Unfortunately on a number of occasions, Buildah has been released
officially with a `-dev` suffix in the version number. Assist in
catching this mistake at release time by the addition of a simple
conditional test. Note that it must be positively enabled by a
magic env. var. before executing the system tests.
Ref: original PR https://github.com/containers/buildah/pull/6243
Signed-off-by: Chris Evich <cevich@redhat.com>

update some URLs
The origin repository renamed its "master" branch to "main", so we need
to update our references to items in that branch.
[NO NEW TESTS NEEDED]
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>

Bump to Buildah v1.29.5. This will contain a fix for CVE-2024-11218 and
will be vendored into the Podman 4.4-rhel release branch to address the
issue there for RHEL 8.6, RHEL 9.0, and a variety of OCP versions.
[NO NEW TESTS NEEDED]
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>

- Fix nits spotted by @TomSweeneyRedHat and @nalind
- Include 2nd component of fix for CVE-2024-9407
  so `GetBindMount()` and `GetCacheMount()` handling
  of bind-propagation flags concur.
Signed-off-by: Chris Evich <cevich@redhat.com>

At the time of this commit, the Windows cross-build check is failing.
It is believed there is little actual need for this testing, nor support
for buildah as a library on Windows. Disable it.
Signed-off-by: Chris Evich <cevich@redhat.com>

Fix a time-of-check/time-of-use error when mounting type=bind and
type=cache directories that use a "src" flag. A hostile writer could
use a concurrently-running stage or build to replace that "src" location
between the point when we had resolved possible symbolic links and when
runc/crun/whatever actually went to create the bind mount
(CVE-2024-11218).
Stop ignoring the "src" option for cache mounts when there's no "from"
option.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Signed-off-by: Vivek Naruka <vnaruka@redhat.com>
Signed-off-by: Chris Evich <cevich@redhat.com>

Ensure that the temporary directory that we create is never itself the
top-level directory of the content that we're downloading, in case it's
an archive which includes a "." with weird permissions.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Signed-off-by: David Shea <dshea@redhat.com>

When handling RUN --mount=type=bind, where the mount is read-write,
instead of a simple bind mount, create an overlay mount with an upper
directory that will be discarded after the overlay mount is unmounted.
This brings us in line with the expected behavior, wherein writes to
bind mounts should be discarded.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Signed-off-by: Vivek Naruka <vnaruka@redhat.com>

Add a way to pass a "set the SELinux contexts" labels to
MountWithOptions.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Signed-off-by: David Shea <dshea@redhat.com>
Signed-off-by: Vivek Naruka <vnaruka@redhat.com>

Add a ForceMount flag to pkg/overlay.Options that forces mounting the
overlay filesystem and returning a bind mount to it instead of trying to
leave that for later in cases where we're able to have the kernel do it.
This is mainly for the sake of callers that want to do more things with
the mounted overlay filesystem before passing them to the (presumably)
OCI runtime.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Signed-off-by: David Shea <dshea@redhat.com>

Add a helper that uses the new internal/open package to bind mount a
location inside of a chroot direct to a new temporary location, for
ensuring that the latter is not bind-mounted from outside of the chroot.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Add a package that lets us open a directory in a chroot, pass its
descriptor up, and then bind mount that directory to a specified
location.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Allow cache mounts (RUN --mount=type=cache) to refer to other stages or
additional build contexts.
Update the build-check-cve-2024-9675 integration test to use different
directories for its main build context and the additional build context
that it uses for its final run.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Signed-off-by: David Shea <dshea@redhat.com>
Signed-off-by: Vivek Naruka <vnaruka@redhat.com>

The `--mount type=cache` argument to the `RUN` instruction in
Dockerfiles was using `filepath.Join` on user input, allowing
crafted paths to be used to gain access to paths on the host,
when the command should normally be limited only to Buildah's own
cache and context directories. Switch to `filepath.SecureJoin` to
resolve the issue.
Fixes CVE-2024-9675
Signed-off-by: Matt Heon <mheon@redhat.com>
Signed-off-by: David Shea <dshea@redhat.com>

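An added illustration of the path-handling difference described in the commit above; this is example code, not Buildah's own. The cache root path is constructed, and `containedJoin` is a hypothetical lexical containment check standing in for the real fix, `filepath.SecureJoin`, which additionally resolves symbolic links under the root.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// cacheRoot stands in for Buildah's per-build cache directory (constructed path).
const cacheRoot = "/var/lib/buildah/cache"

var errEscapesRoot = errors.New("src escapes cache root")

// naiveJoin mirrors the vulnerable behaviour: filepath.Join cleans the
// result, but ".." components in user input still climb out of root.
func naiveJoin(root, userSrc string) string {
	return filepath.Join(root, userSrc)
}

// containedJoin is a hypothetical hardening: after joining, require that
// the result still lies under root. It is purely lexical; the actual fix
// (filepath.SecureJoin) also resolves symlinks inside root.
func containedJoin(root, userSrc string) (string, error) {
	root = filepath.Clean(root)
	joined := filepath.Join(root, userSrc)
	rel, err := filepath.Rel(root, joined)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errEscapesRoot
	}
	return joined, nil
}

func main() {
	// Constructed "src" values a RUN --mount=type=cache line might carry.
	for _, src := range []string{"go-mod", "../../../../etc", "a/../b"} {
		p, err := containedJoin(cacheRoot, src)
		fmt.Printf("src=%q naive=%q contained=%q err=%v\n",
			src, naiveJoin(cacheRoot, src), p, err)
	}
}
```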
When analyzing a layer blob's contents, don't break if the blob has more
zeroes padding it out even after the tar reader thinks it's hit the end
of the archive.
Add more detail to the diagnostic error we print when there's a digest
or length mismatch, too, in case it's triggered by something other than
zero padding.
Don't ignore errors which might be encountered when we try to use skopeo
to copy an image to a directory.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Addresses CVE-2024-1753 which allowed a user to write files to the
`/` directory of the host machine if selinux was not enabled.
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>

When comparing layer payloads during conformance tests, mask off any
file type bits that the tar headers in the layers might have included.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

This mimics #5111 but without the vendor update, which is very
large on this branch.
[NO NEW TESTS NEEDED] This cannot be tested in CI as cloud
providers already don't provide these interfaces in their VMs.
Signed-off-by: Matt Heon <mheon@redhat.com>

The overlay 'flavor' of this task seems to complete successfully in
about 22 minutes. This is awfully close to the task-timeout, and
certainly for the slower 'VFS' flavor of the task. Increase the task
timeout to 30 minutes.
Signed-off-by: Chris Evich <cevich@redhat.com>

This branch will never receive any security-backports when the
associated RHEL release reaches EOL. Add a condition to force CI to
break with a helpful message, after this RHEL EOL date.
Signed-off-by: Chris Evich <cevich@redhat.com>

This test could fail when we enable the firewall.
To reduce the impact of the firewall, we use "curl".
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>