Commit Graph

5291 Commits

Author SHA1 Message Date
Aleksa Sarai 1eea9253a1 cgroup2: io: add io.stats parsing test
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-06-01 10:47:39 +10:00
Aleksa Sarai 0fef122f87 cgroup2: io: handle 64-bit values correctly on 32-bit architectures
strconv.ParseUint(..., 0) is not really safe, because on 32-bit
architectures it will trigger runtime errors when trying to parse large
numbers (which in the case of the cgroupv2 io controller, is almost
certainly going to happen).

Fixes: 1932917b71 ("libcontainer: add initial support for cgroups v2")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-06-01 10:35:09 +10:00
Aleksa Sarai efca32c799 cgroup2: io: map io.stats to v1 blkio.stats correctly
Kubelet and cAdvisor depend on the metrics having the same values as in
cgroupv1, but we didn't correctly map the number of read and write IOs
to the correct cgroupv1 stats table (blkio.io_serviced).

In addition, don't leak any extra stats in our output -- if users need
that information we can always add a new field for it.

Reported-by: Yashpal Choudhary <yashpal.c1995@gmail.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-06-01 10:35:03 +10:00
Aleksa Sarai a2d86b7961 merge branch 'pr-2965'
Yashpal Choudhary (1):
  cgroup2: capitalize io stats read and write Op values

LGTMs: AkihiroSuda cyphar
Closes #2965
2021-05-28 14:25:55 +10:00
Aleksa Sarai 63ee74376e merge branch 'pr-2958'
Kir Kolyshkin (2)
  libct/cg/sd: fix SkipDevices for systemd
  libct/cg/sd: add SkipDevices unit test

LGTMs: mrunalp AkihiroSuda cyphar
Closes #2958
2021-05-28 14:24:05 +10:00
Akihiro Suda 960b5fdb5a Merge pull request #2961 from kolyshkin/test-dev 2021-05-27 14:33:48 +09:00
Yashpal Choudhary 49d293a56d cgroup2: capitalize io stats read and write Op values
Signed-off-by: Yashpal Choudhary <yashpal.c1995@gmail.com>
2021-05-27 03:32:01 +05:30
Kir Kolyshkin 0e16e7c202 libct/cg/sd: add SkipDevices unit test
The idea is to mimic what kubelet is doing, with minimum amount of code.

First, create a slice with SkipDevices=true. It should have access to
all devices.

Next, create a scope within the above slice, allowing access to /dev/full
only.

Check that within that scope we can only access /dev/full and not other
devices (such as /dev/null).

Repeat the test with SkipDevices=false, make sure we can not access any
devices (as they are disallowed by a parent cgroup). This is done only
to assess the test correctness.

NOTE that cgroup v1 and v2 behave differently for SkipDevices=false
case, and thus the check is different. Cgroup v1 returns EPERM on
writing to devices.allow, so cgroup manager's Set() fails, and we check
for a particular error from m.Set(). Cgroup v2 allows to create a child
cgroup, but denies access to any device (despite access being enabled)
-- so we check the error from the shell script running in that cgroup.
Again, this is only about SkipDevices=false case.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-26 10:20:24 -07:00
Akihiro Suda e005fee9d3 Merge pull request #2946 from kolyshkin/systemd-stop-timeout
libct/cg/sd: return error from stopUnit
2021-05-26 15:27:57 +09:00
Akihiro Suda 19d75e1ccb Merge pull request #2956 from kolyshkin/version
Fix/improve runc -v
2021-05-26 13:09:15 +09:00
Kir Kolyshkin f5a2c9cced tests/int/dev: only call lsblk once
The "runc run [device cgroup allow rm block device]" test calls lsblk
three times to get device name, minor and major number. This creates a
potential problem when the devices are changed between the calls.

Simplify the code by using bash read together with IFS (as there's no
way to have lsblk output MAJOR:MINOR pair without a semicolon).

Note that head -n 1 is not needed as read already reads a single line.

[v2: don't use PATH as CentOS7's lsblk does not support it.]

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-25 12:21:42 -07:00
Kir Kolyshkin aa934af087 runc -v: set default for, always show main.version
Apparently not everyone compiles runc via the provided Makefile. For
example, one can just run "go build", in which case Version variable
is left empty, which leads to:

	$ ./runc -v
	runc version spec: 1.0.2-dev
	go: go1.16.3

Surely, the main problem here is runc was built in a wrong way, but the
second problem is such output is very confusing -- it may seem that we
have runc 1.0.2.

To solve, make sure to _always_ add version (even if empty), and set the
default to "unknown".

NOTE this does not change anything in case runc is compiled via the
Makefile.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-25 12:07:12 -07:00
Qiang Huang bfcbc947d5 Merge pull request #2962 from cyphar/golint-fixes
*: clean up remaining golangci-lint failures
2021-05-25 14:10:47 +08:00
Aleksa Sarai 37767c0510 ci: lint: show all errors in PRs
It seems that golangci-lint didn't warn us about new lint errors that
were added after we enabled it, so just run the full thing and give us
all the errors on every PR run -- as long as we keep master lint-clean
it doesn't matter whether we set this or not.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-05-25 14:33:02 +10:00
Aleksa Sarai 07ca0be07b *: clean up remaining golangci-lint failures
Most of these were false positives or cases where we want to ignore the
lint, but the change to the BPF generation is actually useful.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-05-25 14:19:39 +10:00
Aleksa Sarai ed4781029f merge branch 'pr-2781'
Sebastiaan van Stijn (7):
  errcheck: utils
  errcheck: signals
  errcheck: tty
  errcheck: libcontainer
  errcheck: libcontainer/nsenter
  errcheck: libcontainer/configs
  errcheck: libcontainer/integration

LGTM: AkihiroSuda cyphar
Closes #2781
2021-05-25 12:31:52 +10:00
Kir Kolyshkin 752e7a8249 libct/cg/sd: fix SkipDevices for systemd
Commit 108ee85b82 adds SkipDevices flag, which is used by kubernetes
to create cgroups for pods.

Unfortunately the above commit falls short, and systemd DevicePolicy and
DeviceAllow properties are still set, which requires kubernetes to set
"allow everything" rule.

This commit fixes this: if SkipDevices flag is set, we return
Device* properties to allow all devices.

Fixes: 108ee85b82
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-24 17:00:37 -07:00
Akihiro Suda e051128219 Merge pull request #2951 from cyphar/cgroup2-devices-cleanup
cgroup2: devices filtering cleanup
2021-05-24 21:52:42 +09:00
Aleksa Sarai 00119c85a9 integration: add repeated "runc update" test
This is to ensure that we aren't leaking eBPF programs after "runc
update". Unfortunately we cannot directly test the behaviour of cgroup
program updates in an integration test because "runc update" doesn't
support that behaviour at the moment.

So instead we rely on the fact that each "runc update" implicitly
triggers the devices rules to be updated. Without the previous patches
applied, this new test will fail with errors (on cgroupv2 systems).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-05-23 17:55:24 +10:00
Aleksa Sarai d0f2c25f52 cgroup2: devices: replace all existing filters when attaching
In the normal cases (only one existing filter or no existing filters),
just make use of BPF_F_REPLACE if there is one existing filter. However
if there is more than one filter applied, we should probably remove all
other filters since the alternative is that we will never remove our old
filters.

The only two other viable ways of solving this problem would be to use
BPF pins to either pin the eBPF program using a predictable name (so we
can always only replace *our* programs) or to switch away from custom
programs and instead use eBPF maps (which are pinned) and thus we just
update the map conntents to update the ruleset. Unfortunately these both
would add a hard requirement of bpffs and would require at least a minor
rewrite of the eBPF filtering code -- which is better left for another
time.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-05-23 17:55:19 +10:00
Aleksa Sarai 98a3c0e4db cgroup2: devices: switch to emulator for cgroupv1 parity
There were several issues with the previous cgroupv2 devices filter
generator implementation, stemming from the previous implementation
using a few too many tricks to implement the correct cgroup behaviour
(rules were handled in reverse order, with wildcards having particularly
special interpretations). As a result, some slightly odd configurations
with rules in specific orders could result in incorrect filters being
generated.

By switching to the emulator which is already used by cgroupv1, we can
guarantee that the behaviour of filters in both cgroup versions will be
identical, as well as making use of the hardenings in the emulator (not
allowing users to add deny rules the kernel will ignore).

(Note that because the ordering of the devices emulator rules is
deterministic and based on the rule value, the existing test rules had
to be reordered slightly.)

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-05-23 17:55:15 +10:00
Aleksa Sarai dcc1cf7c1c devices: add emulator.Rules shorthand
The devices cgroup emulator is also useful for removing unneeded rules
as well as computing what the final default-allow state of the filter
will be (allow-list or deny-list).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-05-23 17:55:12 +10:00
Aleksa Sarai 54904516e6 libcontainer: fix integration failure in "make test"
When running inside a Docker container, systemd is not available. The
new TestFdLeaksSystemd forgot to include the relevant t.Skip section.

Fixes: a7feb42395 ("libct/int: add TestFdLeaksSystemd")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-05-23 17:55:09 +10:00
Aleksa Sarai c7c70ce810 *: clean t.Skip messages
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-05-23 17:53:01 +10:00
Mrunal Patel 211aceec3b Merge pull request #2957 from haircommander/export-RangeToBits
libctr/cg/systemd: export rangeToBits
2021-05-21 13:36:16 -04:00
Peter Hunt a95237f816 libctr/cg/systemd: export rangeToBits
It's both a useful function, and sufficiently complex to discourage copying

Signed-off-by: Peter Hunt <pehunt@redhat.com>
2021-05-21 10:18:34 -04:00
Sebastiaan van Stijn df0206a6b3 errcheck: utils
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-20 14:19:34 +02:00
Sebastiaan van Stijn 0c65f833ef errcheck: signals
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-20 14:19:32 +02:00
Sebastiaan van Stijn 3b31e3eaac errcheck: tty
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-20 14:19:30 +02:00
Sebastiaan van Stijn b45fbd43b8 errcheck: libcontainer
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-20 14:19:26 +02:00
Sebastiaan van Stijn 463ee5e19a errcheck: libcontainer/nsenter
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-20 14:17:47 +02:00
Sebastiaan van Stijn 7e7ff8722a errcheck: libcontainer/configs
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-20 14:17:45 +02:00
Sebastiaan van Stijn a899505377 errcheck: libcontainer/integration
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-20 14:17:40 +02:00
Kir Kolyshkin fdc28957f5 Makefile: use git describe for $COMMIT
Use "git describe --dirty --long" instead of "git rev-parse". As a
result, the commit ID will contain the closest tag, the number of commits
since the tag, and the (abbreviated) git commit sha (see example below).

NOTE that this tag is still unique and can be used instead of bare sha
for all git commands.

Example output of "runc -v | grep commit".

Before:
 commit: 4d87573871

After:
 commit: v1.0.0-rc95-9-g6f55d074

This means that
 - the closest tag is v1.0.0-rc95
 - there were 9 commits after the tag
 - the abbreviated sha is 6f55d074

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-19 23:42:29 -07:00
Akihiro Suda 4d87573871 Merge pull request #2940 from kolyshkin/intelrdt-unit-test
libct/intelrdt: fix unit test
2021-05-20 13:43:20 +09:00
Aleksa Sarai 57d353df7b merge branch 'pr-2955'
Kir Kolyshkin (3):
  libct/cg/fs2: setFreezer: wait until frozen
  libct/cg/fs2: optimize setFreezer more
  libct/cg/fs2: optimize setFreezer

LGTMs: cyphar AkihiroSuda
Closes #2955
2021-05-20 14:25:41 +10:00
Kir Kolyshkin b93666ebc1 libct/cg/fs2: setFreezer: wait until frozen
According to cgroup v2 documentation [1]:

> Freezing of the cgroup may take some time; when this action is
> completed, the “frozen” value in the cgroup.events control file will
> be updated to “1” and the corresponding notification will be issued.

Implement polling of cgroup.events, waiting for "frozen 1" to appear.
In case something goes wrong, limit the maximum number of retries and
return "undefined" after some time (currently 10s).

[1] https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v2.html

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-19 12:15:24 -07:00
Kir Kolyshkin 1069e4e9da libct/cg/fs2: optimize setFreezer more
Before this patch, setFreezer does

- open/read/close (to check if the freezer is supported)
- open/write/close (to set the value)
- open/read/close (to check the value)

Three opens is a bit excessive. Refactor to only open the file once:

- open (to check if the freezer is supported)
- write (to set the value)
- seek/read (to check the value)
- close

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-19 12:10:56 -07:00
Kir Kolyshkin 5d193188db libct/cg/fs2: optimize setFreezer
In case configs.Undefined or any wrong value is passed, there is no need
to check whether the freezer is supported.

Move arguments check to the beginning to avoid an unnecessary call to
supportFreezer().

While at it, simplify the "whether to return an error if freezer is not
supported" check.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-19 12:10:56 -07:00
Aleksa Sarai d3e5303429 Merge branch 'release-rc95'
Aleksa Sarai (3):
  VERSION: back to development
  VERSION: release v1.0.0-rc95
  rootfs: add mount destination validation

LGTMs: cyphar kolyshkin mrunalp AkihiroSuda
Closes GHSA-c3xm-pvg7-gh7r CVE-2021-30465
2021-05-19 19:20:54 +10:00
Aleksa Sarai 8a7a374f5b VERSION: back to development
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-05-19 16:59:42 +10:00
Aleksa Sarai b9ee9c6314 VERSION: release v1.0.0-rc95
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
v1.0.0-rc95
2021-05-19 16:59:00 +10:00
Aleksa Sarai 0ca91f44f1 rootfs: add mount destination validation
Because the target of a mount is inside a container (which may be a
volume that is shared with another container), there exists a race
condition where the target of the mount may change to a path containing
a symlink after we have sanitised the path -- resulting in us
inadvertently mounting the path outside of the container.

This is not immediately useful because we are in a mount namespace with
MS_SLAVE mount propagation applied to "/", so we cannot mount on top of
host paths in the host namespace. However, if any subsequent mountpoints
in the configuration use a subdirectory of that host path as a source,
those subsequent mounts will use an attacker-controlled source path
(resolved within the host rootfs) -- allowing the bind-mounting of "/"
into the container.

While arguably configuration issues like this are not entirely within
runc's threat model, within the context of Kubernetes (and possibly
other container managers that provide semi-arbitrary container creation
privileges to untrusted users) this is a legitimate issue. Since we
cannot block mounting from the host into the container, we need to block
the first stage of this attack (mounting onto a path outside the
container).

The long-term plan to solve this would be to migrate to libpathrs, but
as a stop-gap we implement libpathrs-like path verification through
readlink(/proc/self/fd/$n) and then do mount operations through the
procfd once it's been verified to be inside the container. The target
could move after we've checked it, but if it is inside the container
then we can assume that it is safe for the same reason that libpathrs
operations would be safe.

A slight wrinkle is the "copyup" functionality we provide for tmpfs,
which is the only case where we want to do a mount on the host
filesystem. To facilitate this, I split out the copy-up functionality
entirely so that the logic isn't interspersed with the regular tmpfs
logic. In addition, all dependencies on m.Destination being overwritten
have been removed since that pattern was just begging to be a source of
more mount-target bugs (we do still have to modify m.Destination for
tmpfs-copyup but we only do it temporarily).

Fixes: CVE-2021-30465
Reported-by: Etienne Champetier <champetier.etienne@gmail.com>
Co-authored-by: Noah Meyerhans <nmeyerha@amazon.com>
Reviewed-by: Samuel Karp <skarp@amazon.com>
Reviewed-by: Kir Kolyshkin <kolyshkin@gmail.com> (@kolyshkin)
Reviewed-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-05-19 16:58:35 +10:00
Aleksa Sarai c01a56034f merge branch 'pr-2954'
Giuseppe Scrivano (1):
  libcontainer: honor seccomp defaultErrnoRet

LGTMs: kolyshkin cyphar
Closes #2954
2021-05-18 17:00:37 +10:00
Giuseppe Scrivano c61f606254 libcontainer: honor seccomp defaultErrnoRet
https://github.com/opencontainers/runtime-spec/pull/1087 added support
for defaultErrnoRet to the OCI runtime specs.

If a defaultErrnoRet is specified, disable patching the generated
libseccomp cBPF.

Closes: https://github.com/opencontainers/runc/issues/2943

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-05-17 09:23:32 +02:00
Mrunal Patel 5c4ccc2f72 Merge pull request #2938 from kolyshkin/libct-int-nts
libcontainer/integration: nits
2021-05-14 19:15:38 -04:00
Mrunal Patel 5fe1e98a49 Merge pull request #2945 from kolyshkin/update-sh
ci/gha: bump shfmt and shellcheck
2021-05-14 19:14:30 -04:00
Mrunal Patel 0b6d3e5e8e Merge pull request #2932 from kolyshkin/ci-go116
CI: bump go 1.16, bats 1.3.0
2021-05-14 19:14:12 -04:00
Kir Kolyshkin 33c9f8b9c7 libct/cg/sd: return error from stopUnit
Historically, we never returned an error from failed startUnit
or stopUnit. The startUnit case was fixed by commit 3844789.

It is time to fix stopUnit, too. The reasons are:

1. Ignoring an error from stopUnit means an unexpected trouble down the
   road, for example a failure to create a container with the same name:

   > time="2021-05-07T19:51:27Z" level=error msg="container_linux.go:380: starting container process caused: process_linux.go:385: applying cgroup configuration for process caused: Unit runc-test_busybox.scope already exists."

2. A somewhat short timeout of 1 second means the cgroup might
   actually be removed a few seconds later but we might have a
   race between removing the cgroup and creating another one
   with the same name, resulting in the same error as amove.

So, return an error if removal failed, and increase the timeout.

Now, modify the systemd cgroup v1 manager to not mask the error from
stopUnit (stopErr) with the subsequent one from cgroups.RemovePath,
as stopErr is most probably the reason why RemovePath failed.

Note that for v1 we do want to remove the paths even in case of a
failure from stopUnit, as some were not created by systemd.
There's no need to do that for v2, thanks to unified hierarchy,
so no changes there.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-12 11:40:21 -07:00
Kir Kolyshkin d519da5eb0 Dockerfile, Vagrantfile.centos7, .github: bats 1.3.0
Bump from bats 1.2.1 to 1.3.0.

Changes: https://github.com/bats-core/bats-core/releases/tag/v1.3.0

NOTE we're already using bats 1.3.0 on Fedora CI.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-12 11:34:54 -07:00