Set up permissions on the scanner output directory so that scanners
whose images specify that they be run as non-root users can still write
to it. The most recent syft image exposed our bug.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

update some URLs
The origin repository renamed its "master" branch to "main", so we need
to update our references to items in that branch.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Tag a new release to incorporate the recent security advisory, and make
a minor update to the CI configuration.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Fix a time-of-check/time-of-use error when mounting type=bind and
type=cache directories that use a "src" flag. A hostile writer could
use a concurrently-running stage or build to replace that "src" location
between the point when we had resolved possible symbolic links and when
runc/crun/whatever actually went to create the bind mount
(CVE-2024-11218).
Stop ignoring the "src" option for cache mounts when there's no "from"
option.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Ensure that the temporary directory that we create is never itself the
top-level directory of the content that we're downloading, in case it's
an archive which includes a "." with weird permissions.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

When handling RUN --mount=type=bind, where the mount is read-write,
instead of a simple bind mount, create an overlay mount with an upper
directory that will be discarded after the overlay mount is unmounted.
This brings us in line with the expected behavior, wherein writes to
bind mounts should be discarded.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Add a ForceMount flag to pkg/overlay.Options that forces mounting the
overlay filesystem and returning a bind mount to it instead of trying to
leave that for later in cases where we're able to have the kernel do it.
This is mainly for the sake of callers that want to do more things with
the mounted overlay filesystem before passing them to the (presumably)
OCI runtime.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Add a helper that uses the new internal/open package to bind mount a
location inside of a chroot direct to a new temporary location, for
ensuring that the latter is not bind-mounted from outside of the chroot.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Add a package that lets us open a directory in a chroot, pass its
descriptor up, and then bind mount that directory to a specified
location.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Allow cache mounts (RUN --mount=type=cache) to refer to other stages or
additional build contexts.
Update the build-check-cve-2024-9675 integration test to use different
directories for its main build context and the additional build context
that it uses for its final run.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

The changelog.txt and CHANGELOG.md files each had "vv1.37" instead of "v1.37". This corrects that.
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>

This updates the changelog.txt in the release-1.37 branch to include
CVE numbers that were fixed with a couple of commits. I was able to
update CHANGELOG.MD in a separate commit.
[NO NEW TESTS NEEDED]
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>

The `--mount type=cache` argument to the `RUN` instruction in
Dockerfiles was using `filepath.Join` on user input, allowing
crafted paths to be used to gain access to paths on the host,
when the command should normally be limited only to Buildah's own
cache and context directories. Switch to `filepath.SecureJoin` to
resolve the issue.
Fixes CVE-2024-9675
Signed-off-by: Matt Heon <mheon@redhat.com>

CVE-2024-9407: validate that the value for the "bind-propagation" flag
when handling "bind" and "cache" mounts in `buildah run` or in RUN
instructions is one of the values that we would accept without the
"bind-propagation=" prefix.
Paul: fix merged conflict in tests (cherry-picked from 732f770648)
Fixes https://issues.redhat.com/browse/RHEL-61147
Fixes https://issues.redhat.com/browse/RHEL-61145
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Signed-off-by: Paul Holzinger <pholzing@redhat.com>

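The two preceding commits (CVE-2024-9675, an unconstrained `filepath.Join` on the `src` of a `RUN --mount` spec, and CVE-2024-9407, an unvalidated `bind-propagation=` value) both come down to validating one option string before it reaches the mount code. The following is an added illustration written for this page, not Buildah's own parser: it models a minimal `--mount` option parser whose `src` is confined to a caller-supplied root and whose propagation value must be in an allowlist. The allowlist is assumed from the standard mount(8) propagation names; the `ParseMount`/`containedJoin` names, the `rprivate` default and the sample specs are all constructed. The containment check here is lexical only; the real fix uses `filepath.SecureJoin`, which additionally resolves symlinks inside the root.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Propagation names that may appear as bare flags in a --mount spec. The
// CVE-2024-9407 fix requires that "bind-propagation=<value>" be one of these
// same names; the list is assumed from the mount(8) vocabulary.
var allowedPropagation = map[string]bool{
	"shared": true, "rshared": true,
	"slave": true, "rslave": true,
	"private": true, "rprivate": true,
	"unbindable": true, "runbindable": true,
}

// containedJoin joins root and sub and rejects a result that lexically
// escapes root, which is what a bare filepath.Join does not do. Unlike
// filepath-securejoin it does not resolve symlinks, so a symlink under root
// that points outside it still needs the real SecureJoin.
func containedJoin(root, sub string) (string, error) {
	root = filepath.Clean(root)
	joined := filepath.Join(root, sub) // Join collapses "..", so inspect the result
	rel, err := filepath.Rel(root, joined)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("source %q escapes %q", sub, root)
	}
	return joined, nil
}

// MountSpec is the subset of RUN --mount options this example models.
type MountSpec struct {
	Type        string // "bind" or "cache"
	Source      string // host path, guaranteed to lie under the permitted root
	Propagation string
}

// ParseMount parses a "type=...,src=...,bind-propagation=..." string.
// root is the directory the mount type may draw from (the build context for
// bind, the cache directory for cache); src must resolve inside it.
func ParseMount(spec, root string) (MountSpec, error) {
	m := MountSpec{Propagation: "rprivate"} // assumed default when unspecified
	src := "."
	for _, kv := range strings.Split(spec, ",") {
		key, val, hasVal := strings.Cut(kv, "=")
		switch {
		case key == "type" && hasVal:
			m.Type = val
		case (key == "src" || key == "source") && hasVal:
			src = val
		case key == "bind-propagation" && hasVal:
			if !allowedPropagation[val] {
				return MountSpec{}, fmt.Errorf("invalid bind-propagation value %q", val)
			}
			m.Propagation = val
		case !hasVal && allowedPropagation[key]:
			m.Propagation = key
		default:
			return MountSpec{}, fmt.Errorf("unsupported mount option %q", kv)
		}
	}
	if m.Type != "bind" && m.Type != "cache" {
		return MountSpec{}, fmt.Errorf("unsupported mount type %q", m.Type)
	}
	resolved, err := containedJoin(root, src)
	if err != nil {
		return MountSpec{}, err
	}
	m.Source = resolved
	return m, nil
}

func main() {
	// Constructed inputs: two well-formed specs and two that the checks reject.
	for _, spec := range []string{
		"type=cache,src=go/pkg/mod",
		"type=bind,src=app,bind-propagation=rslave",
		"type=cache,src=../../etc",
		"type=bind,src=app,bind-propagation=bogus",
	} {
		m, err := ParseMount(spec, "/var/tmp/example-root")
		fmt.Printf("%-44s -> %+v err=%v\n", spec, m, err)
	}
}
```

The order of operations matters: `filepath.Join` cleans the path first, so the `..` components are gone by the time the result is inspected, and the only reliable check is on the relationship between the cleaned result and the root. The propagation check is a strict allowlist rather than a pattern, which is what keeps any other mount option text from riding along in the value.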
Rootless users cannot set the `security.ima` xattr on files
(presumably for security reasons, they get an EPERM on trying to
do so). We will normally try and preserve that xattr, so when
trying to add a file with an IMA xattr to a build on a Buildah
without this patch, you get an error. With this patch, the error
is downgraded to a warning, as it's better to successfully build
with a missing xattr than blocking all builds which want to
include the offending file.
The urgency on this has become somewhat higher as it seems like
F41/Rawhide are installing rpm-plugin-ima by default, which is
setting IMA xattrs on some files that Podman relies on - for
example, the catatonit binary we use for pid pause images.
Without this patch, building the pause image as rootless will
always fail on a system with rpm-plugin-ima installed.
Fixes: https://github.com/containers/podman/issues/18543
<MH: Cherry picked back to release-1.37, conflicts fixed>
Signed-off-by: Matt Heon <mheon@redhat.com>

Clean up the distinctions between the volumes slice and the volumeCache
and volumeCacheInfo maps so that --compat-volumes will work correctly
when we're building with multiple layers.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Don't error out when `manifest add --artifact` is given multiple files,
and add a test which should have checked that.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

ELN is kind of a midway between Fedora and RHEL, so it's best to mention
ELN jobs separately. This will also allow reusing fedora targets using
YAML anchors for TMT tests.
This commit also mentions fedora-40 targets separately for copr_build
jobs so that once fedora-41 is released, fedora-40 jobs continue to
trigger.
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
(cherry picked from commit b2defd39e7)
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>

Packit now has sidetag support for adding multiple builds into a single
bodhi update.
Since we release c/common, skopeo, buildah and podman often
almost simultaneously, we should release them to Fedora in a single
bodhi update using sidetags so all builds can be tested together.
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
(cherry picked from commit 0494df68b0)
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>

As the title says. Bumping to c/image v5.32.2 and c/common to v0.60.2
in preparation for Podman v5.2.2
[NO NEW TESTS NEEDED]
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>