From c0e9afa438a12728a1c4251e9552d320ebdb5268 Mon Sep 17 00:00:00 2001
From: zhongjiawei
Date: Fri, 2 Aug 2024 16:33:24 +0800
Subject: [PATCH] docker:add clone3 seccomp whitelist for arm64

(cherry picked from commit 36446e9c94c779506c0d37b582a8b4330afeaaa1)
---
 VERSION-vendor | 2 +-
 docker.spec | 8 +++-
 git-commit | 2 +-
 ...d-clone3-seccomp-whitelist-for-arm64.patch | 41 +++++++++++++++++++
 series.conf | 1 +
 5 files changed, 51 insertions(+), 3 deletions(-)
 create mode 100644 patch/0278-docker-add-clone3-seccomp-whitelist-for-arm64.patch

diff --git a/VERSION-vendor b/VERSION-vendor
index 0c7afba..ce0f4a7 100644
--- a/VERSION-vendor
+++ b/VERSION-vendor
@@ -1 +1 @@
-18.09.0.339
+18.09.0.340
diff --git a/docker.spec b/docker.spec
index 6a520e2..52b693b 100644
--- a/docker.spec
+++ b/docker.spec
@@ -1,6 +1,6 @@
 Name: docker-engine
 Version: 18.09.0
-Release: 339
+Release: 340
 Epoch: 2
 Summary: The open-source application container engine
 Group: Tools/Docker
@@ -227,6 +227,12 @@ fi
 %endif
 
 %changelog
+* Fri Aug 02 2024 zhongjiawei - 2:18.09.0-340
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:add clone3 seccomp whitelist for arm64
+
 * Fri Jul 26 2024 zhongjiawei - 18.09.0-339
 - Type:CVE
 - CVE:CVE-2024-41110
diff --git a/git-commit b/git-commit
index e388660..10194d5 100644
--- a/git-commit
+++ b/git-commit
@@ -1 +1 @@
-bb54f3063f3fc856630a6f3d5a52bf065d5eb045
+29173030b7e118013ed3e8a3773492c40928bb9c
diff --git a/patch/0278-docker-add-clone3-seccomp-whitelist-for-arm64.patch b/patch/0278-docker-add-clone3-seccomp-whitelist-for-arm64.patch
new file mode 100644
index 0000000..282c7bb
--- /dev/null
+++ b/patch/0278-docker-add-clone3-seccomp-whitelist-for-arm64.patch
@@ -0,0 +1,41 @@
+From c2bc614038532cfbd1db9bfe8ff3949b1867a5c5 Mon Sep 17 00:00:00 2001
+From: zhongjiawei
+Date: Fri, 2 Aug 2024 16:26:00 +0800
+Subject: [PATCH] docker:add clone3 seccomp whitelist for arm64
+
+---
+ components/engine/profiles/seccomp/seccomp_default.go | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/components/engine/profiles/seccomp/seccomp_default.go b/components/engine/profiles/seccomp/seccomp_default.go
+index 2c670623..a90e441c 100644
+--- a/components/engine/profiles/seccomp/seccomp_default.go
++++ b/components/engine/profiles/seccomp/seccomp_default.go
+@@ -482,7 +482,6 @@ func DefaultProfile() *types.Seccomp {
+ {
+ Names: []string{
+ "modify_ldt",
+- "clone3",
+ },
+ Action: types.ActAllow,
+ Args: []*types.Arg{},
+@@ -490,6 +489,16 @@ func DefaultProfile() *types.Seccomp {
+ Arches: []string{"amd64", "x32", "x86"},
+ },
+ },
++ {
++ Names: []string{
++ "clone3",
++ },
++ Action: types.ActAllow,
++ Args: []*types.Arg{},
++ Includes: types.Filter{
++ Arches: []string{"arm64", "amd64", "x32", "x86"},
++ },
++ },
+ {
+ Names: []string{
+ "s390_pci_mmio_read",
+-- 
+2.33.0
+
diff --git a/series.conf b/series.conf
index 1ae40a6..df25d03 100644
--- a/series.conf
+++ b/series.conf
@@ -275,4 +275,5 @@ patch/0274-docker-fix-CVE-2024-29018.patch
 patch/0275-backport-fix-CVE-2024-32473.patch
 patch/0276-docker-Ignore-SIGURG-on-Linux.patch
 patch/0277-backport-fix-CVE-2024-41110.patch
+patch/0278-docker-add-clone3-seccomp-whitelist-for-arm64.patch
 #end
-- 
Gitee
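Review bot: The new `clone3` entry in the inner hunk `@@ -490,6 +489,16 @@` allows the syscall unconditionally (`Action: types.ActAllow`, empty `Args`, no `Caps` filter), so whatever argument filter this profile places on `clone` — the stock 18.09 profile masks the namespace flags for containers without CAP_SYS_ADMIN, but that rule is outside the hunk, so this is inferred — no longer constrains process creation, because clone3 takes its flags through a `struct clone_args` pointer that seccomp cannot inspect. The x86 family already had this exposure through the `modify_ldt` grouping the commit removes; the change extends it to arm64 rather than closing it. Upstream's resolution for glibc 2.34+ images is to return ENOSYS for clone3 when CAP_SYS_ADMIN is absent (the profile's default EPERM does not trigger glibc's fallback to the filtered `clone`) and to allow clone3 only with CAP_SYS_ADMIN, which needs an `ErrnoRet` field on `types.Syscall` that this 18.09 tree may not carry, so backporting that field would be the prerequisite. Failing that, the entry should at least record the bypass as intentional, e.g. `Comment: "clone3 flags live in clone_args and cannot be filtered; this allow bypasses the clone flag filter"`. `DefaultProfile` begins and ends outside the hunk.
```go
// … unchanged: modify_ldt entry and the rules before it …
{
	// Privileged containers may use clone3 directly; the flags it carries in
	// clone_args are not inspectable by seccomp, so this is only safe where
	// clone itself is also unfiltered (CAP_SYS_ADMIN).
	Names: []string{
		"clone3",
	},
	Action: types.ActAllow,
	Args:   []*types.Arg{},
	Includes: types.Filter{
		Caps:   []string{"CAP_SYS_ADMIN"},
		Arches: []string{"arm64", "amd64", "x32", "x86"},
	},
},
{
	// Without CAP_SYS_ADMIN answer ENOSYS rather than EPERM: glibc >= 2.34
	// falls back to the (flag-filtered) clone syscall only on ENOSYS.
	Names: []string{
		"clone3",
	},
	Action:   types.ActErrno,
	ErrnoRet: &enosys, // uint(38); requires ErrnoRet support in types.Syscall
	Excludes: types.Filter{
		Caps: []string{"CAP_SYS_ADMIN"},
	},
},
// … unchanged: s390_pci_mmio_read entry and the rules after it …
```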