Sebastiaan van Stijn
ae160b4edd
Merge commit from fork
...
[19.03] AuthZ plugin security fixes
2024-07-23 21:36:28 +02:00
Jameson Hyde
eaa196855e
If url includes scheme, urlPath will drop hostname, which would not match the auth check
...
Signed-off-by: Jameson Hyde <jameson.hyde@docker.com>
(cherry picked from commit 754fb8d9d03895ae3ab60d2ad778152b0d835206)
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit 5282cb25d0)
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-07-17 13:13:11 +02:00
Jameson Hyde
2cd03a5fde
Authz plugin security fixes for 0-length content and path validation
...
Signed-off-by: Jameson Hyde <jameson.hyde@docker.com>
fix comments
(cherry picked from commit 9659c3a52bac57e615b5fb49b0652baca448643e)
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit 2ac8a479c5)
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-07-17 13:13:07 +02:00
Sebastiaan van Stijn
69f9c8c906
Merge pull request #41948 from AkihiroSuda/cherrypick-41892-1903
...
[19.03 backport] pkg/archive: allow mknodding FIFO inside userns
2021-02-12 11:58:29 +01:00
Brian Goff
420b1d3625
pull: Validate layer digest format
...
Otherwise a malformed or empty digest may cause a panic.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit a7d4af84bd)
Signed-off-by: Tibor Vass <tibor@docker.com>
v19.03.15
2021-01-28 21:43:36 +00:00
Brian Goff
5472f39022
buildkit: Apply apparmor profile
...
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 611eb6ffb3)
Renamed constant defaultAppArmorProfile to defaultApparmorProfile.
Signed-off-by: Tibor Vass <tibor@docker.com>
2021-01-28 21:43:09 +00:00
Tibor Vass
b96fb8837b
vendor buildkit 396bfe20b590914cd77945ef0d70d976a0ed093c
...
Signed-off-by: Tibor Vass <tibor@docker.com>
2021-01-28 21:43:06 +00:00
Brian Goff
67de83e70b
Use real root with 0701 perms
...
Various dirs in /var/lib/docker contain data that needs to be mounted
into a container. For this reason, these dirs are set to be owned by the
remapped root user, otherwise there can be permissions issues.
However, this unnecessarily exposes these dirs to an unprivileged user
on the host.
Instead, set the ownership of these dirs to the real root (or rather the
UID/GID of dockerd) with 0701 permissions, which allows the remapped
root to enter the directories but not read/write to them.
The remapped root needs to enter these dirs so the container's rootfs
can be configured... e.g. to mount /etc/resolve.conf.
This prevents an unprivileged user from having read/write access to
these dirs on the host.
The flip side of this is now any user can enter these directories.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit e908cc3901)
Cherry-pick conflict with eb14d936bf:
Kept old `container` variable name.
Signed-off-by: Tibor Vass <tibor@docker.com>
2021-01-28 21:42:41 +00:00
Brian Goff
5eff67a2c2
Do not set DOCKER_TMP to be owned by remapped root
...
The remapped root does not need access to this dir.
Having this owned by the remapped root opens the host up to an
unprivileged user on the host being able to escalate privileges.
While it would not be normal for the remapped UID to be used outside of
the container context, it could happen.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit bfedd27259)
Signed-off-by: Tibor Vass <tibor@docker.com>
2021-01-28 21:42:20 +00:00
Brian Goff
1342c51d5e
Ensure MkdirAllAndChown also sets perms
...
Generally if we ever need to change perms of a dir, between versions,
this ensures the permissions actually change when we think it should
change without having to handle special cases if it already existed.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit edb62a3ace)
Signed-off-by: Tibor Vass <tibor@docker.com>
2021-01-28 21:42:01 +00:00
Akihiro Suda
df6c53c924
pkg/archive: allow mknodding FIFO inside userns
...
Fix #41803
Also attempt to mknod devices.
Mknodding devices is likely to fail, but still worth trying when
running with a seccomp user notification.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit d5d5cccb7e)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-01-28 16:46:37 +09:00
Akihiro Suda
7d75c1d40d
Merge pull request #41731 from thaJeztah/19.03_container_1.3.9
...
[19.03] update containerd binary to v1.3.9 (address CVE-2020-15257)
v19.03.14
2020-12-01 12:45:08 +09:00
Sebastiaan van Stijn
d3c5506330
update containerd binary to v1.3.9 (address CVE-2020-15257)
...
full diff: https://github.com/containerd/containerd/compare/v1.3.8...v1.3.9
Release notes:
containerd 1.3.9
---------------------
Welcome to the v1.3.9 release of containerd!
The ninth patch release for containerd 1.3 is a security release to address
CVE-2020-15257. See GHSA-36xw-fx78-c5r4 for more details:
https://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-11-30 20:10:30 +01:00
Sebastiaan van Stijn
1babdf81e7
update containerd binary to v1.3.8
...
full diff: https://github.com/containerd/containerd/compare/v1.3.7...v1.3.8
Release notes:
containerd 1.3.8
----------------------
Welcome to the v1.3.8 release of containerd!
The eighth patch release for containerd 1.3 includes several bug fixes and updates.
Notable Updates
- Fix metrics monitoring of v2 runtime tasks
- Fix nil pointer error when restoring checkpoint
- Fix devmapper device deletion on rollback
- Fix integer overflow on Windows
- Update seccomp default profile
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-11-30 20:04:31 +01:00
Brian Goff
35968c420d
Merge pull request #41685 from ameyag/19.03-bmp-libnetwork-nil-deference
...
[19.03] docker/libnetwork 55e924b8a84231a065879156c0de95aefc5f5435 (bump_19.03 branch)
2020-11-18 10:03:17 -08:00
Ameya Gawde
f80f6304e2
Bump libnetwork
...
Signed-off-by: Ameya Gawde <agawde@mirantis.com>
2020-11-17 16:21:39 -08:00
Sebastiaan van Stijn
837baebb74
Merge pull request #41635 from AkihiroSuda/rootlesskit-0.11.0-1903
...
[19.03 backport] bump up rootlesskit to v0.11.0
2020-11-09 20:50:00 +01:00
Akihiro Suda
4b181db52b
bump up rootlesskit to v0.11.0
...
Important fix: Lock state dir for preventing automatic clean-up by systemd-tmpfiles
(https://github.com/rootless-containers/rootlesskit/pull/188)
Full changes: https://github.com/rootless-containers/rootlesskit/compare/v0.10.0...v0.11.0
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit c6accc67f2)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-11-05 16:53:57 +09:00
Akihiro Suda
619f1b54c6
Merge pull request #41596 from thaJeztah/19.03_backport_swagger_fix
...
[19.03 backport] docs: fix builder-version swagger
2020-10-29 12:37:35 +09:00
Tonis Tiigi
7487dca8a5
docs: fix builder-version swagger
...
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit 8cc0fd811e)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-10-27 20:42:13 +01:00
Brian Goff
bb69504a4a
Merge pull request #41557 from AkihiroSuda/cherrypick-41156-1903
...
[19.03 backport] dockerd-rootless.sh: support new containerd shim socket path convention
2020-10-16 13:06:56 -07:00
Akihiro Suda
c7253a0e1a
dockerd-rootless.sh: support containerd v1.4 shim socket path convention
...
The new shim socket path convention hardcodes `/run/containerd`:
https://github.com/containerd/containerd/pull/4343
`dockerd-rootless.sh` is updated to hide the rootful `/run/containerd`
from the mount namespace of the rootless dockerd.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 794aa20983)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-10-16 13:33:56 +09:00
Brian Goff
b27122246a
Merge pull request #41542 from thaJeztah/19.03_backport_fix_41517
2020-10-09 16:14:30 -07:00
Tianon Gravi
88eec2e811
Also trim "~..." from AppArmor versions
...
Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
(cherry picked from commit 654cad4d9d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-10-09 22:22:56 +02:00
Akihiro Suda
ecd3baca25
pkg/aaparser: support parsing version like "3.0.0-beta1"
...
Fix #41517
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit ee079e4692)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-10-09 22:22:53 +02:00
Brian Goff
233a6379e5
Merge pull request #41522 from thaJeztah/19.03_backport_gcp_leak
...
[19.03 backport] Fix gcplogs memory/connection leak
2020-10-06 14:27:10 -07:00
Patrick Haas
74c0c5b7f1
Fix gcplogs memory/connection leak
...
The cloud logging client should be closed when the log driver is closed. Otherwise dockerd will keep a gRPC connection to the logging endpoint open indefinitely.
This results in a slow leak of tcp sockets (1) and memory (~200Kb) any time that a container using `--log-driver=gcplogs` is terminated.
Signed-off-by: Patrick Haas <patrickhaas@google.com>
(cherry picked from commit ef553e14a4)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-10-03 00:30:30 +02:00
Tianon Gravi
88623e101c
Merge pull request #41293 from thaJeztah/19.03_backport_fix_getexecuser
...
[19.03 backport] oci: correctly use user.GetExecUser interface
2020-09-25 18:35:14 -07:00
Brian Goff
705762f23c
Merge pull request #41494 from thaJeztah/19.03_backport_aws_sdk_go
...
[19.03 backport] awslogs: Update aws-sdk-go to support IMDSv2
2020-09-25 12:24:39 -07:00
Samuel Karp
5f32bd9ced
awslogs: Update aws-sdk-go to support IMDSv2
...
AWS recently launched a new version of the EC2 Instance Metadata
Service, which is used to provide credentials to the awslogs driver when
running on Amazon EC2. This new version of the IMDS adds
defense-in-depth mechanisms against open firewalls, reverse proxies, and
SSRF vulnerabilities and is generally an improvement over the previous
version. An updated version of the AWS SDK is able to handle both
the previous version and the new version of the IMDS and functions when
either is enabled.
More information about IMDSv2 is available at the following links:
* https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/
* https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
Closes https://github.com/moby/moby/issues/40422
Signed-off-by: Samuel Karp <skarp@amazon.com>
(cherry picked from commit 44a8e10bfc)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-25 16:14:50 +02:00
Tibor Vass
bd33bbf049
Merge pull request #41314 from thaJeztah/19.03_backport_fix_racey_logger_test
...
[19.03 backport] test-fixes for flaky test: TestCheckCapacityAndRotate
v19.03.13
2020-09-16 07:28:27 -07:00
Tibor Vass
426396f438
Merge pull request #41451 from thaJeztah/19.03_update_buildkit
...
[19.03] vendor: buildkit v0.6.4-32-gdf89d4dc
2020-09-15 16:02:53 -07:00
Tibor Vass
406dba269c
Merge pull request #41446 from thaJeztah/19.03_backport_swagger_fixes
...
[19.03 backport] swagger: fix MemTotal units in SystemInfo endpoint
2020-09-15 16:00:28 -07:00
Tibor Vass
50b33bd3cd
Merge pull request #41312 from thaJeztah/19.03_backport_pass_network_error
...
[19.03 backport] Check for context error that is wrapped in url.Error
2020-09-15 15:56:29 -07:00
Tibor Vass
519462f3df
Merge pull request #41334 from thaJeztah/19.03_backport_bump_golang_1.13.15
...
[19.03 backport] Bump Golang 1.13.15
2020-09-15 15:55:08 -07:00
Tibor Vass
64fffefffa
Merge pull request #40408 from thaJeztah/19.03_backport_update_containerd_1.3
...
[19.03 backport] update containerd binary v1.3.7
2020-09-15 15:54:32 -07:00
Sebastiaan van Stijn
8cf9d50fc0
[19.03] vendor: buildkit v0.6.4-32-gdf89d4dc
...
full diff: https://github.com/moby/buildkit/compare/v0.6.4-28-gda1f4bf1...v0.6.4-32-gdf89d4dc
no local changes in the daemon code
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-15 11:19:58 +02:00
Nikolay Edigaryev
a4e96a486f
swagger: fix MemTotal units in SystemInfo endpoint
...
MemTotal represents bytes, not kilobytes. See Linux[1] and Windows[2]
implementations.
[1]: f50a40e889/pkg/system/meminfo_linux.go (L49)
[2]: f50a40e889/pkg/system/meminfo_windows.go (L40)
Signed-off-by: Nikolay Edigaryev <edigaryev@gmail.com>
(cherry picked from commit 13e0ba700a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-14 14:37:54 +02:00
Sebastiaan van Stijn
9fe291827a
Bump Golang 1.13.15
...
full diff: https://github.com/golang/go/compare/go1.13.14...go1.13.15
go1.13.15 (released 2020/08/06) includes security fixes to the encoding/binary
package. See the Go 1.13.15 milestone on the issue tracker for details.
https://github.com/golang/go/issues?q=milestone%3AGo1.13.15+label%3ACherryPickApproved
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 2a6325e310)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-10 12:16:14 +02:00
Akihiro Suda
a15a770e1b
update containerd to v1.3.7
...
Release note: https://github.com/containerd/containerd/releases/tag/v1.3.7
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 43d13054c5)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-05 22:40:36 +02:00
Jintao Zhang
9380ec7397
update containerd to v1.3.6
...
Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
(cherry picked from commit 85e3dddccd)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-05 22:40:17 +02:00
Jintao Zhang
80cef48453
update containerd to v1.3.5
...
Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
(cherry picked from commit 0e915e5413)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-05 22:40:15 +02:00
Jintao Zhang
fc8f88dc14
update containerd to v1.3.4
...
Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
(cherry picked from commit fbaaca6351)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-05 22:40:13 +02:00
Sebastiaan van Stijn
89a4208757
update containerd binary to v1.3.3
...
full diff: https://github.com/containerd/containerd/compare/v1.3.2...v1.3.3
release notes: https://github.com/containerd/containerd/releases/tag/v1.3.3
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 27649ee44f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-05 22:40:11 +02:00
Jintao Zhang
490c45b756
Update containerd to v1.3.2
...
Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
(cherry picked from commit 7f809e1080)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-05 22:40:09 +02:00
Jintao Zhang
56d897347d
Update containerd to v1.3.1
...
Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
(cherry picked from commit 517946eb47)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-05 22:40:07 +02:00
Derek McGowan
d4c63720e9
update containerd binary v1.3.0
...
full diff: https://github.com/containerd/containerd/compare/v1.2.8..v1.3.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
(cherry picked from commit 6c94a50f41)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-05 22:40:04 +02:00
Brian Goff
ec14dc44d1
Fix log file rotation test.
...
The test was looking for the wrong file name.
Since compression happens asynchronously, sometimes the test would
succeed and sometimes fail.
This change makes sure to wait for the compressed version of the file
since we can't know when the compression is going to occur.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit c6d860ace6)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-05 12:48:27 +02:00
Brian Goff
a958fc3e65
Fix flakey test for log file rotate.
...
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 5ea5c02c88)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-05 12:48:17 +02:00
Evgeniy Makhrov
89da709cb7
Check for context error that is wrapped in url.Error
...
Signed-off-by: Evgeniy Makhrov <e.makhrov@corp.badoo.com>
(cherry picked from commit 8ccb46a521)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-04 17:44:42 +02:00