[release-1.27] Backport fix for CVE-2024-11218 #5946
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Allow cache mounts (RUN --mount=type=cache) to refer to other stages or additional build contexts. Update the build-check-cve-2024-9675 integration test to use different directories for its main build context and the additional build context that it uses for its final run. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Signed-off-by: David Shea <dshea@redhat.com>
Add a package that lets us open a directory in a chroot, pass its descriptor up, and then bind mount that directory to a specified location. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Add a helper that uses the new internal/open package to bind mount a location inside of a chroot direct to a new temporary location, for ensuring that the latter is not bind-mounted from outside of the chroot. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Add a ForceMount flag to pkg/overlay.Options that forces mounting the overlay filesystem and returning a bind mount to it instead of trying to leave that for later in cases where we're able to have the kernel do it. This is mainly for the sake of callers that want to do more things with the mounted overlay filesystem before passing them to the (presumably) OCI runtime. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Signed-off-by: David Shea <dshea@redhat.com>
Add a way to pass a "set the SELinux contexts" labels to MountWithOptions. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Signed-off-by: David Shea <dshea@redhat.com>
|
/approve |
|
Other than @nalind 's comments, LGTM |
When handling RUN --mount=type=bind, where the mount is read-write, instead of a simple bind mount, create an overlay mount with an upper directory that will be discarded after the overlay mount is unmounted. This brings us in line with the expected behavior, wherein writes to bind mounts should be discarded. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Signed-off-by: David Shea <dshea@redhat.com>
Ensure that the temporary directory that we create is never itself the top-level directory of the content that we're downloading, in case it's an archive which includes a "." with weird permissions. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Signed-off-by: David Shea <dshea@redhat.com>
Fix a time-of-check/time-of-use error when mounting type=bind and type=cache directories that use a "src" flag. A hostile writer could use a concurrently-running stage or build to replace that "src" location between the point when we had resolved possible symbolic links and when runc/crun/whatever actually went to create the bind mount (CVE-2024-11218). Stop ignoring the "src" option for cache mounts when there's no "from" option. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Signed-off-by: David Shea <dshea@redhat.com>
Append to the lock list instead of replacing it. Signed-off-by: David Shea <dshea@redhat.com>
dashea
force-pushed
the
dshea-1.27-CVE-2024-11218
branch
from
8bc1301 to
2a43238
Compare
|
It's almost certainly a race condition somewhere else, but 2a43238 is consistently causing the "bud-multiple-platform-values" integration test to fail on my test system. Can anyone confirm that it's not universally observed? |
|
LGTM |
|
@nalind can you take a second look please? |
|
Same code, same test, passes today. I guess it's a flake. |
nalind
approved these changes
Jan 30, 2025
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dashea, nalind The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/override "Total Success" |
|
@nalind: Overrode contexts on behalf of nalind: Total Success In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
openshift-merge-bot
bot
merged commit 85dabc8
into
containers:release-1.27
4 checks passed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What type of PR is this?
What this PR does / why we need it:
Backport the changes for GHSA-5vpc-35f4-r8w6 to the 1.27 branch.
How to verify it
Which issue(s) this PR fixes:
RHEL-67598
Special notes for your reviewer:
Does this PR introduce a user-facing change?