Commit Graph

6243 Commits

Author SHA1 Message Date
Davanum Srinivas 56fcc9385c Switch to newer v0.10.0 release of libseccomp-golang
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2022-06-10 15:27:30 -04:00
Sebastiaan van Stijn 258eff101c Merge pull request #3498 from cyphar/systemd-devices-nonexistent-files
cgroups: systemd: skip adding device paths that don't exist
2022-06-08 19:03:26 +02:00
dependabot[bot] cc0feb4b6c build(deps): bump actions/cache from 3.0.2 to 3.0.4
Bumps [actions/cache](https://github.com/actions/cache) from 3.0.2 to 3.0.4.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.2...v3.0.4)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-08 04:12:16 +00:00
Sebastiaan van Stijn a7a45d7d27 Merge pull request #3503 from opencontainers/dependabot/go_modules/github.com/moby/sys/mountinfo-0.6.2
build(deps): bump github.com/moby/sys/mountinfo from 0.6.1 to 0.6.2
2022-06-07 09:24:41 +02:00
dependabot[bot] 5ed3fdff8f build(deps): bump github.com/moby/sys/mountinfo from 0.6.1 to 0.6.2
Bumps [github.com/moby/sys/mountinfo](https://github.com/moby/sys) from 0.6.1 to 0.6.2.
- [Release notes](https://github.com/moby/sys/releases)
- [Commits](https://github.com/moby/sys/compare/mountinfo/v0.6.1...mountinfo/v0.6.2)

---
updated-dependencies:
- dependency-name: github.com/moby/sys/mountinfo
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-07 04:14:12 +00:00
Akihiro Suda 2bc61bb01a Merge pull request #3486 from kolyshkin/gha-ci-shellcheck
ci: shellcheck job nits
2022-06-03 00:31:17 +09:00
Aleksa Sarai 343951a22b cgroups: systemd: skip adding device paths that don't exist
systemd emits very loud warnings when the path specified doesn't exist
(which can be the case for some of our default rules). We don't need the
ruleset we give systemd to be completely accurate (we discard some kinds
of wildcard rules anyway) so we can safely skip adding these.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2022-06-02 12:10:57 +10:00
Sebastiaan van Stijn a51ea7c477 Merge pull request #3489 from eriksjolund/relax_sanity_check_in_getenv_int
libcontainer: relax getenv_int sanity check
2022-06-01 21:49:40 +02:00
Kir Kolyshkin bd718784af Merge pull request #3495 from AkihiroSuda/update-cgroup2-distros
docs/cgroup-v2.md: update the distro list
2022-06-01 10:55:00 -07:00
Erik Sjölund 03a210d0f2 libcontainer: relax getenv_int sanity check
Remove upper bound in integer sanity check
to not restrict the number of socket-activated
sockets passed in.

Closes #3488

Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
2022-06-01 13:54:02 +10:00
Akihiro Suda 72ad20994b docs/cgroup-v2.md: update the distro list
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2022-05-27 17:41:24 +09:00
Sebastiaan van Stijn 182d77c1a9 Merge pull request #3491 from kolyshkin/bump-ebpf-0.9.0
vendor: bump cilium/ebpf to v0.9.0
2022-05-27 10:24:26 +02:00
Kir Kolyshkin 1505379ca3 Merge pull request #3482 from kolyshkin/seccomp-sha
script/seccomp.sh: check tarball sha256
2022-05-26 18:26:07 -07:00
Mrunal Patel e1889c4bf2 Merge pull request #3484 from kolyshkin/bump-urfave-cli-nodocs
vendor: bump urfave/cli, add urfave_cli_no_docs tag
2022-05-26 17:59:41 -07:00
Kir Kolyshkin 65f41d57d9 vendor: bump urfave/cli, add urfave_cli_no_docs tag
This removes the runc dependency on cpuguy83/md2man and
russross/blackfriday, which saves more than 400 KB (more than 300 KB
once stripped) from the binary.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-26 13:51:48 -07:00
Kir Kolyshkin e0406b4ba6 vendor: bump cilium/ebpf to v0.9.0
Also, change the deprecated Sym to WithSymbol.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-26 13:35:32 -07:00
Kir Kolyshkin 6b96cbdd59 ci: improve shellcheck job
1. Use env directive instead of adding to $GITHUB_ENV.

2. Use bash herefile to feed sha256sum instead of pipe to grep.

3. Fix the hardcoded checksum (it was missing the first character).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-25 18:57:25 -07:00
Kir Kolyshkin e1d04cdfeb script/seccomp.sh: check tarball sha256
Add checking of downloaded tarball checksum.

In case it doesn't match the hardcoded value, the error is like this:

	libseccomp-2.5.4.tar.gz: FAILED
	sha256sum: WARNING: 1 computed checksum did NOT match

In case the checksum for a particular version is not specified in the
script, the error will look like this:

	./script/seccomp.sh: line 29: SECCOMP_SHA256[${ver}]: unbound variable

In case the the hardcoded value in the file is of wrong format/length,
we'll get:

	sha256sum: 'standard input': no properly formatted SHA256 checksum lines found

In any of these cases, the script aborts (due to set -e).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-25 18:29:07 -07:00
Akihiro Suda 016a0d29d1 Merge pull request #3452 from kolyshkin/separate-devices
Decouple setting cgroup device rules from cgroup manager
2022-05-25 18:11:36 +09:00
Aleksa Sarai 436b86f5d9 merge branch 'pr-3483'
Kir Kolyshkin:
  ci: drop docker layer caching from release job

LGTMs: thaJeztah cyphar
Closes #3483
2022-05-25 08:46:15 +10:00
Kir Kolyshkin fbafaf315e ci: drop docker layer caching from release job
This job is failing with "No space left on device" lately, and this
helps to fix it.

Besides, it seems that caching does not help to shorten execution times
(validate/release job succeeds in under 8 minutes now; ymmv).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-24 11:22:27 -07:00
Akihiro Suda 3f0daac908 Merge pull request #3480 from kolyshkin/bump-libseccomp
Dockerfile,scripts/release: bump libseccomp to v2.5.4
2022-05-24 13:13:19 +09:00
Kir Kolyshkin f7b07fd54c Dockerfile,scripts/release: bump libseccomp to v2.5.4
Release notes: https://github.com/seccomp/libseccomp/releases/tag/v2.5.4

This affects the released static binaries (as they are statically linked
against libseccomp).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-23 12:56:35 -07:00
Kir Kolyshkin 848aa38b8e Merge pull request #3474 from cyphar/seccomp-enosys-setup
seccomp: enosys: always return -ENOSYS for setup(2)
2022-05-23 10:43:54 -07:00
Aleksa Sarai 6a79271c31 seccomp: patchbpf: minor cleanups
Define sizeof(int) as a constant, and also return ENOSYS earlier in the
filter if it doesn't increase the number of instructions we generate
(this is a negligible performance improvement but it does make it easier
to understand the generated filter stub).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2022-05-23 16:36:07 +10:00
Aleksa Sarai be6488a5a9 seccomp: enosys: always return -ENOSYS for setup(2) on s390(x)
On s390x, syscalls above 255 are multiplexed using the (now otherwise
unused) setup(2) syscall (syscall number 0). If the kernel supports the
syscall then it will correctly translate the syscall number such that
seccomp will correctly detect it -- however, for unknown syscalls the
syscall number remains unchanged. This can be verified by running the
following program under strace:

	int main(void)
	{
		scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_TRAP);
		seccomp_load(ctx);

		return syscall(439, AT_FDCWD, "asdf", X_OK, 0);
	}

Which will then die with the following signal (on pre-5.8 kernels):

	--- SIGSYS {si_signo=SIGSYS, si_code=SYS_SECCOMP,
	            si_call_addr=0x3ffb3006c22, si_syscall=__NR_setup,
	            si_arch=AUDIT_ARCH_S390X} ---

(Note that the si_syscall is __NR_setup, not __NR_faccessat2.)

As a result, the -ENOSYS handling we had previously did not work
completely correctly on s390x because any syscall not supported by the
kernel would be treated as syscall number 0 rather than the actual
syscall number.

Always returning -ENOSYS will not cause any issues because in all of the
cases where this multiplexing occurs, seccomp will see the remapped
syscall number -- and no userspace program will call setup(2)
intentionally (the syscall has not existed in Linux for decades and was
originally a hack used early in Linux init prior to spawning pid1 -- so
you will get -ENOSYS from the kernel anyway).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2022-05-23 16:36:07 +10:00
Kir Kolyshkin 967079dfc1 Merge pull request #3475 from chenk008/fix_dbus_connection_closed
libct/cg/sd: check dbus.ErrClosed instead of isDbusError
2022-05-20 11:07:06 -07:00
Kang Chen 0ca0bb9fee libct/cg/sd: check dbus.ErrClosed instead of isDbusError
Signed-off-by: Kang Chen <kongchen28@gmail.com>
2022-05-20 14:47:19 +08:00
Akihiro Suda 8093c54d91 Merge pull request #3446 from kolyshkin/risc
release: build riscv64 binary, build static PIE if supported
2022-05-19 18:49:27 +09:00
Kir Kolyshkin 47e09976a3 libct/cg/dev: privatize some functions
These are only used from inside the package, and we don't want them to
be public.

The only two methods left are Enable and Disable.

While at it, fix or suppress found lint-extra warnings.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-18 11:17:13 -07:00
Kir Kolyshkin b6967fa84c Decouple cgroup devices handling
This commit separates the functionality of setting cgroup device
rules out of libct/cgroups to libct/cgroups/devices package. This
package, if imported, sets the function variables in libct/cgroups and
libct/cgroups/systemd, so that a cgroup manager can use those to manage
devices. If those function variables are nil (when libct/cgroups/devices
are not imported), a cgroup manager returns the ErrDevicesUnsupported
in case any device rules are set in Resources.

It also consolidates the code from libct/cgroups/ebpf and
libct/cgroups/ebpf/devicefilter into libct/cgroups/devices.

Moved some tests in libct/cg/sd that require device management to
libct/sd/devices.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-18 11:17:08 -07:00
Kir Kolyshkin 25f1856236 libct/cg/sd: factor out devices.go
This moves the functionality related to devices, SkipDevices, and
SkipFreezeOnSet to a separate file, in preparation for the next commit.

No code changes.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-18 11:14:03 -07:00
Aleksa Sarai 9524366183 merge branch 'pr-3384'
wineway (2):
  libct: use `unix.Getwd` instead of `os.Getwd` to avoid symlink
  go.mod: golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5

LGTMs: kolyshkin cyphar
Closes #3384
2022-05-13 09:01:16 +10:00
wineway d160116055 libct: use unix.Getwd instead of os.Getwd to avoid symlink
Signed-off-by: wineway <wangyuweihx@gmail.com>
2022-05-11 17:25:34 -07:00
wineway cab3888575 go.mod: golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5
to include https://go-review.googlesource.com/c/sys/+/387194 which ensured unix::Getwd returned path is absolute

Signed-off-by: wineway <wangyuweihx@gmail.com>
2022-05-11 17:25:34 -07:00
Kir Kolyshkin a14cc4059d release: add riscv64 binary
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 17:23:45 -07:00
Akihiro Suda 1d7b297128 libct/seccomp: add riscv64
Co-authored-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 17:23:45 -07:00
Kir Kolyshkin dafcacb522 Makefile: set CGO_ENABLED=1 when needed
It doesn't matter whether static or dynamic linking is used, runc
always needs libcontainer/nsenter, which is written in C and thus
requires cgo. Same is true for libcontainer/integration.

In addition, contrib/pkg/seccompagent also needs cgo (if seccomp build
tag is set), as it need to be linked against libseccomp C library.

By default, cgo is disabled when cross-compiling, meaning that
CGO_ENABLED=1 has to be set explicitly in such cases.

In all other cases (e.g. other contrib binaries) we do not need cgo.

Remove CGO_ENABLED=1 from GO_BUILD_STATIC (as it does not have anything
to do with static linking), and add it to all targets that require it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 17:23:45 -07:00
Kir Kolyshkin 21e32d47d3 Makefile: add support for static PIE
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 17:23:45 -07:00
Kir Kolyshkin ab5c60d02f Makefile: fix GO_BUILDMODE setting
1. Set to empty value by default.

2. Assume Linux (remove GOOS check, since we do not support other OSes).

3. Instead of using a "not-supported" list, use a "supported" list
   (as Go release notes usually say which platforms are supported).
   As of today, -buildmode=pie is supported for:

 * linux/386, linux/amd64, linux/arm, linux/arm64, and linux/ppc64le
   (since Go 1.6, see https://tip.golang.org/doc/go1.6#compiler)

 * linux/s390x (since Go 1.7, which adds the initial port)

 * linux/riscv64 (since Go 1.16, see
   https://tip.golang.org/doc/go1.16#riscv)

   NOTE this does not mean we support these architectures; it is merely
   a way to see if -buildmode=pie can be used.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 17:23:45 -07:00
Kir Kolyshkin f2f6e59937 Makefile: add LDFLAGS_COMMON and LDFLAGS_STATIC
LDFLAGS_COMMON are used from two places, so it makes sense to dedup.

LDFLAGS_STATIC is a preparation for the next commit.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 17:23:45 -07:00
Kir Kolyshkin f0f1b5f969 Dockerfile: don't use crossbuild-essential-*
All we need is gcc, libc-dev, and binutils. In addition to that,
crossbuild-essential installs g++, libstdc++-dev, and a bunch of perl
packages and libraries which we do not need.

This should speed up image building, as well as make it smaller.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 17:23:45 -07:00
Kir Kolyshkin 476aa18abe Dockerfile: rm dpkg --add-architecture lines
Dockerfile used to install libseccomp-dev packages for different
architectures. This is no longer true since commit f30244ee1b, which
changed to cross-compiling libseccomp (so we can get a static library
to link against).

Thus, adding extra architectures is no longer needed.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 17:23:45 -07:00
Kir Kolyshkin d542ad65ba Dockerfile: nit
We do not use all the files from scripts, only seccomp.sh and lib.sh.

This prevents unneeded rebuild of the image if e.g.
scripts/release_build.sh has changed.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 17:23:45 -07:00
Akihiro Suda 2661d59287 Merge pull request #3471 from kolyshkin/fix-fedora-ci-git
Vagrantfile.fedora: fix build wrt new git
2022-05-12 09:05:58 +09:00
Aleksa Sarai d04de3a9b7 Merge pull request from GHSA-f3fp-gc8g-vw66
runc: do not set inheritable capabilities
2022-05-12 08:15:42 +10:00
Kir Kolyshkin 98fe566c52 runc: do not set inheritable capabilities
Do not set inheritable capabilities in runc spec, runc exec --cap,
and in libcontainer integration tests.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-12 08:14:50 +10:00
Kir Kolyshkin 009e627cb0 Vagrantfile.fedora: fix build wrt new git
With the updated git in Fedora 35, we can't build it via sudo:

	ssh default 'sudo -i make -C /vagrant localunittest'
	make: Entering directory '/vagrant'
	fatal: unsafe repository ('/vagrant' is owned by someone else)
	To add an exception for this directory, call:

		git config --global --add safe.directory /vagrant
	go build -trimpath "-buildmode=pie"  -tags "seccomp" -ldflags "-X main.gitCommit= -X main.version=1.1.0+dev " -o runc .
	error obtaining VCS status: exit status 128
		Use -buildvcs=false to disable VCS stamping.
	make: Leaving directory '/vagrant'

This commit should fix this.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 15:03:32 -07:00
Sebastiaan van Stijn 94105ca31d Merge pull request #3468 from kolyshkin/no-tun
Remove tun/tap from the default device rules
2022-05-11 00:28:55 +02:00
Akihiro Suda 33946701db Merge pull request #3469 from kolyshkin/fix-ci-typo
tests/int: fix a bad typo
2022-05-07 15:25:27 +09:00