fix cve 2022-27649

(cherry picked from commit 4e6e04b214542f793218c78a8328d7731de1eb50)
2025-01-17 01:43:01 +08:00 · 2025-01-17 01:43:01 +08:00 · 351785158b
commit 351785158b
parent f4d2d0b65a
2 changed files with 102 additions and 1 deletions
--- a/0007-fix-cve-2022-27649.patch
+++ b/0007-fix-cve-2022-27649.patch
@ -0,0 +1,96 @@
 From 0cd2fb0a45d863075658f3c7bbdeaa8338390fdf Mon Sep 17 00:00:00 2001
 From: duyiwei <duyiwei@kylinos.cn>
 Date: Fri, 17 Jan 2025 01:32:57 +0800
 Subject: [PATCH] fix cve 2022-27649
 Signed-off-by: duyiwei <duyiwei@kylinos.cn>
 ---
 libpod/oci_conmon_exec_linux.go  | 7 +++++--
 pkg/specgen/generate/security.go | 8 ++++++--
 test/e2e/run_test.go             | 4 ++--
 3 files changed, 13 insertions(+), 6 deletions(-)
 diff --git a/libpod/oci_conmon_exec_linux.go b/libpod/oci_conmon_exec_linux.go
 index 553c918..5be8144 100644
 --- a/libpod/oci_conmon_exec_linux.go
 +++ b/libpod/oci_conmon_exec_linux.go
@@ -757,11 +757,14 @@ func prepareProcessExec(c *Container, options *ExecOptions, env []string, sessio
 	} else {
 		pspec.Capabilities.Bounding = ctrSpec.Process.Capabilities.Bounding
 	}
 +
 +	// Always unset the inheritable capabilities similarly to what the Linux kernel does
 +	// They are used only when using capabilities with uid != 0.
 +	pspec.Capabilities.Inheritable = []string{}
 +
 	if execUser.Uid == 0 {
 		pspec.Capabilities.Effective = pspec.Capabilities.Bounding
 -		pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding
 		pspec.Capabilities.Permitted = pspec.Capabilities.Bounding
 -		pspec.Capabilities.Ambient = pspec.Capabilities.Bounding
 	} else {
 		if user == c.config.User {
 			pspec.Capabilities.Effective = ctrSpec.Process.Capabilities.Effective
 diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
 index a12cc09..1c43fb7 100644
 --- a/pkg/specgen/generate/security.go
 +++ b/pkg/specgen/generate/security.go
@@ -146,6 +146,11 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
 	configSpec := g.Config
 	configSpec.Process.Capabilities.Ambient = []string{}
 +
 +	// Always unset the inheritable capabilities similarly to what the Linux kernel does
 +	// They are used only when using capabilities with uid != 0.
 +	configSpec.Process.Capabilities.Inheritable = []string{}
 +
 	configSpec.Process.Capabilities.Bounding = caplist
 	user := strings.Split(s.User, ":")[0]
@@ -153,7 +158,6 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
 	if (user == "" && s.UserNS.NSMode != specgen.KeepID) || user == "root" || user == "0" {
 		configSpec.Process.Capabilities.Effective = caplist
 		configSpec.Process.Capabilities.Permitted = caplist
 -		configSpec.Process.Capabilities.Inheritable = caplist
 	} else {
 		mergedCaps, err := capabilities.MergeCapabilities(nil, s.CapAdd, nil)
 		if err != nil {
@@ -175,12 +179,12 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
 		}
 		configSpec.Process.Capabilities.Effective = userCaps
 		configSpec.Process.Capabilities.Permitted = userCaps
 -		configSpec.Process.Capabilities.Inheritable = userCaps
 		// Ambient capabilities were added to Linux 4.3.  Set ambient
 		// capabilities only when the kernel supports them.
 		if supportAmbientCapabilities() {
 			configSpec.Process.Capabilities.Ambient = userCaps
 +			configSpec.Process.Capabilities.Inheritable = userCaps
 		}
 	}
 diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
 index 3385f9d..e675025 100644
 --- a/test/e2e/run_test.go
 +++ b/test/e2e/run_test.go
@@ -454,7 +454,7 @@ var _ = Describe("Podman run", func() {
 		session = podmanTest.Podman([]string{"run", "--rm", "--user", "root", ALPINE, "grep", "CapInh", "/proc/self/status"})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))
 -		Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
 +		Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
 		session = podmanTest.Podman([]string{"run", "--rm", ALPINE, "grep", "CapBnd", "/proc/self/status"})
 		session.WaitWithDefaultTimeout()
@@ -489,7 +489,7 @@ var _ = Describe("Podman run", func() {
 		session = podmanTest.Podman([]string{"run", "--user=0:0", "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))
 -		Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
 +		Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
 		if os.Geteuid() > 0 {
 			if os.Getenv("SKIP_USERNS") != "" {
 -- 
 2.33.0
--- a/podman.spec
+++ b/podman.spec
@ -2,7 +2,7 @@
 Name:          podman
 Version:       3.4.4
-Release:       7
+Release:       8
 Summary:       A daemonless container engine for managing Containers
 Epoch:         1
 License:       ASL 2.0
@ -27,6 +27,7 @@ Patch3:   0003-CVE-2022-32149.patch
 Patch4:   0004-fix-CVE-2024-37298.patch
 Patch5:   0005-Fix-CVE-2023-0778.patch
 Patch6:   0006-fix-cve-2022-2989.patch
 Patch7:   0007-fix-cve-2022-27649.patch
 %description
 Podman manages the entire container ecosystem which includes pods,
@ -119,6 +120,7 @@ tar -xf %{SOURCE4}
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
 %build
 GO_MD2MAN_PATH="$(pwd)%{_bindir}"
@ -289,6 +291,9 @@ done
 %{_libexecdir}/%{name}/gvproxy
 %changelog
 * Thu Jan 16 2025 duyiwei <duyiwei@kylinos.cn> - 1:3.4.4-8
 - fix cve 2022-27649
 * Thu Jan 16 2025 duyiwei <duyiwei@kylinos.cn> - 1:3.4.4-7
 - fix cve-2022-2989