From 017cb29b32441cc687c2ee2c6e3f22cc53148178 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin
Date: Mon, 23 May 2022 12:56:35 -0700
Subject: [PATCH 1/2] Dockerfile,scripts/release: bump libseccomp to v2.5.4

Release notes: https://github.com/seccomp/libseccomp/releases/tag/v2.5.4

This affects the released static binaries (as they are statically linked against libseccomp).

Signed-off-by: Kir Kolyshkin
(cherry picked from commit f7b07fd54c67b322fa436413d3ecb479c2f4579e)
Signed-off-by: Kir Kolyshkin
---
 Dockerfile              | 2 +-
 script/release_build.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index d6680cc2e3c..d4e508ae26e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 ARG GO_VERSION=1.17
 ARG BATS_VERSION=v1.3.0
-ARG LIBSECCOMP_VERSION=2.5.3
+ARG LIBSECCOMP_VERSION=2.5.4
 
 FROM golang:${GO_VERSION}-bullseye
 ARG DEBIAN_FRONTEND=noninteractive
diff --git a/script/release_build.sh b/script/release_build.sh
index 2525161585c..af238628cbd 100755
--- a/script/release_build.sh
+++ b/script/release_build.sh
@@ -19,7 +19,7 @@ set -e
 ## --->
 # Project-specific options and functions. In *theory* you shouldn't need to
 # touch anything else in this script in order to use this elsewhere.
-: "${LIBSECCOMP_VERSION:=2.5.3}"
+: "${LIBSECCOMP_VERSION:=2.5.4}"
 project="runc"
 root="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")/..")"
 

From 8242c05dabf5f99203ccb026a1fc33e2f127b93c Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin
Date: Tue, 24 May 2022 10:50:18 -0700
Subject: [PATCH 2/2] script/seccomp.sh: check tarball sha256

Add checking of downloaded tarball checksum. In case it doesn't match the hardcoded value, the error is like this:

libseccomp-2.5.4.tar.gz: FAILED
sha256sum: WARNING: 1 computed checksum did NOT match

In case the checksum for a particular version is not specified in the script, the error will look like this:

./script/seccomp.sh: line 29: SECCOMP_SHA256[${ver}]: unbound variable

In case the the hardcoded value in the file is of wrong format/length, we'll get:

sha256sum: 'standard input': no properly formatted SHA256 checksum lines found

In any of these cases, the script aborts (due to set -e).

Signed-off-by: Kir Kolyshkin
(cherry picked from commit 95f1e2e18872de54a17d64b2d808255463ee3d93)
Signed-off-by: Kir Kolyshkin
---
 script/seccomp.sh | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/script/seccomp.sh b/script/seccomp.sh
index 2c2ea84e0f4..beea612ac83 100755
--- a/script/seccomp.sh
+++ b/script/seccomp.sh
@@ -5,6 +5,11 @@ set -e -u -o pipefail
 # shellcheck source=./script/lib.sh
 source "$(dirname "${BASH_SOURCE[0]}")/lib.sh"
 
+# sha256 checksums for seccomp release tarballs.
+declare -A SECCOMP_SHA256=(
+	["2.5.4"]=d82902400405cf0068574ef3dc1fe5f5926207543ba1ae6f8e7a1576351dcbdb
+)
+
 # Due to libseccomp being LGPL we must include its sources,
 # so download, install and build against it.
 # Parameters:
@@ -19,8 +24,10 @@ function build_libseccomp() {
 	local arches=("$@")
 	local tar="libseccomp-${ver}.tar.gz"
 
-	# Download and extract.
+	# Download, check, and extract.
 	wget "https://github.com/seccomp/libseccomp/releases/download/v${ver}/${tar}"{,.asc}
+	sha256sum --strict --check - <<<"${SECCOMP_SHA256[${ver}]} *${tar}"
+
 	local srcdir
 	srcdir="$(mktemp -d)"
 	tar xf "$tar" -C "$srcdir"
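Review bot: The comment above the new SECCOMP_SHA256 table does not tell a maintainer bumping LIBSECCOMP_VERSION that an entry has to be added here, nor where the expected digest is meant to come from, so a reviewer of the 2.5.4 entry cannot tell how that value was obtained. As the commit message itself notes, a version missing from the table only surfaces as an `unbound variable` error from set -u, which points at the lookup rather than at this table. Suggest widening the comment to `# sha256 checksums for seccomp release tarballs. Add an entry whenever LIBSECCOMP_VERSION is bumped (a missing or mismatching entry aborts the build) and note where each digest was taken from.`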
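Review bot: The added sha256sum line verifies only the tarball, while the wget line in the same hunk also fetches the `.asc` signature, which nothing in this hunk consults, so the download's integrity rests entirely on the digest hardcoded in SECCOMP_SHA256. build_libseccomp starts and ends outside the hunk; if the signature is verified further down, a short comment on the wget line saying so would make the division of labour clear, and if it is not, the `.asc` adds nothing to the integrity check. Separately, a version absent from the table is rejected only through set -u's generic message; an explicit guard before the check, `[[ -n "${SECCOMP_SHA256[$ver]:-}" ]] || { echo "no sha256 known for libseccomp $ver" >&2; exit 1; }`, would name the real problem.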