microsoft · jslobodzian · Nov 25, 2025 · Nov 18, 2025 · Nov 18, 2025 · Nov 24, 2025
@@ -0,0 +1,111 @@
+From 46223b256bfb3f42e193d947d1b1ef551260749f Mon Sep 17 00:00:00 2001
+From: Akihiro Suda <[email protected]>
+Date: Mon, 27 Oct 2025 16:42:59 +0900
+Subject: [PATCH] Fix directory permissions
+
+- Create /var/lib/containerd with 0o700 (was: 0o711).
+- Create config.TempDir with 0o700 (was: 0o711).
+- Create /run/containerd/io.containerd.grpc.v1.cri with 0o700 (was: 0o755).
+- Create /run/containerd/io.containerd.sandbox.controller.v1.shim with 0o700 (was: 0o711).
+- Leave /run/containerd and /run/containerd/io.containerd.runtime.v2.task created with 0o711,
+  as required by userns-remapped containers.
+  /run/containerd/io.containerd.runtime.v2.task/<NS>/<ID> is created with:
+  - 0o700 for non-userns-remapped containers
+  - 0o710 for userns-remapped containers with the remapped root group as the owner group.
+
+Signed-off-by: Akihiro Suda <[email protected]>
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: https://github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c352bfec5.patch
+---
+ cmd/containerd/server/server.go | 14 ++++++++++++--
+ core/runtime/v2/task_manager.go |  2 ++
+ plugins/cri/runtime/plugin.go   |  7 +++++++
+ plugins/sandbox/controller.go   |  6 +++++-
+ 4 files changed, 26 insertions(+), 3 deletions(-)
+
+diff --git a/cmd/containerd/server/server.go b/cmd/containerd/server/server.go
+index 9f38cb3..c9e3698 100644
+--- a/cmd/containerd/server/server.go
++++ b/cmd/containerd/server/server.go
+@@ -81,10 +81,16 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error {
+ 		return errors.New("root and state must be different paths")
+ 	}
+
+-	if err := sys.MkdirAllWithACL(config.Root, 0o711); err != nil {
++	if err := sys.MkdirAllWithACL(config.Root, 0o700); err != nil {
++		return err
++	}
++	// chmod is needed for upgrading from an older release that created the dir with 0o711
++	if err := os.Chmod(config.Root, 0o700); err != nil {
+ 		return err
+ 	}
+
++	// For supporting userns-remapped containers, the state dir cannot be just mkdired with 0o700.
++	// Each of plugins creates a dedicated directory beneath the state dir with appropriate permission bits.
+ 	if err := sys.MkdirAllWithACL(config.State, 0o711); err != nil {
+ 		return err
+ 	}
+@@ -99,7 +105,11 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error {
+ 	}
+
+ 	if config.TempDir != "" {
+-		if err := sys.MkdirAllWithACL(config.TempDir, 0o711); err != nil {
++		if err := sys.MkdirAllWithACL(config.TempDir, 0o700); err != nil {
++			return err
++		}
++		// chmod is needed for upgrading from an older release that created the dir with 0o711
++		if err := os.Chmod(config.Root, 0o700); err != nil {
+ 			return err
+ 		}
+ 		if runtime.GOOS == "windows" {
+diff --git a/core/runtime/v2/task_manager.go b/core/runtime/v2/task_manager.go
+index f396ced..024763a 100644
+--- a/core/runtime/v2/task_manager.go
++++ b/core/runtime/v2/task_manager.go
+@@ -74,6 +74,8 @@ func init() {
+ 			shimManager := shimManagerI.(*ShimManager)
+ 			root, state := ic.Properties[plugins.PropertyRootDir], ic.Properties[plugins.PropertyStateDir]
+ 			for _, d := range []string{root, state} {
++				// root:  the parent of this directory is created as 0o700, not 0o711.
++				// state: the parent of this directory is created as 0o711 too, so as to support userns-remapped containers.
+ 				if err := os.MkdirAll(d, 0711); err != nil {
+ 					return nil, err
+ 				}
+diff --git a/plugins/cri/runtime/plugin.go b/plugins/cri/runtime/plugin.go
+index adc64d9..07f64a1 100644
+--- a/plugins/cri/runtime/plugin.go
++++ b/plugins/cri/runtime/plugin.go
+@@ -91,6 +91,13 @@ func initCRIRuntime(ic *plugin.InitContext) (interface{}, error) {
+ 	rootDir := filepath.Join(containerdRootDir, "io.containerd.grpc.v1.cri")
+ 	containerdStateDir := filepath.Dir(ic.Properties[plugins.PropertyStateDir])
+ 	stateDir := filepath.Join(containerdStateDir, "io.containerd.grpc.v1.cri")
++	if err := os.MkdirAll(stateDir, 0o700); err != nil {
++		return nil, err
++	}
++	// chmod is needed for upgrading from an older release that created the dir with 0o755
++	if err := os.Chmod(stateDir, 0o700); err != nil {
++		return nil, err
++	}
+ 	c := criconfig.Config{
+ 		RuntimeConfig:      *pluginConfig,
+ 		ContainerdRootDir:  containerdRootDir,
+diff --git a/plugins/sandbox/controller.go b/plugins/sandbox/controller.go
+index aec9cc3..165f2e8 100644
+--- a/plugins/sandbox/controller.go
++++ b/plugins/sandbox/controller.go
+@@ -68,7 +68,11 @@ func init() {
+ 			state := ic.Properties[plugins.PropertyStateDir]
+ 			root := ic.Properties[plugins.PropertyRootDir]
+ 			for _, d := range []string{root, state} {
+-				if err := os.MkdirAll(d, 0711); err != nil {
++				if err := os.MkdirAll(d, 0700); err != nil {
++					return nil, err
++				}
++				// chmod is needed for upgrading from an older release that created the dir with 0o711
++				if err := os.Chmod(d, 0o700); err != nil {
+ 					return nil, err
+ 				}
+ 			}
+-- 
+2.45.4
+
@@ -5,7 +5,7 @@
 Summary: Industry-standard container runtime
 Name: %{upstream_name}2
 Version: 2.0.0
-Release: 15%{?dist}
+Release: 16%{?dist}
 License: ASL 2.0
 Group: Tools/Container
 URL: https://www.containerd.io
@@ -23,7 +23,8 @@ Patch3:	CVE-2025-22872.patch
 Patch4:	CVE-2025-47291.patch
 Patch5:	multi-snapshotters-support.patch
 Patch6:	tardev-support.patch
-Patch7:	CVE-2025-64329.patch
+Patch7: CVE-2024-25621.patch
+Patch8: CVE-2025-64329.patch
 %{?systemd_requires}
 
 BuildRequires: golang < 1.25
@@ -99,9 +100,12 @@ fi
 %dir /opt/containerd/lib
 
 %changelog
-* Sat Nov 08 2025 Azure Linux Security Servicing Account <[email protected]> - 2.0.0-15
+* Mon Nov 24 2025 Azure Linux Security Servicing Account <[email protected]> - 2.0.0-16
 - Patch for CVE-2025-64329
 
+* Tue Nov 11 2025 Azure Linux Security Servicing Account <[email protected]> - 2.0.0-15
+- Patch for CVE-2024-25621
+
 * Sun Aug 31 2025 Andrew Phelps <[email protected]> - 2.0.0-14
 - Set BR for golang to < 1.25