base repository: opencontainers/runc
base: 28d2e4747af079c73af08708fa78522a9142de7d
..
head repository: opencontainers/runc
compare: 39bb12c88273ecd878b8cd4d940e3836f7180ba0
Showing with 12,175 additions and 2,332 deletions.
  1. +1 −1 .cirrus.yml
  2. +1 −1 .github/workflows/validate.yml
  3. +47 −3 CHANGELOG.md
  4. +1 −1 Dockerfile
  5. +1 −1 VERSION
  6. +1 −1 contrib/cmd/memfd-bind/README.md
  7. +4 −4 contrib/cmd/memfd-bind/memfd-bind@.service
  8. +7 −7 go.mod
  9. +18 −16 go.sum
  10. +0 −3 libcontainer/capabilities/capabilities.go
  11. +16 −3 libcontainer/container_linux.go
  12. +20 −3 libcontainer/dmz/cloned_binary_linux.go
  13. +115 −0 libcontainer/dmz/overlayfs_linux.go
  14. +0 −22 libcontainer/nsenter/nsenter_test.go
  15. +0 −7 libcontainer/nsenter/nsexec.c
  16. +0 −44 libcontainer/process_linux.go
  17. +30 −20 libcontainer/rootfs_linux.go
  18. +15 −0 libcontainer/utils/utils_unix.go
  19. +5 −5 tests/integration/cgroups.bats
  20. +56 −17 tests/integration/helpers.bash
  21. +4 −12 tests/integration/run.bats
  22. +0 −4 tests/integration/selinux.bats
  23. +2 −0 tests/integration/update.bats
  24. +62 −0 vendor/github.com/cpuguy83/go-md2man/v2/md2man/debug.go
  25. +11 −2 vendor/github.com/cpuguy83/go-md2man/v2/md2man/md2man.go
  26. +136 −64 vendor/github.com/cpuguy83/go-md2man/v2/md2man/roff.go
  27. +1 −1 vendor/github.com/moby/sys/mountinfo/mounted_linux.go
  28. +1 −4 vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go
  29. +8 −8 vendor/github.com/opencontainers/selinux/go-selinux/label/label_stub.go
  30. +8 −7 vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
  31. +23 −23 vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
  32. +2 −2 vendor/github.com/opencontainers/selinux/go-selinux/xattrs_linux.go
  33. +4 −2 vendor/github.com/opencontainers/selinux/pkg/pwalkdir/README.md
  34. +7 −0 vendor/github.com/opencontainers/selinux/pkg/pwalkdir/pwalkdir.go
  35. +1 −0 vendor/github.com/vishvananda/netlink/.gitignore
  36. +0 −19 vendor/github.com/vishvananda/netlink/.travis.yml
  37. +1 −1 vendor/github.com/vishvananda/netlink/README.md
  38. +1 −0 vendor/github.com/vishvananda/netlink/addr.go
  39. +53 −45 vendor/github.com/vishvananda/netlink/addr_linux.go
  40. +24 −0 vendor/github.com/vishvananda/netlink/bpf_linux.go
  41. +41 −4 vendor/github.com/vishvananda/netlink/bridge_linux.go
  42. +22 −0 vendor/github.com/vishvananda/netlink/chain.go
  43. +112 −0 vendor/github.com/vishvananda/netlink/chain_linux.go
  44. +44 −14 vendor/github.com/vishvananda/netlink/class.go
  45. +28 −12 vendor/github.com/vishvananda/netlink/class_linux.go
  46. +560 −52 vendor/github.com/vishvananda/netlink/conntrack_linux.go
  47. +19 −0 vendor/github.com/vishvananda/netlink/conntrack_unspecified.go
  48. +892 −5 vendor/github.com/vishvananda/netlink/devlink_linux.go
  49. +161 −23 vendor/github.com/vishvananda/netlink/filter.go
  50. +424 −111 vendor/github.com/vishvananda/netlink/filter_linux.go
  51. +42 −3 vendor/github.com/vishvananda/netlink/handle_linux.go
  52. +31 −1 vendor/github.com/vishvananda/netlink/handle_unspecified.go
  53. +40 −0 vendor/github.com/vishvananda/netlink/inet_diag.go
  54. +581 −0 vendor/github.com/vishvananda/netlink/ipset_linux.go
  55. +396 −43 vendor/github.com/vishvananda/netlink/link.go
  56. +1,018 −69 vendor/github.com/vishvananda/netlink/link_linux.go
  57. +1 −0 vendor/github.com/vishvananda/netlink/neigh.go
  58. +66 −19 vendor/github.com/vishvananda/netlink/neigh_linux.go
  59. +53 −1 vendor/github.com/vishvananda/netlink/netlink_unspecified.go
  60. +3 −3 vendor/github.com/vishvananda/netlink/netns_linux.go
  61. +4 −10 vendor/github.com/vishvananda/netlink/nl/addr_linux.go
  62. +43 −2 vendor/github.com/vishvananda/netlink/nl/conntrack_linux.go
  63. +110 −8 vendor/github.com/vishvananda/netlink/nl/devlink_linux.go
  64. +21 −0 vendor/github.com/vishvananda/netlink/nl/ip6tnl_linux.go
  65. +227 −0 vendor/github.com/vishvananda/netlink/nl/ipset_linux.go
  66. +212 −4 vendor/github.com/vishvananda/netlink/nl/link_linux.go
  67. +29 −0 vendor/github.com/vishvananda/netlink/nl/lwt_linux.go
  68. +297 −49 vendor/github.com/vishvananda/netlink/nl/nl_linux.go
  69. +79 −0 vendor/github.com/vishvananda/netlink/nl/parse_attr_linux.go
  70. +4 −0 vendor/github.com/vishvananda/netlink/nl/rdma_link_linux.go
  71. +3 −1 vendor/github.com/vishvananda/netlink/nl/route_linux.go
  72. +2 −2 vendor/github.com/vishvananda/netlink/nl/seg6_linux.go
  73. +4 −0 vendor/github.com/vishvananda/netlink/nl/seg6local_linux.go
  74. +9 −1 vendor/github.com/vishvananda/netlink/nl/syscall.go
  75. +742 −5 vendor/github.com/vishvananda/netlink/nl/tc_linux.go
  76. +41 −0 vendor/github.com/vishvananda/netlink/nl/vdpa_linux.go
  77. +9 −1 vendor/github.com/vishvananda/netlink/nl/xfrm_linux.go
  78. +28 −1 vendor/github.com/vishvananda/netlink/nl/xfrm_state_linux.go
  79. +208 −0 vendor/github.com/vishvananda/netlink/proc_event_linux.go
  80. +16 −8 vendor/github.com/vishvananda/netlink/protinfo.go
  81. +4 −0 vendor/github.com/vishvananda/netlink/protinfo_linux.go
  82. +74 −18 vendor/github.com/vishvananda/netlink/qdisc.go
  83. +134 −14 vendor/github.com/vishvananda/netlink/qdisc_linux.go
  84. +82 −15 vendor/github.com/vishvananda/netlink/rdma_link_linux.go
  85. +74 −20 vendor/github.com/vishvananda/netlink/route.go
  86. +857 −89 vendor/github.com/vishvananda/netlink/route_linux.go
  87. +10 −0 vendor/github.com/vishvananda/netlink/route_unspecified.go
  88. +45 −5 vendor/github.com/vishvananda/netlink/rule.go
  89. +145 −14 vendor/github.com/vishvananda/netlink/rule_linux.go
  90. +8 −0 vendor/github.com/vishvananda/netlink/rule_nonlinux.go
  91. +77 −0 vendor/github.com/vishvananda/netlink/socket.go
  92. +456 −28 vendor/github.com/vishvananda/netlink/socket_linux.go
  93. +195 −0 vendor/github.com/vishvananda/netlink/socket_xdp_linux.go
  94. +92 −0 vendor/github.com/vishvananda/netlink/tcp.go
  95. +368 −0 vendor/github.com/vishvananda/netlink/tcp_linux.go
  96. +27 −0 vendor/github.com/vishvananda/netlink/unix_diag.go
  97. +463 −0 vendor/github.com/vishvananda/netlink/vdpa_linux.go
  98. +132 −0 vendor/github.com/vishvananda/netlink/virtio.go
  99. +34 −0 vendor/github.com/vishvananda/netlink/xdp_diag.go
  100. +46 −0 vendor/github.com/vishvananda/netlink/xdp_linux.go
  101. +1 −1 vendor/github.com/vishvananda/netlink/{xfrm.go → xfrm_linux.go}
  102. +0 −96 vendor/github.com/vishvananda/netlink/xfrm_policy.go
  103. +107 −6 vendor/github.com/vishvananda/netlink/xfrm_policy_linux.go
  104. +0 −131 vendor/github.com/vishvananda/netlink/xfrm_state.go
  105. +221 −15 vendor/github.com/vishvananda/netlink/xfrm_state_linux.go
  106. +7 −0 vendor/github.com/vishvananda/netlink/xfrm_unspecified.go
  107. +2 −0 vendor/github.com/vishvananda/netns/.golangci.yml
  108. +1 −0 vendor/github.com/vishvananda/netns/README.md
  109. +9 −0 vendor/github.com/vishvananda/netns/doc.go
  110. +115 −65 vendor/github.com/vishvananda/netns/netns_linux.go
  111. +17 −0 vendor/github.com/vishvananda/netns/{netns_unspecified.go → netns_others.go}
  112. +12 −19 vendor/github.com/vishvananda/netns/{netns.go → nshandle_linux.go}
  113. +45 −0 vendor/github.com/vishvananda/netns/nshandle_others.go
  114. +0 −102 vendor/golang.org/x/sys/execabs/execabs.go
  115. +0 −17 vendor/golang.org/x/sys/execabs/execabs_go118.go
  116. +0 −20 vendor/golang.org/x/sys/execabs/execabs_go119.go
  117. +2 −2 vendor/google.golang.org/protobuf/encoding/prototext/decode.go
  118. +12 −8 vendor/google.golang.org/protobuf/encoding/prototext/encode.go
  119. +1 −0 vendor/google.golang.org/protobuf/internal/descfmt/stringer.go
  120. +10 −10 vendor/google.golang.org/protobuf/internal/descopts/options.go
  121. BIN vendor/google.golang.org/protobuf/internal/editiondefaults/editions_defaults.binpb
  122. +2 −2 vendor/google.golang.org/protobuf/internal/encoding/tag/tag.go
  123. +1 −1 vendor/google.golang.org/protobuf/internal/encoding/text/decode.go
  124. +18 −3 vendor/google.golang.org/protobuf/internal/errors/errors.go
  125. +63 −29 vendor/google.golang.org/protobuf/internal/filedesc/desc.go
  126. +41 −4 vendor/google.golang.org/protobuf/internal/filedesc/desc_init.go
  127. +11 −40 vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go
  128. +11 −0 vendor/google.golang.org/protobuf/internal/filedesc/desc_list_gen.go
  129. +19 −5 vendor/google.golang.org/protobuf/internal/filedesc/editions.go
  130. +1 −0 vendor/google.golang.org/protobuf/internal/filedesc/placeholder.go
  131. +2 −2 vendor/google.golang.org/protobuf/internal/filetype/build.go
  132. +43 −6 vendor/google.golang.org/protobuf/internal/genid/descriptor_gen.go
  133. +1 −1 vendor/google.golang.org/protobuf/internal/genid/doc.go
  134. +11 −6 vendor/google.golang.org/protobuf/internal/genid/go_features_gen.go
  135. +1 −1 vendor/google.golang.org/protobuf/internal/genid/map_entry.go
  136. +1 −1 vendor/google.golang.org/protobuf/internal/genid/wrappers.go
  137. +3 −3 vendor/google.golang.org/protobuf/internal/impl/api_export.go
  138. +1 −1 vendor/google.golang.org/protobuf/internal/impl/checkinit.go
  139. +23 −10 vendor/google.golang.org/protobuf/internal/impl/codec_extension.go
  140. +50 −17 vendor/google.golang.org/protobuf/internal/impl/codec_field.go
  141. +13 −2 vendor/google.golang.org/protobuf/internal/impl/codec_map.go
  142. +3 −0 vendor/google.golang.org/protobuf/internal/impl/codec_message.go
  143. +22 −0 vendor/google.golang.org/protobuf/internal/impl/codec_messageset.go
  144. +0 −210 vendor/google.golang.org/protobuf/internal/impl/codec_reflect.go
  145. +0 −3 vendor/google.golang.org/protobuf/internal/impl/codec_unsafe.go
  146. +2 −2 vendor/google.golang.org/protobuf/internal/impl/convert.go
  147. +1 −1 vendor/google.golang.org/protobuf/internal/impl/convert_list.go
  148. +1 −1 vendor/google.golang.org/protobuf/internal/impl/convert_map.go
  149. +43 −7 vendor/google.golang.org/protobuf/internal/impl/encode.go
  150. +224 −0 vendor/google.golang.org/protobuf/internal/impl/equal.go
  151. +4 −4 vendor/google.golang.org/protobuf/internal/impl/extension.go
  152. +2 −1 vendor/google.golang.org/protobuf/internal/impl/legacy_enum.go
  153. +2 −1 vendor/google.golang.org/protobuf/internal/impl/legacy_extension.go
  154. +2 −2 vendor/google.golang.org/protobuf/internal/impl/legacy_file.go
  155. +9 −5 vendor/google.golang.org/protobuf/internal/impl/legacy_message.go
  156. +6 −6 vendor/google.golang.org/protobuf/internal/impl/message.go
  157. +22 −23 vendor/google.golang.org/protobuf/internal/impl/message_reflect.go
  158. +84 −62 vendor/google.golang.org/protobuf/internal/impl/message_reflect_gen.go
  159. +0 −215 vendor/google.golang.org/protobuf/internal/impl/pointer_reflect.go
  160. +2 −5 vendor/google.golang.org/protobuf/internal/impl/pointer_unsafe.go
  161. +2 −2 vendor/google.golang.org/protobuf/internal/order/range.go
  162. +0 −28 vendor/google.golang.org/protobuf/internal/strs/strings_pure.go
  163. +1 −2 vendor/google.golang.org/protobuf/internal/strs/strings_unsafe_go120.go
  164. +1 −2 vendor/google.golang.org/protobuf/internal/strs/strings_unsafe_go121.go
  165. +2 −2 vendor/google.golang.org/protobuf/internal/version/version.go
  166. +2 −0 vendor/google.golang.org/protobuf/proto/decode.go
  167. +38 −6 vendor/google.golang.org/protobuf/proto/encode.go
  168. +9 −0 vendor/google.golang.org/protobuf/proto/equal.go
  169. +81 −7 vendor/google.golang.org/protobuf/proto/extension.go
  170. +6 −1 vendor/google.golang.org/protobuf/proto/messageset.go
  171. +2 −0 vendor/google.golang.org/protobuf/proto/size.go
  172. +10 −0 vendor/google.golang.org/protobuf/reflect/protoreflect/methods.go
  173. +1 −1 vendor/google.golang.org/protobuf/reflect/protoreflect/proto.go
  174. +21 −0 vendor/google.golang.org/protobuf/reflect/protoreflect/source_gen.go
  175. +9 −3 vendor/google.golang.org/protobuf/reflect/protoreflect/type.go
  176. +0 −60 vendor/google.golang.org/protobuf/reflect/protoreflect/value_pure.go
  177. +7 −7 vendor/google.golang.org/protobuf/reflect/protoreflect/value_union.go
  178. +4 −5 vendor/google.golang.org/protobuf/reflect/protoreflect/value_unsafe_go120.go
  179. +5 −6 vendor/google.golang.org/protobuf/reflect/protoreflect/value_unsafe_go121.go
  180. +7 −7 vendor/google.golang.org/protobuf/reflect/protoregistry/registry.go
  181. +18 −0 vendor/google.golang.org/protobuf/runtime/protoiface/methods.go
  182. +10 −11 vendor/modules.txt
2 changes: 1 addition & 1 deletion .cirrus.yml
@@ -77,7 +77,7 @@ task:
env:
HOME: /root
CIRRUS_WORKING_DIR: /home/runc
GO_VERSION: "1.22"
GO_VERSION: "1.23"
BATS_VERSION: "v1.9.0"
RPMS: gcc git iptables jq glibc-static libseccomp-devel make criu fuse-sshfs container-selinux
# yamllint disable rule:key-duplicates
2 changes: 1 addition & 1 deletion .github/workflows/validate.yml
@@ -8,7 +8,7 @@ on:
- release-*
pull_request:
env:
GO_VERSION: 1.22.x
GO_VERSION: 1.23.x
permissions:
contents: read

50 changes: 47 additions & 3 deletions CHANGELOG.md
@@ -6,6 +6,48 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased]

## [1.2.0] - 2024-10-22

> できるときにできることをやるんだ。それが今だ。
### Added
* In order to alleviate the remaining concerns around the memory usage and
(arguably somewhat unimportant, but measurable) performance overhead of
memfds for cloning `/proc/self/exe`, we have added a new protection using
`overlayfs` that is used if you have enough privileges and the running
kernel supports it. It has effectively no performance nor memory overhead
(compared to no cloning at all). (#4448)

### Fixed
* The original fix for [CVE-2024-45310][cve-2024-45310] was intentionally very
limited in scope to make it easier to review, however it also did not handle
all possible `os.MkdirAll` cases and thus could lead to regressions. We have
switched to the more complete implementation in the newer versions of
`github.com/cyphar/filepath-securejoin`. (#4393, #4400, #4421, #4430)
* In certain situations (a system with lots of mounts or racing mounts) we
could accidentally end up leaking mounts from the container into the host.
This has been fixed. (#4417)
* The fallback logic for `O_TMPFILE` clones of `/proc/self/exe` had a minor
bug that would cause us to miss non-`noexec` directories and thus fail to
start containers on some systems. (#4444)
* Sometimes the cloned `/proc/self/exe` file descriptor could be placed in a
way that it would get clobbered by the Go runtime. We had a fix for this
already but it turns out it could still break in rare circumstances, but it
has now been fixed. (#4294, #4452)

### Changed
* It is not possible for `runc kill` to work properly in some specific
configurations (such as rootless containers with no cgroups and a shared pid
namespace). We now output a warning for such configurations. (#4398)
* memfd-bind: update the documentation and make path handling with the systemd
unit more idiomatic. (#4428)
* We now use v0.16 of Cilium's eBPF library, including fixes that quite a few
downstreams asked for. (#4397, #4396)
* Some internal `runc init` synchronisation that was no longer necessary (due
to the `/proc/self/exe` cloning move to Go) was removed. (#4441)

[cve-2024-45310]: https://github.com/opencontainers/runc/security/advisories/GHSA-jfvp-7x6p-h2pv

## [1.2.0-rc.3] - 2024-09-02

> The supreme happiness of life is the conviction that we are loved.
@@ -16,8 +58,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
maliciously configured containers to create empty files and directories on
the host.

[cve-2024-45310]: https://github.com/opencontainers/runc/security/advisories/GHSA-jfvp-7x6p-h2pv

### Added

* Document build prerequisites for different platforms. (#4353)
@@ -41,6 +81,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
* Makefile: Don't read COMMIT, BUILDTAGS, `EXTRA_BUILDTAGS` from env vars.
(#4380)

[cve-2024-45310]: https://github.com/opencontainers/runc/security/advisories/GHSA-jfvp-7x6p-h2pv

## [1.2.0-rc.2] - 2024-06-26

> TRUE or FALSE, it's a problem!
@@ -802,7 +844,8 @@ implementation (libcontainer) is *not* covered by this policy.
cgroups at all during `runc update`). (#2994)

<!-- minor releases -->
[Unreleased]: https://github.com/opencontainers/runc/compare/v1.2.0-rc.3...HEAD
[Unreleased]: https://github.com/opencontainers/runc/compare/v1.2.0...HEAD
[1.2.0]: https://github.com/opencontainers/runc/compare/v1.2.0-rc.1...v1.2.0
[1.1.0]: https://github.com/opencontainers/runc/compare/v1.1.0-rc.1...v1.1.0
[1.0.0]: https://github.com/opencontainers/runc/releases/tag/v1.0.0

@@ -831,6 +874,7 @@ implementation (libcontainer) is *not* covered by this policy.
[1.1.0-rc.1]: https://github.com/opencontainers/runc/compare/v1.0.0...v1.1.0-rc.1

<!-- 1.2.z patch releases -->
[Unreleased 1.2.z]: https://github.com/opencontainers/runc/compare/v1.2.0...release-1.2
[1.2.0-rc.3]: https://github.com/opencontainers/runc/compare/v1.2.0-rc.2...v1.2.0-rc.3
[1.2.0-rc.2]: https://github.com/opencontainers/runc/compare/v1.2.0-rc.1...v1.2.0-rc.2
[1.2.0-rc.1]: https://github.com/opencontainers/runc/compare/v1.1.0...v1.2.0-rc.1
2 changes: 1 addition & 1 deletion Dockerfile
@@ -1,4 +1,4 @@
ARG GO_VERSION=1.22
ARG GO_VERSION=1.23
ARG BATS_VERSION=v1.9.0
ARG LIBSECCOMP_VERSION=2.5.5

2 changes: 1 addition & 1 deletion VERSION
@@ -1 +1 @@
1.2.0-rc.3+dev
1.2.0+dev
2 changes: 1 addition & 1 deletion contrib/cmd/memfd-bind/README.md
@@ -25,7 +25,7 @@ The provided `memfd-bind@.service` file can be used to get systemd to manage
this daemon. You can supply the path like so:

```
% systemctl start memfd-bind@/usr/bin/runc
% systemctl start memfd-bind@$(systemd-escape -p /usr/bin/runc)
```

Thus, there are three ways of protecting against CVE-2019-5736, in order of how
8 changes: 4 additions & 4 deletions contrib/cmd/memfd-bind/memfd-bind@.service
@@ -1,11 +1,11 @@
[Unit]
Description=Manage memfd-bind of %I
Documentation=https://github.com/opencontainers/runc
Description=Manage memfd-bind of %f
Documentation=https://github.com/opencontainers/runc/blob/main/contrib/cmd/memfd-bind/README.md

[Service]
Type=simple
ExecStart=memfd-bind "%I"
ExecStop=memfd-bind --cleanup "%I"
ExecStart=memfd-bind "%f"
ExecStop=memfd-bind --cleanup "%f"

[Install]
WantedBy=multi-user.target
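Review bot: `Type=simple` (unchanged context in this hunk) makes systemd mark the unit active as soon as memfd-bind is forked, before it has necessarily sealed the memfd and bound it over `%f`, so a unit ordered `After=memfd-bind@….service` can briefly exec the unprotected binary; `%f` itself looks consistent with the README's `systemd-escape -p` instance names, which it expands back to the absolute path. If memfd-bind can signal readiness, `Type=notify` would close that window; if it cannot, I would at least record the caveat in the unit: `# NOTE: Type=simple -- the bind may not be complete when the unit reports active.` I cannot tell from this diff whether memfd-bind implements sd_notify, so treat the first option as something to confirm against the daemon.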
14 changes: 7 additions & 7 deletions go.mod
@@ -15,25 +15,25 @@ require (
github.com/cyphar/filepath-securejoin v0.3.4
github.com/docker/go-units v0.5.0
github.com/godbus/dbus/v5 v5.1.0
github.com/moby/sys/mountinfo v0.7.1
github.com/moby/sys/mountinfo v0.7.2
github.com/moby/sys/user v0.3.0
github.com/moby/sys/userns v0.1.0
github.com/mrunalp/fileutils v0.5.1
github.com/opencontainers/runtime-spec v1.2.0
github.com/opencontainers/selinux v1.11.0
github.com/opencontainers/selinux v1.11.1
github.com/seccomp/libseccomp-golang v0.10.0
github.com/sirupsen/logrus v1.9.3
github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
github.com/urfave/cli v1.22.14
github.com/vishvananda/netlink v1.1.0
github.com/urfave/cli v1.22.16
github.com/vishvananda/netlink v1.3.0
golang.org/x/net v0.24.0
golang.org/x/sys v0.22.0
google.golang.org/protobuf v1.33.0
google.golang.org/protobuf v1.35.1
)

require (
github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
github.com/cpuguy83/go-md2man/v2 v2.0.5 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df // indirect
github.com/vishvananda/netns v0.0.4 // indirect
golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 // indirect
)
34 changes: 18 additions & 16 deletions go.sum
@@ -1,4 +1,4 @@
github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
github.com/checkpoint-restore/go-criu/v6 v6.3.0 h1:mIdrSO2cPNWQY1truPg6uHLXyKHk3Z5Odx4wjKOASzA=
github.com/checkpoint-restore/go-criu/v6 v6.3.0/go.mod h1:rrRTN/uSwY2X+BPRl/gkulo9gsKOSAeVp9/K2tv7xZI=
github.com/cilium/ebpf v0.16.0 h1:+BiEnHL6Z7lXnlGUsXQPPAE7+kenAd4ES8MQ5min0Ok=
@@ -7,8 +7,9 @@ github.com/containerd/console v1.0.4 h1:F2g4+oChYvBTsASRTz8NP6iIAi97J3TtSAsLbIFn
github.com/containerd/console v1.0.4/go.mod h1:YynlIjWYF8myEu6sdkwKIvGQq+cOckRm6So2avqoYAk=
github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
github.com/cpuguy83/go-md2man/v2 v2.0.2 h1:p1EgwI/C7NhT0JmVkwCD2ZBK8j4aeHQX2pMHHBfMQ6w=
github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
github.com/cpuguy83/go-md2man/v2 v2.0.5 h1:ZtcqGrnekaHpVLArFSe4HK5DoKx1T0rq2DwVB0alcyc=
github.com/cpuguy83/go-md2man/v2 v2.0.5/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
github.com/cyphar/filepath-securejoin v0.3.4 h1:VBWugsJh2ZxJmLFSM06/0qzQyiQX2Qs0ViKrUAcqdZ8=
github.com/cyphar/filepath-securejoin v0.3.4/go.mod h1:8s/MCNJREmFK0H02MF6Ihv1nakJe4L/w3WZLHNkvlYM=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -38,8 +39,8 @@ github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/
github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw=
github.com/mdlayher/socket v0.4.1 h1:eM9y2/jlbs1M615oshPQOHZzj6R6wMT7bX5NPiQvn2U=
github.com/mdlayher/socket v0.4.1/go.mod h1:cAqeGjoufqdxWkD7DkpyS+wcefOtmu5OQ8KuoJGIReA=
github.com/moby/sys/mountinfo v0.7.1 h1:/tTvQaSJRr2FshkhXiIpux6fQ2Zvc4j7tAhMTStAG2g=
github.com/moby/sys/mountinfo v0.7.1/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI=
github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg=
github.com/moby/sys/mountinfo v0.7.2/go.mod h1:1YOa8w8Ih7uW0wALDUgT1dTTSBrZ+HiBLGws92L2RU4=
github.com/moby/sys/user v0.3.0 h1:9ni5DlcW5an3SvRSx4MouotOygvzaXbaSrc/wGDFWPo=
github.com/moby/sys/user v0.3.0/go.mod h1:bG+tYYYJgaMtRKgEmuueC0hJEAZWwtIbZTB+85uoHjs=
github.com/moby/sys/userns v0.1.0 h1:tVLXkFOxVu9A64/yh59slHVv9ahO9UIev4JZusOLG/g=
@@ -48,8 +49,8 @@ github.com/mrunalp/fileutils v0.5.1 h1:F+S7ZlNKnrwHfSwdlgNSkKo67ReVf8o9fel6C3dkm
github.com/mrunalp/fileutils v0.5.1/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
github.com/opencontainers/runtime-spec v1.2.0 h1:z97+pHb3uELt/yiAWD691HNHQIF07bE7dzrbT927iTk=
github.com/opencontainers/runtime-spec v1.2.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
github.com/opencontainers/selinux v1.11.0 h1:+5Zbo97w3Lbmb3PeqQtpmTkMwsW5nRI3YaLpt7tQ7oU=
github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
github.com/opencontainers/selinux v1.11.1 h1:nHFvthhM0qY8/m+vfhJylliSshm8G1jJ2jDMcgULaH8=
github.com/opencontainers/selinux v1.11.1/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
@@ -65,6 +66,7 @@ github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
@@ -73,30 +75,30 @@ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsT
github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI=
github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
github.com/urfave/cli v1.22.14 h1:ebbhrRiGK2i4naQJr+1Xj92HXZCrK7MsyTS/ob3HnAk=
github.com/urfave/cli v1.22.14/go.mod h1:X0eDS6pD6Exaclxm99NJ3FiCDRED7vIHpx2mDOHLvkA=
github.com/vishvananda/netlink v1.1.0 h1:1iyaYNBLmP6L0220aDnYQpo1QEV4t4hJ+xEEhhJH8j0=
github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE=
github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df h1:OviZH7qLw/7ZovXvuNyL3XQl8UFofeikI1NW1Gypu7k=
github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU=
github.com/urfave/cli v1.22.16 h1:MH0k6uJxdwdeWQTwhSO42Pwr4YLrNLwBtg1MRgTqPdQ=
github.com/urfave/cli v1.22.16/go.mod h1:EeJR6BKodywf4zciqrdw6hpCPk68JO9z5LazXZMn5Po=
github.com/vishvananda/netlink v1.3.0 h1:X7l42GfcV4S6E4vHTsw48qbrV+9PVojNfIhZcwQdrZk=
github.com/vishvananda/netlink v1.3.0/go.mod h1:i6NetklAujEcC6fK0JPjT8qSwWyO0HLn4UKG+hGqeJs=
github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 h1:Jvc7gsqn21cJHCmAWx0LiimpP18LZmUxkT5Mp7EZ1mI=
golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w=
golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8=
golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA=
google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
3 changes: 0 additions & 3 deletions libcontainer/capabilities/capabilities.go
@@ -65,9 +65,6 @@ func New(capConfig *configs.Capabilities) (*Caps, error) {
if c.pid, err = capability.NewPid2(0); err != nil {
return nil, err
}
if err = c.pid.Load(); err != nil {
return nil, err
}
if len(unknownCaps) > 0 {
logrus.Warn("ignoring unknown or unavailable capabilities: ", mapKeys(unknownCaps))
}
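Review bot: With `c.pid.Load()` removed, `c.pid` from `NewPid2(0)` is an empty in-memory capability set until something fills it, so any reader of `c.pid` other than the later apply step (presumably the only consumer, but I cannot see it from this hunk) would now observe no capabilities instead of the process's current ones. If the justification is that every set is overwritten from `capConfig` before `c.pid` is applied, that is worth saying at the call site so the next reader does not reintroduce the Load(): `// No Load() needed: every capability set is replaced from capConfig before c.pid is applied.` New's body starts and ends outside the hunk.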
19 changes: 16 additions & 3 deletions libcontainer/container_linux.go
@@ -19,7 +19,6 @@ import (
"github.com/opencontainers/runtime-spec/specs-go"
"github.com/sirupsen/logrus"
"github.com/vishvananda/netlink/nl"
"golang.org/x/sys/execabs"
"golang.org/x/sys/unix"

"github.com/opencontainers/runc/libcontainer/cgroups"
@@ -618,6 +617,8 @@ func (c *Container) newParentProcess(p *Process) (parentProcess, error) {
)
}

// TODO: After https://go-review.googlesource.com/c/go/+/515799 included
// in go versions supported by us, we can remove this logic.
if safeExe != nil {
// Due to a Go stdlib bug, we need to add safeExe to the set of
// ExtraFiles otherwise it is possible for the stdlib to clobber the fd
@@ -628,6 +629,18 @@ func (c *Container) newParentProcess(p *Process) (parentProcess, error) {
//
// See <https://github.com/golang/go/issues/61751>.
cmd.ExtraFiles = append(cmd.ExtraFiles, safeExe)

// There is a race situation when we are opening a file, if there is a
// small fd was closed at that time, maybe it will be reused by safeExe.
// Because of Go stdlib fds shuffling bug, if the fd of safeExe is too
// small, go stdlib will dup3 it to another fd, or dup3 a other fd to this
// fd, then it will cause the fd type cmd.Path refers to a random path,
// and it can lead to an error "permission denied" when starting the process.
// Please see #4294.
// So we should not use the original fd of safeExe, but use the fd after
// shuffled by Go stdlib. Because Go stdlib will guarantee this fd refers to
// the correct file.
cmd.Path = "/proc/self/fd/" + strconv.Itoa(stdioFdCount+len(cmd.ExtraFiles)-1)
}

// NOTE: when running a container with no PID namespace and the parent
@@ -1113,7 +1126,7 @@ func (c *Container) bootstrapData(cloneFlags uintptr, nsMaps map[configs.Namespa
// We resolve the paths for new{u,g}idmap from
// the context of runc to avoid doing a path
// lookup in the nsexec context.
if path, err := execabs.LookPath("newuidmap"); err == nil {
if path, err := exec.LookPath("newuidmap"); err == nil {
r.AddData(&Bytemsg{
Type: UidmapPathAttr,
Value: []byte(path),
@@ -1141,7 +1154,7 @@ func (c *Container) bootstrapData(cloneFlags uintptr, nsMaps map[configs.Namespa
Value: b,
})
if c.config.RootlessEUID {
if path, err := execabs.LookPath("newgidmap"); err == nil {
if path, err := exec.LookPath("newgidmap"); err == nil {
r.AddData(&Bytemsg{
Type: GidmapPathAttr,
Value: []byte(path),
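Review bot: The fd number baked into `cmd.Path` by `strconv.Itoa(stdioFdCount+len(cmd.ExtraFiles)-1)` is only meaningful inside the child, after os/exec has dup'd `ExtraFiles[i]` onto fd 3+i; in the parent, `/proc/self/fd/N` for that N can name an unrelated file, so nothing between that assignment and `cmd.Start()` may stat, open or log `cmd.Path` expecting the sealed binary. The arithmetic also silently assumes `stdioFdCount` is 3 (presumably stdin/stdout/stderr) and that safeExe keeps its index in `cmd.ExtraFiles` (appending later is fine; inserting before it is not), and I would record both next to the line: `// NOTE: only valid in the child, where os/exec places ExtraFiles[i] on fd 3+i; keep safeExe's index stable.` The TODO above it would be more actionable if it named the first Go release carrying CL 515799, since this same diff moves CI to Go 1.23; I could not confirm from here which release that is. newParentProcess starts and ends outside the hunk.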
23 changes: 20 additions & 3 deletions libcontainer/dmz/cloned_binary_linux.go
@@ -64,9 +64,6 @@ func Memfd(comment string) (*os.File, SealFunc, error) {
}

func sealFile(f **os.File) error {
if err := (*f).Chmod(0o511); err != nil {
return err
}
// When sealing an O_TMPFILE-style descriptor we need to
// re-open the path as O_PATH to clear the existing write
// handle we have.
@@ -108,6 +105,9 @@ func mktemp(dir string) (*os.File, SealFunc, error) {
if err := os.Remove(file.Name()); err != nil {
return nil, nil, fmt.Errorf("unlinking classic tmpfile: %w", err)
}
if err := file.Chmod(0o511); err != nil {
return nil, nil, fmt.Errorf("chmod classic tmpfile: %w", err)
}
var stat unix.Stat_t
if err := unix.Fstat(int(file.Fd()), &stat); err != nil {
return nil, nil, fmt.Errorf("cannot fstat classic tmpfile: %w", err)
@@ -212,6 +212,23 @@ func IsCloned(exe *os.File) bool {
// make sure the container process can never resolve the original runc binary.
// For more details on why this is necessary, see CVE-2019-5736.
func CloneSelfExe(tmpDir string) (*os.File, error) {
// Try to create a temporary overlayfs to produce a readonly version of
// /proc/self/exe that cannot be "unwrapped" by the container. In contrast
// to CloneBinary, this technique does not require any extra memory usage
// and does not have the (fairly noticeable) performance impact of copying
// a large binary file into a memfd.
//
// Based on some basic performance testing, the overlayfs approach has
// effectively no performance overhead (it is on par with both
// MS_BIND+MS_RDONLY and no binary cloning at all) while memfd copying adds
// around ~60% overhead during container startup.
overlayFile, err := sealedOverlayfs("/proc/self/exe", tmpDir)
if err == nil {
logrus.Debug("runc-dmz: using overlayfs for sealed /proc/self/exe") // used for tests
return overlayFile, nil
}
logrus.WithError(err).Debugf("could not use overlayfs for /proc/self/exe sealing -- falling back to making a temporary copy")

selfExe, err := os.Open("/proc/self/exe")
if err != nil {
return nil, fmt.Errorf("opening current binary: %w", err)