CVE-2022-24769 安全更新:在20.10.14版之前的Moby(Docker Engine)中发现了一个错误
parent
1861b5bdbf
commit
7d2aef157c
|
@ -1,3 +1,9 @@
|
|||
containerd (1.5.9-ok4) yangtze; urgency=medium
|
||||
|
||||
* eric-teng CVE-2022-24769 安全更新:在20.10.14版之前的Moby(Docker Engine)中发现了一个错误
|
||||
|
||||
-- dht <haotian_deng@bupt.edu.cn> Fri, 03 Mar 2023 12:51:31 +0800
|
||||
|
||||
containerd (1.5.9-ok3) yangtze; urgency=medium
|
||||
|
||||
* xie_shang CVE-2022-23471 安全更新:containerd 1.6.12之前版本、1.5.16之前版本中存在资源管理错误漏洞.
|
||||
|
|
|
@ -150,7 +150,6 @@ func populateDefaultUnixSpec(ctx context.Context, s *Spec, id string) error {
|
|||
Capabilities: &specs.LinuxCapabilities{
|
||||
Bounding: defaultUnixCaps(),
|
||||
Permitted: defaultUnixCaps(),
|
||||
Inheritable: defaultUnixCaps(),
|
||||
Effective: defaultUnixCaps(),
|
||||
},
|
||||
Rlimits: []specs.POSIXRlimit{
|
||||
|
|
|
@ -788,7 +788,6 @@ func WithCapabilities(caps []string) SpecOpts {
|
|||
s.Process.Capabilities.Bounding = caps
|
||||
s.Process.Capabilities.Effective = caps
|
||||
s.Process.Capabilities.Permitted = caps
|
||||
s.Process.Capabilities.Inheritable = caps
|
||||
|
||||
return nil
|
||||
}
|
||||
|
@ -823,7 +822,6 @@ func WithAddedCapabilities(caps []string) SpecOpts {
|
|||
&s.Process.Capabilities.Bounding,
|
||||
&s.Process.Capabilities.Effective,
|
||||
&s.Process.Capabilities.Permitted,
|
||||
&s.Process.Capabilities.Inheritable,
|
||||
} {
|
||||
if !capsContain(*cl, c) {
|
||||
*cl = append(*cl, c)
|
||||
|
@ -843,7 +841,6 @@ func WithDroppedCapabilities(caps []string) SpecOpts {
|
|||
&s.Process.Capabilities.Bounding,
|
||||
&s.Process.Capabilities.Effective,
|
||||
&s.Process.Capabilities.Permitted,
|
||||
&s.Process.Capabilities.Inheritable,
|
||||
} {
|
||||
removeCap(cl, c)
|
||||
}
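Review bot: After this hunk a capability dropped with WithDroppedCapabilities can survive in the Inheritable and Ambient sets when an earlier WithAmbientCapabilities granted it, because the loop now visits only Bounding, Effective and Permitted (Ambient was never in the list, and Inheritable has just been removed from it). If the intended contract is that a dropped capability disappears from every set, add `&s.Process.Capabilities.Inheritable,` and `&s.Process.Capabilities.Ambient,` to the slice of pointers before `} {`; removing from those sets cannot reintroduce the CVE-2022-24769 condition, which is about non-empty inheritable defaults. Otherwise, document that WithDroppedCapabilities must be applied before WithAmbientCapabilities. The enclosing function starts before and ends after the hunk.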
|
||||
|
@ -858,7 +855,7 @@ func WithDroppedCapabilities(caps []string) SpecOpts {
|
|||
func WithAmbientCapabilities(caps []string) SpecOpts {
|
||||
return func(_ context.Context, _ Client, _ *containers.Container, s *Spec) error {
|
||||
setCapabilities(s)
|
||||
|
||||
s.Process.Capabilities.Inheritable = caps
|
||||
s.Process.Capabilities.Ambient = caps
|
||||
return nil
|
||||
}
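Review bot: The rewritten body at `s.Process.Capabilities.Inheritable = caps` and `s.Process.Capabilities.Ambient = caps` writes only those two sets, yet per capabilities(7) the kernel lets a capability be raised into the ambient set only when it is also in Permitted and Inheritable, and this option does not add it to Permitted. A caller passing a capability that is absent from Permitted therefore very likely gets a container that fails to start at the ambient raise rather than one that quietly gains the capability — worth stating in the option's documentation. Suggested doc comment above the signature: `// WithAmbientCapabilities sets the ambient set and the matching inheritable set; each capability must also be in Permitted (e.g. via WithAddedCapabilities), otherwise raising it into the ambient set is refused.` It is also worth noting that the assignment overwrites, not extends, any Inheritable set established earlier, so this option should be the last capability option applied. The signature line is in the hunk; the doc comment would sit just above it, outside the hunk.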
|
||||
|
|
|
@ -40,7 +40,6 @@ func TestAddCaps(t *testing.T) {
|
|||
s.Process.Capabilities.Bounding,
|
||||
s.Process.Capabilities.Effective,
|
||||
s.Process.Capabilities.Permitted,
|
||||
s.Process.Capabilities.Inheritable,
|
||||
} {
|
||||
if !capsContain(cl, "CAP_CHOWN") {
|
||||
t.Errorf("cap list %d does not contain added cap", i)
|
||||
|
@ -64,7 +63,6 @@ func TestDropCaps(t *testing.T) {
|
|||
s.Process.Capabilities.Bounding,
|
||||
s.Process.Capabilities.Effective,
|
||||
s.Process.Capabilities.Permitted,
|
||||
s.Process.Capabilities.Inheritable,
|
||||
} {
|
||||
if capsContain(cl, "CAP_CHOWN") {
|
||||
t.Errorf("cap list %d contains dropped cap", i)
|
||||
|
@ -83,7 +81,6 @@ func TestDropCaps(t *testing.T) {
|
|||
s.Process.Capabilities.Bounding,
|
||||
s.Process.Capabilities.Effective,
|
||||
s.Process.Capabilities.Permitted,
|
||||
s.Process.Capabilities.Inheritable,
|
||||
} {
|
||||
if capsContain(cl, "CAP_FOWNER") {
|
||||
t.Errorf("cap list %d contains dropped cap", i)
|
||||
|
@ -104,7 +101,6 @@ func TestDropCaps(t *testing.T) {
|
|||
s.Process.Capabilities.Bounding,
|
||||
s.Process.Capabilities.Effective,
|
||||
s.Process.Capabilities.Permitted,
|
||||
s.Process.Capabilities.Inheritable,
|
||||
} {
|
||||
if len(cl) != 0 {
|
||||
t.Errorf("cap list %d is not empty", i)
|
||||
|
|
|
@ -45,7 +45,6 @@ func TestGenerateSpec(t *testing.T) {
|
|||
for _, cl := range [][]string{
|
||||
s.Process.Capabilities.Bounding,
|
||||
s.Process.Capabilities.Permitted,
|
||||
s.Process.Capabilities.Inheritable,
|
||||
s.Process.Capabilities.Effective,
|
||||
} {
|
||||
for i := 0; i < len(defaults); i++ {
|
||||
|
@ -193,8 +192,8 @@ func TestWithCapabilities(t *testing.T) {
|
|||
if len(s.Process.Capabilities.Permitted) != 1 || s.Process.Capabilities.Permitted[0] != "CAP_SYS_ADMIN" {
|
||||
t.Error("Unexpected capabilities set")
|
||||
}
|
||||
if len(s.Process.Capabilities.Inheritable) != 1 || s.Process.Capabilities.Inheritable[0] != "CAP_SYS_ADMIN" {
|
||||
t.Error("Unexpected capabilities set")
|
||||
if len(s.Process.Capabilities.Inheritable) != 0 {
|
||||
t.Errorf("Unexpected capabilities set: length is non zero (%d)", len(s.Process.Capabilities.Inheritable))
|
||||
}
|
||||
}
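Review bot: The assertions in this hunk only pin the negative case — Inheritable is now empty after WithCapabilities — and nothing in the diff exercises WithAmbientCapabilities, which after this change is the sole writer of the Inheritable set. A companion test that applies `WithAmbientCapabilities([]string{"CAP_SYS_ADMIN"})` to a fresh spec and asserts that both `s.Process.Capabilities.Inheritable` and `s.Process.Capabilities.Ambient` hold exactly that one entry would guard the backport against a later regression that drops the Inheritable assignment (breaking ambient raising) or reintroduces a non-empty Inheritable default elsewhere. TestWithCapabilities starts before the hunk.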
|
||||
|
||||
|
|
|
@ -254,15 +254,14 @@ func TestContainerCapabilities(t *testing.T) {
|
|||
for _, include := range test.includes {
|
||||
assert.Contains(t, spec.Process.Capabilities.Bounding, include)
|
||||
assert.Contains(t, spec.Process.Capabilities.Effective, include)
|
||||
assert.Contains(t, spec.Process.Capabilities.Inheritable, include)
|
||||
assert.Contains(t, spec.Process.Capabilities.Permitted, include)
|
||||
}
|
||||
for _, exclude := range test.excludes {
|
||||
assert.NotContains(t, spec.Process.Capabilities.Bounding, exclude)
|
||||
assert.NotContains(t, spec.Process.Capabilities.Effective, exclude)
|
||||
assert.NotContains(t, spec.Process.Capabilities.Inheritable, exclude)
|
||||
assert.NotContains(t, spec.Process.Capabilities.Permitted, exclude)
|
||||
}
|
||||
assert.Empty(t, spec.Process.Capabilities.Inheritable)
|
||||
assert.Empty(t, spec.Process.Capabilities.Ambient)
|
||||
}
|
||||
}
|
||||
|
|