Commit Graph

6376 Commits

Author SHA1 Message Date
Akihiro Suda 2b221a6ab7 Merge pull request #3787 from kolyshkin/rec-fixup
mountToRootfs: minor refactor
2023-03-28 12:53:38 +09:00
Kir Kolyshkin 8293ef2e74 tests/int: test for CAP_DAC_OVERRIDE
This is a test case for issue reported as #3715. In short, even if a
(non-root) user that the container is run as does not have execute
permission bit set for the executable, it should still work in case runc
has the CAP_DAC_OVERRIDE capability set.

Note that since the upstream golang is also broken (see [1]), this test
will fail for Go 1.20 and 1.20.1 (fix is in Go 1.20.2 as per [2]).

[1] https://go.dev/issue/58552
[2] https://go-review.googlesource.com/c/go/+/469956

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-27 15:16:15 -07:00
Kir Kolyshkin 8491d33482 Fix runc run "permission denied" when rootless
Since commit 957d97bcf4 was made to fix issue [7],
a few things happened:

- a similar functionality appeared in go 1.20 [1], so the issue
  mentioned in the comment (being removed) is no longer true;
- a bug in runc was found [2], which also affects go [3];
- the bug was fixed in go 1.21 [4] and 1.20.2 [5];
- a similar fix was made to x/sys/unix.Faccessat [6].

The essense of [2] is, even if a (non-root) user that the container is
run as does not have execute permission bit set for the executable, it
should still work in case runc has the CAP_DAC_OVERRIDE capability set.

To fix this [2] without reintroducing the older bug [7]:
- drop own Eaccess implementation;
- use the one from x/sys/unix for Go 1.19 (depends on [6]);
- do not use anything when Go 1.20+ is used.

NOTE it is virtually impossible to fix the bug [2] when Go 1.20 or Go
1.20.1 is used because of [3].

A test case is added by a separate commit.

Fixes: #3715.

[1] https://go-review.googlesource.com/c/go/+/414824
[2] https://github.com/opencontainers/runc/issues/3715
[3] https://go.dev/issue/58552
[4] https://go-review.googlesource.com/c/go/+/468735
[5] https://go-review.googlesource.com/c/go/+/469956
[6] https://go-review.googlesource.com/c/sys/+/468877
[7] https://github.com/opencontainers/runc/issues/3520

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-27 15:15:48 -07:00
Kir Kolyshkin 99a337f66d Dockefile: bump go go 1.20
Go 1.20.2 has an important fix to an issue described in [1].

Switch from using Go 1.19 from Dockerfile, which is used for release
binaries and some CI.

[1] https://github.com/golang/go/issues/58624

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-27 15:13:43 -07:00
Kir Kolyshkin 3e3db2883b Merge pull request #3778 from kolyshkin/skip-flaky-ce7
libct/cg/dev: skip flaky test of CentOS 7
2023-03-27 13:39:36 -07:00
Kir Kolyshkin da98076c97 mountToRootfs: minor refactor
The setRecAttr is only called for "bind" case, as cases end with a
return statement. Indeed, recursive mount attributes only make sense for
bind mounts.

Move the code to under case "bind" to improve readability. No change in
logic.

Fixes: 382eba4354
Reported-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-27 12:47:05 -07:00
Peter Hunt~ 54e20217a8 libctr/cgroups: don't take init's cgroup into account
Sometimes, the init process is not in the root cgroup.
This can be noted by GetInitPath, which already scrubs the path of `init.scope`.

This was encountered when trying to patch the Kubelet to handle systemd being in a separate cpuset
from root (to allow load balance disabling for containers). At present, there's no way to have libcontainer or runc
manage cgroups in a hierarchy outside of the one init is in (unless the path contains `init.scope`, which is limiting)

Signed-off-by: Peter Hunt <pehunt@redhat.com>
2023-03-27 13:16:46 -04:00
Akihiro Suda da5047c5d8 Merge pull request #3781 from yanggangtony/fix-typo
fix wrong notes for `const MaxNameLen`
2023-03-26 07:02:40 +09:00
Akihiro Suda 948ef27c7a Merge pull request #3773 from kolyshkin/no-symlinks
Prohibit /proc and /sys to be symlinks
2023-03-25 22:58:27 +09:00
Kir Kolyshkin a7a836effa libct/cg/dev: skip flaky test of CentOS 7
There is some kind of a race in CentOS 7 which sometimes result in one
of these tests failing like this:

    systemd_test.go:136: mkdir /sys/fs/cgroup/hugetlb/system.slice/system-runc_test_pods.slice: no such file or directory

or

    systemd_test.go:187: open /sys/fs/cgroup/cpuset/system.slice/system-runc_test_pods.slice/cpuset.mems: no such file or directory

As this is only happening on CentOS 7, let's skip this test on this
platform.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-22 20:01:39 -07:00
yanggang 65df6b91b9 fix wrong notes for const MaxNameLen
Signed-off-by: yanggang <gang.yang@daocloud.io>
2023-03-23 10:31:15 +08:00
TTFISH 9d45ae8d34 tests: Fix fuzzer location in oss-fuzz config
Signed-off-by: TTFISH <jiongchiyu@gmail.com>
2023-03-23 03:21:17 +08:00
Akihiro Suda efad7a3b80 Merge pull request #3735 from kolyshkin/int-fix-flake
libct/int: make TestFdLeaks more robust
2023-03-21 06:15:43 +09:00
Kir Kolyshkin e67dc399ba Merge pull request #3739 from AkihiroSuda/fix-acl
specconv: avoid mapping "acl" to MS_POSIXACL
2023-03-20 14:15:15 -07:00
Akihiro Suda f08b4a9c43 Merge pull request #3775 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.30.0
build(deps): bump google.golang.org/protobuf from 1.29.1 to 1.30.0
2023-03-18 19:15:44 +09:00
Kir Kolyshkin 0d72adf96d Prohibit /proc and /sys to be symlinks
Commit 3291d66b98 introduced a check for /proc and /sys, making sure
the destination (dest) is a directory (and not e.g. a symlink).

Later, a hunk from commit 0ca91f44f switched from using filepath.Join
to SecureJoin for dest. As SecureJoin follows and resolves symlinks,
the check whether dest is a symlink no longer works.

To fix, do the check without/before using SecureJoin.

Add integration tests to make sure we won't regress.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-17 11:03:44 -07:00
Kir Kolyshkin c6624e66b2 Merge pull request #3772 from kolyshkin/retry-unshare
nsexec: retry unshare on EINVAL
2023-03-17 09:54:14 -07:00
dependabot[bot] 8f0d0c4dc8 build(deps): bump google.golang.org/protobuf from 1.29.1 to 1.30.0
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.29.1 to 1.30.0.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.29.1...v1.30.0)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-17 05:00:52 +00:00
Kir Kolyshkin cecb039d24 nsexec: retry unshare on EINVAL
Older kernels may return EINVAL on unshare when a process is reading
runc's /proc/$PID/status or /proc/$PID/maps. This was fixed by kernel
commit 12c641ab8270f ("unshare: Unsharing a thread does not require
unsharing a vm") in Linuxt  v4.3.

For CentOS 7, the fix was backported to CentOS 7.7 (kernel 3.10.0-1062).

To work around this kernel bug, let's retry on EINVAL a few times.

Reported-by: zzyyzte <zhang.yu58@zte.com.cn>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-16 10:45:02 -07:00
Kir Kolyshkin 206008ab9c Merge pull request #3767 from AkihiroSuda/fix-issue-template-config
.github/ISSUE_TEMPLATE/config.yml: fix contact links
2023-03-16 10:41:23 -07:00
Kir Kolyshkin 784f583884 Merge pull request #3771 from opencontainers/dependabot/github_actions/actions/setup-go-4
build(deps): bump actions/setup-go from 3 to 4
2023-03-16 10:35:09 -07:00
dependabot[bot] e3cf217cf1 build(deps): bump actions/setup-go from 3 to 4
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3 to 4.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-16 05:11:04 +00:00
Akihiro Suda b3a68fe77b Merge pull request #3769 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.29.1
build(deps): bump google.golang.org/protobuf from 1.29.0 to 1.29.1
2023-03-16 09:40:59 +09:00
dependabot[bot] a7046b8387 build(deps): bump google.golang.org/protobuf from 1.29.0 to 1.29.1
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.29.0 to 1.29.1.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.29.0...v1.29.1)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-15 05:10:21 +00:00
Akihiro Suda df4eae457b rootless: fix /sys/fs/cgroup mounts
It was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons:

1. when runc is executed inside the user namespace, and the config.json does not specify the cgroup namespace to be unshared
   (e.g.., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl)
2. or, when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro`
   (e.g., `runc spec --rootless`; this condition is very rare)

A container may gain the write access to user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host.
Other users's cgroup hierarchies are not affected.

To fix the issue, this commit does:
1. Remount `/sys/fs/cgroup` to apply `MS_RDONLY` when it is being bind-mounted
2. Mask `/sys/fs/cgroup` when the bind source is unavailable

Fix CVE-2023-25809 (GHSA-m8cg-xc2p-r3fc)

Co-authored-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-03-14 14:16:25 +09:00
Akihiro Suda afeffb7ea8 .github/ISSUE_TEMPLATE/config.yml: fix contact links
`contact_links` without `about` properties are not shown in
https://github.com/opencontainers/runc/issues/new/choose

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-03-10 09:45:41 +09:00
Akihiro Suda d5be3e2605 Merge pull request #3766 from AkihiroSuda/issue-template
Add `.github/ISSUE_TEMPLATE/config.yml`
2023-03-10 09:36:44 +09:00
Kir Kolyshkin 4ec7b90489 Merge pull request #3764 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.29.0
build(deps): bump google.golang.org/protobuf from 1.28.1 to 1.29.0
2023-03-09 14:46:39 -08:00
Akihiro Suda 7d940bdf99 Add .github/ISSUE_TEMPLATE/config.yml
After merging this PR, the "Report a security vulnerability" button
will appear in "New issue" screen.

Demo: https://github.com/containerd/nerdctl/issues

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-03-10 00:03:41 +09:00
dependabot[bot] 6b41f8ed26 build(deps): bump google.golang.org/protobuf from 1.28.1 to 1.29.0
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.28.1 to 1.29.0.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.28.1...v1.29.0)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-09 04:59:44 +00:00
Kir Kolyshkin 6d0261c1ac Merge pull request #3757 from opencontainers/dependabot/go_modules/golang.org/x/net-0.8.0
build(deps): bump golang.org/x/net from 0.7.0 to 0.8.0
2023-03-07 11:00:03 -08:00
dependabot[bot] 6faef164f5 build(deps): bump golang.org/x/net from 0.7.0 to 0.8.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.7.0 to 0.8.0.
- [Release notes](https://github.com/golang/net/releases)
- [Commits](https://github.com/golang/net/compare/v0.7.0...v0.8.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-06 05:03:16 +00:00
Kir Kolyshkin 69225fa919 Merge pull request #3724 from kinvolk/rata/nsexec-fixes
nsexec: Remove bogus kill to stage_2_pid
2023-03-01 15:50:00 -08:00
Kir Kolyshkin 58c192a1be Merge pull request #3661 from Wang-squirrel/dev1
Add support for umask when exec container
2023-02-27 19:33:03 -08:00
Wang-squirrel 7b4c3fc111 Add support for umask when exec container
Signed-off-by: WangXiaoSong <wang.xiaosong1@zte.com.cn>
2023-02-23 10:04:47 +08:00
Kir Kolyshkin f2e71b085d libct/int: make TestFdLeaks more robust
The purpose of this test is to check that there are no extra file
descriptors left open after repeated calls to runContainer. In fact,
the first call to runContainer leaves a few file descriptors opened,
and this is by design.

Previously, this test relied on two things:
1. some other tests were run before it (and thus all such opened-once
   file descriptors are already opened);
2.  explicitly excluding fd opened to /sys/fs/cgroup.

Now, if we run this test separately, it will fail (because of 1 above).
The same may happen if the tests are run in a random order.

To fix this, add a container run before collection the initial fd list,
so those fds that are opened once are included and won't be reported.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-02-22 02:58:47 -08:00
Kir Kolyshkin be7e03940f libct/int: wording nits
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-02-22 02:58:47 -08:00
Kir Kolyshkin 7c75e84e22 libc/int: add/use runContainerOk wrapper
This is to de-duplicate the code that checks that err is nil
and that the exit code is zero.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-02-22 02:58:47 -08:00
Kir Kolyshkin 5a0642d6fd Merge pull request #3728 from AITsygunka/3727-bug-fix
Fix runc crushes when parsing invalid JSON specification file
2023-02-22 02:57:20 -08:00
Akihiro Suda 71f8b2af5c Merge pull request #3734 from kinvolk/rata/nsexec-add-debug-log
nsexec: Add debug logs to send mount sources
2023-02-22 13:19:06 +09:00
Akihiro Suda 7d4fde26f8 Merge pull request #3716 from AkihiroSuda/spec-v1.1.0-rc.1
go:mod: runtime-spec v1.1.0-rc.1; add docs/spec-conformance.md
2023-02-22 09:23:41 +09:00
Andrey Tsygunka 97ea1255ed Fix runc crushes when parsing invalid JSON
Signed-off-by: Andrey Tsygunka <dreamsider@mail.ru>
2023-02-16 15:45:19 +03:00
Kir Kolyshkin 537645fd52 Merge pull request #3747 from opencontainers/dependabot/go_modules/golang.org/x/net-0.7.0
build(deps): bump golang.org/x/net from 0.6.0 to 0.7.0
2023-02-15 17:31:13 -08:00
dependabot[bot] b3b0bde69b build(deps): bump golang.org/x/net from 0.6.0 to 0.7.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.6.0 to 0.7.0.
- [Release notes](https://github.com/golang/net/releases)
- [Commits](https://github.com/golang/net/compare/v0.6.0...v0.7.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-15 04:59:08 +00:00
Akihiro Suda 4e3699c74c Merge pull request #3746 from crazy-max/fix-static-pie
Makefile: fix typo in LDFLAGS_STATIC
2023-02-15 11:35:09 +09:00
CrazyMax 2e44a20280 Makefile: fix typo in LDFLAGS_STATIC
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-02-14 21:27:26 +01:00
Kir Kolyshkin b199fb2e3f Merge pull request #3573 from chuanchang/add_tests_for_capabilities
tests: add tests for capabilities
2023-02-13 17:49:54 -08:00
Akihiro Suda 514ea70993 Merge pull request #3740 from kinvolk/rata/fix-basename-test
tests: Fix weird error on centos-9
2023-02-11 22:52:10 +09:00
Akihiro Suda 92a4ccb84e specconv: avoid mapping "acl" to MS_POSIXACL
From https://github.com/torvalds/linux/commit/caaef1ba8c9ee7a54b53dd8bf4bb7e8658185583 :

> In fact SB_POSIXACL is an internal flag, and accepting MS_POSIXACL on
> the mount(2) interface is possibly a bug.

Fix issue 3738

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-02-11 22:50:41 +09:00
Rodrigo Campos 2adeb6f952 nsexec: Remove bogus kill to stage_2_pid
stage_2_pid is not yet assigned, so this kills the PID -1, but as
the sane_kill() wrapper is just a nop in that case. Just remove these
calls to kill stage_2_pid before it is cloned/assigned.

I've checked by executing the error paths that no binary is left by mistake.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-02-10 16:07:51 +01:00