!28 Fix PLATYPUS attack of RAPL accessible to a container

From: @northgarden Reviewed-by: @duyiwei7w Signed-off-by: @duyiwei7w
2024-03-18 08:08:37 +00:00 · 2024-03-18 08:08:37 +00:00 · 322ca7c1cb
commit 322ca7c1cb
parent e61a63b16c f309775edf
2 changed files with 49 additions and 1 deletions
--- a/0003-fix-PLATYPUS-attack-of-RAPL-accessible-to-a-containe.patch
+++ b/0003-fix-PLATYPUS-attack-of-RAPL-accessible-to-a-containe.patch
@ -0,0 +1,41 @@
+From e3b8749e93d2412385498c9ed6cf6550b2992aaf Mon Sep 17 00:00:00 2001
+From: bwzhang <zhangbowei@kylinos.cn>
+Date: Mon, 18 Mar 2024 15:06:38 +0800
+Subject: [PATCH] fix PLATYPUS attack of RAPL accessible to a container
+ Security Advisories:
+ https://github.com/containerd/containerd/security/advisories/GHSA-7ww5-4wqc-m92c
+ upstream:
+ https://github.com/containerd/containerd/commit/9e4d53df751605b2c3fa12ed062f8d7a76c0b3f3
+
+---
+ contrib/apparmor/template.go | 1 +
+ oci/spec.go                  | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/contrib/apparmor/template.go b/contrib/apparmor/template.go
+index ba613c3..5c4f785 100644
+--- a/contrib/apparmor/template.go
+++ b/contrib/apparmor/template.go
+@@ -81,6 +81,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
+   deny /sys/fs/c[^g]*/** wklx,
+   deny /sys/fs/cg[^r]*/** wklx,
+   deny /sys/firmware/** rwklx,
+  deny /sys/devices/virtual/powercap/** rwklx,
+   deny /sys/kernel/security/** rwklx,
+ 
+ {{if ge .Version 208095}}
+diff --git a/oci/spec.go b/oci/spec.go
+index a1c98dd..62d212a 100644
+--- a/oci/spec.go
+++ b/oci/spec.go
+@@ -171,6 +171,7 @@ func populateDefaultUnixSpec(ctx context.Context, s *Spec, id string) error {
+ 				"/proc/timer_stats",
+ 				"/proc/sched_debug",
+ 				"/sys/firmware",
+				"/sys/devices/virtual/powercap",
+ 				"/proc/scsi",
+ 			},
+ 			ReadonlyPaths: []string{
+-- 
+2.20.1
+
--- a/k3s-containerd.spec
+++ b/k3s-containerd.spec
@ -3,7 +3,7 @@
 %global version_suffix k3s1
 Version:        1.6.6
 Name:           k3s-containerd
-Release:        6
+Release:        7
 Summary:        An industry-standard container runtime
 License:        Apache-2.0
 URL:            https://github.com/k3s-io/containerd
@ -11,6 +11,7 @@ Source0:        https://github.com/k3s-io/containerd/archive/refs/tags/v%{versio

 Patch0001:      0001-Fix-CVE-2023-25153.patch
 Patch0002:      0002-Fix-CVE-2022-23471.patch
+Patch0003:      0003-fix-PLATYPUS-attack-of-RAPL-accessible-to-a-containe.patch

 BuildRequires:  golang glibc-static make btrfs-progs-devel

@ -71,6 +72,12 @@ cp -rf %{_builddir}/containerd-%{version}-%{version_suffix}/. %{buildroot}%{_lib


 %changelog
+* Mon Mar 18 2024 zhangbowei <zhangbowei@kylinos.cn> - 1.6.6-k3s1-7
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:fix PLATYPUS attack of RAPL accessible to a container
+
 * Fri Mar 15 2024 zhangbowei <zhangbowei@kylinos.cn> - 1.6.6-k3s1-6
 - Type:bugfix
 - CVE:NA