Skip to content
This repository has been archived by the owner on Jun 11, 2020. It is now read-only.

[17.06 backport] update libseccomp golang #13

Conversation

kolyshkin
Copy link

@kolyshkin kolyshkin commented Sep 5, 2019

This is a continuation of #12 with a few more commits on top, mostly trying to fix Travis CI and update Golang to 1.10+

closes #12

addresses ENGCORE-866
backport of opencontainers#1424 for 17.06

A bug in Seccomp filter handling was recently identified in Moby related to handling of syscall arguments in Seccomp filters (moby/moby#32714). The bug was in the libseccomp-golang bindings, and has been fixed there. This PR updates the bindings to include this fix, and provides integration tests to catch regressions in this behavior.

The minimum supported version of libseccomp is bumped from v2.1.0 to v2.2.0 by associated changes to the bindings. Support for v2.1.0 was never very good (some features had to be gated off because of a library bug), though it is still the version provided by a few major distributions. If this change is contentious, I can see about backing out the changes that require v2.2.0.

This fixes CVE-2017-18367 - Multiple syscall arguments were incorrectly combined with logical-OR, instead of logical-AND

mheon and others added 8 commits August 8, 2019 17:49
Syscall argument handling was bugged in previous releases.
Per-argument match rules were handled with OR logic when they
should have used AND logic. The updated version of the bindings
resolves this issue.

As a side effect, the minimum supported version of Libseccomp has
been raised from v2.1.0 to v2.2.0.

Signed-off-by: Matthew Heon <[email protected]>
(cherry picked from commit 03a5a74)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Matthew Heon <[email protected]>
(cherry picked from commit bbc847a)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Matthew Heon <[email protected]>
(cherry picked from commit 472fa3d)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
`tip` should point to 1.10 already ? (or soon-ish)

Signed-off-by: Vincent Demeester <[email protected]>
(cherry picked from commit ab0a6dd)
Signed-off-by: Kir Kolyshkin <[email protected]>
libapparmor is integrated in libcontainer using cgo but is only used to
call a single function: aa_change_onexec. It turns out this function is
simple enough (writing a string to a file in /proc/<n>/attr/...) to be
re-implemented locally in libcontainer in plain Go.

This allows to drop the dependency on libapparmor and the corresponding
cgo integration.

Fixes opencontainers#1674

Signed-off-by: Tobias Klauser <[email protected]>
(cherry picked from commit db093f6)
Signed-off-by: Kir Kolyshkin <[email protected]>

Conflicts:
- minor conflict in .travis.yml due to missing go get lines
Signed-off-by: Andrei Vagin <[email protected]>
(cherry picked from commit fe03957)
Signed-off-by: Kir Kolyshkin <[email protected]>
This also remove jessie-backport version of libseccomp and just use
stretch bundled version

Signed-off-by: Daniel Dao <[email protected]>
(cherry picked from commit 121c7b4)
Signed-off-by: Kir Kolyshkin <[email protected]>

Conflicts:
 - Dockerfile: minor conflict due to different go version (1.8.0 vs 1.8)
Signed-off-by: Harald Nordgren <[email protected]>
(cherry picked from commit 630fb5b)
Signed-off-by: Kir Kolyshkin <[email protected]>
@thaJeztah thaJeztah changed the title WIP [17.06 backport] update libseccomp golang [17.06 backport] update libseccomp golang Sep 5, 2019
Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@thaJeztah
Copy link
Member

All green! Let me merge this one

@thaJeztah thaJeztah merged commit c2bda4a into docker-archive:17.06 Sep 5, 2019
@kolyshkin
Copy link
Author

hooray

=== RUN   TestSeccompPermitWriteMultipleConditions
--- PASS: TestSeccompPermitWriteMultipleConditions (0.28s)
=== RUN   TestSeccompDenyWriteMultipleConditions
--- PASS: TestSeccompDenyWriteMultipleConditions (0.28s)

@kolyshkin kolyshkin deleted the 17.06_backport_update_libseccomp_golang branch April 21, 2020 08:50
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants