CVE-2022-24769 安全更新：在20.10.14版之前的Moby（Docker Engine）中发现了一个错误

2023-03-03 12:53:25 +08:00 · 2023-03-03 12:53:25 +08:00 · 7d2aef157c
parent 1861b5bdbf
commit 7d2aef157c
6 changed files with 13 additions and 17 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,9 @@
 containerd (1.5.9-ok4) yangtze; urgency=medium
  * eric-teng CVE-2022-24769 安全更新：在20.10.14版之前的Moby（Docker Engine）中发现了一个错误
 -- dht <haotian_deng@bupt.edu.cn>  Fri, 03 Mar 2023 12:51:31 +0800
 containerd (1.5.9-ok3) yangtze; urgency=medium
  * xie_shang CVE-2022-23471 安全更新：containerd 1.6.12之前版本、1.5.16之前版本中存在资源管理错误漏洞. 
--- a/oci/spec.go
+++ b/oci/spec.go
@ -148,10 +148,9 @@ func populateDefaultUnixSpec(ctx context.Context, s *Spec, id string) error {
 				GID: 0,
 			},
 			Capabilities: &specs.LinuxCapabilities{
-				Bounding:    defaultUnixCaps(),
+				Bounding:  defaultUnixCaps(),
-				Permitted:   defaultUnixCaps(),
+				Permitted: defaultUnixCaps(),
-				Inheritable: defaultUnixCaps(),
+				Effective: defaultUnixCaps(),
 				Effective:   defaultUnixCaps(),
 			},
 			Rlimits: []specs.POSIXRlimit{
 				{
--- a/oci/spec_opts.go
+++ b/oci/spec_opts.go
@ -788,7 +788,6 @@ func WithCapabilities(caps []string) SpecOpts {
 		s.Process.Capabilities.Bounding = caps
 		s.Process.Capabilities.Effective = caps
 		s.Process.Capabilities.Permitted = caps
 		s.Process.Capabilities.Inheritable = caps
 		return nil
 	}
@ -823,7 +822,6 @@ func WithAddedCapabilities(caps []string) SpecOpts {
 				&s.Process.Capabilities.Bounding,
 				&s.Process.Capabilities.Effective,
 				&s.Process.Capabilities.Permitted,
 				&s.Process.Capabilities.Inheritable,
 			} {
 				if !capsContain(*cl, c) {
 					*cl = append(*cl, c)
@ -843,7 +841,6 @@ func WithDroppedCapabilities(caps []string) SpecOpts {
 				&s.Process.Capabilities.Bounding,
 				&s.Process.Capabilities.Effective,
 				&s.Process.Capabilities.Permitted,
 				&s.Process.Capabilities.Inheritable,
 			} {
 				removeCap(cl, c)
 			}
@ -858,7 +855,7 @@ func WithDroppedCapabilities(caps []string) SpecOpts {
 func WithAmbientCapabilities(caps []string) SpecOpts {
 	return func(_ context.Context, _ Client, _ *containers.Container, s *Spec) error {
 		setCapabilities(s)
-
+		s.Process.Capabilities.Inheritable = caps
 		s.Process.Capabilities.Ambient = caps
 		return nil
 	}
--- a/oci/spec_opts_linux_test.go
+++ b/oci/spec_opts_linux_test.go
@ -40,7 +40,6 @@ func TestAddCaps(t *testing.T) {
 		s.Process.Capabilities.Bounding,
 		s.Process.Capabilities.Effective,
 		s.Process.Capabilities.Permitted,
 		s.Process.Capabilities.Inheritable,
 	} {
 		if !capsContain(cl, "CAP_CHOWN") {
 			t.Errorf("cap list %d does not contain added cap", i)
@ -64,7 +63,6 @@ func TestDropCaps(t *testing.T) {
 		s.Process.Capabilities.Bounding,
 		s.Process.Capabilities.Effective,
 		s.Process.Capabilities.Permitted,
 		s.Process.Capabilities.Inheritable,
 	} {
 		if capsContain(cl, "CAP_CHOWN") {
 			t.Errorf("cap list %d contains dropped cap", i)
@ -83,7 +81,6 @@ func TestDropCaps(t *testing.T) {
 		s.Process.Capabilities.Bounding,
 		s.Process.Capabilities.Effective,
 		s.Process.Capabilities.Permitted,
 		s.Process.Capabilities.Inheritable,
 	} {
 		if capsContain(cl, "CAP_FOWNER") {
 			t.Errorf("cap list %d contains dropped cap", i)
@ -104,7 +101,6 @@ func TestDropCaps(t *testing.T) {
 		s.Process.Capabilities.Bounding,
 		s.Process.Capabilities.Effective,
 		s.Process.Capabilities.Permitted,
 		s.Process.Capabilities.Inheritable,
 	} {
 		if len(cl) != 0 {
 			t.Errorf("cap list %d is not empty", i)
--- a/oci/spec_test.go
+++ b/oci/spec_test.go
@ -45,7 +45,6 @@ func TestGenerateSpec(t *testing.T) {
 		for _, cl := range [][]string{
 			s.Process.Capabilities.Bounding,
 			s.Process.Capabilities.Permitted,
 			s.Process.Capabilities.Inheritable,
 			s.Process.Capabilities.Effective,
 		} {
 			for i := 0; i < len(defaults); i++ {
@ -193,8 +192,8 @@ func TestWithCapabilities(t *testing.T) {
 	if len(s.Process.Capabilities.Permitted) != 1 || s.Process.Capabilities.Permitted[0] != "CAP_SYS_ADMIN" {
 		t.Error("Unexpected capabilities set")
 	}
-	if len(s.Process.Capabilities.Inheritable) != 1 || s.Process.Capabilities.Inheritable[0] != "CAP_SYS_ADMIN" {
+	if len(s.Process.Capabilities.Inheritable) != 0 {
-		t.Error("Unexpected capabilities set")
+		t.Errorf("Unexpected capabilities set: length is non zero (%d)", len(s.Process.Capabilities.Inheritable))
 	}
 }
--- a/pkg/cri/server/container_create_linux_test.go
+++ b/pkg/cri/server/container_create_linux_test.go
@ -254,15 +254,14 @@ func TestContainerCapabilities(t *testing.T) {
 		for _, include := range test.includes {
 			assert.Contains(t, spec.Process.Capabilities.Bounding, include)
 			assert.Contains(t, spec.Process.Capabilities.Effective, include)
 			assert.Contains(t, spec.Process.Capabilities.Inheritable, include)
 			assert.Contains(t, spec.Process.Capabilities.Permitted, include)
 		}
 		for _, exclude := range test.excludes {
 			assert.NotContains(t, spec.Process.Capabilities.Bounding, exclude)
 			assert.NotContains(t, spec.Process.Capabilities.Effective, exclude)
 			assert.NotContains(t, spec.Process.Capabilities.Inheritable, exclude)
 			assert.NotContains(t, spec.Process.Capabilities.Permitted, exclude)
 		}
 		assert.Empty(t, spec.Process.Capabilities.Inheritable)
 		assert.Empty(t, spec.Process.Capabilities.Ambient)
 	}
 }