From cba426a5adca7ed4829bccb9e347e8ec4eb2e628 Mon Sep 17 00:00:00 2001 From: tomsweeneyredhat Date: Fri, 25 Oct 2024 19:53:53 -0400 Subject: [PATCH] [v4.9] Bump Buildah to v1.33.11, fix CVE-2024-9676 Fixes CVE-2024-9676 in the Podman v4.9 release branch. [NO NEW TESTS NEEDED] Signed-off-by: tomsweeneyredhat --- go.mod | 8 +- go.sum | 16 ++-- .../github.com/containers/buildah/.cirrus.yml | 10 +- .../containers/buildah/CHANGELOG.md | 16 ++++ .../containers/buildah/changelog.txt | 13 +++ .../containers/buildah/define/types.go | 2 +- .../buildah/internal/volumes/volumes.go | 31 ++++++- .../common/pkg/subscriptions/subscriptions.go | 6 +- .../containers/common/version/version.go | 2 +- .../image/v5/docker/docker_image.go | 9 ++ .../containers/image/v5/version/version.go | 2 +- .../github.com/containers/storage/.cirrus.yml | 2 +- vendor/github.com/containers/storage/VERSION | 2 +- .../storage/drivers/overlay/overlay.go | 42 +++++++-- .../github.com/containers/storage/userns.go | 92 +++++++++++++------ .../containers/storage/userns_unsupported.go | 14 +++ vendor/modules.txt | 8 +- 17 files changed, 204 insertions(+), 71 deletions(-) create mode 100644 vendor/github.com/containers/storage/userns_unsupported.go diff --git a/go.mod b/go.mod index a84fbbb1b4..f7813bac96 100644 --- a/go.mod +++ b/go.mod 
@@ -11,15 +11,15 @@ require (
 github.com/checkpoint-restore/go-criu/v7 v7.0.0
 github.com/containernetworking/cni v1.1.2
 github.com/containernetworking/plugins v1.3.0
- github.com/containers/buildah v1.33.8
- github.com/containers/common v0.57.5
+ github.com/containers/buildah v1.33.11
+ github.com/containers/common v0.57.7
 github.com/containers/conmon v2.0.20+incompatible
 github.com/containers/gvisor-tap-vsock v0.7.2
- github.com/containers/image/v5 v5.29.3
+ github.com/containers/image/v5 v5.29.4
 github.com/containers/libhvee v0.5.0
 github.com/containers/ocicrypt v1.1.10
 github.com/containers/psgo v1.8.0
- github.com/containers/storage v1.51.0
+ github.com/containers/storage v1.51.2
 github.com/coreos/go-systemd/v22 v22.5.1-0.20231103132048-7d375ecc2b09
 github.com/coreos/stream-metadata-go v0.4.4
 github.com/crc-org/vfkit v0.1.2-0.20231030102423-f3c783d34420
diff --git a/go.sum b/go.sum
index 495035a32b..2ebae34d2a 100644
--- a/go.sum
+++ b/go.sum
@@ -258,16 +258,16 @@ github.com/containernetworking/plugins v0.8.6/go.mod h1:qnw5mN19D8fIwkqW7oHHYDHV
 github.com/containernetworking/plugins v0.9.1/go.mod h1:xP/idU2ldlzN6m4p5LmGiwRDjeJr6FLK6vuiUwoH7P8=
 github.com/containernetworking/plugins v1.3.0 h1:QVNXMT6XloyMUoO2wUOqWTC1hWFV62Q6mVDp5H1HnjM=
 github.com/containernetworking/plugins v1.3.0/go.mod h1:Pc2wcedTQQCVuROOOaLBPPxrEXqqXBFt3cZ+/yVg6l0=
-github.com/containers/buildah v1.33.8 h1:/IfJm5gTHwWshFdRHgLTHkoHNZY85B/xePkpOypBKUw=
-github.com/containers/buildah v1.33.8/go.mod h1:aS1MZukKW39pe/yeJ7sRq9Jf2Sl04uePugPIto6ItNo=
-github.com/containers/common v0.57.5 h1:EgIahxAeYpcE0JKl4A4Z2oEUseve1jt+lMuXIqYnalE=
-github.com/containers/common v0.57.5/go.mod h1:dRw+mJGANzTOJZSs+KfJzrSVNQ4zK0u46/MhLCUfzPY=
+github.com/containers/buildah v1.33.11 h1:WhEw4xD251utfeb3Huijb/yiTY62tqh8IzchcbnQ2rA=
+github.com/containers/buildah v1.33.11/go.mod h1:MtL+0XpZL5csljQDshjeQfvjzyTV0hgZsSoExmO3eu8=
+github.com/containers/common v0.57.7 h1:xA6/dXNbScnaytcFNQKTFGn6VDxwvDlCngJtfdGAf7g=
+github.com/containers/common v0.57.7/go.mod h1:GRtgIWNPc8zmo/vcA7VoZfLWpgQRH01/kzQbeNZH8WQ=
 github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
 github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
 github.com/containers/gvisor-tap-vsock v0.7.2 h1:6CyU5D85C0/DciRRd7W0bPljK4FAS+DPrrHEQMHfZKY=
 github.com/containers/gvisor-tap-vsock v0.7.2/go.mod h1:6NiTxh2GCVxZQLPzfuEB78/Osp2Usd9uf6nLdd6PiUY=
-github.com/containers/image/v5 v5.29.3 h1:RJHdxP+ZiC+loIFG2DTmjlVNWTS7o5jrdrRScUrY1VE=
-github.com/containers/image/v5 v5.29.3/go.mod h1:kQ7qcDsps424ZAz24thD+x7+dJw1vgur3A9tTDsj97E=
+github.com/containers/image/v5 v5.29.4 h1:EbYrwOscTvzeCXt4149OtU74T/ZuohEottcs/hz47O4=
+github.com/containers/image/v5 v5.29.4/go.mod h1:kQ7qcDsps424ZAz24thD+x7+dJw1vgur3A9tTDsj97E=
 github.com/containers/libhvee v0.5.0 h1:rDhfG2NI8Q+VgeXht2dXezanxEdpj9pHqYX3vWfOGUw=
 github.com/containers/libhvee 
v0.5.0/go.mod h1:yvU3Em2u1ZLl2VLd2glMIBWriBwfhWsDaRJsvixUIB0= github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 h1:Qzk5C6cYglewc+UyGf6lc8Mj2UaPTHy/iF2De0/77CA= @@ -282,8 +282,8 @@ github.com/containers/ocicrypt v1.1.10/go.mod h1:YfzSSr06PTHQwSTUKqDSjish9BeW1E4 github.com/containers/psgo v1.8.0 h1:2loGekmGAxM9ir5OsXWEfGwFxorMPYnc6gEDsGFQvhY= github.com/containers/psgo v1.8.0/go.mod h1:T8ZxnX3Ur4RvnhxFJ7t8xJ1F48RhiZB4rSrOaR/qGHc= github.com/containers/storage v1.43.0/go.mod h1:uZ147thiIFGdVTjMmIw19knttQnUCl3y9zjreHrg11s= -github.com/containers/storage v1.51.0 h1:AowbcpiWXzAjHosKz7MKvPEqpyX+ryZA/ZurytRrFNA= -github.com/containers/storage v1.51.0/go.mod h1:ybl8a3j1PPtpyaEi/5A6TOFs+5TrEyObeKJzVtkUlfc= +github.com/containers/storage v1.51.2 h1:Xw8p1AG1A+Nh6dCsb1UOB3YKF5uzlCkI3uAP4fsFup4= +github.com/containers/storage v1.51.2/go.mod h1:ybl8a3j1PPtpyaEi/5A6TOFs+5TrEyObeKJzVtkUlfc= github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/go-iptables v0.4.5/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU= diff --git a/vendor/github.com/containers/buildah/.cirrus.yml b/vendor/github.com/containers/buildah/.cirrus.yml index ac12d66b20..7c990085f7 100644 --- a/vendor/github.com/containers/buildah/.cirrus.yml +++ b/vendor/github.com/containers/buildah/.cirrus.yml @@ -137,15 +137,9 @@ cross_build_task: alias: cross_build only_if: >- $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*' - - osx_instance: - image: ghcr.io/cirruslabs/macos-ventura-base:latest - + env: + HOME: /root script: - - brew update - - brew install go - - brew install go-md2man - - brew install gpgme - go version - make cross CGO_ENABLED=0 diff --git a/vendor/github.com/containers/buildah/CHANGELOG.md b/vendor/github.com/containers/buildah/CHANGELOG.md index 6f8821722d..52e4324036 100644 --- a/vendor/github.com/containers/buildah/CHANGELOG.md 
+++ b/vendor/github.com/containers/buildah/CHANGELOG.md @@ -2,6 +2,22 @@ # Changelog +## v1.33.11 (2024-10-25) + + [release-1.33] Bump c/storage to v1.51.2, fixes CVE-2024-9676 + +## v1.33.10 (2024-10-17) + + [release-1.33] Properly validate cache IDs and sources + vendor: update c/common to v0.57.7 + [release-1.33] Bump to v1.33.9 + [release-1.33] Fixes Listing tags in JFrog Artifactory may fail + Cross-build on Fedora + +## v1.33.9 (2024-07-16) + + [release-1.33] Fixes Listing tags in JFrog Artifactory may fail + ## v1.33.8 (2024-05-17) [release-1.33] Bump c/image v5.29.3, c/common v0.57.5, CVE-2024-3727 diff --git a/vendor/github.com/containers/buildah/changelog.txt b/vendor/github.com/containers/buildah/changelog.txt index 3d903e04ab..e7b5fa46a7 100644 --- a/vendor/github.com/containers/buildah/changelog.txt +++ b/vendor/github.com/containers/buildah/changelog.txt @@ -1,3 +1,16 @@ +- Changelog for v1.33.11 (2024-10-25) + * [release-1.33] Bump c/storage to v1.51.2, fixes CVE-2024-9676 + +- Changelog for v1.33.10 (2024-10-17) + * [release-1.33] Properly validate cache IDs and sources + * vendor: update c/common to v0.57.7 + * [release-1.33] Bump to v1.33.9 + * [release-1.33] Fixes Listing tags in JFrog Artifactory may fail + * Cross-build on Fedora + +- Changelog for v1.33.9 (2024-07-16) + * [release-1.33] Fixes Listing tags in JFrog Artifactory may fail + - Changelog for v1.33.8 (2024-05-17) * [release-1.33] Bump c/image v5.29.3, c/common v0.57.5, CVE-2024-3727 * integration test: handle new labels in "bud and test --unsetlabel" diff --git a/vendor/github.com/containers/buildah/define/types.go b/vendor/github.com/containers/buildah/define/types.go index 583e0b81f3..0e1e96366a 100644 --- a/vendor/github.com/containers/buildah/define/types.go +++ b/vendor/github.com/containers/buildah/define/types.go 
@@ -29,7 +29,7 @@ const ( // identify working containers. Package = "buildah" // Version for the Package. Also used by .packit.sh for Packit builds. - Version = "1.33.8" + Version = "1.33.11" // DefaultRuntime if containers.conf fails. DefaultRuntime = "runc" diff --git a/vendor/github.com/containers/buildah/internal/volumes/volumes.go b/vendor/github.com/containers/buildah/internal/volumes/volumes.go index fd1ff7f985..f20b254ef7 100644 --- a/vendor/github.com/containers/buildah/internal/volumes/volumes.go +++ b/vendor/github.com/containers/buildah/internal/volumes/volumes.go @@ -23,6 +23,7 @@ import ( "github.com/containers/storage/pkg/idtools" "github.com/containers/storage/pkg/lockfile" "github.com/containers/storage/pkg/unshare" + digest "github.com/opencontainers/go-digest" specs "github.com/opencontainers/runtime-spec/specs-go" selinux "github.com/opencontainers/selinux/go-selinux" ) @@ -101,6 +102,12 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st if len(kv) == 1 { return newMount, "", fmt.Errorf("%v: %w", kv[0], errBadOptionArg) } + switch kv[1] { + default: + return newMount, "", fmt.Errorf("%v: %q: %w", kv[0], kv[1], errBadMntOption) + case "shared", "rshared", "private", "rprivate", "slave", "rslave": + // this should be the relevant parts of the same list of options we accepted above + } newMount.Options = append(newMount.Options, kv[1]) case "src", "source": if len(kv) == 1 { @@ -276,6 +283,12 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a if len(kv) == 1 { return newMount, nil, fmt.Errorf("%v: %w", kv[0], errBadOptionArg) } + switch kv[1] { + default: + return newMount, nil, fmt.Errorf("%v: %q: %w", kv[0], kv[1], errBadMntOption) + case "shared", "rshared", "private", "rprivate", "slave", "rslave": + // this should be the relevant parts of the same list of options we accepted above + } newMount.Options = append(newMount.Options, kv[1]) case "id": if len(kv) == 1 { 
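Review bot: The propagation whitelist `"shared", "rshared", "private", "rprivate", "slave", "rslave"` is now duplicated verbatim in the two `switch kv[1]` hunks here (GetBindMount and GetCacheMount), and the comment on each ("the relevant parts of the same list of options we accepted above") points at a third list that sits outside these hunks, so the copies can drift apart. A single package-level helper, e.g. `func isPropagationOption(s string) bool`, called from both sites and carrying the comment that names the list it mirrors, would keep them in lockstep. Placing `default:` ahead of the accepting `case` is legal Go but reads backwards; the accepting cases first and `default:` last is the conventional order. Both enclosing functions start and end outside these hunks.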
@@ -361,7 +374,11 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a return newMount, nil, fmt.Errorf("no stage found with name %s", fromStage) } // path should be /contextDir/specified path - newMount.Source = filepath.Join(mountPoint, filepath.Clean(string(filepath.Separator)+newMount.Source)) + evaluated, err := copier.Eval(mountPoint, string(filepath.Separator)+newMount.Source, copier.EvalOptions{}) + if err != nil { + return newMount, nil, err + } + newMount.Source = evaluated } else { // we need to create cache on host if no image is being used @@ -378,11 +395,15 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a } if id != "" { - newMount.Source = filepath.Join(cacheParent, filepath.Clean(id)) - buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(id)) + // Don't let the user control where we place the directory. + dirID := digest.FromString(id).Encoded()[:16] + newMount.Source = filepath.Join(cacheParent, dirID) + buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID) } else { - newMount.Source = filepath.Join(cacheParent, filepath.Clean(newMount.Destination)) - buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(newMount.Destination)) + // Don't let the user control where we place the directory. + dirID := digest.FromString(newMount.Destination).Encoded()[:16] + newMount.Source = filepath.Join(cacheParent, dirID) + buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID) } idPair := idtools.IDPair{ UID: uid, diff --git a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go index 6ba2154a77..d976329f75 100644 --- a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go +++ b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go 
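Review bot: In the `if id != ""` / `else` hunk the `dirID` derivation and the two `filepath.Join` calls are repeated verbatim in both branches; choosing the key first and deriving once is shorter and keeps the source and lockfile directories in sync: `key := id` / `if key == "" { key = newMount.Destination }` / `dirID := digest.FromString(key).Encoded()[:16]`. The `[:16]` truncation (16 hex characters, 64 bits of the SHA-256) has no comment; one line should say that this is a stable name that is no longer derived from the user-supplied path, and note that it presumably changes the on-disk cache layout so directories created under the old `filepath.Clean(id)` naming will not be reused. In the `copier.Eval` hunk above, the error is returned unwrapped; `fmt.Errorf("resolving %q in stage %q: %w", newMount.Source, fromStage, err)` would match the other messages in this function. GetCacheMount starts and ends outside these hunks.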
@@ -10,6 +10,7 @@ import ( "github.com/containers/common/pkg/umask" "github.com/containers/storage/pkg/idtools" + securejoin "github.com/cyphar/filepath-securejoin" rspec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/selinux/go-selinux/label" "github.com/sirupsen/logrus" @@ -345,7 +346,10 @@ func addFIPSModeSubscription(mounts *[]rspec.Mount, containerRunDir, mountPoint, srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS" destDir := "/etc/crypto-policies/back-ends" - srcOnHost := filepath.Join(mountPoint, srcBackendDir) + srcOnHost, err := securejoin.SecureJoin(mountPoint, srcBackendDir) + if err != nil { + return fmt.Errorf("resolve %s in the container: %w", srcBackendDir, err) + } if _, err := os.Stat(srcOnHost); err != nil { if errors.Is(err, os.ErrNotExist) { return nil diff --git a/vendor/github.com/containers/common/version/version.go b/vendor/github.com/containers/common/version/version.go index 9182b589f1..131d5bb4b4 100644 --- a/vendor/github.com/containers/common/version/version.go +++ b/vendor/github.com/containers/common/version/version.go @@ -1,4 +1,4 @@ package version // Version is the version of the build. -const Version = "0.57.5" +const Version = "0.57.7" diff --git a/vendor/github.com/containers/image/v5/docker/docker_image.go b/vendor/github.com/containers/image/v5/docker/docker_image.go index 4c80bb2b52..9741afc3f0 100644 --- a/vendor/github.com/containers/image/v5/docker/docker_image.go +++ b/vendor/github.com/containers/image/v5/docker/docker_image.go @@ -14,6 +14,7 @@ import ( "github.com/containers/image/v5/manifest" "github.com/containers/image/v5/types" "github.com/opencontainers/go-digest" + "github.com/sirupsen/logrus" ) // Image is a Docker-specific implementation of types.ImageCloser with a few extra methods 
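Review bot: `securejoin.SecureJoin(mountPoint, srcBackendDir)` resolves symlinks under the container root at the moment it is called; the `os.Stat(srcOnHost)` that follows, and whatever the rest of addFIPSModeSubscription (which continues past the hunk) does with `srcOnHost`, run afterwards, so the result is a point-in-time resolved path rather than a pinned handle. That is the right fix for the traversal and matches the approach the userns.go hunk in this same commit takes, but it deserves a comment on the assignment, e.g. `// Resolved against the container root when joined; the later Stat/mount of this path is not atomic with that check.`, so a future reader does not treat it as a pinned reference. For consistency with the other wrapped errors, the message could quote the path: `fmt.Errorf("resolve %q in the container: %w", srcBackendDir, err)`.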
@@ -90,6 +91,14 @@ func GetRepositoryTags(ctx context.Context, sys *types.SystemContext, ref types. } for _, tag := range tagsHolder.Tags { if _, err := reference.WithTag(dr.ref, tag); err != nil { // Ensure the tag does not contain unexpected values + // Per https://github.com/containers/skopeo/issues/2346 , unknown versions of JFrog Artifactory, + // contrary to the tag format specified in + // https://github.com/opencontainers/distribution-spec/blob/8a871c8234977df058f1a14e299fe0a673853da2/spec.md?plain=1#L160 , + // include digests in the list. + if _, err := digest.Parse(tag); err == nil { + logrus.Debugf("Ignoring invalid tag %q matching a digest format", tag) + continue + } return nil, fmt.Errorf("registry returned invalid tag %q: %w", tag, err) } tags = append(tags, tag) diff --git a/vendor/github.com/containers/image/v5/version/version.go b/vendor/github.com/containers/image/v5/version/version.go index 62d824b3eb..441e467068 100644 --- a/vendor/github.com/containers/image/v5/version/version.go +++ b/vendor/github.com/containers/image/v5/version/version.go @@ -8,7 +8,7 @@ const ( // VersionMinor is for functionality in a backwards-compatible manner VersionMinor = 29 // VersionPatch is for backwards-compatible bug fixes - VersionPatch = 3 + VersionPatch = 4 // VersionDev indicates development branch. Releases will be empty string. VersionDev = "" diff --git a/vendor/github.com/containers/storage/.cirrus.yml b/vendor/github.com/containers/storage/.cirrus.yml index c41dd5da2c..9e61509c27 100644 --- a/vendor/github.com/containers/storage/.cirrus.yml +++ b/vendor/github.com/containers/storage/.cirrus.yml @@ -119,7 +119,7 @@ lint_task: env: CIRRUS_WORKING_DIR: "/go/src/github.com/containers/storage" container: - image: golang + image: golang:1.19 modules_cache: fingerprint_script: cat go.sum folder: $GOPATH/pkg/mod diff --git a/vendor/github.com/containers/storage/VERSION b/vendor/github.com/containers/storage/VERSION index ba0a719118..aa618f0d56 100644 
--- a/vendor/github.com/containers/storage/VERSION +++ b/vendor/github.com/containers/storage/VERSION @@ -1 +1 @@ -1.51.0 +1.51.2 diff --git a/vendor/github.com/containers/storage/drivers/overlay/overlay.go b/vendor/github.com/containers/storage/drivers/overlay/overlay.go index 04ecf871fd..08532fbda6 100644 --- a/vendor/github.com/containers/storage/drivers/overlay/overlay.go +++ b/vendor/github.com/containers/storage/drivers/overlay/overlay.go @@ -1670,13 +1670,21 @@ func (d *Driver) get(id string, disableShifting bool, options graphdriver.MountO } if err := idtools.MkdirAllAs(diffDir, perms, rootUID, rootGID); err != nil { - return "", err + if !inAdditionalStore { + return "", err + } + // if it is in an additional store, do not fail if the directory already exists + if _, err2 := os.Stat(diffDir); err2 != nil { + return "", err + } } mergedDir := path.Join(workDirBase, "merged") - // Create the driver merged dir - if err := idtools.MkdirAs(mergedDir, 0o700, rootUID, rootGID); err != nil && !os.IsExist(err) { - return "", err + // Attempt to create the merged dir only if it doesn't exist. + if _, err := os.Stat(mergedDir); err != nil && os.IsNotExist(err) { + if err := idtools.MkdirAs(mergedDir, 0o700, rootUID, rootGID); err != nil && !os.IsExist(err) { + return "", err + } } if count := d.ctr.Increment(mergedDir); count > 1 { return mergedDir, nil @@ -1841,7 +1849,7 @@ func (d *Driver) get(id string, disableShifting bool, options graphdriver.MountO // Put unmounts the mount path created for the give id. func (d *Driver) Put(id string) error { - dir := d.dir(id) + dir, _, inAdditionalStore := d.dir2(id) if _, err := os.Stat(dir); err != nil { return err } 
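Review bot: In the `get` hunk the new guard `if _, err := os.Stat(mergedDir); err != nil && os.IsNotExist(err)` acts only on ENOENT, so any other Stat failure (EACCES, ELOOP, ENOTDIR) is silently dropped and the function goes on to `d.ctr.Increment(mergedDir)` and the mount, whereas the previous unconditional `MkdirAs` would have surfaced that error. Returning the non-ENOENT case keeps the old behaviour: `if _, err := os.Stat(mergedDir); err != nil {` / `if !os.IsNotExist(err) { return "", err }` / then the existing `MkdirAs` call inside the same block. In the `diffDir` branch above it, the re-check returns `err` rather than `err2`; that is reasonable since the MkdirAllAs error is the more informative one, but a two-word comment saying so would prevent a "fix". get starts and ends outside this hunk; the Put hunk on the same line switches to `d.dir2(id)` and discards its second result, which is fine as long as nothing later in Put needs it.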
@@ -1902,11 +1910,27 @@ func (d *Driver) Put(id string) error { } } - if err := unix.Rmdir(mountpoint); err != nil && !os.IsNotExist(err) { - logrus.Debugf("Failed to remove mountpoint %s overlay: %s - %v", id, mountpoint, err) - return fmt.Errorf("removing mount point %q: %w", mountpoint, err) - } + if !inAdditionalStore { + uid, gid := int(0), int(0) + fi, err := os.Stat(mountpoint) + if err != nil { + return err + } + if stat, ok := fi.Sys().(*syscall.Stat_t); ok { + uid, gid = int(stat.Uid), int(stat.Gid) + } + tmpMountpoint := path.Join(dir, "merged.1") + if err := idtools.MkdirAs(tmpMountpoint, 0o700, uid, gid); err != nil && !errors.Is(err, os.ErrExist) { + return err + } + // rename(2) can be used on an empty directory, as it is the mountpoint after umount, and it retains + // its atomic semantic. In this way the "merged" directory is never removed. + if err := unix.Rename(tmpMountpoint, mountpoint); err != nil { + logrus.Debugf("Failed to replace mountpoint %s overlay: %s - %v", id, mountpoint, err) + return fmt.Errorf("replacing mount point %q: %w", mountpoint, err) + } + } return nil } diff --git a/vendor/github.com/containers/storage/userns.go b/vendor/github.com/containers/storage/userns.go index 32ae830bea..2c855da7c6 100644 --- a/vendor/github.com/containers/storage/userns.go +++ b/vendor/github.com/containers/storage/userns.go @@ -1,18 +1,21 @@ +//go:build linux + package storage import ( "fmt" "os" "os/user" - "path/filepath" "strconv" drivers "github.com/containers/storage/drivers" "github.com/containers/storage/pkg/idtools" "github.com/containers/storage/pkg/unshare" "github.com/containers/storage/types" + securejoin "github.com/cyphar/filepath-securejoin" libcontainerUser "github.com/opencontainers/runc/libcontainer/user" "github.com/sirupsen/logrus" + "golang.org/x/sys/unix" ) // getAdditionalSubIDs looks up the additional IDs configured for 
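Review bot: The replacement of `unix.Rmdir(mountpoint)` with the `merged.1` rename is wrapped in `if !inAdditionalStore`, so for a layer in an additional store the mountpoint is now left untouched where it was previously removed; nothing in the hunk says why, and a comment such as `// Mountpoints of layers in an additional store are left in place (presumably because that store is not writable from here — confirm).` would stop the next reader from "restoring" the Rmdir. The `logrus.Debugf` immediately followed by returning the same failure wrapped with `%w` logs and returns one error; one of the two is enough. The enclosing Put starts outside this hunk.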
@@ -85,40 +88,59 @@ const nobodyUser = 65534 // parseMountedFiles returns the maximum UID and GID found in the /etc/passwd and // /etc/group files. func parseMountedFiles(containerMount, passwdFile, groupFile string) uint32 { + var ( + passwd *os.File + group *os.File + size int + err error + ) if passwdFile == "" { - passwdFile = filepath.Join(containerMount, "etc/passwd") - } - if groupFile == "" { - groupFile = filepath.Join(groupFile, "etc/group") + passwd, err = secureOpen(containerMount, "/etc/passwd") + } else { + // User-specified override from a volume. Will not be in + // container root. + passwd, err = os.Open(passwdFile) } - - size := 0 - - users, err := libcontainerUser.ParsePasswdFile(passwdFile) if err == nil { - for _, u := range users { - // Skip the "nobody" user otherwise we end up with 65536 - // ids with most images - if u.Name == "nobody" { - continue - } - if u.Uid > size && u.Uid != nobodyUser { - size = u.Uid - } - if u.Gid > size && u.Gid != nobodyUser { - size = u.Gid + defer passwd.Close() + + users, err := libcontainerUser.ParsePasswd(passwd) + if err == nil { + for _, u := range users { + // Skip the "nobody" user otherwise we end up with 65536 + // ids with most images + if u.Name == "nobody" || u.Name == "nogroup" { + continue + } + if u.Uid > size && u.Uid != nobodyUser { + size = u.Uid + 1 + } + if u.Gid > size && u.Gid != nobodyUser { + size = u.Gid + 1 + } } } } - groups, err := libcontainerUser.ParseGroupFile(groupFile) + if groupFile == "" { + group, err = secureOpen(containerMount, "/etc/group") + } else { + // User-specified override from a volume. Will not be in + // container root. 
+ group, err = os.Open(groupFile) + } if err == nil { - for _, g := range groups { - if g.Name == "nobody" { - continue - } - if g.Gid > size && g.Gid != nobodyUser { - size = g.Gid + defer group.Close() + + groups, err := libcontainerUser.ParseGroup(group) + if err == nil { + for _, g := range groups { + if g.Name == "nobody" || g.Name == "nogroup" { + continue + } + if g.Gid > size && g.Gid != nobodyUser { + size = g.Gid + 1 + } } } } @@ -309,3 +331,19 @@ func getAutoUserNSIDMappings( gidMap := append(availableGIDs.zip(requestedContainerGIDs), additionalGIDMappings...) return uidMap, gidMap, nil } + +// Securely open (read-only) a file in a container mount. +func secureOpen(containerMount, file string) (*os.File, error) { + filePath, err := securejoin.SecureJoin(containerMount, file) + if err != nil { + return nil, err + } + + flags := unix.O_PATH | unix.O_CLOEXEC | unix.O_RDONLY + fileHandle, err := os.OpenFile(filePath, flags, 0) + if err != nil { + return nil, err + } + + return fileHandle, nil +} diff --git a/vendor/github.com/containers/storage/userns_unsupported.go b/vendor/github.com/containers/storage/userns_unsupported.go new file mode 100644 index 0000000000..e37c18fe43 --- /dev/null +++ b/vendor/github.com/containers/storage/userns_unsupported.go @@ -0,0 +1,14 @@ +//go:build !linux + +package storage + +import ( + "errors" + + "github.com/containers/storage/pkg/idtools" + "github.com/containers/storage/types" +) + +func (s *store) getAutoUserNS(_ *types.AutoUserNsOptions, _ *Image, _ rwLayerStore, _ []roLayerStore) ([]idtools.IDMap, []idtools.IDMap, error) { + return nil, nil, errors.New("user namespaces are not supported on this platform") +} diff --git a/vendor/modules.txt b/vendor/modules.txt index d99eb4f521..75dc99e3db 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt 
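Review bot: secureOpen opens the file with `flags := unix.O_PATH | unix.O_CLOEXEC | unix.O_RDONLY`, but a descriptor obtained with O_PATH cannot be read (read(2) on it fails with EBADF), so `libcontainerUser.ParsePasswd(passwd)` and `ParseGroup(group)` in the parseMountedFiles hunk above (which starts on the previous line and ends here) presumably fail for every file opened through the container root; because both parse branches act only when `err == nil`, that failure is silent and `size` is left at 0, which makes the automatic user-namespace sizing degrade without any log line. Dropping O_PATH keeps the SecureJoin protection and restores parsing, and O_NOFOLLOW guards the final component against being swapped for a symlink between the join and the open: `flags := unix.O_RDONLY | unix.O_CLOEXEC | unix.O_NOFOLLOW`. The helper's comment should also say that SecureJoin resolves at join time and the open is not atomic with it, and a regression test asserting a non-zero size for a rootfs with an ordinary /etc/passwd would have caught this. This file is a vendored copy of containers/storage, so the fix belongs upstream with the vendored version bumped to include it.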
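Review bot: The new userns_unsupported.go stub provides only `getAutoUserNS` for `!linux`, while userns.go, now tagged `//go:build linux` in its first hunk on the previous line, also defines `getAdditionalSubIDs`, `parseMountedFiles`, `getAutoUserNSIDMappings`, `secureOpen` and the `nobodyUser` constant; if any of those is referenced from a file without the tag, non-Linux builds of the storage package break, and a vendor bump only exercises that if Podman's cross-build job covers those targets. Worth confirming with the cross-compile job before merging. The stub lacks a doc comment; `// getAutoUserNS is the non-Linux stub; user namespaces are only supported on Linux.` would match the rest of the package.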
@@ -147,7 +147,7 @@ github.com/containernetworking/cni/pkg/version
 # github.com/containernetworking/plugins v1.3.0
 ## explicit; go 1.20
 github.com/containernetworking/plugins/pkg/ns
-# github.com/containers/buildah v1.33.8
+# github.com/containers/buildah v1.33.11
 ## explicit; go 1.20
 github.com/containers/buildah
 github.com/containers/buildah/bind
@@ -176,7 +176,7 @@ github.com/containers/buildah/pkg/sshagent
 github.com/containers/buildah/pkg/util
 github.com/containers/buildah/pkg/volumes
 github.com/containers/buildah/util
-# github.com/containers/common v0.57.5
+# github.com/containers/common v0.57.7
 ## explicit; go 1.18
 github.com/containers/common/internal/attributedstring
 github.com/containers/common/libimage
@@ -243,7 +243,7 @@ github.com/containers/conmon/runner/config
 # github.com/containers/gvisor-tap-vsock v0.7.2
 ## explicit; go 1.20
 github.com/containers/gvisor-tap-vsock/pkg/types
-# github.com/containers/image/v5 v5.29.3
+# github.com/containers/image/v5 v5.29.4
 ## explicit; go 1.19
 github.com/containers/image/v5/copy
 github.com/containers/image/v5/directory
@@ -353,7 +353,7 @@ github.com/containers/psgo/internal/dev
 github.com/containers/psgo/internal/host
 github.com/containers/psgo/internal/proc
 github.com/containers/psgo/internal/process
-# github.com/containers/storage v1.51.0
+# github.com/containers/storage v1.51.2
 ## explicit; go 1.19
 github.com/containers/storage
 github.com/containers/storage/drivers