Merge branch 'main' into 2.0

microsoft · May 29, 2024 · b593ba2 · b593ba2
2 parents 5b01d26 + fea7c96
commit b593ba2
Show file tree

Hide file tree

Showing 40 changed files with 1,524 additions and 392 deletions.
diff --git a/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md b/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md
diff --git a/SPECS/LICENSES-AND-NOTICES/data/licenses.json b/SPECS/LICENSES-AND-NOTICES/data/licenses.json
@@ -2150,6 +2150,7 @@
                 "application-gateway-kubernetes-ingress",
                 "asc",
                 "azcopy",
+                "azl-compliance",
                 "azure-iot-sdk-c",
                 "azure-storage-cpp",
                 "azurelinux-sysinfo",

diff --git a/SPECS/azl-compliance/azl-compliance.signatures.json b/SPECS/azl-compliance/azl-compliance.signatures.json
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+  "azl-compliance-1.0.1.tar.gz": "1d96b99ec755500383e5ff6bad01f1ac85848f067488f3ce29a99e6eb57a86b7"
+ }
+}
diff --git a/SPECS/azl-compliance/azl-compliance.spec b/SPECS/azl-compliance/azl-compliance.spec
@@ -0,0 +1,58 @@
+Summary:        Azure Linux compliance package to meet all sorts of compliance rules
+Name:           azl-compliance
+Version:        1.0.1
+Release:        1%{?dist}
+License:        BSD-3-Clause
+Vendor:         Microsoft Corporation
+Distribution:   Mariner
+Group:          System Environment/Base
+URL:            https://aka.ms/mariner
+Source0:        %{_mariner_sources_url}/%{name}-%{version}.tar.gz
+Requires:       dnf
+Requires:       gnutls
+Requires:       grub2
+Requires:       grubby
+Requires:       rpm
+Requires:       rsyslog
+Requires:       sudo
+BuildRequires:  rust
+
+%description
+Azure Linux compliance package to configure systems to meet FIPS and FedRAMP compliance.
+
+%prep
+%autosetup
+
+%build
+cd azl-compliance
+cargo build --release --offline
+
+%install
+mkdir -p %{buildroot}%{_sysconfdir}/azl-compliance/
+mkdir -p %{buildroot}%{_bindir}
+install -m 0755 ./azl-compliance/target/release/azl-compliance %{buildroot}%{_bindir}/azl-compliance
+mkdir -p %{buildroot}%{_sysconfdir}/azl-compliance/fips
+mkdir -p %{buildroot}%{_sysconfdir}/azl-compliance/fedramp/remediation_scripts
+install -m 0755 fips/*.sh %{buildroot}%{_sysconfdir}/azl-compliance/fips/
+install -m 0755 fedramp/*.sh %{buildroot}%{_sysconfdir}/azl-compliance/fedramp/
+install -m 0644 fedramp/*.txt %{buildroot}%{_sysconfdir}/azl-compliance/fedramp/
+install -m 0755 fedramp/remediation_scripts/* %{buildroot}%{_sysconfdir}/azl-compliance/fedramp/remediation_scripts/
+install -m 0644 azl-compliance-fips.json %{buildroot}%{_sysconfdir}/azl-compliance/
+install -m 0644 azl-compliance-fedramp.json %{buildroot}%{_sysconfdir}/azl-compliance/
+
+%files
+%license LICENSE
+%{_bindir}/azl-compliance
+%{_sysconfdir}/azl-compliance/fips
+%{_sysconfdir}/azl-compliance/azl-compliance-fips.json
+%{_sysconfdir}/azl-compliance/fedramp
+%{_sysconfdir}/azl-compliance/azl-compliance-fedramp.json
+
+%check
+cd azl-compliance
+cargo test --release --offline
+
+%changelog
+* Tue Mar 19 2024 Tobias Brick <tobiasb@microsoft.com> 1.0.1-1
+- Original version for CBL-Mariner.
+- License verified
diff --git a/SPECS/cri-o/CVE-2021-3602.patch b/SPECS/cri-o/CVE-2021-3602.patch
@@ -1,82 +1,3 @@
-From 8716daa06e9eb421438b338f18b6b650b082b208 Mon Sep 17 00:00:00 2001
-From: Cameron Baird <cameronbaird@microsoft.com>
-Date: Tue, 16 Apr 2024 22:33:46 +0000
-Subject: [PATCH 4/4] CVE-2021-3602
-
----
- .../github.com/containers/buildah/chroot/run.go   | 15 +++++----------
- .../podman/v3/pkg/specgen/generate/security.go    |  7 +++++--
- 2 files changed, 10 insertions(+), 12 deletions(-)
-
-diff --git a/vendor/github.com/containers/buildah/chroot/run.go b/vendor/github.com/containers/buildah/chroot/run.go
-index a93f97dcd..643f5c91d 100644
---- a/vendor/github.com/containers/buildah/chroot/run.go
-+++ b/vendor/github.com/containers/buildah/chroot/run.go
-@@ -160,7 +160,7 @@ func RunUsingChroot(spec *specs.Spec, bundlePath, homeDir string, stdin io.Reade
- 	cmd := unshare.Command(runUsingChrootCommand)
- 	cmd.Stdin, cmd.Stdout, cmd.Stderr = stdin, stdout, stderr
- 	cmd.Dir = "/"
--	cmd.Env = append([]string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())}, os.Environ()...)
-+	cmd.Env = []string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())}
-
- 	logrus.Debugf("Running %#v in %#v", cmd.Cmd, cmd)
- 	confwg.Add(1)
-@@ -206,7 +206,7 @@ func runUsingChrootMain() {
- 		os.Exit(1)
- 	}
-
--	if options.Spec == nil {
-+	if options.Spec == nil || options.Spec.Process == nil {
- 		fmt.Fprintf(os.Stderr, "invalid options spec in runUsingChrootMain\n")
- 		os.Exit(1)
- 	}
-@@ -572,7 +572,7 @@ func runUsingChroot(spec *specs.Spec, bundlePath string, ctty *os.File, stdin io
- 	cmd := unshare.Command(append([]string{runUsingChrootExecCommand}, spec.Process.Args...)...)
- 	cmd.Stdin, cmd.Stdout, cmd.Stderr = stdin, stdout, stderr
- 	cmd.Dir = "/"
--	cmd.Env = append([]string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())}, os.Environ()...)
-+	cmd.Env = []string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())}
- 	cmd.UnshareFlags = syscall.CLONE_NEWUTS | syscall.CLONE_NEWNS
- 	requestedUserNS := false
- 	for _, ns := range spec.Linux.Namespaces {
-@@ -662,7 +662,7 @@ func runUsingChrootExecMain() {
- 	// Set the hostname.  We're already in a distinct UTS namespace and are admins in the user
- 	// namespace which created it, so we shouldn't get a permissions error, but seccomp policy
- 	// might deny our attempt to call sethostname() anyway, so log a debug message for that.
--	if options.Spec == nil {
-+	if options.Spec == nil || options.Spec.Process == nil {
- 		fmt.Fprintf(os.Stderr, "invalid options spec passed in\n")
- 		os.Exit(1)
- 	}
-@@ -818,7 +818,6 @@ func runUsingChrootExecMain() {
- // Output debug messages when that differs from what we're being asked to do.
- func logNamespaceDiagnostics(spec *specs.Spec) {
- 	sawMountNS := false
--	sawUserNS := false
- 	sawUTSNS := false
- 	for _, ns := range spec.Linux.Namespaces {
- 		switch ns.Type {
-@@ -853,9 +852,8 @@ func logNamespaceDiagnostics(spec *specs.Spec) {
- 			}
- 		case specs.UserNamespace:
- 			if ns.Path != "" {
--				logrus.Debugf("unable to join user namespace %q, creating a new one", ns.Path)
-+				logrus.Debugf("unable to join user namespace, sorry about that")
- 			}
--			sawUserNS = true
- 		case specs.UTSNamespace:
- 			if ns.Path != "" {
- 				logrus.Debugf("unable to join UTS namespace %q, creating a new one", ns.Path)
-@@ -866,9 +864,6 @@ func logNamespaceDiagnostics(spec *specs.Spec) {
- 	if !sawMountNS {
- 		logrus.Debugf("mount namespace not requested, but creating a new one anyway")
- 	}
--	if !sawUserNS {
--		logrus.Debugf("user namespace not requested, but creating a new one anyway")
--	}
- 	if !sawUTSNS {
- 		logrus.Debugf("UTS namespace not requested, but creating a new one anyway")
- 	}
 diff --git a/vendor/github.com/containers/podman/v3/pkg/specgen/generate/security.go b/vendor/github.com/containers/podman/v3/pkg/specgen/generate/security.go
 index e0e4a47a4..3cda89a32 100644
 --- a/vendor/github.com/containers/podman/v3/pkg/specgen/generate/security.go