Commit Graph

7836 Commits

Author SHA1 Message Date
Kir Kolyshkin 485f8f6b8f Merge pull request #5168 from cyphar/1.4-5009-close-fd-on-error
[1.4] Close fds on error
2026-03-12 12:38:05 -07:00
Kir Kolyshkin 5dac7379e7 [1.4] notify_socket: close fds on error
Reported in issue 5008.

Reported-by: Arina Cherednik <arinacherednik034@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 93792e6c13)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-12 19:15:37 +09:00
Kir Kolyshkin d934c6dd9e [1.4] libct: mountFd: close mountFile on error
Reported in issue 5008.

Reported-by: Arina Cherednik <arinacherednik034@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 8a9b4dcda6)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-12 19:15:36 +09:00
Kir Kolyshkin 0af85cbca8 [1.4] libct: newProcessComm: close fds on error
Reported in issue 5008.

Reported-by: Arina Cherednik <arinacherednik034@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit c24965b742)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-12 19:15:35 +09:00
Kir Kolyshkin ffc6092b8d [1.4] libct: startInitialization: add defer close
This function calls Init what normally never returns, so the defer only
works if there is an error and we can safely use it to close those fds
we opened. This was done for most but not all fds.

Reported in issue 5008.

Reported-by: Arina Cherednik <arinacherednik034@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 88f897160c)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-12 19:15:28 +09:00
Aleksa Sarai 4fb2e1ceba [1.4] deps: update to cyphar.com/go-pathrs@v0.2.4
This includes a few fixes for 32-bit builds.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit b58e342758)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-12 19:00:19 +09:00
Aleksa Sarai 97f79dbf59 [1.4] README: document libpathrs build tag
Ever since v0.6.0 of github.com/cyphar/filepath-securejoin, pathrs-lite
has been able to transparently switch to using libpathrs as the backend
for safe path resolution (at compile-time, using a build tag). Note that
because build-tags apply globally, this allows for us to easily opt
pure-Go dependencies into all using libpathrs as well for our binaries.

In a future patch this will likely be enabled by default, but document
that this is an option for downstreams that want to opt-in to using
libpathrs.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit ab6f75dd25)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-12 19:00:17 +09:00
Aleksa Sarai 5424ac4ddb [1.4] script: seccomp.sh -> build-seccomp.sh
This name is far more descriptive.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit b1a9047c7a)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-12 19:00:16 +09:00
Aleksa Sarai ac7909922e [1.4] build: rename /opt/libseccomp cdylib directory
In a future patch this will contain other cdylibs so it deserves a
slightly more general name.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 8292574e7a)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-12 19:00:14 +09:00
Aleksa Sarai 8cdb38cd4e [1.4] build: treat armhf as ARMv7
The intention of commit 531e29e192 ("script/lib.sh: set GOARM=5 for
armel, GOARM=6 for armhf") was to properly support older ARM platforms
with our release builds.

However, we have never been able to support ARMv6 for our builds because
we use the Debian compiler to build the libseccomp we statically compile
into our binaries and (as per the now-deleted comment itself) Debian
treats armhf as being ARMv7 so the final binaries we produced were
always only ever compatible with ARMv7+.

This was a bit of an oddity before but when building libpathrs for
releases we will need to use Rust which makes the target more explicit
(and while it does support armhf, we are using the Debian-packaged Rust
cross-compiler and thus are in the same dilemma with what Debian
considers "armhf" to be).

All-in-all, it's better to just bite the bullet and just follow Debian
here properly.

Fixes: 531e29e192 ("script/lib.sh: set GOARM=5 for armel, GOARM=6 for armhf")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 51ae8de054)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-12 19:00:13 +09:00
Aleksa Sarai ba78fffbe5 [1.4] dockerfile: switch to Debian 13
Debian 13 (trixie) was released a few months ago and it's probably
prudent to just upgrade. This is also necessary to get access to riscv64
repositories when we build libpathrs for inclusion in our runc binaries.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 6b757b6aa0)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-12 19:00:05 +09:00
Curd Becker 6b36291fd5 Add linter rule to guard against use of os.Is* error functions
Signed-off-by: Curd Becker <me@curd-becker.de>
(cherry picked from commit 58d24d2dfb)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-03-12 12:01:15 +09:00
Curd Becker 323a54ef0d Replace os.Is* error checking functions with their errors.Is counterpart
Signed-off-by: Curd Becker <me@curd-becker.de>
(cherry picked from commit 536e183451)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-03-12 12:01:15 +09:00
Aleksa Sarai f8040c3d1f Merge pull request #5161 from kolyshkin/1.4-5133
[1.4] libct/specconv: fix panic in initSystemdProps
2026-03-12 12:00:39 +09:00
Kir Kolyshkin 190a6c6e37 libct/specconv: fix panic in initSystemdProps
There is a chance of panic here -- eliminate it.

Add a test case (which panics before the fix).

Reported-by: Luke Hinds <luke@stacklok.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit a48a7cef96)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-03-11 15:21:31 -07:00
Kir Kolyshkin 168dcab909 libct/specconv: TestInitSystemdProps: use t.Run
Use t.Run for individual tests. Add missing desc fields.

Best reviewed with --ignore-all-space.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 392a221293)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-03-11 15:21:31 -07:00
Aleksa Sarai 323185e3e1 Merge pull request #5157 from kolyshkin/1.4-5153
[1.4] Revert "Preventing containers from being unable to be deleted"
2026-03-10 20:02:01 +09:00
Kir Kolyshkin 1672693373 Revert "Preventing containers from being unable to be deleted"
This fixes random failures to start a container in conmon integration
tests (see issue 5151).

I guess we need to find another way to fix issue 4645.

This reverts commit 1b39997e73.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 5996fe143a)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-03-09 17:24:52 -07:00
Aleksa Sarai 1f9669fafb Merge pull request #5149 from kolyshkin/1.4-5025
[1.4] libct: fix resetting CPU affinity
2026-03-05 12:40:43 +11:00
Antti Kervinen 1c78358384 libct: fix resetting CPU affinity
unix.CPUSet is limited to 1024 CPUs. Calling
unix.SchedSetaffinity(pid, cpuset) removes all CPUs starting from 1024
from allowed CPUs of pid, even if cpuset is all ones. As a
consequence, when runc tries to reset CPU affinity to "allow all" by
default, it prevents all containers from CPUs 1024 onwards.

This change uses a huge CPU mask to play safe and get all possible
CPUs enabled with a single sched_setaffinity call.

Fixes: #5023

Signed-off-by: Antti Kervinen <antti.kervinen@intel.com>
(cherry picked from commit 700c944c4d)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-03-04 17:14:16 -08:00
Kir Kolyshkin c4dba84df7 Merge pull request #5147 from cyphar/1.4-keyring-fixes
[1.4] keyring fixes
2026-03-04 17:13:58 -08:00
Aleksa Sarai 392c8199d9 keyring: update AkihiroSuda's key
This comes from <https://github.com/AkihiroSuda.gpg> and is a valid
update of the key metadata.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 9ad18b1347)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-05 01:15:08 +11:00
Aleksa Sarai 21c6b2097e keyring: validate: allow maintainers to have no keys
Some maintainers appear to have removed their PGP keys, which causes
"gpg --import" during "make validate-keyring" to fail. The solution is
to switch to a non-fatal warning if no keys were imported.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 936a59b07f)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-05 00:46:12 +11:00
Aleksa Sarai 7c12b02755 keyring: remove asarai@suse.de key
I no longer work at SUSE and thus this key (and email address) are no
longer associated with me.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit a691486c83)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-05 00:46:12 +11:00
Akihiro Suda a92b322089 Merge pull request #5134 from kolyshkin/1.4-5124
[1.4] tests/int: Disable coredumps for SCMP_ACT_KILL tests
2026-03-01 03:21:23 +09:00
Ricardo Branco 6326d76098 tests/int: Disable coredumps for SCMP_ACT_KILL tests
SCMP_ACT_KILL terminates the process with a fatal signal, which may
produce a core dump depending on the host configuration.

While this is harmless on ephemeral CI instances, it can leave unwanted
core files on developer or customer systems. It also interferes with
test environments that detect unexpected core dumps.

Signed-off-by: Ricardo Branco <rbranco@suse.de>
(cherry picked from commit f18e97d312)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-26 18:37:30 -08:00
Aleksa Sarai 81dc3f393e merge #5125 into opencontainers/runc:release-1.4
Kir Kolyshkin (1):
  ci: update policycoreutils for CentOS 10

LGTMs: AkihiroSuda cyphar
2026-02-26 17:39:49 +11:00
Kir Kolyshkin fc7ac957ae ci: update policycoreutils for CentOS 10
When container-selinux 4:2.246.0-1.el10 is installed, it produces the
following %post script warnings:

> ...
>   Running scriptlet: container-selinux-4:2.246.0-1.el10.noarch            26/37
>   Installing       : container-selinux-4:2.246.0-1.el10.noarch            26/37
>   Running scriptlet: container-selinux-4:2.246.0-1.el10.noarch            26/37
> libsemanage.semanage_pipe_data: Child process /usr/libexec/selinux/hll/pp failed with code: 255. (No data available).
> libsemanage.semanage_compile_module: container: libsepol.policydb_read: policydb module version 24 does not match my version range 4-23.
> libsemanage.semanage_compile_module: container: libsepol.sepol_module_package_read: invalid module in module package (at section 0).
> libsemanage.semanage_compile_module: container: libsepol.sepol_ppfile_to_module_package: Failed to read policy package.
> libsemanage.semanage_direct_commit: Failed to compile hll files into cil files. (No data available).
> semodule:  Failed!
> ...

For some reason, dnf install still succeeds, but when the selinux tests
fail with:

> chcon: failed to change context of '/tmp/bats-run-3MMyYP/runc.szTqBc/bundle/runc' to ‘system_u:object_r:container_runtime_exec_t:s0’: Invalid argument

All this is fixed once policycoreutils is added to the list of RPMS so
it is updated (from 3.9-3.el10 to 3.10-1.el10) during the same
transaction.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 3235c5a90a)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-25 13:45:36 -08:00
Kir Kolyshkin 920ca5a4e0 Merge pull request #5116 from lifubang/backport-1.4-5091
[1.4] Fix runc exec vs go1.26 + older kernel
2026-02-12 11:58:04 -08:00
lfbzhm 2120bfa4fa Merge pull request #5117 from kolyshkin/1.4-fix-exec
[1.4] libct: prepareCgroupFD: fall back to container init cgroup
2026-02-12 09:53:53 +08:00
Kir Kolyshkin b9e3eec229 ci: add go 1.26
This commit is a squash of the following two commits:

1. ci: add go 1.26 rc2

This is mostly to test whether https://go.dev/cl/728642 results in
any test failures in the current CI matrix.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit e4e05423e4)
Signed-off-by: lifubang <lifubang@acmcoder.com>

2. ci: bump Go 1.26rc2 -> 1.26.x

Since Go 1.26.0 is released today.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit daa5ffcc84)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2026-02-12 01:26:12 +00:00
Kir Kolyshkin 9ac76a086e tests/int: add "runc exec [init changes cgroup]"
Add a test case to reproduce runc issue 5089.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 1fdbab8107)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-11 12:04:56 -08:00
Kir Kolyshkin 8c8c41675c libct: prepareCgroupFD: fall back to container init cgroup
Previously, when prepareCgroupFD would not open container's cgroup
(as configured in config.json and saved to state.json), it returned
a fatal error, as we presumed a container can't exist without its own
cgroup.

Apparently, it can. In a case when container is configured without
cgroupns (i.e. it uses hosts cgroups), and /sys/fs/cgroup is mounted
read-write, a rootful container's init can move itself to an entirely
different cgroup (even a new one that it just created), and then the
original container cgroup is removed by the kernel (or systemd?) as
it has no processes left. By the way, from the systemd point of view
the container is gone. And yet it is still there, and users want
runc exec to work!

And it worked, thanks to the "let's try container init's cgroup"
fallback as added by commit c91fe9aeba ("cgroup2: exec: join the
cgroup of the init process on EBUSY"). The fallback was added for
the entirely different reason, but it happened to work in this very
case, too.

This behavior was broken with the introduction of CLONE_INTO_CGROUP
support.

While it is debatable whether this is a valid scenario when a container
moves itself into a different cgroup, this very setup is used by e.g.
buildkitd running in a privileged kubernetes container (see issue 5089).

To restore the way things are expected to work, add the same "try
container init's cgroup" fallback into prepareCgroupFD.

While at it, simplify the code flow.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 6c07a37a58)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-11 12:04:56 -08:00
Kir Kolyshkin 404dce8e53 libct: refactor addIntoCgroupV2, fix wrt rootless
1. Refactor addIntoCgroupV2 in an attempt to simplify it.

2. Fix the bug of not trying the init cgroup fallback if
   rootlessCgroup is set. This is a bug because rootlessCgroup
   tells to ignore cgroup join errors, not to never try the fallback.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 1d030fab7d)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-11 12:04:56 -08:00
Kir Kolyshkin 4c530c9551 libct: factor out initProcessCgroupPath
Separate initProcessCgroupPath code out of addIntoCgroupV2.
To be used by the next patch.

While at it, describe the new scenario in which the container's
configured cgroup might not be available.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 94133fab97)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-11 12:04:56 -08:00
Aleksa Sarai 2d4e864979 merge #5114 into opencontainers/runc:release-1.4
Li Fubang (1):
  libct/specconv: fix partial clear of atime mount flags

LGTMs: rata cyphar
2026-02-12 03:29:49 +11:00
Kir Kolyshkin 685bbe04e1 Fix exec vs Go 1.26
Since [PR 4812], runc exec tries to use clone3 syscall with
CLONE_INTO_CGROUP, falling back to the old method if it is not
supported.

One issue with that approach is, a

> Cmd cannot be reused after calling its [Cmd.Start], [Cmd.Run],
> [Cmd.Output], or [Cmd.CombinedOutput] methods.

(from https://pkg.go.dev/os/exec#Cmd).

This is enforced since Go 1.26, see [CL 728642], and so runc exec
actually fails in specific scenarios (go1.26 and no CLONE_INTO_CGROUP
support).

The easiest workaround is to pre-copy the p.cmd structure (copy = *cmd).
From the [CL 734200] it looks like it is an acceptable way, but it might
break in the future as it also copies the private fields, so let's do a
proper field-by-field copy. If the upstream will add cmd.Clone method,
we will switch to it.

Also, we can probably be fine with a post-copy (once the first Start has
failed), but let's be conservative here and do a pre-copy.

[PR 4812]: https://github.com/opencontainers/runc/pull/4812
[CL 728642]: https://go.dev/cl/728642
[CL 734200]: https://go.dev/cl/734200

Reported-by: Efim Verzakov <efimverzakov@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit cb31d62f1c)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2026-02-11 10:23:55 +00:00
Kir Kolyshkin 6a057b84de libct: check cmd.Err after exec.Command call
Theoretically, exec.Command can set cmd.Err.

Practically, this should never happen (Linux, Go <= 1.26, exePath is
absolute), but in the unlikely case it does, let's fail early.

This is related to the cloneCmd (to be introduced by the following
commit) which chooses to not copy the Err field. Theoretically,
exec.Command can set Err and so the first call to cmd.Start will fail
(since Err != nil), and the second call to cmd.Start may succeed because
Err == nil. Yet, this scenario is highly unlikely, but better be safe
than sorry.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 82b7597a26)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2026-02-11 10:23:55 +00:00
lifubang 11a998368c libct/specconv: fix partial clear of atime mount flags
When parsing mount options into recAttrSet and recAttrClr,
the code sets attr_clr to individual atime flags (e.g.
MOUNT_ATTR_NOATIME or MOUNT_ATTR_STRICTATIME) when clearing
atime attributes. However, this violates the kernel's
requirement documented in mount_setattr(2)[1]:

> Note that, since the access-time values are an enumeration
> rather than bit values, a caller wanting to transition to a
> different access-time setting cannot simply specify the
> access-time setting in attr_set, but must also include
> MOUNT_ATTR__ATIME in the attr_clr field.  The kernel will
> verify that MOUNT_ATTR__ATIME isn't partially set in
> attr_clr (i.e., either all bits in the MOUNT_ATTR__ATIME
> bit field are either set or clear), and that attr_set
> doesn't have any access-time bits set if MOUNT_ATTR__ATIME
> isn't set in attr_clr.

Passing only a single atime flag (e.g. MOUNT_ATTR_RELATIME) in
attr_clr causes mount_setattr() to fail with EINVAL.

This change ensures that whenever an atime mode is updated,
attr_clr includes MOUNT_ATTR__ATIME to properly reset the
entire access-time attribute field before applying the new mode.

[1] https://man7.org/linux/man-pages/man2/mount_setattr.2.html

Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit 5560d55bfd)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2026-02-11 10:16:25 +00:00
Akihiro Suda e430416b62 Merge pull request #5110 from kolyshkin/1.4-backports
[1.4] assorted small backports
2026-02-11 14:40:36 +09:00
Kir Kolyshkin 5baeb39534 ci: bump shellcheck to v0.11.0
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 68771cfe51)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-10 14:06:26 -08:00
Kir Kolyshkin 37281de351 Use Go 1.25 for official builds
(as well as for testing on Cirrus CI)

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 79b97d4642)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-10 14:06:26 -08:00
Kir Kolyshkin 0a743404a9 Bump seccomp to v2.6.0
This version was released almost a year ago.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit f4710e5023)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-10 14:06:26 -08:00
Kir Kolyshkin ba82e372ce ci: bump bats to 1.12.0
This which is already using in CI on Fedora.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit f128234354)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-10 14:06:26 -08:00
Kir Kolyshkin 585724bdaf libct/configs: mark MPOL_* constants as deprecated
Alas, these new constants are already in v1.4.0 release so we can't
remove those right away, but we can mark them as deprecated now
and target removal for v1.5.0.

So,
 - mark them as deprecated;
 - redefine via unix.MPOL_* counterparts;
 - fix the validator code to use unix.MPOL_* directly.

This amends commit a0e809a8.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 3741f9186d)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-10 14:06:26 -08:00
Aleksa Sarai 4378cb6b8c libct: switch to unix.SetMemPolicy wrapper
This is mostly a mechanical change, but we also need to change some
types to match the "mode int" argument that golang.org/x/sys/unix
decided to use.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit a0e809a8ba)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-10 14:06:26 -08:00
dependabot[bot] 1c03887f26 build(deps): bump golang.org/x/sys from 0.37.0 to 0.38.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.37.0 to 0.38.0.
- [Commits](https://github.com/golang/sys/compare/v0.37.0...v0.38.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-version: 0.38.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit 071beab281)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-10 14:06:26 -08:00
Kir Kolyshkin 741acec5b7 Enable gofumpt extra rules
Commit b2f8a74d "clothed" the naked return as inflicted by gofumpt
v0.9.0. Since gofumpt v0.9.2 this rule was moved to "extra" category,
not enabled by default. The only other "extra" rule is to group adjacent
parameters with the same type, which also makes sense.

Enable gofumpt "extra" rules, and reformat the code accordingly.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 67840cce4b)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-10 13:50:38 -08:00
Ariel Otilibili 16885f2d71 libcontainer/seccomp: Use for range over integers
The commit mentioned below has missed these changes.

Fixes: 17570625 ("Use for range over integers")
Signed-off-by: Ariel Otilibili <otilibil@eurecom.fr>
(cherry picked from commit 34da991298)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-10 13:50:05 -08:00
lfbzhm 3747639db3 Merge pull request #5094 from kolyshkin/1.4-5093
[1.4] build(deps): bump github.com/coreos/go-systemd/v22 from 22.6.0 to 22.7.0
2026-01-29 18:16:05 +08:00