diff --git a/build-scripts/components/runc/strict-patches/v1.1.13/0001-apparmor-change-profile-immediately-not-on-exec.patch b/build-scripts/components/runc/strict-patches/v1.1.13/0001-apparmor-change-profile-immediately-not-on-exec.patch new file mode 100644 index 000000000..5210c4417 --- /dev/null +++ b/build-scripts/components/runc/strict-patches/v1.1.13/0001-apparmor-change-profile-immediately-not-on-exec.patch @@ -0,0 +1,36 @@ +From a367e391600dfab0d9eb3deaec4db300a2fb1fa1 Mon Sep 17 00:00:00 2001 +From: Alberto Mardegan +Date: Wed, 16 Jun 2021 15:04:16 +0300 +Subject: [PATCH 1/3] apparmor: change profile immediately, not on exec + +--- + libcontainer/apparmor/apparmor_linux.go | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/libcontainer/apparmor/apparmor_linux.go b/libcontainer/apparmor/apparmor_linux.go +index 8b1483c..292cfa6 100644 +--- a/libcontainer/apparmor/apparmor_linux.go ++++ b/libcontainer/apparmor/apparmor_linux.go +@@ -48,9 +48,9 @@ func setProcAttr(attr, value string) error { + return err + } + +-// changeOnExec reimplements aa_change_onexec from libapparmor in Go +-func changeOnExec(name string) error { +- if err := setProcAttr("exec", "exec "+name); err != nil { ++// changeProfile reimplements aa_change_profile from libapparmor in Go ++func changeProfile(name string) error { ++ if err := setProcAttr("current", "changeprofile "+name); err != nil { + return fmt.Errorf("apparmor failed to apply profile: %w", err) + } + return nil +@@ -64,5 +64,5 @@ func applyProfile(name string) error { + return nil + } + +- return changeOnExec(name) ++ return changeProfile(name) + } +-- +2.34.1 + diff --git a/build-scripts/components/runc/strict-patches/v1.1.13/0002-setns_init_linux-set-the-NNP-flag-after-changing-the.patch b/build-scripts/components/runc/strict-patches/v1.1.13/0002-setns_init_linux-set-the-NNP-flag-after-changing-the.patch new file mode 100644 index 000000000..df95bf45e --- /dev/null +++ b/build-scripts/components/runc/strict-patches/v1.1.13/0002-setns_init_linux-set-the-NNP-flag-after-changing-the.patch @@ -0,0 +1,51 @@ +From 36fca252c746022e4e2273092ed21e2e4efe33f8 Mon Sep 17 00:00:00 2001 +From: eaudetcobello +Date: Fri, 19 Jul 2024 09:42:31 -0400 +Subject: [PATCH 2/3] setns_init_linux: set the NNP flag after changing the + apparmor profile + +With the current version of the AppArmor kernel module, it's not +possible to switch the AppArmor profile if the NoNewPrivileges flag is +set. So, we invert the order of the two operations. + +Adjusts the previous patch for runc version v1.1.13 + +Co-Authored-By: Alberto Mardegan +Co-Authored-By: Angelos Kolaitis +--- + libcontainer/setns_init_linux.go | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go +index bb358901..b496c81e 100644 +--- a/libcontainer/setns_init_linux.go ++++ b/libcontainer/setns_init_linux.go +@@ -57,12 +57,6 @@ func (l *linuxSetnsInit) Init() error { + return err + } + } +- if l.config.NoNewPrivileges { +- if err := unix.Prctl(unix.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil { +- return err +- } +- } +- + // Tell our parent that we're ready to exec. This must be done before the + // Seccomp rules have been applied, because we need to be able to read and + // write to a socket. +@@ -93,7 +87,11 @@ func (l *linuxSetnsInit) Init() error { + if err := apparmor.ApplyProfile(l.config.AppArmorProfile); err != nil { + return err + } +- ++ if l.config.NoNewPrivileges { ++ if err := unix.Prctl(unix.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil { ++ return err ++ } ++ } + // Check for the arg before waiting to make sure it exists and it is + // returned as a create time error. + name, err := exec.LookPath(l.config.Args[0]) +-- +2.43.0 + diff --git a/build-scripts/components/runc/strict-patches/v1.1.13/0003-standard_init_linux-change-AppArmor-profile-as-late-.patch b/build-scripts/components/runc/strict-patches/v1.1.13/0003-standard_init_linux-change-AppArmor-profile-as-late-.patch new file mode 100644 index 000000000..006a701d7 --- /dev/null +++ b/build-scripts/components/runc/strict-patches/v1.1.13/0003-standard_init_linux-change-AppArmor-profile-as-late-.patch @@ -0,0 +1,55 @@ +From 7fc0138605e1a4c6da32db9abbaeba313d30b960 Mon Sep 17 00:00:00 2001 +From: eaudetcobello +Date: Fri, 19 Jul 2024 09:28:24 -0400 +Subject: [PATCH 3/3] standard_init_linux: change AppArmor profile as late as + possible + +--- + libcontainer/standard_init_linux.go | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go +index d9a6a224..1ee95988 100644 +--- a/libcontainer/standard_init_linux.go ++++ b/libcontainer/standard_init_linux.go +@@ -127,10 +127,6 @@ func (l *linuxStandardInit) Init() error { + return &os.SyscallError{Syscall: "sethostname", Err: err} + } + } +- if err := apparmor.ApplyProfile(l.config.AppArmorProfile); err != nil { +- return fmt.Errorf("unable to apply apparmor profile: %w", err) +- } +- + for key, value := range l.config.Config.Sysctl { + if err := writeSystemProperty(key, value); err != nil { + return err +@@ -150,18 +146,20 @@ func (l *linuxStandardInit) Init() error { + if err != nil { + return fmt.Errorf("can't get pdeath signal: %w", err) + } +- if l.config.NoNewPrivileges { +- if err := unix.Prctl(unix.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil { +- return &os.SyscallError{Syscall: "prctl(SET_NO_NEW_PRIVS)", Err: err} +- } +- } +- + // Tell our parent that we're ready to exec. This must be done before the + // Seccomp rules have been applied, because we need to be able to read and + // write to a socket. + if err := syncParentReady(l.pipe); err != nil { + return fmt.Errorf("sync ready: %w", err) + } ++ if err := apparmor.ApplyProfile(l.config.AppArmorProfile); err != nil { ++ return fmt.Errorf("unable to apply apparmor profile: %w", err) ++ } ++ if l.config.NoNewPrivileges { ++ if err := unix.Prctl(unix.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil { ++ return &os.SyscallError{Syscall: "prctl(SET_NO_NEW_PRIVS)", Err: err} ++ } ++ } + if err := selinux.SetExecLabel(l.config.ProcessLabel); err != nil { + return fmt.Errorf("can't set process label: %w", err) + } +-- +2.43.0 +