changed debian/source/format to native
This commit is contained in:
openKylinBot
parent
2ac0563dcb
commit
f28d963d73
|
|
@ -1,85 +0,0 @@
|
|||
From: Alexander Larsson <alexl@redhat.com>
|
||||
Date: Thu, 26 Mar 2020 15:36:44 +0100
|
||||
Subject: [PATCH 1/3] Don't rely on geteuid() to know when to switch back from
|
||||
setuid root
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset="utf-8"
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
As pointed out by Stephen Röttger <sroettger@google.com>, in
|
||||
drop_privs() we only drop root in the setuid case if geteuid() is
|
||||
0. Typically geteuid() == 0 means we were setuid root and have not yet
|
||||
switched away from it.
|
||||
|
||||
However, it is possible to make the geteuid call fail by passing a
|
||||
--userns2 namespace which doesn't have 0 mapped (i.e. where geteuid()
|
||||
will return the owerflow uid instead).
|
||||
|
||||
If you do this, the pid 1 process in the sandbox will continue running
|
||||
as host uid 0, while dropping the dumpable flag, and at this point the
|
||||
user can ptrace attach the process and have root permissions.
|
||||
|
||||
We fix this by not relying on the geteuid() call to know when we need
|
||||
to drop root uid, but rather keep track of whether we already switched
|
||||
from it.
|
||||
---
|
||||
bubblewrap.c | 15 ++++++++++-----
|
||||
1 file changed, 10 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/bubblewrap.c b/bubblewrap.c
|
||||
index 8d0c5f7..87000e8 100644
|
||||
--- a/bubblewrap.c
|
||||
+++ b/bubblewrap.c
|
||||
@@ -834,11 +834,13 @@ switch_to_user_with_privs (void)
|
||||
|
||||
/* Call setuid() and use capset() to adjust capabilities */
|
||||
static void
|
||||
-drop_privs (bool keep_requested_caps)
|
||||
+drop_privs (bool keep_requested_caps,
|
||||
+ bool already_changed_uid)
|
||||
{
|
||||
assert (!keep_requested_caps || !is_privileged);
|
||||
/* Drop root uid */
|
||||
- if (geteuid () == 0 && setuid (opt_sandbox_uid) < 0)
|
||||
+ if (is_privileged && !already_changed_uid &&
|
||||
+ setuid (opt_sandbox_uid) < 0)
|
||||
die_with_error ("unable to drop root uid");
|
||||
|
||||
drop_all_caps (keep_requested_caps);
|
||||
@@ -2296,6 +2298,9 @@ main (int argc,
|
||||
if (opt_userns_fd != -1 && is_privileged)
|
||||
die ("--userns doesn't work in setuid mode");
|
||||
|
||||
+ if (opt_userns2_fd != -1 && is_privileged)
|
||||
+ die ("--userns2 doesn't work in setuid mode");
|
||||
+
|
||||
/* We have to do this if we weren't installed setuid (and we're not
|
||||
* root), so let's just DWIM */
|
||||
if (!is_privileged && getuid () != 0 && opt_userns_fd == -1)
|
||||
@@ -2499,7 +2504,7 @@ main (int argc,
|
||||
die_with_error ("Setting userns2 failed");
|
||||
|
||||
/* We don't need any privileges in the launcher, drop them immediately. */
|
||||
- drop_privs (FALSE);
|
||||
+ drop_privs (FALSE, FALSE);
|
||||
|
||||
/* Optionally bind our lifecycle to that of the parent */
|
||||
handle_die_with_parent ();
|
||||
@@ -2674,7 +2679,7 @@ main (int argc,
|
||||
if (child == 0)
|
||||
{
|
||||
/* Unprivileged setup process */
|
||||
- drop_privs (FALSE);
|
||||
+ drop_privs (FALSE, TRUE);
|
||||
close (privsep_sockets[0]);
|
||||
setup_newroot (opt_unshare_pid, privsep_sockets[1]);
|
||||
exit (0);
|
||||
@@ -2769,7 +2774,7 @@ main (int argc,
|
||||
}
|
||||
|
||||
/* All privileged ops are done now, so drop caps we don't need */
|
||||
- drop_privs (!is_privileged);
|
||||
+ drop_privs (!is_privileged, TRUE);
|
||||
|
||||
if (opt_block_fd != -1)
|
||||
{
|
||||
|
|
@ -1,33 +0,0 @@
|
|||
From: Simon McVittie <smcv@debian.org>
|
||||
Date: Wed, 17 Jan 2018 14:10:40 +0000
|
||||
Subject: Use Python 3 for test/demo code
|
||||
|
||||
Forwarded: not-needed
|
||||
---
|
||||
demos/userns-block-fd.py | 2 +-
|
||||
tests/test-run.sh | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/demos/userns-block-fd.py b/demos/userns-block-fd.py
|
||||
index 4c68242..2ef2fd6 100755
|
||||
--- a/demos/userns-block-fd.py
|
||||
+++ b/demos/userns-block-fd.py
|
||||
@@ -1,4 +1,4 @@
|
||||
-#!/usr/bin/env python
|
||||
+#!/usr/bin/env python3
|
||||
|
||||
import os, select, subprocess, sys, json
|
||||
|
||||
diff --git a/tests/test-run.sh b/tests/test-run.sh
|
||||
index a01f41c..535e9b6 100755
|
||||
--- a/tests/test-run.sh
|
||||
+++ b/tests/test-run.sh
|
||||
@@ -226,7 +226,7 @@ fi
|
||||
# Test --die-with-parent
|
||||
|
||||
cat >lockf-n.py <<EOF
|
||||
-#!/usr/bin/env python
|
||||
+#!/usr/bin/env python3
|
||||
import struct,fcntl,sys
|
||||
path = sys.argv[1]
|
||||
if sys.argv[2] == 'wait':
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
debian/Use-Python-3-for-test-demo-code.patch
|
||||
update-output-patterns-libcap-2.29.patch
|
||||
CVE-2020-5291.patch
|
||||
|
|
@ -1,35 +0,0 @@
|
|||
From: Christian Kastner <ckk@kvr.at>
|
||||
Date: Wed, 19 Feb 2020 10:03:05 +0100
|
||||
Subject: [PATCH] tests: Update output patterns for libcap >= 2.29
|
||||
|
||||
---
|
||||
tests/test-run.sh | 15 +++++++++++----
|
||||
1 file changed, 11 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/tests/test-run.sh b/tests/test-run.sh
|
||||
index 535e9b6..95c77d8 100755
|
||||
--- a/tests/test-run.sh
|
||||
+++ b/tests/test-run.sh
|
||||
@@ -215,11 +215,18 @@ else
|
||||
$RUN $OPT --cap-drop ALL --unshare-pid capsh --print >caps.test
|
||||
assert_file_has_content caps.test 'Current: =$'
|
||||
# Check for dropping kill/fowner (we assume all uid 0 callers have this)
|
||||
- $RUN $OPT --cap-drop CAP_KILL --cap-drop CAP_FOWNER --unshare-pid capsh --print >caps.test
|
||||
- assert_not_file_has_content caps.test '^Current: =.*cap_kill'
|
||||
- assert_not_file_has_content caps.test '^Current: =.*cap_fowner'
|
||||
# But we should still have net_bind_service for example
|
||||
- assert_file_has_content caps.test '^Current: =.*cap_net_bind_service'
|
||||
+ $RUN $OPT --cap-drop CAP_KILL --cap-drop CAP_FOWNER --unshare-pid capsh --print >caps.test
|
||||
+ # capsh's output format changed from v2.29 -> drops are now indicated with -eip
|
||||
+ if grep 'Current: =.*+eip$' caps.test; then
|
||||
+ assert_not_file_has_content caps.test '^Current: =.*cap_kill.*+eip$'
|
||||
+ assert_not_file_has_content caps.test '^Current: =.*cap_fowner.*+eip$'
|
||||
+ assert_file_has_content caps.test '^Current: =.*cap_net_bind_service.*+eip$'
|
||||
+ else
|
||||
+ assert_file_has_content caps.test '^Current: =eip.*cap_kill.*-eip$'
|
||||
+ assert_file_has_content caps.test '^Current: =eip.*cap_fowner.*-eip$'
|
||||
+ assert_not_file_has_content caps.test '^Current: =.*cap_net_bind_service.*-eip$'
|
||||
+ fi
|
||||
echo "ok - we have the expected caps as uid 0"
|
||||
fi
|
||||
|
||||
|
|
@ -1 +1 @@
|
|||
3.0 (quilt)
|
||||
3.0 (native)
|
||||
|
|
|
|||
Loading…
Reference in New Issue