runc: updated to version 2b18fe1

runc/.signature

@@ -1,7 +1,6 @@
 untrusted comment: verify with /etc/ports/contrib.pub
-RWSagIOpLGJF34MdvU/RaYEsNKz1flNyFoNCaBDhZXX/lme4RNZNOWf3G/LDwkXpfkTIZkD2nhkuDOcMI8qTHFcx1rMviAVjwwM=
-SHA256 (Pkgfile) = 13bf9f471802924b68028d1bee0424944ea79a3a428b5aca4a590995307523e7
+RWSagIOpLGJF35eA3b3MAbVIYqDvqWE1WT07WANLscwpmK89QxqG0KeCIbVRxYRAz1KaG556VOPy4vd8kn6I66FqQgVITEwvxww=
+SHA256 (Pkgfile) = 0aaa52b09c65852e5c03862d3c3b2225a4624f5940f7ec9cd1dac697dd1c8799
 SHA256 (.footprint) = f033b7c8e0449cbdaee2cceaebd87cad55400663407bf395f8ed5c22db96c300
-SHA256 (runc-96ec217.tar.xz) = 4b0f7fdad9e4ed743cc8fdff97683b92e3338a49e036ba653c0ebdd037360b3a
-SHA256 (runc-man-pages-96ec217.tar.xz) = 71ba39bb01780056d3272641ed4187ef54a5bdbdb64e51e4aeb63f95a7ebad57
-SHA256 (0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch) = 61857fc05e149aecb517b8c59518c866b25ac2ca79707f1daf4a233859fa9859
+SHA256 (runc-2b18fe1.tar.xz) = c6d3b0e231ca003758010fcf636fdaea2460da9f3221b859744769e93c3052f9
+SHA256 (runc-man-pages-2b18fe1.tar.xz) = d4e635faff6a6b3b915baa4c02be32c1949e2d54221d6bf1c244c7eca3e787d5

runc/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch

@@ -1,303 +0,0 @@
-From 604a8f8120ef128c0a5bc778e71909eeb0906842 Mon Sep 17 00:00:00 2001
-From: Aleksa Sarai <asarai () suse de>
-Date: Wed, 9 Jan 2019 13:40:01 +1100
-Subject: [PATCH] nsenter: clone /proc/self/exe to avoid exposing host binary
- to container
-
-There are quite a few circumstances where /proc/self/exe pointing to a
-pretty important container binary is a _bad_ thing, so to avoid this we
-have to make a copy (preferably doing self-clean-up and not being
-writeable).
-
-As a hotfix we require memfd_create(2), but we can always extend this to
-use a scratch MNT_DETACH overlayfs or tmpfs. The main downside to this
-approach is no page-cache sharing for the runc binary (which overlayfs
-would give us) but this is far less complicated.
-
-This is only done during nsenter so that it happens transparently to the
-Go code, and any libcontainer users benefit from it. This also makes
-ExtraFiles and --preserve-fds handling trivial (because we don't need to
-worry about it).
-
-Fixes: CVE-2019-5736
-Signed-off-by: Aleksa Sarai <asarai () suse de>
----
- libcontainer/nsenter/cloned_binary.c | 236 +++++++++++++++++++++++++++
- libcontainer/nsenter/nsexec.c        |  11 ++
- 2 files changed, 247 insertions(+)
- create mode 100644 libcontainer/nsenter/cloned_binary.c
-
-diff --git a/libcontainer/nsenter/cloned_binary.c b/libcontainer/nsenter/cloned_binary.c
-new file mode 100644
-index 000000000000..ec383c173dd2
---- /dev/null
-+++ b/libcontainer/nsenter/cloned_binary.c
-@@ -0,0 +1,236 @@
-+#define _GNU_SOURCE
-+#include <unistd.h>
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <stdbool.h>
-+#include <string.h>
-+#include <limits.h>
-+#include <fcntl.h>
-+
-+#include <sys/types.h>
-+#include <sys/stat.h>
-+#include <sys/vfs.h>
-+#include <sys/mman.h>
-+#include <sys/sendfile.h>
-+#include <sys/syscall.h>
-+
-+#include <linux/magic.h>
-+#include <linux/memfd.h>
-+
-+#define MEMFD_COMMENT "runc_cloned:/proc/self/exe"
-+#define MEMFD_LNKNAME "/memfd:" MEMFD_COMMENT " (deleted)"
-+
-+/* Use our own wrapper for memfd_create. */
-+#if !defined(SYS_memfd_create) && defined(__NR_memfd_create)
-+#  define SYS_memfd_create __NR_memfd_create
-+#endif
-+#ifndef SYS_memfd_create
-+#  error "memfd_create(2) syscall not supported by this glibc version"
-+#endif
-+int memfd_create(const char *name, unsigned int flags)
-+{
-+	return syscall(SYS_memfd_create, name, flags);
-+}
-+
-+/* This comes directly from <linux/fcntl.h>. */
-+#ifndef F_LINUX_SPECIFIC_BASE
-+# define F_LINUX_SPECIFIC_BASE 1024
-+#endif
-+#ifndef F_ADD_SEALS
-+# define F_ADD_SEALS (F_LINUX_SPECIFIC_BASE + 9)
-+# define F_GET_SEALS (F_LINUX_SPECIFIC_BASE + 10)
-+#endif
-+#ifndef F_SEAL_SEAL
-+# define F_SEAL_SEAL   0x0001	/* prevent further seals from being set */
-+# define F_SEAL_SHRINK 0x0002	/* prevent file from shrinking */
-+# define F_SEAL_GROW   0x0004	/* prevent file from growing */
-+# define F_SEAL_WRITE  0x0008	/* prevent writes */
-+#endif
-+
-+/*
-+ * Verify whether we are currently in a self-cloned program. It's not really
-+ * possible to trivially identify a memfd compared to a regular tmpfs file, so
-+ * the best we can do is to check whether the readlink(2) looks okay and that
-+ * it is on a tmpfs.
-+ */
-+static int is_self_cloned(void)
-+{
-+	struct statfs statfsbuf = {0};
-+	char linkname[PATH_MAX + 1] = {0};
-+
-+	if (statfs("/proc/self/exe", &statfsbuf) < 0)
-+		return -1;
-+	if (readlink("/proc/self/exe", linkname, PATH_MAX) < 0)
-+		return -1;
-+
-+	return statfsbuf.f_type == TMPFS_MAGIC &&
-+		!strncmp(linkname, MEMFD_LNKNAME, PATH_MAX);
-+}
-+
-+/*
-+ * Basic wrapper around mmap(2) that gives you the file length so you can
-+ * safely treat it as an ordinary buffer. Only gives you read access.
-+ */
-+static char *read_file(char *path, size_t *length)
-+{
-+	int fd;
-+	char buf[4096], *copy = NULL;
-+
-+	if (!length)
-+		goto err;
-+	*length = 0;
-+
-+	fd = open(path, O_RDONLY|O_CLOEXEC);
-+	if (fd < 0)
-+		goto err_free;
-+
-+	for (;;) {
-+		int n;
-+		char *old = copy;
-+
-+		n = read(fd, buf, sizeof(buf));
-+		if (n < 0)
-+			goto err_fd;
-+		if (!n)
-+			break;
-+
-+		do {
-+			copy = realloc(old, (*length + n) * sizeof(*old));
-+		} while(!copy);
-+
-+		memcpy(copy + *length, buf, n);
-+		*length += n;
-+	}
-+	close(fd);
-+	return copy;
-+
-+err_fd:
-+	close(fd);
-+err_free:
-+	free(copy);
-+err:
-+	return NULL;
-+}
-+
-+/*
-+ * A poor-man's version of "xargs -0". Basically parses a given block of
-+ * NUL-delimited data, within the given length and adds a pointer to each entry
-+ * to the array of pointers.
-+ */
-+static int parse_xargs(char *data, int data_length, char ***output)
-+{
-+	int num = 0;
-+	char *cur = data;
-+
-+	if (!data || *output)
-+		return -1;
-+
-+	do {
-+		*output = malloc(sizeof(**output));
-+	} while (!*output);
-+
-+	while (cur < data + data_length) {
-+		char **old = *output;
-+
-+		num++;
-+		do {
-+			*output = realloc(old, (num + 1) * sizeof(*old));
-+		} while (!*output);
-+
-+		(*output)[num - 1] = cur;
-+		cur += strlen(cur) + 1;
-+	}
-+	(*output)[num] = NULL;
-+	return num;
-+}
-+
-+/*
-+ * "Parse" out argv and envp from /proc/self/cmdline and /proc/self/environ.
-+ * This is necessary because we are running in a context where we don't have a
-+ * main() that we can just get the arguments from.
-+ */
-+static int fetchve(char ***argv, char ***envp)
-+{
-+	char *cmdline, *environ;
-+	size_t cmdline_size, environ_size;
-+
-+	cmdline = read_file("/proc/self/cmdline", &cmdline_size);
-+	if (!cmdline)
-+		goto err;
-+	environ = read_file("/proc/self/environ", &environ_size);
-+	if (!environ)
-+		goto err_free;
-+
-+	if (parse_xargs(cmdline, cmdline_size, argv) <= 0)
-+		goto err_free_both;
-+	if (parse_xargs(environ, environ_size, envp) <= 0)
-+		goto err_free_both;
-+
-+	return 0;
-+
-+err_free_both:
-+	free(environ);
-+err_free:
-+	free(cmdline);
-+err:
-+	return -1;
-+}
-+
-+static int clone_binary(void)
-+{
-+	int binfd, memfd, err;
-+	ssize_t sent = 0;
-+	struct stat statbuf = {0};
-+
-+	binfd = open("/proc/self/exe", O_RDONLY|O_CLOEXEC);
-+	if (binfd < 0)
-+		goto err;
-+	if (fstat(binfd, &statbuf) < 0)
-+		goto err_binfd;
-+
-+	memfd = memfd_create(MEMFD_COMMENT, MFD_CLOEXEC|MFD_ALLOW_SEALING);
-+	if (memfd < 0)
-+		goto err_binfd;
-+
-+	while (sent < statbuf.st_size) {
-+		ssize_t n = sendfile(memfd, binfd, NULL, statbuf.st_size - sent);
-+		if (n < 0)
-+			goto err_memfd;
-+		sent += n;
-+	}
-+
-+	err = fcntl(memfd, F_ADD_SEALS, F_SEAL_SHRINK|F_SEAL_GROW|F_SEAL_WRITE|F_SEAL_SEAL);
-+	if (err < 0)
-+		goto err_memfd;
-+
-+	close(binfd);
-+	return memfd;
-+
-+err_memfd:
-+	close(memfd);
-+err_binfd:
-+	close(binfd);
-+err:
-+	return -1;
-+}
-+
-+int ensure_cloned_binary(void)
-+{
-+	int execfd;
-+	char **argv = NULL, **envp = NULL;
-+
-+	/* Check that we're not self-cloned, and if we are then bail. */
-+	int cloned = is_self_cloned();
-+	if (cloned != 0)
-+		return cloned;
-+
-+	if (fetchve(&argv, &envp) < 0)
-+		return -1;
-+
-+	execfd = clone_binary();
-+	if (execfd < 0)
-+		return -1;
-+
-+	fexecve(execfd, argv, envp);
-+	return -1;
-+}
-diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
-index 28269dfc027f..4fdfec1b7b89 100644
---- a/libcontainer/nsenter/nsexec.c
-+++ b/libcontainer/nsenter/nsexec.c
-@@ -534,6 +534,9 @@ void join_namespaces(char *nslist)
- 	free(namespaces);
- }
- 
-+/* Defined in cloned_binary.c. */
-+int ensure_cloned_binary(void);
-+
- void nsexec(void)
- {
- 	int pipenum;
-@@ -549,6 +552,14 @@ void nsexec(void)
- 	if (pipenum == -1)
- 		return;
- 
-+	/*
-+	 * We need to re-exec if we are not in a cloned binary. This is necessary
-+	 * to ensure that containers won't be able to access the host binary
-+	 * through /proc/self/exe. See CVE-2019-5736.
-+	 */
-+	if (ensure_cloned_binary() < 0)
-+		bail("could not ensure we are a cloned binary");
-+
- 	/* Parse all of the netlink configuration. */
- 	nl_parse(pipenum, &config);
- 
--- 
-2.20.1
-

runc/Pkgfile

@@ -4,22 +4,20 @@
 # Depends on: go libseccomp git
 
 name=runc
-version=96ec217
+version=2b18fe1
 release=2
 source=(http://jaeger.morpheus.net/linux/crux/files/$name-$version.tar.xz \
-    http://jaeger.morpheus.net/linux/crux/files/$name-man-pages-$version.tar.xz \
-    0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch)
+    http://jaeger.morpheus.net/linux/crux/files/$name-man-pages-$version.tar.xz)
 
 build() {
     mkdir -pv src/github.com/opencontainers
     cd src/github.com/opencontainers
     ln -sf $SRC/$name-$version $name
     cd $name
-    patch -p1 -i $SRC/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch
     export GOPATH=$SRC
     export BUILDTAGS="seccomp"
     # use the long commit hash here
-    make COMMIT=96ec2177ae841256168fcf76954f7177af9446eb
+    make COMMIT=2b18fe1d885ee5083ef9f0838fee39b62d653e30
 
     install -D -m 0755 $name $PKG/usr/bin/$name
     install -d -m 0755 $PKG/usr/share/man/man8