Commit Graph

6812 Commits

Author SHA1 Message Date
Aleksa Sarai a1acca9acb merge #4219 into opencontainers/runc:main
Aleksa Sarai (2):
  seccomp: patchbpf: always include native architecture in stub
  seccomp: patchbpf: rename nativeArch -> linuxAuditArch

LGTMs: AkihiroSuda kolyshkin
2024-03-29 12:44:51 +11:00
Aleksa Sarai ccc500c427 seccomp: patchbpf: always include native architecture in stub
It turns out that on ppc64le (at least), Docker doesn't include any
architectures in the list of allowed architectures. libseccomp
interprets this as "just include the default architecture" but patchbpf
would return a no-op ENOSYS stub, which would lead to the exact issues
that commit 7a8d7162f9 ("seccomp: prepend -ENOSYS stub to all
filters") fixed for other architectures.

So, just always include the running architecture in the list. There's
no real downside.

Ref: https://bugzilla.suse.com/show_bug.cgi?id=1192051#c6
Reported-by: Fabian Vogt <fvogt@suse.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-03-29 12:01:47 +11:00
Aleksa Sarai b288abeaa5 seccomp: patchbpf: rename nativeArch -> linuxAuditArch
Calling the Linux AUDIT_* architecture constants "native" leads to
confusing code when we are getting the actual native architecture of the
running system.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-03-29 12:01:47 +11:00
Akihiro Suda 8e69225e2e Merge pull request #4220 from cyphar/runc-dmz-no-selinux-magic
dmz: remove SELinux special-casing
2024-03-27 14:16:52 +09:00
lfbzhm 3db0871f1c Merge pull request #4217 from AkihiroSuda/features-unsafe
features: implement returning potentiallyUnsafeConfigAnnotations list
2024-03-25 19:00:01 +08:00
lfbzhm 18c313be72 Merge pull request #4223 from cyphar/seccomp-2.5.5
build: update libseccomp to v2.5.5
2024-03-16 08:02:10 +08:00
lfbzhm d6df41c767 Merge pull request #4224 from SuperQ/update_urfave_cli
Remove dependabot ignore
2024-03-16 07:59:02 +08:00
SuperQ ab6788d307 Remove dependabot ignore
The referenced issue was fixed in `github.com/urfave/cli` v1.22.6. We
can now remove the dependabot ignore for this package.

Signed-off-by: SuperQ <superq@gmail.com>
2024-03-15 08:38:53 +01:00
Aleksa Sarai cdccf6d615 build: update libseccomp to v2.5.5
This adds support for syscalls up to Linux 6.7-rc3.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-03-15 17:57:54 +11:00
Aleksa Sarai 44114d32df merge #4179 into opencontainers/runc:main
Kir Kolyshkin (1):
  tests/int: fix flaky kill tests

LGTMs: AkihiroSuda cyphar
2024-03-15 17:57:12 +11:00
Aleksa Sarai e0cfcb3f85 merge #4222 into opencontainers/runc:main
lifubang (1):
  fix runc-dmz bin path error in Makefile

LGTMs: AkihiroSuda cyphar
2024-03-15 17:34:36 +11:00
lifubang da79b616a3 fix runc-dmz bin path error in Makefile
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-03-14 18:16:09 +08:00
Aleksa Sarai 37581ad340 dmz: remove SELinux special-casing
Now that runc-dmz is opt-in, we no longer need to try to detect whether
SELinux would cause issues for us. We can also remove the
special-purpose build-tag we added.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-03-13 18:18:09 +11:00
Aleksa Sarai 1950892f69 merge #4174 into opencontainers/runc:main
Rodrigo Campos (3):
  Makefile: Fix runc-dmz removal
  contrib/cmd/memfd-bind: Mention runc-dmz needs RUNC_DMZ=true
  libct/dmz: Require RUNC_DMZ=true to opt-in

LGTMs: AkihiroSuda cyphar
2024-03-13 16:22:16 +11:00
Akihiro Suda eefc6ae254 features: implement returning potentiallyUnsafeConfigAnnotations list
See https://github.com/opencontainers/runtime-spec/blob/v1.2.0/features.md#unsafe-annotations-in-configjson

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-03-09 21:31:49 +09:00
dependabot[bot] 109a7a0478 Merge pull request #4203 from opencontainers/dependabot/go_modules/github.com/opencontainers/runtime-spec-1.2.0 2024-03-09 12:18:19 +00:00
dependabot[bot] 606251ab33 build(deps): bump github.com/opencontainers/runtime-spec
Bumps [github.com/opencontainers/runtime-spec](https://github.com/opencontainers/runtime-spec) from 1.1.1-0.20230823135140-4fec88fd00a4 to 1.2.0.
- [Release notes](https://github.com/opencontainers/runtime-spec/releases)
- [Changelog](https://github.com/opencontainers/runtime-spec/blob/main/ChangeLog)
- [Commits](https://github.com/opencontainers/runtime-spec/commits/v1.2.0)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/runtime-spec
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-03-07 14:43:33 +09:00
Akihiro Suda ee7100854c Merge pull request #4216 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.33.0
build(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0
2024-03-07 14:41:36 +09:00
Akihiro Suda 9120ac6aa4 Merge pull request #4215 from opencontainers/dependabot/go_modules/golang.org/x/net-0.22.0
build(deps): bump golang.org/x/net from 0.21.0 to 0.22.0
2024-03-07 14:41:17 +09:00
dependabot[bot] bb5673f265 build(deps): bump golang.org/x/net from 0.21.0 to 0.22.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.21.0 to 0.22.0.
- [Commits](https://github.com/golang/net/compare/v0.21.0...v0.22.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-03-06 12:59:33 +00:00
dependabot[bot] 7ab66b187c build(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0
Bumps google.golang.org/protobuf from 1.32.0 to 1.33.0.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-03-06 12:59:30 +00:00
dependabot[bot] 1491dec992 Merge pull request #4214 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.18.0 2024-03-06 12:58:37 +00:00
dependabot[bot] 6056ed2dd6 build(deps): bump golang.org/x/sys from 0.17.0 to 0.18.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.17.0 to 0.18.0.
- [Commits](https://github.com/golang/sys/compare/v0.17.0...v0.18.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-03-05 04:18:12 +00:00
Rodrigo Campos fc76b136e1 Makefile: Fix runc-dmz removal
Signed-off-by: Rodrigo Campos <rodrigo@sdfg.com.ar>
2024-02-28 15:38:04 -03:00
Rodrigo Campos 46b72107f1 contrib/cmd/memfd-bind: Mention runc-dmz needs RUNC_DMZ=true
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-02-28 12:15:57 -03:00
Rodrigo Campos 1dae66f748 libct/dmz: Require RUNC_DMZ=true to opt-in
If it is compiled, the user needs to opt-in with this env variable to
use it.

While we are there, remove the RUNC_DMZ=legacy as that is now the
default.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-02-28 12:15:57 -03:00
lfbzhm 6cf6ddc358 Merge pull request #4208 from opencontainers/dependabot/github_actions/tim-actions/get-pr-commits-1.3.1
build(deps): bump tim-actions/get-pr-commits from 1.3.0 to 1.3.1
2024-02-28 18:23:56 +08:00
dependabot[bot] 935d586b39 build(deps): bump tim-actions/get-pr-commits from 1.3.0 to 1.3.1
Bumps [tim-actions/get-pr-commits](https://github.com/tim-actions/get-pr-commits) from 1.3.0 to 1.3.1.
- [Release notes](https://github.com/tim-actions/get-pr-commits/releases)
- [Commits](https://github.com/tim-actions/get-pr-commits/compare/v1.3.0...v1.3.1)

---
updated-dependencies:
- dependency-name: tim-actions/get-pr-commits
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-27 04:45:06 +00:00
Kir Kolyshkin d5e4c33001 Merge pull request #4205 from santidhammo/4204-fix-vendor
Fixed spelling mistake in the Makefile at .PHONY vendor
2024-02-16 10:28:32 -08:00
Kir Kolyshkin 86360598bd tests/int: fix flaky kill tests
It takes some time for the kernel to kill the process (and remove its
PID from cgroup.procs). To ensure we don't have flakes from reading
cgroup.procs right after the kill, check and wait for processes to
actually be gone.

Fixes: 4163
Reported-by: lifubang@acmcoder.com
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-02-15 13:32:33 -08:00
Sjoerd van Leent 82499d428a Fixed spelling mistake in the Makefile at .PHONY vendor
* Simple error correction of a spelling mistake which was
  introduced at commit b8f75f3

Signed-off-by: Sjoerd van Leent <sjoerd.van.leent@alliander.com>
2024-02-15 16:27:37 +01:00
Mrunal Patel 675292473b Merge pull request #4202 from kolyshkin/golangci-annot
ci/golangci-lint: add checks permission
2024-02-14 11:05:21 -08:00
Mrunal Patel bb56ed9e5f Merge pull request #4201 from kolyshkin/cleanups
libct/nsenter: rm dead code
2024-02-14 11:04:46 -08:00
Mrunal Patel aa8ba5bd59 Merge pull request #4187 from kolyshkin/gawk
tests/int: use gawk where needed
2024-02-14 11:04:09 -08:00
Kir Kolyshkin 93e377233f ci/golangci-lint: add checks permission
This permission is now needed so that the linter can annotate code in a
PR (see [1]).

[1] https://github.com/golangci/golangci-lint-action/pull/931/commits/bc1904f0c946172fc1821908fc41649db49f0334

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-02-12 22:14:41 -08:00
Kir Kolyshkin 302b2e89a6 tests/int: use gawk where needed
This expression is specific to GNU awk (gawk), so if someone has other version
of awk installed, this won't work and it's not easy to see why.

Explicitly requiring gawk here is better.

Revert "tests/int/helpers: gawk -> awk"

This reverts commit 4e65118d02.

Reported-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-02-12 14:44:42 -08:00
Kir Kolyshkin 9d2842debb Merge pull request #4200 from opencontainers/dependabot/github_actions/golangci/golangci-lint-action-4
build(deps): bump golangci/golangci-lint-action from 3 to 4
2024-02-12 14:35:20 -08:00
Kir Kolyshkin 3a9859bdc0 libct/nsenter: rm unused include
This was added by commit 9c444070 (to use LONG_MAX and INT_MAX) but the
code was later removed by commit ba0b5e26.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-02-12 13:19:12 -08:00
Kir Kolyshkin ea140db712 libct/nsenter: rm unused code
Commits b999376f and b999376f removed all users of this code.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-02-12 13:17:05 -08:00
dependabot[bot] 27cbabd00d build(deps): bump golangci/golangci-lint-action from 3 to 4
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 3 to 4.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/v3...v4)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-12 04:07:38 +00:00
lfbzhm fd4533aff2 Merge pull request #4196 from opencontainers/dependabot/go_modules/golang.org/x/net-0.21.0
build(deps): bump golang.org/x/net from 0.20.0 to 0.21.0
2024-02-10 01:15:48 +08:00
dependabot[bot] afd90f44e8 build(deps): bump golang.org/x/net from 0.20.0 to 0.21.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.20.0 to 0.21.0.
- [Commits](https://github.com/golang/net/compare/v0.20.0...v0.21.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-10 00:50:10 +08:00
Akihiro Suda 66bdcbca46 Merge pull request #4190 from opencontainers/dependabot/go_modules/github.com/containerd/console-1.0.4
build(deps): bump github.com/containerd/console from 1.0.3 to 1.0.4
2024-02-10 01:38:13 +09:00
dependabot[bot] 97632a6d1b build(deps): bump github.com/containerd/console from 1.0.3 to 1.0.4
Bumps [github.com/containerd/console](https://github.com/containerd/console) from 1.0.3 to 1.0.4.
- [Release notes](https://github.com/containerd/console/releases)
- [Commits](https://github.com/containerd/console/compare/v1.0.3...v1.0.4)

---
updated-dependencies:
- dependency-name: github.com/containerd/console
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-09 15:20:19 +00:00
Akihiro Suda 0147f9eb74 Merge pull request #4197 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.17.0
build(deps): bump golang.org/x/sys from 0.16.0 to 0.17.0
2024-02-10 00:19:40 +09:00
dependabot[bot] 174940a7eb build(deps): bump golang.org/x/sys from 0.16.0 to 0.17.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.16.0 to 0.17.0.
- [Commits](https://github.com/golang/sys/compare/v0.16.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-08 22:29:27 +00:00
Kir Kolyshkin 56cc1be9db Merge pull request #4198 from lifubang/feat-TestCentos_Go1.21
[ci] update go version to 1.21 in cirrus ci
2024-02-08 14:23:55 -08:00
lfbzhm a596a05510 update go version to 1.21 in cirrus ci
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-02-08 08:24:13 -08:00
Kir Kolyshkin 7c004d8e05 Merge pull request #4192 from lifubang/feat-ClosePipeInExec
Close sync pipe explicitly in exec
2024-02-08 08:23:52 -08:00
lifubang bc4a869d5a test: no execve error msg synced to parent process
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-02-08 01:45:26 +00:00