Commit Graph

6802 Commits

Author SHA1 Message Date
SuperQ ab6788d307 Remove dependabot ignore
The referenced issue was fixed in `github.com/urfave/cli` v1.22.6. We
can now remove the dependabot ignore for this package.

Signed-off-by: SuperQ <superq@gmail.com>
2024-03-15 08:38:53 +01:00
Aleksa Sarai 44114d32df merge #4179 into opencontainers/runc:main
Kir Kolyshkin (1):
  tests/int: fix flaky kill tests

LGTMs: AkihiroSuda cyphar
2024-03-15 17:57:12 +11:00
Aleksa Sarai e0cfcb3f85 merge #4222 into opencontainers/runc:main
lifubang (1):
  fix runc-dmz bin path error in Makefile

LGTMs: AkihiroSuda cyphar
2024-03-15 17:34:36 +11:00
lifubang da79b616a3 fix runc-dmz bin path error in Makefile
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-03-14 18:16:09 +08:00
Aleksa Sarai 1950892f69 merge #4174 into opencontainers/runc:main
Rodrigo Campos (3):
  Makefile: Fix runc-dmz removal
  contrib/cmd/memfd-bind: Mention runc-dmz needs RUNC_DMZ=true
  libct/dmz: Require RUNC_DMZ=true to opt-in

LGTMs: AkihiroSuda cyphar
2024-03-13 16:22:16 +11:00
dependabot[bot] 109a7a0478 Merge pull request #4203 from opencontainers/dependabot/go_modules/github.com/opencontainers/runtime-spec-1.2.0 2024-03-09 12:18:19 +00:00
dependabot[bot] 606251ab33 build(deps): bump github.com/opencontainers/runtime-spec
Bumps [github.com/opencontainers/runtime-spec](https://github.com/opencontainers/runtime-spec) from 1.1.1-0.20230823135140-4fec88fd00a4 to 1.2.0.
- [Release notes](https://github.com/opencontainers/runtime-spec/releases)
- [Changelog](https://github.com/opencontainers/runtime-spec/blob/main/ChangeLog)
- [Commits](https://github.com/opencontainers/runtime-spec/commits/v1.2.0)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/runtime-spec
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-03-07 14:43:33 +09:00
Akihiro Suda ee7100854c Merge pull request #4216 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.33.0
build(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0
2024-03-07 14:41:36 +09:00
Akihiro Suda 9120ac6aa4 Merge pull request #4215 from opencontainers/dependabot/go_modules/golang.org/x/net-0.22.0
build(deps): bump golang.org/x/net from 0.21.0 to 0.22.0
2024-03-07 14:41:17 +09:00
dependabot[bot] bb5673f265 build(deps): bump golang.org/x/net from 0.21.0 to 0.22.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.21.0 to 0.22.0.
- [Commits](https://github.com/golang/net/compare/v0.21.0...v0.22.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-03-06 12:59:33 +00:00
dependabot[bot] 7ab66b187c build(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0
Bumps google.golang.org/protobuf from 1.32.0 to 1.33.0.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-03-06 12:59:30 +00:00
dependabot[bot] 1491dec992 Merge pull request #4214 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.18.0 2024-03-06 12:58:37 +00:00
dependabot[bot] 6056ed2dd6 build(deps): bump golang.org/x/sys from 0.17.0 to 0.18.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.17.0 to 0.18.0.
- [Commits](https://github.com/golang/sys/compare/v0.17.0...v0.18.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-03-05 04:18:12 +00:00
Rodrigo Campos fc76b136e1 Makefile: Fix runc-dmz removal
Signed-off-by: Rodrigo Campos <rodrigo@sdfg.com.ar>
2024-02-28 15:38:04 -03:00
Rodrigo Campos 46b72107f1 contrib/cmd/memfd-bind: Mention runc-dmz needs RUNC_DMZ=true
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-02-28 12:15:57 -03:00
Rodrigo Campos 1dae66f748 libct/dmz: Require RUNC_DMZ=true to opt-in
If it is compiled, the user needs to opt-in with this env variable to
use it.

While we are there, remove the RUNC_DMZ=legacy as that is now the
default.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-02-28 12:15:57 -03:00
lfbzhm 6cf6ddc358 Merge pull request #4208 from opencontainers/dependabot/github_actions/tim-actions/get-pr-commits-1.3.1
build(deps): bump tim-actions/get-pr-commits from 1.3.0 to 1.3.1
2024-02-28 18:23:56 +08:00
dependabot[bot] 935d586b39 build(deps): bump tim-actions/get-pr-commits from 1.3.0 to 1.3.1
Bumps [tim-actions/get-pr-commits](https://github.com/tim-actions/get-pr-commits) from 1.3.0 to 1.3.1.
- [Release notes](https://github.com/tim-actions/get-pr-commits/releases)
- [Commits](https://github.com/tim-actions/get-pr-commits/compare/v1.3.0...v1.3.1)

---
updated-dependencies:
- dependency-name: tim-actions/get-pr-commits
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-27 04:45:06 +00:00
Kir Kolyshkin d5e4c33001 Merge pull request #4205 from santidhammo/4204-fix-vendor
Fixed spelling mistake in the Makefile at .PHONY vendor
2024-02-16 10:28:32 -08:00
Kir Kolyshkin 86360598bd tests/int: fix flaky kill tests
It takes some time for the kernel to kill the process (and remove its
PID from cgroup.procs). To ensure we don't have flakes from reading
cgroup.procs right after the kill, check and wait for processes to
actually be gone.

Fixes: 4163
Reported-by: lifubang@acmcoder.com
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-02-15 13:32:33 -08:00
Sjoerd van Leent 82499d428a Fixed spelling mistake in the Makefile at .PHONY vendor
* Simple error correction of a spelling mistake which was
  introduced at commit b8f75f3

Signed-off-by: Sjoerd van Leent <sjoerd.van.leent@alliander.com>
2024-02-15 16:27:37 +01:00
Mrunal Patel 675292473b Merge pull request #4202 from kolyshkin/golangci-annot
ci/golangci-lint: add checks permission
2024-02-14 11:05:21 -08:00
Mrunal Patel bb56ed9e5f Merge pull request #4201 from kolyshkin/cleanups
libct/nsenter: rm dead code
2024-02-14 11:04:46 -08:00
Mrunal Patel aa8ba5bd59 Merge pull request #4187 from kolyshkin/gawk
tests/int: use gawk where needed
2024-02-14 11:04:09 -08:00
Kir Kolyshkin 93e377233f ci/golangci-lint: add checks permission
This permission is now needed so that the linter can annotate code in a
PR (see [1]).

[1] https://github.com/golangci/golangci-lint-action/pull/931/commits/bc1904f0c946172fc1821908fc41649db49f0334

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-02-12 22:14:41 -08:00
Kir Kolyshkin 302b2e89a6 tests/int: use gawk where needed
This expression is specific to GNU awk (gawk), so if someone has other version
of awk installed, this won't work and it's not easy to see why.

Explicitly requiring gawk here is better.

Revert "tests/int/helpers: gawk -> awk"

This reverts commit 4e65118d02.

Reported-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-02-12 14:44:42 -08:00
Kir Kolyshkin 9d2842debb Merge pull request #4200 from opencontainers/dependabot/github_actions/golangci/golangci-lint-action-4
build(deps): bump golangci/golangci-lint-action from 3 to 4
2024-02-12 14:35:20 -08:00
Kir Kolyshkin 3a9859bdc0 libct/nsenter: rm unused include
This was added by commit 9c444070 (to use LONG_MAX and INT_MAX) but the
code was later removed by commit ba0b5e26.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-02-12 13:19:12 -08:00
Kir Kolyshkin ea140db712 libct/nsenter: rm unused code
Commits b999376f and b999376f removed all users of this code.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-02-12 13:17:05 -08:00
dependabot[bot] 27cbabd00d build(deps): bump golangci/golangci-lint-action from 3 to 4
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 3 to 4.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/v3...v4)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-12 04:07:38 +00:00
lfbzhm fd4533aff2 Merge pull request #4196 from opencontainers/dependabot/go_modules/golang.org/x/net-0.21.0
build(deps): bump golang.org/x/net from 0.20.0 to 0.21.0
2024-02-10 01:15:48 +08:00
dependabot[bot] afd90f44e8 build(deps): bump golang.org/x/net from 0.20.0 to 0.21.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.20.0 to 0.21.0.
- [Commits](https://github.com/golang/net/compare/v0.20.0...v0.21.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-10 00:50:10 +08:00
Akihiro Suda 66bdcbca46 Merge pull request #4190 from opencontainers/dependabot/go_modules/github.com/containerd/console-1.0.4
build(deps): bump github.com/containerd/console from 1.0.3 to 1.0.4
2024-02-10 01:38:13 +09:00
dependabot[bot] 97632a6d1b build(deps): bump github.com/containerd/console from 1.0.3 to 1.0.4
Bumps [github.com/containerd/console](https://github.com/containerd/console) from 1.0.3 to 1.0.4.
- [Release notes](https://github.com/containerd/console/releases)
- [Commits](https://github.com/containerd/console/compare/v1.0.3...v1.0.4)

---
updated-dependencies:
- dependency-name: github.com/containerd/console
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-09 15:20:19 +00:00
Akihiro Suda 0147f9eb74 Merge pull request #4197 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.17.0
build(deps): bump golang.org/x/sys from 0.16.0 to 0.17.0
2024-02-10 00:19:40 +09:00
dependabot[bot] 174940a7eb build(deps): bump golang.org/x/sys from 0.16.0 to 0.17.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.16.0 to 0.17.0.
- [Commits](https://github.com/golang/sys/compare/v0.16.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-08 22:29:27 +00:00
Kir Kolyshkin 56cc1be9db Merge pull request #4198 from lifubang/feat-TestCentos_Go1.21
[ci] update go version to 1.21 in cirrus ci
2024-02-08 14:23:55 -08:00
lfbzhm a596a05510 update go version to 1.21 in cirrus ci
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-02-08 08:24:13 -08:00
Kir Kolyshkin 7c004d8e05 Merge pull request #4192 from lifubang/feat-ClosePipeInExec
Close sync pipe explicitly in exec
2024-02-08 08:23:52 -08:00
lifubang bc4a869d5a test: no execve error msg synced to parent process
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-02-08 01:45:26 +00:00
lifubang d075058717 close the sync pipe explicitly in exec
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-02-08 01:45:06 +00:00
Aleksa Sarai 02120488a4 Merge pull request from GHSA-xr7r-f8xq-vfvv
fix GHSA-xr7r-f8xq-vfvv and harden fd leaks
2024-02-01 07:04:29 +11:00
Kir Kolyshkin 8454bbb613 Merge pull request #4175 from cyphar/fd-file-switch
init: use *os.File for passed file descriptors
2024-01-31 10:40:28 -08:00
Akihiro Suda 2dfc2feb43 Merge pull request #4173 from lifubang/fix-syncPipeClose
never send procError to parent process after sent procReady
2024-01-28 00:37:58 +09:00
lfbzhm 0bc4732c07 test for execve error without runc-dmz
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-01-25 04:52:29 +00:00
lifubang 35aa63ea87 never send procError after the socket closed
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-01-25 04:52:11 +00:00
Aleksa Sarai d8edada9f2 init: don't special-case logrus fds
We close the logfd before execve so there's no need to special case it.
In addition, it turns out that (*os.File).Fd() doesn't handle the case
where the file was closed and so it seems suspect to use that kind of
check.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-01-24 00:20:59 +11:00
Aleksa Sarai ee73091a8d libcontainer: mark all non-stdio fds O_CLOEXEC before spawning init
Given the core issue in GHSA-xr7r-f8xq-vfvv was that we were unknowingly
leaking file descriptors to "runc init", it seems prudent to make sure
we proactively prevent this in the future. The solution is to simply
mark all non-stdio file descriptors as O_CLOEXEC before we spawn "runc
init".

For libcontainer library users, this could result in unrelated files
being marked as O_CLOEXEC -- however (for the same reason we are doing
this for runc), for security reasons those files should've been marked
as O_CLOEXEC anyway.

Fixes: GHSA-xr7r-f8xq-vfvv CVE-2024-21626
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-01-24 00:20:59 +11:00
Aleksa Sarai 89c93ddf28 cgroup: plug leaks of /sys/fs/cgroup handle
We auto-close this file descriptor in the final exec step, but it's
probably a good idea to not possibly leak the file descriptor to "runc
init" (we've had issues like this in the past) especially since it is a
directory handle from the host mount namespace.

In practice, on runc 1.1 this does leak to "runc init" but on main the
handle has a low enough file descriptor that it gets clobbered by the
ForkExec of "runc init".

OPEN_TREE_CLONE would let us protect this handle even further, but the
performance impact of creating an anonymous mount namespace is probably
not worth it.

Also, switch to using an *os.File for the handle so if it goes out of
scope during setup (i.e. an error occurs during setup) it will get
cleaned up by the GC.

Fixes: GHSA-xr7r-f8xq-vfvv CVE-2024-21626
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-01-24 00:20:58 +11:00
Aleksa Sarai f2f16213e1 init: close internal fds before execve
If we leak a file descriptor referencing the host filesystem, an
attacker could use a /proc/self/fd magic-link as the source for execve
to execute a host binary in the container. This would allow the binary
itself (or a process inside the container in the 'runc exec' case) to
write to a host binary, leading to a container escape.

The simple solution is to make sure we close all file descriptors
immediately before the execve(2) step. Doing this earlier can lead to very
serious issues in Go (as file descriptors can be reused, any (*os.File)
reference could start silently operating on a different file) so we have
to do it as late as possible.

Unfortunately, there are some Go runtime file descriptors that we must
not close (otherwise the Go scheduler panics randomly). The only way of
being sure which file descriptors cannot be closed is to sneakily
go:linkname the runtime internal "internal/poll.IsPollDescriptor"
function. This is almost certainly not recommended but there isn't any
other way to be absolutely sure, while also closing any other possible
files.

In addition, we can keep the logrus forwarding logfd open because you
cannot execve a pipe and the contents of the pipe are so restricted
(JSON-encoded in a format we pick) that it seems unlikely you could even
construct shellcode. Closing the logfd causes issues if there is an
error returned from execve.

In mainline runc, runc-dmz protects us against this attack because the
intermediate execve(2) closes all of the O_CLOEXEC internal runc file
descriptors and thus runc-dmz cannot access them to attack the host.

Fixes: GHSA-xr7r-f8xq-vfvv CVE-2024-21626
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-01-24 00:20:58 +11:00