microsoft
diff --git a/‎SPECS/moby-runc/0001-cgroups-cpuset-fix-byte-order-while-parsing-cpuset-r.patch‎
Lines changed: 0 additions & 78 deletions b/‎SPECS/moby-runc/0001-cgroups-cpuset-fix-byte-order-while-parsing-cpuset-r.patch‎
Lines changed: 0 additions & 78 deletions
diff --git a/‎SPECS/moby-runc/CVE-2024-21626.patch‎
Lines changed: 291 additions & 0 deletions b/‎SPECS/moby-runc/CVE-2024-21626.patch‎
Lines changed: 291 additions & 0 deletions
@@ -0,0 +1,291 @@
+From 7362cd5afe9d40131fb62cb075092025c7c71064 Mon Sep 17 00:00:00 2001
+From: "hang.jiang" <hang.jiang@daocloud.io>
+Date: Fri, 1 Sep 2023 16:17:13 +0800
+Subject: [runc v1.1.z PATCH 1/6] Fix File to Close
+
+(This is a cherry-pick of 937ca107c3d22da77eb8e8030f2342253b980980.)
+
+Signed-off-by: hang.jiang <hang.jiang@daocloud.io>
+Fixes: GHSA-xr7r-f8xq-vfvv CVE-2024-21626
+Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
+---
+ libcontainer/cgroups/fs/paths.go | 1 +
+ update.go                        | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/libcontainer/cgroups/fs/paths.go b/libcontainer/cgroups/fs/paths.go
+index 1092331b25d8..2cb970a3d55b 100644
+--- a/libcontainer/cgroups/fs/paths.go
++++ b/libcontainer/cgroups/fs/paths.go
+@@ -83,6 +83,7 @@ func tryDefaultCgroupRoot() string {
+ 	if err != nil {
+ 		return ""
+ 	}
++	defer dir.Close()
+ 	names, err := dir.Readdirnames(1)
+ 	if err != nil {
+ 		return ""
+diff --git a/update.go b/update.go
+index 9ce5a2e835b2..6d582ddddecb 100644
+--- a/update.go
++++ b/update.go
+@@ -174,6 +174,7 @@ other options are ignored.
+ 				if err != nil {
+ 					return err
+ 				}
++				defer f.Close()
+ 			}
+ 			err = json.NewDecoder(f).Decode(&r)
+ 			if err != nil {
+-- 
+2.43.0
+
+From 2ed79a6c91e56dcd2d1da47f8ffd663066153746 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <cyphar@cyphar.com>
+Date: Tue, 26 Dec 2023 23:53:07 +1100
+Subject: [runc v1.1.z PATCH 2/6] init: verify after chdir that cwd is inside
+ the container
+
+If a file descriptor of a directory in the host's mount namespace is
+leaked to runc init, a malicious config.json could use /proc/self/fd/...
+as a working directory to allow for host filesystem access after the
+container runs. This can also be exploited by a container process if it
+knows that an administrator will use "runc exec --cwd" and the target
+--cwd (the attacker can change that cwd to be a symlink pointing to
+/proc/self/fd/... and wait for the process to exec and then snoop on
+/proc/$pid/cwd to get access to the host). The former issue can lead to
+a critical vulnerability in Docker and Kubernetes, while the latter is a
+container breakout.
+
+We can (ab)use the fact that getcwd(2) on Linux detects this exact case,
+and getcwd(3) and Go's Getwd() return an error as a result. Thus, if we
+just do os.Getwd() after chdir we can easily detect this case and error
+out.
+
+In runc 1.1, a /sys/fs/cgroup handle happens to be leaked to "runc
+init", making this exploitable. On runc main it just so happens that the
+leaked /sys/fs/cgroup gets clobbered and thus this is only consistently
+exploitable for runc 1.1.
+
+Fixes: GHSA-xr7r-f8xq-vfvv CVE-2024-21626
+Co-developed-by: lifubang <lifubang@acmcoder.com>
+Signed-off-by: lifubang <lifubang@acmcoder.com>
+[refactored the implementation and added more comments]
+Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
+---
+ libcontainer/init_linux.go               | 31 ++++++++++++++++++++++++
+ libcontainer/integration/seccomp_test.go | 20 +++++++--------
+ 2 files changed, 41 insertions(+), 10 deletions(-)
+
+diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
+index 5b88c71fc83a..057b30669811 100644
+--- a/libcontainer/init_linux.go
++++ b/libcontainer/init_linux.go
+@@ -8,6 +8,7 @@ import (
+ 	"io"
+ 	"net"
+ 	"os"
++	"path/filepath"
+ 	"strings"
+ 	"unsafe"
+ 
+@@ -135,6 +136,32 @@ func populateProcessEnvironment(env []string) error {
+ 	return nil
+ }
+ 
++// verifyCwd ensures that the current directory is actually inside the mount
++// namespace root of the current process.
++func verifyCwd() error {
++	// getcwd(2) on Linux detects if cwd is outside of the rootfs of the
++	// current mount namespace root, and in that case prefixes "(unreachable)"
++	// to the returned string. glibc's getcwd(3) and Go's Getwd() both detect
++	// when this happens and return ENOENT rather than returning a non-absolute
++	// path. In both cases we can therefore easily detect if we have an invalid
++	// cwd by checking the return value of getcwd(3). See getcwd(3) for more
++	// details, and CVE-2024-21626 for the security issue that motivated this
++	// check.
++	//
++	// We have to use unix.Getwd() here because os.Getwd() has a workaround for
++	// $PWD which involves doing stat(.), which can fail if the current
++	// directory is inaccessible to the container process.
++	if wd, err := unix.Getwd(); err == unix.ENOENT {
++		return errors.New("current working directory is outside of container mount namespace root -- possible container breakout detected")
++	} else if err != nil {
++		return fmt.Errorf("failed to verify if current working directory is safe: %w", err)
++	} else if !filepath.IsAbs(wd) {
++		// We shouldn't ever hit this, but check just in case.
++		return fmt.Errorf("current working directory is not absolute -- possible container breakout detected: cwd is %q", wd)
++	}
++	return nil
++}
++
+ // finalizeNamespace drops the caps, sets the correct user
+ // and working dir, and closes any leaked file descriptors
+ // before executing the command inside the namespace
+@@ -193,6 +220,10 @@ func finalizeNamespace(config *initConfig) error {
+ 			return fmt.Errorf("chdir to cwd (%q) set in config.json failed: %w", config.Cwd, err)
+ 		}
+ 	}
++	// Make sure our final working directory is inside the container.
++	if err := verifyCwd(); err != nil {
++		return err
++	}
+ 	if err := system.ClearKeepCaps(); err != nil {
+ 		return fmt.Errorf("unable to clear keep caps: %w", err)
+ 	}
+diff --git a/libcontainer/integration/seccomp_test.go b/libcontainer/integration/seccomp_test.go
+index 31092a0a5d21..ecdfa7957df1 100644
+--- a/libcontainer/integration/seccomp_test.go
++++ b/libcontainer/integration/seccomp_test.go
+@@ -13,7 +13,7 @@ import (
+ 	libseccomp "github.com/seccomp/libseccomp-golang"
+ )
+ 
+-func TestSeccompDenyGetcwdWithErrno(t *testing.T) {
++func TestSeccompDenySyslogWithErrno(t *testing.T) {
+ 	if testing.Short() {
+ 		return
+ 	}
+@@ -25,7 +25,7 @@ func TestSeccompDenyGetcwdWithErrno(t *testing.T) {
+ 		DefaultAction: configs.Allow,
+ 		Syscalls: []*configs.Syscall{
+ 			{
+-				Name:     "getcwd",
++				Name:     "syslog",
+ 				Action:   configs.Errno,
+ 				ErrnoRet: &errnoRet,
+ 			},
+@@ -39,7 +39,7 @@ func TestSeccompDenyGetcwdWithErrno(t *testing.T) {
+ 	buffers := newStdBuffers()
+ 	pwd := &libcontainer.Process{
+ 		Cwd:    "/",
+-		Args:   []string{"pwd"},
++		Args:   []string{"dmesg"},
+ 		Env:    standardEnvironment,
+ 		Stdin:  buffers.Stdin,
+ 		Stdout: buffers.Stdout,
+@@ -65,17 +65,17 @@ func TestSeccompDenyGetcwdWithErrno(t *testing.T) {
+ 	}
+ 
+ 	if exitCode == 0 {
+-		t.Fatalf("Getcwd should fail with negative exit code, instead got %d!", exitCode)
++		t.Fatalf("dmesg should fail with negative exit code, instead got %d!", exitCode)
+ 	}
+ 
+-	expected := "pwd: getcwd: No such process"
++	expected := "dmesg: klogctl: No such process"
+ 	actual := strings.Trim(buffers.Stderr.String(), "\n")
+ 	if actual != expected {
+ 		t.Fatalf("Expected output %s but got %s\n", expected, actual)
+ 	}
+ }
+ 
+-func TestSeccompDenyGetcwd(t *testing.T) {
++func TestSeccompDenySyslog(t *testing.T) {
+ 	if testing.Short() {
+ 		return
+ 	}
+@@ -85,7 +85,7 @@ func TestSeccompDenyGetcwd(t *testing.T) {
+ 		DefaultAction: configs.Allow,
+ 		Syscalls: []*configs.Syscall{
+ 			{
+-				Name:   "getcwd",
++				Name:   "syslog",
+ 				Action: configs.Errno,
+ 			},
+ 		},
+@@ -98,7 +98,7 @@ func TestSeccompDenyGetcwd(t *testing.T) {
+ 	buffers := newStdBuffers()
+ 	pwd := &libcontainer.Process{
+ 		Cwd:    "/",
+-		Args:   []string{"pwd"},
++		Args:   []string{"dmesg"},
+ 		Env:    standardEnvironment,
+ 		Stdin:  buffers.Stdin,
+ 		Stdout: buffers.Stdout,
+@@ -124,10 +124,10 @@ func TestSeccompDenyGetcwd(t *testing.T) {
+ 	}
+ 
+ 	if exitCode == 0 {
+-		t.Fatalf("Getcwd should fail with negative exit code, instead got %d!", exitCode)
++		t.Fatalf("dmesg should fail with negative exit code, instead got %d!", exitCode)
+ 	}
+ 
+-	expected := "pwd: getcwd: Operation not permitted"
++	expected := "dmesg: klogctl: Operation not permitted"
+ 	actual := strings.Trim(buffers.Stderr.String(), "\n")
+ 	if actual != expected {
+ 		t.Fatalf("Expected output %s but got %s\n", expected, actual)
+-- 
+2.43.0
+
+From b2b5754eb34174e032f1048beb1b27db83e77c5a Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <cyphar@cyphar.com>
+Date: Fri, 5 Jan 2024 01:42:32 +1100
+Subject: [runc v1.1.z PATCH 3/6] setns init: do explicit lookup of execve
+ argument early
+
+(This is a partial backport of a minor change included in commit
+dac41717465462b21fab5b5942fe4cb3f47d7e53.)
+
+This mirrors the logic in standard_init_linux.go, and also ensures that
+we do not call exec.LookPath in the final execve step.
+
+While this is okay for regular binaries, it seems exec.LookPath calls
+os.Getenv which tries to emit a log entry to the test harness when
+running in "go test" mode. In a future patch (in order to fix
+CVE-2024-21626), we will close all of the file descriptors immediately
+before execve, which would mean the file descriptor for test harness
+logging would be closed at execve time. So, moving exec.LookPath earlier
+is necessary.
+
+Ref: dac417174654 ("runc-dmz: reduce memfd binary cloning cost with small C binary")
+Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
+---
+ libcontainer/setns_init_linux.go | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go
+index 09ab552b3d12..e891773ec578 100644
+--- a/libcontainer/setns_init_linux.go
++++ b/libcontainer/setns_init_linux.go
+@@ -4,6 +4,7 @@ import (
+ 	"errors"
+ 	"fmt"
+ 	"os"
++	"os/exec"
+ 	"strconv"
+ 
+ 	"github.com/opencontainers/selinux/go-selinux"
+@@ -82,6 +83,21 @@ func (l *linuxSetnsInit) Init() error {
+ 	if err := apparmor.ApplyProfile(l.config.AppArmorProfile); err != nil {
+ 		return err
+ 	}
++
++	// Check for the arg before waiting to make sure it exists and it is
++	// returned as a create time error.
++	name, err := exec.LookPath(l.config.Args[0])
++	if err != nil {
++		return err
++	}
++	// exec.LookPath in Go < 1.20 might return no error for an executable
++	// residing on a file system mounted with noexec flag, so perform this
++	// extra check now while we can still return a proper error.
++	// TODO: remove this once go < 1.20 is not supported.
++	if err := eaccess(name); err != nil {
++		return &os.PathError{Op: "eaccess", Path: name, Err: err}
++	}
++
+ 	// Set seccomp as close to execve as possible, so as few syscalls take
+ 	// place afterward (reducing the amount of syscalls that users need to
+ 	// enable in their seccomp profiles).
+@@ -101,5 +117,5 @@ func (l *linuxSetnsInit) Init() error {
+ 		return &os.PathError{Op: "close log pipe", Path: "fd " + strconv.Itoa(l.logFd), Err: err}
+ 	}
+ 
+-	return system.Execv(l.config.Args[0], l.config.Args[0:], os.Environ())
++	return system.Exec(name, l.config.Args[0:], os.Environ())
+ }
+-- 
+2.43.0
+