cri-o/backport-CVE-2022-2995.patch


From db3b399a8d7dabf7f073db73894bee98311d7909 Mon Sep 17 00:00:00 2001
From: Peter Hunt~ <pehunt@redhat.com>
Date: Mon, 22 Aug 2022 15:10:05 -0400
Subject: [PATCH] server: add container GID to additional groups
Signed-off-by: Peter Hunt~ <pehunt@redhat.com>
---
server/container_create.go | 5 +++--
test/ctr.bats | 12 ++++++++++++
2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/server/container_create.go b/server/container_create.go
index 1acfa182133..80867de29fc 100644
--- a/server/container_create.go
+++ b/server/container_create.go
@@ -249,10 +249,11 @@ func setupContainerUser(ctx context.Context, specgen *generate.Generator, rootfs
}
specgen.SetProcessUID(uid)
- specgen.SetProcessGID(gid)
if sc.RunAsGroup != nil {
- specgen.SetProcessGID(uint32(sc.RunAsGroup.Value))
+ gid = uint32(sc.RunAsGroup.Value)
}
+ specgen.SetProcessGID(gid)
+ specgen.AddProcessAdditionalGid(gid)
for _, group := range addGroups {
specgen.AddProcessAdditionalGid(group)
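Review bot: The new `specgen.AddProcessAdditionalGid(gid)` line carries no comment saying why the primary GID is also placed in the supplementary list, and nothing in the function ties it to the `addGroups` loop right below it. A comment such as `// Also list the primary GID in AdditionalGids so it appears in the process's supplementary groups (see the "ctr has gid in supplimental groups" test; CVE-2022-2995 backport).` above that line would keep the intent next to the code. If `AddProcessAdditionalGid` does not deduplicate, a gid that also appears in `addGroups` would be listed twice; this is presumably handled by the generator, but worth confirming rather than assuming here. The bats test added alongside covers only the `RunAsGroup` branch; the path where `sc.RunAsGroup` is nil and `gid` comes from the image user is not exercised. setupContainerUser starts above this hunk and continues below it.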
diff --git a/test/ctr.bats b/test/ctr.bats
index 82fed4f883f..801f26c55db 100644
--- a/test/ctr.bats
+++ b/test/ctr.bats
@@ -885,6 +885,18 @@ function check_oci_annotation() {
crictl exec --sync "$ctr_id" grep "CapEff:\s0000000000000000" /proc/1/status
}
+@test "ctr has gid in supplimental groups" {
+ start_crio
+
+ jq ' .linux.security_context.run_as_user.value = 1000
+ | .linux.security_context.run_as_group.value = 1000' \
+ "$TESTDATA"/container_redis.json > "$newconfig"
+
+ ctr_id=$(crictl run "$newconfig" "$TESTDATA"/sandbox_config.json)
+
+ crictl exec --sync "$ctr_id" grep Groups:.1000 /proc/1/status
+}
+
@test "ctr with low memory configured should not be created" {
start_crio
pod_id=$(crictl runp "$TESTDATA"/sandbox_config.json)