Commit Graph

7271 Commits

Author SHA1 Message Date
Kir Kolyshkin 9b5065bced Merge pull request #5145 from cyphar/1.2-keyring-fixes
[1.2] keyring fixes
2026-03-04 17:15:22 -08:00
Aleksa Sarai 0f6d9e6ca1 keyring: update AkihiroSuda's key
This comes from <https://github.com/AkihiroSuda.gpg> and is a valid
update of the key metadata.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 9ad18b1347)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-05 01:14:34 +11:00
Aleksa Sarai 732adedbe4 keyring: validate: allow maintainers to have no keys
Some maintainers appear to have removed their PGP keys, which causes
"gpg --import" during "make validate-keyring" to fail. The solution is
to switch to a non-fatal warning if no keys were imported.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 936a59b07f)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-05 00:45:33 +11:00
Aleksa Sarai efc715fb7c keyring: remove asarai@suse.de key
I no longer work at SUSE and thus this key (and email address) are no
longer associated with me.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit a691486c83)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-05 00:45:24 +11:00
Kir Kolyshkin 449775e201 Merge pull request #5112 from kolyshkin/1.2-go125-126
[1.2] Test/build using supported Go version
2026-02-11 17:11:10 -08:00
Kir Kolyshkin eb63817bfb [1.2] ci: bump bats-action to v4.0.0
Older one fails on ARM for some reason.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-10 16:00:29 -08:00
Kir Kolyshkin 65256e0f13 [1.2] Test/build using supported Go version
In addition to testing with Go 1.22 (the oldest supported version in
this branch, let's switch to using the supported Go versions (1.25 and
1.26) for CI, and using oldest supported Go version (1.25) for the
official build.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-10 15:36:11 -08:00
Aleksa Sarai 77f2125179 merge #5045 into opencontainers/runc:release-1.2
Li Fu Bang (2):
  VERSION: back to development
  VERSION: release 1.2.9

LGTMs: rata cyphar
2025-11-28 10:33:19 +11:00
lifubang 4ab771fcee VERSION: back to development
Signed-off-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-28 03:00:32 +11:00
lifubang 6524246c68 VERSION: release 1.2.9
Signed-off-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
v1.2.9
2025-11-28 03:00:31 +11:00
Kir Kolyshkin 7e5d01e11e Merge pull request #5043 from lifubang/backport-5014-fd-leaks-flake-1.2
[1.2] libct/int: TestFdLeaks: deflake
2025-11-26 17:58:27 -08:00
Kir Kolyshkin 0c910b9cab libct/int: TestFdLeaks: deflake
Since the recent CVE fixes, TestFdLeaksSystemd sometimes fails:

	=== RUN   TestFdLeaksSystemd
	    exec_test.go:1750: extra fd 9 -> /12224/task/13831/fd
	    exec_test.go:1753: found 1 extra fds after container.Run
	--- FAIL: TestFdLeaksSystemd (0.10s)

It might have been caused by the change to the test code in commit
ff6fe13 ("utils: use safe procfs for /proc/self/fd loop code") -- we are
now opening a file descriptor during the logic to get a list of file
descriptors. If the file descriptor happens to be allocated to a
different number, you'll get an error.

Let's try to filter out the fd used to read a directory.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 5fbc3bb019)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-26 14:21:16 +00:00
Aleksa Sarai 0675ec85b4 merge #5027 into opencontainers/runc:release-1.2
Li Fubang:
  integration: verify syscall compatibility after seccomp enforcement
  downgrade github.com/cyphar/filepath-securejoin from v0.6.0 to v0.5.2
  bump github.com/opencontainers/selinux from v1.13.0 to v1.13.1
  libct: add a defer fd close in createDeviceNode
  libct: always close m.dstFile in mountToRootfs
  ci: detect file descriptor leaks as comprehensively as possible

LGTMs: cyphar AkihiroSuda
2025-11-26 14:46:10 +11:00
lifubang edd38b067e integration: verify syscall compatibility after seccomp enforcement
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit d8706501cf)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-20 11:50:28 +00:00
lifubang 6b60c79f29 downgrade github.com/cyphar/filepath-securejoin from v0.6.0 to v0.5.2
The dependency was initially slated for an upgrade from v0.6.0 to v0.6.1
to address an fd leak. However, due to compatibility constraints, we
instead downgrade to v0.5, using v0.5.2 which includes a backported fix
for the same issue.

Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-20 11:49:54 +00:00
lifubang f5f38eb958 bump github.com/opencontainers/selinux from v1.13.0 to v1.13.1
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-20 11:49:54 +00:00
lifubang 9d18ca1505 libct: add a defer fd close in createDeviceNode
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit 9a5e6262f0bf4e3e654b1a0d71bb804093948f85)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-20 11:49:54 +00:00
lifubang b854ef6450 libct: always close m.dstFile in mountToRootfs
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit e0272886047915899ec06e06665723fc453d3cbf)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-20 11:49:54 +00:00
lifubang 5be8737a1a ci: detect file descriptor leaks as comprehensively as possible
Co-authored-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit ba7f46d7119dc4bf57e2a13017333d1980494ea9)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-20 11:49:54 +00:00
lfbzhm 059c2a1675 Merge pull request #4998 from kolyshkin/1.2-check-go
[1.2] check/bump go version in Dockerfile
2025-11-20 17:50:25 +08:00
Kir Kolyshkin 04a7797f92 Use Go 1.24.x for release binaries
Since Go 1.23 is no longer supported, we should not use it.
Go 1.23 is still supported and is probably the best bet for
the release-1.2 branch.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-20 15:25:12 +08:00
Kir Kolyshkin b9e458a731 ci: add checking Go version from Dockerfile
This is to ensure that Go version in Dockerfile (which is used to build
release binaries) is:
 - currently supported;
 - used in CI tests.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit df4acc8867)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-20 15:25:12 +08:00
Kir Kolyshkin d94e558783 ci: faster git clone
For some reason, some jobs in .github/workflows/validate.yml
have "fetch-depth: 0" argument to actions/checkout, meaning
"all history for all branches and tags". Obviously this is
not needed here.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit e0b00171eb0f338cf024760019abdd4e7dec690f)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-20 15:25:12 +08:00
dependabot[bot] 33b9a2c2fb build(deps): bump actions/checkout from 4 to 5
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit cfb22c9a0f)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-20 15:25:12 +08:00
lfbzhm f354304250 Merge pull request #5032 from cyphar/1.2-5017-ci-pin-parent-cgroup
[1.2] ci: ensure the cgroup parent always exists for rootless
2025-11-20 09:13:32 +08:00
lifubang e1ba58f4e9 ci: ensure the cgroup(v1) parent always exists for rootless
On some systems (e.g., AlmaLinux 8), systemd automatically removes cgroup paths
when they become empty (i.e., contain no processes). To prevent this, we spawn
a dummy process to pin the cgroup in place.
Fix: https://github.com/opencontainers/runc/issues/5003

Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit bba7647d09)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-20 03:28:37 +11:00
lfbzhm e975615f6b Merge pull request #4974 from cyphar/1.2-tmpfs-mode
[1.2] rootfs: only set mode= for tmpfs mount if target already existed
2025-11-11 09:28:52 +08:00
lfbzhm 6e24b72bd4 Merge pull request #4978 from cyphar/1.2-selinux-1.13
[1.2] deps: update to github.com/opencontainers/selinux@v0.13.0
2025-11-11 09:22:15 +08:00
Aleksa Sarai c8588560cd rootfs: only set mode= for tmpfs mount if target already existed
This was always the intended behaviour but commit 72fbb34f50 ("rootfs:
switch to fd-based handling of mountpoint targets") regressed it when
adding a mechanism to create a file handle to the target if it didn't
already exist (causing the later stat to always succeed).

A lot of people depend on this functionality, so add some tests to make
sure we don't break it in the future.

Fixes: 72fbb34f50 ("rootfs: switch to fd-based handling of mountpoint targets")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 9a9719eeb4)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-11 03:11:50 +11:00
Aleksa Sarai 90362e017a deps: update to github.com/opencontainers/selinux@v0.13.0
This new version includes the fixes for CVE-2025-52881, so we can remove
the internal/third_party copy of the library we added in commit
ed6b1693b8 ("selinux: use safe procfs API for labels") as well as the
"replace" directive in go.mod (which is problematic for "go get"
installs).

Fixes: ed6b1693b8 ("selinux: use safe procfs API for labels")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 96f1962f91)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-08 02:17:27 +11:00
lfbzhm b4782082a5 Merge pull request #4965 from cyphar/1.2-4964-fix-mips
[1.2] libct: fix mips compilation
2025-11-06 11:07:33 +08:00
Kir Kolyshkin 0c07fcc1de libct: fix mips compilation
On MIPS arches, Rdev is uint32 so we have to convert it.

Fixes issue 4962.

Fixes: 8476df83 ("libct: add/use isDevNull, verifyDevNull")
Fixes: de87203e ("console: verify /dev/pts/ptmx before use")
Fixes: 398955bc ("console: add fallback for pre-TIOCGPTPEER kernels")
Reported-by: Tianon Gravi <admwiggin@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 1b954f1f06)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-06 13:46:22 +11:00
Aleksa Sarai e8d829adbd merge security release into opencontainers/runc:release-1.2
Aleksa Sarai (23):
  VERSION: back to development
  VERSION: release v1.2.8
  rootfs: re-allow dangling symlinks in mount targets
  openat2: improve resilience on busy systems
  selinux: use safe procfs API for labels
  rootfs: switch to fd-based handling of mountpoint targets
  libct/system: use securejoin for /proc/$pid/stat
  init: use securejoin for /proc/self/setgroups
  init: write sysctls using safe procfs API
  utils: remove unneeded EnsureProcHandle
  utils: use safe procfs for /proc/self/fd loop code
  apparmor: use safe procfs API for labels
  rootfs: avoid using os.Create for new device inodes
  internal: add wrappers for securejoin.Proc*
  go.mod: update to github.com/cyphar/filepath-securejoin@v0.5.0
  console: verify /dev/pts/ptmx before use
  console: avoid trivial symlink attacks for /dev/console
  console: add fallback for pre-TIOCGPTPEER kernels
  console: use TIOCGPTPEER when allocating peer PTY
  *: switch to safer securejoin.Reopen
  internal: move utils.MkdirAllInRoot to internal/pathrs
  internal/sys: add VerifyInode helper
  internal: linux: add package doc-comment

Li Fubang (1):
  libct: align param type for mountCgroupV1/V2 functions

Kir Kolyshkin (3):
  libct: maskPaths: don't rely on ENOTDIR for mount
  libct: maskPaths: only ignore ENOENT on mount dest
  libct: add/use isDevNull, verifyDevNull

Fixes: CVE-2025-31133 GHSA-9493-h29p-rfm2
Fixes: CVE-2025-52565 GHSA-qw9x-cqr3-wc7r
Fixes: CVE-2025-52881 GHSA-cgrx-mc8f-2prm
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-05 20:27:03 +11:00
Aleksa Sarai d38bdef92f VERSION: back to development
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-05 20:04:15 +11:00
Aleksa Sarai eeb7e6024f VERSION: release v1.2.8
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
v1.2.8
2025-11-05 20:03:40 +11:00
Aleksa Sarai cdee962c39 merge private security patches into ghsa-release-1.2.8
Aleksa Sarai (21):
  rootfs: re-allow dangling symlinks in mount targets
  openat2: improve resilience on busy systems
  selinux: use safe procfs API for labels
  rootfs: switch to fd-based handling of mountpoint targets
  libct/system: use securejoin for /proc/$pid/stat
  init: use securejoin for /proc/self/setgroups
  init: write sysctls using safe procfs API
  utils: remove unneeded EnsureProcHandle
  utils: use safe procfs for /proc/self/fd loop code
  apparmor: use safe procfs API for labels
  rootfs: avoid using os.Create for new device inodes
  internal: add wrappers for securejoin.Proc*
  go.mod: update to github.com/cyphar/filepath-securejoin@v0.5.0
  console: verify /dev/pts/ptmx before use
  console: avoid trivial symlink attacks for /dev/console
  console: add fallback for pre-TIOCGPTPEER kernels
  console: use TIOCGPTPEER when allocating peer PTY
  *: switch to safer securejoin.Reopen
  internal: move utils.MkdirAllInRoot to internal/pathrs
  internal/sys: add VerifyInode helper
  internal: linux: add package doc-comment

Li Fubang (1):
  libct: align param type for mountCgroupV1/V2 functions

Kir Kolyshkin (3):
  libct: maskPaths: don't rely on ENOTDIR for mount
  libct: maskPaths: only ignore ENOENT on mount dest
  libct: add/use isDevNull, verifyDevNull

Fixes: CVE-2025-31133 GHSA-9493-h29p-rfm2
Fixes: CVE-2025-52565 GHSA-qw9x-cqr3-wc7r
Fixes: CVE-2025-52881 GHSA-cgrx-mc8f-2prm
Reported-by: Lei Wang <ssst0n3@gmail.com>
Reported-by: Li Fubang <lifubang@acmcoder.com>
Reported-by: Tõnis Tiigi <tonistiigi@gmail.com>
Reported-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-05 20:02:32 +11:00
Aleksa Sarai b4cb2f5436 rootfs: re-allow dangling symlinks in mount targets
It seems there are a fair few images where dangling symlinks are used as
path components for mount targets, which pathrs-lite does not support
(and it would be difficult to fully support this in a race-free way).

This was actually meant to be blocked by commit 63c2908164 ("rootfs:
try to scope MkdirAll to stay inside the rootfs"), followed by commit
dd827f7b71 ("utils: switch to securejoin.MkdirAllHandle"). However, we
still used SecureJoin to construct mountpoint targets, which means that
dangling symlinks were "resolved" before reaching pathrs-lite.

This patch basically re-adds this hack in order to reduce the breakages
we've seen so far.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-05 20:01:26 +11:00
Aleksa Sarai ee56b8571c openat2: improve resilience on busy systems
Previously, we would see a ~3% failure rate when starting containers
with mounts that contain ".." (which can trigger -EAGAIN). To counteract
this, filepath-securejoin v0.5.1 includes a bump of the internal retry
limit from 32 to 128, which lowers the failure rate to 0.12%.

However, there is still a risk of spurious failure on regular systems.
In order to try to provide more resilience (while avoiding DoS attacks),
this patch also includes an additional retry loop that terminates based
on a deadline rather than retry count. The deadline is 2ms, as my
testing found that ~800us for a single pathrs operation was the longest
latency due to -EAGAIN retries, and that was an outlier compared to the
more common ~400us latencies -- so 2ms should be more than enough for
any real system.

The failure rates above were based on more 50k runs of runc with an
attack script (from libpathrs) running a rename attack on all cores of a
16-core system, which is arguably a worst-case but heavily utilised
servers could likely approach similar results.

Tested-by: Phil Estes <estesp@gmail.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-05 20:00:18 +11:00
Kir Kolyshkin 2462b68fa2 Merge pull request #4943 from lifubang/backport-1.2-4934-4937
[1.2] ci: backport  #4934 #4937
2025-10-15 23:15:32 -07:00
Kir Kolyshkin 99e41a58f7 ci: only run lint-extra job on PRs to main
All the new code appears in main (not in the release branches),
and we only want extra linter rules to apply to new code.

Disable lint-extra job if the PR is not to the main branch.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 1c4dba693f)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-10-16 05:01:40 +00:00
Akihiro Suda f2a1c98662 CI: remove deprecated lima-vm/lima-actions/ssh
`lima-vm/lima-actions/ssh` is now merged into
`lima-vm/lima-actions/setup`.

https://github.com/lima-vm/lima-actions/releases/tag/v1.1.0

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit c0e6f42427)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-10-16 05:00:51 +00:00
Aleksa Sarai 8f901856f9 selinux: use safe procfs API for labels
Due to the sensitive nature of these fixes, it was not possible to
submit these upstream and vendor the upstream library. Instead, this
patch uses a fork of github.com/opencontainers/selinux, branched at
commit opencontainers/selinux@879a755db5.

In order to permit downstreams to build with this patched version, a
snapshot of the forked version has been included in
internal/third_party/selinux. Note that since we use "go mod vendor",
the patched code is usable even without being "go get"-able. Once the
embargo for this issue is lifted we can submit the patches upstream and
switch back to a proper upstream go.mod entry.

Also, this requires us to temporarily disable the CI job we have that
disallows "replace" directives.

Fixes: GHSA-cgrx-mc8f-2prm CVE-2025-52881
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-10-16 11:27:54 +11:00
Aleksa Sarai 948d6e9dbe rootfs: switch to fd-based handling of mountpoint targets
An attacker could race with us during mount configuration in order to
trick us into mounting over an unexpected path. This would bypass
checkProcMount() and would allow for security profiles to be left
unapplied by mounting over /proc/self/attr/... (or even more serious
outcomes such as killing the entire system by tricking runc into writing
strings to /proc/sysrq-trigger).

This is a larger issue with our current mount infrastructure, and the
ideal solution would be to rewrite it all to be fd-based (which would
also allow us to support the "new" mount API, which also avoids a bunch
of other issues with mount(8)). However, such a rewrite is not really
workable as a security fix, so this patch is a bit of a compromise
approach to fix the issue while also moving us a bit towards that
eventual end-goal.

The core issue in CVE-2025-52881 is that we currently use the (insecure)
SecureJoin to re-resolve mountpoint target paths multiple times during
mounting. Rather than generating a string from createMountpoint(), we
instead open an *os.File handle to the target mountpoint directly and
then operate on that handle. This will make it easier to remove
utils.WithProcfd() and rework mountViaFds() in the future.

The only real issue we need to work around is that we need to re-open
the mount target after doing the mount in order to get a handle to the
mountpoint -- pathrs.Reopen() doesn't work in this case (it just
re-opens the inode under the mountpoint) so we need to do a naive
re-open using the full path. Note that if we used move_mount(2) this
wouldn't be a problem because we would have a handle to the mountpoint
itself.

Note that this is still somewhat of a temporary solution -- ideally
mountViaFds would use *os.File directly to let us avoid some other
issues with using bare /proc/... paths, as well as also letting us more
easily use the new mount API on modern kernels.

Fixes: GHSA-cgrx-mc8f-2prm CVE-2025-52881
Co-developed-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-10-16 11:27:54 +11:00
lifubang 7aa42ade85 libct: align param type for mountCgroupV1/V2 functions
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-10-16 11:27:54 +11:00
Aleksa Sarai a1ea773c3b libct/system: use securejoin for /proc/$pid/stat
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-10-16 11:27:53 +11:00
Aleksa Sarai f0f9a6ba7f init: use securejoin for /proc/self/setgroups
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-10-16 11:27:53 +11:00
Aleksa Sarai e416baeaf3 init: write sysctls using safe procfs API
sysctls could in principle also be used as a write gadget for arbitrary
procfs files. As this requires getting a non-subset=pid /proc handle we
amortise this by only allocating a single procfs handle for all sysctl
writes.

Fixes: GHSA-cgrx-mc8f-2prm CVE-2025-52881
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-10-16 11:27:53 +11:00
Aleksa Sarai 863f7bc443 utils: remove unneeded EnsureProcHandle
All of the callers of EnsureProcHandle now use filepath-securejoin's
ProcThreadSelf to get a file handle, which has much stricter
verification to avoid procfs attacks than EnsureProcHandle's very
simplistic filesystem type check.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-10-16 11:27:53 +11:00
Aleksa Sarai c9dd0e5ad9 utils: use safe procfs for /proc/self/fd loop code
From a safety perspective this might not be strictly required, but it
paves the way for us to remove utils.ProcThreadSelf.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-10-16 11:27:53 +11:00
Aleksa Sarai 47ab0b1e3b apparmor: use safe procfs API for labels
EnsureProcHandle only protects us against a tmpfs mount, but the risk of
a procfs path being used (such as /proc/self/sched) has been known for a
while. Now that filepath-securejoin has a reasonably safe procfs API,
switch to it.

Fixes: GHSA-cgrx-mc8f-2prm CVE-2025-52881
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-10-16 11:27:52 +11:00