2 files changed, 104 insertions, 0 deletions
diff --git a/recipes-containers/containerd/containerd-opencontainers/CVE-2024-25621.patch b/recipes-containers/containerd/containerd-opencontainers/CVE-2024-25621.patch
new file mode 100644
index 00000000..4ae9bb63
--- /dev/null
+++ b/recipes-containers/containerd/containerd-opencontainers/CVE-2024-25621.patch
@@ -0,0 +1,103 @@
+From 0450f046e6942e513d0ebf1ef5c2aff13daa187f Mon Sep 17 00:00:00 2001
+From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+Date: Mon, 27 Oct 2025 16:42:59 +0900
+Subject: [PATCH] Fix directory permissions
+- Create /var/lib/containerd with 0o700 (was: 0o711).
+- Create config.TempDir with 0o700 (was: 0o711).
+- Create /run/containerd/io.containerd.grpc.v1.cri with 0o700 (was: 0o755).
+- Create /run/containerd/io.containerd.sandbox.controller.v1.shim with 0o700 (was: 0o711).
+- Leave /run/containerd and /run/containerd/io.containerd.runtime.v2.task created with 0o711,
+  as required by userns-remapped containers.
+  /run/containerd/io.containerd.runtime.v2.task/<NS>/<ID> is created with:
+  - 0o700 for non-userns-remapped containers
+  - 0o710 for userns-remapped containers with the remapped root group as the owner group.
+Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+(cherry picked from commit 51b0cf11dc5af7ed1919beba259e644138b28d96)
+Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+Upstream-Status: Backport [https://github.com/containerd/containerd/commit/0450f046e6942e513d0ebf1ef5c2aff13daa187f]
+CVE: CVE-2024-25621
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pkg/cri/cri.go            |  8 ++++++++
+ runtime/v2/manager.go     |  2 ++
+ services/server/server.go | 14 ++++++++++++--
+ 3 files changed, 22 insertions(+), 2 deletions(-)
+diff --git a/pkg/cri/cri.go b/pkg/cri/cri.go
+index 7182716b6..dec810196 100644
+--- a/pkg/cri/cri.go
+++ b/pkg/cri/cri.go
+@@ -19,6 +19,7 @@ package cri
+ import (
+        "flag"
+        "fmt"
+       "os"
+        "path/filepath"
+ 
+        "github.com/containerd/containerd"
+@@ -68,6 +69,13 @@ func initCRIService(ic *plugin.InitContext) (interface{}, error) {
+                return nil, fmt.Errorf("invalid plugin config: %w", err)
+        }
+ 
+       if err := os.MkdirAll(ic.State, 0700); err != nil {
+               return nil, err
+       }
+       // chmod is needed for upgrading from an older release that created the dir with 0755
+       if err := os.Chmod(ic.State, 0700); err != nil {
+               return nil, err
+       }
+        c := criconfig.Config{
+                PluginConfig:       *pluginConfig,
+                ContainerdRootDir:  filepath.Dir(ic.Root),
+diff --git a/runtime/v2/manager.go b/runtime/v2/manager.go
+index 1927cbb3f..1f26bbeac 100644
+--- a/runtime/v2/manager.go
+++ b/runtime/v2/manager.go
+@@ -109,6 +109,8 @@ type ManagerConfig struct {
+ // NewShimManager creates a manager for v2 shims
+ func NewShimManager(ctx context.Context, config *ManagerConfig) (*ShimManager, error) {
+        for _, d := range []string{config.Root, config.State} {
+               // root:  the parent of this directory is created as 0700, not 0711.
+               // state: the parent of this directory is created as 0711 too, so as to support userns-remapped containers.
+                if err := os.MkdirAll(d, 0711); err != nil {
+                        return nil, err
+                }
+diff --git a/services/server/server.go b/services/server/server.go
+index 857cc9c76..bc2ddbf1f 100644
+--- a/services/server/server.go
+++ b/services/server/server.go
+@@ -82,16 +82,26 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error {
+                return errors.New("root and state must be different paths")
+        }
+ 
+-       if err := sys.MkdirAllWithACL(config.Root, 0711); err != nil {
+       if err := sys.MkdirAllWithACL(config.Root, 0700); err != nil {
+               return err
+       }
+       // chmod is needed for upgrading from an older release that created the dir with 0o711
+       if err := os.Chmod(config.Root, 0700); err != nil {
+                return err
+        }
+ 
+       // For supporting userns-remapped containers, the state dir cannot be just mkdired with 0o700.
+       // Each of plugins creates a dedicated directory beneath the state dir with appropriate permission bits.
+        if err := sys.MkdirAllWithACL(config.State, 0711); err != nil {
+                return err
+        }
+ 
+        if config.TempDir != "" {
+-               if err := sys.MkdirAllWithACL(config.TempDir, 0711); err != nil {
+               if err := sys.MkdirAllWithACL(config.TempDir, 0700); err != nil {
+                       return err
+               }
+               // chmod is needed for upgrading from an older release that created the dir with 0o711
+               if err := os.Chmod(config.Root, 0700); err != nil {
+                        return err
+                }
+                if runtime.GOOS == "windows" {
+-- 
+2.25.1
diff --git a/recipes-containers/containerd/containerd-opencontainers_git.bb b/recipes-containers/containerd/containerd-opencontainers_git.bb
index dd621705..264d37a6 100644
--- a/recipes-containers/containerd/containerd-opencontainers_git.bb
+++ b/recipes-containers/containerd/containerd-opencontainers_git.bb
@@ -10,6 +10,7 @@ SRC_URI = "git://github.com/containerd/containerd;branch=release/1.6;protocol=ht
           file://0001-Makefile-allow-GO_BUILD_FLAGS-to-be-externally-speci.patch \
           file://0001-build-don-t-use-gcflags-to-define-trimpath.patch \
           file://CVE-2024-40635.patch \
+           file://CVE-2024-25621.patch \
          "
 # Apache-2.0 for containerd

diff --git a/recipes-containers/containerd/containerd-opencontainers/CVE-2024-25621.patch b/recipes-containers/containerd/containerd-opencontainers/CVE-2024-25621.patch new file mode 100644 index 00000000..4ae9bb63 --- /dev/null +++ b/recipes-containers/containerd/containerd-opencontainers/CVE-2024-25621.patch
@@ -0,0 +1,103 @@
		1	From 0450f046e6942e513d0ebf1ef5c2aff13daa187f Mon Sep 17 00:00:00 2001
		2	From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
		3	Date: Mon, 27 Oct 2025 16:42:59 +0900
		4	Subject: [PATCH] Fix directory permissions
		5
		6	- Create /var/lib/containerd with 0o700 (was: 0o711).
		7	- Create config.TempDir with 0o700 (was: 0o711).
		8	- Create /run/containerd/io.containerd.grpc.v1.cri with 0o700 (was: 0o755).
		9	- Create /run/containerd/io.containerd.sandbox.controller.v1.shim with 0o700 (was: 0o711).
		10	- Leave /run/containerd and /run/containerd/io.containerd.runtime.v2.task created with 0o711,
		11	as required by userns-remapped containers.
		12	/run/containerd/io.containerd.runtime.v2.task/<NS>/<ID> is created with:
		13	- 0o700 for non-userns-remapped containers
		14	- 0o710 for userns-remapped containers with the remapped root group as the owner group.
		15
		16	Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
		17	(cherry picked from commit 51b0cf11dc5af7ed1919beba259e644138b28d96)
		18	Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
		19
		20	Upstream-Status: Backport [https://github.com/containerd/containerd/commit/0450f046e6942e513d0ebf1ef5c2aff13daa187f]
		21	CVE: CVE-2024-25621
		22	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		23	---
		24	pkg/cri/cri.go \| 8 ++++++++
		25	runtime/v2/manager.go \| 2 ++
		26	services/server/server.go \| 14 ++++++++++++--
		27	3 files changed, 22 insertions(+), 2 deletions(-)
		28
		29	diff --git a/pkg/cri/cri.go b/pkg/cri/cri.go
		30	index 7182716b6..dec810196 100644
		31	--- a/pkg/cri/cri.go
		32	+++ b/pkg/cri/cri.go
		33	@@ -19,6 +19,7 @@ package cri
		34	import (
		35	"flag"
		36	"fmt"
		37	+ "os"
		38	"path/filepath"
		39
		40	"github.com/containerd/containerd"
		41	@@ -68,6 +69,13 @@ func initCRIService(ic *plugin.InitContext) (interface{}, error) {
		42	return nil, fmt.Errorf("invalid plugin config: %w", err)
		43	}
		44
		45	+ if err := os.MkdirAll(ic.State, 0700); err != nil {
		46	+ return nil, err
		47	+ }
		48	+ // chmod is needed for upgrading from an older release that created the dir with 0755
		49	+ if err := os.Chmod(ic.State, 0700); err != nil {
		50	+ return nil, err
		51	+ }
		52	c := criconfig.Config{
		53	PluginConfig: *pluginConfig,
		54	ContainerdRootDir: filepath.Dir(ic.Root),
		55	diff --git a/runtime/v2/manager.go b/runtime/v2/manager.go
		56	index 1927cbb3f..1f26bbeac 100644
		57	--- a/runtime/v2/manager.go
		58	+++ b/runtime/v2/manager.go
		59	@@ -109,6 +109,8 @@ type ManagerConfig struct {
		60	// NewShimManager creates a manager for v2 shims
		61	func NewShimManager(ctx context.Context, config ManagerConfig) (ShimManager, error) {
		62	for _, d := range []string{config.Root, config.State} {
		63	+ // root: the parent of this directory is created as 0700, not 0711.
		64	+ // state: the parent of this directory is created as 0711 too, so as to support userns-remapped containers.
		65	if err := os.MkdirAll(d, 0711); err != nil {
		66	return nil, err
		67	}
		68	diff --git a/services/server/server.go b/services/server/server.go
		69	index 857cc9c76..bc2ddbf1f 100644
		70	--- a/services/server/server.go
		71	+++ b/services/server/server.go
		72	@@ -82,16 +82,26 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error {
		73	return errors.New("root and state must be different paths")
		74	}
		75
		76	- if err := sys.MkdirAllWithACL(config.Root, 0711); err != nil {
		77	+ if err := sys.MkdirAllWithACL(config.Root, 0700); err != nil {
		78	+ return err
		79	+ }
		80	+ // chmod is needed for upgrading from an older release that created the dir with 0o711
		81	+ if err := os.Chmod(config.Root, 0700); err != nil {
		82	return err
		83	}
		84
		85	+ // For supporting userns-remapped containers, the state dir cannot be just mkdired with 0o700.
		86	+ // Each of plugins creates a dedicated directory beneath the state dir with appropriate permission bits.
		87	if err := sys.MkdirAllWithACL(config.State, 0711); err != nil {
		88	return err
		89	}
		90
		91	if config.TempDir != "" {
		92	- if err := sys.MkdirAllWithACL(config.TempDir, 0711); err != nil {
		93	+ if err := sys.MkdirAllWithACL(config.TempDir, 0700); err != nil {
		94	+ return err
		95	+ }
		96	+ // chmod is needed for upgrading from an older release that created the dir with 0o711
		97	+ if err := os.Chmod(config.Root, 0700); err != nil {
		98	return err
		99	}
		100	if runtime.GOOS == "windows" {
		101	--
		102	2.25.1
		103


diff --git a/recipes-containers/containerd/containerd-opencontainers_git.bb b/recipes-containers/containerd/containerd-opencontainers_git.bb index dd621705..264d37a6 100644 --- a/recipes-containers/containerd/containerd-opencontainers_git.bb +++ b/recipes-containers/containerd/containerd-opencontainers_git.bb
@@ -10,6 +10,7 @@ SRC_URI = "git://github.com/containerd/containerd;branch=release/1.6;protocol=ht
10	file://0001-Makefile-allow-GO_BUILD_FLAGS-to-be-externally-speci.patch \	10	file://0001-Makefile-allow-GO_BUILD_FLAGS-to-be-externally-speci.patch \
11	file://0001-build-don-t-use-gcflags-to-define-trimpath.patch \	11	file://0001-build-don-t-use-gcflags-to-define-trimpath.patch \
12	file://CVE-2024-40635.patch \	12	file://CVE-2024-40635.patch \
		13	file://CVE-2024-25621.patch \
13	"	14	"
14		15
15	# Apache-2.0 for containerd	16	# Apache-2.0 for containerd