6 files changed, 39 insertions, 245 deletions
diff --git a/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch b/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch
index 94cbb4cb..f004a476 100644
--- a/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch
+++ b/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch
@@ -9,27 +9,24 @@ Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
 Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
-diff --git a/Makefile b/Makefile
+Index: git/src/import/Makefile
-index 0f26a1c8..a0c6b40b 100644
+===================================================================
--- a/src/import/Makefile
+--- git.orig/src/import/Makefile
-+++ b/src/import/Makefile
+++ git/src/import/Makefile
-@@ -30,7 +30,7 @@ SHELL := $(shell command -v bash 2>/dev/null)
+@@ -23,7 +23,7 @@
- .DEFAULT: runc
+                GO_BUILDMODE := "-buildmode=pie"
+        endif
+ endif
+-GO_BUILD := $(GO) build $(MOD_VENDOR) $(GO_BUILDMODE) $(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \
+GO_BUILD := $(GO) build $(GOBUILDFLAGS) $(MOD_VENDOR) $(GO_BUILDMODE) $(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \
+        -ldflags "-X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS)"
+ GO_BUILD_STATIC := CGO_ENABLED=1 $(GO) build $(MOD_VENDOR) $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo" \
+        -ldflags "-w -extldflags -static -X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS)"
+@@ -40,7 +40,6 @@
 
- runc: $(SOURCES)
+ static:
-       $(GO) build -buildmode=pie $(EXTRA_FLAGS) -ldflags "-X main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)" -tags "$(BUILDTAGS)" -o runc .
+        $(GO_BUILD_STATIC) -o runc .
-+       $(GO) build $(GOBUILDFLAGS) $(EXTRA_FLAGS) -ldflags "-X main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)" -tags "$(BUILDTAGS)" -o runc .
+-       $(GO_BUILD_STATIC) -o contrib/cmd/recvtty/recvtty ./contrib/cmd/recvtty
- 
- all: runc recvtty
- 
-@@ -41,7 +41,6 @@ contrib/cmd/recvtty/recvtty: $(SOURCES)
- 
- static: $(SOURCES)
-        CGO_ENABLED=1 $(GO) build $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo static_build" -installsuffix netgo -ldflags "-w -extldflags -static -X main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)" -o runc .
-       CGO_ENABLED=1 $(GO) build $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo static_build" -installsuffix netgo -ldflags "-w -extldflags -static -X main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)" -o contrib/cmd/recvtty/recvtty ./contrib/cmd/recvtty
 
 release:
        script/release.sh -r release/$(VERSION) -v $(VERSION)
-- 
-2.17.1
diff --git a/recipes-containers/runc/files/0001-Only-allow-proc-mount-if-it-is-procfs.patch b/recipes-containers/runc/files/0001-Only-allow-proc-mount-if-it-is-procfs.patch
deleted file mode 100644
index 5aca99e2..00000000
--- a/recipes-containers/runc/files/0001-Only-allow-proc-mount-if-it-is-procfs.patch
+++ /dev/null
@@ -1,201 +0,0 @@
-From d75b05441772417a0828465a9483f16287937724 Mon Sep 17 00:00:00 2001
-From: Michael Crosby <crosbymichael@gmail.com>
-Date: Mon, 23 Sep 2019 16:45:45 -0400
-Subject: [PATCH] Only allow proc mount if it is procfs
-Fixes #2128
-This allows proc to be bind mounted for host and rootless namespace usecases but
-it removes the ability to mount over the top of proc with a directory.
-```bash
-> sudo docker run --rm  apparmor
-docker: Error response from daemon: OCI runtime create failed:
-container_linux.go:346: starting container process caused "process_linux.go:449:
-container init caused \"rootfs_linux.go:58: mounting
-\\\"/var/lib/docker/volumes/aae28ea068c33d60e64d1a75916cf3ec2dc3634f97571854c9ed30c8401460c1/_data\\\"
-to rootfs
-\\\"/var/lib/docker/overlay2/a6be5ae911bf19f8eecb23a295dec85be9a8ee8da66e9fb55b47c841d1e381b7/merged\\\"
-at \\\"/proc\\\" caused
-\\\"\\\\\\\"/var/lib/docker/overlay2/a6be5ae911bf19f8eecb23a295dec85be9a8ee8da66e9fb55b47c841d1e381b7/merged/proc\\\\\\\"
-cannot be mounted because it is not of type proc\\\"\"": unknown.
-> sudo docker run --rm -v /proc:/proc apparmor
-docker-default (enforce)        root     18989  0.9  0.0   1288     4 ?
-Ss   16:47   0:00 sleep 20
-```
-Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
-Upstream-Status: Backport [https://github.com/opencontainers/runc/pull/2129/commits/331692baa7afdf6c186f8667cb0e6362ea0802b3]
-CVE: CVE-2019-16884
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
- libcontainer/container_linux.go   |  4 +--
- libcontainer/rootfs_linux.go      | 50 +++++++++++++++++++++++--------
- libcontainer/rootfs_linux_test.go |  8 ++---
- 3 files changed, 43 insertions(+), 19 deletions(-)
-diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
-index 7e58e5e0..d51e35df 100644
--- a/src/import/libcontainer/container_linux.go
-+++ b/src/import/libcontainer/container_linux.go
-@@ -19,7 +19,7 @@ import (
-        "syscall" // only for SysProcAttr and Signal
-        "time"
- 
-       "github.com/cyphar/filepath-securejoin"
-+       securejoin "github.com/cyphar/filepath-securejoin"
-        "github.com/opencontainers/runc/libcontainer/cgroups"
-        "github.com/opencontainers/runc/libcontainer/configs"
-        "github.com/opencontainers/runc/libcontainer/intelrdt"
-@@ -1160,7 +1160,7 @@ func (c *linuxContainer) makeCriuRestoreMountpoints(m *configs.Mount) error {
-                if err != nil {
-                        return err
-                }
-               if err := checkMountDestination(c.config.Rootfs, dest); err != nil {
-+               if err := checkProcMount(c.config.Rootfs, dest, ""); err != nil {
-                        return err
-                }
-                m.Destination = dest
-diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
-index f13b226e..5650b0ac 100644
--- a/src/import/libcontainer/rootfs_linux.go
-+++ b/src/import/libcontainer/rootfs_linux.go
-@@ -13,7 +13,7 @@ import (
-        "strings"
-        "time"
- 
-       "github.com/cyphar/filepath-securejoin"
-+       securejoin "github.com/cyphar/filepath-securejoin"
-        "github.com/mrunalp/fileutils"
-        "github.com/opencontainers/runc/libcontainer/cgroups"
-        "github.com/opencontainers/runc/libcontainer/configs"
-@@ -197,7 +197,7 @@ func prepareBindMount(m *configs.Mount, rootfs string) error {
-        if dest, err = securejoin.SecureJoin(rootfs, m.Destination); err != nil {
-                return err
-        }
-       if err := checkMountDestination(rootfs, dest); err != nil {
-+       if err := checkProcMount(rootfs, dest, m.Source); err != nil {
-                return err
-        }
-        // update the mount with the correct dest after symlinks are resolved.
-@@ -388,7 +388,7 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b
-                if dest, err = securejoin.SecureJoin(rootfs, m.Destination); err != nil {
-                        return err
-                }
-               if err := checkMountDestination(rootfs, dest); err != nil {
-+               if err := checkProcMount(rootfs, dest, m.Source); err != nil {
-                        return err
-                }
-                // update the mount with the correct dest after symlinks are resolved.
-@@ -435,12 +435,12 @@ func getCgroupMounts(m *configs.Mount) ([]*configs.Mount, error) {
-        return binds, nil
- }
- 
-// checkMountDestination checks to ensure that the mount destination is not over the top of /proc.
-+// checkProcMount checks to ensure that the mount destination is not over the top of /proc.
- // dest is required to be an abs path and have any symlinks resolved before calling this function.
-func checkMountDestination(rootfs, dest string) error {
-       invalidDestinations := []string{
-               "/proc",
-       }
-+//
-+// if source is nil, don't stat the filesystem.  This is used for restore of a checkpoint.
-+func checkProcMount(rootfs, dest, source string) error {
-+       const procPath = "/proc"
-        // White list, it should be sub directories of invalid destinations
-        validDestinations := []string{
-                // These entries can be bind mounted by files emulated by fuse,
-@@ -463,16 +463,40 @@ func checkMountDestination(rootfs, dest string) error {
-                        return nil
-                }
-        }
-       for _, invalid := range invalidDestinations {
-               path, err := filepath.Rel(filepath.Join(rootfs, invalid), dest)
-+       path, err := filepath.Rel(filepath.Join(rootfs, procPath), dest)
-+       if err != nil {
-+               return err
-+       }
-+       // pass if the mount path is located outside of /proc
-+       if strings.HasPrefix(path, "..") {
-+               return nil
-+       }
-+       if path == "." {
-+               // an empty source is pasted on restore
-+               if source == "" {
-+                       return nil
-+               }
-+               // only allow a mount on-top of proc if it's source is "proc"
-+               isproc, err := isProc(source)
-                if err != nil {
-                        return err
-                }
-               if path != "." && !strings.HasPrefix(path, "..") {
-                       return fmt.Errorf("%q cannot be mounted because it is located inside %q", dest, invalid)
-+               // pass if the mount is happening on top of /proc and the source of
-+               // the mount is a proc filesystem
-+               if isproc {
-+                       return nil
-                }
-+               return fmt.Errorf("%q cannot be mounted because it is not of type proc", dest)
-        }
-       return nil
-+       return fmt.Errorf("%q cannot be mounted because it is inside /proc", dest)
-+}
-+
-+func isProc(path string) (bool, error) {
-+       var s unix.Statfs_t
-+       if err := unix.Statfs(path, &s); err != nil {
-+               return false, err
-+       }
-+       return s.Type == unix.PROC_SUPER_MAGIC, nil
- }
- 
- func setupDevSymlinks(rootfs string) error {
-diff --git a/libcontainer/rootfs_linux_test.go b/libcontainer/rootfs_linux_test.go
-index d755984b..1bfe7c66 100644
--- a/src/import/libcontainer/rootfs_linux_test.go
-+++ b/src/import/libcontainer/rootfs_linux_test.go
-@@ -10,7 +10,7 @@ import (
- 
- func TestCheckMountDestOnProc(t *testing.T) {
-        dest := "/rootfs/proc/sys"
-       err := checkMountDestination("/rootfs", dest)
-+       err := checkProcMount("/rootfs", dest, "")
-        if err == nil {
-                t.Fatal("destination inside proc should return an error")
-        }
-@@ -18,7 +18,7 @@ func TestCheckMountDestOnProc(t *testing.T) {
- 
- func TestCheckMountDestOnProcChroot(t *testing.T) {
-        dest := "/rootfs/proc/"
-       err := checkMountDestination("/rootfs", dest)
-+       err := checkProcMount("/rootfs", dest, "/proc")
-        if err != nil {
-                t.Fatal("destination inside proc when using chroot should not return an error")
-        }
-@@ -26,7 +26,7 @@ func TestCheckMountDestOnProcChroot(t *testing.T) {
- 
- func TestCheckMountDestInSys(t *testing.T) {
-        dest := "/rootfs//sys/fs/cgroup"
-       err := checkMountDestination("/rootfs", dest)
-+       err := checkProcMount("/rootfs", dest, "")
-        if err != nil {
-                t.Fatal("destination inside /sys should not return an error")
-        }
-@@ -34,7 +34,7 @@ func TestCheckMountDestInSys(t *testing.T) {
- 
- func TestCheckMountDestFalsePositive(t *testing.T) {
-        dest := "/rootfs/sysfiles/fs/cgroup"
-       err := checkMountDestination("/rootfs", dest)
-+       err := checkProcMount("/rootfs", dest, "")
-        if err != nil {
-                t.Fatal(err)
-        }
-- 
-2.17.1
diff --git a/recipes-containers/runc/runc-docker/0001-runc-Add-console-socket-dev-null.patch b/recipes-containers/runc/runc-docker/0001-runc-Add-console-socket-dev-null.patch
index 48c1250d..bcf4c103 100644
--- a/recipes-containers/runc/runc-docker/0001-runc-Add-console-socket-dev-null.patch
+++ b/recipes-containers/runc/runc-docker/0001-runc-Add-console-socket-dev-null.patch
@@ -12,11 +12,11 @@ Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
 utils_linux.go | 5 +++++
 1 file changed, 5 insertions(+)
-diff --git a/utils_linux.go b/utils_linux.go
+Index: git/src/import/utils_linux.go
-index 8085f7fe..e6d31b35 100644
+===================================================================
--- a/src/import/utils_linux.go
+--- git.orig/src/import/utils_linux.go
-+++ b/src/import/utils_linux.go
+++ git/src/import/utils_linux.go
-@@ -227,6 +227,11 @@ type runner struct {
+@@ -267,6 +267,11 @@
 }
 
 func (r *runner) run(config *specs.Process) (int, error) {
@@ -25,9 +25,6 @@ index 8085f7fe..e6d31b35 100644
 +               r.consoleSocket = ""
 +               config.Terminal = false
 +       }
-        if err := r.checkTerminal(config); err != nil {
+        var err error
-                r.destroy()
+        defer func() {
-                return -1, err
+                if err != nil {
-- 
-2.11.0
diff --git a/recipes-containers/runc/runc-docker/0001-runc-docker-SIGUSR1-daemonize.patch b/recipes-containers/runc/runc-docker/0001-runc-docker-SIGUSR1-daemonize.patch
index 0af74952..98b02044 100644
--- a/recipes-containers/runc/runc-docker/0001-runc-docker-SIGUSR1-daemonize.patch
+++ b/recipes-containers/runc/runc-docker/0001-runc-docker-SIGUSR1-daemonize.patch
@@ -33,15 +33,17 @@ Index: git/src/import/signals.go
 ===================================================================
 --- git.orig/src/import/signals.go
 +++ git/src/import/signals.go
-@@ -6,6 +6,7 @@
+@@ -5,7 +5,9 @@
+ import (
        "os"
        "os/signal"
-        "syscall" // only for Signal
+       "syscall" // only for Signal
-+       "strconv"
 
+        "strconv"
        "github.com/opencontainers/runc/libcontainer"
        "github.com/opencontainers/runc/libcontainer/system"
-@@ -56,9 +57,6 @@
+        "github.com/opencontainers/runc/libcontainer/utils"
+@@ -55,9 +57,6 @@
 func (h *signalHandler) forward(process *libcontainer.Process, tty *tty, detach bool) (int, error) {
        // make sure we know the pid of our main process so that we can return
        // after it dies.
@@ -51,12 +53,13 @@ Index: git/src/import/signals.go
 
        pid1, err := process.Pid()
        if err != nil {
-@@ -68,11 +66,60 @@
+@@ -67,12 +66,61 @@
        if h.notifySocket != nil {
                if detach {
                        h.notifySocket.run(pid1)
 -                       return 0, nil
                }
+                h.notifySocket.run(os.Getpid())
                go h.notifySocket.run(0)
        }
 
@@ -117,7 +120,7 @@ Index: git/src/import/utils_linux.go
 ===================================================================
 --- git.orig/src/import/utils_linux.go
 +++ git/src/import/utils_linux.go
-@@ -347,7 +347,7 @@
+@@ -349,7 +349,7 @@
        if err != nil {
                r.terminate(process)
        }
@@ -125,4 +128,4 @@ Index: git/src/import/utils_linux.go
 +       if (detach && os.Getenv("SIGUSR1_PARENT_PID") == "") {
                return 0, nil
        }
-        r.destroy()
+        if err == nil {
diff --git a/recipes-containers/runc/runc-docker_git.bb b/recipes-containers/runc/runc-docker_git.bb
index 8d810d01..6b7069ba 100644
--- a/recipes-containers/runc/runc-docker_git.bb
+++ b/recipes-containers/runc/runc-docker_git.bb
@@ -2,12 +2,11 @@ include runc.inc
 # Note: this rev is before the required protocol field, update when all components
 #       have been updated to match.
-SRCREV_runc-docker = "425e105d5a03fabd737a126ad93d62a9eeede87f"
+SRCREV_runc-docker = "49a73463331bd8ff44bb8349e33f4b2e1ae34b4f"
 SRC_URI = "git://github.com/opencontainers/runc;nobranch=1;name=runc-docker \
           file://0001-runc-Add-console-socket-dev-null.patch \
           file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch \
           file://0001-runc-docker-SIGUSR1-daemonize.patch \
-           file://0001-Only-allow-proc-mount-if-it-is-procfs.patch \
          "
-RUNC_VERSION = "1.0.0-rc8"
+RUNC_VERSION = "1.0.0-rc92"
diff --git a/recipes-containers/runc/runc-opencontainers_git.bb b/recipes-containers/runc/runc-opencontainers_git.bb
index 3a7e7aaf..e3e0ac30 100644
--- a/recipes-containers/runc/runc-opencontainers_git.bb
+++ b/recipes-containers/runc/runc-opencontainers_git.bb
@@ -1,9 +1,8 @@
 include runc.inc
-SRCREV = "652297c7c7e6c94e8d064ad5916c32891a6fd388"
+SRCREV = "49a73463331bd8ff44bb8349e33f4b2e1ae34b4f"
 SRC_URI = " \
    git://github.com/opencontainers/runc;branch=master \
    file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch \
-    file://0001-Only-allow-proc-mount-if-it-is-procfs.patch \
    "
-RUNC_VERSION = "1.0.0-rc8"
+RUNC_VERSION = "1.0.0-rc92"

diff --git a/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch b/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch index 94cbb4cb..f004a476 100644 --- a/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch +++ b/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch
@@ -9,27 +9,24 @@ Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
9	Makefile \| 3 +--	9	Makefile \| 3 +--
10	1 file changed, 1 insertion(+), 2 deletions(-)	10	1 file changed, 1 insertion(+), 2 deletions(-)
11		11
12	diff --git a/Makefile b/Makefile	12	Index: git/src/import/Makefile
13	index 0f26a1c8..a0c6b40b 100644	13	===================================================================
14	--- a/src/import/Makefile	14	--- git.orig/src/import/Makefile
15	+++ b/src/import/Makefile	15	+++ git/src/import/Makefile
16	@@ -30,7 +30,7 @@ SHELL := $(shell command -v bash 2>/dev/null)	16	@@ -23,7 +23,7 @@
17	.DEFAULT: runc	17	GO_BUILDMODE := "-buildmode=pie"
		18	endif
		19	endif
		20	-GO_BUILD := $(GO) build $(MOD_VENDOR) $(GO_BUILDMODE) $(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \
		21	+GO_BUILD := $(GO) build $(GOBUILDFLAGS) $(MOD_VENDOR) $(GO_BUILDMODE) $(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \
		22	-ldflags "-X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS)"
		23	GO_BUILD_STATIC := CGO_ENABLED=1 $(GO) build $(MOD_VENDOR) $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo" \
		24	-ldflags "-w -extldflags -static -X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS)"
		25	@@ -40,7 +40,6 @@
18		26
19	runc: $(SOURCES)	27	static:
20	- $(GO) build -buildmode=pie $(EXTRA_FLAGS) -ldflags "-X main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)" -tags "$(BUILDTAGS)" -o runc .	28	$(GO_BUILD_STATIC) -o runc .
21	+ $(GO) build $(GOBUILDFLAGS) $(EXTRA_FLAGS) -ldflags "-X main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)" -tags "$(BUILDTAGS)" -o runc .	29	- $(GO_BUILD_STATIC) -o contrib/cmd/recvtty/recvtty ./contrib/cmd/recvtty
22
23	all: runc recvtty
24
25	@@ -41,7 +41,6 @@ contrib/cmd/recvtty/recvtty: $(SOURCES)
26
27	static: $(SOURCES)
28	CGO_ENABLED=1 $(GO) build $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo static_build" -installsuffix netgo -ldflags "-w -extldflags -static -X main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)" -o runc .
29	- CGO_ENABLED=1 $(GO) build $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo static_build" -installsuffix netgo -ldflags "-w -extldflags -static -X main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)" -o contrib/cmd/recvtty/recvtty ./contrib/cmd/recvtty
30		30
31	release:	31	release:
32	script/release.sh -r release/$(VERSION) -v $(VERSION)	32	script/release.sh -r release/$(VERSION) -v $(VERSION)
33	--
34	2.17.1
35


diff --git a/recipes-containers/runc/files/0001-Only-allow-proc-mount-if-it-is-procfs.patch b/recipes-containers/runc/files/0001-Only-allow-proc-mount-if-it-is-procfs.patch deleted file mode 100644 index 5aca99e2..00000000 --- a/recipes-containers/runc/files/0001-Only-allow-proc-mount-if-it-is-procfs.patch +++ /dev/null
@@ -1,201 +0,0 @@
1	From d75b05441772417a0828465a9483f16287937724 Mon Sep 17 00:00:00 2001
2	From: Michael Crosby <crosbymichael@gmail.com>
3	Date: Mon, 23 Sep 2019 16:45:45 -0400
4	Subject: [PATCH] Only allow proc mount if it is procfs
5
6	Fixes #2128
7
8	This allows proc to be bind mounted for host and rootless namespace usecases but
9	it removes the ability to mount over the top of proc with a directory.
10
11	```bash
12	> sudo docker run --rm apparmor
13	docker: Error response from daemon: OCI runtime create failed:
14	container_linux.go:346: starting container process caused "process_linux.go:449:
15	container init caused \"rootfs_linux.go:58: mounting
16	\\\"/var/lib/docker/volumes/aae28ea068c33d60e64d1a75916cf3ec2dc3634f97571854c9ed30c8401460c1/_data\\\"
17	to rootfs
18	\\\"/var/lib/docker/overlay2/a6be5ae911bf19f8eecb23a295dec85be9a8ee8da66e9fb55b47c841d1e381b7/merged\\\"
19	at \\\"/proc\\\" caused
20	\\\"\\\\\\\"/var/lib/docker/overlay2/a6be5ae911bf19f8eecb23a295dec85be9a8ee8da66e9fb55b47c841d1e381b7/merged/proc\\\\\\\"
21	cannot be mounted because it is not of type proc\\\"\"": unknown.
22
23	> sudo docker run --rm -v /proc:/proc apparmor
24
25	docker-default (enforce) root 18989 0.9 0.0 1288 4 ?
26	Ss 16:47 0:00 sleep 20
27	```
28
29	Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
30
31	Upstream-Status: Backport [https://github.com/opencontainers/runc/pull/2129/commits/331692baa7afdf6c186f8667cb0e6362ea0802b3]
32
33	CVE: CVE-2019-16884
34
35	Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
36	---
37	libcontainer/container_linux.go \| 4 +--
38	libcontainer/rootfs_linux.go \| 50 +++++++++++++++++++++++--------
39	libcontainer/rootfs_linux_test.go \| 8 ++---
40	3 files changed, 43 insertions(+), 19 deletions(-)
41
42	diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
43	index 7e58e5e0..d51e35df 100644
44	--- a/src/import/libcontainer/container_linux.go
45	+++ b/src/import/libcontainer/container_linux.go
46	@@ -19,7 +19,7 @@ import (
47	"syscall" // only for SysProcAttr and Signal
48	"time"
49
50	- "github.com/cyphar/filepath-securejoin"
51	+ securejoin "github.com/cyphar/filepath-securejoin"
52	"github.com/opencontainers/runc/libcontainer/cgroups"
53	"github.com/opencontainers/runc/libcontainer/configs"
54	"github.com/opencontainers/runc/libcontainer/intelrdt"
55	@@ -1160,7 +1160,7 @@ func (c linuxContainer) makeCriuRestoreMountpoints(m configs.Mount) error {
56	if err != nil {
57	return err
58	}
59	- if err := checkMountDestination(c.config.Rootfs, dest); err != nil {
60	+ if err := checkProcMount(c.config.Rootfs, dest, ""); err != nil {
61	return err
62	}
63	m.Destination = dest
64	diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
65	index f13b226e..5650b0ac 100644
66	--- a/src/import/libcontainer/rootfs_linux.go
67	+++ b/src/import/libcontainer/rootfs_linux.go
68	@@ -13,7 +13,7 @@ import (
69	"strings"
70	"time"
71
72	- "github.com/cyphar/filepath-securejoin"
73	+ securejoin "github.com/cyphar/filepath-securejoin"
74	"github.com/mrunalp/fileutils"
75	"github.com/opencontainers/runc/libcontainer/cgroups"
76	"github.com/opencontainers/runc/libcontainer/configs"
77	@@ -197,7 +197,7 @@ func prepareBindMount(m *configs.Mount, rootfs string) error {
78	if dest, err = securejoin.SecureJoin(rootfs, m.Destination); err != nil {
79	return err
80	}
81	- if err := checkMountDestination(rootfs, dest); err != nil {
82	+ if err := checkProcMount(rootfs, dest, m.Source); err != nil {
83	return err
84	}
85	// update the mount with the correct dest after symlinks are resolved.
86	@@ -388,7 +388,7 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b
87	if dest, err = securejoin.SecureJoin(rootfs, m.Destination); err != nil {
88	return err
89	}
90	- if err := checkMountDestination(rootfs, dest); err != nil {
91	+ if err := checkProcMount(rootfs, dest, m.Source); err != nil {
92	return err
93	}
94	// update the mount with the correct dest after symlinks are resolved.
95	@@ -435,12 +435,12 @@ func getCgroupMounts(m configs.Mount) ([]configs.Mount, error) {
96	return binds, nil
97	}
98
99	-// checkMountDestination checks to ensure that the mount destination is not over the top of /proc.
100	+// checkProcMount checks to ensure that the mount destination is not over the top of /proc.
101	// dest is required to be an abs path and have any symlinks resolved before calling this function.
102	-func checkMountDestination(rootfs, dest string) error {
103	- invalidDestinations := []string{
104	- "/proc",
105	- }
106	+//
107	+// if source is nil, don't stat the filesystem. This is used for restore of a checkpoint.
108	+func checkProcMount(rootfs, dest, source string) error {
109	+ const procPath = "/proc"
110	// White list, it should be sub directories of invalid destinations
111	validDestinations := []string{
112	// These entries can be bind mounted by files emulated by fuse,
113	@@ -463,16 +463,40 @@ func checkMountDestination(rootfs, dest string) error {
114	return nil
115	}
116	}
117	- for _, invalid := range invalidDestinations {
118	- path, err := filepath.Rel(filepath.Join(rootfs, invalid), dest)
119	+ path, err := filepath.Rel(filepath.Join(rootfs, procPath), dest)
120	+ if err != nil {
121	+ return err
122	+ }
123	+ // pass if the mount path is located outside of /proc
124	+ if strings.HasPrefix(path, "..") {
125	+ return nil
126	+ }
127	+ if path == "." {
128	+ // an empty source is pasted on restore
129	+ if source == "" {
130	+ return nil
131	+ }
132	+ // only allow a mount on-top of proc if it's source is "proc"
133	+ isproc, err := isProc(source)
134	if err != nil {
135	return err
136	}
137	- if path != "." && !strings.HasPrefix(path, "..") {
138	- return fmt.Errorf("%q cannot be mounted because it is located inside %q", dest, invalid)
139	+ // pass if the mount is happening on top of /proc and the source of
140	+ // the mount is a proc filesystem
141	+ if isproc {
142	+ return nil
143	}
144	+ return fmt.Errorf("%q cannot be mounted because it is not of type proc", dest)
145	}
146	- return nil
147	+ return fmt.Errorf("%q cannot be mounted because it is inside /proc", dest)
148	+}
149	+
150	+func isProc(path string) (bool, error) {
151	+ var s unix.Statfs_t
152	+ if err := unix.Statfs(path, &s); err != nil {
153	+ return false, err
154	+ }
155	+ return s.Type == unix.PROC_SUPER_MAGIC, nil
156	}
157
158	func setupDevSymlinks(rootfs string) error {
159	diff --git a/libcontainer/rootfs_linux_test.go b/libcontainer/rootfs_linux_test.go
160	index d755984b..1bfe7c66 100644
161	--- a/src/import/libcontainer/rootfs_linux_test.go
162	+++ b/src/import/libcontainer/rootfs_linux_test.go
163	@@ -10,7 +10,7 @@ import (
164
165	func TestCheckMountDestOnProc(t *testing.T) {
166	dest := "/rootfs/proc/sys"
167	- err := checkMountDestination("/rootfs", dest)
168	+ err := checkProcMount("/rootfs", dest, "")
169	if err == nil {
170	t.Fatal("destination inside proc should return an error")
171	}
172	@@ -18,7 +18,7 @@ func TestCheckMountDestOnProc(t *testing.T) {
173
174	func TestCheckMountDestOnProcChroot(t *testing.T) {
175	dest := "/rootfs/proc/"
176	- err := checkMountDestination("/rootfs", dest)
177	+ err := checkProcMount("/rootfs", dest, "/proc")
178	if err != nil {
179	t.Fatal("destination inside proc when using chroot should not return an error")
180	}
181	@@ -26,7 +26,7 @@ func TestCheckMountDestOnProcChroot(t *testing.T) {
182
183	func TestCheckMountDestInSys(t *testing.T) {
184	dest := "/rootfs//sys/fs/cgroup"
185	- err := checkMountDestination("/rootfs", dest)
186	+ err := checkProcMount("/rootfs", dest, "")
187	if err != nil {
188	t.Fatal("destination inside /sys should not return an error")
189	}
190	@@ -34,7 +34,7 @@ func TestCheckMountDestInSys(t *testing.T) {
191
192	func TestCheckMountDestFalsePositive(t *testing.T) {
193	dest := "/rootfs/sysfiles/fs/cgroup"
194	- err := checkMountDestination("/rootfs", dest)
195	+ err := checkProcMount("/rootfs", dest, "")
196	if err != nil {
197	t.Fatal(err)
198	}
199	--
200	2.17.1
201


diff --git a/recipes-containers/runc/runc-docker/0001-runc-Add-console-socket-dev-null.patch b/recipes-containers/runc/runc-docker/0001-runc-Add-console-socket-dev-null.patch index 48c1250d..bcf4c103 100644 --- a/recipes-containers/runc/runc-docker/0001-runc-Add-console-socket-dev-null.patch +++ b/recipes-containers/runc/runc-docker/0001-runc-Add-console-socket-dev-null.patch
@@ -12,11 +12,11 @@ Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
12	utils_linux.go \| 5 +++++	12	utils_linux.go \| 5 +++++
13	1 file changed, 5 insertions(+)	13	1 file changed, 5 insertions(+)
14		14
15	diff --git a/utils_linux.go b/utils_linux.go	15	Index: git/src/import/utils_linux.go
16	index 8085f7fe..e6d31b35 100644	16	===================================================================
17	--- a/src/import/utils_linux.go	17	--- git.orig/src/import/utils_linux.go
18	+++ b/src/import/utils_linux.go	18	+++ git/src/import/utils_linux.go
19	@@ -227,6 +227,11 @@ type runner struct {	19	@@ -267,6 +267,11 @@
20	}	20	}
21		21
22	func (r runner) run(config specs.Process) (int, error) {	22	func (r runner) run(config specs.Process) (int, error) {
@@ -25,9 +25,6 @@ index 8085f7fe..e6d31b35 100644
25	+ r.consoleSocket = ""	25	+ r.consoleSocket = ""
26	+ config.Terminal = false	26	+ config.Terminal = false
27	+ }	27	+ }
28	if err := r.checkTerminal(config); err != nil {	28	var err error
29	r.destroy()	29	defer func() {
30	return -1, err	30	if err != nil {
31	--
32	2.11.0
33


diff --git a/recipes-containers/runc/runc-docker/0001-runc-docker-SIGUSR1-daemonize.patch b/recipes-containers/runc/runc-docker/0001-runc-docker-SIGUSR1-daemonize.patch index 0af74952..98b02044 100644 --- a/recipes-containers/runc/runc-docker/0001-runc-docker-SIGUSR1-daemonize.patch +++ b/recipes-containers/runc/runc-docker/0001-runc-docker-SIGUSR1-daemonize.patch
@@ -33,15 +33,17 @@ Index: git/src/import/signals.go
33	===================================================================	33	===================================================================
34	--- git.orig/src/import/signals.go	34	--- git.orig/src/import/signals.go
35	+++ git/src/import/signals.go	35	+++ git/src/import/signals.go
36	@@ -6,6 +6,7 @@	36	@@ -5,7 +5,9 @@
		37	import (
37	"os"	38	"os"
38	"os/signal"	39	"os/signal"
39	"syscall" // only for Signal	40	+ "syscall" // only for Signal
40	+ "strconv"
41		41
		42	+ "strconv"
42	"github.com/opencontainers/runc/libcontainer"	43	"github.com/opencontainers/runc/libcontainer"
43	"github.com/opencontainers/runc/libcontainer/system"	44	"github.com/opencontainers/runc/libcontainer/system"
44	@@ -56,9 +57,6 @@	45	"github.com/opencontainers/runc/libcontainer/utils"
		46	@@ -55,9 +57,6 @@
45	func (h signalHandler) forward(process libcontainer.Process, tty *tty, detach bool) (int, error) {	47	func (h signalHandler) forward(process libcontainer.Process, tty *tty, detach bool) (int, error) {
46	// make sure we know the pid of our main process so that we can return	48	// make sure we know the pid of our main process so that we can return
47	// after it dies.	49	// after it dies.
@@ -51,12 +53,13 @@ Index: git/src/import/signals.go
51		53
52	pid1, err := process.Pid()	54	pid1, err := process.Pid()
53	if err != nil {	55	if err != nil {
54	@@ -68,11 +66,60 @@	56	@@ -67,12 +66,61 @@
55	if h.notifySocket != nil {	57	if h.notifySocket != nil {
56	if detach {	58	if detach {
57	h.notifySocket.run(pid1)	59	h.notifySocket.run(pid1)
58	- return 0, nil	60	- return 0, nil
59	}	61	}
		62	h.notifySocket.run(os.Getpid())
60	go h.notifySocket.run(0)	63	go h.notifySocket.run(0)
61	}	64	}
62		65
@@ -117,7 +120,7 @@ Index: git/src/import/utils_linux.go
117	===================================================================	120	===================================================================
118	--- git.orig/src/import/utils_linux.go	121	--- git.orig/src/import/utils_linux.go
119	+++ git/src/import/utils_linux.go	122	+++ git/src/import/utils_linux.go
120	@@ -347,7 +347,7 @@	123	@@ -349,7 +349,7 @@
121	if err != nil {	124	if err != nil {
122	r.terminate(process)	125	r.terminate(process)
123	}	126	}
@@ -125,4 +128,4 @@ Index: git/src/import/utils_linux.go
125	+ if (detach && os.Getenv("SIGUSR1_PARENT_PID") == "") {	128	+ if (detach && os.Getenv("SIGUSR1_PARENT_PID") == "") {
126	return 0, nil	129	return 0, nil
127	}	130	}
128	r.destroy()	131	if err == nil {


diff --git a/recipes-containers/runc/runc-docker_git.bb b/recipes-containers/runc/runc-docker_git.bb index 8d810d01..6b7069ba 100644 --- a/recipes-containers/runc/runc-docker_git.bb +++ b/recipes-containers/runc/runc-docker_git.bb
@@ -2,12 +2,11 @@ include runc.inc
2		2
3	# Note: this rev is before the required protocol field, update when all components	3	# Note: this rev is before the required protocol field, update when all components
4	# have been updated to match.	4	# have been updated to match.
5	SRCREV_runc-docker = "425e105d5a03fabd737a126ad93d62a9eeede87f"	5	SRCREV_runc-docker = "49a73463331bd8ff44bb8349e33f4b2e1ae34b4f"
6	SRC_URI = "git://github.com/opencontainers/runc;nobranch=1;name=runc-docker \	6	SRC_URI = "git://github.com/opencontainers/runc;nobranch=1;name=runc-docker \
7	file://0001-runc-Add-console-socket-dev-null.patch \	7	file://0001-runc-Add-console-socket-dev-null.patch \
8	file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch \	8	file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch \
9	file://0001-runc-docker-SIGUSR1-daemonize.patch \	9	file://0001-runc-docker-SIGUSR1-daemonize.patch \
10	file://0001-Only-allow-proc-mount-if-it-is-procfs.patch \
11	"	10	"
12		11
13	RUNC_VERSION = "1.0.0-rc8"	12	RUNC_VERSION = "1.0.0-rc92"


diff --git a/recipes-containers/runc/runc-opencontainers_git.bb b/recipes-containers/runc/runc-opencontainers_git.bb index 3a7e7aaf..e3e0ac30 100644 --- a/recipes-containers/runc/runc-opencontainers_git.bb +++ b/recipes-containers/runc/runc-opencontainers_git.bb
@@ -1,9 +1,8 @@
1	include runc.inc	1	include runc.inc
2		2
3	SRCREV = "652297c7c7e6c94e8d064ad5916c32891a6fd388"	3	SRCREV = "49a73463331bd8ff44bb8349e33f4b2e1ae34b4f"
4	SRC_URI = " \	4	SRC_URI = " \
5	git://github.com/opencontainers/runc;branch=master \	5	git://github.com/opencontainers/runc;branch=master \
6	file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch \	6	file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch \
7	file://0001-Only-allow-proc-mount-if-it-is-procfs.patch \
8	"	7	"
9	RUNC_VERSION = "1.0.0-rc8"	8	RUNC_VERSION = "1.0.0-rc92"