Skip to content
This repository was archived by the owner on Jun 11, 2020. It is now read-only.

[17.06 backport] update libseccomp golang#13

Merged
thaJeztah merged 8 commits intodocker-archive:17.06from
kolyshkin:17.06_backport_update_libseccomp_golang
Sep 5, 2019
Merged

[17.06 backport] update libseccomp golang#13
thaJeztah merged 8 commits intodocker-archive:17.06from
kolyshkin:17.06_backport_update_libseccomp_golang

Conversation

@kolyshkin
Copy link
Copy Markdown

@kolyshkin kolyshkin commented Sep 5, 2019
edited by thaJeztah
Loading

This is a continuation of #12 with a few more commits on top, mostly trying to fix Travis CI and update Golang to 1.10+

closes #12

addresses ENGCORE-866
backport of opencontainers#1424 for 17.06

A bug in Seccomp filter handling was recently identified in Moby related to handling of syscall arguments in Seccomp filters (moby/moby#32714). The bug was in the libseccomp-golang bindings, and has been fixed there. This PR updates the bindings to include this fix, and provides integration tests to catch regressions in this behavior.

The minimum supported version of libseccomp is bumped from v2.1.0 to v2.2.0 by associated changes to the bindings. Support for v2.1.0 was never very good (some features had to be gated off because of a library bug), though it is still the version provided by a few major distributions. If this change is contentious, I can see about backing out the changes that require v2.2.0.

This fixes CVE-2017-18367 - Multiple syscall arguments were incorrectly combined with logical-OR, instead of logical-AND

mheon and others added 8 commits August 8, 2019 17:49
@mheon @thaJeztah
Vendor updated libseccomp-golang for bugfix
4f30e9e 
Syscall argument handling was bugged in previous releases.
Per-argument match rules were handled with OR logic when they
should have used AND logic. The updated version of the bindings
resolves this issue.

As a side effect, the minimum supported version of Libseccomp has
been raised from v2.1.0 to v2.2.0.

Signed-off-by: Matthew Heon <mheon@redhat.com>
(cherry picked from commit 03a5a74)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@mheon @thaJeztah
Add integration tests for multi-argument Seccomp filters
aefd6c6 
Signed-off-by: Matthew Heon <mheon@redhat.com>
(cherry picked from commit bbc847a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@mheon @thaJeztah
Update Travis config to use trusty-backports libseccomp
98bf9c5 
Signed-off-by: Matthew Heon <mheon@redhat.com>
(cherry picked from commit 472fa3d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@vdemeester @kolyshkin
Add build 1.9 to travis
303f90e 
`tip` should point to 1.10 already ? (or soon-ish)

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
(cherry picked from commit ab0a6dd)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
@tklauser @kolyshkin
libcontainer: remove dependency on libapparmor
c76745c 
libapparmor is integrated in libcontainer using cgo but is only used to
call a single function: aa_change_onexec. It turns out this function is
simple enough (writing a string to a file in /proc/<n>/attr/...) to be
re-implemented locally in libcontainer in plain Go.

This allows to drop the dependency on libapparmor and the corresponding
cgo integration.

Fixes opencontainers#1674

Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
(cherry picked from commit db093f6)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Conflicts:
- minor conflict in .travis.yml due to missing go get lines
@avagin @kolyshkin
Dockerfile: use CRIU 2.12 for tests
7b57883 
Signed-off-by: Andrei Vagin <avagin@virtuozzo.com>
(cherry picked from commit fe03957)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
@dqminh @kolyshkin
upgrade to go 1.10 with debian stretch
0231d6a 
This also remove jessie-backport version of libseccomp and just use
stretch bundled version

Signed-off-by: Daniel Dao <dqminh89@gmail.com>
(cherry picked from commit 121c7b4)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Conflicts:
 - Dockerfile: minor conflict due to different go version (1.8.0 vs 1.8)
@HaraldNordgren @kolyshkin
Bump Travis versions
a6b4b0c 
Signed-off-by: Harald Nordgren <haraldnordgren@gmail.com>
(cherry picked from commit 630fb5b)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
@thaJeztah thaJeztah changed the title WIP [17.06 backport] update libseccomp golang [17.06 backport] update libseccomp golang Sep 5, 2019
thaJeztah
thaJeztah approved these changes Sep 5, 2019
View reviewed changes
Copy link
Copy Markdown
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@thaJeztah
Copy link
Copy Markdown
Member

thaJeztah commented Sep 5, 2019

All green! Let me merge this one

@thaJeztah thaJeztah merged commit c2bda4a into docker-archive:17.06 Sep 5, 2019
@kolyshkin
Copy link
Copy Markdown
Author

kolyshkin commented Sep 5, 2019

hooray

=== RUN   TestSeccompPermitWriteMultipleConditions
--- PASS: TestSeccompPermitWriteMultipleConditions (0.28s)
=== RUN   TestSeccompDenyWriteMultipleConditions
--- PASS: TestSeccompDenyWriteMultipleConditions (0.28s)

@kolyshkin kolyshkin deleted the 17.06_backport_update_libseccomp_golang branch April 21, 2020 08:50
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

1 more reviewer

@thaJeztah thaJeztah thaJeztah approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

8 participants

@kolyshkin @thaJeztah @mheon @vdemeester @tklauser @avagin @dqminh @HaraldNordgren