remove process inheritable capabilities
Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com> (cherry picked from commit f10a758ebd8f96de1f6a5f578f69907291a3f8c1)
This commit is contained in:
parent
3ca9f4e98c
commit
7bcfe31bee
@ -12,7 +12,7 @@ diff --git a/src/lxc/syscall_numbers.h b/src/lxc/syscall_numbers.h
|
||||
index bfd0e57..803eab7 100644
|
||||
--- a/src/lxc/syscall_numbers.h
|
||||
+++ b/src/lxc/syscall_numbers.h
|
||||
@@ -377,6 +377,8 @@
|
||||
@@ -357,6 +357,8 @@
|
||||
#ifndef __NR_pidfd_send_signal
|
||||
#if defined __alpha__
|
||||
#define __NR_pidfd_send_signal 534
|
||||
|
||||
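--- /dev/null
+++ b/0059-remove-process-inheritable-capability.patch
@@ -0,0 +1,27 @@
+From 581c6ae008a3ff1f36f00572371326b0d86efd9c Mon Sep 17 00:00:00 2001
+From: zhangxiaoyu <zhangxiaoyu58@huawei.com>
+Date: Tue, 21 Feb 2023 10:38:45 +0800
+Subject: [PATCH] remove process inheritable capability
+
+Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
+---
+src/lxc/conf.c | 3 ++-
+1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/lxc/conf.c b/src/lxc/conf.c
+index 7f98811..19cf5e3 100644
+--- a/src/lxc/conf.c
++++ b/src/lxc/conf.c
+@@ -5284,7 +5284,8 @@ int lxc_drop_caps(struct lxc_conf *conf)
+if (caplist[i]) {
+cap_data[CAP_TO_INDEX(i)].effective = cap_data[CAP_TO_INDEX(i)].effective | (i > 31 ? __DEF_CAP_TO_MASK(i % 32) : __DEF_CAP_TO_MASK(i));
+cap_data[CAP_TO_INDEX(i)].permitted = cap_data[CAP_TO_INDEX(i)].permitted | (i > 31 ? __DEF_CAP_TO_MASK(i % 32) : __DEF_CAP_TO_MASK(i));
+- cap_data[CAP_TO_INDEX(i)].inheritable = cap_data[CAP_TO_INDEX(i)].inheritable | (i > 31 ? __DEF_CAP_TO_MASK(i % 32) : __DEF_CAP_TO_MASK(i));
++ // fix CVE-2022-24769
++ // inheritable capability should be empty
+}
+}
+
+--
+2.25.1
+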
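Review bot: Removing the `inheritable` assignment in the lxc_drop_caps hunk only stops this loop from adding bits; whether the inheritable set actually ends up empty depends on `cap_data` being zero-initialised before the loop, which is outside the hunk and cannot be confirmed from this page — if it is not, clear the inheritable words explicitly before the loop rather than relying on leftover state. The two added comments read as a changelog entry; a comment at that spot should state the invariant the code now relies on, e.g. `/* Leave the inheritable set empty (CVE-2022-24769): capabilities are granted through effective/permitted only. */`. The body of lxc_drop_caps starts and ends outside the hunk.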
@ -1,3 +1,4 @@
|
||||
#!/bin/bash
|
||||
#######################################################################
|
||||
##- @Copyright (C) Huawei Technologies., Ltd. 2019. All rights reserved.
|
||||
# - lcr licensed under the Mulan PSL v2.
|
||||
@ -12,19 +13,21 @@
|
||||
##- @Author: lifeng
|
||||
##- @Create: 2019-04-25
|
||||
#######################################################################
|
||||
#!/bin/bash
|
||||
|
||||
set -ex
|
||||
|
||||
pkg=lxc-4.0.3
|
||||
dir_name=$(tar -tzf *.tar.gz | head -1 | cut -f1 -d"/")
|
||||
if [ -e $dir_name ]; then
|
||||
echo "directory $dir_name exist, please remove it"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
tar -xzvf $dir_name.tar.gz
|
||||
|
||||
cwd=$PWD
|
||||
src=$cwd/lxc-4.0.3
|
||||
cd $cwd/$dir_name
|
||||
|
||||
tar -xzvf $pkg.tar.gz
|
||||
|
||||
cd $src
|
||||
|
||||
cat $cwd/series.conf | while read line
|
||||
grep -E "Patch[0-9]{4}:\s*[0-9]{4}-.*\.patch" $cwd/lxc.spec | awk '{print $2}' | while read line
|
||||
do
|
||||
if [[ $line == '' || $line =~ ^\s*# ]]; then
|
||||
continue
|
||||
@ -33,4 +36,12 @@ do
|
||||
patch -p1 -F1 -s < $cwd/$line
|
||||
done
|
||||
|
||||
git init .
|
||||
git add .
|
||||
git config --local user.name "isuladci"
|
||||
git config --local user.email "isulad@ci.com"
|
||||
git commit -m "init repo"
|
||||
git config --local --unset user.name
|
||||
git config --local --unset user.email
|
||||
|
||||
cd $cwd
|
||||
|
||||
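Review bot: The spec scan `grep -E "Patch[0-9]{4}:\s*[0-9]{4}-.*\.patch" $cwd/lxc.spec | awk '{print $2}'` is not anchored to the start of the line, so a patch entry disabled by commenting it out (`#Patch00NN: ...`) would still be applied, and the loop's later `^\s*#` check no longer catches it because awk has already stripped the tag. Anchoring and quoting the path closes that gap: `grep -E "^Patch[0-9]{4}:\s*[0-9]{4}-.*\.patch" "$cwd/lxc.spec" | awk '{print $2}' | while read line`. Which of the two loop headers survives on the new side is not marked on this page; I am assuming the lxc.spec one is new because series.conf is deleted by this commit.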
9
lxc.spec
9
lxc.spec
@ -1,4 +1,4 @@
|
||||
%global _release 2022102410
|
||||
%global _release 2022102411
|
||||
|
||||
Name: lxc
|
||||
Version: 4.0.3
|
||||
@ -66,6 +66,7 @@ Patch0055: 0055-add-sscanf-adapation-code-for-musl.patch
|
||||
Patch0056: 0056-fix-cve-CVE-2022-47952-log-leaks-root-information.patch
|
||||
Patch0057: 0057-fix-lxc-write-error-message.patch
|
||||
Patch0058: 0058-add-loongarch64-support-for-lxc.patch
|
||||
Patch0059: 0059-remove-process-inheritable-capability.patch
|
||||
|
||||
BuildRequires: systemd-units git libtool graphviz docbook2X doxygen chrpath
|
||||
BuildRequires: pkgconfig(libseccomp)
|
||||
@ -246,6 +247,12 @@ make check
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Feb 21 2023 zhangxiaoyu<zhangxiaoyu58@huawei.com> - 4.0.3-2022102411
|
||||
- Type:bugfix
|
||||
- ID:NA
|
||||
- SUG:NA
|
||||
- DESC: remove process inheritable capabilities
|
||||
|
||||
* Thu Feb 09 2023 Wenlong Zhang<zhangwenlong@loongson.cn> - 4.0.3-2022102410
|
||||
- Type:bugfix
|
||||
- ID:NA
|
||||
|
||||
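--- a/series.conf
+++ /dev/null
@@ -1,58 +0,0 @@
-0001-huawei-adapt-to-huawei-4.0.3.patch
-0002-add-mount-label-for-rootfs.patch
-0003-format-code-and-verify-mount-mode.patch
-0004-Removes-the-definition-of-the-thread-attributes-obje.patch
-0005-solve-coredump-bug-caused-by-fstype-being-NULL-durin.patch
-0006-SIGTERM-do-not-catch-signal-SIGTERM-in-lxc-monitor.patch
-0007-Using-string-type-instead-of-security_context_t-beca.patch
-0008-hook-pass-correct-mount-dir-as-root-to-hook.patch
-0009-cgroup-refact-cgroup-manager-to-single-file.patch
-0010-cgfsng-adjust-log-level-from-error-to-warn.patch
-0011-rootfs-add-make-private-for-root.path-parent.patch
-0012-mount-make-possible-to-bind-mount-proc-and-sys-fs.patch
-0013-use-path-based-unix-domain-sockets-instead-of-abstra.patch
-0014-api-add-get-container-metrics-api.patch
-0015-Streaming-IO-solution-optimization-and-enhancement.patch
-0016-avoid-using-void-pointers-in-caclulation.patch
-0017-fix-compilation-errors-without-libcap.patch
-0018-IO-fix-io-data-miss-when-exec-with-pipes.patch
-0019-metrics-add-total_inactive_file-metric-for-memory.patch
-0020-support-cgroup-v2.patch
-0021-support-isula-exec-workdir.patch
-0022-print-error-message-if-process-workdir-failed.patch
-0023-log-support-long-syslog-tag.patch
-0024-log-adjust-log-level-from-error-to-warn.patch
-0025-get-cgroup-data-len-first-and-malloc-read-buff-by-le.patch
-0026-coredump-fix-coredump-when-cgroup-get-return-error.patch
-0027-add-help-for-new-arguments.patch
-0028-seccomp-init-and-destroy-notifier.cookie.patch
-0029-just-use-origin-loop-if-do-not-have-io.patch
-0030-conf-fix-a-memory-leak.patch
-0031-fix-lsm_se_mount_context-memory-leak.patch
-0032-disable-lxc_keep-with-oci-image.patch
-0033-conf-ensure-that-the-idmap-pointer-itself-is-freed.patch
-0034-cgfsng-fix-cgroup-attach-cgroup-creation.patch
-0035-adapt-upstream-compiler-settings.patch
-0036-compile-in-android-env.patch
-0037-fix-always-print-and-temp-len.patch
-0038-just-print-error-when-new-lock-failed.patch
-0039-fix-bug-of-memory-free.patch
-0040-refactor-the-way-to-convert-selinux-label-to-shared.patch
-0041-do-not-free-the-pointer-returned-by-dirname.patch
-0042-add-x-permission-when-create-directory.patch
-0043-do-not-operate-playload-and-attach-cgroup-if-no-cont.patch
-0044-fix-HOME-env-unset-error.patch
-0045-only-set-user-or-image-set-non-empty-HOME.patch
-0046-return-fail-if-no-args-or-no-rootfs-path-found.patch
-0047-fix-tools-with-option-give-error-message.patch
-0048-fix-do-mask-paths-after-parent-mounted.patch
-0049-skip-kill-cgroup-processes-if-no-hierarchies.patch
-0050-lxc-Add-sw64-architecture.patch
-0051-add-macro-to-adapt-musl-libc.patch
-0052-add-lxc-attach-add-gids-option.patch
-0053-change-the-suffi-parameter-in-lxc-attach-help-output.patch
-0054-rollback-strprint-code-modified.patch
-0055-add-sscanf-adapation-code-for-musl.patch
-0056-fix-cve-CVE-2022-47952-log-leaks-root-information.patch
-0057-fix-lxc-write-error-message.patch
-0058-add-loongarch64-support-for-lxc.patch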