changed debian/source/format to native
parent
2ac0563dcb
commit
f28d963d73
|
@ -1,85 +0,0 @@
|
||||||
From: Alexander Larsson <alexl@redhat.com>
|
|
||||||
Date: Thu, 26 Mar 2020 15:36:44 +0100
|
|
||||||
Subject: [PATCH 1/3] Don't rely on geteuid() to know when to switch back from
|
|
||||||
setuid root
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset="utf-8"
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
As pointed out by Stephen Röttger <sroettger@google.com>, in
|
|
||||||
drop_privs() we only drop root in the setuid case if geteuid() is
|
|
||||||
0. Typically geteuid() == 0 means we were setuid root and have not yet
|
|
||||||
switched away from it.
|
|
||||||
|
|
||||||
However, it is possible to make the geteuid call fail by passing a
|
|
||||||
--userns2 namespace which doesn't have 0 mapped (i.e. where geteuid()
|
|
||||||
will return the owerflow uid instead).
|
|
||||||
|
|
||||||
If you do this, the pid 1 process in the sandbox will continue running
|
|
||||||
as host uid 0, while dropping the dumpable flag, and at this point the
|
|
||||||
user can ptrace attach the process and have root permissions.
|
|
||||||
|
|
||||||
We fix this by not relying on the geteuid() call to know when we need
|
|
||||||
to drop root uid, but rather keep track of whether we already switched
|
|
||||||
from it.
|
|
||||||
---
|
|
||||||
bubblewrap.c | 15 ++++++++++-----
|
|
||||||
1 file changed, 10 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/bubblewrap.c b/bubblewrap.c
|
|
||||||
index 8d0c5f7..87000e8 100644
|
|
||||||
--- a/bubblewrap.c
|
|
||||||
+++ b/bubblewrap.c
|
|
||||||
@@ -834,11 +834,13 @@ switch_to_user_with_privs (void)
|
|
||||||
|
|
||||||
/* Call setuid() and use capset() to adjust capabilities */
|
|
||||||
static void
|
|
||||||
-drop_privs (bool keep_requested_caps)
|
|
||||||
+drop_privs (bool keep_requested_caps,
|
|
||||||
+ bool already_changed_uid)
|
|
||||||
{
|
|
||||||
assert (!keep_requested_caps || !is_privileged);
|
|
||||||
/* Drop root uid */
|
|
||||||
- if (geteuid () == 0 && setuid (opt_sandbox_uid) < 0)
|
|
||||||
+ if (is_privileged && !already_changed_uid &&
|
|
||||||
+ setuid (opt_sandbox_uid) < 0)
|
|
||||||
die_with_error ("unable to drop root uid");
|
|
||||||
|
|
||||||
drop_all_caps (keep_requested_caps);
|
|
||||||
@@ -2296,6 +2298,9 @@ main (int argc,
|
|
||||||
if (opt_userns_fd != -1 && is_privileged)
|
|
||||||
die ("--userns doesn't work in setuid mode");
|
|
||||||
|
|
||||||
+ if (opt_userns2_fd != -1 && is_privileged)
|
|
||||||
+ die ("--userns2 doesn't work in setuid mode");
|
|
||||||
+
|
|
||||||
/* We have to do this if we weren't installed setuid (and we're not
|
|
||||||
* root), so let's just DWIM */
|
|
||||||
if (!is_privileged && getuid () != 0 && opt_userns_fd == -1)
|
|
||||||
@@ -2499,7 +2504,7 @@ main (int argc,
|
|
||||||
die_with_error ("Setting userns2 failed");
|
|
||||||
|
|
||||||
/* We don't need any privileges in the launcher, drop them immediately. */
|
|
||||||
- drop_privs (FALSE);
|
|
||||||
+ drop_privs (FALSE, FALSE);
|
|
||||||
|
|
||||||
/* Optionally bind our lifecycle to that of the parent */
|
|
||||||
handle_die_with_parent ();
|
|
||||||
@@ -2674,7 +2679,7 @@ main (int argc,
|
|
||||||
if (child == 0)
|
|
||||||
{
|
|
||||||
/* Unprivileged setup process */
|
|
||||||
- drop_privs (FALSE);
|
|
||||||
+ drop_privs (FALSE, TRUE);
|
|
||||||
close (privsep_sockets[0]);
|
|
||||||
setup_newroot (opt_unshare_pid, privsep_sockets[1]);
|
|
||||||
exit (0);
|
|
||||||
@@ -2769,7 +2774,7 @@ main (int argc,
|
|
||||||
}
|
|
||||||
|
|
||||||
/* All privileged ops are done now, so drop caps we don't need */
|
|
||||||
- drop_privs (!is_privileged);
|
|
||||||
+ drop_privs (!is_privileged, TRUE);
|
|
||||||
|
|
||||||
if (opt_block_fd != -1)
|
|
||||||
{
|
|
|
@ -1,33 +0,0 @@
|
||||||
From: Simon McVittie <smcv@debian.org>
|
|
||||||
Date: Wed, 17 Jan 2018 14:10:40 +0000
|
|
||||||
Subject: Use Python 3 for test/demo code
|
|
||||||
|
|
||||||
Forwarded: not-needed
|
|
||||||
---
|
|
||||||
demos/userns-block-fd.py | 2 +-
|
|
||||||
tests/test-run.sh | 2 +-
|
|
||||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/demos/userns-block-fd.py b/demos/userns-block-fd.py
|
|
||||||
index 4c68242..2ef2fd6 100755
|
|
||||||
--- a/demos/userns-block-fd.py
|
|
||||||
+++ b/demos/userns-block-fd.py
|
|
||||||
@@ -1,4 +1,4 @@
|
|
||||||
-#!/usr/bin/env python
|
|
||||||
+#!/usr/bin/env python3
|
|
||||||
|
|
||||||
import os, select, subprocess, sys, json
|
|
||||||
|
|
||||||
diff --git a/tests/test-run.sh b/tests/test-run.sh
|
|
||||||
index a01f41c..535e9b6 100755
|
|
||||||
--- a/tests/test-run.sh
|
|
||||||
+++ b/tests/test-run.sh
|
|
||||||
@@ -226,7 +226,7 @@ fi
|
|
||||||
# Test --die-with-parent
|
|
||||||
|
|
||||||
cat >lockf-n.py <<EOF
|
|
||||||
-#!/usr/bin/env python
|
|
||||||
+#!/usr/bin/env python3
|
|
||||||
import struct,fcntl,sys
|
|
||||||
path = sys.argv[1]
|
|
||||||
if sys.argv[2] == 'wait':
|
|
|
@ -1,3 +0,0 @@
|
||||||
debian/Use-Python-3-for-test-demo-code.patch
|
|
||||||
update-output-patterns-libcap-2.29.patch
|
|
||||||
CVE-2020-5291.patch
|
|
|
@ -1,35 +0,0 @@
|
||||||
From: Christian Kastner <ckk@kvr.at>
|
|
||||||
Date: Wed, 19 Feb 2020 10:03:05 +0100
|
|
||||||
Subject: [PATCH] tests: Update output patterns for libcap >= 2.29
|
|
||||||
|
|
||||||
---
|
|
||||||
tests/test-run.sh | 15 +++++++++++----
|
|
||||||
1 file changed, 11 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/tests/test-run.sh b/tests/test-run.sh
|
|
||||||
index 535e9b6..95c77d8 100755
|
|
||||||
--- a/tests/test-run.sh
|
|
||||||
+++ b/tests/test-run.sh
|
|
||||||
@@ -215,11 +215,18 @@ else
|
|
||||||
$RUN $OPT --cap-drop ALL --unshare-pid capsh --print >caps.test
|
|
||||||
assert_file_has_content caps.test 'Current: =$'
|
|
||||||
# Check for dropping kill/fowner (we assume all uid 0 callers have this)
|
|
||||||
- $RUN $OPT --cap-drop CAP_KILL --cap-drop CAP_FOWNER --unshare-pid capsh --print >caps.test
|
|
||||||
- assert_not_file_has_content caps.test '^Current: =.*cap_kill'
|
|
||||||
- assert_not_file_has_content caps.test '^Current: =.*cap_fowner'
|
|
||||||
# But we should still have net_bind_service for example
|
|
||||||
- assert_file_has_content caps.test '^Current: =.*cap_net_bind_service'
|
|
||||||
+ $RUN $OPT --cap-drop CAP_KILL --cap-drop CAP_FOWNER --unshare-pid capsh --print >caps.test
|
|
||||||
+ # capsh's output format changed from v2.29 -> drops are now indicated with -eip
|
|
||||||
+ if grep 'Current: =.*+eip$' caps.test; then
|
|
||||||
+ assert_not_file_has_content caps.test '^Current: =.*cap_kill.*+eip$'
|
|
||||||
+ assert_not_file_has_content caps.test '^Current: =.*cap_fowner.*+eip$'
|
|
||||||
+ assert_file_has_content caps.test '^Current: =.*cap_net_bind_service.*+eip$'
|
|
||||||
+ else
|
|
||||||
+ assert_file_has_content caps.test '^Current: =eip.*cap_kill.*-eip$'
|
|
||||||
+ assert_file_has_content caps.test '^Current: =eip.*cap_fowner.*-eip$'
|
|
||||||
+ assert_not_file_has_content caps.test '^Current: =.*cap_net_bind_service.*-eip$'
|
|
||||||
+ fi
|
|
||||||
echo "ok - we have the expected caps as uid 0"
|
|
||||||
fi
|
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
3.0 (quilt)
|
3.0 (native)
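Review bot: Switching debian/source/format to `3.0 (native)` stops the quilt series from being applied at build time, and this same commit deletes the series file (`@ -1,3 +0,0 @@` above) together with `CVE-2020-5291.patch`, the 85-line bubblewrap.c fix shown at the top of the page. Unless the bubblewrap.c in this tree already carries that change — `drop_privs (bool keep_requested_caps, bool already_changed_uid)` gated on `is_privileged && !already_changed_uid`, plus the `--userns2 doesn't work in setuid mode` check — the packaged binary silently regresses to the geteuid()-based root check the patch replaced. The libcap 2.29 test-pattern patch and the Python 3 shebang patch are dropped the same way, though those only affect tests and demos. A quick check for `already_changed_uid` in the native tree before upload, and a changelog line stating that the former quilt patches are now applied in-tree, would make the intent verifiable.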
|
||||||
|
|