Merge pull request #3882 from dtrudg/prep-4.3.5-ghsa

Prepare 4.3.5 release / pick GHSA-wwrx-w7c9-rf87 fixes

Author: dtrudg

.circleci/config.yml

@@ -6,7 +6,7 @@ orbs:
 parameters:
   go-version:
     type: string
-    default: '1.25.3'
+    default: '1.25.4'
 
 executors:
   node:

CHANGELOG.md

@@ -1,5 +1,15 @@
 # SingularityCE Changelog
 
+## 4.3.5 \[2025-12-02\]
+
+### Security Related Fixes
+
+- Fix for [CVE-2025-64750 /
+  GHSA-wwrx-w7c9-rf87](https://github.com/sylabs/singularity/security/advisories/GHSA-wwrx-w7c9-rf87)
+  Ineffective application of selinux / apparmor LSM process labels via the
+  `--security` flag.
+- Dependencies updated.
+
 ## 4.3.4 \[2025-10-14\]
 
 ### Security Related Fixes

INSTALL.md

@@ -227,11 +227,11 @@ git submodule update --init
 By default your clone will be on the `main` branch which is where development
 of SingularityCE happens. To build a specific version of SingularityCE, check
 out a [release tag](https://github.com/sylabs/singularity/tags) before
-compiling. E.g. to build the 4.3.3 release, checkout the
-`v4.3.3` tag:
+compiling. E.g. to build the 4.3.5 release, checkout the
+`v4.3.5` tag:
 
 ```sh
-git checkout --recurse-submodules v4.3.3
+git checkout --recurse-submodules v4.3.5
 ```
 
 ## Compiling SingularityCE

e2e/security/security.go

@@ -8,6 +8,7 @@ package security
 import (
 	"fmt"
 	"os"
+	"os/exec"
 	"testing"
 
 	"github.com/sylabs/singularity/v4/e2e/internal/e2e"
@@ -231,6 +232,124 @@ func (c ctx) testSecurityConfOwnership(t *testing.T) {
 	)
 }
 
+// testApparmor tests the apparmor security flag.
+func (c ctx) testApparmor(t *testing.T) {
+	require.Apparmor(t)
+	e2e.EnsureImage(t, c.env)
+
+	tests := []struct {
+		name       string
+		image      string
+		argv       []string
+		opts       []string
+		expectOp   e2e.SingularityCmdResultOp
+		expectExit int
+	}{
+		// apparmor
+		// Uses the profile for /usr/bin/man which will block `ls` in container root.
+		{
+			name:     "apparmor applied",
+			argv:     []string{"cat", "/proc/self/attr/current"},
+			opts:     []string{"--security", "apparmor:/usr/bin/man"},
+			expectOp: e2e.ExpectOutput(e2e.ExactMatch, "/usr/bin/man (enforce)"),
+		},
+		{
+			name:       "apparmor denial",
+			argv:       []string{"ls", "/"},
+			opts:       []string{"--security", "apparmor:/usr/bin/man"},
+			expectExit: 1,
+			expectOp:   e2e.ExpectError(e2e.ContainMatch, "Permission denied"),
+		},
+	}
+
+	for _, profile := range e2e.NativeProfiles {
+		t.Run(profile.String(), func(t *testing.T) {
+			for _, tt := range tests {
+				optArgs := []string{}
+				optArgs = append(optArgs, tt.opts...)
+				optArgs = append(optArgs, c.env.ImagePath)
+				optArgs = append(optArgs, tt.argv...)
+
+				c.env.RunSingularity(
+					t,
+					e2e.AsSubtest(tt.name),
+					e2e.WithProfile(profile),
+					e2e.WithCommand("exec"),
+					e2e.WithArgs(optArgs...),
+					e2e.ExpectExit(tt.expectExit, tt.expectOp),
+				)
+			}
+		})
+	}
+}
+
+// testSELinux tests the selinux security flag.
+func (c ctx) testSELinux(t *testing.T) {
+	require.Selinux(t)
+	require.Command(t, "chcon")
+	e2e.EnsureImage(t, c.env)
+
+	sandbox, cleanup := e2e.MakeTempDir(t, c.env.TestDir, "sandbox-", "")
+	defer cleanup(t)
+	// convert test image to sandbox
+	c.env.RunSingularity(
+		t,
+		e2e.WithProfile(e2e.UserProfile),
+		e2e.WithCommand("build"),
+		e2e.WithArgs("--force", "--sandbox", sandbox, c.env.ImagePath),
+		e2e.ExpectExit(0),
+	)
+	// label as `container_ro_t`
+	cmd := exec.Command("chcon", "-R", "-t", "container_ro_file_t", sandbox)
+	if err := cmd.Run(); err != nil {
+		t.Fatalf("while labeling sandbox: %v", err)
+	}
+
+	tests := []struct {
+		name       string
+		image      string
+		argv       []string
+		opts       []string
+		expectOp   e2e.SingularityCmdResultOp
+		expectExit int
+	}{
+		// selinux
+		// Uses the container_t label which will block `ls` in /tmp bind from host.
+		{
+			name:     "selinux applied",
+			argv:     []string{"cat", "/proc/self/attr/current"},
+			opts:     []string{"--security", "selinux:unconfined_u:unconfined_r:container_t:s0"},
+			expectOp: e2e.ExpectOutput(e2e.ContainMatch, "unconfined_u:unconfined_r:container_t:s0"),
+		},
+		{
+			name:       "selinux denial",
+			argv:       []string{"ls", "/tmp"},
+			opts:       []string{"--security", "selinux:unconfined_u:unconfined_r:container_t:s0"},
+			expectExit: 1,
+			expectOp:   e2e.ExpectError(e2e.ContainMatch, "Permission denied"),
+		},
+	}
+	for _, profile := range e2e.NativeProfiles {
+		t.Run(profile.String(), func(t *testing.T) {
+			for _, tt := range tests {
+				optArgs := []string{}
+				optArgs = append(optArgs, tt.opts...)
+				optArgs = append(optArgs, sandbox)
+				optArgs = append(optArgs, tt.argv...)
+
+				c.env.RunSingularity(
+					t,
+					e2e.AsSubtest(tt.name),
+					e2e.WithProfile(profile),
+					e2e.WithCommand("exec"),
+					e2e.WithArgs(optArgs...),
+					e2e.ExpectExit(tt.expectExit, tt.expectOp),
+				)
+			}
+		})
+	}
+}
+
 // E2ETests is the main func to trigger the test suite
 func E2ETests(env e2e.TestEnv) testhelper.Tests {
 	c := ctx{
@@ -243,6 +362,8 @@ func E2ETests(env e2e.TestEnv) testhelper.Tests {
 		"singularitySecurityUnpriv": c.testSecurityUnpriv,
 		"singularitySecurityPriv":   c.testSecurityPriv,
 		"testSecurityConfOwnership": np(c.testSecurityConfOwnership),
+		"testApparmor":              c.testApparmor,
+		"testSELinux":               c.testSELinux,
 		// OCI-Mode
 		"ociCapabilities": c.ociCapabilities,
 	}

internal/pkg/runtime/engine/singularity/container_linux.go

@@ -1146,6 +1146,25 @@ func (c *container) addKernelMount(system *mount.System) error {
 	} else {
 		sylog.Verbosef("Skipping /sys mount")
 	}
+
+	// /sys/fs/selinux must be available for opencontainers/selinux.GetEnabled() to detect SELinux.
+	if c.engine.EngineConfig.OciConfig.Process.SelinuxLabel != "" {
+		sylog.Debugf("SELinux requested, ensuring /sys/fs/selinux mount available.")
+
+		if !c.engine.EngineConfig.File.MountSys || c.engine.EngineConfig.GetNoSys() {
+			return fmt.Errorf("SELinux requested, but /sys mount disabled by configuration")
+		}
+
+		if c.userNS {
+			sylog.Debugf("/sys/fs/selinux available via /sys bind")
+		} else {
+			if err := system.Points.AddFS(mount.KernelTag, "/sys/fs/selinux", "selinuxfs", syscall.MS_NOSUID|syscall.MS_NODEV|syscall.MS_NOEXEC, ""); err != nil {
+				return fmt.Errorf("unable to add sys/fs/selinux to mount list: %s", err)
+			}
+			sylog.Verbosef("Default mount: /sys/fs/selinux")
+		}
+	}
+
 	return nil
 }
 

internal/pkg/security/apparmor/apparmor_supported.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2018-2022, Sylabs Inc. All rights reserved.
+// Copyright (c) 2018-2025, Sylabs Inc. All rights reserved.
 // This software is licensed under a 3-clause BSD license. Please consult the
 // LICENSE.md file distributed with the sources of this project regarding your
 // rights to use or distribute this software.
@@ -10,6 +10,10 @@ package apparmor
 import (
 	"fmt"
 	"os"
+
+	"github.com/cyphar/filepath-securejoin/pathrs-lite"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/procfs"
+	"golang.org/x/sys/unix"
 )
 
 // Enabled returns whether AppArmor is enabled.
@@ -23,7 +27,23 @@ func Enabled() bool {
 
 // LoadProfile loads the specified AppArmor profile.
 func LoadProfile(profile string) error {
-	f, err := os.OpenFile("/proc/self/attr/exec", os.O_WRONLY, 0)
+	// We must make sure we are actually opening and writing to a real attr/exec
+	// in a real procfs so that the profile takes effect. Using
+	// pathrs-lite/procfs as below accomplishes this.
+	proc, err := procfs.OpenProcRoot()
+	if err != nil {
+		return err
+	}
+	defer proc.Close()
+
+	attrExec, closer, err := proc.OpenThreadSelf("attr/exec")
+	if err != nil {
+		return err
+	}
+	defer closer()
+	defer attrExec.Close()
+
+	f, err := pathrs.Reopen(attrExec, unix.O_WRONLY|unix.O_CLOEXEC)
 	if err != nil {
 		return err
 	}

internal/pkg/security/security.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2018-2020, Sylabs Inc. All rights reserved.
+// Copyright (c) 2018-2025, Sylabs Inc. All rights reserved.
 // This software is licensed under a 3-clause BSD license. Please consult the
 // LICENSE.md file distributed with the sources of this project regarding your
 // rights to use or distribute this software.
@@ -28,15 +28,15 @@ func Configure(config *specs.Spec) error {
 					return err
 				}
 			} else {
-				sylog.Warningf("selinux is not enabled or supported on this system")
+				return fmt.Errorf("selinux requested, but is not enabled or supported on this system")
 			}
 		} else if config.Process.ApparmorProfile != "" {
 			if apparmor.Enabled() {
 				if err := apparmor.LoadProfile(config.Process.ApparmorProfile); err != nil {
 					return err
 				}
 			} else {
-				sylog.Warningf("apparmor is not enabled or supported on this system")
+				return fmt.Errorf("apparmor requested, but is not enabled or supported on this system")
 			}
 		}
 	}
@@ -46,7 +46,7 @@ func Configure(config *specs.Spec) error {
 				return err
 			}
 		} else {
-			sylog.Warningf("seccomp requested but not enabled, seccomp library is missing or too old")
+			return fmt.Errorf("seccomp requested but not enabled, seccomp library is missing or too old")
 		}
 	}
 	return nil

internal/pkg/security/security_test.go

@@ -1,20 +1,18 @@
-// Copyright (c) 2019, Sylabs Inc. All rights reserved.
+// Copyright (c) 2019-2025, Sylabs Inc. All rights reserved.
 // This software is licensed under a 3-clause BSD license. Please consult the
 // LICENSE.md file distributed with the sources of this project regarding your
 // rights to use or distribute this software.
 
 package security
 
 import (
-	"os"
 	"runtime"
 	"testing"
 
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/sylabs/singularity/v4/internal/pkg/security/apparmor"
 	"github.com/sylabs/singularity/v4/internal/pkg/security/selinux"
 	"github.com/sylabs/singularity/v4/internal/pkg/test"
-	"github.com/sylabs/singularity/v4/internal/pkg/util/mainthread"
 )
 
 func TestGetParam(t *testing.T) {
@@ -89,6 +87,16 @@ func TestConfigure(t *testing.T) {
 			},
 			disabled: !selinux.Enabled(),
 		},
+		{
+			desc: "SELinux when not available",
+			spec: specs.Spec{
+				Process: &specs.Process{
+					SelinuxLabel: "unconfined_u:unconfined_r:unconfined_t:s0",
+				},
+			},
+			expectFailure: true,
+			disabled:      selinux.Enabled(),
+		},
 		{
 			desc: "with bad apparmor profile",
 			spec: specs.Spec{
@@ -108,6 +116,16 @@ func TestConfigure(t *testing.T) {
 			},
 			disabled: !apparmor.Enabled(),
 		},
+		{
+			desc: "apparmor when not available",
+			spec: specs.Spec{
+				Process: &specs.Process{
+					ApparmorProfile: "unconfined",
+				},
+			},
+			expectFailure: true,
+			disabled:      apparmor.Enabled(),
+		},
 	}
 
 	for _, s := range specs {
@@ -118,9 +136,9 @@ func TestConfigure(t *testing.T) {
 
 			var err error
 
-			mainthread.Execute(func() {
-				err = Configure(&s.spec)
-			})
+			runtime.LockOSThread()
+			defer runtime.UnlockOSThread()
+			err = Configure(&s.spec)
 
 			if err != nil && !s.expectFailure {
 				t.Errorf("unexpected failure %s: %s", s.desc, err)
@@ -130,18 +148,3 @@ func TestConfigure(t *testing.T) {
 		})
 	}
 }
-
-func init() {
-	runtime.LockOSThread()
-}
-
-func TestMain(m *testing.M) {
-	go func() {
-		os.Exit(m.Run())
-	}()
-
-	// run functions requiring execution in main thread
-	for f := range mainthread.FuncChannel {
-		f()
-	}
-}