUDIT_WRITE",
+ "CAP_KILL",
diff -Nru runc-1.0.0~rc93+ds1/debian/patches/default_retno.patch runc-1.0.0~rc93+ds1/debian/patches/default_retno.patch
--- runc-1.0.0~rc93+ds1/debian/patches/default_retno.patch 1970-01-01 00:00:00.000000000 +0000
+++ runc-1.0.0~rc93+ds1/debian/patches/default_retno.patch 2022-06-13 11:06:00.000000000 +0000
@@ -0,0 +1,459 @@
+commit c61f6062547d20b80a07e9593e9617e115773b28
+Author: Giuseppe Scrivano
+Date: Fri May 14 10:58:16 2021 +0200
+
+ libcontainer: honor seccomp defaultErrnoRet
+
+ https://github.com/opencontainers/runtime-spec/pull/1087 added support
+ for defaultErrnoRet to the OCI runtime specs.
+
+ If a defaultErrnoRet is specified, disable patching the generated
+ libseccomp cBPF.
+
+ Closes: https://github.com/opencontainers/runc/issues/2943
+
+ 
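Review bot: The two exec_test.go hunks drop the `Inheritable` append from the exec'd test processes but add nothing that asserts the resulting inheritable set is actually empty, so a regression that puts `--cap` entries back into `p.Capabilities.Inheritable` in the exec.go hunk would still pass; one check that reads `CapInh` from `/proc/self/status` inside the container and expects zero would pin the CVE-2022-29162 behaviour. The enclosing test functions and the exec command handler all start and end outside these hunks. The README.md, template_test.go and example.go hunks only change the default example spec; nothing in this patch touches how an explicit `inheritable` list in a user-supplied config.json is applied, which is worth one sentence in the changelog entry so operators know where the fix stops. The patch file also carries only the git `commit`/`Author`/`Date` header; a DEP-3 `Origin:` line naming upstream commit 364ec0f1b4fa188ad96049c590ecb42fa70ea165 and a `Bug:` reference to the CVE would let the security tracker match it mechanically.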
Signed-off-by: Giuseppe Scrivano
+
+--- a/libcontainer/configs/config.go
++++ b/libcontainer/configs/config.go
+@@ -31,9 +31,10 @@
+ // for syscalls. Additional architectures can be added by specifying them in
+ // Architectures.
+ type Seccomp struct {
+- DefaultAction Action `json:"default_action"`
+- Architectures []string `json:"architectures"`
+- Syscalls []*Syscall `json:"syscalls"`
++ DefaultAction Action `json:"default_action"`
++ Architectures []string `json:"architectures"`
++ Syscalls []*Syscall `json:"syscalls"`
++ DefaultErrnoRet *uint `json:"default_errno_ret"`
+ }
+
+ // Action is taken upon rule match in Seccomp
+--- a/libcontainer/seccomp/patchbpf/enosys_linux.go
++++ b/libcontainer/seccomp/patchbpf/enosys_linux.go
+@@ -523,6 +523,11 @@
+ }
+
+ func generatePatch(config *configs.Seccomp) ([]bpf.Instruction, error) {
++ // Patch the generated cBPF only when there is not a defaultErrnoRet set
++ // and it is different from ENOSYS
++ if config.DefaultErrnoRet != nil && *config.DefaultErrnoRet == uint(retErrnoEnosys) {
++ return nil, nil
++ }
+ // We only add the stub if the default action is not permissive.
+ if isAllowAction(config.DefaultAction) {
+ logrus.Debugf("seccomp: skipping -ENOSYS stub filter generation")
+--- a/libcontainer/seccomp/seccomp_linux.go
++++ b/libcontainer/seccomp/seccomp_linux.go
+@@ -39,7 +39,7 @@
+ return errors.New("cannot initialize Seccomp - nil config passed")
+ }
+
+- defaultAction, err := getAction(config.DefaultAction, nil)
++ defaultAction, err := getAction(config.DefaultAction, config.DefaultErrnoRet)
+ if err != nil {
+ return errors.New("error initializing seccomp - invalid default action")
+ }
+--- a/libcontainer/specconv/spec_linux.go
++++ b/libcontainer/specconv/spec_linux.go
+@@ -872,6 +872,7 @@
+ return nil, err
+ }
+ newConfig.DefaultAction = newDefaultAction
++ newConfig.DefaultErrnoRet = config.DefaultErrnoRet
+
+ // Loop through all syscall blocks and convert them to libcontainer format
+ for _, call := range config.Syscalls {
+--- a/tests/integration/seccomp.bats
++++ b/tests/integration/seccomp.bats
+@@ -22,3 +22,15 @@
+ runc run test_busybox
+ [ "$status" -eq 0 ]
+ }
++
++@test "runc run [seccomp defaultErrnoRet=ENXIO]" {
++ TEST_NAME="seccomp_syscall_test2"
++
++ # Compile the test binary and update the config to run it.
++ gcc -static -o rootfs/seccomp_test2 "${TESTDATA}/${TEST_NAME}.c"
++ update_config ".linux.seccomp = $(<"${TESTDATA}/${TEST_NAME}.json")"
++ update_config '.process.args = ["/seccomp_test2"]'
++
++ runc run test_busybox
++ [ "$status" -eq 0 ]
++}
+--- /dev/null
++++ b/tests/integration/testdata/seccomp_syscall_test2.c
+@@ -0,0 +1,12 @@
++#include
++#include
++#include
++#include
++
++int main()
++{
++ if (chdir("/") < 0 && errno == ENXIO)
++ exit(EXIT_SUCCESS);
++ fprintf(stderr, "got errno=%m\n");
++ exit(EXIT_FAILURE);
++}
+--- /dev/null
++++ b/tests/integration/testdata/seccomp_syscall_test2.json
+@@ -0,0 +1,356 @@
++{
++ "defaultAction": "SCMP_ACT_ERRNO",
++ "defaultErrnoRet": 6,
++ "architectures": [
++ "SCMP_ARCH_X86",
++ "SCMP_ARCH_X32",
++ "SCMP_ARCH_X86_64",
++ "SCMP_ARCH_AARCH64",
++ "SCMP_ARCH_ARM"
++ ],
++ "syscalls": [
++ {
++ "action": "SCMP_ACT_ALLOW",
++ "names": [
++ "accept",
++ "accept4",
++ "access",
++ "adjtimex",
++ "alarm",
++ "arch_prctl",
++ "bind",
++ "brk",
++ "capget",
++ "capset",
++ "chmod",
++ "chown",
++ "chown32",
++ "clock_adjtime",
++ "clock_adjtime64",
++ "clock_getres",
++ "clock_getres_time64",
++ "clock_gettime",
++ "clock_gettime64",
++ "clock_nanosleep",
++ "clock_nanosleep_time64",
++ "close",
++ "connect",
++ "copy_file_range",
++ "creat",
++ "dup",
++ "dup2",
++ "epoll_create",
++ "epoll_create1",
++ "epoll_ctl",
++ "epoll_ctl_old",
++ "epoll_pwait",
++ "epoll_wait",
++ "epoll_wait_old",
++ "eventfd",
++ "eventfd2",
++ "execve",
++ "execveat",
++ "exit",
++ "exit_group",
++ "faccessat",
++ "faccessat2",
++ "fadvise64",
++ "fadvise64_64",
++ "fallocate",
++ "fanotify_mark",
++ "fchdir",
++ "fchmod",
++ "fchmodat",
++ "fchown",
++ "fchown32",
++ "fchownat",
++ "fcntl",
++ "fcntl64",
++ "fdatasync",
++ "fgetxattr",
++ "flistxattr",
++ "flock",
++ "fork",
++ "fremovexattr",
++ "fsetxattr",
++ "fstat",
++ "fstat64",
++ "fstatat64",
++ "fstatfs",
++ "fstatfs64",
++ "fsync",
++ "ftruncate",
++ "ftruncate64",
++ "futex",
++ "futex_time64",
++ "futimesat",
++ "getcpu",
++ "getcwd",
++ "getdents",
++ "getdents64",
++ "getegid",
++ "getegid32",
++ "geteuid",
++ "geteuid32",
++ "getgid",
++ "getgid32",
++ "getgroups",
++ "getgroups32",
++ "getitimer",
++ "getpeername",
++ "getpgid",
++ "getpgrp",
++ "getpid",
++ "getppid",
++ "getpriority",
++ "getrandom",
++ "getresgid",
++ "getresgid32",
++ "getresuid",
++ "getresuid32",
++ "getrlimit",
++ "get_robust_list",
++ "getrusage",
++ "getsid",
++ "getsockname",
++ "getsockopt",
++ "get_thread_area",
++ "gettid",
++ "gettimeofday",
++ "getuid",
++ "getuid32",
++ "getxattr",
++ "inotify_add_watch",
++ "inotify_init",
++ "inotify_init1",
++ "inotify_rm_watch",
++ "io_cancel",
++ "ioctl",
++ "io_destroy",
++ "io_getevents",
++ "io_pgetevents",
++ "io_pgetevents_time64",
++ "ioprio_get",
++ "ioprio_set",
++ "io_setup",
++ "io_submit",
++ "io_uring_enter",
++ "io_uring_register",
++ "io_uring_setup",
++ "ipc",
++ "kill",
++ "lchown",
++ "lchown32",
++ "lgetxattr",
++ "link",
++ "linkat",
++ "listen",
++ "listxattr",
++ "llistxattr",
++ "_llseek",
++ "lremovexattr",
++ "lseek",
++ "lsetxattr",
++ "lstat",
++ "lstat64",
++ "madvise",
++ "membarrier",
++ "memfd_create",
++ "mincore",
++ "mkdir",
++ "mkdirat",
++ "mknod",
++ "mknodat",
++ "mlock",
++ "mlock2",
++ "mlockall",
++ "mmap",
++ "mmap2",
++ "modify_ldt",
++ "mprotect",
++ "mq_getsetattr",
++ "mq_notify",
++ "mq_open",
++ "mq_timedreceive",
++ "mq_timedreceive_time64",
++ "mq_timedsend",
++ "mq_timedsend_time64",
++ "mq_unlink",
++ "mremap",
++ "msgctl",
++ "msgget",
++ "msgrcv",
++ "msgsnd",
++ "msync",
++ "munlock",
++ "munlockall",
++ "munmap",
++ "nanosleep",
++ "newfstatat",
++ "_newselect",
++ "open",
++ "openat",
++ "openat2",
++ "pause",
++ "pidfd_open",
++ "pidfd_send_signal",
++ "pipe",
++ "pipe2",
++ "poll",
++ "ppoll",
++ "ppoll_time64",
++ "prctl",
++ "pread64",
++ "preadv",
++ "preadv2",
++ "prlimit64",
++ "pselect6",
++ "pselect6_time64",
++ "pwrite64",
++ "pwritev",
++ "pwritev2",
++ "read",
++ "readahead",
++ "readlink",
++ "readlinkat",
++ "readv",
++ "recv",
++ "recvfrom",
++ "recvmmsg",
++ "recvmmsg_time64",
++ "recvmsg",
++ "remap_file_pages",
++ "removexattr",
++ "rename",
++ "renameat",
++ "renameat2",
++ "restart_syscall",
++ "rmdir",
++ "rseq",
++ "rt_sigaction",
++ "rt_sigpending",
++ "rt_sigprocmask",
++ "rt_sigqueueinfo",
++ "rt_sigreturn",
++ "rt_sigsuspend",
++ "rt_sigtimedwait",
++ "rt_sigtimedwait_time64",
++ "rt_tgsigqueueinfo",
++ "sched_getaffinity",
++ "sched_getattr",
++ "sched_getparam",
++ "sched_get_priority_max",
++ "sched_get_priority_min",
++ "sched_getscheduler",
++ "sched_rr_get_interval",
++ "sched_rr_get_interval_time64",
++ "sched_setaffinity",
++ "sched_setattr",
++ "sched_setparam",
++ "sched_setscheduler",
++ "sched_yield",
++ "seccomp",
++ "select",
++ "semctl",
++ "semget",
++ "semop",
++ "semtimedop",
++ "semtimedop_time64",
++ "send",
++ "sendfile",
++ "sendfile64",
++ "sendmmsg",
++ "sendmsg",
++ "sendto",
++ "setfsgid",
++ "setfsgid32",
++ "setfsuid",
++ "setfsuid32",
++ "setgid",
++ "setgid32",
++ "setgroups",
++ "setgroups32",
++ "setitimer",
++ "setpgid",
++ "setpriority",
++ "setregid",
++ "setregid32",
++ "setresgid",
++ "setresgid32",
++ "setresuid",
++ "setresuid32",
++ "setreuid",
++ "setreuid32",
++ "setrlimit",
++ "set_robust_list",
++ "setsid",
++ "setsockopt",
++ "set_thread_area",
++ "set_tid_address",
++ "setuid",
++ "setuid32",
++ "setxattr",
++ "shmat",
++ "shmctl",
++ "shmdt",
++ "shmget",
++ "shutdown",
++ "sigaltstack",
++ "signalfd",
++ "signalfd4",
++ "sigprocmask",
++ "sigreturn",
++ "socketcall",
++ "socketpair",
++ "splice",
++ "stat",
++ "stat64",
++ "statfs",
++ "statfs64",
++ "statx",
++ "symlink",
++ "symlinkat",
++ "sync",
++ "sync_file_range",
++ "syncfs",
++ "sysinfo",
++ "tee",
++ "tgkill",
++ "time",
++ "timer_create",
++ "timer_delete",
++ "timer_getoverrun",
++ "timer_gettime",
++ "timer_gettime64",
++ "timer_settime",
++ "timer_settime64",
++ "timerfd_create",
++ "timerfd_gettime",
++ "timerfd_gettime64",
++ "timerfd_settime",
++ "timerfd_settime64",
++ "times",
++ "tkill",
++ "truncate",
++ "truncate64",
++ "ugetrlimit",
++ "umask",
++ "uname",
++ "unlink",
++ "unlinkat",
++ "utime",
++ "utimensat",
++ "utimensat_time64",
++ "utimes",
++ "vfork",
++ "vmsplice",
++ "wait4",
++ "waitid",
++ "waitpid",
++ "write",
++ "writev"
++ ]
++ }
++ ]
++}
++
diff -Nru runc-1.0.0~rc93+ds1/debian/patches/series runc-1.0.0~rc93+ds1/debian/patches/series
--- runc-1.0.0~rc93+ds1/debian/patches/series 2021-05-19 18:46:14.000000000 +0000
+++ runc-1.0.0~rc93+ds1/debian/patches/series 2022-06-13 11:06:00.000000000 +0000
@@ -13,3 +13,5 @@
 CVE-2021-30465/rc93-0003-libct-rootfs-mountCgroupV2-minor-refactor.patch
 CVE-2021-30465/rc93-0004-Fix-cgroup2-mount-for-rootless-case.patch
 CVE-2021-30465/rc93-0005-rootfs-add-mount-destination-validation.patch
+default_retno.patch
+CVE-2022-29162.patch
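Review bot: In the enosys_linux.go hunk the new comment on generatePatch contradicts the code under it: the early `return nil, nil` fires only when `DefaultErrnoRet` is non-nil and equals ENOSYS, while the comment ("only when there is not a defaultErrnoRet set and it is different from ENOSYS") and the commit message ("If a defaultErrnoRet is specified, disable patching") both read as if patching were skipped whenever a defaultErrnoRet is present. For the new bats test's `"defaultErrnoRet": 6` (ENXIO) the -ENOSYS stub named in the debug message on the next context line is therefore still generated, so whichever syscalls that stub covers will presumably return ENOSYS rather than the configured errno; if that is the intended behaviour the comment should state it, e.g. `// The -ENOSYS stub is redundant when the default errno is already ENOSYS; skip it only in that case.` The value is also copied straight from the spec (`newConfig.DefaultErrnoRet = config.DefaultErrnoRet` in the spec_linux.go hunk) into `getAction` in the seccomp_linux.go hunk; getAction is outside the hunk, so whether it bounds-checks the errno before handing it to libseccomp cannot be seen here and is worth confirming in the backport. generatePatch continues past the end of its hunk.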