.gitignore

@@ -1,2 +1,3 @@
-SOURCES/cri-o-9b1f0a0.tar.gz
+SOURCES/dnsname-bdc4ab8.tar.gz
-SOURCES/libpod-921f98f.tar.gz
+SOURCES/v0.1.7.tar.gz
+SOURCES/v5.2-rhel-6df7dfb.tar.gz

.podman.metadata

@@ -1,2 +1,3 @@
-b53ff7dd655dec8ddab85b7782a2d41e6bdcb301 SOURCES/cri-o-9b1f0a0.tar.gz
+69fb828d3028f968e46420d58cc80bc59e446051 SOURCES/dnsname-bdc4ab8.tar.gz
-14fa9349a6277355aa6a4f079a131059d194fd99 SOURCES/libpod-921f98f.tar.gz
+94419a237f932ff2a79c91f6e3005034d9c367a5 SOURCES/v0.1.7.tar.gz
+0cea444043ae555d38df4ee53e49a38226ecef3c SOURCES/v5.2-rhel-6df7dfb.tar.gz

SOURCES/0001-Only-drop-all-caps-in-exec-when-non-root.patch

@@ -1,31 +0,0 @@
-From fbc96cdd1741021f3d18e49eac3757297aaba851 Mon Sep 17 00:00:00 2001
-From: Matthew Heon <mheon@redhat.com>
-Date: Fri, 19 Feb 2021 11:34:39 -0500
-Subject: [PATCH] Only drop all caps in exec when non-root
-
-We were dropping too many capabilities otherwise, which broke
-some critical system tools (e.g. useradd) in exec sessions.
-
-Fix RHBZ#1930552
-
-Signed-off-by: Matthew Heon <mheon@redhat.com>
----
- libpod/oci_conmon_linux.go | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
-index d5973a1a6..18ede031e 100644
---- a/libpod/oci.go
-+++ b/libpod/oci.go
-@@ -1107,7 +1107,7 @@ func prepareProcessExec(c *Container, cmd, env []string, tty bool, cwd, user, se
- 	pspec.Capabilities.Effective = []string{}
- 	if privileged {
- 		pspec.Capabilities.Bounding = allCaps
--	} else {
-+	} else if execUser.Uid != 0 {
- 		pspec.Capabilities.Bounding = []string{}
- 	}
- 	pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding
--- 
-2.29.2
-

SOURCES/podman-1882267.patch

@@ -1,23 +0,0 @@
-From bc5be3ca10cd4c147955fadd2586b5dd8ad0eeea Mon Sep 17 00:00:00 2001
-From: Matthew Heon <mheon@redhat.com>
-Date: Thu, 24 Sep 2020 10:42:13 -0400
-Subject: [PATCH] Fix https://bugzilla.redhat.com/show_bug.cgi?id=1882267
-
-Signed-off-by: Matthew Heon <mheon@redhat.com>
----
- cmd/podman/sigproxy.go | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/cmd/podman/sigproxy.go b/cmd/podman/sigproxy.go
-index 16861bad04..92d7f4e4a9 100644
---- a/cmd/podman/sigproxy.go
-+++ b/cmd/podman/sigproxy.go
-@@ -19,7 +19,7 @@ func ProxySignals(ctr *libpod.Container) {
- 		for s := range sigBuffer {
- 			// Ignore SIGCHLD and SIGPIPE - these are mostly likely
- 			// intended for the podman command itself.
--			if s == signal.SIGCHLD || s == signal.SIGPIPE {
-+			if s == syscall.SIGCHLD || s == syscall.SIGPIPE || s == syscall.SIGURG {
- 				continue
- 			}
- 

SOURCES/podman-CVE-2020-10696.patch

@@ -1,48 +0,0 @@
-From 840e7dad513b86f454573ad415701c0199f78d30 Mon Sep 17 00:00:00 2001
-From: TomSweeneyRedHat <tsweeney@redhat.com>
-Date: Tue, 24 Mar 2020 20:10:22 -0400
-Subject: [PATCH] Fix potential CVE in tarfile w/ symlink
-
-Stealing @nalind 's workaround to avoid refetching
-content after a file read failure.  Under the right
-circumstances that could be a symlink to a file meant
-to overwrite a good file with bad data.
-
-Testing:
-```
-goodstuff
-
-[1] 14901
-
-127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
-127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
-no FROM statement found
-
-goodstuff
-```
-
-Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
----
- imagebuildah/util.go | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff -up a/imagebuildah/util.go.CVE-2020-10696 b/imagebuildah/util.go
---- a/vendor/github.com/containers//buildah/imagebuildah/util.go.CVE-2020-10696
-+++ b/vendor/github.com/containers//buildah/imagebuildah/util.go
-@@ -12,6 +12,7 @@ import (
- 
- 	"github.com/containers/buildah"
- 	"github.com/containers/storage/pkg/chrootarchive"
-+	"github.com/containers/storage/pkg/ioutils"
- 	"github.com/pkg/errors"
- 	"github.com/sirupsen/logrus"
- )
-@@ -47,7 +48,7 @@ func downloadToDirectory(url, dir string
- 		}
- 		dockerfile := filepath.Join(dir, "Dockerfile")
- 		// Assume this is a Dockerfile
--		if err := ioutil.WriteFile(dockerfile, body, 0600); err != nil {
-+		if err := ioutils.AtomicWriteFile(dockerfile, body, 0600); err != nil {
- 			return errors.Wrapf(err, "Failed to write %q to %q", url, dockerfile)
- 		}
- 	}

SOURCES/podman-CVE-2021-20188.patch

@@ -1,319 +0,0 @@
-From 69daa67c436a8fdeb0149aa5cb0112f03fdb699f Mon Sep 17 00:00:00 2001
-From: Matthew Heon <mheon@redhat.com>
-Date: Mon, 25 Jan 2021 14:18:07 -0500
-Subject: [PATCH] Correct handling of capabilities
-
-Ensure that capabilities are properly handled for non-root users
-in privileged containers. We do not want to give full caps, but
-instead only CapInh and CapEff (others should be all-zeroes).
-
-Fixing `podman run` is easy - the same code as the Podman 1.6 fix
-works there. The `podman exec` command is far more challenging.
-Exec received a complete rewrite to use Conmon at some point
-before Podman 1.6, and gained many capabilities in the process.
-One of those was the ability to actually tweak the capabilities
-of the exec process - 1.0 did not have that. Since it was needed
-to resolve this CVE, I was forced to backport a large bit of the
-1.0 -> 1.6 exec changes (passing a Process block to the OCI
-runtime, and using `prepareProcessExec()` to prepare said block).
-I am honestly uncomfortable with the size and scope of this
-change but I don't see another way around this.
-
-Fixes CVE-2021-20188
-
-Signed-off-by: Matthew Heon <mheon@redhat.com>
----
- libpod/container_api.go |  24 +------
- libpod/oci.go           | 148 ++++++++++++++++++++++++++++++++--------
- pkg/spec/spec.go        |   8 +++
- 3 files changed, 132 insertions(+), 48 deletions(-)
-
-diff -up libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/container_api.go.orig libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/container_api.go
---- libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/container_api.go.orig	2019-02-11 16:26:46.000000000 +0100
-+++ libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/container_api.go	2021-02-12 10:38:48.767172399 +0100
-@@ -2,7 +2,6 @@ package libpod
- 
- import (
- 	"context"
--	"fmt"
- 	"io/ioutil"
- 	"os"
- 	"strconv"
-@@ -11,9 +10,7 @@ import (
- 
- 	"github.com/containers/libpod/libpod/driver"
- 	"github.com/containers/libpod/pkg/inspect"
--	"github.com/containers/libpod/pkg/lookup"
- 	"github.com/containers/storage/pkg/stringid"
--	"github.com/docker/docker/daemon/caps"
- 	"github.com/pkg/errors"
- 	"github.com/sirupsen/logrus"
- 	"k8s.io/apimachinery/pkg/util/wait"
-@@ -263,8 +260,6 @@ func (c *Container) Kill(signal uint) er
- // TODO allow specifying streams to attach to
- // TODO investigate allowing exec without attaching
- func (c *Container) Exec(tty, privileged bool, env, cmd []string, user, workDir string) error {
--	var capList []string
--
- 	locked := false
- 	if !c.batched {
- 		locked = true
-@@ -287,22 +282,8 @@ func (c *Container) Exec(tty, privileged
- 	if conState != ContainerStateRunning {
- 		return errors.Errorf("cannot exec into container that is not running")
- 	}
--	if privileged || c.config.Privileged {
--		capList = caps.GetAllCapabilities()
--	}
- 
--	// If user was set, look it up in the container to get a UID to use on
--	// the host
--	hostUser := ""
--	if user != "" {
--		execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, user, nil)
--		if err != nil {
--			return err
--		}
--
--		// runc expects user formatted as uid:gid
--		hostUser = fmt.Sprintf("%d:%d", execUser.Uid, execUser.Gid)
--	}
-+	isPrivileged := privileged || c.config.Privileged
- 
- 	// Generate exec session ID
- 	// Ensure we don't conflict with an existing session ID
-@@ -324,10 +305,11 @@ func (c *Container) Exec(tty, privileged
- 
- 	logrus.Debugf("Creating new exec session in container %s with session id %s", c.ID(), sessionID)
- 
--	execCmd, err := c.runtime.ociRuntime.execContainer(c, cmd, capList, env, tty, workDir, hostUser, sessionID)
-+	execCmd, processFile, err := c.runtime.ociRuntime.execContainer(c, cmd, env, tty, workDir, user, sessionID, isPrivileged)
- 	if err != nil {
- 		return errors.Wrapf(err, "error exec %s", c.ID())
- 	}
-+	defer os.Remove(processFile)
- 	chWait := make(chan error)
- 	go func() {
- 		chWait <- execCmd.Wait()
-diff -up libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/oci.go.orig libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/oci.go
---- libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/oci.go.orig	2019-02-11 16:26:46.000000000 +0100
-+++ libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/oci.go	2021-02-12 10:38:48.768172416 +0100
-@@ -15,10 +15,12 @@ import (
- 	"syscall"
- 	"time"
- 
-+	"github.com/containers/libpod/pkg/lookup"
- 	"github.com/containers/libpod/pkg/rootless"
- 	"github.com/containers/libpod/pkg/util"
- 	"github.com/coreos/go-systemd/activation"
- 	"github.com/cri-o/ocicni/pkg/ocicni"
-+	"github.com/docker/docker/daemon/caps"
- 	spec "github.com/opencontainers/runtime-spec/specs-go"
- 	"github.com/opencontainers/selinux/go-selinux"
- 	"github.com/opencontainers/selinux/go-selinux/label"
-@@ -735,18 +737,23 @@ func (r *OCIRuntime) unpauseContainer(ct
- // TODO: Add --detach support
- // TODO: Convert to use conmon
- // TODO: add --pid-file and use that to generate exec session tracking
--func (r *OCIRuntime) execContainer(c *Container, cmd, capAdd, env []string, tty bool, cwd, user, sessionID string) (*exec.Cmd, error) {
-+func (r *OCIRuntime) execContainer(c *Container, cmd, env []string, tty bool, cwd, user, sessionID string, privileged bool) (*exec.Cmd, string, error) {
- 	if len(cmd) == 0 {
--		return nil, errors.Wrapf(ErrInvalidArg, "must provide a command to execute")
-+		return nil, "", errors.Wrapf(ErrInvalidArg, "must provide a command to execute")
- 	}
- 
- 	if sessionID == "" {
--		return nil, errors.Wrapf(ErrEmptyID, "must provide a session ID for exec")
-+		return nil, "", errors.Wrapf(ErrEmptyID, "must provide a session ID for exec")
- 	}
- 
- 	runtimeDir, err := util.GetRootlessRuntimeDir()
- 	if err != nil {
--		return nil, err
-+		return nil, "", err
-+	}
-+
-+	processFile, err := prepareProcessExec(c, cmd, env, tty, cwd, user, sessionID, privileged)
-+	if err != nil {
-+		return nil, "", err
- 	}
- 
- 	args := []string{}
-@@ -756,34 +763,14 @@ func (r *OCIRuntime) execContainer(c *Co
- 
- 	args = append(args, "exec")
- 
--	if cwd != "" {
--		args = append(args, "--cwd", cwd)
--	}
-+	args = append(args, "--process", processFile)
- 
- 	args = append(args, "--pid-file", c.execPidPath(sessionID))
- 
--	if tty {
--		args = append(args, "--tty")
--	} else {
--		args = append(args, "--tty=false")
--	}
--
--	if user != "" {
--		args = append(args, "--user", user)
--	}
--
- 	if c.config.Spec.Process.NoNewPrivileges {
- 		args = append(args, "--no-new-privs")
- 	}
- 
--	for _, cap := range capAdd {
--		args = append(args, "--cap", cap)
--	}
--
--	for _, envVar := range env {
--		args = append(args, "--env", envVar)
--	}
--
- 	// Append container ID and command
- 	args = append(args, c.ID())
- 	args = append(args, cmd...)
-@@ -797,10 +784,10 @@ func (r *OCIRuntime) execContainer(c *Co
- 	execCmd.Env = append(execCmd.Env, fmt.Sprintf("XDG_RUNTIME_DIR=%s", runtimeDir))
- 
- 	if err := execCmd.Start(); err != nil {
--		return nil, errors.Wrapf(err, "cannot start container %s", c.ID())
-+		return nil, "", errors.Wrapf(err, "cannot start container %s", c.ID())
- 	}
- 
--	return execCmd, nil
-+	return execCmd, processFile, nil
- }
- 
- // execStopContainer stops all active exec sessions in a container
-@@ -892,3 +879,110 @@ func (r *OCIRuntime) checkpointContainer
- 	args = append(args, ctr.ID())
- 	return utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, nil, r.path, args...)
- }
-+
-+// prepareProcessExec returns the path of the process.json used in runc exec -p.
-+// Returns path to the created exec process file. This will need to be removed
-+// by the caller when they're done, best effort.
-+func prepareProcessExec(c *Container, cmd, env []string, tty bool, cwd, user, sessionID string, privileged bool) (string, error) {
-+	filename := filepath.Join(c.bundlePath(), fmt.Sprintf("exec-process-%s", sessionID))
-+	f, err := os.OpenFile(filename, os.O_CREATE|os.O_WRONLY, 0600)
-+	if err != nil {
-+		return "", err
-+	}
-+	defer f.Close()
-+
-+	pspec := c.config.Spec.Process
-+	pspec.SelinuxLabel = c.config.ProcessLabel
-+	pspec.Args = cmd
-+	// We need to default this to false else it will inherit terminal as true
-+	// from the container.
-+	pspec.Terminal = false
-+	if tty {
-+		pspec.Terminal = true
-+	}
-+	if len(env) > 0 {
-+		pspec.Env = append(pspec.Env, env...)
-+	}
-+
-+	if cwd != "" {
-+		pspec.Cwd = cwd
-+
-+	}
-+
-+	var addGroups []string
-+	var sgids []uint32
-+
-+	// if the user is empty, we should inherit the user that the container is currently running with
-+	if user == "" {
-+		user = c.config.User
-+		addGroups = c.config.Groups
-+	}
-+
-+	execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, user, nil)
-+	if err != nil {
-+		return "", err
-+	}
-+
-+	if len(addGroups) > 0 {
-+		sgids, err = lookup.GetContainerGroups(addGroups, c.state.Mountpoint, nil)
-+		if err != nil {
-+			return "", errors.Wrapf(err, "error looking up supplemental groups for container %s exec session %s", c.ID(), sessionID)
-+		}
-+	}
-+
-+	// If user was set, look it up in the container to get a UID to use on
-+	// the host
-+	if user != "" || len(sgids) > 0 {
-+		if user != "" {
-+			for _, sgid := range execUser.Sgids {
-+				sgids = append(sgids, uint32(sgid))
-+			}
-+		}
-+		processUser := spec.User{
-+			UID:            uint32(execUser.Uid),
-+			GID:            uint32(execUser.Gid),
-+			AdditionalGids: sgids,
-+		}
-+
-+		pspec.User = processUser
-+	}
-+
-+	allCaps := caps.GetAllCapabilities()
-+	pspec.Capabilities.Effective = []string{}
-+	if privileged {
-+		pspec.Capabilities.Bounding = allCaps
-+	} else {
-+		pspec.Capabilities.Bounding = []string{}
-+	}
-+	pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding
-+	if execUser.Uid == 0 {
-+		pspec.Capabilities.Effective = pspec.Capabilities.Bounding
-+		pspec.Capabilities.Permitted = pspec.Capabilities.Bounding
-+		pspec.Capabilities.Ambient = pspec.Capabilities.Bounding
-+	} else {
-+		pspec.Capabilities.Permitted = pspec.Capabilities.Effective
-+		pspec.Capabilities.Ambient = pspec.Capabilities.Effective
-+	}
-+
-+	hasHomeSet := false
-+	for _, s := range pspec.Env {
-+		if strings.HasPrefix(s, "HOME=") {
-+			hasHomeSet = true
-+			break
-+		}
-+	}
-+	if !hasHomeSet {
-+		pspec.Env = append(pspec.Env, fmt.Sprintf("HOME=%s", execUser.Home))
-+	}
-+
-+	processJSON, err := json.Marshal(pspec)
-+	if err != nil {
-+		return "", err
-+	}
-+
-+	if err := ioutil.WriteFile(filename, processJSON, 0644); err != nil {
-+		return "", err
-+	}
-+
-+	return filename, nil
-+}
-diff -up libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/pkg/spec/spec.go.orig libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/pkg/spec/spec.go
---- libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/pkg/spec/spec.go.orig	2019-02-11 16:26:46.000000000 +0100
-+++ libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/pkg/spec/spec.go	2021-02-12 10:38:48.768172416 +0100
-@@ -325,6 +325,14 @@ func CreateConfigToOCISpec(config *Creat
- 		}
- 	} else {
- 		g.SetupPrivileged(true)
-+		if config.User != "" {
-+			user := strings.SplitN(config.User, ":", 2)[0]
-+			if user != "root" && user != "0" {
-+				g.Spec().Process.Capabilities.Effective = []string{}
-+				g.Spec().Process.Capabilities.Permitted = []string{}
-+				g.Spec().Process.Capabilities.Ambient = []string{}
-+			}
-+		}
- 	}
- 
- 	// HANDLE SECCOMP