!11 [sync] PR-9: Add --bind-fd and --ro-bind-fd to let you bind a O_PATH fd for flatpak fix CVE-2024-42472

From: @openeuler-sync-bot Reviewed-by: @dillon_chen Signed-off-by: @dillon_chen
Add --bind-fd and --ro-bind-fd to let you bind a O_PATH fd for flatpak fix CVE-2024-42472
2024-08-16 09:39:01 +00:00 · 2024-08-16 17:31:28 +08:00 · 2020-07-22 19:32:11 +08:00 · 2020-07-22 18:08:45 +08:00 · 2020-07-22 18:07:42 +08:00 · 2020-07-21 12:09:02 +08:00
5 changed files with 131 additions and 3 deletions
--- a/backport-Add--bind-fd-and--ro-bind-fd-to-let-you-bind-a-O_PATH-fd.patch
+++ b/backport-Add--bind-fd-and--ro-bind-fd-to-let-you-bind-a-O_PATH-fd.patch
@ -0,0 +1,117 @@
+From 68e75c3091c87583c28a439b45c45627a94d622c Mon Sep 17 00:00:00 2001
+From: Alexander Larsson <alexl@redhat.com>
+Date: Tue, 18 Jun 2024 10:20:36 +0200
+Subject: [PATCH] Add --bind-fd and --ro-bind-fd to let you bind a O_PATH fd.
+
+Origin: https://github.com/containers/bubblewrap/commit/68e75c3091c87583c28a439b45c45627a94d622c
+
+This is useful for example if you for some reason don't have the real
+path. It is also a way to make bind-mounts race-free (i.e. to have the
+mount actually be the thing you wanted to be mounted, avoiding issues
+where some other process replaces the target in parallel with the bwrap
+launch.
+
+Unfortunately due to some technical details we can't actually directly
+mount the dirfd, as they come from different user namespace which is not
+permitted, but at least we can delay resolving the fd to a path as much as
+possible, and then validate after mount that we actually mounted the right
+thing.
+
+Signed-off-by: Alexander Larsson <alexl@redhat.com>
+(cherry picked from commit a253257cd298892da43e15201d83f9a02c9b58b5)
+[smcv: Backport to 0.6.x]
+Signed-off-by: Simon McVittie <smcv@debian.org>
+---
+ bubblewrap.c      | 50 +++++++++++++++++++++++++++++++++++++++++++++++
+ tests/test-run.sh |  7 ++++++-
+ 2 files changed, 56 insertions(+), 1 deletion(-)
+
+diff --git a/bubblewrap.c b/bubblewrap.c
+index b17ff990..1d2cc41c 100644
+--- a/bubblewrap.c
+++ b/bubblewrap.c
+@@ -317,6 +317,8 @@ usage (int ecode, FILE *out)
+            "    --dev-bind-try SRC DEST      Equal to --dev-bind but ignores non-existent SRC\n"
+            "    --ro-bind SRC DEST           Bind mount the host path SRC readonly on DEST\n"
+            "    --ro-bind-try SRC DEST       Equal to --ro-bind but ignores non-existent SRC\n"
+           "    --bind-fd FD DEST            Bind open directory or path fd on DEST\n"
+           "    --ro-bind-fd FD DEST         Bind open directory or path fd read-only on DEST\n"
+            "    --remount-ro DEST            Remount DEST as readonly; does not recursively remount\n"
+            "    --exec-label LABEL           Exec label for the sandbox\n"
+            "    --file-label LABEL           File label for temporary sandbox content\n"
+@@ -1198,6 +1200,30 @@ setup_newroot (bool unshare_pid,
+                          (op->type == SETUP_RO_BIND_MOUNT ? BIND_READONLY : 0) |
+                          (op->type == SETUP_DEV_BIND_MOUNT ? BIND_DEVICES : 0),
+                          source, dest);
+
+          if (op->fd >= 0)
+            {
+              struct stat fd_st, mount_st;
+
+              /* When using bind-fd, there is a race condition between resolving the fd as a magic symlink
+               * and mounting it, where someone could replace what is at the symlink target. Ideally
+               * we would not even resolve the symlink and directly bind-mount from the fd, but unfortunately
+               * we can't do that, because its not permitted to bind mount a fd from another user namespace.
+               * So, we resolve, mount and then compare fstat+stat to detect the race. */
+
+              if (fstat(op->fd, &fd_st) != 0)
+                die_with_error("Can't stat fd %d", op->fd);
+              if (lstat(dest, &mount_st) != 0)
+                die_with_error("Can't stat mount at %s", dest);
+
+              if (fd_st.st_ino != mount_st.st_ino ||
+                  fd_st.st_dev != mount_st.st_dev)
+                die_with_error("Race condition binding dirfd");
+
+              close(op->fd);
+              op->fd = -1;
+            }
+
+           break;
+ 
+         case SETUP_REMOUNT_RO_NO_RECURSIVE:
+@@ -1819,6 +1845,30 @@ parse_args_recurse (int          *argcp,
+           if (strcmp(arg, "--dev-bind-try") == 0)
+             op->flags = ALLOW_NOTEXIST;
+ 
+          argv += 2;
+          argc -= 2;
+        }
+      else if (strcmp (arg, "--bind-fd") == 0 ||
+               strcmp (arg, "--ro-bind-fd") == 0)
+        {
+          int src_fd;
+          char *endptr;
+
+          if (argc < 3)
+            die ("--bind-fd takes two arguments");
+
+          src_fd = strtol (argv[1], &endptr, 10);
+          if (argv[1][0] == 0 || endptr[0] != 0 || src_fd < 0)
+            die ("Invalid fd: %s", argv[1]);
+
+          if (strcmp(arg, "--ro-bind-fd") == 0)
+            op = setup_op_new (SETUP_RO_BIND_MOUNT);
+          else
+            op = setup_op_new (SETUP_BIND_MOUNT);
+          op->source = xasprintf ("/proc/self/fd/%d", src_fd);
+          op->fd = src_fd;
+          op->dest = argv[2];
+
+           argv += 2;
+           argc -= 2;
+         }
+diff --git a/tests/test-run.sh b/tests/test-run.sh
+index f25a9bc3..c5ce1866 100755
+--- a/tests/test-run.sh
+++ b/tests/test-run.sh
+@@ -382,5 +382,9 @@
+     echo "ok - Test --pidns"
+ fi
+
+echo "foobar" > file-data
+$RUN --proc /proc --dev /dev --bind / / --bind-fd 100 /tmp cat /tmp/file-data 100< . > stdout
+assert_file_has_content stdout foobar
+echo "ok - bind-fd"
+
+ echo "ok - End of test"
--- a/bubblewrap-0.3.3.tar.xz
+++ b/bubblewrap-0.3.3.tar.xz
--- a/bubblewrap-0.4.1.tar.xz
+++ b/bubblewrap-0.4.1.tar.xz
--- a/bubblewrap.spec
+++ b/bubblewrap.spec
@ -1,10 +1,11 @@
 Name:		bubblewrap
-Version:	0.3.3
-Release:	1
+Version:	0.4.1
+Release:	2
 Summary:	Core execution tool for unprivileged containers
 License:	LGPLv2+
 URL:		https://github.com/projectatomic/bubblewrap
-Source0:	https://github.com/containers/bubblewrap/archive/bubblewrap-%{version}.tar.xz
+Source0:	https://github.com/containers/bubblewrap/releases/download/v%{version}/bubblewrap-%{version}.tar.xz
+Patch0:         backport-Add--bind-fd-and--ro-bind-fd-to-let-you-bind-a-O_PATH-fd.patch

 BuildRequires:	autoconf automake libtool gcc libcap-devel
 BuildRequires:  pkgconfig(libselinux) libxslt docbook-style-xsl
@ -39,5 +40,11 @@ if ! test -x configure; then NOCONFIGURE=1 ./autogen.sh; fi
 %{_mandir}/man1/*

 %changelog
+* Fri Aug 16 2024 wangkai <13474090681@163.com> - 0.4.1-2
+- Add --bind-fd and --ro-bind-fd to let you bind a O_PATH fd for flatpak fix CVE-2024-42472
+
+* Tue Jun 23 2020 shixuantong <shixuantong@huawei.com> -0.4.1-1
+- Update to 0.4.1
+
 * Mon Oct 21 2019 openEuler Buildteam <buildteam@openeuler.org> - 0.3.3-1
 - Package init
--- a/bubblewrap.yaml
+++ b/bubblewrap.yaml
@ -0,0 +1,4 @@
+version_control: github
+src_repo: projectatomic/bubblewrap
+tag_prefix: "^v"
+separator: "."
Author	SHA1	Message	Date
openeuler-ci-bot	cd4e3f2c5d	!11 [sync] PR-9: Add --bind-fd and --ro-bind-fd to let you bind a O_PATH fd for flatpak fix CVE-2024-42472 From: @openeuler-sync-bot Reviewed-by: @dillon_chen Signed-off-by: @dillon_chen	2024-08-16 09:39:01 +00:00
wk333	63d451e423	Add --bind-fd and --ro-bind-fd to let you bind a O_PATH fd for flatpak fix CVE-2024-42472 (cherry picked from commit f51fbfb3eb755e05e707857792a419a4600c5529)	2024-08-16 17:31:28 +08:00
openeuler-ci-bot	8ee219956a	!3 add yaml file in package Merge pull request !3 from 桐小哥/master	2020-07-22 19:32:11 +08:00
桐小哥	fc168e8e35	update bubblewrap.yaml.	2020-07-22 18:08:45 +08:00
sxt1001	a5aafde3e2	add yaml file	2020-07-22 18:07:42 +08:00
openeuler-ci-bot	4afa941d3a	!2 update to 0.4.1 Merge pull request !2 from 桐小哥/master	2020-07-21 12:09:02 +08:00
桐小哥	9b723e7dd5	删除文件 bubblewrap.yaml	2020-06-24 11:31:04 +08:00
桐小哥	357c604bc2	删除文件 bubblewrap-0.3.3.tar.xz	2020-06-24 09:41:46 +08:00
xinghe_1	c4ea48a3bf	update to 0.4.1	2020-06-24 09:40:43 +08:00
tong_1001	accb639beb	add yaml file in package	2020-06-16 18:18:33 +08:00