Commit Graph

7125 Commits

Author SHA1 Message Date
Akihiro Suda daaed349e3 Merge pull request #4409 from akhilerm/update-actions
ci: update to setup bats action from bats-core
2024-09-24 17:53:30 +09:00
lifubang 10c951e335 add ErrCgroupNotExist
For some rootless container, runc has no access to cgroup,
But the container is still running. So we should return the
`ErrNotRunning` and `ErrCgroupNotExist` error seperatlly.

Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-09-23 23:27:35 +00:00
Akihiro Suda 5ff9d16e96 Merge pull request #4407 from rata/rata/min-1.22.4
go.mod: Force 1.22.4 as min go version
2024-09-23 21:51:51 +09:00
Rodrigo Campos 319e133c3c go.mod: Use toolchain 1.22.4
Go since 1.21 allows to set a "toolchain" that specifies the minimum Go
toolchain to use when working in runc. In contrast to the go line,
toolchain does not impose a requirement on other modules[1][2].

As documented in the 1.2.0-rc.1 release notes, 1.22.4 is needed for the
nsenter package. Let's suggest this with the toolchain version.

[1]: https://go.dev/doc/toolchain
[2]: https://go.dev/blog/toolchain

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-09-23 11:47:01 +02:00
Akhil Mohan 8671a7dba9 ci: update to setup bats action from bats-core
mig4/setup-bats is now unmaintained(last commit in Sep 2021).
bats-core/bats-action can be used as a replacement maintained
by the bats-core team.

Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
2024-09-22 23:00:59 +05:30
Kir Kolyshkin 30f8f51eab runc create/run: warn on rootless + shared pidns + no cgroup
Shared pid namespace means `runc kill` (or `runc delete -f`) have to
kill all container processes, not just init. To do so, it needs a cgroup
to read the PIDs from.

If there is no cgroup, processes will be leaked, and so such
configuration is bad and should not be allowed. To keep backward
compatibility, though, let's merely warn about this for now.

Alas, the only way to know if cgroup access is available is by returning
an error from Manager.Apply. Amend fs cgroup managers to do so (systemd
doesn't need it, since v1 can't work with rootless, and cgroup v2 does
not have a special rootless case).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-09-17 22:49:37 -07:00
Kir Kolyshkin 21c6116557 tests/int: log when teardown starts
This aids in failed test analysis by allowing to distinguish the output
of various commands being run as part of the test case from the output
of teardown command like runc delete.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-09-17 22:49:37 -07:00
Kir Kolyshkin b1449fd510 libct: use Namespaces.IsPrivate more
In these cases, this is exactly what we want to find out.

Slightly improves performance and readability.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-09-17 22:49:29 -07:00
Kir Kolyshkin 15904913c2 Merge pull request #4397 from rafaelroquetto/main
Upgrade Cilium's eBPF library version to 0.16
2024-09-13 18:22:49 -07:00
Kir Kolyshkin d5ee7a5549 Merge pull request #4400 from cyphar/mkdirall-suidsgid-bits
utils: mkdirall: fix handling of suid/sgid bits
2024-09-13 18:20:18 -07:00
Aleksa Sarai d8844e2939 tests: integration: add setgid mkdirall test
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-13 23:34:33 +10:00
Aleksa Sarai 066b109e99 vendor: update to github.com/cyphar/filepath-securejoin@v0.3.2
This includes a fix for the handling of S_ISGID directories.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-13 23:34:33 +10:00
Aleksa Sarai 646efe70b1 utils: mkdirall: mask silently ignored mode bits to match os.MkdirAll
It turns out that the suid and sgid mode bits are silently ignored by
Linux (though the sticky bit is honoured), and some users are requesting
mode bits that are ignored. While returning an error (as securejoin
does) makes some sense, this is a regression.

Ref: https://github.com/cyphar/filepath-securejoin/issues/23
Fixes: dd827f7b71 ("utils: switch to securejoin.MkdirAllHandle")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-13 23:34:33 +10:00
Aleksa Sarai 457e1ffa4c tests: add regression test for CVE-2019-19921 / CVE-2023-27561
We reintroduced this once already because it is quite easy to miss this
subtle aspect of proc mounting. The recent migration to
securejoin.MkdirAllInRoot could have also inadvertently reintroduced
this (though it didn't).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-13 17:57:42 +10:00
Rafael Roquetto 216175a9ca Upgrade Cilium's eBPF library version to 0.16
Signed-off-by: Rafael Roquetto <rafael.roquetto@grafana.com>
2024-09-12 11:13:21 -06:00
Akihiro Suda 7c2e69f1c4 Merge pull request #4399 from kolyshkin/endian
libct/seccomp/patchbpf: use binary.NativeEndian
2024-09-13 01:53:07 +09:00
Kir Kolyshkin a31efe7045 libct/seccomp/patchbpf: use binary.NativeEndian
It is available since Go 1.21 and is defined during compile time
(i.e. based on GOARCH during build).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-09-11 22:06:58 -07:00
Akihiro Suda e8e8c029c7 Merge pull request #4393 from cyphar/mkdirall-inroot-securejoin
utils: switch to securejoin.MkdirAllHandle
2024-09-12 14:04:36 +09:00
Kir Kolyshkin f9f5764175 Merge pull request #4395 from AkihiroSuda/fix-4394
libct: Signal: honor RootlessCgroups
2024-09-11 16:45:29 -07:00
Akihiro Suda 429e06a518 libct: Signal: honor RootlessCgroups
`signalAllProcesses()` depends on the cgroup and is expected to fail
when runc is running in rootless without an access to the cgroup.

When `RootlessCgroups` is set to `true`, runc just ignores the error
from `signalAllProcesses` and may leak some processes running.
(See the comments in PR 4395)
In the future, runc should walk the process tree to avoid such a leak.

Note that `RootlessCgroups` is a misnomer; it is set to `false` despite
the name when cgroup v2 delegation is configured.
This is expected to be renamed in a separate commit.

Fix issue 4394

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-09-11 03:54:52 +09:00
Aleksa Sarai dd827f7b71 utils: switch to securejoin.MkdirAllHandle
filepath-securejoin has a bunch of extra hardening features and is very
well-tested, so we should use it instead of our own homebrew solution.

A lot of rootfs_linux.go callers pass a SecureJoin'd path, which means
we need to keep the wrapper helpers in utils, but at least the core
logic is no longer in runc. In future we will want to remove this dodgy
logic and just use file handles for everything (using libpathrs,
ideally).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-03 23:06:47 +10:00
Aleksa Sarai 1d308c7da4 vendor: update to github.com/cyphar/filepath-securejoin@v0.3.1
This includes the MkdirAll and OpenInRoot implementations which are
actually secure against races.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-03 23:05:59 +10:00
Aleksa Sarai 5ab5ef3dc3 deps: update to golang.org/x/sys@v0.22
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-03 23:03:39 +10:00
Aleksa Sarai 961b8031f6 VERSION: back to development
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-03 11:33:06 +10:00
lifubang 45471bc945 VERSION: release v1.2.0-rc.3
Signed-off-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
v1.2.0-rc.3
2024-09-03 11:29:51 +10:00
Aleksa Sarai 6c24b2e83e changelog: update to include 1.1.14 notes
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-03 11:29:21 +10:00
Aleksa Sarai 9e9fdd815a Merge commit from fork
rootfs: try to scope MkdirAll to stay inside the rootfs
2024-09-03 10:55:23 +10:00
Aleksa Sarai 63c2908164 rootfs: try to scope MkdirAll to stay inside the rootfs
While we use SecureJoin to try to make all of our target paths inside
the container safe, SecureJoin is not safe against an attacker than can
change the path after we "resolve" it.

os.MkdirAll can inadvertently follow symlinks and thus an attacker could
end up tricking runc into creating empty directories on the host (note
that the container doesn't get access to these directories, and the host
just sees empty directories). However, this could potentially cause DoS
issues by (for instance) creating a directory in a conf.d directory for
a daemon that doesn't handle subdirectories properly.

In addition, the handling for creating file bind-mounts did a plain
open(O_CREAT) on the SecureJoin'd path, which is even more obviously
unsafe (luckily we didn't use O_TRUNC, or this bug could've allowed an
attacker to cause data loss...). Regardless of the symlink issue,
opening an untrusted file could result in a DoS if the file is a hung
tty or some other "nasty" file. We can use mknodat to safely create a
regular file without opening anything anyway (O_CREAT|O_EXCL would also
work but it makes the logic a bit more complicated, and we don't want to
open the file for any particular reason anyway).

libpathrs[1] is the long-term solution for these kinds of problems, but
for now we can patch this particular issue by creating a more restricted
MkdirAll that refuses to resolve symlinks and does the creation using
file descriptors. This is loosely based on a more secure version that
filepath-securejoin now has[2] and will be added to libpathrs soon[3].

[1]: https://github.com/openSUSE/libpathrs
[2]: https://github.com/cyphar/filepath-securejoin/releases/tag/v0.3.0
[3]: https://github.com/openSUSE/libpathrs/issues/10

Fixes: CVE-2024-45310
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-03 02:34:13 +10:00
Akihiro Suda 346b818dad Merge pull request #4380 from rata/makefile-no-envs
Makefile: Don't read COMMIT, BUILDTAGS, EXTRA_BUILDTAGS from env vars
2024-08-24 23:46:59 +09:00
Rodrigo Campos 767bc0089c Makefile: Don't read COMMIT, BUILDTAG, EXTRA_BUILDTAGS from env vars
We recently switched VERSION to be read from env vars (#4270). This
broke several projects, as they were building runc and using a `VERSION`
env var for, e.g. the containerd version.

When fixing that in #4370, we discussed to consider doing the same for
these variables too
(https://github.com/opencontainers/runc/pull/4370#pullrequestreview-2240030944).

Let's stop reading them from env vars, as it is very easy to do it by
mistake (e.g. compile runc and define a COMMIT env var, not to override
the commit shown in `runc --version`) and users that want can still
override them if they want to. For example, with:

	make EXTRA_BUILDTAGS=runc_nodmz

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-08-24 14:50:45 +02:00
Akihiro Suda a41b62a5e1 Merge pull request #4376 from kolyshkin/simplify-branch-protection
ci/gha: add all-done jobs
2024-08-22 10:59:47 +09:00
Kir Kolyshkin 2cd24a4dae ci/gha: add all-done jobs
The sole reason is to simplify branch protection rules,
requiring just these to be passed.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-08-21 17:00:59 -07:00
Rodrigo Campos 41831e7635 Merge pull request #4377 from AkihiroSuda/distro-should-not-install-recvtty-etc
mv contrib/cmd tests/cmd (except memfd-bind)
2024-08-21 11:38:48 +02:00
Kir Kolyshkin 376e875fdd Merge pull request #4370 from rata/main
Revert "allow overriding VERSION value in Makefile" and add EXTRA_VERSION
2024-08-16 03:30:13 -07:00
Rodrigo Campos cc2078ccdd Makefile: Add EXTRA_VERSION
Add this new make variable so users can specify build information
without modifying the runc version nor the source code.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-08-15 18:06:03 +02:00
Akihiro Suda f76489f0af mv contrib/cmd tests/cmd (except memfd-bind)
The following commands are moved from `contrib/cmd` to `tests/cmd`:
- fs-idmap
- pidfd-kill
- recvtty
- remap-rootfs
- sd-helper
- seccompagent

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-08-16 00:55:48 +09:00
Rodrigo Campos f4cc3d8313 Revert "allow overriding VERSION value in Makefile"
This reverts commit 9d9273c926.

This commit broke the build for several other projects (see comments
here: https://github.com/opencontainers/runc/pull/4270, after the merge)
and we don't really need this to be able to set the version without
changing the file.

With this commit reverted, we can still run:

	make VERSION="1.2.3"

and it just works. It doesn't take it from an env variable, but that is
what broke all the other projects (VERSION is just too generic as an env
var, especially for a project like runc that is embedded in many
others).

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-08-15 11:09:14 +02:00
lfbzhm 0377d50458 Merge pull request #4360 from kolyshkin/go123
Add Go 1.23, drop 1.21
2024-08-15 12:02:04 +08:00
Kir Kolyshkin 606257c6e1 Bump golangci-lint to v1.60, fix new warnings
The warnings fixed were:

libcontainer/configs/config_test.go:205:12: printf: non-constant format string in call to (*testing.common).Errorf (govet)
		t.Errorf(fmt.Sprintf("Expected error to not occur but it was %+v", err))
		         ^
libcontainer/cgroups/fs/blkio_test.go:481:13: printf: non-constant format string in call to (*testing.common).Errorf (govet)
			t.Errorf(fmt.Sprintf("test case '%s' failed unexpectedly: %s", testCase.desc, err))
			         ^
libcontainer/cgroups/fs/blkio_test.go:595:13: printf: non-constant format string in call to (*testing.common).Errorf (govet)
			t.Errorf(fmt.Sprintf("test case '%s' failed unexpectedly: %s", testCase.desc, err))
			         ^

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-08-14 20:39:15 +08:00
Kir Kolyshkin adedeb993a ci/gha: add Go 1.23, drop 1.21
- drop Go 1.21;
- add Go 1.23;
- for a few jobs that were using Go 1.21, switch to 1.22;

Also, bump go to 1.22 in go.mod.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-08-14 20:39:15 +08:00
Rodrigo Campos 2ee5564b58 Merge pull request #4378 from lifubang/fix-ci-curlL
[CI] ensure we can download the specific version's go
2024-08-14 14:05:11 +02:00
lifubang be539412b8 ensure we can download the specific version's go
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-08-14 18:40:49 +08:00
Rodrigo Campos 94eda74ab4 Merge pull request #4374 from kolyshkin/cpu-burst
Fix cpu burst test failure on newer kernels
2024-08-14 12:28:44 +02:00
Akihiro Suda e531ebbca8 Merge pull request #4371 from kolyshkin/simplify
libct/int/seccomp_test: simplify exit code checks
2024-08-14 12:28:08 +09:00
Kir Kolyshkin a7c8d86fc1 tests/int: fix "cpu burst" failure on new kernels
A kernel bug which resulted in cpu.max.burst value read which is 1000
times smaller than it should be has recently been fixed (see [1]).

Adapt the test so it works with either broken or fixed kernel.

[1]: https://lore.kernel.org/all/20240424132438.514720-1-serein.chengyu@huawei.com/

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-08-13 17:54:23 -07:00
Kir Kolyshkin b437ed3063 tests/int: check_{systemd,cgroup}_value: better log
1. Rename current -> got, expected -> want.
2. check_cgroup_value: add file name to output.
3. Improve functions description.

This is mostly to simplify debugging test failures.
Example output before:

	current 500000 !? 500

After:

	cpu.max.burst: got 500000, want 500

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-08-13 17:44:31 -07:00
Kir Kolyshkin 2c398bb41d libct/int/seccomp_test: simplify exit code checks
In all the three cases, we check that the program returned non-zero exit
code. This can be done in a much simpler manner.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-08-10 14:46:43 -07:00
Akihiro Suda 6602681d52 Merge pull request #4369 from TheSiman/patch-1
Fix link to gvariant documentation in systemd docs.
2024-08-09 17:02:44 +10:00
ver4a 171304c8a3 docs/systemd: fix a broken link
Documentation was moved from https://docs.gtk.org/glib/gvariant-text.html to https://docs.gtk.org/glib/gvariant-text-format.html.

Signed-off-by: ver4a <verca@uncontrol.me>
2024-08-07 00:27:57 +02:00
Rodrigo Campos ad5b481dac Merge pull request #4344 from kolyshkin/nilness
ci bumps
2024-08-01 16:00:32 +02:00