diff -Nru docker.io-20.10.21/debian/changelog docker.io-20.10.21/debian/changelog --- docker.io-20.10.21/debian/changelog 2024-01-18 04:34:37.000000000 +0000 +++ docker.io-20.10.21/debian/changelog 2024-02-28 08:47:24.000000000 +0000 @@ -1,3 +1,24 @@ +docker.io (20.10.21-0ubuntu1~20.04.6~test1) focal-security; urgency=medium + + * SECURITY UPDATE: denial-of-service + - debian/patches/CVE-2024-23650.patch: Add more validations for nil + values + - CVE-2024-23650 + * SECURITY UPDATE: race condition with accessing subpaths from cache mounts + - debian/patches/CVE-2024-23651.patch: add extra validation for submount + sources + - CVE-2024-23651 + * SECURITY UPDATE: container escape vulnerability + - debian/patches/CVE-2024-23652.patch: recheck mount stub path within + root after container run + - CVE-2024-23652 + * SECURITY UPDATE: run a container with elevated privileges issue + - debian/patches/CVE-2024-23653.patch: make sure interactive container + API validates entitlements + - CVE-2024-23653 + + -- Nishit Majithia Wed, 28 Feb 2024 14:17:24 +0530 + docker.io (20.10.21-0ubuntu1~20.04.5) focal-security; urgency=medium * No change rebuild due to golang-1.20, golang-1.21 updates diff -Nru docker.io-20.10.21/debian/patches/CVE-2024-23650.patch docker.io-20.10.21/debian/patches/CVE-2024-23650.patch --- docker.io-20.10.21/debian/patches/CVE-2024-23650.patch 1970-01-01 00:00:00.000000000 +0000 +++ docker.io-20.10.21/debian/patches/CVE-2024-23650.patch 2024-02-22 05:49:20.000000000 +0000 
@@ -0,0 +1,111 @@ +[Ubuntu note: backport to ubuntu version. These files doesnt exist or the + affected code not present in these version of embedded buildkit: + - client_test.go + - writer.go + - parse.go + - bridge.go + - solver.go + - matcher.go + - attestation.go + - attribute.go + - span.go + + Removing all the changes on above files form this patch] + +From 6495c2bda891abb063a6474685a0fcad30da3269 Mon Sep 17 00:00:00 2001 +From: Tonis Tiigi +Date: Sun, 17 Dec 2023 17:18:08 -0800 +Subject: [PATCH 1/5] exporter: validate null config metadata from gateway + +Signed-off-by: Tonis Tiigi +(cherry picked from commit ef536af15b2d351b8f0459022decc2a4955b1cb2) +--- + client/client_test.go | 2 +- + client/validation_test.go | 54 +++++++++++++++++++++++++++++++ + exporter/containerimage/writer.go | 9 ++++++ + 3 files changed, 64 insertions(+), 1 deletion(-) + create mode 100644 client/validation_test.go + + +From 63664239f39d6a6643d442c8ae89137011b29e39 Mon Sep 17 00:00:00 2001 +From: Tonis Tiigi +Date: Sun, 17 Dec 2023 17:40:36 -0800 +Subject: [PATCH 2/5] exporter: add validation for invalid platorm + +Signed-off-by: Tonis Tiigi +(cherry picked from commit d293ec3208f87fefab7a1caadffa3f3f50604796) +--- + client/client_test.go | 3 ++ + client/validation_test.go | 49 +++++++++++++++++++++++++++++++ + exporter/containerimage/writer.go | 7 +++++ + 3 files changed, 59 insertions(+) + + +From 8dfaf014d7f9721b501f99ab0aeb9f0ed957948d Mon Sep 17 00:00:00 2001 +From: Tonis Tiigi +Date: Sun, 17 Dec 2023 20:43:57 -0800 +Subject: [PATCH 3/5] exporter: add validation for platforms key value + +Signed-off-by: Tonis Tiigi +(cherry picked from commit 432ece72ae124ce8a29ced6854a08206f09f3a73) +--- + client/validation_test.go | 110 ++++++++++++++++++++++ + exporter/containerimage/exptypes/parse.go | 14 +++ + 2 files changed, 124 insertions(+) + + +From e11862c24df3cea41d14fa76106ff5a8ad3f0bff Mon Sep 17 00:00:00 2001 +From: Tonis Tiigi +Date: Sun, 17 Dec 2023 22:49:42 -0800 +Subject: 
[PATCH 4/5] sourcepolicy: add validations for nil values + +Signed-off-by: Tonis Tiigi +(cherry picked from commit 4e2569e796aae398648082689d70ca1d4f4f74a8) +--- + client/validation_test.go | 103 +++++++++++++++++++++++++++++++++++++ + solver/llbsolver/bridge.go | 8 +++ + solver/llbsolver/solver.go | 23 +++++++++ + sourcepolicy/matcher.go | 3 ++ + 4 files changed, 137 insertions(+) + + +From 5d7d85f5a0388bb0faa0d9250f96b35814cff1f9 Mon Sep 17 00:00:00 2001 +From: Tonis Tiigi +Date: Sun, 17 Dec 2023 23:39:51 -0800 +Subject: [PATCH 5/5] pb: add extra validation to protobuf types + +Signed-off-by: Tonis Tiigi +(cherry picked from commit 838635998dcae34bbde59e3eab129ab85bd37bef) +--- + client/validation_test.go | 9 ++++++--- + control/control.go | 3 +++ + frontend/gateway/client/attestation.go | 6 ++++++ + frontend/gateway/gateway.go | 15 +++++++++++++++ + util/tracing/transform/attribute.go | 21 ++++++++++++++++----- + util/tracing/transform/span.go | 23 +++++++++++++++++++---- + 6 files changed, 65 insertions(+), 12 deletions(-) + +--- docker.io-20.10.21.orig/engine/vendor/github.com/moby/buildkit/control/control.go ++++ docker.io-20.10.21/engine/vendor/github.com/moby/buildkit/control/control.go +@@ -266,6 +266,9 @@ func (c *Controller) Solve(ctx context.C + cacheExportMode = parseCacheExportMode(e.Attrs["mode"]) + } + for _, im := range req.Cache.Imports { ++ if im == nil { ++ continue ++ } + cacheImports = append(cacheImports, frontend.CacheOptionsEntry{ + Type: im.Type, + Attrs: im.Attrs, +--- docker.io-20.10.21.orig/engine/vendor/github.com/moby/buildkit/frontend/gateway/gateway.go ++++ docker.io-20.10.21/engine/vendor/github.com/moby/buildkit/frontend/gateway/gateway.go +@@ -556,6 +556,9 @@ func (lbf *llbBridgeForwarder) Solve(ctx + } + var cacheImports []frontend.CacheOptionsEntry + for _, e := range req.CacheImports { ++ if e == nil { ++ return nil, errors.Errorf("invalid nil cache import") ++ } + cacheImports = append(cacheImports, 
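Review bot: The nil guard added to the `req.Cache.Imports` loop in Controller.Solve silently drops the entry with `continue`, while the equivalent guard added to `req.CacheImports` in llbBridgeForwarder.Solve (the gateway.go hunk that follows) rejects the request with `errors.Errorf("invalid nil cache import")`. A nil import is a malformed client message, and skipping it quietly means the build proceeds with fewer cache sources than requested and no diagnostic. Unless a nil entry is legitimately expected here, returning the same error as the gateway hunk would be consistent; otherwise a short comment above the `continue` stating why skipping is acceptable would help the next reader. Controller.Solve continues outside the hunk.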
frontend.CacheOptionsEntry{ + Type: e.Type, + Attrs: e.Attrs, diff -Nru docker.io-20.10.21/debian/patches/CVE-2024-23651.patch docker.io-20.10.21/debian/patches/CVE-2024-23651.patch --- docker.io-20.10.21/debian/patches/CVE-2024-23651.patch 1970-01-01 00:00:00.000000000 +0000 +++ docker.io-20.10.21/debian/patches/CVE-2024-23651.patch 2024-02-22 07:34:35.000000000 +0000 
@@ -0,0 +1,320 @@ +From c82ace1296850847bcbdebe7a8af627f58eae41b Mon Sep 17 00:00:00 2001 +From: Tonis Tiigi +Date: Tue, 19 Dec 2023 20:23:10 -0800 +Subject: [PATCH] exec: add extra validation for submount sources + +While submount paths were already validated there are some +cases where the parent mount may not be immutable while the +submount is created. + +Signed-off-by: Tonis Tiigi +(cherry picked from commit 2529ec4121bcd8c35bcd96218083da175c2e5b77) +--- + executor/oci/spec.go | 30 ++++++++++++-------- + executor/oci/spec_freebsd.go | 11 ++++++++ + executor/oci/spec_linux.go | 47 ++++++++++++++++++++++++++++++++ + executor/oci/spec_windows.go | 11 ++++++++ + snapshot/localmounter.go | 35 ++++++++++++++++++------ + snapshot/localmounter_freebsd.go | 2 +- + snapshot/localmounter_linux.go | 45 +++++++++++++++++++++--------- + 7 files changed, 146 insertions(+), 35 deletions(-) + +--- docker.io-20.10.21.orig/engine/vendor/github.com/moby/buildkit/executor/oci/spec.go ++++ docker.io-20.10.21/engine/vendor/github.com/moby/buildkit/executor/oci/spec.go +@@ -9,7 +9,6 @@ import ( + "github.com/containerd/containerd/mount" + "github.com/containerd/containerd/namespaces" + "github.com/containerd/containerd/oci" +- "github.com/containerd/continuity/fs" + "github.com/docker/docker/pkg/idtools" + "github.com/mitchellh/hashstructure" + "github.com/moby/buildkit/executor" +@@ -145,6 +144,7 @@ func GenerateSpec(ctx context.Context, m + type mountRef struct { + mount mount.Mount + unmount func() error ++ subRefs map[string]mountRef + } + + type submounts struct { +@@ -163,10 +163,17 @@ func (s *submounts) subMount(m mount.Mou + return mount.Mount{}, nil + } + if mr, ok := s.m[h]; ok { +- sm, err := sub(mr.mount, subPath) ++ if sm, ok := mr.subRefs[subPath]; ok { ++ return sm.mount, nil ++ } ++ sm, unmount, err := sub(mr.mount, subPath) + if err != nil { + return mount.Mount{}, nil + } ++ mr.subRefs[subPath] = mountRef{ ++ mount: sm, ++ unmount: unmount, ++ } + return sm, nil + 
} + +@@ -191,12 +198,17 @@ func (s *submounts) subMount(m mount.Mou + Options: opts, + }, + unmount: lm.Unmount, ++ subRefs: map[string]mountRef{}, + } + +- sm, err := sub(s.m[h].mount, subPath) ++ sm, unmount, err := sub(s.m[h].mount, subPath) + if err != nil { + return mount.Mount{}, err + } ++ s.m[h].subRefs[subPath] = mountRef{ ++ mount: sm, ++ unmount: unmount, ++ } + return sm, nil + } + +@@ -206,6 +218,9 @@ func (s *submounts) cleanup() { + for _, m := range s.m { + func(m mountRef) { + go func() { ++ for _, sm := range m.subRefs { ++ sm.unmount() ++ } + m.unmount() + wg.Done() + }() +@@ -214,15 +229,6 @@ func (s *submounts) cleanup() { + wg.Wait() + } + +-func sub(m mount.Mount, subPath string) (mount.Mount, error) { +- src, err := fs.RootPath(m.Source, subPath) +- if err != nil { +- return mount.Mount{}, err +- } +- m.Source = src +- return m, nil +-} +- + func specMapping(s []idtools.IDMap) []specs.LinuxIDMapping { + var ids []specs.LinuxIDMapping + for _, item := range s { +--- docker.io-20.10.21.orig/engine/vendor/github.com/moby/buildkit/executor/oci/spec_unix.go ++++ docker.io-20.10.21/engine/vendor/github.com/moby/buildkit/executor/oci/spec_unix.go +@@ -5,16 +5,21 @@ package oci + + import ( + "context" ++ "strconv" + + "github.com/containerd/containerd/containers" ++ "github.com/containerd/containerd/mount" + "github.com/containerd/containerd/oci" + "github.com/docker/docker/pkg/idtools" + "github.com/docker/docker/profiles/seccomp" ++ "github.com/containerd/continuity/fs" ++ "github.com/moby/buildkit/snapshot" + "github.com/moby/buildkit/solver/pb" + "github.com/moby/buildkit/util/entitlements/security" + "github.com/moby/buildkit/util/system" + specs "github.com/opencontainers/runtime-spec/specs-go" + "github.com/opencontainers/selinux/go-selinux/label" ++ "golang.org/x/sys/unix" + ) + + func generateMountOpts(resolvConf, hostsFile string) ([]oci.SpecOpts, error) { +@@ -88,3 +93,45 @@ func withDefaultProfile() oci.SpecOpts { + return err + } + } 
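Review bot: In the first `subMount` hunk the error from the new `sub(mr.mount, subPath)` call is still discarded: the context lines right below it read `return mount.Mount{}, nil`, so when `sub` fails — including the new "unable to safely resolve subpath" rejection — the caller gets an empty mount and no error. The second call site in the same function (the `s.m[h].mount` branch) returns `err`, so the two paths disagree. The swallow pre-dates the patch, but the patch is precisely what makes `sub` fail for a safety reason, so the line should become `return mount.Mount{}, err`. The new cleanup loop also ignores the result of `sm.unmount()`, matching the existing treatment of `m.unmount()`; worth a one-line comment if that is deliberate. subMount's opening lines are outside the hunk.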
++ ++func sub(m mount.Mount, subPath string) (mount.Mount, func() error, error) { ++ var retries = 10 ++ root := m.Source ++ for { ++ src, err := fs.RootPath(root, subPath) ++ if err != nil { ++ return mount.Mount{}, nil, err ++ } ++ // similar to runc.WithProcfd ++ fh, err := os.OpenFile(src, unix.O_PATH|unix.O_CLOEXEC, 0) ++ if err != nil { ++ return mount.Mount{}, nil, err ++ } ++ ++ fdPath := "/proc/self/fd/" + strconv.Itoa(int(fh.Fd())) ++ if resolved, err := os.Readlink(fdPath); err != nil { ++ fh.Close() ++ return mount.Mount{}, nil, err ++ } else if resolved != src { ++ retries-- ++ if retries <= 0 { ++ fh.Close() ++ return mount.Mount{}, nil, errors.Errorf("unable to safely resolve subpath %s", subPath) ++ } ++ fh.Close() ++ continue ++ } ++ ++ m.Source = fdPath ++ lm := snapshot.LocalMounterWithMounts([]mount.Mount{m}, snapshot.ForceRemount()) ++ mp, err := lm.Mount() ++ if err != nil { ++ fh.Close() ++ return mount.Mount{}, nil, err ++ } ++ m.Source = mp ++ fh.Close() // release the fd, we don't need it anymore ++ ++ return m, lm.Unmount, nil ++ } ++} +--- docker.io-20.10.21.orig/engine/vendor/github.com/moby/buildkit/executor/oci/spec_windows.go ++++ docker.io-20.10.21/engine/vendor/github.com/moby/buildkit/executor/oci/spec_windows.go +@@ -4,6 +4,8 @@ + package oci + + import ( ++ "github.com/containerd/containerd/mount" ++ "github.com/containerd/continuity/fs" + "github.com/containerd/containerd/oci" + "github.com/docker/docker/pkg/idtools" + "github.com/moby/buildkit/solver/pb" +@@ -36,3 +38,12 @@ func generateIDmapOpts(idmap *idtools.Id + } + return nil, errors.New("no support for IdentityMapping on Windows") + } ++ ++func sub(m mount.Mount, subPath string) (mount.Mount, func() error, error) { ++ src, err := fs.RootPath(m.Source, subPath) ++ if err != nil { ++ return mount.Mount{}, nil, err ++ } ++ m.Source = src ++ return m, func() error { return nil }, nil ++} +--- 
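Review bot: The new `sub` in spec_unix.go calls `os.OpenFile`, `os.Readlink` and `errors.Errorf`, but the import hunk for this file shows the whole `import (` block and adds only `strconv`, `mount`, `fs`, `snapshot` and `unix` — neither `os` nor the errors package providing `Errorf` (buildkit uses `github.com/pkg/errors`, visible in the bridge.go imports later in this debdiff) is brought in, so unless the file has a second import declaration this backport will not compile. The upstream commit's file list places this code in spec_linux.go, so the imports that exist there were presumably not carried over. Adding `"os"` to the standard-library group and `"github.com/pkg/errors"` to the third-party group fixes it; `goimports` would also move `github.com/containerd/continuity/fs` into sorted position. A why-comment on the `resolved != src` comparison, e.g. `// re-read the path through the open fd; if it no longer matches src, a component changed underneath us (the parent mount may be mutable), so retry`, would make the retry loop easier to audit.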
docker.io-20.10.21.orig/engine/vendor/github.com/moby/buildkit/snapshot/localmounter.go ++++ docker.io-20.10.21/engine/vendor/github.com/moby/buildkit/snapshot/localmounter.go +@@ -11,22 +11,39 @@ type Mounter interface { + Unmount() error + } + ++type LocalMounterOpt func(*localMounter) ++ + // LocalMounter is a helper for mounting mountfactory to temporary path. In + // addition it can mount binds without privileges +-func LocalMounter(mountable Mountable) Mounter { +- return &localMounter{mountable: mountable} ++func LocalMounter(mountable Mountable, opts ...LocalMounterOpt) Mounter { ++ lm := &localMounter{mountable: mountable} ++ for _, opt := range opts { ++ opt(lm) ++ } ++ return lm + } + + // LocalMounterWithMounts is a helper for mounting to temporary path. In + // addition it can mount binds without privileges +-func LocalMounterWithMounts(mounts []mount.Mount) Mounter { +- return &localMounter{mounts: mounts} ++func LocalMounterWithMounts(mounts []mount.Mount, opts ...LocalMounterOpt) Mounter { ++ lm := &localMounter{mounts: mounts} ++ for _, opt := range opts { ++ opt(lm) ++ } ++ return lm + } + + type localMounter struct { +- mu sync.Mutex +- mounts []mount.Mount +- mountable Mountable +- target string +- release func() error ++ mu sync.Mutex ++ mounts []mount.Mount ++ mountable Mountable ++ target string ++ release func() error ++ forceRemount bool ++} ++ ++func ForceRemount() LocalMounterOpt { ++ return func(lm *localMounter) { ++ lm.forceRemount = true ++ } + } +--- docker.io-20.10.21.orig/engine/vendor/github.com/moby/buildkit/snapshot/localmounter_unix.go ++++ docker.io-20.10.21/engine/vendor/github.com/moby/buildkit/snapshot/localmounter_unix.go +@@ -6,6 +6,7 @@ package snapshot + import ( + "io/ioutil" + "os" ++ "path/filepath" + "syscall" + + "github.com/containerd/containerd/mount" +@@ -25,30 +26,48 @@ func (lm *localMounter) Mount() (string, + lm.release = release + } + ++ var isFile bool + if len(lm.mounts) == 1 && (lm.mounts[0].Type == 
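Review bot: `LocalMounterOpt` and `ForceRemount` are new exported identifiers without doc comments, and the existing comments on `LocalMounter`/`LocalMounterWithMounts` do not mention the new variadic options. Suggested: `// LocalMounterOpt configures the mounter returned by LocalMounter or LocalMounterWithMounts.` and `// ForceRemount makes Mount always bind-mount the source under a fresh temporary path instead of returning a writable bind source directly.` (the latter is what the `!lm.forceRemount` branch in localmounter_unix.go's Mount does). The same omission applies to `MountableRef` in executor.go, `Controller.Infos`/`infosController` in workercontroller.go, and `Set.Check`/`Values` in entitlements.go later in this debdiff.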
"bind" || lm.mounts[0].Type == "rbind") { +- ro := false +- for _, opt := range lm.mounts[0].Options { +- if opt == "ro" { +- ro = true +- break ++ if !lm.forceRemount { ++ ro := false ++ for _, opt := range lm.mounts[0].Options { ++ if opt == "ro" { ++ ro = true ++ break ++ } + } ++ if !ro { ++ return lm.mounts[0].Source, nil ++ } ++ } ++ fi, err := os.Stat(lm.mounts[0].Source) ++ if err != nil { ++ return "", err + } +- if !ro { +- return lm.mounts[0].Source, nil ++ if !fi.IsDir() { ++ isFile = true + } + } + +- dir, err := ioutil.TempDir("", "buildkit-mount") ++ dest, err := ioutil.TempDir("", "buildkit-mount") + if err != nil { + return "", errors.Wrap(err, "failed to create temp dir") + } + +- if err := mount.All(lm.mounts, dir); err != nil { +- os.RemoveAll(dir) +- return "", errors.Wrapf(err, "failed to mount %s: %+v", dir, lm.mounts) ++ if isFile { ++ dest = filepath.Join(dest, "file") ++ if err := os.WriteFile(dest, []byte{}, 0644); err != nil { ++ os.RemoveAll(dest) ++ return "", errors.Wrap(err, "failed to create temp file") ++ } ++ } ++ ++ if err := mount.All(lm.mounts, dest); err != nil { ++ os.RemoveAll(dest) ++ return "", errors.Wrapf(err, "failed to mount %s: %+v", dest, lm.mounts) + } +- lm.target = dir +- return dir, nil ++ lm.target = dest ++ return dest, nil + } + + func (lm *localMounter) Unmount() error { diff -Nru docker.io-20.10.21/debian/patches/CVE-2024-23652.patch docker.io-20.10.21/debian/patches/CVE-2024-23652.patch --- docker.io-20.10.21/debian/patches/CVE-2024-23652.patch 1970-01-01 00:00:00.000000000 +0000 +++ docker.io-20.10.21/debian/patches/CVE-2024-23652.patch 2024-02-22 09:44:41.000000000 +0000 
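Review bot: In the `isFile` path of `Mount`, `dest` is reassigned to the `file` entry inside the temp directory, so both later failure cleanups `os.RemoveAll(dest)` delete only that stub file and leave the `buildkit-mount` temp directory behind on every failed file bind. Keeping the directory in its own variable and removing that on failure fixes the leak while the mount target stays `dest`. `Unmount` is outside the hunk; if it also removes `lm.target`, it has the same problem for the file case and would need the directory as well.
```go
	dir, err := ioutil.TempDir("", "buildkit-mount")
	if err != nil {
		return "", errors.Wrap(err, "failed to create temp dir")
	}

	dest := dir
	if isFile {
		dest = filepath.Join(dir, "file")
		if err := os.WriteFile(dest, []byte{}, 0644); err != nil {
			os.RemoveAll(dir)
			return "", errors.Wrap(err, "failed to create temp file")
		}
	}

	if err := mount.All(lm.mounts, dest); err != nil {
		os.RemoveAll(dir)
		return "", errors.Wrapf(err, "failed to mount %s: %+v", dest, lm.mounts)
	}
	// … unchanged: lm.target = dest; return dest, nil …
```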
@@ -0,0 +1,36 @@ +[Ubuntu note: backporting the patch for this ubuntu release] + +From 23bebc4a180b84ba18733f545e7559e10c439ac3 Mon Sep 17 00:00:00 2001 +From: Tonis Tiigi +Date: Tue, 12 Dec 2023 18:41:21 -0800 +Subject: [PATCH] executor: recheck mount stub path within root after container + run + +Signed-off-by: Tonis Tiigi +(cherry picked from commit 96ccaec09c51176a6d954fd7c4ce57d519bae1b2) +--- + executor/stubs.go | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +--- docker.io-20.10.21.orig/engine/vendor/github.com/moby/buildkit/executor/stubs.go ++++ docker.io-20.10.21/engine/vendor/github.com/moby/buildkit/executor/stubs.go +@@ -4,6 +4,7 @@ import ( + "errors" + "os" + "path/filepath" ++ "strings" + "syscall" + + "github.com/containerd/continuity/fs" +@@ -36,6 +37,11 @@ func MountStubsCleaner(dir string, mount + + return func() { + for _, p := range paths { ++ p, err := fs.RootPath(dir, strings.TrimPrefix(p, dir)) ++ if err != nil { ++ continue ++ } ++ + st, err := os.Lstat(p) + if err != nil { + continue diff -Nru docker.io-20.10.21/debian/patches/CVE-2024-23653.patch docker.io-20.10.21/debian/patches/CVE-2024-23653.patch --- docker.io-20.10.21/debian/patches/CVE-2024-23653.patch 1970-01-01 00:00:00.000000000 +0000 +++ docker.io-20.10.21/debian/patches/CVE-2024-23653.patch 2024-02-22 11:54:42.000000000 +0000 
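Review bot: The re-resolution added at the top of the cleanup closure has no comment saying why the previously computed path cannot be trusted, which is the whole point of this fix. Suggested, above the `fs.RootPath` call: `// The container has run since these stub paths were computed and may have changed a path component; resolve again relative to dir so the removal below cannot escape the root.` The `continue` on error matches the existing `Lstat` handling in this closure. `strings.TrimPrefix(p, dir)` assumes every entry of `paths` was built as `dir` joined with a relative path; if that is not guaranteed by the code above the hunk, `filepath.Rel` would be the safer conversion. MountStubsCleaner's beginning and the rest of the closure are outside the hunk.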
@@ -0,0 +1,474 @@ +From 0c5daa23277e9e1fa8b2d794903cd97df95496fb Mon Sep 17 00:00:00 2001 +From: Tonis Tiigi +Date: Tue, 12 Dec 2023 13:42:46 -0800 +Subject: [PATCH 1/2] gateway: pass executor with build and not access worker + directly + +Running interactive container APIs was done by giving +the gateway implementation access to worker controller +directly, but it should be passed with a build job instead. + +Signed-off-by: Tonis Tiigi +(cherry picked from commit 0971dffaab93d91e51af984b44c745b35b3c5b4d) +--- + cmd/buildkitd/main.go | 4 ++-- + executor/executor.go | 10 ++++++-- + frontend/frontend.go | 3 ++- + frontend/gateway/container/container.go | 9 ++++--- + frontend/gateway/forwarder/forward.go | 9 ++++--- + frontend/gateway/forwarder/frontend.go | 5 ++-- + frontend/gateway/gateway.go | 29 ++++++++++------------ + snapshot/snapshotter.go | 7 ++---- + solver/llbsolver/bridge.go | 32 +++++++++++++++++++++++++ + solver/llbsolver/provenance.go | 2 +- + solver/llbsolver/solver.go | 2 +- + worker/worker.go | 2 +- + worker/workercontroller.go | 23 ++++++++++++++++++ + 13 files changed, 98 insertions(+), 39 deletions(-) + +--- docker.io-20.10.21.orig/engine/vendor/github.com/moby/buildkit/executor/executor.go ++++ docker.io-20.10.21/engine/vendor/github.com/moby/buildkit/executor/executor.go +@@ -5,6 +5,8 @@ import ( + "io" + "net" + ++ "github.com/containerd/containerd/mount" ++ "github.com/docker/docker/pkg/idtools" + "github.com/moby/buildkit/snapshot" + "github.com/moby/buildkit/solver/pb" + ) +@@ -22,8 +24,13 @@ type Meta struct { + SecurityMode pb.SecurityMode + } + ++type MountableRef interface { ++ Mount() ([]mount.Mount, func() error, error) ++ IdentityMapping() *idtools.IdentityMapping ++} ++ + type Mountable interface { +- Mount(ctx context.Context, readonly bool) (snapshot.Mountable, error) ++ Mount(ctx context.Context, readonly bool) (MountableRef, error) + } + + type Mount struct { +--- 
docker.io-20.10.21.orig/engine/vendor/github.com/moby/buildkit/frontend/frontend.go ++++ docker.io-20.10.21/engine/vendor/github.com/moby/buildkit/frontend/frontend.go +@@ -4,6 +4,7 @@ import ( + "context" + + "github.com/moby/buildkit/client/llb" ++ "github.com/moby/buildkit/executor" + gw "github.com/moby/buildkit/frontend/gateway/client" + "github.com/moby/buildkit/session" + "github.com/moby/buildkit/solver/pb" +@@ -11,7 +12,7 @@ import ( + ) + + type Frontend interface { +- Solve(ctx context.Context, llb FrontendLLBBridge, opt map[string]string, inputs map[string]*pb.Definition, sid string, sm *session.Manager) (*Result, error) ++ Solve(ctx context.Context, llb FrontendLLBBridge, exec executor.Executor, opt map[string]string, inputs map[string]*pb.Definition, sid string, sm *session.Manager) (*Result, error) + } + + type FrontendLLBBridge interface { +--- docker.io-20.10.21.orig/engine/vendor/github.com/moby/buildkit/frontend/gateway/container.go ++++ docker.io-20.10.21/engine/vendor/github.com/moby/buildkit/frontend/gateway/container.go +@@ -40,7 +40,7 @@ type Mount struct { + WorkerRef *worker.WorkerRef + } + +-func NewContainer(ctx context.Context, w worker.Worker, sm *session.Manager, g session.Group, req NewContainerRequest) (client.Container, error) { ++func NewContainer(ctx context.Context, cm cache.Manager, exec executor.Executor, sm *session.Manager, g session.Group, req NewContainerRequest) (client.Container, error) { + ctx, cancel := context.WithCancel(ctx) + eg, ctx := errgroup.WithContext(ctx) + platform := opspb.Platform{ +@@ -54,7 +54,7 @@ func NewContainer(ctx context.Context, w + id: req.ContainerID, + netMode: req.NetMode, + platform: platform, +- executor: w.Executor(), ++ executor: exec, + errGroup: eg, + ctx: ctx, + cancel: cancel, +@@ -75,9 +75,8 @@ func NewContainer(ctx context.Context, w + } + + name := fmt.Sprintf("container %s", req.ContainerID) +- mm := mounts.NewMountManager(name, w.CacheManager(), sm, w.MetadataStore()) +- p, err 
:= PrepareMounts(ctx, mm, w.CacheManager(), g, "", mnts, refs, func(m *opspb.Mount, ref cache.ImmutableRef) (cache.MutableRef, error) { +- cm := w.CacheManager() ++ mm := mounts.NewMountManager(name, cm, sm) ++ p, err := PrepareMounts(ctx, mm, cm, g, "", mnts, refs, func(m *opspb.Mount, ref cache.ImmutableRef) (cache.MutableRef, error) { + if m.Input != opspb.Empty { + cm = refs[m.Input].Worker.CacheManager() + } +--- docker.io-20.10.21.orig/engine/vendor/github.com/moby/buildkit/frontend/gateway/forwarder/forward.go ++++ docker.io-20.10.21/engine/vendor/github.com/moby/buildkit/frontend/gateway/forwarder/forward.go +@@ -6,6 +6,7 @@ import ( + + cacheutil "github.com/moby/buildkit/cache/util" + "github.com/moby/buildkit/client/llb" ++ "github.com/moby/buildkit/executor" + "github.com/moby/buildkit/frontend" + "github.com/moby/buildkit/frontend/gateway" + "github.com/moby/buildkit/frontend/gateway/client" +@@ -24,7 +25,7 @@ import ( + "golang.org/x/sync/errgroup" + ) + +-func llbBridgeToGatewayClient(ctx context.Context, llbBridge frontend.FrontendLLBBridge, opts map[string]string, inputs map[string]*opspb.Definition, w worker.Infos, sid string, sm *session.Manager) (*bridgeClient, error) { ++func llbBridgeToGatewayClient(ctx context.Context, llbBridge frontend.FrontendLLBBridge, exec executor.Executor, opts map[string]string, inputs map[string]*opspb.Definition, w worker.Infos, sid string, sm *session.Manager) (*bridgeClient, error) { + return &bridgeClient{ + opts: opts, + inputs: inputs, +@@ -34,6 +35,7 @@ func llbBridgeToGatewayClient(ctx contex + workers: w, + final: map[*ref]struct{}{}, + workerRefByID: make(map[string]*worker.WorkerRef), ++ executor: exec, + }, nil + } + +@@ -48,6 +50,7 @@ type bridgeClient struct { + refs []*ref + workers worker.Infos + workerRefByID map[string]*worker.WorkerRef ++ executor executor.Executor + } + + func (c *bridgeClient) Solve(ctx context.Context, req client.SolveRequest) (*client.Result, error) { +@@ -272,13 +275,13 @@ 
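Review bot: Removing `cm := w.CacheManager()` from the PrepareMounts callback changes its semantics: `cm` is now the NewContainer parameter captured by the closure, so the `cm = refs[m.Input].Worker.CacheManager()` assignment in the context lines persists across callback invocations, and a later mount with `m.Input == opspb.Empty` would receive the previous input's cache manager instead of the default one. Before this change `cm` was a fresh per-call local. Restoring that with a shadowing first line in the closure, `cm := cm`, keeps the parameter untouched. NewContainer and the closure body continue outside the hunk.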
func (c *bridgeClient) NewContainer(ctx + return nil, err + } + +- w, err := c.workers.GetDefault() ++ cm, err := c.workers.DefaultCacheManager() + if err != nil { + return nil, err + } + + group := session.NewGroup(c.sid) +- ctr, err := gateway.NewContainer(ctx, w, c.sm, group, ctrReq) ++ ctr, err := gateway.NewContainer(ctx, cm, c.executor, c.sm, group, ctrReq) + if err != nil { + return nil, err + } +--- docker.io-20.10.21.orig/engine/vendor/github.com/moby/buildkit/frontend/gateway/forwarder/frontend.go ++++ docker.io-20.10.21/engine/vendor/github.com/moby/buildkit/frontend/gateway/forwarder/frontend.go +@@ -3,6 +3,7 @@ package forwarder + import ( + "context" + ++ "github.com/moby/buildkit/executor" + "github.com/moby/buildkit/frontend" + "github.com/moby/buildkit/frontend/gateway/client" + "github.com/moby/buildkit/session" +@@ -22,8 +23,8 @@ type GatewayForwarder struct { + f client.BuildFunc + } + +-func (gf *GatewayForwarder) Solve(ctx context.Context, llbBridge frontend.FrontendLLBBridge, opts map[string]string, inputs map[string]*pb.Definition, sid string, sm *session.Manager) (retRes *frontend.Result, retErr error) { +- c, err := llbBridgeToGatewayClient(ctx, llbBridge, opts, inputs, gf.workers, sid, sm) ++func (gf *GatewayForwarder) Solve(ctx context.Context, llbBridge frontend.FrontendLLBBridge, exec executor.Executor, opts map[string]string, inputs map[string]*pb.Definition, sid string, sm *session.Manager) (retRes *frontend.Result, retErr error) { ++ c, err := llbBridgeToGatewayClient(ctx, llbBridge, exec, opts, inputs, gf.workers, sid, sm) + if err != nil { + return nil, err + } +--- docker.io-20.10.21.orig/engine/vendor/github.com/moby/buildkit/frontend/gateway/gateway.go ++++ docker.io-20.10.21/engine/vendor/github.com/moby/buildkit/frontend/gateway/gateway.go +@@ -76,7 +76,7 @@ func filterPrefix(opts map[string]string + return m + } + +-func (gf *gatewayFrontend) Solve(ctx context.Context, llbBridge frontend.FrontendLLBBridge, opts 
map[string]string, inputs map[string]*opspb.Definition, sid string, sm *session.Manager) (*frontend.Result, error) { ++func (gf *gatewayFrontend) Solve(ctx context.Context, llbBridge frontend.FrontendLLBBridge, exec executor.Executor, opts map[string]string, inputs map[string]*opspb.Definition, sid string, sm *session.Manager) (*frontend.Result, error) { + source, ok := opts[keySource] + if !ok { + return nil, errors.Errorf("no source specified for gateway") +@@ -240,19 +240,14 @@ func (gf *gatewayFrontend) Solve(ctx con + } + } + +- lbf, ctx, err := serveLLBBridgeForwarder(ctx, llbBridge, gf.workers, inputs, sid, sm) ++ lbf, ctx, err := serveLLBBridgeForwarder(ctx, llbBridge, exec, gf.workers, inputs, sid, sm) + defer lbf.conn.Close() //nolint + if err != nil { + return nil, err + } + defer lbf.Discard() + +- w, err := gf.workers.GetDefault() +- if err != nil { +- return nil, err +- } +- +- err = w.Executor().Run(ctx, "", mountWithSession(rootFS, session.NewGroup(sid)), nil, executor.ProcessInfo{Meta: meta, Stdin: lbf.Stdin, Stdout: lbf.Stdout, Stderr: os.Stderr}, nil) ++ err = exec.Run(ctx, "", mountWithSession(rootFS, session.NewGroup(sid)), nil, executor.ProcessInfo{Meta: meta, Stdin: lbf.Stdin, Stdout: lbf.Stdout, Stderr: os.Stderr}, nil) + + if err != nil { + if errdefs.IsCanceled(err) && lbf.isErrServerClosed { +@@ -334,11 +329,11 @@ func (lbf *llbBridgeForwarder) Result() + return lbf.result, nil + } + +-func NewBridgeForwarder(ctx context.Context, llbBridge frontend.FrontendLLBBridge, workers worker.Infos, inputs map[string]*opspb.Definition, sid string, sm *session.Manager) LLBBridgeForwarder { +- return newBridgeForwarder(ctx, llbBridge, workers, inputs, sid, sm) ++func NewBridgeForwarder(ctx context.Context, llbBridge frontend.FrontendLLBBridge, exec executor.Executor, workers worker.Infos, inputs map[string]*opspb.Definition, sid string, sm *session.Manager) LLBBridgeForwarder { ++ return newBridgeForwarder(ctx, llbBridge, exec, workers, inputs, sid, 
sm) + } + +-func newBridgeForwarder(ctx context.Context, llbBridge frontend.FrontendLLBBridge, workers worker.Infos, inputs map[string]*opspb.Definition, sid string, sm *session.Manager) *llbBridgeForwarder { ++func newBridgeForwarder(ctx context.Context, llbBridge frontend.FrontendLLBBridge, exec executor.Executor, workers worker.Infos, inputs map[string]*opspb.Definition, sid string, sm *session.Manager) *llbBridgeForwarder { + lbf := &llbBridgeForwarder{ + callCtx: ctx, + llbBridge: llbBridge, +@@ -351,13 +346,14 @@ func newBridgeForwarder(ctx context.Cont + sid: sid, + sm: sm, + ctrs: map[string]gwclient.Container{}, ++ executor: exec, + } + return lbf + } + +-func serveLLBBridgeForwarder(ctx context.Context, llbBridge frontend.FrontendLLBBridge, workers worker.Infos, inputs map[string]*opspb.Definition, sid string, sm *session.Manager) (*llbBridgeForwarder, context.Context, error) { ++func serveLLBBridgeForwarder(ctx context.Context, llbBridge frontend.FrontendLLBBridge, exec executor.Executor, workers worker.Infos, inputs map[string]*opspb.Definition, sid string, sm *session.Manager) (*llbBridgeForwarder, context.Context, error) { + ctx, cancel := context.WithCancel(ctx) +- lbf := newBridgeForwarder(ctx, llbBridge, workers, inputs, sid, sm) ++ lbf := newBridgeForwarder(ctx, llbBridge, exec, workers, inputs, sid, sm) + server := grpc.NewServer(grpc.UnaryInterceptor(grpcerrors.UnaryServerInterceptor), grpc.StreamInterceptor(grpcerrors.StreamServerInterceptor)) + grpc_health_v1.RegisterHealthServer(server, health.NewServer()) + pb.RegisterLLBBridgeServer(server, lbf) +@@ -452,6 +448,7 @@ type llbBridgeForwarder struct { + isErrServerClosed bool + sid string + sm *session.Manager ++ executor executor.Executor + *pipe + ctrs map[string]gwclient.Container + ctrsMu sync.Mutex +@@ -885,12 +882,12 @@ func (lbf *llbBridgeForwarder) NewContai + // and we want the context to live for the duration of the container. 
+ group := session.NewGroup(lbf.sid) + +- w, err := lbf.workers.GetDefault() ++ cm, err := lbf.workers.DefaultCacheManager() + if err != nil { + return nil, stack.Enable(err) + } + +- ctr, err := NewContainer(context.Background(), w, lbf.sm, group, ctrReq) ++ ctr, err := NewContainer(context.Background(), cm, lbf.executor, lbf.sm, group, ctrReq) + if err != nil { + return nil, stack.Enable(err) + } +--- docker.io-20.10.21.orig/engine/vendor/github.com/moby/buildkit/snapshot/snapshotter.go ++++ docker.io-20.10.21/engine/vendor/github.com/moby/buildkit/snapshot/snapshotter.go +@@ -9,13 +9,10 @@ import ( + "github.com/containerd/containerd/mount" + "github.com/containerd/containerd/snapshots" + "github.com/docker/docker/pkg/idtools" ++ "github.com/moby/buildkit/executor" + ) + +-type Mountable interface { +- // ID() string +- Mount() ([]mount.Mount, func() error, error) +- IdentityMapping() *idtools.IdentityMapping +-} ++type Mountable = executor.MountableRef + + // Snapshotter defines interface that any snapshot implementation should satisfy + type Snapshotter interface { +--- docker.io-20.10.21.orig/engine/vendor/github.com/moby/buildkit/solver/llbsolver/bridge.go ++++ docker.io-20.10.21/engine/vendor/github.com/moby/buildkit/solver/llbsolver/bridge.go +@@ -11,6 +11,8 @@ import ( + "github.com/mitchellh/hashstructure" + "github.com/moby/buildkit/cache/remotecache" + "github.com/moby/buildkit/client/llb" ++ "github.com/moby/buildkit/executor" ++ resourcestypes "github.com/moby/buildkit/executor/resources/types" + "github.com/moby/buildkit/frontend" + gw "github.com/moby/buildkit/frontend/gateway/client" + "github.com/moby/buildkit/session" +@@ -19,6 +21,7 @@ import ( + llberrdefs "github.com/moby/buildkit/solver/llbsolver/errdefs" + "github.com/moby/buildkit/solver/pb" + "github.com/moby/buildkit/util/flightcontrol" ++ "github.com/moby/buildkit/util/entitlements" + "github.com/moby/buildkit/worker" + digest "github.com/opencontainers/go-digest" + 
"github.com/pkg/errors" +@@ -34,6 +37,10 @@ type llbBridge struct { + cms map[string]solver.CacheManager + cmsMu sync.Mutex + sm *session.Manager ++ ++ executorOnce sync.Once ++ executorErr error ++ executor executor.Executor + } + + func (b *llbBridge) loadResult(ctx context.Context, def *pb.Definition, cacheImports []gw.CacheOptionsEntry) (solver.CachedResult, error) { +@@ -144,6 +151,52 @@ func (b *llbBridge) Solve(ctx context.Co + return + } + ++func (b *llbBridge) validateEntitlements(p executor.ProcessInfo) error { ++ ent, err := loadEntitlements(b.builder) ++ if err != nil { ++ return err ++ } ++ v := entitlements.Values{ ++ NetworkHost: p.Meta.NetMode == pb.NetMode_HOST, ++ SecurityInsecure: p.Meta.SecurityMode == pb.SecurityMode_INSECURE, ++ } ++ return ent.Check(v) ++} ++ ++func (b *llbBridge) Run(ctx context.Context, id string, rootfs executor.Mount, mounts []executor.Mount, process executor.ProcessInfo, started chan<- struct{}) (resourcestypes.Recorder, error) { ++ if err := b.validateEntitlements(process); err != nil { ++ return nil, err ++ } ++ ++ if err := b.loadExecutor(); err != nil { ++ return nil, err ++ } ++ return b.executor.Run(ctx, id, rootfs, mounts, process, started) ++} ++ ++func (b *llbBridge) Exec(ctx context.Context, id string, process executor.ProcessInfo) error { ++ if err := b.validateEntitlements(process); err != nil { ++ return err ++ } ++ ++ if err := b.loadExecutor(); err != nil { ++ return err ++ } ++ return b.executor.Exec(ctx, id, process) ++} ++ ++func (b *llbBridge) loadExecutor() error { ++ b.executorOnce.Do(func() { ++ w, err := b.resolveWorker() ++ if err != nil { ++ b.executorErr = err ++ return ++ } ++ b.executor = w.Executor() ++ }) ++ return b.executorErr ++} ++ + type resultProxy struct { + cb func(context.Context) (solver.CachedResult, error) + def *pb.Definition +--- docker.io-20.10.21.orig/engine/vendor/github.com/moby/buildkit/solver/llbsolver/solver.go ++++ 
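Review bot: `loadExecutor` records the first `resolveWorker` failure in `executorErr` under `sync.Once`, so after one failure every later `Run`/`Exec` on this bridge returns that same error for the bridge's lifetime. That may be intended if worker resolution is deterministic per build, but it deserves a comment, e.g. `// resolved once per bridge; a resolution error is sticky for this build`. Separately, the new `"github.com/moby/buildkit/util/entitlements"` import is placed after `util/flightcontrol`, which `gofmt`/`goimports` would reorder. The check itself reads only `NetMode` and `SecurityMode` from `ProcessInfo.Meta`, the same two fields `ValidateEntitlements` in vertex.go checks, which is the consistency this fix needs.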
docker.io-20.10.21/engine/vendor/github.com/moby/buildkit/solver/llbsolver/solver.go
+@@ -107,7 +107,7 @@ func (s *Solver) Solve(ctx context.Conte
+
+ var res *frontend.Result
+ if s.gatewayForwarder != nil && req.Definition == nil && req.Frontend == "" {
+- fwd := gateway.NewBridgeForwarder(ctx, s.Bridge(j), s.workerController, req.FrontendInputs, sessionID, s.sm)
++ fwd := gateway.NewBridgeForwarder(ctx, s.Bridge(j), s.Bridge(j), s.workerController.Infos(), req.FrontendInputs, sessionID, s.sm)
+ defer fwd.Discard()
+ if err := s.gatewayForwarder.RegisterBuild(ctx, id, fwd); err != nil {
+ return nil, err
+--- docker.io-20.10.21.orig/engine/vendor/github.com/moby/buildkit/worker/worker.go
++++ docker.io-20.10.21/engine/vendor/github.com/moby/buildkit/worker/worker.go
+@@ -40,7 +40,7 @@ type Worker interface {
+ }
+
+ type Infos interface {
+- GetDefault() (Worker, error)
++ DefaultCacheManager() (cache.Manager, error)
+ WorkerInfos() []client.WorkerInfo
+ }
+
+--- docker.io-20.10.21.orig/engine/vendor/github.com/moby/buildkit/worker/workercontroller.go
++++ docker.io-20.10.21/engine/vendor/github.com/moby/buildkit/worker/workercontroller.go
+@@ -4,6 +4,7 @@ import (
+ "sync"
+
+ "github.com/containerd/containerd/filters"
++ "github.com/moby/buildkit/cache"
+ "github.com/moby/buildkit/client"
+ "github.com/pkg/errors"
+ )
+@@ -75,3 +76,25 @@ func (c *Controller) WorkerInfos() []cli
+ }
+ return out
+ }
++
++func (c *Controller) Infos() Infos {
++ return &infosController{c: c}
++}
++
++type infosController struct {
++ c *Controller
++}
++
++var _ Infos = &infosController{}
++
++func (c *infosController) DefaultCacheManager() (cache.Manager, error) {
++ w, err := c.c.GetDefault()
++ if err != nil {
++ return nil, err
++ }
++ return w.CacheManager(), nil
++}
++
++func (c *infosController) WorkerInfos() []client.WorkerInfo {
++ return c.c.WorkerInfos()
++}
+--- docker.io-20.10.21.orig/engine/vendor/github.com/moby/buildkit/solver/llbsolver/vertex.go
++++ 
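Review bot: `s.Bridge(j)` is evaluated twice on the new NewBridgeForwarder line in solver.go, once as the frontend bridge and once as the executor; if Bridge constructs a fresh llbBridge per call (its body is not visible here), the forwarder holds two bridge instances, each with its own executorOnce/executor state, and the executor used for interactive containers is resolved independently of the bridge the frontend solves through. Binding it once, `b := s.Bridge(j)` followed by `fwd := gateway.NewBridgeForwarder(ctx, b, b, s.workerController.Infos(), req.FrontendInputs, sessionID, s.sm)`, keeps one bridge per build and makes the intent — the same entitlement-checking object serves both roles — explicit in the code. Solve's body starts and continues outside the hunk.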
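Review bot: Controller.Infos, infosController and DefaultCacheManager in the workercontroller.go hunk carry no doc comments, and the reason the wrapper exists is stated nowhere in the patch. Read together with the worker.go hunk, which replaces `GetDefault() (Worker, error)` with `DefaultCacheManager() (cache.Manager, error)` on Infos, the wrapper appears to exist precisely so the gateway can obtain the default worker's cache manager and metadata but not the Worker itself (and thus not its Executor), forcing container runs through the bridge; a comment on Infos such as `// Infos returns a restricted view of the controller that exposes the default worker's cache manager and worker metadata but never the worker itself, so callers cannot obtain an executor that bypasses the solver's entitlement checks.` would record that intent for whoever next extends the interface. A one-line doc comment on DefaultCacheManager, `// DefaultCacheManager returns the cache manager of the default worker.`, would complete the exported-name convention.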
docker.io-20.10.21/engine/vendor/github.com/moby/buildkit/solver/llbsolver/vertex.go
+@@ -99,16 +99,12 @@ func ValidateEntitlements(ent entitlemen
+ return func(op *pb.Op, _ *pb.OpMetadata, opt *solver.VertexOptions) error {
+ switch op := op.Op.(type) {
+ case *pb.Op_Exec:
+- if op.Exec.Network == pb.NetMode_HOST {
+- if !ent.Allowed(entitlements.EntitlementNetworkHost) {
+- return errors.Errorf("%s is not allowed", entitlements.EntitlementNetworkHost)
+- }
++ v := entitlements.Values{
++ NetworkHost: op.Exec.Network == pb.NetMode_HOST,
++ SecurityInsecure: op.Exec.Security == pb.SecurityMode_INSECURE,
+ }
+-
+- if op.Exec.Security == pb.SecurityMode_INSECURE {
+- if !ent.Allowed(entitlements.EntitlementSecurityInsecure) {
+- return errors.Errorf("%s is not allowed", entitlements.EntitlementSecurityInsecure)
+- }
++ if err := ent.Check(v); err != nil {
++ return err
+ }
+ }
+ return nil
+--- docker.io-20.10.21.orig/engine/vendor/github.com/moby/buildkit/util/entitlements/entitlements.go
++++ docker.io-20.10.21/engine/vendor/github.com/moby/buildkit/util/entitlements/entitlements.go
+@@ -58,3 +58,23 @@ func (s Set) Allowed(e Entitlement) bool
+ _, ok := s[e]
+ return ok
+ }
++
++func (s Set) Check(v Values) error {
++ if v.NetworkHost {
++ if !s.Allowed(EntitlementNetworkHost) {
++ return errors.Errorf("%s is not allowed", EntitlementNetworkHost)
++ }
++ }
++
++ if v.SecurityInsecure {
++ if !s.Allowed(EntitlementSecurityInsecure) {
++ return errors.Errorf("%s is not allowed", EntitlementSecurityInsecure)
++ }
++ }
++ return nil
++}
++
++type Values struct {
++ NetworkHost bool
++ SecurityInsecure bool
++}
diff -Nru docker.io-20.10.21/debian/patches/series docker.io-20.10.21/debian/patches/series
--- docker.io-20.10.21/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ docker.io-20.10.21/debian/patches/series 2024-02-28 08:46:58.000000000 +0000
@@ -0,0 +1,4 @@
+CVE-2024-23650.patch
+CVE-2024-23651.patch
+CVE-2024-23652.patch
+CVE-2024-23653.patch
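Review bot: Set.Check and Values in the entitlements.go hunk are exported without doc comments, and since both the vertex.go hunk on this line (LLB validation) and the bridge.go hunk earlier in the patch (interactive container Run/Exec) now funnel through Check, the doc comment is the right place for the maintenance rule: a new entitlement must get a field in Values and a branch in Check, or the two paths diverge again. Suggested `// Values describes the privileged features an operation requests; each field corresponds to one Entitlement and must be checked in Check.` on the struct and `// Check returns an error naming the first feature in v that the set does not allow; a zero Values always passes.` on the method. Check also calls errors.Errorf while the hunk adds no import, so `github.com/pkg/errors` must already be imported in entitlements.go, which I cannot confirm from here.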
