Merge pull request #677 from devimc/topic/fixCVEs

Use and install the latest version of packages
2025-07-12 22:58:58 +00:00 · 2019-08-20 08:37:19 +01:00 · 2019-08-20 08:37:19 +01:00 · 83faa9787b
commit 83faa9787b
parent c80a4afded c79a01b3f9
5 changed files with 55 additions and 3 deletions
--- a/static-build/nemu/Dockerfile
+++ b/static-build/nemu/Dockerfile
@ -12,7 +12,7 @@ ARG VIRTIOFSD
 ARG PREFIX

 WORKDIR /root/nemu
-RUN apt-get update
+RUN apt-get update && apt-get upgrade -y
 RUN apt-get install -y \
 	    autoconf \
 	    automake \
--- a/static-build/nemu/build-static-nemu.sh
+++ b/static-build/nemu/build-static-nemu.sh
@ -11,9 +11,11 @@ set -o pipefail
 script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

 source "${script_dir}/../../scripts/lib.sh"
+source "${script_dir}/../qemu.blacklist"

 config_dir="${script_dir}/../../scripts/"
 nemu_tar="kata-nemu-static.tar.gz"
+nemu_tmp_tar="kata-nemu-static-tmp.tar.gz"
 Dockerfile="Dockerfile"

 if [ $# -ne 0 ];then
@ -74,6 +76,7 @@ https_proxy="${https_proxy:-}"
 prefix="${prefix:-"/opt/kata"}"

 sudo docker build \
+	--no-cache \
 	--build-arg http_proxy="${http_proxy}" \
 	--build-arg https_proxy="${https_proxy}" \
 	--build-arg NEMU_REPO="${nemu_repo}" \
@ -94,3 +97,7 @@ sudo docker run \
 	mv "/tmp/nemu-static/${nemu_tar}" /share/

 sudo chown ${USER}:${USER} "${PWD}/${nemu_tar}"
+
+# Remove blacklisted binaries
+gzip -d < "${nemu_tar}" | tar --delete --wildcards -f - ${qemu_black_list[*]} | gzip > "${nemu_tmp_tar}"
+mv -f "${nemu_tmp_tar}" "${nemu_tar}"
--- a/static-build/qemu.blacklist
+++ b/static-build/qemu.blacklist
@ -0,0 +1,38 @@
+#
+# List of blacklisted files that are not
+# required in kata and may have CVEs.
+#
+qemu_black_list=(
+*/bin/qemu-pr-helper
+*/bin/virtfs-proxy-helper
+*/libexec/
+*/share/*/applications/
+*/share/*/*.dtb
+*/share/*/efi-e1000e.rom
+*/share/*/efi-e1000.rom
+*/share/*/efi-eepro100.rom
+*/share/*/efi-ne2k_pci.rom
+*/share/*/efi-pcnet.rom
+*/share/*/efi-rtl8139.rom
+*/share/*/efi-vmxnet3.rom
+*/share/*/icons/
+*/share/*/*.img
+*/share/*/keymaps/
+*/share/*/multiboot.bin
+*/share/*/openbios-ppc
+*/share/*/openbios-sparc32
+*/share/*/openbios-sparc64
+*/share/*/palcode-clipper
+*/share/*/ppc_rom.bin
+*/share/*/pvh.bin
+*/share/*/pxe-*
+*/share/*/QEMU,*
+*/share/*/qemu_vga.ndrv
+*/share/*/sgabios.bin
+*/share/*/skiboot.lid
+*/share/*/slof.bin
+*/share/*/spapr-rtas.bin
+*/share/*/trace-events-all
+*/share/*/u-boot*
+*/share/*/vgabios*
+)
--- a/static-build/qemu/Dockerfile
+++ b/static-build/qemu/Dockerfile
@ -1,4 +1,4 @@
-from ubuntu:16.04
+from ubuntu:18.04

 ARG QEMU_REPO
 # commit/tag/branch
@ -6,7 +6,7 @@ ARG QEMU_VERSION
 ARG PREFIX

 WORKDIR /root/qemu
-RUN apt-get update
+RUN apt-get update && apt-get upgrade -y
 RUN apt-get install -y \
 	    autoconf \
 	    automake \
--- a/static-build/qemu/build-static-qemu.sh
+++ b/static-build/qemu/build-static-qemu.sh
@ -11,9 +11,11 @@ set -o pipefail
 script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

 source "${script_dir}/../../scripts/lib.sh"
+source "${script_dir}/../qemu.blacklist"

 packaging_dir="${script_dir}/../.."
 qemu_tar="kata-qemu-static.tar.gz"
+qemu_tmp_tar="kata-qemu-static-tmp.tar.gz"

 qemu_repo="${qemu_repo:-}"
 qemu_version="${qemu_version:-}"
@ -39,6 +41,7 @@ https_proxy="${https_proxy:-}"
 prefix="${prefix:-"/opt/kata"}"

 sudo docker build \
+	--no-cache \
 	--build-arg http_proxy="${http_proxy}" \
 	--build-arg https_proxy="${https_proxy}" \
 	--build-arg QEMU_REPO="${qemu_repo}" \
@ -54,3 +57,7 @@ sudo docker run \
 	mv "/tmp/qemu-static/${qemu_tar}" /share/

 sudo chown ${USER}:${USER} "${PWD}/${qemu_tar}"
+
+# Remove blacklisted binaries
+gzip -d < "${qemu_tar}" | tar --delete --wildcards -f - ${qemu_black_list[*]} | gzip > "${qemu_tmp_tar}"
+mv -f "${qemu_tmp_tar}" "${qemu_tar}"