agent: Upgrade nix version for security fix

Running `cargo audit` showed that the `nix` package for the agent and
the `rustjail` and `vsock-exporter` local crates need to be updated to
resolve the Rust security advisory
[RUSTSEC-2021-0119](https://rustsec.org/advisories/RUSTSEC-2021-0119).
Hence, bumped `nix` to the latest version (which required changes to
work with the new, simpler `errno` handling).

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
This commit is contained in:
James O. D. Hunt 2021-11-25 14:06:15 +00:00
parent 256d5008dc
commit 4a2be13c60
14 changed files with 108 additions and 128 deletions

src/agent/Cargo.lock generated

@ -107,9 +107,9 @@ dependencies = [
[[package]]
name = "bitflags"
version = "1.2.1"
version = "1.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cf1de2fe8c75bc145a2f577add951f8134889b4795d47466a54a5c846d691693"
checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
[[package]]
name = "bumpalo"
@ -180,13 +180,13 @@ checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
[[package]]
name = "cgroups-rs"
version = "0.2.7"
version = "0.2.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "31dc7b58f8b80f0e02202df9fe45fd7432572d8868bab0abcb888656833aeaba"
checksum = "5c5c9f6e5c72958dc962baa5f8bb37fb611017854b0d774b8adab4d7416ab445"
dependencies = [
"libc",
"log",
"nix 0.20.2",
"nix 0.20.0",
"regex",
]
@ -511,7 +511,7 @@ dependencies = [
"logging",
"netlink-packet-utils",
"netlink-sys",
"nix 0.21.2",
"nix 0.23.0",
"oci",
"opentelemetry",
"procfs",
@ -747,6 +747,19 @@ dependencies = [
"tokio",
]
[[package]]
name = "nix"
version = "0.16.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "dd0eaf8df8bab402257e0a5c17a254e4cc1f72a93588a1ddfb5d356c801aa7cb"
dependencies = [
"bitflags",
"cc",
"cfg-if 0.1.10",
"libc",
"void",
]
[[package]]
name = "nix"
version = "0.17.0"
@ -762,9 +775,33 @@ dependencies = [
[[package]]
name = "nix"
version = "0.20.2"
version = "0.19.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f5e06129fb611568ef4e868c14b326274959aa70ff7776e9d55323531c374945"
checksum = "b2ccba0cfe4fdf15982d1674c69b1fd80bad427d293849982668dfe454bd61f2"
dependencies = [
"bitflags",
"cc",
"cfg-if 1.0.0",
"libc",
]
[[package]]
name = "nix"
version = "0.20.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fa9b4819da1bc61c0ea48b63b7bc8604064dd43013e7cc325df098d49cd7c18a"
dependencies = [
"bitflags",
"cc",
"cfg-if 1.0.0",
"libc",
]
[[package]]
name = "nix"
version = "0.22.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cf1e25ee6b412c2a1e3fcb6a4499a5c1bfe7f43e014bdce9a6b6666e5aa2d187"
dependencies = [
"bitflags",
"cc",
@ -775,22 +812,9 @@ dependencies = [
[[package]]
name = "nix"
version = "0.21.2"
version = "0.23.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "77d9f3521ea8e0641a153b3cddaf008dcbf26acd4ed739a2517295e0760d12c7"
dependencies = [
"bitflags",
"cc",
"cfg-if 1.0.0",
"libc",
"memoffset",
]
[[package]]
name = "nix"
version = "0.22.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d3bb9a13fa32bc5aeb64150cd3f32d6cf4c748f8f8a417cce5d2eb976a8370ba"
checksum = "f305c2c2e4c39a82f7bf0bf65fb557f9070ce06781d4f2454295cc34b1c43188"
dependencies = [
"bitflags",
"cc",
@ -1260,7 +1284,7 @@ dependencies = [
"log",
"netlink-packet-route",
"netlink-proto",
"nix 0.22.2",
"nix 0.22.0",
"thiserror",
"tokio",
]
@ -1285,7 +1309,7 @@ dependencies = [
"lazy_static",
"libc",
"libseccomp",
"nix 0.21.2",
"nix 0.23.0",
"oci",
"path-absolutize",
"protobuf",
@ -1721,16 +1745,16 @@ dependencies = [
[[package]]
name = "ttrpc"
version = "0.5.2"
version = "0.5.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "66a973ce6d5eaa20c173635b29ffb660dafbc7ef109172c0015ba44e47a23711"
checksum = "004604e91de38bc16cb9c7898187343075388ea414ad24896a21fc4e91a7c861"
dependencies = [
"async-trait",
"byteorder",
"futures",
"libc",
"log",
"nix 0.20.2",
"nix 0.16.1",
"protobuf",
"protobuf-codegen-pure",
"thiserror",
@ -1791,12 +1815,12 @@ checksum = "6a02e4885ed3bc0f2de90ea6dd45ebcbb66dacffe03547fadbb0eeae2770887d"
[[package]]
name = "vsock"
version = "0.2.5"
version = "0.2.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a10cd0a332ca79e7bbde3299ca161ef2860dc72ba0c443b20356c23d48687c99"
checksum = "c932be691560e8f3f7b2be5a47df1b8f45387e1d1df40d45b2e62284b9e9150e"
dependencies = [
"libc",
"nix 0.22.2",
"nix 0.19.1",
]
[[package]]
@ -1807,7 +1831,7 @@ dependencies = [
"bincode",
"byteorder",
"libc",
"nix 0.21.2",
"nix 0.23.0",
"opentelemetry",
"serde",
"slog",


@ -12,7 +12,7 @@ lazy_static = "1.3.0"
ttrpc = { version = "0.5.0", features = ["async", "protobuf-codec"], default-features = false }
protobuf = "=2.14.0"
libc = "0.2.58"
nix = "0.21.0"
nix = "0.23.0"
capctl = "0.2.0"
serde_json = "1.0.39"
scan_fmt = "0.2.3"


@ -11,7 +11,7 @@ serde_derive = "1.0.91"
oci = { path = "../oci" }
protocols = { path ="../protocols" }
caps = "0.5.0"
nix = "0.21.0"
nix = "0.23.0"
scopeguard = "1.0.0"
capctl = "0.2.0"
lazy_static = "1.3.0"


@ -22,7 +22,6 @@ use crate::cgroups::Manager as CgroupManager;
use crate::container::DEFAULT_DEVICES;
use anyhow::{anyhow, Context, Result};
use libc::{self, pid_t};
use nix::errno::Errno;
use oci::{
LinuxBlockIo, LinuxCpu, LinuxDevice, LinuxDeviceCgroup, LinuxHugepageLimit, LinuxMemory,
LinuxNetwork, LinuxPids, LinuxResources,
@ -175,7 +174,7 @@ impl CgroupManager for Manager {
freezer_controller.freeze()?;
}
_ => {
return Err(nix::Error::Sys(Errno::EINVAL).into());
return Err(nix::Error::EINVAL.into());
}
}


@ -419,7 +419,7 @@ fn do_init_child(cwfd: RawFd) -> Result<()> {
ns.r#type.clone(),
ns.path.clone()
);
log_child!(cfd_log, "error is : {:?}", e.as_errno());
log_child!(cfd_log, "error is : {:?}", e);
e
})?;
@ -496,7 +496,7 @@ fn do_init_child(cwfd: RawFd) -> Result<()> {
log_child!(cfd_log, "join namespace {:?}", s);
sched::setns(fd, s).or_else(|e| {
if s == CloneFlags::CLONE_NEWUSER {
if e.as_errno().unwrap() != Errno::EINVAL {
if e != Errno::EINVAL {
let _ = write_sync(cwfd, SYNC_FAILED, format!("{:?}", e).as_str());
return Err(e);
}
@ -1108,10 +1108,8 @@ fn do_exec(args: &[String]) -> ! {
.collect();
let _ = unistd::execvp(p.as_c_str(), &sa).map_err(|e| match e {
nix::Error::Sys(errno) => {
std::process::exit(errno as i32);
}
_ => std::process::exit(-2),
nix::Error::UnknownErrno => std::process::exit(-2),
_ => std::process::exit(e as i32),
});
unreachable!()
@ -1157,7 +1155,7 @@ fn get_pid_namespace(logger: &Logger, linux: &Linux) -> Result<Option<RawFd>> {
ns.r#type.clone(),
ns.path.clone()
);
error!(logger, "error is : {:?}", e.as_errno());
error!(logger, "error is : {:?}", e);
e
})?;
@ -1390,13 +1388,13 @@ impl LinuxContainer {
.context(format!("cannot change onwer of container {} root", id))?;
if config.spec.is_none() {
return Err(nix::Error::Sys(Errno::EINVAL).into());
return Err(nix::Error::EINVAL.into());
}
let spec = config.spec.as_ref().unwrap();
if spec.linux.is_none() {
return Err(nix::Error::Sys(Errno::EINVAL).into());
return Err(nix::Error::EINVAL.into());
}
let linux = spec.linux.as_ref().unwrap();
@ -1473,7 +1471,7 @@ async fn execute_hook(logger: &Logger, h: &Hook, st: &OCIState) -> Result<()> {
let binary = PathBuf::from(h.path.as_str());
let path = binary.canonicalize()?;
if !path.exists() {
return Err(anyhow!(nix::Error::from_errno(Errno::EINVAL)));
return Err(anyhow!(nix::Error::EINVAL));
}
let args = h.args.clone();
@ -1542,7 +1540,7 @@ async fn execute_hook(logger: &Logger, h: &Hook, st: &OCIState) -> Result<()> {
if code != 0 {
error!(logger, "hook {} exit status is {}", &path, code);
return Err(anyhow!(nix::Error::from_errno(Errno::UnknownErrno)));
return Err(anyhow!(nix::Error::UnknownErrno));
}
debug!(logger, "hook {} exit status is 0", &path);
@ -1558,7 +1556,7 @@ async fn execute_hook(logger: &Logger, h: &Hook, st: &OCIState) -> Result<()> {
match tokio::time::timeout(Duration::new(timeout, 0), join_handle).await {
Ok(r) => r.unwrap(),
Err(_) => Err(anyhow!(nix::Error::from_errno(Errno::ETIMEDOUT))),
Err(_) => Err(anyhow!(nix::Error::ETIMEDOUT)),
}
}
@ -1664,7 +1662,7 @@ mod tests {
)
.await;
let expected_err = nix::Error::from_errno(Errno::ETIMEDOUT);
let expected_err = nix::Error::ETIMEDOUT;
assert_eq!(
res.unwrap_err().downcast::<nix::Error>().unwrap(),
expected_err
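Review bot: The `nix::Error::UnknownErrno => std::process::exit(-2)` arm in do_exec deserves a comment, because as I read nix's Errno enum UnknownErrno is discriminant 0, so without that arm `e as i32` would make a failed execvp exit with a status that reports success. Suggest `// UnknownErrno is discriminant 0; exit(e as i32) would report success for a failed exec` above the arm, and a note that `e as i32` relies on Errno being `#[repr(i32)]` with libc errno values. The same two arms appear in run_in_child in the console section and would take the same comment. do_exec's body continues outside the hunk.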


@ -5,7 +5,6 @@
use anyhow::{anyhow, Context, Result};
use libc::uid_t;
use nix::errno::Errno;
use nix::fcntl::{self, OFlag};
#[cfg(not(test))]
use nix::mount;
@ -655,7 +654,7 @@ pub fn ms_move_root(rootfs: &str) -> Result<bool> {
None::<&str>,
)?;
umount2(abs_mount_point, MntFlags::MNT_DETACH).or_else(|e| {
if e.ne(&nix::Error::from(Errno::EINVAL)) && e.ne(&nix::Error::from(Errno::EPERM)) {
if e.ne(&nix::Error::EINVAL) && e.ne(&nix::Error::EPERM) {
return Err(anyhow!(e));
}
@ -798,14 +797,8 @@ fn mount_from(
}
};
let _ = stat::stat(dest.as_str()).map_err(|e| {
log_child!(
cfd_log,
"dest stat error. {}: {:?}",
dest.as_str(),
e.as_errno()
)
});
let _ = stat::stat(dest.as_str())
.map_err(|e| log_child!(cfd_log, "dest stat error. {}: {:?}", dest.as_str(), e));
mount(
Some(src.as_str()),
@ -815,7 +808,7 @@ fn mount_from(
Some(d.as_str()),
)
.map_err(|e| {
log_child!(cfd_log, "mount error: {:?}", e.as_errno());
log_child!(cfd_log, "mount error: {:?}", e);
e
})?;
@ -837,7 +830,7 @@ fn mount_from(
None::<&str>,
)
.map_err(|e| {
log_child!(cfd_log, "remout {}: {:?}", dest.as_str(), e.as_errno());
log_child!(cfd_log, "remout {}: {:?}", dest.as_str(), e);
e
})?;
}
@ -1006,7 +999,7 @@ pub fn finish_rootfs(cfd_log: RawFd, spec: &Spec, process: &Process) -> Result<(
fn mask_path(path: &str) -> Result<()> {
if !path.starts_with('/') || path.contains("..") {
return Err(nix::Error::Sys(Errno::EINVAL).into());
return Err(nix::Error::EINVAL.into());
}
match mount(
@ -1016,49 +1009,30 @@ fn mask_path(path: &str) -> Result<()> {
MsFlags::MS_BIND,
None::<&str>,
) {
Err(nix::Error::Sys(e)) => {
if e != Errno::ENOENT && e != Errno::ENOTDIR {
//info!("{}: {}", path, e.desc());
return Err(nix::Error::Sys(e).into());
}
}
Err(e) => {
return Err(e.into());
}
Ok(_) => {}
Err(e) => match e {
nix::Error::ENOENT | nix::Error::ENOTDIR => Ok(()),
_ => Err(e.into()),
},
Ok(_) => Ok(()),
}
Ok(())
}
fn readonly_path(path: &str) -> Result<()> {
if !path.starts_with('/') || path.contains("..") {
return Err(nix::Error::Sys(Errno::EINVAL).into());
return Err(nix::Error::EINVAL.into());
}
match mount(
if let Err(e) = mount(
Some(&path[1..]),
path,
None::<&str>,
MsFlags::MS_BIND | MsFlags::MS_REC,
None::<&str>,
) {
Err(nix::Error::Sys(e)) => {
if e == Errno::ENOENT {
return Ok(());
} else {
//info!("{}: {}", path, e.desc());
return Err(nix::Error::Sys(e).into());
}
}
Err(e) => {
return Err(e.into());
}
Ok(_) => {}
match e {
nix::Error::ENOENT => return Ok(()),
_ => return Err(e.into()),
};
}
mount(
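Review bot: In mask_path the nested `Err(e) => match e { … }` can be one flat match, which then reads like readonly_path's guard: `Err(nix::Error::ENOENT | nix::Error::ENOTDIR) => Ok(()),` / `Err(e) => Err(e.into()),` / `Ok(_) => Ok(()),`. In readonly_path the inner `match e { … };` whose every arm returns is simpler as `if e != nix::Error::ENOENT { return Err(e.into()); } return Ok(());`, and in ms_move_root `e.ne(&nix::Error::EINVAL)` now compares two Copy enum values and reads better as `e != nix::Error::EINVAL`. Both functions still swallow ENOENT silently, so a mask or read-only target that does not exist is never reported; the deleted `//info!` line suggests that diagnostic was wanted, but neither function takes a logger or cfd_log, so adding it means threading one in from the caller. readonly_path continues past the end of the hunk.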


@ -30,7 +30,7 @@ impl io::Read for &StreamFd {
fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
match unistd::read(self.0, buf) {
Ok(l) => Ok(l),
Err(e) => Err(e.as_errno().unwrap().into()),
Err(e) => Err(e.into()),
}
}
}
@ -39,7 +39,7 @@ impl io::Write for &StreamFd {
fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
match unistd::write(self.0, buf) {
Ok(l) => Ok(l),
Err(e) => Err(e.as_errno().unwrap().into()),
Err(e) => Err(e.into()),
}
}
@ -52,7 +52,7 @@ impl StreamFd {
fn close(&mut self) -> io::Result<()> {
match unistd::close(self.0) {
Ok(()) => Ok(()),
Err(e) => Err(e.as_errno().unwrap().into()),
Err(e) => Err(e.into()),
}
}
}
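Review bot: Each of read, write and close now spells out `match … { Ok(l) => Ok(l), Err(e) => Err(e.into()) }`, which is exactly `map_err`; `unistd::read(self.0, buf).map_err(io::Error::from)` (and likewise for write and close) says the same in one line and makes the target error type explicit rather than relying on inference through `.into()`. The conversion itself is sound now that nix's Errno converts straight into io::Error, so this is purely a readability point.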


@ -3,7 +3,6 @@
// SPDX-License-Identifier: Apache-2.0
//
use nix::errno::Errno;
use nix::unistd;
use std::mem;
use std::os::unix::io::RawFd;
@ -41,7 +40,7 @@ pub fn write_count(fd: RawFd, buf: &[u8], count: usize) -> Result<usize> {
}
Err(e) => {
if e != nix::Error::from_errno(Errno::EINTR) {
if e != nix::Error::EINTR {
return Err(e.into());
}
}
@ -65,7 +64,7 @@ fn read_count(fd: RawFd, count: usize) -> Result<Vec<u8>> {
}
Err(e) => {
if e != nix::Error::from_errno(Errno::EINTR) {
if e != nix::Error::EINTR {
return Err(e.into());
}
}


@ -5,13 +5,12 @@
use crate::container::Config;
use anyhow::{anyhow, Context, Error, Result};
use nix::errno::Errno;
use oci::{Linux, LinuxIdMapping, LinuxNamespace, Spec};
use std::collections::HashMap;
use std::path::{Component, PathBuf};
fn einval() -> Error {
anyhow!(nix::Error::from_errno(Errno::EINVAL))
anyhow!(nix::Error::EINVAL)
}
fn get_linux(oci: &Spec) -> Result<&Linux> {


@ -149,10 +149,8 @@ fn run_in_child(slave_fd: libc::c_int, shell: String) -> Result<()> {
// run shell
let _ = unistd::execvp(cmd.as_c_str(), &args).map_err(|e| match e {
nix::Error::Sys(errno) => {
std::process::exit(errno as i32);
}
_ => std::process::exit(-2),
nix::Error::UnknownErrno => std::process::exit(-2),
_ => std::process::exit(e as i32),
});
Ok(())


@ -523,7 +523,7 @@ impl Handle {
.as_ref()
.map(|to| to.address.as_str()) // Extract address field
.and_then(|addr| if addr.is_empty() { None } else { Some(addr) }) // Make sure it's not empty
.ok_or(nix::Error::Sys(nix::errno::Errno::EINVAL))?;
.ok_or(nix::Error::EINVAL)?;
let ip = IpAddr::from_str(ip_address)
.map_err(|e| anyhow!("Failed to parse IP {}: {:?}", ip_address, e))?;
@ -612,12 +612,7 @@ fn parse_mac_address(addr: &str) -> Result<[u8; 6]> {
// Parse single Mac address block
let mut parse_next = || -> Result<u8> {
let v = u8::from_str_radix(
split
.next()
.ok_or(nix::Error::Sys(nix::errno::Errno::EINVAL))?,
16,
)?;
let v = u8::from_str_radix(split.next().ok_or(nix::Error::EINVAL)?, 16)?;
Ok(v)
};


@ -150,7 +150,7 @@ impl AgentService {
Some(spec) => rustjail::grpc_to_oci(spec),
None => {
error!(sl!(), "no oci spec in the create container request!");
return Err(anyhow!(nix::Error::from_errno(nix::errno::Errno::EINVAL)));
return Err(anyhow!(nix::Error::EINVAL));
}
};
@ -210,7 +210,7 @@ impl AgentService {
Process::new(&sl!(), &p, cid.as_str(), true, pipe_size)?
} else {
info!(sl!(), "no process configurations!");
return Err(anyhow!(nix::Error::from_errno(nix::errno::Errno::EINVAL)));
return Err(anyhow!(nix::Error::EINVAL));
};
ctr.start(p).await?;
s.update_shared_pidns(&ctr)?;
@ -317,13 +317,11 @@ impl AgentService {
.await
.is_err()
{
return Err(anyhow!(nix::Error::from_errno(nix::errno::Errno::ETIME)));
return Err(anyhow!(nix::Error::ETIME));
}
if handle.await.is_err() {
return Err(anyhow!(nix::Error::from_errno(
nix::errno::Errno::UnknownErrno
)));
return Err(anyhow!(nix::Error::UnknownErrno));
}
let s = self.sandbox.clone();
@ -347,7 +345,7 @@ impl AgentService {
let process = req
.process
.into_option()
.ok_or_else(|| anyhow!(nix::Error::from_errno(nix::errno::Errno::EINVAL)))?;
.ok_or_else(|| anyhow!(nix::Error::EINVAL))?;
let pipe_size = AGENT_CONFIG.read().await.container_pipe_size;
let ocip = rustjail::process_grpc_to_oci(&process);
@ -527,7 +525,7 @@ impl AgentService {
};
if reader.is_none() {
return Err(anyhow!(nix::Error::from_errno(nix::errno::Errno::EINVAL)));
return Err(anyhow!(nix::Error::EINVAL));
}
let reader = reader.ok_or_else(|| anyhow!("cannot get stream reader"))?;
@ -1311,10 +1309,7 @@ fn get_memory_info(block_size: bool, hotplug: bool) -> Result<(u64, bool)> {
Err(e) => {
info!(sl!(), "hotplug memory error: {:?}", e);
match e {
nix::Error::Sys(errno) => match errno {
Errno::ENOENT => plug = false,
_ => return Err(anyhow!(e)),
},
nix::Error::ENOENT => plug = false,
_ => return Err(anyhow!(e)),
}
}
@ -1531,7 +1526,7 @@ fn do_copy_file(req: &CopyFileRequest) -> Result<()> {
let path = PathBuf::from(req.path.as_str());
if !path.starts_with(CONTAINER_BASE) {
return Err(nix::Error::Sys(Errno::EINVAL).into());
return Err(nix::Error::EINVAL.into());
}
let parent = path.parent();
@ -1611,7 +1606,7 @@ fn setup_bundle(cid: &str, spec: &mut Spec) -> Result<PathBuf> {
let spec_root = if let Some(sr) = &spec.root {
sr
} else {
return Err(nix::Error::Sys(Errno::EINVAL).into());
return Err(nix::Error::EINVAL.into());
};
let spec_root_path = Path::new(&spec_root.path);
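Review bot: The `path.starts_with(CONTAINER_BASE)` check guarding the new `nix::Error::EINVAL` return in do_copy_file compares path components without normalising, so a req.path that contains `..` components still satisfies the prefix test; if the request is not fully trusted, rejecting parent components before the prefix check closes that gap, e.g. `if path.components().any(|c| c == std::path::Component::ParentDir) { return Err(nix::Error::EINVAL.into()); }`. Whether this matters depends on who can send CopyFileRequest, which is not visible here. Separately, this file mixes `nix::Error::EINVAL.into()` and `anyhow!(nix::Error::EINVAL)` for the same error; picking one form would read more consistently. do_copy_file continues outside the hunk.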


@ -11,7 +11,6 @@ use slog::Logger;
use anyhow::{anyhow, Result};
use netlink_sys::{protocols, SocketAddr, TokioSocket};
use nix::errno::Errno;
use std::fmt::Debug;
use std::os::unix::io::FromRawFd;
use std::sync::Arc;
@ -203,7 +202,7 @@ pub async fn watch_uevents(
Ok((buf, addr)) => {
if addr.port_number() != 0 {
// not our netlink message
let err_msg = format!("{:?}", nix::Error::Sys(Errno::EBADMSG));
let err_msg = format!("{:?}", nix::Error::EBADMSG);
error!(logger, "receive uevent message failed"; "error" => err_msg);
continue;
}
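Review bot: `let err_msg = format!("{:?}", nix::Error::EBADMSG);` constructs an errno value only to stringify it; slog can format it in the record directly with `error!(logger, "receive uevent message failed"; "error" => ?nix::Error::EBADMSG);`, dropping the temporary String. Note the Debug text also changes with this commit (previously the `Sys(...)` wrapper was printed), which only matters if anything parses the log line. Since this branch rejects a message from a non-kernel sender, adding `"port" => addr.port_number()` to the record would make the rejected source visible when investigating. watch_uevents continues outside the hunk.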


@ -7,7 +7,7 @@ edition = "2018"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[dependencies]
nix = "0.21.0"
nix = "0.23.0"
libc = "0.2.94"
thiserror = "1.0.26"
opentelemetry = { version = "0.14.0", features=["serialize"] }