Commit Graph

6247 Commits

Author SHA1 Message Date
Akihiro Suda df4eae457b rootless: fix /sys/fs/cgroup mounts
It was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons:

1. when runc is executed inside the user namespace, and the config.json does not specify the cgroup namespace to be unshared
   (e.g.., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl)
2. or, when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro`
   (e.g., `runc spec --rootless`; this condition is very rare)

A container may gain the write access to user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host.
Other users's cgroup hierarchies are not affected.

To fix the issue, this commit does:
1. Remount `/sys/fs/cgroup` to apply `MS_RDONLY` when it is being bind-mounted
2. Mask `/sys/fs/cgroup` when the bind source is unavailable

Fix CVE-2023-25809 (GHSA-m8cg-xc2p-r3fc)

Co-authored-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-03-14 14:16:25 +09:00
Akihiro Suda d5be3e2605 Merge pull request #3766 from AkihiroSuda/issue-template
Add `.github/ISSUE_TEMPLATE/config.yml`
2023-03-10 09:36:44 +09:00
Kir Kolyshkin 4ec7b90489 Merge pull request #3764 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.29.0
build(deps): bump google.golang.org/protobuf from 1.28.1 to 1.29.0
2023-03-09 14:46:39 -08:00
Akihiro Suda 7d940bdf99 Add .github/ISSUE_TEMPLATE/config.yml
After merging this PR, the "Report a security vulnerability" button
will appear in "New issue" screen.

Demo: https://github.com/containerd/nerdctl/issues

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-03-10 00:03:41 +09:00
dependabot[bot] 6b41f8ed26 build(deps): bump google.golang.org/protobuf from 1.28.1 to 1.29.0
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.28.1 to 1.29.0.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.28.1...v1.29.0)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-09 04:59:44 +00:00
Kir Kolyshkin 6d0261c1ac Merge pull request #3757 from opencontainers/dependabot/go_modules/golang.org/x/net-0.8.0
build(deps): bump golang.org/x/net from 0.7.0 to 0.8.0
2023-03-07 11:00:03 -08:00
dependabot[bot] 6faef164f5 build(deps): bump golang.org/x/net from 0.7.0 to 0.8.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.7.0 to 0.8.0.
- [Release notes](https://github.com/golang/net/releases)
- [Commits](https://github.com/golang/net/compare/v0.7.0...v0.8.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-06 05:03:16 +00:00
Kir Kolyshkin 69225fa919 Merge pull request #3724 from kinvolk/rata/nsexec-fixes
nsexec: Remove bogus kill to stage_2_pid
2023-03-01 15:50:00 -08:00
Kir Kolyshkin 58c192a1be Merge pull request #3661 from Wang-squirrel/dev1
Add support for umask when exec container
2023-02-27 19:33:03 -08:00
Wang-squirrel 7b4c3fc111 Add support for umask when exec container
Signed-off-by: WangXiaoSong <wang.xiaosong1@zte.com.cn>
2023-02-23 10:04:47 +08:00
Kir Kolyshkin 5a0642d6fd Merge pull request #3728 from AITsygunka/3727-bug-fix
Fix runc crushes when parsing invalid JSON specification file
2023-02-22 02:57:20 -08:00
Akihiro Suda 71f8b2af5c Merge pull request #3734 from kinvolk/rata/nsexec-add-debug-log
nsexec: Add debug logs to send mount sources
2023-02-22 13:19:06 +09:00
Akihiro Suda 7d4fde26f8 Merge pull request #3716 from AkihiroSuda/spec-v1.1.0-rc.1
go:mod: runtime-spec v1.1.0-rc.1; add docs/spec-conformance.md
2023-02-22 09:23:41 +09:00
Andrey Tsygunka 97ea1255ed Fix runc crushes when parsing invalid JSON
Signed-off-by: Andrey Tsygunka <dreamsider@mail.ru>
2023-02-16 15:45:19 +03:00
Kir Kolyshkin 537645fd52 Merge pull request #3747 from opencontainers/dependabot/go_modules/golang.org/x/net-0.7.0
build(deps): bump golang.org/x/net from 0.6.0 to 0.7.0
2023-02-15 17:31:13 -08:00
dependabot[bot] b3b0bde69b build(deps): bump golang.org/x/net from 0.6.0 to 0.7.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.6.0 to 0.7.0.
- [Release notes](https://github.com/golang/net/releases)
- [Commits](https://github.com/golang/net/compare/v0.6.0...v0.7.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-15 04:59:08 +00:00
Akihiro Suda 4e3699c74c Merge pull request #3746 from crazy-max/fix-static-pie
Makefile: fix typo in LDFLAGS_STATIC
2023-02-15 11:35:09 +09:00
CrazyMax 2e44a20280 Makefile: fix typo in LDFLAGS_STATIC
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-02-14 21:27:26 +01:00
Kir Kolyshkin b199fb2e3f Merge pull request #3573 from chuanchang/add_tests_for_capabilities
tests: add tests for capabilities
2023-02-13 17:49:54 -08:00
Akihiro Suda 514ea70993 Merge pull request #3740 from kinvolk/rata/fix-basename-test
tests: Fix weird error on centos-9
2023-02-11 22:52:10 +09:00
Rodrigo Campos 2adeb6f952 nsexec: Remove bogus kill to stage_2_pid
stage_2_pid is not yet assigned, so this kills the PID -1, but as
the sane_kill() wrapper is just a nop in that case. Just remove these
calls to kill stage_2_pid before it is cloned/assigned.

I've checked by executing the error paths that no binary is left by mistake.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-02-10 16:07:51 +01:00
Rodrigo Campos 4d0a60ca7f tests: Fix weird error on centos-9
centos-9 unit test sometimes fails with:

	=== RUN   TestPodSkipDevicesUpdate
	    systemd_test.go:114: container stderr not empty: basename: missing operand
	        Try 'basename --help' for more information.
	--- FAIL: TestPodSkipDevicesUpdate (0.11s)

I'm not sure why the container output is an error in basename. It seems
likely that the bashrc in that distro is kind of broken. Let's just run
a sleep command and forget about bash.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-02-10 14:49:56 +01:00
Rodrigo Campos 2ca3d230e2 nsexec: Add debug logs to send mount sources
I was adding it to new code I was writing, and for completeness I added
to this case too.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-02-10 08:25:08 -03:00
Akihiro Suda e412b4e88c docs: add docs/spec-conformance.md
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-02-10 12:10:18 +09:00
Akihiro Suda 787fcf09e7 go.mod: github.com/opencontainers/runtime-spec v1.1.0-rc.1
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-02-10 12:10:14 +09:00
Kir Kolyshkin 5c2a1a0191 Merge pull request #3733 from opencontainers/dependabot/go_modules/golang.org/x/net-0.6.0
build(deps): bump golang.org/x/net from 0.5.0 to 0.6.0
2023-02-09 18:05:27 -08:00
Kir Kolyshkin aa21df97d0 Merge pull request #3732 from opencontainers/dependabot/go_modules/github.com/opencontainers/selinux-1.11.0
build(deps): bump github.com/opencontainers/selinux from 1.10.2 to 1.11.0
2023-02-09 18:03:54 -08:00
Alex Jia fbfc6afe30 tests: add tests for capabilities
Signed-off-by: Alex Jia <ajia@redhat.com>
2023-02-09 16:36:08 -08:00
dependabot[bot] bc8d6e3b1f build(deps): bump github.com/opencontainers/selinux
Bumps [github.com/opencontainers/selinux](https://github.com/opencontainers/selinux) from 1.10.2 to 1.11.0.
- [Release notes](https://github.com/opencontainers/selinux/releases)
- [Commits](https://github.com/opencontainers/selinux/compare/v1.10.2...v1.11.0)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/selinux
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-10 00:34:56 +00:00
dependabot[bot] 0e1346fe6d build(deps): bump golang.org/x/net from 0.5.0 to 0.6.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.5.0 to 0.6.0.
- [Release notes](https://github.com/golang/net/releases)
- [Commits](https://github.com/golang/net/compare/v0.5.0...v0.6.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-09 16:55:01 +00:00
Sebastiaan van Stijn ca398783c0 Merge pull request #3730 from kolyshkin/fix-build
Dockerfile: fix build wrt new git
2023-02-09 17:21:27 +01:00
Kir Kolyshkin 42dffaaa4e Dockerfile: fix build wrt new git
With the updated git in golang:1.19-bullseye image, building fails with:

	make -C /go/src/github.com/opencontainers/runc PKG_CONFIG_PATH=/opt/libseccomp/lib/pkgconfig COMMIT_NO= EXTRA_FLAGS=-a 'EXTRA_LDFLAGS=-w -s -buildid=' static
	make[1]: Entering directory '/go/src/github.com/opencontainers/runc'
	fatal: detected dubious ownership in repository at '/go/src/github.com/opencontainers/runc'
	To add an exception for this directory, call:
		git config --global --add safe.directory /go/src/github.com/opencontainers/runc
	go build -trimpath -buildmode=pie -a -tags "seccomp urfave_cli_no_docs netgo osusergo" -ldflags "-X main.gitCommit= -X main.version=1.1.0+dev -linkmode external -extldflags --static-pie -w -s -buildid=" -o runc .
	error obtaining VCS status: exit status 128
		Use -buildvcs=false to disable VCS stamping.

This commit should fix it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-02-08 19:41:46 -08:00
Kir Kolyshkin 99968fc087 Merge pull request #3718 from austinvazquez/upgrade-go-compiler
Add Go 1.20, require Go 1.19, drop Go 1.18
2023-02-08 18:04:35 -08:00
Akihiro Suda dee9f5fc5d Merge pull request #3725 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.5.0
build(deps): bump golang.org/x/sys from 0.4.0 to 0.5.0
2023-02-08 11:56:36 +09:00
Sebastiaan van Stijn f8e2629e19 Merge pull request #3707 from Dzejrou/main
libcontainer: skip chown of /dev/null caused by fd redirection
2023-02-08 00:21:31 +01:00
Sebastiaan van Stijn 70df83fa5d Merge pull request #3719 from kolyshkin/no-clang-format
Disable clang-format
2023-02-07 15:50:35 +01:00
dependabot[bot] 14e3ce9edb build(deps): bump golang.org/x/sys from 0.4.0 to 0.5.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.4.0 to 0.5.0.
- [Release notes](https://github.com/golang/sys/releases)
- [Commits](https://github.com/golang/sys/compare/v0.4.0...v0.5.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-07 04:03:31 +00:00
Sebastiaan van Stijn df47453562 Merge pull request #3460 from kolyshkin/no-regexp
Do not use regexp
2023-02-06 15:35:29 +01:00
Kir Kolyshkin 1bb6209aa1 tests/int: test for /dev/null owner regression
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-02-03 01:24:45 +01:00
Jaroslav Jindrak 7e5e017dba libcontainer: skip chown of /dev/null caused by fd redirection
In 18c4760a (libct: fixStdioPermissions: skip chown if not needed)
the check whether the STDIO file descriptors point to /dev/null was
removed which can cause /dev/null to change ownership e.g. when using
docker exec on a running container:

$ ls -l /dev/null
crw-rw-rw- 1 root root 1, 3 Aug 1 14:12 /dev/null
$ docker exec -u test 0ad6d3064e9d ls
$ ls -l /dev/null
crw-rw-rw- 1 test root 1, 3 Aug 1 14:12 /dev/null

Signed-off-by: Jaroslav Jindrak <dzejrou@gmail.com>
2023-02-03 01:24:02 +01:00
Austin Vazquez 5ecd40b9bd Add Go 1.20, require Go 1.19, drop Go 1.18
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2023-02-02 19:56:26 +00:00
Kir Kolyshkin 81ca678f81 Disable clang-format
For the sake of developers who have LSP configured to auto-format the
code upon save (that would me with my new nvim setup), let's not
autoformat the C code when using clangd.

Initially I tried to write a set of rules for clang-format which is
identical to what we use (indent with a handful of options invoked
from cfmt target in Makefile), but it appears to be impossible.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-02-02 10:42:30 -08:00
Kir Kolyshkin 32d741358f Merge pull request #3377 from wineway/main
libct/cg: support SCHED_IDLE for runc cgroupfs
2023-01-31 19:19:03 -08:00
wineway 81c379fa8b support SCHED_IDLE for runc cgroupfs
Signed-off-by: wineway <wangyuweihx@gmail.com>
2023-01-31 15:19:05 +08:00
Akihiro Suda 8c5d3f09e3 Merge pull request #3712 from kinvolk/rata/nsexec-fixes
nsexec: Check for errors in write_log()
2023-01-31 09:45:55 +09:00
Rodrigo Campos 5ce511d6a6 nsexec: Check for errors in write_log()
First, check if strdup() fails and error out.

While we are there, the else case was missing brackets, as we only need
to check ret in the else case. Fix that too

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-01-27 18:40:08 +01:00
Mrunal Patel 01479215a9 Merge pull request #3546 from kolyshkin/criu-add-ignore-cgroup
checkpoint/restore: implement --manage-cgroups-mode ignore
2023-01-26 16:38:54 -08:00
Akihiro Suda a1c51c5698 Merge pull request #3701 from tianon/pin-busybox-debian
Explicitly pin busybox and debian downloads
2023-01-25 12:01:04 +09:00
Kir Kolyshkin 3fbc5ba7ca ci: add tests/int/get-images.sh check
This is to check that tests/integration/get-images.sh is in sync
with tests/integration/bootstrap-get-images.sh.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-01-24 16:43:12 -08:00
Tianon Gravi 6d28928c87 Explicitly pin busybox and debian downloads
Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
2023-01-24 16:42:50 -08:00