+++ /dev/null
-From f2314625c5702cfd25974929599fa439bdac8bdf Mon Sep 17 00:00:00 2001
-From: Christian Brauner <christian.brauner@ubuntu.com>
-Date: Wed, 25 Jul 2018 19:56:54 +0200
-Subject: [PATCH] CVE 2018-6556: verify netns fd in lxc-user-nic
-
-Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
----
- src/lxc/cmd/lxc_user_nic.c | 35 ++++++++++++++++++++++++++++++++---
- src/lxc/utils.c | 12 ++++++++++++
- src/lxc/utils.h | 5 +++++
- 3 files changed, 49 insertions(+), 3 deletions(-)
-
-diff --git a/src/lxc/cmd/lxc_user_nic.c b/src/lxc/cmd/lxc_user_nic.c
-index ec9cd97e..c5beb6c8 100644
---- a/src/lxc/cmd/lxc_user_nic.c
-+++ b/src/lxc/cmd/lxc_user_nic.c
-@@ -1179,12 +1179,41 @@ int main(int argc, char *argv[])
- exit(EXIT_FAILURE);
- }
- } else if (request == LXC_USERNIC_DELETE) {
-- netns_fd = open(args.pid, O_RDONLY);
-+ char opath[LXC_PROC_PID_FD_LEN];
-+
-+ /* Open the path with O_PATH which will not trigger an actual
-+ * open(). Don't report an errno to the caller to not leak
-+ * information whether the path exists or not.
-+ * When stracing setuid is stripped so this is not a concern
-+ * either.
-+ */
-+ netns_fd = open(args.pid, O_PATH | O_CLOEXEC);
- if (netns_fd < 0) {
-- usernic_error("Could not open \"%s\": %s\n", args.pid,
-- strerror(errno));
-+ usernic_error("Failed to open \"%s\"\n", args.pid);
-+ exit(EXIT_FAILURE);
-+ }
-+
-+ if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) {
-+ usernic_error("Path \"%s\" does not refer to a network namespace path\n", args.pid);
-+ close(netns_fd);
-+ exit(EXIT_FAILURE);
-+ }
-+
-+ ret = snprintf(opath, sizeof(opath), "/proc/self/fd/%d", netns_fd);
-+ if (ret < 0 || (size_t)ret >= sizeof(opath)) {
-+ close(netns_fd);
-+ exit(EXIT_FAILURE);
-+ }
-+
-+ /* Now get an fd that we can use in setns() calls. */
-+ ret = open(opath, O_RDONLY | O_CLOEXEC);
-+ if (ret < 0) {
-+ usernic_error("Failed to open \"%s\": %s\n", args.pid, strerror(errno));
-+ close(netns_fd);
- exit(EXIT_FAILURE);
- }
-+ close(netns_fd);
-+ netns_fd = ret;
- }
-
- if (!create_db_dir(LXC_USERNIC_DB)) {
-diff --git a/src/lxc/utils.c b/src/lxc/utils.c
-index 26f1b058..69d362dc 100644
---- a/src/lxc/utils.c
-+++ b/src/lxc/utils.c
-@@ -2548,6 +2548,18 @@ bool has_fs_type(const char *path, fs_type_magic magic_val)
- return has_type;
- }
-
-+bool fhas_fs_type(int fd, fs_type_magic magic_val)
-+{
-+ int ret;
-+ struct statfs sb;
-+
-+ ret = fstatfs(fd, &sb);
-+ if (ret < 0)
-+ return false;
-+
-+ return is_fs_type(&sb, magic_val);
-+}
-+
- bool lxc_nic_exists(char *nic)
- {
- #define __LXC_SYS_CLASS_NET_LEN 15 + IFNAMSIZ + 1
-diff --git a/src/lxc/utils.h b/src/lxc/utils.h
-index 7d672b77..fedc395b 100644
---- a/src/lxc/utils.h
-+++ b/src/lxc/utils.h
-@@ -95,6 +95,10 @@
- #define CGROUP2_SUPER_MAGIC 0x63677270
- #endif
-
-+#ifndef NSFS_MAGIC
-+#define NSFS_MAGIC 0x6e736673
-+#endif
-+
- /* Useful macros */
- /* Maximum number for 64 bit integer is a string with 21 digits: 2^64 - 1 = 21 */
- #define LXC_NUMSTRLEN64 21
-@@ -581,6 +585,7 @@ extern void *must_realloc(void *orig, size_t sz);
- /* __typeof__ should be safe to use with all compilers. */
- typedef __typeof__(((struct statfs *)NULL)->f_type) fs_type_magic;
- extern bool has_fs_type(const char *path, fs_type_magic magic_val);
-+extern bool fhas_fs_type(int fd, fs_type_magic magic_val);
- extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val);
- extern bool lxc_nic_exists(char *nic);
- extern int lxc_make_tmpfile(char *template, bool rm);
---
-2.17.1
-
+++ /dev/null
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-inherit autotools bash-completion-r1 linux-info flag-o-matic systemd readme.gentoo-r1 pam
-
-DESCRIPTION="LinuX Containers userspace utilities"
-HOMEPAGE="https://linuxcontainers.org/"
-SRC_URI="https://linuxcontainers.org/downloads/lxc/${P}.tar.gz"
-
-KEYWORDS="amd64 ~arm ~arm64 ~ppc64 x86"
-
-LICENSE="LGPL-3"
-SLOT="0"
-IUSE="examples pam python seccomp selinux +templates"
-
-RDEPEND="
- net-libs/gnutls
- sys-libs/libcap
- pam? ( virtual/pam )
- seccomp? ( sys-libs/libseccomp )
- selinux? ( sys-libs/libselinux )"
-
-DEPEND="${RDEPEND}
- >=app-text/docbook-sgml-utils-0.6.14-r2
- >=sys-kernel/linux-headers-3.2"
-
-RDEPEND="${RDEPEND}
- sys-apps/util-linux
- app-misc/pax-utils
- virtual/awk"
-
-PDEPEND="templates? ( app-emulation/lxc-templates )
- python? ( dev-python/python3-lxc )"
-
-CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE
- ~CPUSETS ~CGROUP_CPUACCT
- ~CGROUP_SCHED
-
- ~NAMESPACES
- ~IPC_NS ~USER_NS ~PID_NS
-
- ~CGROUP_FREEZER
- ~UTS_NS ~NET_NS
- ~VETH ~MACVLAN
-
- ~POSIX_MQUEUE
- ~!NETPRIO_CGROUP
-
- ~!GRKERNSEC_CHROOT_MOUNT
- ~!GRKERNSEC_CHROOT_DOUBLE
- ~!GRKERNSEC_CHROOT_PIVOT
- ~!GRKERNSEC_CHROOT_CHMOD
- ~!GRKERNSEC_CHROOT_CAPS
- ~!GRKERNSEC_PROC
- ~!GRKERNSEC_SYSFS_RESTRICT
-"
-
-ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES: needed for pts inside container"
-
-ERROR_CGROUP_FREEZER="CONFIG_CGROUP_FREEZER: needed to freeze containers"
-
-ERROR_UTS_NS="CONFIG_UTS_NS: needed to unshare hostnames and uname info"
-ERROR_NET_NS="CONFIG_NET_NS: needed for unshared network"
-
-ERROR_VETH="CONFIG_VETH: needed for internal (host-to-container) networking"
-ERROR_MACVLAN="CONFIG_MACVLAN: needed for internal (inter-container) networking"
-
-ERROR_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE: needed for lxc-execute command"
-
-ERROR_NETPRIO_CGROUP="CONFIG_NETPRIO_CGROUP: as of kernel 3.3 and lxc 0.8.0_rc1 this causes LXCs to fail booting."
-
-ERROR_GRKERNSEC_CHROOT_MOUNT="CONFIG_GRKERNSEC_CHROOT_MOUNT: some GRSEC features make LXC unusable see postinst notes"
-ERROR_GRKERNSEC_CHROOT_DOUBLE="CONFIG_GRKERNSEC_CHROOT_DOUBLE: some GRSEC features make LXC unusable see postinst notes"
-ERROR_GRKERNSEC_CHROOT_PIVOT="CONFIG_GRKERNSEC_CHROOT_PIVOT: some GRSEC features make LXC unusable see postinst notes"
-ERROR_GRKERNSEC_CHROOT_CHMOD="CONFIG_GRKERNSEC_CHROOT_CHMOD: some GRSEC features make LXC unusable see postinst notes"
-ERROR_GRKERNSEC_CHROOT_CAPS="CONFIG_GRKERNSEC_CHROOT_CAPS: some GRSEC features make LXC unusable see postinst notes"
-ERROR_GRKERNSEC_PROC="CONFIG_GRKERNSEC_PROC: this GRSEC feature is incompatible with unprivileged containers"
-ERROR_GRKERNSEC_SYSFS_RESTRICT="CONFIG_GRKERNSEC_SYSFS_RESTRICT: this GRSEC feature is incompatible with unprivileged containers"
-
-DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt)
-
-pkg_setup() {
- kernel_is -lt 4 7 && CONFIG_CHECK="${CONFIG_CHECK} ~DEVPTS_MULTIPLE_INSTANCES"
- linux-info_pkg_setup
-}
-
-src_prepare() {
- eapply "${FILESDIR}"/${PN}-3.0.0-bash-completion.patch
- #558854
- eapply "${FILESDIR}"/${PN}-2.0.5-omit-sysconfig.patch
- eapply "${FILESDIR}"/${PN}-3.0.1-cve-2018-6556.patch
- eapply_user
- eautoreconf
-}
-
-src_configure() {
- append-flags -fno-strict-aliasing
-
- # I am not sure about the --with-rootfs-path
- # /var/lib/lxc is probably more appropriate than
- # /usr/lib/lxc.
- # Note by holgersson: Why is apparmor disabled?
-
- # --enable-doc is for manpages which is why we don't link it to a "doc"
- # USE flag. We always want man pages.
- econf \
- --localstatedir=/var \
- --bindir=/usr/bin \
- --sbindir=/usr/bin \
- --with-config-path=/var/lib/lxc \
- --with-rootfs-path=/var/lib/lxc/rootfs \
- --with-distro=gentoo \
- --with-runtime-path=/run \
- --disable-apparmor \
- --disable-werror \
- --enable-doc \
- $(use_enable examples) \
- $(use_enable pam) \
- $(use_with pam pamdir $(getpam_mod_dir)) \
- $(use_enable seccomp) \
- $(use_enable selinux)
-}
-
-src_install() {
- default
-
- mv "${ED}"/usr/share/bash-completion/completions/${PN} "${ED}"/$(get_bashcompdir)/${PN}-start || die
- bashcomp_alias ${PN}-start \
- ${PN}-{attach,cgroup,copy,console,create,destroy,device,execute,freeze,info,monitor,snapshot,stop,unfreeze,wait}
-
- keepdir /etc/lxc /var/lib/lxc/rootfs /var/log/lxc
- rmdir "${D}"/var/cache/lxc "${D}"/var/cache || die "rmdir failed"
-
- find "${D}" -name '*.la' -delete
-
- # Gentoo-specific additions!
- newinitd "${FILESDIR}/${PN}.initd.7" ${PN}
-
- # Remember to compare our systemd unit file with the upstream one
- # config/init/systemd/lxc.service.in
- systemd_newunit "${FILESDIR}"/${PN}_at.service.4 "lxc@.service"
-
- DOC_CONTENTS="
- For openrc, there is an init script provided with the package.
- You _should_ only need to symlink /etc/init.d/lxc to
- /etc/init.d/lxc.configname to start the container defined in
- /etc/lxc/configname.conf.
-
- Correspondingly, for systemd a service file lxc@.service is installed.
- Enable and start lxc@configname in order to start the container defined
- in /etc/lxc/configname.conf.
-
- If you want checkpoint/restore functionality, please install criu
- (sys-process/criu)."
- DISABLE_AUTOFORMATTING=true
- readme.gentoo_create_doc
-}
-
-pkg_postinst() {
- readme.gentoo_print_elog
-}
projects / gentoo.git / commitdiff