@haircommander
Member

@haircommander haircommander commented May 28, 2024

What type of PR is this?

What this PR does / why we need it:

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Fix CVE-2024-5154 where a malicious container image could make a symlink of `/proc/mounts` on the host, out of the container's rootfs

@haircommander haircommander requested a review from mrunalp as a code owner May 28, 2024 18:52
@openshift-ci openshift-ci bot added the release-note and dco-signoff: yes labels May 28, 2024
@openshift-ci openshift-ci bot added the approved and dco-signoff: no labels and removed the dco-signoff: yes label May 28, 2024
@openshift-ci openshift-ci bot added the dco-signoff: yes label and removed the dco-signoff: no label May 28, 2024
@haircommander
Member Author

@eriksjolund @kwilczynski can you check the newest version? /etc/mtab was already being linked somewhere somehow, and so CI was failing. This should cover that.

@eriksjolund

LGTM

@kwilczynski
Contributor

/retest

@haircommander
Member Author

/cherry-pick release-1.30,release-1.29

@openshift-cherrypick-robot

@haircommander: once the present PR merges, I will cherry-pick it on top of release-1.30,release-1.29 in a new PR and assign it to you.

In response to this:

/cherry-pick release-1.30,release-1.29

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@haircommander
Member Author

/retest

@kwilczynski
Contributor

/approve
/lgtm

Thank you for the help @haircommander and @eriksjolund 🎉

@openshift-ci openshift-ci bot added the lgtm label May 29, 2024
@saschagrunert
Member

/retest

@openshift-ci openshift-ci bot removed the lgtm label May 30, 2024
Krzysztof Wilczyński and others added 2 commits May 30, 2024 10:23
@openshift-ci openshift-ci bot added the dco-signoff: yes label and removed the dco-signoff: no label May 30, 2024
@kwilczynski
Contributor

/test ci-e2e-conmonrs

@haircommander
Member Author

/retest

Member

@sohankunkerkar sohankunkerkar left a comment

/lgtm

@openshift-ci openshift-ci bot added the lgtm label May 30, 2024
@openshift-ci
Contributor

openshift-ci bot commented May 30, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: haircommander, kwilczynski, sohankunkerkar

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@sohankunkerkar
Member

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold label May 30, 2024
@sohankunkerkar
Member

Let's get this PR in as it addresses a CVE. We can expect the unit test failures to disappear once the rebase happens.

/unhold

@openshift-ci openshift-ci bot removed the do-not-merge/hold label May 30, 2024
@kwilczynski
Contributor

/test e2e-aws-ovn

@openshift-merge-bot openshift-merge-bot bot merged commit 5e2cc98 into cri-o:main May 30, 2024
@openshift-cherrypick-robot

@haircommander: cannot checkout release-1.30,release-1.29: error checking out "release-1.30,release-1.29": exit status 1 error: pathspec 'release-1.30,release-1.29' did not match any file(s) known to git

In response to this:

/cherry-pick release-1.30,release-1.29

@haircommander
Member Author

/cherry-pick release-1.30
/cherry-pick release-1.29

@openshift-cherrypick-robot

@haircommander: new pull request created: #8231

In response to this:

/cherry-pick release-1.30
/cherry-pick release-1.29

@kwilczynski
Contributor

/test ci-e2e-conmonrs

Labels

approved, dco-signoff: yes, kind/bug, lgtm, release-note

6 participants