Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu


[ Reason ]
In a recent stable update to podman, changes to the seccomp filter were
introduced to allow podman to work with the glibc found in bookworm (see #994451,
#1006138). That update was successful in the sense that it allows running such
containers in the default configuration.

What was overlooked is that podman can run with two competing container runtime
engines: runc and crun. In bullseye, the default runtime is crun, which works
with the updates. However, some users prefer to run with runc, which is the
default in bookworm (and is used by docker) and which is currently broken (unless
one disables seccomp filtering completely). See #1012030 for full context.

[ Impact ]
This update backports a necessary upstream patch to allow podman to run with
runc in stable again. Without it, users need to make sure to use crun, or
disable seccomp filtering.


[ Tests ]
There are unit tests and manual functional tests.

[ Risks ]
The functional change is small and easy to review. The majority of changes are
from updates to the unit tests.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

This is the functional code change:

--- a/libcontainer/configs/config.go
+++ b/libcontainer/configs/config.go
@@ -31,9 +31,10 @@
 // for syscalls. Additional architectures can be added by specifying them in
 // Architectures.
 type Seccomp struct {
-       DefaultAction Action     `json:"default_action"`
-       Architectures []string   `json:"architectures"`
-       Syscalls      []*Syscall `json:"syscalls"`
+       DefaultAction   Action     `json:"default_action"`
+       Architectures   []string   `json:"architectures"`
+       Syscalls        []*Syscall `json:"syscalls"`
+       DefaultErrnoRet *uint      `json:"default_errno_ret"`
 }
 
 // Action is taken upon rule match in Seccomp
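Review bot: The new `DefaultErrnoRet *uint` field on `Seccomp` has no doc comment, and its meaning (an errno override for the default action, with nil meaning "no override" — the value that was previously hard-coded at the `getAction` call site) is not recoverable from the name alone. Since this field is now part of the serialized config (`json:"default_errno_ret"`), I would document it above the field: `// DefaultErrnoRet, if non-nil, is the errno value returned for DefaultAction` / `// (OCI seccomp "defaultErrnoRet"); nil keeps the action's built-in errno.` The exact semantics of nil depend on `getAction`, which is outside this hunk, so adjust the wording if that helper treats it differently.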
--- a/libcontainer/seccomp/patchbpf/enosys_linux.go
+++ b/libcontainer/seccomp/patchbpf/enosys_linux.go
@@ -523,6 +523,11 @@
 }
 
 func generatePatch(config *configs.Seccomp) ([]bpf.Instruction, error) {
+       // Patch the generated cBPF only when there is not a defaultErrnoRet set
+       // and it is different from ENOSYS
+       if config.DefaultErrnoRet != nil && *config.DefaultErrnoRet == 
uint(retErrnoEnosys) {
+               return nil, nil
+       }
        // We only add the stub if the default action is not permissive.
        if isAllowAction(config.DefaultAction) {
                logrus.Debugf("seccomp: skipping -ENOSYS stub filter 
generation")
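Review bot: The comment added at the top of `generatePatch` contradicts the condition below it: the code returns early (no patch) when a defaultErrnoRet is set and equals ENOSYS, but the comment says patching happens "only when there is not a defaultErrnoRet set and it is different from ENOSYS". A reader will assume any configured errno disables the stub, whereas the visible condition still generates the -ENOSYS stub for every non-ENOSYS value (such as the ENXIO used by the integration test further down this report). I would rewrite the comment as `// Skip the -ENOSYS stub when the configured defaultErrnoRet is already ENOSYS;` / `// any other (or unset) default errno still gets the stub below.` Note that the `if` line is wrapped across two lines in this mail copy, and the rest of `generatePatch` continues outside the hunk.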
--- a/libcontainer/seccomp/seccomp_linux.go
+++ b/libcontainer/seccomp/seccomp_linux.go
@@ -39,7 +39,7 @@
                return errors.New("cannot initialize Seccomp - nil config 
passed")
        }
 
-       defaultAction, err := getAction(config.DefaultAction, nil)
+       defaultAction, err := getAction(config.DefaultAction, 
config.DefaultErrnoRet)
        if err != nil {
                return errors.New("error initializing seccomp - invalid default 
action")
        }
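Review bot: With `config.DefaultErrnoRet` now passed into `getAction`, a failure can come from either the action or the errno value, yet the `err` is still discarded and replaced by the fixed message "invalid default action", so a rejected errno surfaces as a misleading error. I would wrap instead of dropping it, e.g. `return fmt.Errorf("error initializing seccomp - invalid default action: %w", err)`, provided `fmt` is imported in this file (the import block is outside the hunk; if only `errors` is available, appending `err.Error()` to the message is the minimal alternative). The enclosing function starts outside this hunk.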
--- a/libcontainer/specconv/spec_linux.go
+++ b/libcontainer/specconv/spec_linux.go
@@ -872,6 +872,7 @@
                return nil, err
        }
        newConfig.DefaultAction = newDefaultAction
+       newConfig.DefaultErrnoRet = config.DefaultErrnoRet
 
        // Loop through all syscall blocks and convert them to libcontainer 
format
        for _, call := range config.Syscalls {
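Review bot: `newConfig.DefaultErrnoRet = config.DefaultErrnoRet` copies the pointer, so the libcontainer config now aliases the `*uint` owned by the OCI spec rather than holding its own value; any later mutation of the spec would silently change the seccomp default errno (the other fields in this hunk, such as `DefaultAction`, are copied by value). If the spec object can outlive or be mutated after conversion, I would copy the value into a fresh `uint` and store its address instead. I cannot see from here whether the spec is treated as immutable after this point, so this may be acceptable as-is; the enclosing conversion function starts and ends outside the hunk.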



[ Other info ]
full debdiff attached
diff -Nru runc-1.0.0~rc93+ds1/debian/changelog 
runc-1.0.0~rc93+ds1/debian/changelog
--- runc-1.0.0~rc93+ds1/debian/changelog        2022-06-12 14:49:36.000000000 
-0400
+++ runc-1.0.0~rc93+ds1/debian/changelog        2021-05-19 14:46:14.000000000 
-0400
@@ -1,10 +1,3 @@
-runc (1.0.0~rc93+ds1-5+deb11u1) bullseye; urgency=medium
-
-  * Team upload.
-  * backport upstream patch: Honor seccomp defaultErrnoRet, Closes: #1012030
-
- -- Reinhard Tartler <siret...@tauware.de>  Sun, 12 Jun 2022 14:49:36 -0400
-
 runc (1.0.0~rc93+ds1-5) unstable; urgency=high
 
   * Team upload.
diff -Nru runc-1.0.0~rc93+ds1/debian/patches/default_retno.patch 
runc-1.0.0~rc93+ds1/debian/patches/default_retno.patch
--- runc-1.0.0~rc93+ds1/debian/patches/default_retno.patch      2022-06-12 
14:49:36.000000000 -0400
+++ runc-1.0.0~rc93+ds1/debian/patches/default_retno.patch      1969-12-31 
19:00:00.000000000 -0500
@@ -1,459 +0,0 @@
-commit c61f6062547d20b80a07e9593e9617e115773b28
-Author: Giuseppe Scrivano <gscri...@redhat.com>
-Date:   Fri May 14 10:58:16 2021 +0200
-
-    libcontainer: honor seccomp defaultErrnoRet
-    
-    https://github.com/opencontainers/runtime-spec/pull/1087 added support
-    for defaultErrnoRet to the OCI runtime specs.
-    
-    If a defaultErrnoRet is specified, disable patching the generated
-    libseccomp cBPF.
-    
-    Closes: https://github.com/opencontainers/runc/issues/2943
-    
-    Signed-off-by: Giuseppe Scrivano <gscri...@redhat.com>
-
---- a/libcontainer/configs/config.go
-+++ b/libcontainer/configs/config.go
-@@ -31,9 +31,10 @@
- // for syscalls. Additional architectures can be added by specifying them in
- // Architectures.
- type Seccomp struct {
--      DefaultAction Action     `json:"default_action"`
--      Architectures []string   `json:"architectures"`
--      Syscalls      []*Syscall `json:"syscalls"`
-+      DefaultAction   Action     `json:"default_action"`
-+      Architectures   []string   `json:"architectures"`
-+      Syscalls        []*Syscall `json:"syscalls"`
-+      DefaultErrnoRet *uint      `json:"default_errno_ret"`
- }
- 
- // Action is taken upon rule match in Seccomp
---- a/libcontainer/seccomp/patchbpf/enosys_linux.go
-+++ b/libcontainer/seccomp/patchbpf/enosys_linux.go
-@@ -523,6 +523,11 @@
- }
- 
- func generatePatch(config *configs.Seccomp) ([]bpf.Instruction, error) {
-+      // Patch the generated cBPF only when there is not a defaultErrnoRet set
-+      // and it is different from ENOSYS
-+      if config.DefaultErrnoRet != nil && *config.DefaultErrnoRet == 
uint(retErrnoEnosys) {
-+              return nil, nil
-+      }
-       // We only add the stub if the default action is not permissive.
-       if isAllowAction(config.DefaultAction) {
-               logrus.Debugf("seccomp: skipping -ENOSYS stub filter 
generation")
---- a/libcontainer/seccomp/seccomp_linux.go
-+++ b/libcontainer/seccomp/seccomp_linux.go
-@@ -39,7 +39,7 @@
-               return errors.New("cannot initialize Seccomp - nil config 
passed")
-       }
- 
--      defaultAction, err := getAction(config.DefaultAction, nil)
-+      defaultAction, err := getAction(config.DefaultAction, 
config.DefaultErrnoRet)
-       if err != nil {
-               return errors.New("error initializing seccomp - invalid default 
action")
-       }
---- a/libcontainer/specconv/spec_linux.go
-+++ b/libcontainer/specconv/spec_linux.go
-@@ -872,6 +872,7 @@
-               return nil, err
-       }
-       newConfig.DefaultAction = newDefaultAction
-+      newConfig.DefaultErrnoRet = config.DefaultErrnoRet
- 
-       // Loop through all syscall blocks and convert them to libcontainer 
format
-       for _, call := range config.Syscalls {
---- a/tests/integration/seccomp.bats
-+++ b/tests/integration/seccomp.bats
-@@ -22,3 +22,15 @@
-       runc run test_busybox
-       [ "$status" -eq 0 ]
- }
-+
-+@test "runc run [seccomp defaultErrnoRet=ENXIO]" {
-+      TEST_NAME="seccomp_syscall_test2"
-+
-+      # Compile the test binary and update the config to run it.
-+      gcc -static -o rootfs/seccomp_test2 "${TESTDATA}/${TEST_NAME}.c"
-+      update_config ".linux.seccomp = $(<"${TESTDATA}/${TEST_NAME}.json")"
-+      update_config '.process.args = ["/seccomp_test2"]'
-+
-+      runc run test_busybox
-+      [ "$status" -eq 0 ]
-+}
---- /dev/null
-+++ b/tests/integration/testdata/seccomp_syscall_test2.c
-@@ -0,0 +1,12 @@
-+#include <unistd.h>
-+#include <errno.h>
-+#include <stdio.h>
-+#include <stdlib.h>
-+
-+int main()
-+{
-+      if (chdir("/") < 0 && errno == ENXIO)
-+              exit(EXIT_SUCCESS);
-+      fprintf(stderr, "got errno=%m\n");
-+      exit(EXIT_FAILURE);
-+}
---- /dev/null
-+++ b/tests/integration/testdata/seccomp_syscall_test2.json
-@@ -0,0 +1,356 @@
-+{
-+      "defaultAction": "SCMP_ACT_ERRNO",
-+      "defaultErrnoRet": 6,
-+      "architectures": [
-+              "SCMP_ARCH_X86",
-+              "SCMP_ARCH_X32",
-+              "SCMP_ARCH_X86_64",
-+              "SCMP_ARCH_AARCH64",
-+              "SCMP_ARCH_ARM"
-+      ],
-+      "syscalls": [
-+              {
-+                      "action": "SCMP_ACT_ALLOW",
-+                      "names": [
-+                              "accept",
-+                              "accept4",
-+                              "access",
-+                              "adjtimex",
-+                              "alarm",
-+                              "arch_prctl",
-+                              "bind",
-+                              "brk",
-+                              "capget",
-+                              "capset",
-+                              "chmod",
-+                              "chown",
-+                              "chown32",
-+                              "clock_adjtime",
-+                              "clock_adjtime64",
-+                              "clock_getres",
-+                              "clock_getres_time64",
-+                              "clock_gettime",
-+                              "clock_gettime64",
-+                              "clock_nanosleep",
-+                              "clock_nanosleep_time64",
-+                              "close",
-+                              "connect",
-+                              "copy_file_range",
-+                              "creat",
-+                              "dup",
-+                              "dup2",
-+                              "epoll_create",
-+                              "epoll_create1",
-+                              "epoll_ctl",
-+                              "epoll_ctl_old",
-+                              "epoll_pwait",
-+                              "epoll_wait",
-+                              "epoll_wait_old",
-+                              "eventfd",
-+                              "eventfd2",
-+                              "execve",
-+                              "execveat",
-+                              "exit",
-+                              "exit_group",
-+                              "faccessat",
-+                              "faccessat2",
-+                              "fadvise64",
-+                              "fadvise64_64",
-+                              "fallocate",
-+                              "fanotify_mark",
-+                              "fchdir",
-+                              "fchmod",
-+                              "fchmodat",
-+                              "fchown",
-+                              "fchown32",
-+                              "fchownat",
-+                              "fcntl",
-+                              "fcntl64",
-+                              "fdatasync",
-+                              "fgetxattr",
-+                              "flistxattr",
-+                              "flock",
-+                              "fork",
-+                              "fremovexattr",
-+                              "fsetxattr",
-+                              "fstat",
-+                              "fstat64",
-+                              "fstatat64",
-+                              "fstatfs",
-+                              "fstatfs64",
-+                              "fsync",
-+                              "ftruncate",
-+                              "ftruncate64",
-+                              "futex",
-+                              "futex_time64",
-+                              "futimesat",
-+                              "getcpu",
-+                              "getcwd",
-+                              "getdents",
-+                              "getdents64",
-+                              "getegid",
-+                              "getegid32",
-+                              "geteuid",
-+                              "geteuid32",
-+                              "getgid",
-+                              "getgid32",
-+                              "getgroups",
-+                              "getgroups32",
-+                              "getitimer",
-+                              "getpeername",
-+                              "getpgid",
-+                              "getpgrp",
-+                              "getpid",
-+                              "getppid",
-+                              "getpriority",
-+                              "getrandom",
-+                              "getresgid",
-+                              "getresgid32",
-+                              "getresuid",
-+                              "getresuid32",
-+                              "getrlimit",
-+                              "get_robust_list",
-+                              "getrusage",
-+                              "getsid",
-+                              "getsockname",
-+                              "getsockopt",
-+                              "get_thread_area",
-+                              "gettid",
-+                              "gettimeofday",
-+                              "getuid",
-+                              "getuid32",
-+                              "getxattr",
-+                              "inotify_add_watch",
-+                              "inotify_init",
-+                              "inotify_init1",
-+                              "inotify_rm_watch",
-+                              "io_cancel",
-+                              "ioctl",
-+                              "io_destroy",
-+                              "io_getevents",
-+                              "io_pgetevents",
-+                              "io_pgetevents_time64",
-+                              "ioprio_get",
-+                              "ioprio_set",
-+                              "io_setup",
-+                              "io_submit",
-+                              "io_uring_enter",
-+                              "io_uring_register",
-+                              "io_uring_setup",
-+                              "ipc",
-+                              "kill",
-+                              "lchown",
-+                              "lchown32",
-+                              "lgetxattr",
-+                              "link",
-+                              "linkat",
-+                              "listen",
-+                              "listxattr",
-+                              "llistxattr",
-+                              "_llseek",
-+                              "lremovexattr",
-+                              "lseek",
-+                              "lsetxattr",
-+                              "lstat",
-+                              "lstat64",
-+                              "madvise",
-+                              "membarrier",
-+                              "memfd_create",
-+                              "mincore",
-+                              "mkdir",
-+                              "mkdirat",
-+                              "mknod",
-+                              "mknodat",
-+                              "mlock",
-+                              "mlock2",
-+                              "mlockall",
-+                              "mmap",
-+                              "mmap2",
-+                              "modify_ldt",
-+                              "mprotect",
-+                              "mq_getsetattr",
-+                              "mq_notify",
-+                              "mq_open",
-+                              "mq_timedreceive",
-+                              "mq_timedreceive_time64",
-+                              "mq_timedsend",
-+                              "mq_timedsend_time64",
-+                              "mq_unlink",
-+                              "mremap",
-+                              "msgctl",
-+                              "msgget",
-+                              "msgrcv",
-+                              "msgsnd",
-+                              "msync",
-+                              "munlock",
-+                              "munlockall",
-+                              "munmap",
-+                              "nanosleep",
-+                              "newfstatat",
-+                              "_newselect",
-+                              "open",
-+                              "openat",
-+                              "openat2",
-+                              "pause",
-+                              "pidfd_open",
-+                              "pidfd_send_signal",
-+                              "pipe",
-+                              "pipe2",
-+                              "poll",
-+                              "ppoll",
-+                              "ppoll_time64",
-+                              "prctl",
-+                              "pread64",
-+                              "preadv",
-+                              "preadv2",
-+                              "prlimit64",
-+                              "pselect6",
-+                              "pselect6_time64",
-+                              "pwrite64",
-+                              "pwritev",
-+                              "pwritev2",
-+                              "read",
-+                              "readahead",
-+                              "readlink",
-+                              "readlinkat",
-+                              "readv",
-+                              "recv",
-+                              "recvfrom",
-+                              "recvmmsg",
-+                              "recvmmsg_time64",
-+                              "recvmsg",
-+                              "remap_file_pages",
-+                              "removexattr",
-+                              "rename",
-+                              "renameat",
-+                              "renameat2",
-+                              "restart_syscall",
-+                              "rmdir",
-+                              "rseq",
-+                              "rt_sigaction",
-+                              "rt_sigpending",
-+                              "rt_sigprocmask",
-+                              "rt_sigqueueinfo",
-+                              "rt_sigreturn",
-+                              "rt_sigsuspend",
-+                              "rt_sigtimedwait",
-+                              "rt_sigtimedwait_time64",
-+                              "rt_tgsigqueueinfo",
-+                              "sched_getaffinity",
-+                              "sched_getattr",
-+                              "sched_getparam",
-+                              "sched_get_priority_max",
-+                              "sched_get_priority_min",
-+                              "sched_getscheduler",
-+                              "sched_rr_get_interval",
-+                              "sched_rr_get_interval_time64",
-+                              "sched_setaffinity",
-+                              "sched_setattr",
-+                              "sched_setparam",
-+                              "sched_setscheduler",
-+                              "sched_yield",
-+                              "seccomp",
-+                              "select",
-+                              "semctl",
-+                              "semget",
-+                              "semop",
-+                              "semtimedop",
-+                              "semtimedop_time64",
-+                              "send",
-+                              "sendfile",
-+                              "sendfile64",
-+                              "sendmmsg",
-+                              "sendmsg",
-+                              "sendto",
-+                              "setfsgid",
-+                              "setfsgid32",
-+                              "setfsuid",
-+                              "setfsuid32",
-+                              "setgid",
-+                              "setgid32",
-+                              "setgroups",
-+                              "setgroups32",
-+                              "setitimer",
-+                              "setpgid",
-+                              "setpriority",
-+                              "setregid",
-+                              "setregid32",
-+                              "setresgid",
-+                              "setresgid32",
-+                              "setresuid",
-+                              "setresuid32",
-+                              "setreuid",
-+                              "setreuid32",
-+                              "setrlimit",
-+                              "set_robust_list",
-+                              "setsid",
-+                              "setsockopt",
-+                              "set_thread_area",
-+                              "set_tid_address",
-+                              "setuid",
-+                              "setuid32",
-+                              "setxattr",
-+                              "shmat",
-+                              "shmctl",
-+                              "shmdt",
-+                              "shmget",
-+                              "shutdown",
-+                              "sigaltstack",
-+                              "signalfd",
-+                              "signalfd4",
-+                              "sigprocmask",
-+                              "sigreturn",
-+                              "socketcall",
-+                              "socketpair",
-+                              "splice",
-+                              "stat",
-+                              "stat64",
-+                              "statfs",
-+                              "statfs64",
-+                              "statx",
-+                              "symlink",
-+                              "symlinkat",
-+                              "sync",
-+                              "sync_file_range",
-+                              "syncfs",
-+                              "sysinfo",
-+                              "tee",
-+                              "tgkill",
-+                              "time",
-+                              "timer_create",
-+                              "timer_delete",
-+                              "timer_getoverrun",
-+                              "timer_gettime",
-+                              "timer_gettime64",
-+                              "timer_settime",
-+                              "timer_settime64",
-+                              "timerfd_create",
-+                              "timerfd_gettime",
-+                              "timerfd_gettime64",
-+                              "timerfd_settime",
-+                              "timerfd_settime64",
-+                              "times",
-+                              "tkill",
-+                              "truncate",
-+                              "truncate64",
-+                              "ugetrlimit",
-+                              "umask",
-+                              "uname",
-+                              "unlink",
-+                              "unlinkat",
-+                              "utime",
-+                              "utimensat",
-+                              "utimensat_time64",
-+                              "utimes",
-+                              "vfork",
-+                              "vmsplice",
-+                              "wait4",
-+                              "waitid",
-+                              "waitpid",
-+                              "write",
-+                              "writev"
-+                      ]
-+              }
-+      ]
-+}
-+
diff -Nru runc-1.0.0~rc93+ds1/debian/patches/series 
runc-1.0.0~rc93+ds1/debian/patches/series
--- runc-1.0.0~rc93+ds1/debian/patches/series   2022-06-12 14:49:36.000000000 
-0400
+++ runc-1.0.0~rc93+ds1/debian/patches/series   2021-05-19 14:46:14.000000000 
-0400
@@ -13,4 +13,3 @@
 CVE-2021-30465/rc93-0003-libct-rootfs-mountCgroupV2-minor-refactor.patch
 CVE-2021-30465/rc93-0004-Fix-cgroup2-mount-for-rootless-case.patch
 CVE-2021-30465/rc93-0005-rootfs-add-mount-destination-validation.patch
-default_retno.patch
