From 18630b721889b940bb05d0d79eee3ed91b2236f3 Mon Sep 17 00:00:00 2001 From: Dongsu Park Date: Mon, 1 Mar 2021 14:01:48 +0100 Subject: [PATCH] app-emulation/docker-runc: disable NoNewPrivileges options Temporarily disable Prctl and InitSeccomp for NoNewPrivileges, to be able to make docker/runc work with "--security-opt=no-new-privileges". So far it has worked without disabling NoNewPrivileges until runc 1.0.0-rc92, which allowed the "selinux" build tag. Since runc 1.0.0-rc93, however, the selinux build tag is now gone, so selinux is always enabled. That's why `docker run --security-opt=no-new-privileges` failed. Until we figure out the real cause, let's temporarily disable NoNewPrivileges to make the CI pass. --- .../docker-runc/docker-runc-1.0.0_rc93.ebuild | 3 +- ...ble-selinux.GetEnabled-error-checks.patch} | 0 ...r-disable-prctl-with-NoNewPrivileges.patch | 55 +++++++++++++++++++ 3 files changed, 57 insertions(+), 1 deletion(-) rename sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/{0001-temporarily-disable-selinux.GetEnabled-error-checks.patch => 0002-temporarily-disable-selinux.GetEnabled-error-checks.patch} (100%) create mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0003-libcontainer-disable-prctl-with-NoNewPrivileges.patch diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc93.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc93.ebuild index f2f62290b8..d7dcdea583 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc93.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc93.ebuild 
@@ -42,7 +42,8 @@ src_unpack() {
 PATCHES=(
 "${FILESDIR}/0001-Delay-unshare-of-clone-newipc-for-selinux.patch"
- "${FILESDIR}/0001-temporarily-disable-selinux.GetEnabled-error-checks.patch"
+ "${FILESDIR}/0002-temporarily-disable-selinux.GetEnabled-error-checks.patch"
+ "${FILESDIR}/0003-libcontainer-disable-prctl-with-NoNewPrivileges.patch"
 )
 src_compile() {
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0001-temporarily-disable-selinux.GetEnabled-error-checks.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0002-temporarily-disable-selinux.GetEnabled-error-checks.patch
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0001-temporarily-disable-selinux.GetEnabled-error-checks.patch
rename to sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0002-temporarily-disable-selinux.GetEnabled-error-checks.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0003-libcontainer-disable-prctl-with-NoNewPrivileges.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0003-libcontainer-disable-prctl-with-NoNewPrivileges.patch
new file mode 100644
index 0000000000..b720280147
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0003-libcontainer-disable-prctl-with-NoNewPrivileges.patch
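Review bot: The new `"${FILESDIR}/0003-libcontainer-disable-prctl-with-NoNewPrivileges.patch"` entry ships this weakening to every consumer of the package, not only CI: per the patch body in this commit it removes runc's PR_SET_NO_NEW_PRIVS prctl and the no-new-privs-path seccomp install, so a container requesting no_new_privs is accepted without error but the option is not enforced. Nothing in PATCHES marks it as a stop-gap, so the next version bump will carry it forward silently; add a comment above the entry, e.g. `# TEMPORARY: disables no_new_privs (and seccomp for NNP containers) in runc; drop once the rc93 --security-opt=no-new-privileges failure is root-caused, see <tracking issue>`. An `ewarn` in pkg_postinst would also tell operators who rely on that option that this build does not enforce it. The enclosing ebuild continues outside the hunk.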
@@ -0,0 +1,55 @@
+From 657e01b0d909cce33bc5176e5ef618e039ba187f Mon Sep 17 00:00:00 2001
+Message-Id: <657e01b0d909cce33bc5176e5ef618e039ba187f.1614603215.git.dongsu@kinvolk.io>
+From: Dongsu Park
+Date: Fri, 26 Feb 2021 15:51:04 +0100
+Subject: [PATCH] libcontainer: disable prctl with NoNewPrivileges
+
+Temporarily disable Prctl and InitSeccomp for NoNewPrivileges, to be able
+to make docker/runc work with "--security-opt=no-new-privileges".
+
+So far it has worked without disabling NoNewPrivileges until runc 1.0.0-rc92,
+which allowed the "selinux" build tag. Since runc 1.0.0-rc93, however,
+the selinux build tag is now gone, so selinux is always enabled.
+That's why `docker run --security-opt=no-new-privileges` failed.
+
+Until we could figure out its real reason, let's temporarily disable
+NoNewPrivileges to make the CI pass.
+
+---
+ libcontainer/standard_init_linux.go | 13 -------------
+ 1 file changed, 13 deletions(-)
+
+diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
+index 7ec506c4..fc4121a9 100644
+--- a/libcontainer/standard_init_linux.go
++++ b/libcontainer/standard_init_linux.go
+@@ -135,11 +135,6 @@ func (l *linuxStandardInit) Init() error {
+ if err != nil {
+ return errors.Wrap(err, "get pdeath signal")
+ }
+- if l.config.NoNewPrivileges {
+- if err := unix.Prctl(unix.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
+- return errors.Wrap(err, "set nonewprivileges")
+- }
+- }
+ // Tell our parent that we're ready to Execv. This must be done before the
+ // Seccomp rules have been applied, because we need to be able to read and
+ // write to a socket.
+@@ -199,14 +194,6 @@ func (l *linuxStandardInit) Init() error {
+ // since been resolved.
+ // https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
+ unix.Close(l.fifoFd)
+- // Set seccomp as close to execve as possible, so as few syscalls take
+- // place afterward (reducing the amount of syscalls that users need to
+- // enable in their seccomp profiles).
+- if l.config.Config.Seccomp != nil && l.config.NoNewPrivileges {
+- if err := seccomp.InitSeccomp(l.config.Config.Seccomp); err != nil {
+- return newSystemErrorWithCause(err, "init seccomp")
+- }
+- }
+ 
+ s := l.config.SpecState
+ s.Pid = unix.Getpid()
+-- 
+2.29.2
+
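Review bot: The second nested hunk also deletes `if l.config.Config.Seccomp != nil && l.config.NoNewPrivileges {` together with its `seccomp.InitSeccomp(...)` call, which is the late seccomp install for no_new_privs containers; the early install earlier in Init() (outside this hunk) is, as far as I recall rc93, guarded by `!l.config.NoNewPrivileges`, so a container requesting no_new_privs now gets neither the prctl nor any seccomp filter while Init() still returns success. If the prctl really has to go for now, keep the InitSeccomp block by restricting the patch to the first nested hunk, or put the prctl behind an opt-in switch instead of deleting it, so the default build stays enforcing. The failure described in the message is consistent with SELinux refusing the exec-time domain transition once no_new_privs is set (policy needs `nnp_transition`); that is an inference from the commit text rather than from these lines, but it points at the policy or process label rather than at the prctl. The patch description should also state plainly that it disables both protections and carry a tracking reference, since nothing here is temporary in effect. Init() starts and ends outside both nested hunks.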