From 1a396a1784111fc5f9c6b5539bb51b3bd9ddddd7 Mon Sep 17 00:00:00 2001 From: Peng Tao Date: Tue, 16 Aug 2022 17:46:05 +0800 Subject: [PATCH] dep: update nix dependency To fix CVE-2021-45707 that affects nix < 0.20.2. Fixes: #4929 Signed-off-by: Peng Tao --- src/agent/Cargo.lock | 28 ++++------------------------ src/agent/Cargo.toml | 2 +- src/agent/rustjail/Cargo.toml | 2 +- src/agent/rustjail/src/seccomp.rs | 29 ++++++++++++++++------------- 4 files changed, 22 insertions(+), 39 deletions(-) diff --git a/src/agent/Cargo.lock b/src/agent/Cargo.lock index 8c9524c9c1..969020b76e 100644 --- a/src/agent/Cargo.lock +++ b/src/agent/Cargo.lock @@ -635,21 +635,20 @@ checksum = "349d5a591cd28b49e1d1037471617a32ddcda5731b99419008085f72d5a53836" [[package]] name = "libseccomp" -version = "0.1.3" +version = "0.2.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "36ad71a5b66ceef3acfe6a3178b29b4da063f8bcb2c36dab666d52a7a9cfdb86" +checksum = "49bda1fbf25c42ac8942ff7df1eb6172a3bc36299e84be0dba8c888a7db68c80" dependencies = [ "libc", "libseccomp-sys", - "nix 0.17.0", "pkg-config", ] [[package]] name = "libseccomp-sys" -version = "0.1.1" +version = "0.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "539912de229a4fc16e507e8df12a394038a524a5b5b6c92045ad344472aac475" +checksum = "9a7cbbd4ad467251987c6e5b47d53b11a5a05add08f2447a9e2d70aef1e0d138" [[package]] name = "lock_api" @@ -797,19 +796,6 @@ dependencies = [ "tokio", ] -[[package]] -name = "nix" -version = "0.17.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "50e4785f2c3b7589a0d0c1dd60285e1188adac4006e8abd6dd578e1567027363" -dependencies = [ - "bitflags", - "cc", - "cfg-if 0.1.10", - "libc", - "void", -] - [[package]] name = "nix" version = "0.22.3" 
@@ -1905,12 +1891,6 @@ version = "0.9.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f" -[[package]] -name = "void" -version = "1.0.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6a02e4885ed3bc0f2de90ea6dd45ebcbb66dacffe03547fadbb0eeae2770887d" - [[package]] name = "vsock" version = "0.2.6"
diff --git a/src/agent/Cargo.toml b/src/agent/Cargo.toml
index ae809bdaf7..58ddb8b6a2 100644
--- a/src/agent/Cargo.toml
+++ b/src/agent/Cargo.toml
@@ -12,7 +12,7 @@ lazy_static = "1.3.0"
 ttrpc = { version = "0.5.0", features = ["async", "protobuf-codec"], default-features = false }
 protobuf = "=2.14.0"
 libc = "0.2.58"
-nix = "0.23.0"
+nix = "0.23"
 capctl = "0.2.0"
 serde_json = "1.0.39"
 scan_fmt = "0.2.3"
diff --git a/src/agent/rustjail/Cargo.toml b/src/agent/rustjail/Cargo.toml
index 78c0f962eb..115c4758b7 100644
--- a/src/agent/rustjail/Cargo.toml
+++ b/src/agent/rustjail/Cargo.toml
@@ -31,7 +31,7 @@ tokio = { version = "1.2.0", features = ["sync", "io-util", "process", "time", "
 futures = "0.3.17"
 async-trait = "0.1.31"
 inotify = "0.9.2"
-libseccomp = { version = "0.1.3", optional = true }
+libseccomp = { version = "0.2.3", optional = true }
 
 [dev-dependencies]
 serial_test = "0.5.0"
diff --git a/src/agent/rustjail/src/seccomp.rs b/src/agent/rustjail/src/seccomp.rs
index 3496a45d8a..fab0197873 100644
--- a/src/agent/rustjail/src/seccomp.rs
+++ b/src/agent/rustjail/src/seccomp.rs
@@ -26,12 +26,15 @@ fn get_rule_conditions(args: &[LinuxSeccompArg]) -> Result>
 return Err(anyhow!("seccomp opreator is required"));
 }
 
- let cond = ScmpArgCompare::new(
- arg.index,
- ScmpCompareOp::from_str(&arg.op)?,
- arg.value,
- Some(arg.value_two),
- );
+ let mut op = ScmpCompareOp::from_str(&arg.op)?;
+ let mut value = arg.value;
+ // For SCMP_CMP_MASKED_EQ, arg.value is the mask and arg.value_two is the value
+ if op == ScmpCompareOp::MaskedEqual(u64::default()) {
+ op = ScmpCompareOp::MaskedEqual(arg.value);
+ value = arg.value_two;
+ }
+
+ let cond = ScmpArgCompare::new(arg.index, op, value);
 conditions.push(cond);
 }
 
@@ -44,7 +47,7 @@ pub fn get_unknown_syscalls(scmp: &LinuxSeccomp) -> Option> {
 
 for syscall in &scmp.syscalls {
 for name in &syscall.names {
- if get_syscall_from_name(name, None).is_err() {
+ if ScmpSyscall::from_name(name).is_err() {
 unknown_syscalls.push(name.to_string());
 }
 }
@@ -60,7 +63,7 @@ pub fn get_unknown_syscalls(scmp: &LinuxSeccomp) -> Option> {
 // init_seccomp creates a seccomp filter and loads it for the current process
 // including all the child processes.
 pub fn init_seccomp(scmp: &LinuxSeccomp) -> Result<()> {
- let def_action = ScmpAction::from_str(scmp.default_action.as_str(), Some(libc::EPERM as u32))?;
+ let def_action = ScmpAction::from_str(scmp.default_action.as_str(), Some(libc::EPERM as i32))?;
 
 // Create a new filter context
 let mut filter = ScmpFilterContext::new_filter(def_action)?;
@@ -72,7 +75,7 @@ pub fn init_seccomp(scmp: &LinuxSeccomp) -> Result<()> {
 }
 
 // Unset no new privileges bit
- filter.set_no_new_privs_bit(false)?;
+ filter.set_ctl_nnp(false)?;
 
 // Add a rule for each system call
 for syscall in &scmp.syscalls {
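Review bot: The added `if op == ScmpCompareOp::MaskedEqual(u64::default())` only works because `ScmpCompareOp::from_str` happens to return that variant with a zero payload; matching on the variant removes the dependency on a sentinel value: `if let ScmpCompareOp::MaskedEqual(_) = op {`. The comment above it should also say that `arg.value_two` is intentionally ignored for every other operator, since the removed call passed `Some(arg.value_two)` unconditionally and libseccomp itself only consults the second datum for masked-equal, so a reader comparing old and new code may otherwise take this for dropped data. The enclosing `for` loop and the function's header and return line are outside the hunk.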
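Review bot: The `as i32` in `Some(libc::EPERM as i32)` is a no-op cast, because `libc::EPERM` is already a `c_int`; `Some(libc::EPERM)` says the same thing without suggesting a conversion takes place. The old `as u32` was presumably there for the previous libseccomp signature, so with the parameter now `Option<i32>` the cast can simply go. The rest of init_seccomp continues outside the hunk.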
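Review bot: The kept comment `// Unset no new privileges bit` no longer describes `filter.set_ctl_nnp(false)?`: the CTL_NNP attribute only decides whether libseccomp sets `PR_SET_NO_NEW_PRIVS` itself when the filter is loaded, and it cannot clear a bit the process already has. With it off, the load succeeds only if no_new_privs is already set or the caller holds CAP_SYS_ADMIN, so the comment should state that and name where NNP is decided, e.g. `// Don't let libseccomp set no_new_privs on load; NNP is applied separately, and loading then needs CAP_SYS_ADMIN unless the bit is already set`. Where NNP is actually applied is not visible here, so that part of the wording needs confirming against the caller. init_seccomp starts and continues outside the hunk.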
@@ -80,13 +83,13 @@ pub fn init_seccomp(scmp: &LinuxSeccomp) -> Result<()> {
 return Err(anyhow!("syscall name is required"));
 }
 
- let action = ScmpAction::from_str(&syscall.action, Some(syscall.errno_ret))?;
+ let action = ScmpAction::from_str(&syscall.action, Some(syscall.errno_ret as i32))?;
 if action == def_action {
 continue;
 }
 
 for name in &syscall.names {
- let syscall_num = match get_syscall_from_name(name, None) {
+ let syscall_num = match ScmpSyscall::from_name(name) {
 Ok(num) => num,
 Err(_) => {
 // If we cannot resolve the given system call, we assume it is not supported
@@ -96,10 +99,10 @@ pub fn init_seccomp(scmp: &LinuxSeccomp) -> Result<()> {
 };
 
 if syscall.args.is_empty() {
- filter.add_rule(action, syscall_num, None)?;
+ filter.add_rule(action, syscall_num)?;
 } else {
 let conditions = get_rule_conditions(&syscall.args)?;
- filter.add_rule(action, syscall_num, Some(&conditions))?;
+ filter.add_rule_conditional(action, syscall_num, &conditions)?;
 }
 }
 }
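Review bot: `Some(syscall.errno_ret as i32)` wraps silently for values above `i32::MAX`, so an out-of-range `errnoRet` in the container's seccomp config becomes a negative errno instead of being rejected (the field's type is not visible in the hunk; presumably an unsigned 32-bit value as in the OCI spec). A checked conversion keeps the error visible: `let errno = i32::try_from(syscall.errno_ret).map_err(|_| anyhow!("invalid errnoRet {}", syscall.errno_ret))?;` followed by `let action = ScmpAction::from_str(&syscall.action, Some(errno))?;`. The function's body before and after this hunk, including the rest of the `Err(_)` arm, is outside it.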