Merge pull request #677 from devimc/topic/fixCVEs

Use and install the latest version of packages

static-build/nemu/Dockerfile

@@ -12,7 +12,7 @@ ARG VIRTIOFSD
 ARG PREFIX
 
 WORKDIR /root/nemu
-RUN apt-get update
+RUN apt-get update && apt-get upgrade -y
 RUN apt-get install -y \
 	    autoconf \
 	    automake \

static-build/nemu/build-static-nemu.sh

@@ -11,9 +11,11 @@ set -o pipefail
 script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 
 source "${script_dir}/../../scripts/lib.sh"
+source "${script_dir}/../qemu.blacklist"
 
 config_dir="${script_dir}/../../scripts/"
 nemu_tar="kata-nemu-static.tar.gz"
+nemu_tmp_tar="kata-nemu-static-tmp.tar.gz"
 Dockerfile="Dockerfile"
 
 if [ $# -ne 0 ];then
@@ -74,6 +76,7 @@ https_proxy="${https_proxy:-}"
 prefix="${prefix:-"/opt/kata"}"
 
 sudo docker build \
+	--no-cache \
 	--build-arg http_proxy="${http_proxy}" \
 	--build-arg https_proxy="${https_proxy}" \
 	--build-arg NEMU_REPO="${nemu_repo}" \
@@ -94,3 +97,7 @@ sudo docker run \
 	mv "/tmp/nemu-static/${nemu_tar}" /share/
 
 sudo chown ${USER}:${USER} "${PWD}/${nemu_tar}"
+
+# Remove blacklisted binaries
+gzip -d < "${nemu_tar}" | tar --delete --wildcards -f - ${qemu_black_list[*]} | gzip > "${nemu_tmp_tar}"
+mv -f "${nemu_tmp_tar}" "${nemu_tar}"

static-build/qemu.blacklist

@@ -0,0 +1,38 @@
+#
+# List of blacklisted files that are not
+# required in kata and may have CVEs.
+#
+qemu_black_list=(
+*/bin/qemu-pr-helper
+*/bin/virtfs-proxy-helper
+*/libexec/
+*/share/*/applications/
+*/share/*/*.dtb
+*/share/*/efi-e1000e.rom
+*/share/*/efi-e1000.rom
+*/share/*/efi-eepro100.rom
+*/share/*/efi-ne2k_pci.rom
+*/share/*/efi-pcnet.rom
+*/share/*/efi-rtl8139.rom
+*/share/*/efi-vmxnet3.rom
+*/share/*/icons/
+*/share/*/*.img
+*/share/*/keymaps/
+*/share/*/multiboot.bin
+*/share/*/openbios-ppc
+*/share/*/openbios-sparc32
+*/share/*/openbios-sparc64
+*/share/*/palcode-clipper
+*/share/*/ppc_rom.bin
+*/share/*/pvh.bin
+*/share/*/pxe-*
+*/share/*/QEMU,*
+*/share/*/qemu_vga.ndrv
+*/share/*/sgabios.bin
+*/share/*/skiboot.lid
+*/share/*/slof.bin
+*/share/*/spapr-rtas.bin
+*/share/*/trace-events-all
+*/share/*/u-boot*
+*/share/*/vgabios*
+)

static-build/qemu/Dockerfile

@@ -1,4 +1,4 @@
-from ubuntu:16.04
+from ubuntu:18.04
 
 ARG QEMU_REPO
 # commit/tag/branch
@@ -6,7 +6,7 @@ ARG QEMU_VERSION
 ARG PREFIX
 
 WORKDIR /root/qemu
-RUN apt-get update
+RUN apt-get update && apt-get upgrade -y
 RUN apt-get install -y \
 	    autoconf \
 	    automake \

static-build/qemu/build-static-qemu.sh

@@ -11,9 +11,11 @@ set -o pipefail
 script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 
 source "${script_dir}/../../scripts/lib.sh"
+source "${script_dir}/../qemu.blacklist"
 
 packaging_dir="${script_dir}/../.."
 qemu_tar="kata-qemu-static.tar.gz"
+qemu_tmp_tar="kata-qemu-static-tmp.tar.gz"
 
 qemu_repo="${qemu_repo:-}"
 qemu_version="${qemu_version:-}"
@@ -39,6 +41,7 @@ https_proxy="${https_proxy:-}"
 prefix="${prefix:-"/opt/kata"}"
 
 sudo docker build \
+	--no-cache \
 	--build-arg http_proxy="${http_proxy}" \
 	--build-arg https_proxy="${https_proxy}" \
 	--build-arg QEMU_REPO="${qemu_repo}" \
@@ -54,3 +57,7 @@ sudo docker run \
 	mv "/tmp/qemu-static/${qemu_tar}" /share/
 
 sudo chown ${USER}:${USER} "${PWD}/${qemu_tar}"
+
+# Remove blacklisted binaries
+gzip -d < "${qemu_tar}" | tar --delete --wildcards -f - ${qemu_black_list[*]} | gzip > "${qemu_tmp_tar}"
+mv -f "${qemu_tmp_tar}" "${qemu_tar}"