packages/runc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!98 Add errnoRet in Syscall struct to sovle k3s function defect

Browse Source 
From: @wang--ge 
Reviewed-by: @Vanient, @duguhaotian 
Signed-off-by: @duguhaotian
This commit is contained in:
openeuler-ci-bot 2022-11-22 01:48:09 +00:00 committed by Gitee
commit 202438daf9
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
3 changed files with 190 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

182
patch/0134-runc-add-errnoRet-in-Syscall-struct.patch Normal file
View File

@ -0,0 +1,182 @@
From f3daefee2a044dac912afccb52a724a7fe710caf Mon Sep 17 00:00:00 2001
From: wang--ge <wang__ge@126.com>
Date: Sat, 19 Nov 2022 15:43:51 +0800
Subject: [PATCH] honor seccomp errnoRet
---
libcontainer/configs/config.go | 1 +
libcontainer/integration/seccomp_test.go | 72 +++++++++++++++++++
libcontainer/seccomp/seccomp_linux.go | 12 +++-
libcontainer/specconv/spec_linux.go | 1 +
.../runtime-spec/specs-go/config.go | 1 +
5 files changed, 84 insertions(+), 3 deletions(-)
diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go
index 9074c86..7dd4bde 100644
--- a/libcontainer/configs/config.go
+++ b/libcontainer/configs/config.go
@@ -78,6 +78,7 @@ type Arg struct {
type Syscall struct {
Name string `json:"name"`
Action Action `json:"action"`
+ ErrnoRet *uint `json:"errnoRet"`
Priority uint8 `json:"priority,omitempty"`
Args []*Arg `json:"args"`
}
diff --git a/libcontainer/integration/seccomp_test.go b/libcontainer/integration/seccomp_test.go
index 8e2c7cd..72d0d96 100644
--- a/libcontainer/integration/seccomp_test.go
+++ b/libcontainer/integration/seccomp_test.go
@@ -12,6 +12,78 @@ import (
libseccomp "github.com/seccomp/libseccomp-golang"
)
+func TestSeccompDenyGetcwdWithErrno(t *testing.T) {
+ if testing.Short() {
+ return
+ }
+
+ rootfs, err := newRootfs()
+ if err != nil {
+ t.Fatal(err)
+ }
+ defer remove(rootfs)
+
+ errnoRet := uint(syscall.ESRCH)
+
+ config := newTemplateConfig(rootfs)
+ config.Seccomp = &configs.Seccomp{
+ DefaultAction: configs.Allow,
+ Syscalls: []*configs.Syscall{
+ {
+ Name: "getcwd",
+ Action: configs.Errno,
+ ErrnoRet: &errnoRet,
+ },
+ },
+ }
+
+ container, err := newContainer(config)
+ if err != nil {
+ t.Fatal(err)
+ }
+ defer container.Destroy()
+
+ buffers := newStdBuffers()
+ pwd := &libcontainer.Process{
+ Cwd: "/",
+ Args: []string{"pwd"},
+ Env: standardEnvironment,
+ Stdin: buffers.Stdin,
+ Stdout: buffers.Stdout,
+ Stderr: buffers.Stderr,
+ Init: true,
+ }
+
+ err = container.Run(pwd)
+ if err != nil {
+ t.Fatal(err)
+ }
+ ps, err := pwd.Wait()
+ if err == nil {
+ t.Fatal("Expecting error (negative return code); instead exited cleanly!")
+ }
+
+ var exitCode int
+ status := ps.Sys().(syscall.WaitStatus)
+ if status.Exited() {
+ exitCode = status.ExitStatus()
+ } else if status.Signaled() {
+ exitCode = -int(status.Signal())
+ } else {
+ t.Fatalf("Unrecognized exit reason!")
+ }
+
+ if exitCode == 0 {
+ t.Fatalf("Getcwd should fail with negative exit code, instead got %d!", exitCode)
+ }
+
+ expected := "pwd: getcwd: No such process"
+ actual := strings.Trim(buffers.Stderr.String(), "\n")
+ if actual != expected {
+ t.Fatalf("Expected output %s but got %s\n", expected, actual)
+ }
+}
+
func TestSeccompDenyGetcwd(t *testing.T) {
if testing.Short() {
return
diff --git a/libcontainer/seccomp/seccomp_linux.go b/libcontainer/seccomp/seccomp_linux.go
index 0c97da6..26cec43 100644
--- a/libcontainer/seccomp/seccomp_linux.go
+++ b/libcontainer/seccomp/seccomp_linux.go
@@ -36,7 +36,7 @@ func InitSeccomp(config *configs.Seccomp) error {
return fmt.Errorf("cannot initialize Seccomp - nil config passed")
}
- defaultAction, err := getAction(config.DefaultAction)
+ defaultAction, err := getAction(config.DefaultAction, nil)
if err != nil {
return fmt.Errorf("error initializing seccomp - invalid default action")
}
@@ -100,17 +100,23 @@ func IsEnabled() bool {
}
// Convert Libcontainer Action to Libseccomp ScmpAction
-func getAction(act configs.Action) (libseccomp.ScmpAction, error) {
+func getAction(act configs.Action, errnoRet *uint) (libseccomp.ScmpAction, error) {
switch act {
case configs.Kill:
return actKill, nil
case configs.Errno:
+ if errnoRet != nil {
+ return libseccomp.ActErrno.SetReturnCode(int16(*errnoRet)), nil
+ }
return actErrno, nil
case configs.Trap:
return actTrap, nil
case configs.Allow:
return actAllow, nil
case configs.Trace:
+ if errnoRet != nil {
+ return libseccomp.ActTrace.SetReturnCode(int16(*errnoRet)), nil
+ }
return actTrace, nil
default:
return libseccomp.ActInvalid, fmt.Errorf("invalid action, cannot use in rule")
@@ -173,7 +179,7 @@ func matchCall(filter *libseccomp.ScmpFilter, call *configs.Syscall) error {
}
// Convert the call's action to the libseccomp equivalent
- callAct, err := getAction(call.Action)
+ callAct, err := getAction(call.Action, call.ErrnoRet)
if err != nil {
return err
}
diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
index 0cbc66f..8177739 100644
--- a/libcontainer/specconv/spec_linux.go
+++ b/libcontainer/specconv/spec_linux.go
@@ -758,6 +758,7 @@ func setupSeccomp(config *specs.LinuxSeccomp) (*configs.Seccomp, error) {
newCall := configs.Syscall{
Name: name,
Action: newAction,
+ ErrnoRet: call.ErrnoRet,
Priority: call.Priority,
Args: []*configs.Arg{},
}
diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
index 8439744..ec8096a 100644
--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
+++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
@@ -556,6 +556,7 @@ type LinuxSeccompArg struct {
type LinuxSyscall struct {
Names []string `json:"names"`
Action LinuxSeccompAction `json:"action"`
+ ErrnoRet *uint `json:"errnoRet,omitempty"`
Priority uint8 `json:"priority,omitempty"`
Args []LinuxSeccompArg `json:"args"`
Comment string `json:"comment"`
--
2.27.0

8
runc.spec
View File

@ -4,7 +4,7 @@
Name: docker-runc Name: docker-runc
Version: 1.0.0.rc3 Version: 1.0.0.rc3
Release: 305 Release: 306
Summary: runc is a CLI tool for spawning and running containers according to the OCI specification. Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
License: ASL 2.0 License: ASL 2.0
@ -53,6 +53,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
%{_bindir}/runc %{_bindir}/runc
%changelog %changelog
* Mon Nov 21 2022 Ge Wang <wangge20@h-partners.com> - 1.0.0.rc3-306
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:add errnoRet in Syscall struct
* Wed Sep 28 2022 zhongjiawei<zhongjiawei1@huawei.com> - 1.0.0.rc3-305 * Wed Sep 28 2022 zhongjiawei<zhongjiawei1@huawei.com> - 1.0.0.rc3-305
- Type:bugfix - Type:bugfix
- CVE:NA - CVE:NA

1
series.conf
View File

@ -132,4 +132,5 @@ patch/0128-runc-fix-CVE-2022-29162.patch
patch/0131-runc-change-Umask-to-0022.patch patch/0131-runc-change-Umask-to-0022.patch
patch/0132-runc-fix-systemd-cgroup-after-memory-type-changed.patch patch/0132-runc-fix-systemd-cgroup-after-memory-type-changed.patch
patch/0133-runc-add-CGO-sercuity-build-options.patch patch/0133-runc-add-CGO-sercuity-build-options.patch
patch/0134-runc-add-errnoRet-in-Syscall-struct.patch
#end #end