From dde1c3d98c469fc092603209ff07560bb4d6a9d3 Mon Sep 17 00:00:00 2001 From: Paul Holzinger Date: Wed, 2 Oct 2024 11:24:01 +0200 Subject: [PATCH] vendor: update to latest c/common Includes a fix for CVE-2024-9341 Signed-off-by: Paul Holzinger --- go.mod | 2 +- go.sum | 4 +- .../containers/common/libimage/copier.go | 40 +++--- .../common/pkg/capabilities/capabilities.go | 115 +++++++++--------- .../common/pkg/config/containers.conf | 4 + .../common/pkg/config/containers.conf-freebsd | 2 + .../common/pkg/subscriptions/subscriptions.go | 6 +- vendor/modules.txt | 2 +- 8 files changed, 89 insertions(+), 86 deletions(-) diff --git a/go.mod b/go.mod index c7bcaadf9e..148f7afd7e 100644 --- a/go.mod +++ b/go.mod @@ -13,7 +13,7 @@ require ( github.com/checkpoint-restore/go-criu/v7 v7.2.0 github.com/containernetworking/plugins v1.5.1 github.com/containers/buildah v1.37.0 - github.com/containers/common v0.60.1-0.20240920125326-ff6611ae40ad + github.com/containers/common v0.60.1-0.20241001171026-c3edf18f3339 github.com/containers/conmon v2.0.20+incompatible github.com/containers/gvisor-tap-vsock v0.7.5 github.com/containers/image/v5 v5.32.3-0.20240923171149-9e1153a28c46 diff --git a/go.sum b/go.sum index 491b79f0ed..64a61edd9d 100644 --- a/go.sum +++ b/go.sum @@ -81,8 +81,8 @@ github.com/containernetworking/plugins v1.5.1 h1:T5ji+LPYjjgW0QM+KyrigZbLsZ8jaX+ github.com/containernetworking/plugins v1.5.1/go.mod h1:MIQfgMayGuHYs0XdNudf31cLLAC+i242hNm6KuDGqCM= github.com/containers/buildah v1.37.0 h1:jvHwu1vIwIqnHyOSg9eef9Apdpry+5oWLrm43gdf8Rk= github.com/containers/buildah v1.37.0/go.mod h1:MKd79tkluMf6vtH06SedhBQK5OB7E0pFVIuiTTw3dJk= -github.com/containers/common v0.60.1-0.20240920125326-ff6611ae40ad h1:Ida4yFcnk+xGPynWR267zGGUddWTfpAVMSzo6PhjPFQ= -github.com/containers/common v0.60.1-0.20240920125326-ff6611ae40ad/go.mod h1:UjxkwBehRqlASg/duCPlXbsc2hu5y+iYwUt+8/N4w+8= +github.com/containers/common v0.60.1-0.20241001171026-c3edf18f3339 h1:VjK9wBKZTbmZqZ0qW2QlbW81xOu8YxXecek5MUSLGKc= +github.com/containers/common v0.60.1-0.20241001171026-c3edf18f3339/go.mod h1:vuBEtzP83Fa7mgk0BJdHF2BDfFRfNayeYyVHRJw8hSM= github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg= github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I= github.com/containers/gvisor-tap-vsock v0.7.5 h1:bTy4u3DOmmUPwurL6me2rsgfypAFDhyeJleUcQmBR/E= diff --git a/vendor/github.com/containers/common/libimage/copier.go b/vendor/github.com/containers/common/libimage/copier.go index 5151343ed6..b2cd6cedb3 100644 --- a/vendor/github.com/containers/common/libimage/copier.go +++ b/vendor/github.com/containers/common/libimage/copier.go @@ -160,8 +160,8 @@ type CopyOptions struct { extendTimeoutSocket string } -// copier is an internal helper to conveniently copy images. -type copier struct { +// Copier is a helper to conveniently copy images. +type Copier struct { extendTimeoutSocket string imageCopyOptions copy.Options retryOptions retry.Options @@ -172,6 +172,13 @@ type copier struct { destinationLookup LookupReferenceFunc } +// newCopier creates a Copier based on a runtime's system context. +// Note that fields in options *may* overwrite the counterparts of +// the specified system context. Please make sure to call `(*Copier).Close()`. +func (r *Runtime) newCopier(options *CopyOptions) (*Copier, error) { + return NewCopier(options, r.SystemContext()) +} + // storageAllowedPolicyScopes overrides the policy for local storage // to ensure that we can read images from it. var storageAllowedPolicyScopes = signature.PolicyTransportScopes{ @@ -213,17 +220,14 @@ func getDockerAuthConfig(name, passwd, creds, idToken string) (*types.DockerAuth } } -// NewCopier is a simple, exported wrapper for newCopier -func NewCopier(options *CopyOptions, sc *types.SystemContext) (*copier, error) { - return newCopier(options, sc) -} +// NewCopier creates a Copier based on a provided system context. +// Note that fields in options *may* overwrite the counterparts of +// the specified system context. Please make sure to call `(*Copier).Close()`. +func NewCopier(options *CopyOptions, sc *types.SystemContext) (*Copier, error) { + c := Copier{extendTimeoutSocket: options.extendTimeoutSocket} + sysContextCopy := *sc + c.systemContext = &sysContextCopy -// newCopier creates a copier. Note that fields in options *may* overwrite the -// counterparts of the specified system context. Please make sure to call -// `(*copier).close()`. -func newCopier(options *CopyOptions, sc *types.SystemContext) (*copier, error) { - c := copier{extendTimeoutSocket: options.extendTimeoutSocket} - c.systemContext = sc if options.SourceLookupReferenceFunc != nil { c.sourceLookup = options.SourceLookupReferenceFunc } @@ -337,22 +341,14 @@ func newCopier(options *CopyOptions, sc *types.SystemContext) (*copier, error) { return &c, nil } -// newCopier creates a copier. Note that fields in options *may* overwrite the -// counterparts of the specified system context. Please make sure to call -// `(*copier).close()`. -func (r *Runtime) newCopier(options *CopyOptions) (*copier, error) { - sc := r.systemContextCopy() - return newCopier(options, sc) -} - // Close open resources. -func (c *copier) Close() error { +func (c *Copier) Close() error { return c.policyContext.Destroy() } // Copy the source to the destination. Returns the bytes of the copied // manifest which may be used for digest computation. -func (c *copier) Copy(ctx context.Context, source, destination types.ImageReference) ([]byte, error) { +func (c *Copier) Copy(ctx context.Context, source, destination types.ImageReference) ([]byte, error) { logrus.Debugf("Copying source image %s to destination image %s", source.StringWithinTransport(), destination.StringWithinTransport()) // Avoid running out of time when running inside a systemd unit by diff --git a/vendor/github.com/containers/common/pkg/capabilities/capabilities.go b/vendor/github.com/containers/common/pkg/capabilities/capabilities.go index 43fd2c1b58..371fbba9a1 100644 --- a/vendor/github.com/containers/common/pkg/capabilities/capabilities.go +++ b/vendor/github.com/containers/common/pkg/capabilities/capabilities.go @@ -9,20 +9,13 @@ import ( "errors" "fmt" "slices" - "sort" "strings" "sync" - "github.com/syndtr/gocapability/capability" + "github.com/moby/sys/capability" ) var ( - // Used internally and populated during init(). - capabilityList []string - - // Used internally and populated during init(). - capsList []capability.Cap - // ErrUnknownCapability is thrown when an unknown capability is processed. ErrUnknownCapability = errors.New("unknown capability") @@ -35,67 +28,67 @@ var ( // Useful on the CLI for `--cap-add=all` etc. const All = "ALL" -func getCapName(c capability.Cap) string { +func capName(c capability.Cap) string { return "CAP_" + strings.ToUpper(c.String()) } -func init() { - last := capability.CAP_LAST_CAP - // hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap - if last == capability.Cap(63) { - last = capability.CAP_BLOCK_SUSPEND +// capStrList returns all capabilities supported by the currently running kernel, +// or an error if the list can not be obtained. +var capStrList = sync.OnceValues(func() ([]string, error) { + list, err := capability.ListSupported() + if err != nil { + return nil, err } - for _, cap := range capability.List() { - if cap > last { - continue - } - capsList = append(capsList, cap) - capabilityList = append(capabilityList, getCapName(cap)) - sort.Strings(capabilityList) + caps := make([]string, len(list)) + for i, c := range list { + caps[i] = capName(c) } -} - -var ( - boundingSetOnce sync.Once - boundingSetRet []string - boundingSetErr error -) + slices.Sort(caps) + return caps, nil +}) -// BoundingSet returns the capabilities in the current bounding set +// BoundingSet returns the capabilities in the current bounding set. func BoundingSet() ([]string, error) { - boundingSetOnce.Do(func() { - currentCaps, err := capability.NewPid2(0) - if err != nil { - boundingSetErr = err - return - } - err = currentCaps.Load() - if err != nil { - boundingSetErr = err - return - } - var r []string - for _, c := range capsList { - if !currentCaps.Get(capability.BOUNDING, c) { - continue - } - r = append(r, getCapName(c)) - } - boundingSetRet = r - sort.Strings(boundingSetRet) - boundingSetErr = err - }) - return boundingSetRet, boundingSetErr + return boundingSet() } -// AllCapabilities returns all known capabilities. +var boundingSet = sync.OnceValues(func() ([]string, error) { + currentCaps, err := capability.NewPid2(0) + if err != nil { + return nil, err + } + err = currentCaps.Load() + if err != nil { + return nil, err + } + list, err := capability.ListSupported() + if err != nil { + return nil, err + } + var r []string + for _, c := range list { + if !currentCaps.Get(capability.BOUNDING, c) { + continue + } + r = append(r, capName(c)) + } + slices.Sort(r) + return r, nil +}) + +// AllCapabilities returns all capabilities supported by the running kernel. func AllCapabilities() []string { - return capabilityList + list, _ := capStrList() + return list } // NormalizeCapabilities normalizes caps by adding a "CAP_" prefix (if not yet // present). func NormalizeCapabilities(caps []string) ([]string, error) { + all, err := capStrList() + if err != nil { + return nil, err + } normalized := make([]string, 0, len(caps)) for _, c := range caps { c = strings.ToUpper(c) @@ -106,19 +99,23 @@ func NormalizeCapabilities(caps []string) ([]string, error) { if !strings.HasPrefix(c, "CAP_") { c = "CAP_" + c } - if !slices.Contains(capabilityList, c) { + if !slices.Contains(all, c) { return nil, fmt.Errorf("%q: %w", c, ErrUnknownCapability) } normalized = append(normalized, c) } - sort.Strings(normalized) + slices.Sort(normalized) return normalized, nil } // ValidateCapabilities validates if caps only contains valid capabilities. func ValidateCapabilities(caps []string) error { + all, err := capStrList() + if err != nil { + return err + } for _, c := range caps { - if !slices.Contains(capabilityList, c) { + if !slices.Contains(all, c) { return fmt.Errorf("%q: %w", c, ErrUnknownCapability) } } @@ -155,7 +152,7 @@ func MergeCapabilities(base, adds, drops []string) ([]string, error) { return nil, errors.New("adding all caps and removing all caps not allowed") } // "Drop" all capabilities; return what's in capAdd instead - sort.Strings(capAdd) + slices.Sort(capAdd) return capAdd, nil } @@ -195,6 +192,6 @@ func MergeCapabilities(base, adds, drops []string) ([]string, error) { } caps = append(caps, cap) } - sort.Strings(caps) + slices.Sort(caps) return caps, nil } diff --git a/vendor/github.com/containers/common/pkg/config/containers.conf b/vendor/github.com/containers/common/pkg/config/containers.conf index c00efecbb3..7f09549315 100644 --- a/vendor/github.com/containers/common/pkg/config/containers.conf +++ b/vendor/github.com/containers/common/pkg/config/containers.conf @@ -416,6 +416,8 @@ default_sysctls = [ #List of compression algorithms. If set makes sure that requested compression variant #for each platform is added to the manifest list keeping original instance intact in #the same manifest list on every `manifest push`. Supported values are (`gzip`, `zstd` and `zstd:chunked`). +#`zstd:chunked` is incompatible with encrypting images, and will be treated as `zstd` with a warning +#in that case. # #add_compression = ["gzip", "zstd", "zstd:chunked"] @@ -438,6 +440,8 @@ default_sysctls = [ # This field is ignored when pushing images to the docker-daemon and # docker-archive formats. It is also ignored when the manifest format is set # to v2s2. +# `zstd:chunked` is incompatible with encrypting images, and will be treated as `zstd` with a warning +# in that case. # #compression_format = "gzip" diff --git a/vendor/github.com/containers/common/pkg/config/containers.conf-freebsd b/vendor/github.com/containers/common/pkg/config/containers.conf-freebsd index 21753f4f25..894153ed33 100644 --- a/vendor/github.com/containers/common/pkg/config/containers.conf-freebsd +++ b/vendor/github.com/containers/common/pkg/config/containers.conf-freebsd @@ -326,6 +326,8 @@ default_sysctls = [ # The compression format to use when pushing an image. # Valid options are: `gzip`, `zstd` and `zstd:chunked`. +# `zstd:chunked` is incompatible with encrypting images, and will be treated as `zstd` with a warning +# in that case. # #compression_format = "gzip" diff --git a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go index ded66365bb..a6538ffb90 100644 --- a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go +++ b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go @@ -11,6 +11,7 @@ import ( "github.com/containers/common/pkg/umask" "github.com/containers/storage/pkg/fileutils" "github.com/containers/storage/pkg/idtools" + securejoin "github.com/cyphar/filepath-securejoin" rspec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/selinux/go-selinux/label" "github.com/sirupsen/logrus" @@ -346,7 +347,10 @@ func addFIPSModeSubscription(mounts *[]rspec.Mount, containerRunDir, mountPoint, srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS" destDir := "/etc/crypto-policies/back-ends" - srcOnHost := filepath.Join(mountPoint, srcBackendDir) + srcOnHost, err := securejoin.SecureJoin(mountPoint, srcBackendDir) + if err != nil { + return fmt.Errorf("resolve %s in the container: %w", srcBackendDir, err) + } if err := fileutils.Exists(srcOnHost); err != nil { if errors.Is(err, os.ErrNotExist) { return nil diff --git a/vendor/modules.txt b/vendor/modules.txt index 66f8a14687..c5ac16ca4f 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -171,7 +171,7 @@ github.com/containers/buildah/pkg/sshagent github.com/containers/buildah/pkg/util github.com/containers/buildah/pkg/volumes github.com/containers/buildah/util -# github.com/containers/common v0.60.1-0.20240920125326-ff6611ae40ad +# github.com/containers/common v0.60.1-0.20241001171026-c3edf18f3339 ## explicit; go 1.22.0 github.com/containers/common/internal github.com/containers/common/internal/attributedstring