Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package singularity-container

The 2.2 release contained a vulnerability, described in detail upstream at
https://github.com/singularityware/singularity/releases/tag/2.2.1 :
In versions of Singularity previous to 2.2.1, it was possible for a malicious 
user to create and manipulate specifically crafted raw devices within 
containers they own. Utilizing MS_NODEV as a container image mount option 
mitigates this potential vector of attack. As a result, this update should be 
implemented with high urgency. A big thanks to Mattias Wadenstein (@UMU in 
Sweden) for identifying and reporting this issue!

2.2-2 (debdiff attached) was prepared in collaboration with upstream to cover
that vulnerability and to address a few other possibly security-related (snprintf)
and functionality-related issues.  security@d.o was provided with the debdiff and
no negative opinions were expressed.

unblock singularity-container/2.2-2

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (900, 'testing'), (600, 'unstable'), (300, 'experimental'), (100, 
'unstable-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru singularity-container-2.2/debian/changelog 
singularity-container-2.2/debian/changelog
--- singularity-container-2.2/debian/changelog  2016-11-30 12:33:01.000000000 
-0500
+++ singularity-container-2.2/debian/changelog  2017-02-09 16:27:55.000000000 
-0500
@@ -1,3 +1,24 @@
+singularity-container (2.2-2) unstable; urgency=high
+
+  * debian/patches - picks up from upcoming 2.2.1 release
+    critical functionality and possibly security-related fixes
+    - changeset_b859cd8b4b9293f2a8a893ef41c5d93a5318dd6c.diff
+      to support mounting ext4 formatted images read-only
+    - changeset_f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d.diff
+      to utilize mount option MS_NODEV for images
+      (fixes potential security implications)
+    - changeset_d835fa1d20efc4aaacca4be68431d193d6625bd8.diff
+      to fix bootstrapping ran as root (thus no MS_NODEV restriction
+      from above patch should be applied)
+    - changeset_3a2b6537f0b1386336e29d7f763ae62374a7cb77.diff
+      exit with error if snprintf would have went out of bounds
+    - changeset_acc02b921192e7e16afe1513d5338904f8e6f907.diff
+      changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff
+      changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff
+      Various obvious fixes (updated URLs, apt --force-yes)
+
+ -- Yaroslav Halchenko <deb...@onerussian.com>  Thu, 09 Feb 2017 16:27:55 -0500
+
 singularity-container (2.2-1) unstable; urgency=medium
 
   [ Mehdi Dogguy ]
diff -Nru 
singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff
 
singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff
--- 
singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff
    1969-12-31 19:00:00.000000000 -0500
+++ 
singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff
    2017-02-09 16:27:55.000000000 -0500
@@ -0,0 +1,21 @@
+From: Gregory M. Kurtzer <gmkurt...@lbl.gov>
+Subject: Use --force-yes
+
+--- a/examples/debian.def
++++ b/examples/debian.def
+@@ -16,5 +16,5 @@ MirrorURL: http://ftp.us.debian.org/debi
+ %post
+     echo "Hello from inside the container"
+     apt-get update
+-    apt-get -y install vim
++    apt-get -y --force-yes install vim
+ 
+--- a/examples/ubuntu.def
++++ b/examples/ubuntu.def
+@@ -16,5 +16,5 @@ MirrorURL: http://us.archive.ubuntu.com/
+ %post
+     echo "Hello from inside the container"
+     sed -i 's/$/ universe/' /etc/apt/sources.list
+-    apt-get -y install vim
++    apt-get -y --force-yes install vim
+ 
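Review bot: `apt-get -y --force-yes install vim` in both example definitions switches off apt's safety checks wholesale, including the package authentication check, so an unauthenticated mirror or a substituted package is installed into the bootstrapped image without complaint. If the intent is only to tolerate an unsigned repository during bootstrap, the narrower `--allow-unauthenticated` expresses exactly that, and the root cause (presumably a missing archive keyring in the bootstrap environment) is better fixed than suppressed; `--force-yes` is also deprecated in apt 1.1 and later. Examples get copied, so the blanket flag will propagate into users' own definition files.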
diff -Nru 
singularity-container-2.2/debian/patches/changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff
 
singularity-container-2.2/debian/patches/changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff
--- 
singularity-container-2.2/debian/patches/changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff
    1969-12-31 19:00:00.000000000 -0500
+++ 
singularity-container-2.2/debian/patches/changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff
    2017-02-09 16:27:55.000000000 -0500
@@ -0,0 +1,14 @@
+From: Nekel-Seyew <kylemdswee...@gmail.com>
+Subject: added an ERRNO==ENOENT clause
+
+--- a/src/lib/file/group/group.c
++++ b/src/lib/file/group/group.c
+@@ -139,7 +139,7 @@ int singularity_file_group(void) {
+                 singularity_message(VERBOSE3, "Found supplementary group 
membership in: %d\n", gids[i]);
+                 singularity_message(VERBOSE2, "Adding user's supplementary 
group ('%s') info to template group file\n", grent->gr_name);
+                 fprintf(file_fp, "%s:x:%u:%s\n", gr->gr_name, gr->gr_gid, 
pwent->pw_name);
+-            } else if ( (errno == 0) || (errno == ESRCH) || (errno == EBADF) 
|| (errno == EPERM) ) {
++            } else if ( (errno == 0) || (errno == ESRCH) || (errno == EBADF) 
|| (errno == EPERM) || (errno == ENOENT)) {
+                 singularity_message(VERBOSE3, "Skipping GID %d as group entry 
does not exist.\n", gids[i]);
+             } else {
+                 singularity_message(ERROR, "Failed to lookup GID %d group 
entry: %s\n", gids[i], strerror(errno));
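Review bot: The enlarged errno test only distinguishes "not found" from "failure" if errno was set to 0 immediately before the lookup call, which lies outside the hunk; getgrgid(3) may leave errno untouched on a not-found result, so a stale value from an earlier call would be reported as a lookup failure, and conversely a real failure with ENOENT is now silently treated as a missing entry. Confirm that the call site in singularity_file_group does `errno = 0;` right before the lookup. Since the accepted set now spans five codes whose rationale is not obvious, a comment on the condition such as `/* errno values the group database reports for "no such entry" rather than a hard failure */` would help the next reader. The enclosing function starts and ends outside the hunk.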
diff -Nru 
singularity-container-2.2/debian/patches/changeset_3a2b6537f0b1386336e29d7f763ae62374a7cb77.diff
 
singularity-container-2.2/debian/patches/changeset_3a2b6537f0b1386336e29d7f763ae62374a7cb77.diff
--- 
singularity-container-2.2/debian/patches/changeset_3a2b6537f0b1386336e29d7f763ae62374a7cb77.diff
    1969-12-31 19:00:00.000000000 -0500
+++ 
singularity-container-2.2/debian/patches/changeset_3a2b6537f0b1386336e29d7f763ae62374a7cb77.diff
    2017-02-09 16:27:55.000000000 -0500
@@ -0,0 +1,120 @@
+From: Brian Bockelman <bbock...@cse.unl.edu>
+Subject: Fix remaining usage of snprintf.
+
+--- a/src/lib/message.c
++++ b/src/lib/message.c
+@@ -109,23 +109,23 @@ void _singularity_message(int level, con
+     }
+ 
+     if ( level <= messagelevel ) {
+-        char *header_string;
++        char header_string[95];
+ 
+         if ( messagelevel >= DEBUG ) {
+-            char *debug_string = (char *) malloc(25);
+-            char *location_string = (char *) malloc(60);
+-            char *tmp_header_string = (char *) malloc(80);
+-            header_string = (char *) malloc(80);
++            char debug_string[25];
++            char location_string[60];
++            char tmp_header_string[86];
+             snprintf(location_string, 60, "%s:%d:%s()", file, line, 
function); // Flawfinder: ignore
++            location_string[59] = '\0';
+             snprintf(debug_string, 25, "[U=%d,P=%d]", geteuid(), getpid()); 
// Flawfinder: ignore
+-            snprintf(tmp_header_string, 80, "%-18s %s", debug_string, 
location_string); // Flawfinder: ignore
+-            snprintf(header_string, 80, "%-7s %-62s: ", prefix, 
tmp_header_string); // Flawfinder: ignore
+-            free(debug_string);
+-            free(location_string);
+-            free(tmp_header_string);
++            debug_string[24] = '\0';
++            snprintf(tmp_header_string, 86, "%-18s %s", debug_string, 
location_string); // Flawfinder: ignore
++            tmp_header_string[85] = '\0';
++            snprintf(header_string, 95, "%-7s %-62s: ", prefix, 
tmp_header_string); // Flawfinder: ignore
++            header_string[94] = '\0';
+         } else {
+-            header_string = (char *) malloc(11);
+             snprintf(header_string, 10, "%-7s: ", prefix); // Flawfinder: 
ignore
++            header_string[9] = '\0';
+         }
+ 
+         if ( level == INFO && messagelevel == INFO ) {
+@@ -138,7 +138,6 @@ void _singularity_message(int level, con
+             fprintf(stderr, "%s", strjoin(header_string, message));
+         }
+ 
+-
+         fflush(stdout);
+         fflush(stderr);
+ 
+--- a/src/lib/rootfs/rootfs.c
++++ b/src/lib/rootfs/rootfs.c
+@@ -184,7 +184,10 @@ int singularity_rootfs_mount(void) {
+     } else if ( envar_defined("SINGULARITY_WRITABLE") == TRUE ) {
+         singularity_message(VERBOSE3, "Not enabling overlayFS, image mounted 
writablable\n");
+     } else {
+-        snprintf(overlay_options, overlay_options_len, 
"lowerdir=%s,upperdir=%s,workdir=%s", rootfs_source, overlay_upper, 
overlay_work); // Flawfinder: ignore
++        if (snprintf(overlay_options, overlay_options_len, 
"lowerdir=%s,upperdir=%s,workdir=%s", rootfs_source, overlay_upper, 
overlay_work) >= overlay_options_len) {
++            singularity_message(ERROR, "Overly-long path names for OverlayFS 
configuration.\n");
++            ABORT(255);
++        }
+ 
+         singularity_priv_escalate();
+         singularity_message(DEBUG, "Mounting overlay tmpfs: %s\n", 
overlay_mount);
+--- a/src/lib/sessiondir.c
++++ b/src/lib/sessiondir.c
+@@ -55,7 +55,7 @@ char *singularity_sessiondir_init(char *
+         struct stat filestat;
+         uid_t uid = singularity_priv_getuid();
+ 
+-        sessiondir = (char *) malloc(sizeof(char) * PATH_MAX);
++        sessiondir = (char *) malloc(PATH_MAX);
+ 
+         singularity_message(DEBUG, "Checking Singularity configuration for 
'sessiondir prefix'\n");
+ 
+@@ -66,9 +66,15 @@ char *singularity_sessiondir_init(char *
+ 
+         singularity_config_rewind();
+         if ( ( sessiondir_prefix = envar_path("SINGULARITY_SESSIONDIR") ) != 
NULL ) {
+-            snprintf(sessiondir, sizeof(char) * PATH_MAX, 
"%s/singularity-session-%d.%d.%lu", sessiondir_prefix, (int)uid, 
(int)filestat.st_dev, (long unsigned)filestat.st_ino); // Flawfinder: ignore
++            if (snprintf(sessiondir, PATH_MAX, 
"%s/singularity-session-%d.%d.%lu", sessiondir_prefix, (int)uid, 
(int)filestat.st_dev, (long unsigned)filestat.st_ino) >= PATH_MAX) { // 
Flawfinder: ignore
++                singularity_message(ERROR, "Overly-long session directory 
specified.\n");
++                ABORT(255);
++            }
+         } else if ( ( sessiondir_prefix = 
singularity_config_get_value("sessiondir prefix") ) != NULL ) {
+-            snprintf(sessiondir, sizeof(char) * PATH_MAX, "%s%d.%d.%lu", 
sessiondir_prefix, (int)uid, (int)filestat.st_dev, (long 
unsigned)filestat.st_ino); // Flawfinder: ignore
++            if (snprintf(sessiondir, PATH_MAX, "%s%d.%d.%lu", 
sessiondir_prefix, (int)uid, (int)filestat.st_dev, (long 
unsigned)filestat.st_ino) >= PATH_MAX) { // Flawfinder: ignore
++                singularity_message(ERROR, "Overly-long session directory 
specified.\n");
++                ABORT(255);
++            }
+         } else {
+             snprintf(sessiondir, sizeof(char) * PATH_MAX, 
"/tmp/.singularity-session-%d.%d.%lu", (int)uid, (int)filestat.st_dev, (long 
unsigned)filestat.st_ino); // Flawfinder: ignore
+         }
+--- a/src/util/util.c
++++ b/src/util/util.c
+@@ -136,8 +136,12 @@ char *joinpath(const char * path1, const
+         path2++;
+     }
+ 
+-    ret = (char *) malloc(strlength(tmp_path1, PATH_MAX) + strlength(path2, 
PATH_MAX) + 2);
+-    snprintf(ret, strlength(tmp_path1, PATH_MAX) + strlen(path2) + 2, 
"%s/%s", tmp_path1, path2); // Flawfinder: ignore
++    size_t ret_pathlen = strlength(tmp_path1, PATH_MAX) + strlength(path2, 
PATH_MAX) + 2;
++    ret = (char *) malloc(ret_pathlen);
++    if (snprintf(ret, ret_pathlen, "%s/%s", tmp_path1, path2) >= ret_pathlen) 
{ // Flawfinder: ignore
++        singularity_message(ERROR, "Overly-long path name.\n");
++        ABORT(255);
++    }
+ 
+     return(ret);
+ }
+@@ -147,7 +151,10 @@ char *strjoin(char *str1, char *str2) {
+     int len = strlength(str1, 2048) + strlength(str2, 2048) + 1;
+ 
+     ret = (char *) malloc(len);
+-    snprintf(ret, len, "%s%s", str1, str2); // Flawfinder: ignore
++    if (snprintf(ret, len, "%s%s", str1, str2) >= len) { // Flawfinder: ignore
++       singularity_message(ERROR, "Overly-long string encountered.\n");
++       ABORT(255);
++    }
+ 
+     return(ret);
+ }
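Review bot: The sessiondir.c hunk leaves the third branch (`"/tmp/.singularity-session-%d.%d.%lu"`) unchecked and still sized with `sizeof(char) * PATH_MAX`, inconsistent with the two branches it fixes; its output is bounded by the format, but the asymmetry invites the next edit to miss it. None of the new guards handle a negative snprintf return (encoding error): `>= PATH_MAX` and `>= len` (int) are false for -1, so the code continues with an unspecified buffer, whereas `>= ret_pathlen` (size_t) aborts only by accident of the signed-to-unsigned conversion. Capturing the result first, `int n = snprintf(...); if (n < 0 || n >= PATH_MAX) { ... }`, handles both cases uniformly in all five sites. In message.c the `header_string[94] = '\0'` style writes are redundant, since snprintf always NUL-terminates when its size is non-zero, and the hand-counted sizes (e.g. 10 on the now 95-byte header_string) should simply be `sizeof header_string` now that these are arrays. The enclosing functions all extend beyond the hunk.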
diff -Nru 
singularity-container-2.2/debian/patches/changeset_acc02b921192e7e16afe1513d5338904f8e6f907.diff
 
singularity-container-2.2/debian/patches/changeset_acc02b921192e7e16afe1513d5338904f8e6f907.diff
--- 
singularity-container-2.2/debian/patches/changeset_acc02b921192e7e16afe1513d5338904f8e6f907.diff
    1969-12-31 19:00:00.000000000 -0500
+++ 
singularity-container-2.2/debian/patches/changeset_acc02b921192e7e16afe1513d5338904f8e6f907.diff
    2017-02-09 16:27:55.000000000 -0500
@@ -0,0 +1,14 @@
+From: Gregory M. Kurtzer <gmkurt...@lbl.gov>
+Subject: Fix busybox path
+
+--- a/examples/busybox.def
++++ b/examples/busybox.def
+@@ -5,7 +5,7 @@
+ # required approvals from the U.S. Dept. of Energy).  All rights reserved.
+ 
+ BootStrap: busybox
+-MirrorURL: https://www.busybox.net/downloads/binaries/busybox-x86_64
++MirrorURL: 
https://www.busybox.net/downloads/binaries/1.26.2-defconfig-multiarch/busybox-x86_64
+ 
+ 
+ %post
diff -Nru 
singularity-container-2.2/debian/patches/changeset_b859cd8b4b9293f2a8a893ef41c5d93a5318dd6c.diff
 
singularity-container-2.2/debian/patches/changeset_b859cd8b4b9293f2a8a893ef41c5d93a5318dd6c.diff
--- 
singularity-container-2.2/debian/patches/changeset_b859cd8b4b9293f2a8a893ef41c5d93a5318dd6c.diff
    1969-12-31 19:00:00.000000000 -0500
+++ 
singularity-container-2.2/debian/patches/changeset_b859cd8b4b9293f2a8a893ef41c5d93a5318dd6c.diff
    2017-02-09 16:27:55.000000000 -0500
@@ -0,0 +1,31 @@
+From: Gregory M. Kurtzer <gmkurt...@lbl.gov>
+Subject: Minor fixup to fail over to try ext4 file system
+  Sorry, I didn't realize anyone was still using those images!
+
+--- a/src/lib/rootfs/image/image.c
++++ b/src/lib/rootfs/image/image.c
+@@ -127,16 +127,20 @@ int rootfs_image_mount(void) {
+         singularity_message(VERBOSE, "Mounting image in read/write\n");
+         singularity_priv_escalate();
+         if ( mount(loop_dev, mount_point, "ext3", MS_NOSUID, 
"errors=remount-ro") < 0 ) {
+-            singularity_message(ERROR, "Failed to mount image in 
(read/write): %s\n", strerror(errno));
+-            ABORT(255);
++            if ( mount(loop_dev, mount_point, "ext4", MS_NOSUID, 
"errors=remount-ro") < 0 ) {
++                singularity_message(ERROR, "Failed to mount image in 
(read/write): %s\n", strerror(errno));
++                ABORT(255);
++            }
+         }
+         singularity_priv_drop();
+     } else {
+         singularity_priv_escalate();
+         singularity_message(VERBOSE, "Mounting image in read/only\n");
+         if ( mount(loop_dev, mount_point, "ext3", MS_NOSUID|MS_RDONLY, 
"errors=remount-ro") < 0 ) {
+-            singularity_message(ERROR, "Failed to mount image in (read only): 
%s\n", strerror(errno));
+-            ABORT(255);
++            if ( mount(loop_dev, mount_point, "ext4", MS_NOSUID|MS_RDONLY, 
"errors=remount-ro") < 0 ) {
++                singularity_message(ERROR, "Failed to mount image in (read 
only): %s\n", strerror(errno));
++                ABORT(255);
++            }
+         }
+         singularity_priv_drop();
+     }
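Review bot: When the ext3 attempt fails and the ext4 fallback fails as well, the error message reports only the second errno, so the original ext3 failure reason (for example a genuine corruption error on an ext3 image) is lost and the diagnostic reads as an ext4 problem. Saving the first value, `int ext3_errno = errno;`, before the fallback and including both in the message, e.g. `"Failed to mount image in (read/write): ext3: %s, ext4: %s\n", strerror(ext3_errno), strerror(errno)`, keeps the diagnostic useful; the same applies to the read-only branch below it. rootfs_image_mount continues outside the hunk.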
diff -Nru 
singularity-container-2.2/debian/patches/changeset_d835fa1d20efc4aaacca4be68431d193d6625bd8.diff
 
singularity-container-2.2/debian/patches/changeset_d835fa1d20efc4aaacca4be68431d193d6625bd8.diff
--- 
singularity-container-2.2/debian/patches/changeset_d835fa1d20efc4aaacca4be68431d193d6625bd8.diff
    1969-12-31 19:00:00.000000000 -0500
+++ 
singularity-container-2.2/debian/patches/changeset_d835fa1d20efc4aaacca4be68431d193d6625bd8.diff
    2017-02-09 16:27:55.000000000 -0500
@@ -0,0 +1,76 @@
+From: Gregory M. Kurtzer <gmkurt...@lbl.gov>
+Subject: Conditionally disable MS_NODEV when running as root
+
+--- a/src/lib/rootfs/dir/dir.c
++++ b/src/lib/rootfs/dir/dir.c
+@@ -65,6 +65,7 @@ int rootfs_dir_init(char *source, char *
+ 
+ 
+ int rootfs_dir_mount(void) {
++    int opts = MS_BIND|MS_NOSUID|MS_REC;
+ 
+     if ( ( mount_point == NULL ) || ( source_dir == NULL ) ) {
+         singularity_message(ERROR, "Called image_mount but image_init() 
hasn't been called\n");
+@@ -76,9 +77,13 @@ int rootfs_dir_mount(void) {
+         ABORT(255);
+     }
+ 
++    if ( getuid() != 0 ) {
++        opts |= MS_NODEV;
++    }
++
+     singularity_priv_escalate();
+     singularity_message(DEBUG, "Mounting container directory %s->%s\n", 
source_dir, mount_point);
+-    if ( mount(source_dir, mount_point, NULL, 
MS_BIND|MS_NOSUID|MS_REC|MS_NODEV, NULL) < 0 ) {
++    if ( mount(source_dir, mount_point, NULL, opts, NULL) < 0 ) {
+         singularity_message(ERROR, "Could not mount container directory 
%s->%s: %s\n", source_dir, mount_point, strerror(errno));
+         return 1;
+     }
+@@ -88,7 +93,7 @@ int rootfs_dir_mount(void) {
+         if ( singularity_ns_user_enabled() <= 0 ) {
+             singularity_priv_escalate();
+             singularity_message(VERBOSE2, "Making mount read only: %s\n", 
mount_point);
+-            if ( mount(NULL, mount_point, NULL, 
MS_BIND|MS_NOSUID|MS_REC|MS_REMOUNT|MS_RDONLY|MS_NODEV, NULL) < 0 ) {
++            if ( mount(NULL, mount_point, NULL, opts|MS_REMOUNT|MS_RDONLY, 
NULL) < 0 ) {
+                 singularity_message(ERROR, "Could not bind read only %s: 
%s\n", mount_point, strerror(errno));
+                 ABORT(255);
+             }
+--- a/src/lib/rootfs/image/image.c
++++ b/src/lib/rootfs/image/image.c
+@@ -100,6 +100,7 @@ int rootfs_image_init(char *source, char
+ 
+ 
+ int rootfs_image_mount(void) {
++    int opts = MS_NOSUID;
+ 
+     if ( mount_point == NULL ) {
+         singularity_message(ERROR, "Called image_mount but image_init() 
hasn't been called\n");
+@@ -122,12 +123,15 @@ int rootfs_image_mount(void) {
+         ABORT(255);
+     }
+ 
++    if ( getuid() != 0 ) {
++        opts |= MS_NODEV;
++    }
+ 
+     if ( read_write > 0 ) {
+         singularity_message(VERBOSE, "Mounting image in read/write\n");
+         singularity_priv_escalate();
+-        if ( mount(loop_dev, mount_point, "ext3", MS_NOSUID|MS_NODEV, 
"errors=remount-ro") < 0 ) {
+-            if ( mount(loop_dev, mount_point, "ext4", MS_NOSUID|MS_NODEV, 
"errors=remount-ro") < 0 ) {
++        if ( mount(loop_dev, mount_point, "ext3", opts, "errors=remount-ro") 
< 0 ) {
++            if ( mount(loop_dev, mount_point, "ext4", opts, 
"errors=remount-ro") < 0 ) {
+                 singularity_message(ERROR, "Failed to mount image in 
(read/write): %s\n", strerror(errno));
+                 ABORT(255);
+             }
+@@ -136,8 +140,8 @@ int rootfs_image_mount(void) {
+     } else {
+         singularity_priv_escalate();
+         singularity_message(VERBOSE, "Mounting image in read/only\n");
+-        if ( mount(loop_dev, mount_point, "ext3", 
MS_NOSUID|MS_RDONLY|MS_NODEV, "errors=remount-ro") < 0 ) {
+-            if ( mount(loop_dev, mount_point, "ext4", 
MS_NOSUID|MS_RDONLY|MS_NODEV, "errors=remount-ro") < 0 ) {
++        if ( mount(loop_dev, mount_point, "ext3", opts|MS_RDONLY, 
"errors=remount-ro") < 0 ) {
++            if ( mount(loop_dev, mount_point, "ext4", opts|MS_RDONLY, 
"errors=remount-ro") < 0 ) {
+                 singularity_message(ERROR, "Failed to mount image in (read 
only): %s\n", strerror(errno));
+                 ABORT(255);
+             }
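Review bot: The root test `if ( getuid() != 0 )` keys the MS_NODEV exemption to the real uid at mount time, while the surrounding code goes through singularity_priv_getuid()/singularity_priv_escalate(); if the priv layer ever swaps the real uid as well as the effective one, both copies of this check (dir.c here and image.c below) would silently drop nodev for unprivileged users, which is worth confirming against the priv implementation outside the hunk. The exemption is also invisible at run time: a `singularity_message(VERBOSE, "Running as root, not applying MS_NODEV to container mount\n");` inside the `if` would leave an audit trail and make a wrong decision diagnosable. Since the stated motivation is bootstrap, consider narrowing the exemption to that code path rather than to any root invocation. Both rootfs_dir_mount and rootfs_image_mount extend beyond the hunk.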
diff -Nru 
singularity-container-2.2/debian/patches/changeset_f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d.diff
 
singularity-container-2.2/debian/patches/changeset_f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d.diff
--- 
singularity-container-2.2/debian/patches/changeset_f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d.diff
    1969-12-31 19:00:00.000000000 -0500
+++ 
singularity-container-2.2/debian/patches/changeset_f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d.diff
    2017-02-09 16:27:55.000000000 -0500
@@ -0,0 +1,67 @@
+commit f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d
+Author: Gregory M. Kurtzer <gmkurt...@lbl.gov>
+Date:   Thu Feb 2 22:37:50 2017 +0000
+
+    Utilize mount option MS_NODEV for images
+
+diff --git a/src/lib/rootfs/dir/dir.c b/src/lib/rootfs/dir/dir.c
+index c6ba1a8c..75fa6468 100644
+--- a/src/lib/rootfs/dir/dir.c
++++ b/src/lib/rootfs/dir/dir.c
+@@ -78,7 +78,7 @@ int rootfs_dir_mount(void) {
+ 
+     singularity_priv_escalate();
+     singularity_message(DEBUG, "Mounting container directory %s->%s\n", 
source_dir, mount_point);
+-    if ( mount(source_dir, mount_point, NULL, MS_BIND|MS_NOSUID|MS_REC, NULL) 
< 0 ) {
++    if ( mount(source_dir, mount_point, NULL, 
MS_BIND|MS_NOSUID|MS_REC|MS_NODEV, NULL) < 0 ) {
+         singularity_message(ERROR, "Could not mount container directory 
%s->%s: %s\n", source_dir, mount_point, strerror(errno));
+         return 1;
+     }
+@@ -88,7 +88,7 @@ int rootfs_dir_mount(void) {
+         if ( singularity_ns_user_enabled() <= 0 ) {
+             singularity_priv_escalate();
+             singularity_message(VERBOSE2, "Making mount read only: %s\n", 
mount_point);
+-            if ( mount(NULL, mount_point, NULL, 
MS_BIND|MS_NOSUID|MS_REC|MS_REMOUNT|MS_RDONLY, NULL) < 0 ) {
++            if ( mount(NULL, mount_point, NULL, 
MS_BIND|MS_NOSUID|MS_REC|MS_REMOUNT|MS_RDONLY|MS_NODEV, NULL) < 0 ) {
+                 singularity_message(ERROR, "Could not bind read only %s: 
%s\n", mount_point, strerror(errno));
+                 ABORT(255);
+             }
+diff --git a/src/lib/rootfs/image/image.c b/src/lib/rootfs/image/image.c
+index 0db44999..8f3261fd 100644
+--- a/src/lib/rootfs/image/image.c
++++ b/src/lib/rootfs/image/image.c
+@@ -126,8 +126,8 @@ int rootfs_image_mount(void) {
+     if ( read_write > 0 ) {
+         singularity_message(VERBOSE, "Mounting image in read/write\n");
+         singularity_priv_escalate();
+-        if ( mount(loop_dev, mount_point, "ext3", MS_NOSUID, 
"errors=remount-ro") < 0 ) {
+-            if ( mount(loop_dev, mount_point, "ext4", MS_NOSUID, 
"errors=remount-ro") < 0 ) {
++        if ( mount(loop_dev, mount_point, "ext3", MS_NOSUID|MS_NODEV, 
"errors=remount-ro") < 0 ) {
++            if ( mount(loop_dev, mount_point, "ext4", MS_NOSUID|MS_NODEV, 
"errors=remount-ro") < 0 ) {
+                 singularity_message(ERROR, "Failed to mount image in 
(read/write): %s\n", strerror(errno));
+                 ABORT(255);
+             }
+@@ -136,8 +136,8 @@ int rootfs_image_mount(void) {
+     } else {
+         singularity_priv_escalate();
+         singularity_message(VERBOSE, "Mounting image in read/only\n");
+-        if ( mount(loop_dev, mount_point, "ext3", MS_NOSUID|MS_RDONLY, 
"errors=remount-ro") < 0 ) {
+-            if ( mount(loop_dev, mount_point, "ext4", MS_NOSUID|MS_RDONLY, 
"errors=remount-ro") < 0 ) {
++        if ( mount(loop_dev, mount_point, "ext3", 
MS_NOSUID|MS_RDONLY|MS_NODEV, "errors=remount-ro") < 0 ) {
++            if ( mount(loop_dev, mount_point, "ext4", 
MS_NOSUID|MS_RDONLY|MS_NODEV, "errors=remount-ro") < 0 ) {
+                 singularity_message(ERROR, "Failed to mount image in (read 
only): %s\n", strerror(errno));
+                 ABORT(255);
+             }
+diff --git a/src/lib/rootfs/squashfs/squashfs.c 
b/src/lib/rootfs/squashfs/squashfs.c
+index df71f4c2..82f2dfc5 100644
+--- a/src/lib/rootfs/squashfs/squashfs.c
++++ b/src/lib/rootfs/squashfs/squashfs.c
+@@ -104,7 +104,7 @@ int rootfs_squashfs_mount(void) {
+ 
+     singularity_priv_escalate();
+     singularity_message(VERBOSE, "Mounting squashfs image\n");
+-    if ( mount(loop_dev, mount_point, "squashfs", MS_NOSUID|MS_RDONLY, 
"errors=remount-ro") < 0 ) {
++    if ( mount(loop_dev, mount_point, "squashfs", 
MS_NOSUID|MS_RDONLY|MS_NODEV, "errors=remount-ro") < 0 ) {
+         singularity_message(ERROR, "Failed to mount squashfs image in (read 
only): %s\n", strerror(errno));
+         ABORT(255);
+     }
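Review bot: MS_NODEV in the first mount() call of rootfs_dir_mount (the `MS_BIND|MS_NOSUID|MS_REC|MS_NODEV` line) has no effect: for a fresh bind mount the kernel ignores per-mount flags other than MS_REC and the new mount inherits the source's options, and the flags are honored only when combined with MS_REMOUNT. The only remount in this hunk sits inside the `singularity_ns_user_enabled() <= 0` read-only branch, so when that branch is skipped a directory-based container is bind-mounted without nodev even though the code reads as if it were set. An unconditional MS_BIND|MS_REMOUNT step right after the bind closes that gap; the same applies to the changeset_d835 patch, which rewrites these lines with `opts`. The image.c and squashfs.c loop mounts are ordinary (non-bind) mounts, where MS_NODEV takes effect as written. rootfs_dir_mount continues outside the hunk.
```c
    if ( mount(source_dir, mount_point, NULL, MS_BIND|MS_NOSUID|MS_REC|MS_NODEV, NULL) < 0 ) {
        // … unchanged: error message and return 1 …
    }
    /* Per-mount flags are ignored on a fresh bind mount; apply them via remount. */
    if ( mount(NULL, mount_point, NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV, NULL) < 0 ) {
        singularity_message(ERROR, "Could not apply nosuid,nodev to %s: %s\n", mount_point, strerror(errno));
        return 1;
    }
```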
diff -Nru singularity-container-2.2/debian/patches/series 
singularity-container-2.2/debian/patches/series
--- singularity-container-2.2/debian/patches/series     2016-11-30 
12:33:01.000000000 -0500
+++ singularity-container-2.2/debian/patches/series     2017-02-09 
16:27:55.000000000 -0500
@@ -2,3 +2,10 @@
 0001-BF-do-not-make-python-modules-not-intended-to-be-exe.patch
 0002-ENH-removed-python-shebangs-from-non-script-python-m.patch
 0001-BF-bash_completion.d-script-has-bashisms-so-use-bash.patch
+changeset_b859cd8b4b9293f2a8a893ef41c5d93a5318dd6c.diff
+changeset_f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d.diff
+changeset_d835fa1d20efc4aaacca4be68431d193d6625bd8.diff
+changeset_3a2b6537f0b1386336e29d7f763ae62374a7cb77.diff
+changeset_acc02b921192e7e16afe1513d5338904f8e6f907.diff
+changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff
+changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff
