[v0.10][MCR v23][Backport] 4600 4602 4603 4604 #1
Compare: 4b337d6 to 1a47866
I think this looks good to me. Pretty big update to runc though, isn't it?
These are exactly for buildkit CVEs, not for runc, except the latest one, which is a bit related.
Repeat a PR, get repeat code reviews.
Why 7a3af2a? I'm sure you have a very good reason for refactoring that file in this PR. But I can't read your mind. Please document your rationale in the commit message.
@@ -25,8 +26,8 @@ import ( | |||
"golang.org/x/sync/errgroup" | |||
) | |||
|
|||
func llbBridgeToGatewayClient(ctx context.Context, llbBridge frontend.FrontendLLBBridge, opts map[string]string, inputs map[string]*opspb.Definition, w worker.Infos, sid string, sm *session.Manager) (*bridgeClient, error) { | |||
bc := &bridgeClient{ | |||
func LLBBridgeToGatewayClient(ctx context.Context, llbBridge frontend.FrontendLLBBridge, exec executor.Executor, opts map[string]string, inputs map[string]*opspb.Definition, w worker.Infos, sid string, sm *session.Manager) (*BridgeClient, error) { |
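Review bot: The signature change at the end of this hunk bundles two independent API changes: the function is exported (llbBridgeToGatewayClient becomes LLBBridgeToGatewayClient, now returning *BridgeClient) and it gains a new `exec executor.Executor` parameter. Nothing in the hunk shows the callers or the reason for the rename, so the commit message should state why the executor is now passed in explicitly instead of being reached through the worker controller, and every call site of the old unexported name must be updated in the same commit or the package will not build.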
That is needed for breaking a dependency loop.
What dependency loop? What kind of dependency loop? How does renaming a function from unexported to exported help? I don't understand.
Done
Running interactive container APIs was done by giving the gateway implementation access to worker controller directly, but it should be passed with a build job instead.
Signed-off-by: Tonis Tiigi <[email protected]>
(cherry picked from commit 0971dffaab93d91e51af984b44c745b35b3c5b4d)
(cherry picked from commit 564f884e7bb6db9c63e03c3b081ea71e15aa7980)
(cherry picked from commit 5026d95)
Signed-off-by: Andrey Epifanov <[email protected]>
`bridgeClient` is made exported since exported func LLBBridgeToGatewayClient should have exported-return
Signed-off-by: Andrey Epifanov <[email protected]>
# Conflicts:
# executor/executor.go
# frontend/gateway/container/container.go
# frontend/gateway/forwarder/forward.go
# frontend/gateway/forwarder/frontend.go
# frontend/gateway/gateway.go
# solver/llbsolver/bridge.go
# solver/llbsolver/provenance.go
# solver/llbsolver/solver.go
# worker/workercontroller.go

Ensure interactive calls validate same conditions that the build requests do. Refactor of the build side is to ensure we use the same validation function for both cases. There was no validation issue with the LLB validation.
Signed-off-by: Tonis Tiigi <[email protected]>
(cherry picked from commit d1970522d7145be5f4a1f1a028b1910bb527126c)
(cherry picked from commit e1e30278d0a491dfd34bd80fa66b54106614cffa)
(cherry picked from commit 92cc595)
Signed-off-by: Andrey Epifanov <[email protected]>
# Conflicts:
# client/build_test.go
# solver/llbsolver/bridge.go

Fix issue 3148
Signed-off-by: Akihiro Suda <[email protected]>
(cherry picked from commit 0b5a315)
Signed-off-by: Andrey Epifanov <[email protected]>
# Conflicts:
# client/client_test.go

On Linux, an empty directory is usually 4096 bytes, not 0, so we need an additional explicit check here.
Signed-off-by: Justin Chadwell <[email protected]>
(cherry picked from commit 6778973)
Signed-off-by: Andrey Epifanov <[email protected]>
# Conflicts:
# client/client_test.go
Signed-off-by: Justin Chadwell <[email protected]>
(cherry picked from commit 32b5e4d)

Signed-off-by: Tonis Tiigi <[email protected]>
(cherry picked from commit 96ccaec09c51176a6d954fd7c4ce57d519bae1b2)
(cherry picked from commit a9523c6476f39bb44dd02bcab19e8cb25c5bc37b)
(cherry picked from commit 00fe637)
Signed-off-by: Andrey Epifanov <[email protected]>
# Conflicts:
# executor/stubs.go

Signed-off-by: Tonis Tiigi <[email protected]>
(cherry picked from commit 42d866e)
(cherry picked from commit e81066f8a8623dc876f3d64fae8f693c17ecdc1a)
(cherry picked from commit d089e0b)

While submount paths were already validated there are some cases where the parent mount may not be immutable while the submount is created.
Signed-off-by: Tonis Tiigi <[email protected]>
(cherry picked from commit 2529ec4121bcd8c35bcd96218083da175c2e5b77)
(cherry picked from commit cbc233b3b695918d92fd5b1407b829296c53db70)
(cherry picked from commit f781267)
Signed-off-by: Andrey Epifanov <[email protected]>
# Conflicts:
# executor/oci/spec.go
# executor/oci/spec_windows.go
# snapshot/localmounter_unix.go

Signed-off-by: CrazyMax <[email protected]>
(cherry picked from commit 5955ccf)
Signed-off-by: Andrey Epifanov <[email protected]>
# Conflicts:
# Dockerfile

Signed-off-by: Tonis Tiigi <[email protected]>
(cherry picked from commit bac3f2b)
Signed-off-by: Andrey Epifanov <[email protected]>
# Conflicts:
# Dockerfile
Compare: b1d2785 to e364de6
I can't vouch for whether the patches resolve the security vulnerabilities, but the backports look clean and reasonable.
Backport of CVE fixes:
4600 - CVE-2024-21626 GHSA-xr7r-f8xq-vfvv
4602 - CVE-2024-23653 GHSA-wr6v-9f75-vh2g
4603 - CVE-2024-23652 GHSA-4v98-7qmw-rqr8
4604 - CVE-2024-23651 GHSA-m3r6-h7wv-7xxv
Backports of refactoring for smooth application of the CVE fixes:
MountStubsCleaner: preserve timestamps - 0b5a315
executor: stubs cleaner should remove empty directory mounts - 6778973
chore: tidy atime_unix.go to use errors pkg - 32b5e4d
Fix cross tests for ppc64le
Dockerfile: update xx to 1.3.0 - 5955cc