Commit Graph

6201 Commits

Author SHA1 Message Date
Kir Kolyshkin a1610b56a4 Merge pull request #4305 from lifubang/backport-cs8eol
[1.1] ci: workaround for centos stream 8 being EOLed
2024-06-04 10:44:40 -07:00
Kir Kolyshkin 9629fd9554 ci: workaround for centos stream 8 being EOLed
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 48c4e733f4)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-06-04 18:21:52 +08:00
Kir Kolyshkin 20ef9762da Merge pull request #4300 from lifubang/backport-codespell-2.3.0
[1.1] Fix codespell warnings
2024-06-03 17:02:16 -07:00
Kir Kolyshkin 3b7fcf76ef ci: pin codespell
CI should not fail and require attention every time a new codespell
version is released.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit b24fc9d2c4)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-06-03 09:04:41 +08:00
Kir Kolyshkin f8f7defa85 Fix codespell warnings
./features.go:30: tru ==> through, true
...
./utils_linux.go:147: infront ==> in front

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 177c7d4f59)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-06-02 06:51:39 +08:00
lfbzhm a12f444afb Merge pull request #4284 from kolyshkin/1.1-fix-4094
[1.1] libct/cg/fs: fix setting rt_period vs rt_runtime
2024-05-24 13:30:19 +08:00
Kir Kolyshkin 860f05f307 libct/cg/fs: fix setting rt_period vs rt_runtime
The issue is the same as in commit 1b2adcf but for RT scheduler;
the fix is also the same.

Test case by ls-ggg.

Co-authored-by: ls-ggg <335814617@qq.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit b60079e2e59670b8babd653002d8f469064fb244)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-05-21 09:54:44 -07:00
Kir Kolyshkin 9244703011 Merge pull request #4277 from lifubang/backport-4265-nofilerlimit
[1.1] Fix set nofile rlimit error
2024-05-20 14:20:11 -07:00
Akihiro Suda 51dc972864 Merge pull request #4231 from kolyshkin/1.1-3349
[1.1] runc list: fix race with runc delete
2024-05-18 02:47:23 +09:00
lifubang c918058bb7 fix comments for ClearRlimitNofileCache
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit a35f7d8093)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-05-17 18:18:29 +08:00
lifubang 2992049dc3 update/add some tests for rlimit
issues:
https://github.com/opencontainers/runc/issues/4195
https://github.com/opencontainers/runc/pull/4265#discussion_r1588599809

Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit 4ea0bf88fd)
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-05-17 18:18:29 +08:00
ls-ggg d7a29a3b33 libct: clean cached rlimit nofile in go runtime
As reported in issue #4195, the new version(since 1.19) of go runtime
will cache rlimit-nofile. Before executing execve, the rlimit-nofile
of the process will be restored with the cache. In runc, this will
cause the rlimit-nofile set by the parent process for the container
to become invalid. It can be solved by clearing the cache.

Signed-off-by: ls-ggg <335814617@qq.com>
(cherry picked from commit f9f8abf310)
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit da68c8e37b)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-05-17 18:18:29 +08:00
lfbzhm 42c2ab2b7c use go 1.18 in go.mod
The complete generic features are supported since go 1.18

Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-05-17 18:18:23 +08:00
lifubang 83ecd11c29 runc exec: setupRlimits after syscall.rlimit.init() completed
Issue: https://github.com/opencontainers/runc/issues/4195
Since https://go-review.googlesource.com/c/go/+/476097, there is
a get/set race between runc exec and syscall.rlimit.init, so we
need to call setupRlimits after syscall.rlimit.init() completed.

Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit a853a82677)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-05-16 21:48:34 +08:00
Kir Kolyshkin fbddb715ed libct: fix a comment
Do not refer to the function which was removed.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit bac506463d)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-05-16 21:48:34 +08:00
Kir Kolyshkin debf52aa5b deprecate libct.system.Execv
This is not used since commit dac41717.
It will be removed in v1.2.0

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit dbd0c3349f)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-05-16 21:47:26 +08:00
Kir Kolyshkin 986edbe60f list: use Info(), fix race with delete
Since commit 551629417 we can (and should) use Info() to get access to
file stat. Do this.

While going over directory entries, a parallel runc delete can remove
an entry, and with the current code it results in a fatal error (which
was not observed in practice, but looks quite possible). To fix,
add a special case to continue on ErrNotExist.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 1a3ee4966c)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-05-10 11:22:11 -07:00
Kir Kolyshkin 09214f21da list: getContainers: less indentation
Instead of a huge if {} block, use continue.

Best reviewed with --ignore-all-space.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 095929b15e)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-05-10 11:22:11 -07:00
Akihiro Suda 007abf31f8 Merge pull request #4270 from akhilerm/backport-1.1-4269
[1.1] allow overriding VERSION value in Makefile
2024-05-08 07:22:52 +09:00
Akhil Mohan 6f4d975c40 allow overriding VERSION value in Makefile
this allows using a custom version string while building runc
without modifying the VERSION file

Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
(cherry picked from commit 9d9273c926)
Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
2024-05-06 22:18:04 +05:30
Mrunal Patel e8bb71e147 Merge pull request #4257 from sohankunkerkar/release-1.1
[1.1] libcontainer: force apps to think fips is enabled/disabled for testing
2024-04-26 10:31:35 -07:00
lfbzhm 6379b58d97 libcontainer: force apps to think fips is enabled/disabled for testing
The motivation behind this change is to provide a flexible mechanism for
containers within a Kubernetes cluster to opt out of FIPS mode when necessary.
This change enables apps to simulate FIPS mode being enabled or disabled for testing
purposes. Users can control whether apps believe FIPS mode is on or off by manipulating
`/proc/sys/crypto/fips_enabled`.

Signed-off-by: Sohan Kunkerkar <sohank2602@gmail.com>
2024-04-26 11:23:49 -04:00
lfbzhm 5bfff6ae24 Merge pull request #4261 from kolyshkin/1.1-4256
[1.1] Vagrantfile.fedora: bump Fedora to 39
2024-04-26 20:50:23 +08:00
Kir Kolyshkin 265e737180 Vagrantfile.fedora: bump Fedora to 39
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 8732eada62)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-25 18:23:24 -07:00
Kir Kolyshkin b0691cafe3 Merge pull request #4244 from kycheng/chore/net-cve
[1.1] chore: silencing security false positives caused by golang.org/x/net
2024-04-16 17:26:56 -07:00
kychen 59056a0213 silence security false positives from golang/net
golang.org/x/net:v0.8.0 will introduce some security false positives:

- https://avd.aquasec.com/nvd/cve-2023-4448
- https://avd.aquasec.com/nvd/cve-2023-3978
- https://avd.aquasec.com/nvd/cve-2023-39325

Signed-off-by: kychen <kychen@alauda.io>
2024-04-10 15:28:12 +08:00
Kir Kolyshkin 148fdabd70 Merge pull request #4241 from kolyshkin/1.1.13-ci-fixes
[1.1] CI fixes and misc backports
2024-04-02 21:53:18 -07:00
Aleksa Sarai 452bf88ebf build: update libseccomp to v2.5.5
This adds support for syscalls up to Linux 6.7-rc3.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit cdccf6d615)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-02 14:15:48 -07:00
Kir Kolyshkin 3fada6eca4 tests/int: fix flaky "runc run with tmpfs perm"
Apparently, sometimes a short-lived "runc run" produces result with \r
and sometimes without. As a result, we have an occasional failure of
"runc run with tmpfs perms" test.

The solution (to the flaky test) is to use the first line of the output
(like many other tests do).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 6d27922005)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-02 14:14:24 -07:00
TTFISH aae41a4b79 Fix integration tests failure when calling "ip"
Signed-off-by: TTFISH <jiongchiyu@gmail.com>
(cherry picked from commit eb55472ee1)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-02 14:13:03 -07:00
lfbzhm 82a8b979ef update go version to 1.21 in cirrus ci
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
(cherry picked from commit a596a05510)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-02 14:12:20 -07:00
Kir Kolyshkin 03271050eb ci/gha/cross-i386: pin Go to 1.21
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-02 14:12:14 -07:00
Aleksa Sarai a9833ff391 Merge pull request from GHSA-xr7r-f8xq-vfvv
runc: release 1.1.12
2024-02-01 07:04:29 +11:00
Aleksa Sarai 29d6d87345 VERSION: back to development
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-01-24 00:12:54 +11:00
Aleksa Sarai 51d5e94601 VERSION: release 1.1.12
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
v1.1.12
2024-01-24 00:12:48 +11:00
Aleksa Sarai 2a4ed3e75b merge 1.1-ghsa-xr7r-f8xq-vfvv into release-1.1
This is a security fix for CVE-2024-21626. See the advisory[1] for more
details.

Aleksa Sarai (6):
  init: don't special-case logrus fds
  libcontainer: mark all non-stdio fds O_CLOEXEC before spawning init
  cgroup: plug leaks of /sys/fs/cgroup handle
  init: close internal fds before execve
  setns init: do explicit lookup of execve argument early
  init: verify after chdir that cwd is inside the container

Hang Jiang (1):
  Fix File to Close

[1]: https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv

Fixes: GHSA-xr7r-f8xq-vfvv CVE-2024-21626
LGTMs: cyphar AkihiroSuda kolyshkin lifubang
2024-01-24 00:11:59 +11:00
Aleksa Sarai e9665f4d60 init: don't special-case logrus fds
We close the logfd before execve so there's no need to special case it.
In addition, it turns out that (*os.File).Fd() doesn't handle the case
where the file was closed and so it seems suspect to use that kind of
check.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-01-24 00:10:59 +11:00
Aleksa Sarai 683ad2ff3b libcontainer: mark all non-stdio fds O_CLOEXEC before spawning init
Given the core issue in GHSA-xr7r-f8xq-vfvv was that we were unknowingly
leaking file descriptors to "runc init", it seems prudent to make sure
we proactively prevent this in the future. The solution is to simply
mark all non-stdio file descriptors as O_CLOEXEC before we spawn "runc
init".

For libcontainer library users, this could result in unrelated files
being marked as O_CLOEXEC -- however (for the same reason we are doing
this for runc), for security reasons those files should've been marked
as O_CLOEXEC anyway.

Fixes: GHSA-xr7r-f8xq-vfvv CVE-2024-21626
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-01-24 00:10:59 +11:00
Aleksa Sarai b6633f48a8 cgroup: plug leaks of /sys/fs/cgroup handle
We auto-close this file descriptor in the final exec step, but it's
probably a good idea to not possibly leak the file descriptor to "runc
init" (we've had issues like this in the past) especially since it is a
directory handle from the host mount namespace.

In practice, on runc 1.1 this does leak to "runc init" but on main the
handle has a low enough file descriptor that it gets clobbered by the
ForkExec of "runc init".

OPEN_TREE_CLONE would let us protect this handle even further, but the
performance impact of creating an anonymous mount namespace is probably
not worth it.

Also, switch to using an *os.File for the handle so if it goes out of
scope during setup (i.e. an error occurs during setup) it will get
cleaned up by the GC.

Fixes: GHSA-xr7r-f8xq-vfvv CVE-2024-21626
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-01-24 00:10:58 +11:00
Aleksa Sarai 284ba3057e init: close internal fds before execve
If we leak a file descriptor referencing the host filesystem, an
attacker could use a /proc/self/fd magic-link as the source for execve
to execute a host binary in the container. This would allow the binary
itself (or a process inside the container in the 'runc exec' case) to
write to a host binary, leading to a container escape.

The simple solution is to make sure we close all file descriptors
immediately before the execve(2) step. Doing this earlier can lead to very
serious issues in Go (as file descriptors can be reused, any (*os.File)
reference could start silently operating on a different file) so we have
to do it as late as possible.

Unfortunately, there are some Go runtime file descriptors that we must
not close (otherwise the Go scheduler panics randomly). The only way of
being sure which file descriptors cannot be closed is to sneakily
go:linkname the runtime internal "internal/poll.IsPollDescriptor"
function. This is almost certainly not recommended but there isn't any
other way to be absolutely sure, while also closing any other possible
files.

In addition, we can keep the logrus forwarding logfd open because you
cannot execve a pipe and the contents of the pipe are so restricted
(JSON-encoded in a format we pick) that it seems unlikely you could even
construct shellcode. Closing the logfd causes issues if there is an
error returned from execve.

In mainline runc, runc-dmz protects us against this attack because the
intermediate execve(2) closes all of the O_CLOEXEC internal runc file
descriptors and thus runc-dmz cannot access them to attack the host.

Fixes: GHSA-xr7r-f8xq-vfvv CVE-2024-21626
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-01-24 00:10:58 +11:00
Aleksa Sarai fbe3eed1e5 setns init: do explicit lookup of execve argument early
(This is a partial backport of a minor change included in commit
dac41717465462b21fab5b5942fe4cb3f47d7e53.)

This mirrors the logic in standard_init_linux.go, and also ensures that
we do not call exec.LookPath in the final execve step.

While this is okay for regular binaries, it seems exec.LookPath calls
os.Getenv which tries to emit a log entry to the test harness when
running in "go test" mode. In a future patch (in order to fix
CVE-2024-21626), we will close all of the file descriptors immediately
before execve, which would mean the file descriptor for test harness
logging would be closed at execve time. So, moving exec.LookPath earlier
is necessary.

Ref: dac4171746 ("runc-dmz: reduce memfd binary cloning cost with small C binary")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-01-24 00:10:57 +11:00
Aleksa Sarai 0994249a5e init: verify after chdir that cwd is inside the container
If a file descriptor of a directory in the host's mount namespace is
leaked to runc init, a malicious config.json could use /proc/self/fd/...
as a working directory to allow for host filesystem access after the
container runs. This can also be exploited by a container process if it
knows that an administrator will use "runc exec --cwd" and the target
--cwd (the attacker can change that cwd to be a symlink pointing to
/proc/self/fd/... and wait for the process to exec and then snoop on
/proc/$pid/cwd to get access to the host). The former issue can lead to
a critical vulnerability in Docker and Kubernetes, while the latter is a
container breakout.

We can (ab)use the fact that getcwd(2) on Linux detects this exact case,
and getcwd(3) and Go's Getwd() return an error as a result. Thus, if we
just do os.Getwd() after chdir we can easily detect this case and error
out.

In runc 1.1, a /sys/fs/cgroup handle happens to be leaked to "runc
init", making this exploitable. On runc main it just so happens that the
leaked /sys/fs/cgroup gets clobbered and thus this is only consistently
exploitable for runc 1.1.

Fixes: GHSA-xr7r-f8xq-vfvv CVE-2024-21626
Co-developed-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
[refactored the implementation and added more comments]
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-01-24 00:10:57 +11:00
hang.jiang 506552a88b Fix File to Close
(This is a cherry-pick of 937ca107c3d22da77eb8e8030f2342253b980980.)

Signed-off-by: hang.jiang <hang.jiang@daocloud.io>
Fixes: GHSA-xr7r-f8xq-vfvv CVE-2024-21626
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-01-24 00:10:57 +11:00
Aleksa Sarai 099ff69336 merge #4177 into opencontainers/runc:release-1.1
Aleksa Sarai (2):
  keyring: update AkihiroSuda key expiry
  keyring: update cyphar@cyphar.com key expiry

LGTMs: AkihiroSuda lifubang
2024-01-24 00:10:21 +11:00
Aleksa Sarai d0b1a37440 keyring: update AkihiroSuda key expiry
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-01-22 17:35:00 +11:00
Aleksa Sarai d561e5da87 keyring: update cyphar@cyphar.com key expiry
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-01-22 17:35:00 +11:00
Aleksa Sarai 452f520c10 merge #4160 into opencontainers/runc:release-1.1
lfbzhm (2):
  VERSION: back to development
  VERSION: release 1.1.11

LGTMs: AkihiroSuda cyphar
2024-01-02 13:35:25 +11:00
lfbzhm 7887736f33 VERSION: back to development
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-01-02 13:34:17 +11:00
lfbzhm 4bccb38cc9 VERSION: release 1.1.11
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
v1.1.11
2024-01-02 13:34:16 +11:00
lfbzhm 930fde5144 Merge pull request #4144 from cyphar/1.1-ns-path-handling
[1.1] *: fix several issues with userns path handling
2023-12-16 08:44:29 +08:00