* [kirkstone][PATCH v2] podman: Patch for CVE-2022-27649
@ 2022-08-26 11:33 Andrei Gherzan
2022-08-30 9:29 ` Andrei Gherzan
2022-08-31 1:47 ` Bruce Ashfield
0 siblings, 2 replies; 6+ messages in thread
From: Andrei Gherzan @ 2022-08-26 11:33 UTC (permalink / raw)
To: meta-virtualization; +Cc: andrei, Andrei Gherzan
From: Andrei Gherzan <andrei.gherzan@huawei.com>
Signed-off-by: Andrei Gherzan <andrei.gherzan@huawei.com>
---
.../podman/podman/CVE-2022-27649.patch | 106 ++++++++++++++++++
recipes-containers/podman/podman_git.bb | 3 +-
2 files changed, 108 insertions(+), 1 deletion(-)
create mode 100644 recipes-containers/podman/podman/CVE-2022-27649.patch
diff --git a/recipes-containers/podman/podman/CVE-2022-27649.patch b/recipes-containers/podman/podman/CVE-2022-27649.patch
new file mode 100644
index 0000000..cb786ad
--- /dev/null
+++ b/recipes-containers/podman/podman/CVE-2022-27649.patch
@@ -0,0 +1,106 @@
+From aafa80918a245edcbdaceb1191d749570f1872d0 Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano <gscrivan@redhat.com>
+Date: Mon, 28 Feb 2022 09:48:52 +0100
+Subject: [PATCH] do not set the inheritable capabilities
+
+The kernel never sets the inheritable capabilities for a process, they
+are only set by userspace. Emulate the same behavior.
+
+CVE: CVE-2022-27649
+Upstream-Status: Backport [https://github.com/containers/podman/commit/aafa80918a245edcbdaceb1191d749570f1872d0]
+Signed-off-by: Andrei Gherzan <andrei.gherzan@huawei.com>
+---
+ libpod/oci_conmon_exec_linux.go | 7 +++++--
+ pkg/specgen/generate/security.go | 7 +++++--
+ test/e2e/run_test.go | 6 +++---
+ 3 files changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/libpod/oci_conmon_exec_linux.go b/libpod/oci_conmon_exec_linux.go
+index aa970bbde28..65123b37e6a 100644
+--- a/libpod/oci_conmon_exec_linux.go
++++ b/libpod/oci_conmon_exec_linux.go
+@@ -758,11 +758,14 @@ func prepareProcessExec(c *Container, options *ExecOptions, env []string, sessio
+ } else {
+ pspec.Capabilities.Bounding = ctrSpec.Process.Capabilities.Bounding
+ }
++
++ // Always unset the inheritable capabilities similarly to what the Linux kernel does
++ // They are used only when using capabilities with uid != 0.
++ pspec.Capabilities.Inheritable = []string{}
++
+ if execUser.Uid == 0 {
+ pspec.Capabilities.Effective = pspec.Capabilities.Bounding
+- pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding
+ pspec.Capabilities.Permitted = pspec.Capabilities.Bounding
+- pspec.Capabilities.Ambient = pspec.Capabilities.Bounding
+ } else {
+ if user == c.config.User {
+ pspec.Capabilities.Effective = ctrSpec.Process.Capabilities.Effective
+diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
+index 9c67099054f..988c2983267 100644
+--- a/pkg/specgen/generate/security.go
++++ b/pkg/specgen/generate/security.go
+@@ -146,6 +146,10 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
+
+ configSpec := g.Config
+ configSpec.Process.Capabilities.Ambient = []string{}
++
++ // Always unset the inheritable capabilities similarly to what the Linux kernel does
++ // They are used only when using capabilities with uid != 0.
++ configSpec.Process.Capabilities.Inheritable = []string{}
+ configSpec.Process.Capabilities.Bounding = caplist
+
+ user := strings.Split(s.User, ":")[0]
+@@ -153,7 +157,6 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
+ if (user == "" && s.UserNS.NSMode != specgen.KeepID) || user == "root" || user == "0" {
+ configSpec.Process.Capabilities.Effective = caplist
+ configSpec.Process.Capabilities.Permitted = caplist
+- configSpec.Process.Capabilities.Inheritable = caplist
+ } else {
+ mergedCaps, err := capabilities.MergeCapabilities(nil, s.CapAdd, nil)
+ if err != nil {
+@@ -175,12 +178,12 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
+ }
+ configSpec.Process.Capabilities.Effective = userCaps
+ configSpec.Process.Capabilities.Permitted = userCaps
+- configSpec.Process.Capabilities.Inheritable = userCaps
+
+ // Ambient capabilities were added to Linux 4.3. Set ambient
+ // capabilities only when the kernel supports them.
+ if supportAmbientCapabilities() {
+ configSpec.Process.Capabilities.Ambient = userCaps
++ configSpec.Process.Capabilities.Inheritable = userCaps
+ }
+ }
+
+diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
+index 91a2eddadf6..f4a6e573355 100644
+--- a/test/e2e/run_test.go
++++ b/test/e2e/run_test.go
+@@ -498,7 +498,7 @@ var _ = Describe("Podman run", func() {
+ session = podmanTest.Podman([]string{"run", "--rm", "--user", "root", ALPINE, "grep", "CapInh", "/proc/self/status"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+- Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
++ Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
+
+ session = podmanTest.Podman([]string{"run", "--rm", ALPINE, "grep", "CapBnd", "/proc/self/status"})
+ session.WaitWithDefaultTimeout()
+@@ -533,7 +533,7 @@ var _ = Describe("Podman run", func() {
+ session = podmanTest.Podman([]string{"run", "--user=0:0", "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+- Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
++ Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
+
+ if os.Geteuid() > 0 {
+ if os.Getenv("SKIP_USERNS") != "" {
+@@ -550,7 +550,7 @@ var _ = Describe("Podman run", func() {
+ session = podmanTest.Podman([]string{"run", "--userns=keep-id", "--privileged", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+- Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
++ Expect(session.OutputToString()).To(ContainSubstring("0000000000000002"))
+
+ session = podmanTest.Podman([]string{"run", "--userns=keep-id", "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"})
+ session.WaitWithDefaultTimeout()
diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb
index aedb988..65e0205 100644
--- a/recipes-containers/podman/podman_git.bb
+++ b/recipes-containers/podman/podman_git.bb
@@ -22,7 +22,8 @@ SRC_URI = " \
git://github.com/containers/libpod.git;branch=v4.0;protocol=https \
file://0001-Rename-BUILDFLAGS-to-GOBUILDFLAGS.patch;patchdir=src/import \
file://0002-Define-ActKillThread-equal-to-ActKill.patch;patchdir=src/import/vendor/github.com/seccomp/libseccomp-golang \
- ${@bb.utils.contains('PACKAGECONFIG', 'rootless', 'file://50-podman-rootless.conf', '', d)} \
+ file://CVE-2022-27649.patch;patchdir=src/import \
+ ${@bb.utils.contains('PACKAGECONFIG', 'rootless', 'file://00-podman-rootless.conf', '', d)} \
"
LICENSE = "Apache-2.0"
--
2.25.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [kirkstone][PATCH v2] podman: Patch for CVE-2022-27649
2022-08-26 11:33 [kirkstone][PATCH v2] podman: Patch for CVE-2022-27649 Andrei Gherzan
@ 2022-08-30 9:29 ` Andrei Gherzan
2022-08-30 13:11 ` [meta-virtualization] " Bruce Ashfield
2022-08-31 1:47 ` Bruce Ashfield
1 sibling, 1 reply; 6+ messages in thread
From: Andrei Gherzan @ 2022-08-30 9:29 UTC (permalink / raw)
To: meta-virtualization
On Fri, 26 Aug 2022, at 12:33, Andrei Gherzan wrote:
> From: Andrei Gherzan <andrei.gherzan@huawei.com>
>
> Signed-off-by: Andrei Gherzan <andrei.gherzan@huawei.com>
> ---
> .../podman/podman/CVE-2022-27649.patch | 106 ++++++++++++++++++
> recipes-containers/podman/podman_git.bb | 3 +-
> 2 files changed, 108 insertions(+), 1 deletion(-)
> create mode 100644 recipes-containers/podman/podman/CVE-2022-27649.patch
>
> diff --git a/recipes-containers/podman/podman/CVE-2022-27649.patch
> b/recipes-containers/podman/podman/CVE-2022-27649.patch
> new file mode 100644
> index 0000000..cb786ad
> --- /dev/null
> +++ b/recipes-containers/podman/podman/CVE-2022-27649.patch
> @@ -0,0 +1,106 @@
> +From aafa80918a245edcbdaceb1191d749570f1872d0 Mon Sep 17 00:00:00 2001
> +From: Giuseppe Scrivano <gscrivan@redhat.com>
> +Date: Mon, 28 Feb 2022 09:48:52 +0100
> +Subject: [PATCH] do not set the inheritable capabilities
> +
> +The kernel never sets the inheritable capabilities for a process, they
> +are only set by userspace. Emulate the same behavior.
> +
> +CVE: CVE-2022-27649
> +Upstream-Status: Backport
> [https://github.com/containers/podman/commit/aafa80918a245edcbdaceb1191d749570f1872d0]
> +Signed-off-by: Andrei Gherzan <andrei.gherzan@huawei.com>
> +---
> + libpod/oci_conmon_exec_linux.go | 7 +++++--
> + pkg/specgen/generate/security.go | 7 +++++--
> + test/e2e/run_test.go | 6 +++---
> + 3 files changed, 13 insertions(+), 7 deletions(-)
> +
> +diff --git a/libpod/oci_conmon_exec_linux.go
> b/libpod/oci_conmon_exec_linux.go
> +index aa970bbde28..65123b37e6a 100644
> +--- a/libpod/oci_conmon_exec_linux.go
> ++++ b/libpod/oci_conmon_exec_linux.go
> +@@ -758,11 +758,14 @@ func prepareProcessExec(c *Container, options
> *ExecOptions, env []string, sessio
> + } else {
> + pspec.Capabilities.Bounding = ctrSpec.Process.Capabilities.Bounding
> + }
> ++
> ++ // Always unset the inheritable capabilities similarly to what the
> Linux kernel does
> ++ // They are used only when using capabilities with uid != 0.
> ++ pspec.Capabilities.Inheritable = []string{}
> ++
> + if execUser.Uid == 0 {
> + pspec.Capabilities.Effective = pspec.Capabilities.Bounding
> +- pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding
> + pspec.Capabilities.Permitted = pspec.Capabilities.Bounding
> +- pspec.Capabilities.Ambient = pspec.Capabilities.Bounding
> + } else {
> + if user == c.config.User {
> + pspec.Capabilities.Effective =
> ctrSpec.Process.Capabilities.Effective
> +diff --git a/pkg/specgen/generate/security.go
> b/pkg/specgen/generate/security.go
> +index 9c67099054f..988c2983267 100644
> +--- a/pkg/specgen/generate/security.go
> ++++ b/pkg/specgen/generate/security.go
> +@@ -146,6 +146,10 @@ func securityConfigureGenerator(s
> *specgen.SpecGenerator, g *generate.Generator,
> +
> + configSpec := g.Config
> + configSpec.Process.Capabilities.Ambient = []string{}
> ++
> ++ // Always unset the inheritable capabilities similarly to what the
> Linux kernel does
> ++ // They are used only when using capabilities with uid != 0.
> ++ configSpec.Process.Capabilities.Inheritable = []string{}
> + configSpec.Process.Capabilities.Bounding = caplist
> +
> + user := strings.Split(s.User, ":")[0]
> +@@ -153,7 +157,6 @@ func securityConfigureGenerator(s
> *specgen.SpecGenerator, g *generate.Generator,
> + if (user == "" && s.UserNS.NSMode != specgen.KeepID) || user ==
> "root" || user == "0" {
> + configSpec.Process.Capabilities.Effective = caplist
> + configSpec.Process.Capabilities.Permitted = caplist
> +- configSpec.Process.Capabilities.Inheritable = caplist
> + } else {
> + mergedCaps, err := capabilities.MergeCapabilities(nil, s.CapAdd,
> nil)
> + if err != nil {
> +@@ -175,12 +178,12 @@ func securityConfigureGenerator(s
> *specgen.SpecGenerator, g *generate.Generator,
> + }
> + configSpec.Process.Capabilities.Effective = userCaps
> + configSpec.Process.Capabilities.Permitted = userCaps
> +- configSpec.Process.Capabilities.Inheritable = userCaps
> +
> + // Ambient capabilities were added to Linux 4.3. Set ambient
> + // capabilities only when the kernel supports them.
> + if supportAmbientCapabilities() {
> + configSpec.Process.Capabilities.Ambient = userCaps
> ++ configSpec.Process.Capabilities.Inheritable = userCaps
> + }
> + }
> +
> +diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
> +index 91a2eddadf6..f4a6e573355 100644
> +--- a/test/e2e/run_test.go
> ++++ b/test/e2e/run_test.go
> +@@ -498,7 +498,7 @@ var _ = Describe("Podman run", func() {
> + session = podmanTest.Podman([]string{"run", "--rm", "--user",
> "root", ALPINE, "grep", "CapInh", "/proc/self/status"})
> + session.WaitWithDefaultTimeout()
> + Expect(session).Should(Exit(0))
> +- Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
> ++ Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
> +
> + session = podmanTest.Podman([]string{"run", "--rm", ALPINE, "grep",
> "CapBnd", "/proc/self/status"})
> + session.WaitWithDefaultTimeout()
> +@@ -533,7 +533,7 @@ var _ = Describe("Podman run", func() {
> + session = podmanTest.Podman([]string{"run", "--user=0:0",
> "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh",
> "/proc/self/status"})
> + session.WaitWithDefaultTimeout()
> + Expect(session).Should(Exit(0))
> +- Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
> ++ Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
> +
> + if os.Geteuid() > 0 {
> + if os.Getenv("SKIP_USERNS") != "" {
> +@@ -550,7 +550,7 @@ var _ = Describe("Podman run", func() {
> + session = podmanTest.Podman([]string{"run", "--userns=keep-id",
> "--privileged", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"})
> + session.WaitWithDefaultTimeout()
> + Expect(session).Should(Exit(0))
> +- Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
> ++ Expect(session.OutputToString()).To(ContainSubstring("0000000000000002"))
> +
> + session = podmanTest.Podman([]string{"run", "--userns=keep-id",
> "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh",
> "/proc/self/status"})
> + session.WaitWithDefaultTimeout()
> diff --git a/recipes-containers/podman/podman_git.bb
> b/recipes-containers/podman/podman_git.bb
> index aedb988..65e0205 100644
> --- a/recipes-containers/podman/podman_git.bb
> +++ b/recipes-containers/podman/podman_git.bb
> @@ -22,7 +22,8 @@ SRC_URI = " \
> git://github.com/containers/libpod.git;branch=v4.0;protocol=https \
>
> file://0001-Rename-BUILDFLAGS-to-GOBUILDFLAGS.patch;patchdir=src/import
> \
>
> file://0002-Define-ActKillThread-equal-to-ActKill.patch;patchdir=src/import/vendor/github.com/seccomp/libseccomp-golang
> \
> - ${@bb.utils.contains('PACKAGECONFIG', 'rootless',
> 'file://50-podman-rootless.conf', '', d)} \
> + file://CVE-2022-27649.patch;patchdir=src/import \
> + ${@bb.utils.contains('PACKAGECONFIG', 'rootless',
> 'file://00-podman-rootless.conf', '', d)} \
> "
>
> LICENSE = "Apache-2.0"
> --
> 2.25.1
Small reminder on this patch.
Thanks,
Andrei
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [meta-virtualization] [kirkstone][PATCH v2] podman: Patch for CVE-2022-27649
2022-08-30 9:29 ` Andrei Gherzan
@ 2022-08-30 13:11 ` Bruce Ashfield
2022-08-30 13:14 ` Andrei Gherzan
0 siblings, 1 reply; 6+ messages in thread
From: Bruce Ashfield @ 2022-08-30 13:11 UTC (permalink / raw)
To: Andrei Gherzan; +Cc: meta-virtualization
On Tue, Aug 30, 2022 at 6:29 AM Andrei Gherzan <andrei@gherzan.com> wrote:
>
> On Fri, 26 Aug 2022, at 12:33, Andrei Gherzan wrote:
> > From: Andrei Gherzan <andrei.gherzan@huawei.com>
> >
> > Signed-off-by: Andrei Gherzan <andrei.gherzan@huawei.com>
> > ---
> > .../podman/podman/CVE-2022-27649.patch | 106 ++++++++++++++++++
> > recipes-containers/podman/podman_git.bb | 3 +-
> > 2 files changed, 108 insertions(+), 1 deletion(-)
> > create mode 100644 recipes-containers/podman/podman/CVE-2022-27649.patch
> >
> > diff --git a/recipes-containers/podman/podman/CVE-2022-27649.patch
> > b/recipes-containers/podman/podman/CVE-2022-27649.patch
> > new file mode 100644
> > index 0000000..cb786ad
> > --- /dev/null
> > +++ b/recipes-containers/podman/podman/CVE-2022-27649.patch
> > @@ -0,0 +1,106 @@
> > +From aafa80918a245edcbdaceb1191d749570f1872d0 Mon Sep 17 00:00:00 2001
> > +From: Giuseppe Scrivano <gscrivan@redhat.com>
> > +Date: Mon, 28 Feb 2022 09:48:52 +0100
> > +Subject: [PATCH] do not set the inheritable capabilities
> > +
> > +The kernel never sets the inheritable capabilities for a process, they
> > +are only set by userspace. Emulate the same behavior.
> > +
> > +CVE: CVE-2022-27649
> > +Upstream-Status: Backport
> > [https://github.com/containers/podman/commit/aafa80918a245edcbdaceb1191d749570f1872d0]
> > +Signed-off-by: Andrei Gherzan <andrei.gherzan@huawei.com>
> > +---
> > + libpod/oci_conmon_exec_linux.go | 7 +++++--
> > + pkg/specgen/generate/security.go | 7 +++++--
> > + test/e2e/run_test.go | 6 +++---
> > + 3 files changed, 13 insertions(+), 7 deletions(-)
> > +
> > +diff --git a/libpod/oci_conmon_exec_linux.go
> > b/libpod/oci_conmon_exec_linux.go
> > +index aa970bbde28..65123b37e6a 100644
> > +--- a/libpod/oci_conmon_exec_linux.go
> > ++++ b/libpod/oci_conmon_exec_linux.go
> > +@@ -758,11 +758,14 @@ func prepareProcessExec(c *Container, options
> > *ExecOptions, env []string, sessio
> > + } else {
> > + pspec.Capabilities.Bounding = ctrSpec.Process.Capabilities.Bounding
> > + }
> > ++
> > ++ // Always unset the inheritable capabilities similarly to what the
> > Linux kernel does
> > ++ // They are used only when using capabilities with uid != 0.
> > ++ pspec.Capabilities.Inheritable = []string{}
> > ++
> > + if execUser.Uid == 0 {
> > + pspec.Capabilities.Effective = pspec.Capabilities.Bounding
> > +- pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding
> > + pspec.Capabilities.Permitted = pspec.Capabilities.Bounding
> > +- pspec.Capabilities.Ambient = pspec.Capabilities.Bounding
> > + } else {
> > + if user == c.config.User {
> > + pspec.Capabilities.Effective =
> > ctrSpec.Process.Capabilities.Effective
> > +diff --git a/pkg/specgen/generate/security.go
> > b/pkg/specgen/generate/security.go
> > +index 9c67099054f..988c2983267 100644
> > +--- a/pkg/specgen/generate/security.go
> > ++++ b/pkg/specgen/generate/security.go
> > +@@ -146,6 +146,10 @@ func securityConfigureGenerator(s
> > *specgen.SpecGenerator, g *generate.Generator,
> > +
> > + configSpec := g.Config
> > + configSpec.Process.Capabilities.Ambient = []string{}
> > ++
> > ++ // Always unset the inheritable capabilities similarly to what the
> > Linux kernel does
> > ++ // They are used only when using capabilities with uid != 0.
> > ++ configSpec.Process.Capabilities.Inheritable = []string{}
> > + configSpec.Process.Capabilities.Bounding = caplist
> > +
> > + user := strings.Split(s.User, ":")[0]
> > +@@ -153,7 +157,6 @@ func securityConfigureGenerator(s
> > *specgen.SpecGenerator, g *generate.Generator,
> > + if (user == "" && s.UserNS.NSMode != specgen.KeepID) || user ==
> > "root" || user == "0" {
> > + configSpec.Process.Capabilities.Effective = caplist
> > + configSpec.Process.Capabilities.Permitted = caplist
> > +- configSpec.Process.Capabilities.Inheritable = caplist
> > + } else {
> > + mergedCaps, err := capabilities.MergeCapabilities(nil, s.CapAdd,
> > nil)
> > + if err != nil {
> > +@@ -175,12 +178,12 @@ func securityConfigureGenerator(s
> > *specgen.SpecGenerator, g *generate.Generator,
> > + }
> > + configSpec.Process.Capabilities.Effective = userCaps
> > + configSpec.Process.Capabilities.Permitted = userCaps
> > +- configSpec.Process.Capabilities.Inheritable = userCaps
> > +
> > + // Ambient capabilities were added to Linux 4.3. Set ambient
> > + // capabilities only when the kernel supports them.
> > + if supportAmbientCapabilities() {
> > + configSpec.Process.Capabilities.Ambient = userCaps
> > ++ configSpec.Process.Capabilities.Inheritable = userCaps
> > + }
> > + }
> > +
> > +diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
> > +index 91a2eddadf6..f4a6e573355 100644
> > +--- a/test/e2e/run_test.go
> > ++++ b/test/e2e/run_test.go
> > +@@ -498,7 +498,7 @@ var _ = Describe("Podman run", func() {
> > + session = podmanTest.Podman([]string{"run", "--rm", "--user",
> > "root", ALPINE, "grep", "CapInh", "/proc/self/status"})
> > + session.WaitWithDefaultTimeout()
> > + Expect(session).Should(Exit(0))
> > +- Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
> > ++ Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
> > +
> > + session = podmanTest.Podman([]string{"run", "--rm", ALPINE, "grep",
> > "CapBnd", "/proc/self/status"})
> > + session.WaitWithDefaultTimeout()
> > +@@ -533,7 +533,7 @@ var _ = Describe("Podman run", func() {
> > + session = podmanTest.Podman([]string{"run", "--user=0:0",
> > "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh",
> > "/proc/self/status"})
> > + session.WaitWithDefaultTimeout()
> > + Expect(session).Should(Exit(0))
> > +- Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
> > ++ Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
> > +
> > + if os.Geteuid() > 0 {
> > + if os.Getenv("SKIP_USERNS") != "" {
> > +@@ -550,7 +550,7 @@ var _ = Describe("Podman run", func() {
> > + session = podmanTest.Podman([]string{"run", "--userns=keep-id",
> > "--privileged", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"})
> > + session.WaitWithDefaultTimeout()
> > + Expect(session).Should(Exit(0))
> > +- Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
> > ++ Expect(session.OutputToString()).To(ContainSubstring("0000000000000002"))
> > +
> > + session = podmanTest.Podman([]string{"run", "--userns=keep-id",
> > "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh",
> > "/proc/self/status"})
> > + session.WaitWithDefaultTimeout()
> > diff --git a/recipes-containers/podman/podman_git.bb
> > b/recipes-containers/podman/podman_git.bb
> > index aedb988..65e0205 100644
> > --- a/recipes-containers/podman/podman_git.bb
> > +++ b/recipes-containers/podman/podman_git.bb
> > @@ -22,7 +22,8 @@ SRC_URI = " \
> > git://github.com/containers/libpod.git;branch=v4.0;protocol=https \
> >
> > file://0001-Rename-BUILDFLAGS-to-GOBUILDFLAGS.patch;patchdir=src/import
> > \
> >
> > file://0002-Define-ActKillThread-equal-to-ActKill.patch;patchdir=src/import/vendor/github.com/seccomp/libseccomp-golang
> > \
> > - ${@bb.utils.contains('PACKAGECONFIG', 'rootless',
> > 'file://50-podman-rootless.conf', '', d)} \
> > + file://CVE-2022-27649.patch;patchdir=src/import \
> > + ${@bb.utils.contains('PACKAGECONFIG', 'rootless',
> > 'file://00-podman-rootless.conf', '', d)} \
> > "
> >
> > LICENSE = "Apache-2.0"
> > --
> > 2.25.1
>
> Small reminder on this patch.
I'm on holidays all this week, and my build machines have gone
offline. If I can't restore access, it will be next week before I can
get to merges.
Bruce
>
> Thanks,
> Andrei
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#7581): https://lists.yoctoproject.org/g/meta-virtualization/message/7581
> Mute This Topic: https://lists.yoctoproject.org/mt/93267827/1050810
> Group Owner: meta-virtualization+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [meta-virtualization] [kirkstone][PATCH v2] podman: Patch for CVE-2022-27649
2022-08-30 13:11 ` [meta-virtualization] " Bruce Ashfield
@ 2022-08-30 13:14 ` Andrei Gherzan
0 siblings, 0 replies; 6+ messages in thread
From: Andrei Gherzan @ 2022-08-30 13:14 UTC (permalink / raw)
To: Bruce Ashfield; +Cc: meta-virtualization
On Tue, 30 Aug 2022, at 14:11, Bruce Ashfield wrote:
> On Tue, Aug 30, 2022 at 6:29 AM Andrei Gherzan <andrei@gherzan.com> wrote:
>>
>> On Fri, 26 Aug 2022, at 12:33, Andrei Gherzan wrote:
>> > From: Andrei Gherzan <andrei.gherzan@huawei.com>
>> >
>> > Signed-off-by: Andrei Gherzan <andrei.gherzan@huawei.com>
>> > ---
>> > .../podman/podman/CVE-2022-27649.patch | 106 ++++++++++++++++++
>> > recipes-containers/podman/podman_git.bb | 3 +-
>> > 2 files changed, 108 insertions(+), 1 deletion(-)
>> > create mode 100644 recipes-containers/podman/podman/CVE-2022-27649.patch
>> >
>> > diff --git a/recipes-containers/podman/podman/CVE-2022-27649.patch
>> > b/recipes-containers/podman/podman/CVE-2022-27649.patch
>> > new file mode 100644
>> > index 0000000..cb786ad
>> > --- /dev/null
>> > +++ b/recipes-containers/podman/podman/CVE-2022-27649.patch
>> > @@ -0,0 +1,106 @@
>> > +From aafa80918a245edcbdaceb1191d749570f1872d0 Mon Sep 17 00:00:00 2001
>> > +From: Giuseppe Scrivano <gscrivan@redhat.com>
>> > +Date: Mon, 28 Feb 2022 09:48:52 +0100
>> > +Subject: [PATCH] do not set the inheritable capabilities
>> > +
>> > +The kernel never sets the inheritable capabilities for a process, they
>> > +are only set by userspace. Emulate the same behavior.
>> > +
>> > +CVE: CVE-2022-27649
>> > +Upstream-Status: Backport
>> > [https://github.com/containers/podman/commit/aafa80918a245edcbdaceb1191d749570f1872d0]
>> > +Signed-off-by: Andrei Gherzan <andrei.gherzan@huawei.com>
>> > +---
>> > + libpod/oci_conmon_exec_linux.go | 7 +++++--
>> > + pkg/specgen/generate/security.go | 7 +++++--
>> > + test/e2e/run_test.go | 6 +++---
>> > + 3 files changed, 13 insertions(+), 7 deletions(-)
>> > +
>> > +diff --git a/libpod/oci_conmon_exec_linux.go
>> > b/libpod/oci_conmon_exec_linux.go
>> > +index aa970bbde28..65123b37e6a 100644
>> > +--- a/libpod/oci_conmon_exec_linux.go
>> > ++++ b/libpod/oci_conmon_exec_linux.go
>> > +@@ -758,11 +758,14 @@ func prepareProcessExec(c *Container, options
>> > *ExecOptions, env []string, sessio
>> > + } else {
>> > + pspec.Capabilities.Bounding = ctrSpec.Process.Capabilities.Bounding
>> > + }
>> > ++
>> > ++ // Always unset the inheritable capabilities similarly to what the
>> > Linux kernel does
>> > ++ // They are used only when using capabilities with uid != 0.
>> > ++ pspec.Capabilities.Inheritable = []string{}
>> > ++
>> > + if execUser.Uid == 0 {
>> > + pspec.Capabilities.Effective = pspec.Capabilities.Bounding
>> > +- pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding
>> > + pspec.Capabilities.Permitted = pspec.Capabilities.Bounding
>> > +- pspec.Capabilities.Ambient = pspec.Capabilities.Bounding
>> > + } else {
>> > + if user == c.config.User {
>> > + pspec.Capabilities.Effective =
>> > ctrSpec.Process.Capabilities.Effective
>> > +diff --git a/pkg/specgen/generate/security.go
>> > b/pkg/specgen/generate/security.go
>> > +index 9c67099054f..988c2983267 100644
>> > +--- a/pkg/specgen/generate/security.go
>> > ++++ b/pkg/specgen/generate/security.go
>> > +@@ -146,6 +146,10 @@ func securityConfigureGenerator(s
>> > *specgen.SpecGenerator, g *generate.Generator,
>> > +
>> > + configSpec := g.Config
>> > + configSpec.Process.Capabilities.Ambient = []string{}
>> > ++
>> > ++ // Always unset the inheritable capabilities similarly to what the
>> > Linux kernel does
>> > ++ // They are used only when using capabilities with uid != 0.
>> > ++ configSpec.Process.Capabilities.Inheritable = []string{}
>> > + configSpec.Process.Capabilities.Bounding = caplist
>> > +
>> > + user := strings.Split(s.User, ":")[0]
>> > +@@ -153,7 +157,6 @@ func securityConfigureGenerator(s
>> > *specgen.SpecGenerator, g *generate.Generator,
>> > + if (user == "" && s.UserNS.NSMode != specgen.KeepID) || user ==
>> > "root" || user == "0" {
>> > + configSpec.Process.Capabilities.Effective = caplist
>> > + configSpec.Process.Capabilities.Permitted = caplist
>> > +- configSpec.Process.Capabilities.Inheritable = caplist
>> > + } else {
>> > + mergedCaps, err := capabilities.MergeCapabilities(nil, s.CapAdd,
>> > nil)
>> > + if err != nil {
>> > +@@ -175,12 +178,12 @@ func securityConfigureGenerator(s
>> > *specgen.SpecGenerator, g *generate.Generator,
>> > + }
>> > + configSpec.Process.Capabilities.Effective = userCaps
>> > + configSpec.Process.Capabilities.Permitted = userCaps
>> > +- configSpec.Process.Capabilities.Inheritable = userCaps
>> > +
>> > + // Ambient capabilities were added to Linux 4.3. Set ambient
>> > + // capabilities only when the kernel supports them.
>> > + if supportAmbientCapabilities() {
>> > + configSpec.Process.Capabilities.Ambient = userCaps
>> > ++ configSpec.Process.Capabilities.Inheritable = userCaps
>> > + }
>> > + }
>> > +
>> > +diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
>> > +index 91a2eddadf6..f4a6e573355 100644
>> > +--- a/test/e2e/run_test.go
>> > ++++ b/test/e2e/run_test.go
>> > +@@ -498,7 +498,7 @@ var _ = Describe("Podman run", func() {
>> > + session = podmanTest.Podman([]string{"run", "--rm", "--user",
>> > "root", ALPINE, "grep", "CapInh", "/proc/self/status"})
>> > + session.WaitWithDefaultTimeout()
>> > + Expect(session).Should(Exit(0))
>> > +- Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
>> > ++ Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
>> > +
>> > + session = podmanTest.Podman([]string{"run", "--rm", ALPINE, "grep",
>> > "CapBnd", "/proc/self/status"})
>> > + session.WaitWithDefaultTimeout()
>> > +@@ -533,7 +533,7 @@ var _ = Describe("Podman run", func() {
>> > + session = podmanTest.Podman([]string{"run", "--user=0:0",
>> > "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh",
>> > "/proc/self/status"})
>> > + session.WaitWithDefaultTimeout()
>> > + Expect(session).Should(Exit(0))
>> > +- Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
>> > ++ Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
>> > +
>> > + if os.Geteuid() > 0 {
>> > + if os.Getenv("SKIP_USERNS") != "" {
>> > +@@ -550,7 +550,7 @@ var _ = Describe("Podman run", func() {
>> > + session = podmanTest.Podman([]string{"run", "--userns=keep-id",
>> > "--privileged", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"})
>> > + session.WaitWithDefaultTimeout()
>> > + Expect(session).Should(Exit(0))
>> > +- Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
>> > ++ Expect(session.OutputToString()).To(ContainSubstring("0000000000000002"))
>> > +
>> > + session = podmanTest.Podman([]string{"run", "--userns=keep-id",
>> > "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh",
>> > "/proc/self/status"})
>> > + session.WaitWithDefaultTimeout()
>> > diff --git a/recipes-containers/podman/podman_git.bb
>> > b/recipes-containers/podman/podman_git.bb
>> > index aedb988..65e0205 100644
>> > --- a/recipes-containers/podman/podman_git.bb
>> > +++ b/recipes-containers/podman/podman_git.bb
>> > @@ -22,7 +22,8 @@ SRC_URI = " \
>> > git://github.com/containers/libpod.git;branch=v4.0;protocol=https \
>> >
>> > file://0001-Rename-BUILDFLAGS-to-GOBUILDFLAGS.patch;patchdir=src/import
>> > \
>> >
>> > file://0002-Define-ActKillThread-equal-to-ActKill.patch;patchdir=src/import/vendor/github.com/seccomp/libseccomp-golang
>> > \
>> > - ${@bb.utils.contains('PACKAGECONFIG', 'rootless',
>> > 'file://50-podman-rootless.conf', '', d)} \
>> > + file://CVE-2022-27649.patch;patchdir=src/import \
>> > + ${@bb.utils.contains('PACKAGECONFIG', 'rootless',
>> > 'file://00-podman-rootless.conf', '', d)} \
>> > "
>> >
>> > LICENSE = "Apache-2.0"
>> > --
>> > 2.25.1
>>
>> Small reminder on this patch.
>
> I'm on holidays all this week, and my build machines have gone
> offline. If I can't restore access, it will be next week before I can
> get to merges.
Thanks for giving me a rough estimation - it helps. Enjoy your holiday!
Thanks,
Andrei
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [meta-virtualization] [kirkstone][PATCH v2] podman: Patch for CVE-2022-27649
2022-08-26 11:33 [kirkstone][PATCH v2] podman: Patch for CVE-2022-27649 Andrei Gherzan
2022-08-30 9:29 ` Andrei Gherzan
@ 2022-08-31 1:47 ` Bruce Ashfield
2022-08-31 10:35 ` Andrei Gherzan
1 sibling, 1 reply; 6+ messages in thread
From: Bruce Ashfield @ 2022-08-31 1:47 UTC (permalink / raw)
To: Andrei Gherzan; +Cc: meta-virtualization, Andrei Gherzan
merged!
Bruce
In message: [meta-virtualization] [kirkstone][PATCH v2] podman: Patch for CVE-2022-27649
on 26/08/2022 Andrei Gherzan wrote:
> From: Andrei Gherzan <andrei.gherzan@huawei.com>
>
> Signed-off-by: Andrei Gherzan <andrei.gherzan@huawei.com>
> ---
> .../podman/podman/CVE-2022-27649.patch | 106 ++++++++++++++++++
> recipes-containers/podman/podman_git.bb | 3 +-
> 2 files changed, 108 insertions(+), 1 deletion(-)
> create mode 100644 recipes-containers/podman/podman/CVE-2022-27649.patch
>
> diff --git a/recipes-containers/podman/podman/CVE-2022-27649.patch b/recipes-containers/podman/podman/CVE-2022-27649.patch
> new file mode 100644
> index 0000000..cb786ad
> --- /dev/null
> +++ b/recipes-containers/podman/podman/CVE-2022-27649.patch
> @@ -0,0 +1,106 @@
> +From aafa80918a245edcbdaceb1191d749570f1872d0 Mon Sep 17 00:00:00 2001
> +From: Giuseppe Scrivano <gscrivan@redhat.com>
> +Date: Mon, 28 Feb 2022 09:48:52 +0100
> +Subject: [PATCH] do not set the inheritable capabilities
> +
> +The kernel never sets the inheritable capabilities for a process, they
> +are only set by userspace. Emulate the same behavior.
> +
> +CVE: CVE-2022-27649
> +Upstream-Status: Backport [https://github.com/containers/podman/commit/aafa80918a245edcbdaceb1191d749570f1872d0]
> +Signed-off-by: Andrei Gherzan <andrei.gherzan@huawei.com>
> +---
> + libpod/oci_conmon_exec_linux.go | 7 +++++--
> + pkg/specgen/generate/security.go | 7 +++++--
> + test/e2e/run_test.go | 6 +++---
> + 3 files changed, 13 insertions(+), 7 deletions(-)
> +
> +diff --git a/libpod/oci_conmon_exec_linux.go b/libpod/oci_conmon_exec_linux.go
> +index aa970bbde28..65123b37e6a 100644
> +--- a/libpod/oci_conmon_exec_linux.go
> ++++ b/libpod/oci_conmon_exec_linux.go
> +@@ -758,11 +758,14 @@ func prepareProcessExec(c *Container, options *ExecOptions, env []string, sessio
> + } else {
> + pspec.Capabilities.Bounding = ctrSpec.Process.Capabilities.Bounding
> + }
> ++
> ++ // Always unset the inheritable capabilities similarly to what the Linux kernel does
> ++ // They are used only when using capabilities with uid != 0.
> ++ pspec.Capabilities.Inheritable = []string{}
> ++
> + if execUser.Uid == 0 {
> + pspec.Capabilities.Effective = pspec.Capabilities.Bounding
> +- pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding
> + pspec.Capabilities.Permitted = pspec.Capabilities.Bounding
> +- pspec.Capabilities.Ambient = pspec.Capabilities.Bounding
> + } else {
> + if user == c.config.User {
> + pspec.Capabilities.Effective = ctrSpec.Process.Capabilities.Effective
> +diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
> +index 9c67099054f..988c2983267 100644
> +--- a/pkg/specgen/generate/security.go
> ++++ b/pkg/specgen/generate/security.go
> +@@ -146,6 +146,10 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
> +
> + configSpec := g.Config
> + configSpec.Process.Capabilities.Ambient = []string{}
> ++
> ++ // Always unset the inheritable capabilities similarly to what the Linux kernel does
> ++ // They are used only when using capabilities with uid != 0.
> ++ configSpec.Process.Capabilities.Inheritable = []string{}
> + configSpec.Process.Capabilities.Bounding = caplist
> +
> + user := strings.Split(s.User, ":")[0]
> +@@ -153,7 +157,6 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
> + if (user == "" && s.UserNS.NSMode != specgen.KeepID) || user == "root" || user == "0" {
> + configSpec.Process.Capabilities.Effective = caplist
> + configSpec.Process.Capabilities.Permitted = caplist
> +- configSpec.Process.Capabilities.Inheritable = caplist
> + } else {
> + mergedCaps, err := capabilities.MergeCapabilities(nil, s.CapAdd, nil)
> + if err != nil {
> +@@ -175,12 +178,12 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
> + }
> + configSpec.Process.Capabilities.Effective = userCaps
> + configSpec.Process.Capabilities.Permitted = userCaps
> +- configSpec.Process.Capabilities.Inheritable = userCaps
> +
> + // Ambient capabilities were added to Linux 4.3. Set ambient
> + // capabilities only when the kernel supports them.
> + if supportAmbientCapabilities() {
> + configSpec.Process.Capabilities.Ambient = userCaps
> ++ configSpec.Process.Capabilities.Inheritable = userCaps
> + }
> + }
> +
> +diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
> +index 91a2eddadf6..f4a6e573355 100644
> +--- a/test/e2e/run_test.go
> ++++ b/test/e2e/run_test.go
> +@@ -498,7 +498,7 @@ var _ = Describe("Podman run", func() {
> + session = podmanTest.Podman([]string{"run", "--rm", "--user", "root", ALPINE, "grep", "CapInh", "/proc/self/status"})
> + session.WaitWithDefaultTimeout()
> + Expect(session).Should(Exit(0))
> +- Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
> ++ Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
> +
> + session = podmanTest.Podman([]string{"run", "--rm", ALPINE, "grep", "CapBnd", "/proc/self/status"})
> + session.WaitWithDefaultTimeout()
> +@@ -533,7 +533,7 @@ var _ = Describe("Podman run", func() {
> + session = podmanTest.Podman([]string{"run", "--user=0:0", "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"})
> + session.WaitWithDefaultTimeout()
> + Expect(session).Should(Exit(0))
> +- Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
> ++ Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
> +
> + if os.Geteuid() > 0 {
> + if os.Getenv("SKIP_USERNS") != "" {
> +@@ -550,7 +550,7 @@ var _ = Describe("Podman run", func() {
> + session = podmanTest.Podman([]string{"run", "--userns=keep-id", "--privileged", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"})
> + session.WaitWithDefaultTimeout()
> + Expect(session).Should(Exit(0))
> +- Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
> ++ Expect(session.OutputToString()).To(ContainSubstring("0000000000000002"))
> +
> + session = podmanTest.Podman([]string{"run", "--userns=keep-id", "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"})
> + session.WaitWithDefaultTimeout()
> diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb
> index aedb988..65e0205 100644
> --- a/recipes-containers/podman/podman_git.bb
> +++ b/recipes-containers/podman/podman_git.bb
> @@ -22,7 +22,8 @@ SRC_URI = " \
> git://github.com/containers/libpod.git;branch=v4.0;protocol=https \
> file://0001-Rename-BUILDFLAGS-to-GOBUILDFLAGS.patch;patchdir=src/import \
> file://0002-Define-ActKillThread-equal-to-ActKill.patch;patchdir=src/import/vendor/github.com/seccomp/libseccomp-golang \
> - ${@bb.utils.contains('PACKAGECONFIG', 'rootless', 'file://50-podman-rootless.conf', '', d)} \
> + file://CVE-2022-27649.patch;patchdir=src/import \
> + ${@bb.utils.contains('PACKAGECONFIG', 'rootless', 'file://00-podman-rootless.conf', '', d)} \
> "
>
> LICENSE = "Apache-2.0"
> --
> 2.25.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#7573): https://lists.yoctoproject.org/g/meta-virtualization/message/7573
> Mute This Topic: https://lists.yoctoproject.org/mt/93267827/1050810
> Group Owner: meta-virtualization+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [meta-virtualization] [kirkstone][PATCH v2] podman: Patch for CVE-2022-27649
2022-08-31 1:47 ` Bruce Ashfield
@ 2022-08-31 10:35 ` Andrei Gherzan
0 siblings, 0 replies; 6+ messages in thread
From: Andrei Gherzan @ 2022-08-31 10:35 UTC (permalink / raw)
To: Bruce Ashfield; +Cc: meta-virtualization
On Wed, 31 Aug 2022, at 02:47, Bruce Ashfield wrote:
> merged!
Very much appreciated.
Andrei
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2022-08-31 10:36 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-08-26 11:33 [kirkstone][PATCH v2] podman: Patch for CVE-2022-27649 Andrei Gherzan
2022-08-30 9:29 ` Andrei Gherzan
2022-08-30 13:11 ` [meta-virtualization] " Bruce Ashfield
2022-08-30 13:14 ` Andrei Gherzan
2022-08-31 1:47 ` Bruce Ashfield
2022-08-31 10:35 ` Andrei Gherzan
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.