From 7d2aef157ceb540cbba833a7edac175a9afe650a Mon Sep 17 00:00:00 2001
From: dht
Date: Fri, 3 Mar 2023 12:53:25 +0800
Subject: [PATCH] =?UTF-8?q?CVE-2022-24769=20=E5=AE=89=E5=85=A8=E6=9B=B4?=
 =?UTF-8?q?=E6=96=B0=EF=BC=9A=E5=9C=A820.10.14=E7=89=88=E4=B9=8B=E5=89=8D?=
 =?UTF-8?q?=E7=9A=84Moby=EF=BC=88Docker=20Engine=EF=BC=89=E4=B8=AD?=
 =?UTF-8?q?=E5=8F=91=E7=8E=B0=E4=BA=86=E4=B8=80=E4=B8=AA=E9=94=99=E8=AF=AF?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 debian/changelog                              | 6 ++++++
 oci/spec.go                                   | 7 +++----
 oci/spec_opts.go                              | 5 +----
 oci/spec_opts_linux_test.go                   | 4 ----
 oci/spec_test.go                              | 5 ++---
 pkg/cri/server/container_create_linux_test.go | 3 +--
 6 files changed, 13 insertions(+), 17 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 091db2d..922ef47 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+containerd (1.5.9-ok4) yangtze; urgency=medium
+
+  * eric-teng CVE-2022-24769 安全更新:在20.10.14版之前的Moby(Docker Engine)中发现了一个错误
+
+ -- dht  Fri, 03 Mar 2023 12:51:31 +0800
+
 containerd (1.5.9-ok3) yangtze; urgency=medium
 
   * xie_shang CVE-2022-23471 安全更新:containerd 1.6.12之前版本、1.5.16之前版本中存在资源管理错误漏洞.
diff --git a/oci/spec.go b/oci/spec.go
index 035bb7e..ff25ddf 100644
--- a/oci/spec.go
+++ b/oci/spec.go
@@ -148,10 +148,9 @@ func populateDefaultUnixSpec(ctx context.Context, s *Spec, id string) error {
 				GID: 0,
 			},
 			Capabilities: &specs.LinuxCapabilities{
-				Bounding:    defaultUnixCaps(),
-				Permitted:   defaultUnixCaps(),
-				Inheritable: defaultUnixCaps(),
-				Effective:   defaultUnixCaps(),
+				Bounding:  defaultUnixCaps(),
+				Permitted: defaultUnixCaps(),
+				Effective: defaultUnixCaps(),
 			},
 			Rlimits: []specs.POSIXRlimit{
 				{
diff --git a/oci/spec_opts.go b/oci/spec_opts.go
index 5a952f6..7985387 100644
--- a/oci/spec_opts.go
+++ b/oci/spec_opts.go
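Review bot: Nothing on the new side records why `Inheritable` is the one set omitted from the default `LinuxCapabilities` literal, so a later contributor tidying the struct could put it back and silently reintroduce the issue the changelog cites. Add a why-comment directly above `Capabilities: &specs.LinuxCapabilities{`, e.g. `// Inheritable is deliberately left empty (CVE-2022-24769); WithAmbientCapabilities populates it when ambient caps are requested.` — the underlying reason being that inheritable caps are carried into the permitted set across execve of a binary whose file capabilities name them, which an unprivileged in-container process must not get by default. The changelog describes this as a Moby (Docker Engine) bug while the file patched is containerd's own spec defaults; the comment should cite whichever containerd advisory the packager is tracking, which I cannot confirm from the patch itself. populateDefaultUnixSpec starts and ends outside the hunk.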
@@ -788,7 +788,6 @@ func WithCapabilities(caps []string) SpecOpts {
 		s.Process.Capabilities.Bounding = caps
 		s.Process.Capabilities.Effective = caps
 		s.Process.Capabilities.Permitted = caps
-		s.Process.Capabilities.Inheritable = caps
 
 		return nil
 	}
@@ -823,7 +822,6 @@ func WithAddedCapabilities(caps []string) SpecOpts {
 				&s.Process.Capabilities.Bounding,
 				&s.Process.Capabilities.Effective,
 				&s.Process.Capabilities.Permitted,
-				&s.Process.Capabilities.Inheritable,
 			} {
 				if !capsContain(*cl, c) {
 					*cl = append(*cl, c)
@@ -843,7 +841,6 @@ func WithDroppedCapabilities(caps []string) SpecOpts {
 				&s.Process.Capabilities.Bounding,
 				&s.Process.Capabilities.Effective,
 				&s.Process.Capabilities.Permitted,
-				&s.Process.Capabilities.Inheritable,
 			} {
 				removeCap(cl, c)
 			}
@@ -858,7 +855,7 @@ func WithDroppedCapabilities(caps []string) SpecOpts {
 func WithAmbientCapabilities(caps []string) SpecOpts {
 	return func(_ context.Context, _ Client, _ *containers.Container, s *Spec) error {
 		setCapabilities(s)
-
+		s.Process.Capabilities.Inheritable = caps
 		s.Process.Capabilities.Ambient = caps
 		return nil
 	}
diff --git a/oci/spec_opts_linux_test.go b/oci/spec_opts_linux_test.go
index ea85a6e..23ecc5d 100644
--- a/oci/spec_opts_linux_test.go
+++ b/oci/spec_opts_linux_test.go
@@ -40,7 +40,6 @@ func TestAddCaps(t *testing.T) {
 		s.Process.Capabilities.Bounding,
 		s.Process.Capabilities.Effective,
 		s.Process.Capabilities.Permitted,
-		s.Process.Capabilities.Inheritable,
 	} {
 		if !capsContain(cl, "CAP_CHOWN") {
 			t.Errorf("cap list %d does not contain added cap", i)
@@ -64,7 +63,6 @@ func TestDropCaps(t *testing.T) {
 		s.Process.Capabilities.Bounding,
 		s.Process.Capabilities.Effective,
 		s.Process.Capabilities.Permitted,
-		s.Process.Capabilities.Inheritable,
 	} {
 		if capsContain(cl, "CAP_CHOWN") {
 			t.Errorf("cap list %d contains dropped cap", i)
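Review bot: `WithCapabilities` now replaces Bounding, Effective and Permitted but leaves `Inheritable` exactly as it finds it (Ambient was already untouched), so an inheritable set populated earlier in the option list — e.g. by `WithAmbientCapabilities`, which the patch makes write that field — survives a later `WithCapabilities` and may no longer be a subset of the new Permitted set. If that ordering is meant to be unsupported, the function's doc comment (its signature is visible only in the hunk header, so the function starts outside the hunk) should say so, e.g. `// WithCapabilities replaces the bounding, effective and permitted sets with caps; the inheritable and ambient sets are left untouched, so apply WithAmbientCapabilities after this option, not before.` If instead the option is meant to be a full reset, adding `s.Process.Capabilities.Inheritable = nil` beside the three assignments keeps it idempotent regardless of order.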
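Review bot: The new `s.Process.Capabilities.Inheritable = caps` in `WithAmbientCapabilities` is now the only place the inheritable set is written, and it carries no explanation; give it a why-comment such as `// the kernel only lets a capability be raised into the ambient set if it is also in the permitted and inheritable sets, so Inheritable is mirrored here instead of in the defaults (CVE-2022-24769)`. Two consequences are worth stating in the same comment: both fields now alias the caller's `caps` slice, so mutating it afterwards changes both sets, and `WithDroppedCapabilities` (the hunk above) no longer visits Inheritable and never visited Ambient, so a drop applied after this option removes the capability from Permitted while leaving it in both of these sets. No test in this patch exercises the new assignment; the only Inheritable assertions added elsewhere check that it stays empty.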
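Review bot: TestAddCaps drops `Inheritable` from the lists it checks but adds no assertion that `WithAddedCapabilities` now leaves that set empty, so on its own the hunk only weakens the test. After the loop, add `if len(s.Process.Capabilities.Inheritable) != 0 { t.Errorf("inheritable caps unexpectedly set: %v", s.Process.Capabilities.Inheritable) }`; the same guard fits the TestDropCaps hunks, whose loops likewise no longer look at the set. TestAddCaps's setup and the end of the checked loop are outside the hunk.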
@@ -83,7 +81,6 @@ func TestDropCaps(t *testing.T) {
 		s.Process.Capabilities.Bounding,
 		s.Process.Capabilities.Effective,
 		s.Process.Capabilities.Permitted,
-		s.Process.Capabilities.Inheritable,
 	} {
 		if capsContain(cl, "CAP_FOWNER") {
 			t.Errorf("cap list %d contains dropped cap", i)
@@ -104,7 +101,6 @@ func TestDropCaps(t *testing.T) {
 		s.Process.Capabilities.Bounding,
 		s.Process.Capabilities.Effective,
 		s.Process.Capabilities.Permitted,
-		s.Process.Capabilities.Inheritable,
 	} {
 		if len(cl) != 0 {
 			t.Errorf("cap list %d is not empty", i)
diff --git a/oci/spec_test.go b/oci/spec_test.go
index 9e9f981..7078ed9 100644
--- a/oci/spec_test.go
+++ b/oci/spec_test.go
@@ -45,7 +45,6 @@ func TestGenerateSpec(t *testing.T) {
 	for _, cl := range [][]string{
 		s.Process.Capabilities.Bounding,
 		s.Process.Capabilities.Permitted,
-		s.Process.Capabilities.Inheritable,
 		s.Process.Capabilities.Effective,
 	} {
 		for i := 0; i < len(defaults); i++ {
@@ -193,8 +192,8 @@ func TestWithCapabilities(t *testing.T) {
 	if len(s.Process.Capabilities.Permitted) != 1 || s.Process.Capabilities.Permitted[0] != "CAP_SYS_ADMIN" {
 		t.Error("Unexpected capabilities set")
 	}
-	if len(s.Process.Capabilities.Inheritable) != 1 || s.Process.Capabilities.Inheritable[0] != "CAP_SYS_ADMIN" {
-		t.Error("Unexpected capabilities set")
+	if len(s.Process.Capabilities.Inheritable) != 0 {
+		t.Errorf("Unexpected capabilities set: length is non zero (%d)", len(s.Process.Capabilities.Inheritable))
 	}
 }
 
diff --git a/pkg/cri/server/container_create_linux_test.go b/pkg/cri/server/container_create_linux_test.go
index 80c0890..a15ec2b 100644
--- a/pkg/cri/server/container_create_linux_test.go
+++ b/pkg/cri/server/container_create_linux_test.go
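Review bot: The rewritten assertion pins that `WithCapabilities` no longer fills Inheritable, but nothing in the patch covers the other half of the change — `WithAmbientCapabilities` now copying caps into Inheritable — so that line could be reverted without any test failing. A sibling test built the same way as TestWithCapabilities (its spec setup is outside the hunk) that applies `WithAmbientCapabilities([]string{"CAP_SYS_ADMIN"})` and checks `if len(s.Process.Capabilities.Inheritable) != 1 || s.Process.Capabilities.Inheritable[0] != "CAP_SYS_ADMIN" { t.Errorf("inheritable not mirrored from ambient: %v", s.Process.Capabilities.Inheritable) }`, plus the same check on Ambient, would pin it. In the new `t.Errorf`, printing the slice with `%v` instead of its length would also show which capability leaked when the check fails.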
@@ -254,15 +254,14 @@ func TestContainerCapabilities(t *testing.T) {
 		for _, include := range test.includes {
 			assert.Contains(t, spec.Process.Capabilities.Bounding, include)
 			assert.Contains(t, spec.Process.Capabilities.Effective, include)
-			assert.Contains(t, spec.Process.Capabilities.Inheritable, include)
 			assert.Contains(t, spec.Process.Capabilities.Permitted, include)
 		}
 		for _, exclude := range test.excludes {
 			assert.NotContains(t, spec.Process.Capabilities.Bounding, exclude)
 			assert.NotContains(t, spec.Process.Capabilities.Effective, exclude)
-			assert.NotContains(t, spec.Process.Capabilities.Inheritable, exclude)
 			assert.NotContains(t, spec.Process.Capabilities.Permitted, exclude)
 		}
+		assert.Empty(t, spec.Process.Capabilities.Inheritable)
 		assert.Empty(t, spec.Process.Capabilities.Ambient)
 	}
 }