Commit Graph

8084 Commits

Author SHA1 Message Date
Rodrigo Campos Catelin 881608b52a Merge pull request #5334 from opencontainers/dependabot/github_actions/actions/checkout-7
build(deps): bump actions/checkout from 6 to 7
2026-06-19 12:20:19 +02:00
Rodrigo Campos Catelin 53ec4c39d0 Merge pull request #5330 from AkihiroSuda/fix-5329
features: propagate version from the root urfave/cli command
2026-06-19 11:04:27 +02:00
dependabot[bot] b01a783897 build(deps): bump actions/checkout from 6 to 7
Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-19 04:52:10 +00:00
Akihiro Suda 7dda063c9a features: propagate version from the root urfave/cli command
Fix #5329
Fix #5331

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2026-06-19 02:27:37 +09:00
Akihiro Suda a8d82ce580 Merge pull request #5291 from cyphar/libpathrs-0.2.5
deps: update to libpathrs 0.2.5
2026-06-19 01:38:24 +09:00
Aleksa Sarai 1e20abef19 runc: add libpathrs info to --version and features
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-06-18 11:57:38 +02:00
Aleksa Sarai d47bf88349 deps: update to libpathrs v0.2.5
This update includes a few breaking API changes that I needed to get in
before an actual runc release depends on it, so that we don't need to
deal with compatibility shims for them (or bumping the SOVERSION).

From a Go API perspective, there were no major changes -- though this
bump did also require a bump to github.com/cyphar/filepath-securejoin
because one of the wrapped APIs changed from int to uint64 as a flag
argument type. Again, better to get this done before we really depend on
this in a public way.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-06-18 11:57:38 +02:00
Akihiro Suda c6f4361b83 Merge pull request #5312 from kolyshkin/test-go-criu-protobuf-go-lite
deps: bump to go-criu v8.3.0, drop google protobuf
2026-06-18 09:31:48 +09:00
Kir Kolyshkin d114cbd9cf Merge pull request #5307 from ricardobranco777/seccomp
tests/integration: fix seccomp tests on big-endian architectures
2026-06-17 15:24:39 -07:00
Kir Kolyshkin f66ace4cfa deps: bump to go-criu v8.3.0
go-criu v8.3.0 switches to protobuf-go-lite, which helps to remove
google.golang.org/protobuf dependency from here, reducing the runc
binary size from ~16M to ~14M.

The only missing piece is proto.String, proto.Bool, proto.Int32 etc.
helpers that return a pointer to a given variable. Those are replaced
by a generic mkPtr, which in turn is to be replaced by the new builtin
once Go < 1.26 is no longer supported.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-06-15 12:09:36 -07:00
lfbzhm da3d022b06 Merge pull request #5319 from cyphar/changelog-forward-port
CHANGELOG: forward-port v1.3.6 / v1.4.3 / v1.5.0-rc.3 releases
2026-06-15 17:42:22 +08:00
Rodrigo Campos Catelin 49551071ea Merge pull request #5321 from opencontainers/dependabot/go_modules/github.com/urfave/cli/v3-3.10.0
build(deps): bump github.com/urfave/cli/v3 from 3.9.1 to 3.10.0
2026-06-15 11:32:30 +02:00
dependabot[bot] 8c112e2f63 build(deps): bump github.com/urfave/cli/v3 from 3.9.1 to 3.10.0
Bumps [github.com/urfave/cli/v3](https://github.com/urfave/cli) from 3.9.1 to 3.10.0.
- [Release notes](https://github.com/urfave/cli/releases)
- [Changelog](https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md)
- [Commits](https://github.com/urfave/cli/compare/v3.9.1...v3.10.0)

---
updated-dependencies:
- dependency-name: github.com/urfave/cli/v3
  dependency-version: 3.10.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-15 04:52:27 +00:00
Aleksa Sarai f71b58d827 CHANGELOG: forward-port v1.3.6 / v1.4.3 / v1.5.0-rc.3 releases
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-06-13 19:56:56 +02:00
Aleksa Sarai 122fb7a642 merge CVE-2026-41579 fixes into runc:main
Aleksa Sarai (3):
  rootfs: make cgroupv1 subsystem symlinks fd-based
  rootfs: make /dev initialisation code fd-based
  rootfs: switch createDevices argument order

LGTMs: lifubang kolyshkin rata
2026-06-13 14:27:57 +02:00
Aleksa Sarai 66acd48f9d rootfs: make cgroupv1 subsystem symlinks fd-based
As with /dev symlinks, this was missed in commit d40b3439a9 ("rootfs:
switch to fd-based handling of mountpoint targets"). It's not really
clear to what extent this was exploitable (/sys/fs/cgroup is a tmpfs we
create) but it's better to just fix this anyway.

Fixes: d40b3439a9 ("rootfs: switch to fd-based handling of mountpoint targets")
Signed-off-by: Aleksa Sarai <aleksa@amutable.com>
2026-06-13 00:26:52 +02:00
Aleksa Sarai 864db8042d rootfs: make /dev initialisation code fd-based
These codepaths are very old and operate on pure paths but before
pivot_root(2), meaning that a bad image with a malicious /dev symlink
could cause us to operate on host paths instead.

In practice this means that we could be tricked into removing a file
called "ptmx" (note that /dev/pts/ptmx and /dev/ptmx are both immune for
different reasons) or creating a very restricted set of symlinks (with
fixed targets and names). The scope of these bugs is thus quite limited,
but we definitely need to harden against it.

These codepaths were unfortunately missed during the fd-based rework in
commit d40b3439a9 ("rootfs: switch to fd-based handling of mountpoint
targets") -- I must've assumed they were called after pivot_root(2)...

Fixes: GHSA-xjvp-4fhw-gc47
Fixes: CVE-2026-41579
Fixes: d40b3439a9 ("rootfs: switch to fd-based handling of mountpoint targets")
Signed-off-by: Aleksa Sarai <aleksa@amutable.com>
2026-06-12 18:12:37 +02:00
Aleksa Sarai fcf04eb41b rootfs: switch createDevices argument order
This argument order matches most other helpers we have and will also
match the changes we are about to make to setupPtmx and
setupDevSymlinks.

Signed-off-by: Aleksa Sarai <aleksa@amutable.com>
2026-06-12 18:12:37 +02:00
lfbzhm 20628648e0 Merge pull request #5316 from opencontainers/dependabot/go_modules/github.com/urfave/cli/v3-3.9.1
build(deps): bump github.com/urfave/cli/v3 from 3.9.0 to 3.9.1
2026-06-11 18:28:38 +08:00
dependabot[bot] 7e988a0279 build(deps): bump github.com/urfave/cli/v3 from 3.9.0 to 3.9.1
Bumps [github.com/urfave/cli/v3](https://github.com/urfave/cli) from 3.9.0 to 3.9.1.
- [Release notes](https://github.com/urfave/cli/releases)
- [Changelog](https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md)
- [Commits](https://github.com/urfave/cli/compare/v3.9.0...v3.9.1)

---
updated-dependencies:
- dependency-name: github.com/urfave/cli/v3
  dependency-version: 3.9.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-11 10:16:36 +00:00
lfbzhm ba09e7ff06 Merge pull request #5315 from opencontainers/dependabot/go_modules/golang.org/x/net-0.56.0
build(deps): bump golang.org/x/net from 0.55.0 to 0.56.0
2026-06-11 18:14:44 +08:00
dependabot[bot] e6e4767529 build(deps): bump golang.org/x/net from 0.55.0 to 0.56.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.55.0 to 0.56.0.
- [Commits](https://github.com/golang/net/compare/v0.55.0...v0.56.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.56.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-11 04:52:27 +00:00
Kir Kolyshkin 27354cd3d8 Merge pull request #5314 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.46.0
build(deps): bump golang.org/x/sys from 0.45.0 to 0.46.0
2026-06-09 11:02:07 -07:00
dependabot[bot] 5198de1cfb build(deps): bump golang.org/x/sys from 0.45.0 to 0.46.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.45.0 to 0.46.0.
- [Commits](https://github.com/golang/sys/compare/v0.45.0...v0.46.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-version: 0.46.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-09 04:52:30 +00:00
Rodrigo Campos Catelin a7e766484c Merge pull request #5311 from opencontainers/dependabot/go_modules/github.com/opencontainers/selinux-1.15.1
build(deps): bump github.com/opencontainers/selinux from 1.14.1 to 1.15.1
2026-06-05 11:27:59 +02:00
Rodrigo Campos Catelin 0f0ca6dd24 Merge pull request #5313 from kolyshkin/go-criu-v8
deps: bump go-criu to v8.2.0
2026-06-05 11:04:09 +02:00
Kir Kolyshkin 269405107f deps: bump go-criu to v8.2.0
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-06-04 10:48:15 -07:00
dependabot[bot] 9ffc42622a build(deps): bump github.com/opencontainers/selinux
Bumps [github.com/opencontainers/selinux](https://github.com/opencontainers/selinux) from 1.14.1 to 1.15.1.
- [Release notes](https://github.com/opencontainers/selinux/releases)
- [Commits](https://github.com/opencontainers/selinux/compare/v1.14.1...v1.15.1)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/selinux
  dependency-version: 1.15.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-03 22:17:11 +00:00
Ricardo Branco 31a13788ba tests/integration: fix seccomp tests on big-endian architectures
The hardcoded architecture list was little-endian only, causing
seccomp_arch_add() to fail with -EDOM on s390x.

Drop it.  It's optional and libseccomp automatically adds the native
architecture when the filter is created.

Fixes: https://github.com/opencontainers/runc/issues/4835

Signed-off-by: Ricardo Branco <rbranco@suse.de>
2026-06-01 18:35:42 +02:00
Akihiro Suda 3047d61ff9 Merge pull request #5302 from pstoeckle/main
chore: fix some typos in comments
2026-05-28 13:51:25 +09:00
Patrick Stoeckle e44aa440d9 chore: fix some typos in comments
Signed-off-by: Patrick Stoeckle <patrick.stoeckle@siemens.com>
2026-05-27 13:49:23 +02:00
Rodrigo Campos Catelin 3cb21b9246 Merge pull request #5295 from ricardobranco777/busybox138
Update `busybox:glibc` in integration tests to latest (1.38.0) builds
2026-05-27 09:02:58 +02:00
Ricardo Branco c7c2920db0 Update busybox:glibc in integration tests to latest (1.38.0) builds
This release fixes tests on ppc64le in busybox commit 3621595939e43:
"nsenter,unshare: don't use xvfork_parent_waits_and_exits(), it SEGVs
on ppc64le".

Fixes: https://github.com/opencontainers/runc/issues/4836

Signed-off-by: Ricardo Branco <rbranco@suse.de>
2026-05-26 17:38:12 +02:00
Rodrigo Campos Catelin a271890df2 Merge pull request #5297 from kolyshkin/fix-5203
runc list: fix error reporting for non-existent root
2026-05-26 17:18:47 +02:00
Ricardo Branco de39d5e79b tests/int: relax testPids fork error match string
The test checked for the exact BusyBox ash diagnostic "sh: can't fork".
With BusyBox 1.38, ash reports the failure as:

  /bin/sh: line 0: can't fork: Resource temporarily unavailable

Match the stable "can't fork" part of the error message instead.

Signed-off-by: Ricardo Branco <rbranco@suse.de>
2026-05-25 21:52:19 +02:00
Ricardo Branco 3acb097f93 tests/int: build TestPids pipelines programmatically
TestPids used long hand-written /bin/true pipelines for the 4-, 32- and
64-command cases. This made the test easy to typo and hard to review, as
seen by the earlier "bin/true" entries.

Build the shell pipelines instead, preserving the existing test coverage
while making the command counts explicit.

Signed-off-by: Ricardo Branco <rbranco@suse.de>
2026-05-25 21:52:19 +02:00
Kir Kolyshkin 98c442a0e6 runc list: fix error reporting for non-existent root
The idea of commit d1fca8e was right (report errors for non-existent
root, unless using the default root dir) but the logic was inverted.

Fix the logic.

Test case for default root requires non-existent /root/runc, which is
not always possible.

Reported-by: RedMakeUp <girafeeblue@gmail.com>
Co-authored-by: RedMakeUp <girafeeblue@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-05-22 17:31:42 -07:00
Rodrigo Campos Catelin d0aeb9e3e2 Merge pull request #5292 from opencontainers/dependabot/go_modules/golang.org/x/net-0.55.0
build(deps): bump golang.org/x/net from 0.54.0 to 0.55.0
2026-05-22 10:24:32 +02:00
dependabot[bot] 3003d0163c build(deps): bump golang.org/x/net from 0.54.0 to 0.55.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.54.0 to 0.55.0.
- [Commits](https://github.com/golang/net/compare/v0.54.0...v0.55.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.55.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-05-22 04:52:43 +00:00
Kir Kolyshkin 3e802d13d7 Merge pull request #5184 from lifubang/use-urfave-cli-v3
chore(deps): upgrade urfave/cli from v1 to v3
2026-05-19 22:40:02 -07:00
lifubang 098a2b4f49 remove urfave_cli_no_docs from build tags
After migrate from urfave/cli v1 (maintenance mode) to v3,
we don't need this build tag anymore.

Signed-off-by: lifubang <lifubang@acmcoder.com>
2026-05-20 05:26:57 +00:00
lifubang 57fad01d52 chore(deps): upgrade urfave/cli from v1 to v3
Migrate from urfave/cli v1 (maintenance mode) to v3 to benefit from
active development, improved features, and long-term support.

Signed-off-by: lifubang <lifubang@acmcoder.com>
2026-05-20 05:26:51 +00:00
Kir Kolyshkin 84762a5c1a Merge pull request #5285 from lifubang/followup-5275-maskpath
libct: Clean up and refactor maskPaths logic
2026-05-18 11:13:16 -07:00
lfbzhm 544621ae88 Merge pull request #5261 from kolyshkin/aa
Use sync.OnceFunc, sync.OnceValue[s]
2026-05-18 20:19:44 +08:00
lfbzhm e7b5943642 Merge pull request #5269 from kolyshkin/fix-5264
tests/int: fix flake in "resources.unified override"
2026-05-18 20:17:53 +08:00
lifubang b88635e57e libct: close rootFd ASAP in maskPaths
Close the root file descriptor immediately after use in maskPaths to
reduce the window during which an attacker could potentially exploit
an open fd to access or manipulate the root filesystem. This follows
the principle of least privilege and mitigates risks in compromised
or malicious container scenarios.

Co-authored-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
2026-05-17 02:26:10 +00:00
lifubang e7e2f00248 libct: optimize maskPaths for single-directory case
This is a follow-up to #5275. That change reused a single tmpfs mount
to mask multiple directories, which is efficient when masking more than
one path. However, it introduced unnecessary overhead when only one
directory is masked. This commit restores the original behavior for the
single-path case while preserving shared tmpfs logic for multiple paths.

Signed-off-by: lifubang <lifubang@acmcoder.com>
2026-05-16 05:50:01 +00:00
Kir Kolyshkin 16dde3befc libct/intelrdt: use sync.OnceFunc and sync.OnceValues
Switch from sync.Once to sync.OnceFunc and sync.OnceValues.

Keep Root a function (rather than a variable) because godoc
renders function doc better than a variable doc.

Switch to using internal function root internally.

Modify tests accordingly (and simplify NewIntelRdtTestUtil to
fakeRoot).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-05-15 17:14:15 -07:00
Kir Kolyshkin 2d2ae8809c libct/configs/validate: simplify intelrtd tests
The whole struct intelRdtStatus with its methods and a sync.Once is not
needed, since intelrtd.Is*Enabled methods are already run-once (or use
run-once and a simple comparison).

Yet it is still needed for the test to fake values returned by *Enabled.

Simplify to use func pointers which a test case overwrites.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-05-15 17:14:15 -07:00
Kir Kolyshkin 5cd0cb6d51 libct/intelrdt: remove newManager
It is not doing anything, and tests can just instantiate the &Manager{}.

Suggested-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-05-15 17:14:15 -07:00