Commit Graph

6026 Commits

Author SHA1 Message Date
Kir Kolyshkin e1d04cdfeb script/seccomp.sh: check tarball sha256
Add checking of downloaded tarball checksum.

In case it doesn't match the hardcoded value, the error is like this:

	libseccomp-2.5.4.tar.gz: FAILED
	sha256sum: WARNING: 1 computed checksum did NOT match

In case the checksum for a particular version is not specified in the
script, the error will look like this:

	./script/seccomp.sh: line 29: SECCOMP_SHA256[${ver}]: unbound variable

In case the the hardcoded value in the file is of wrong format/length,
we'll get:

	sha256sum: 'standard input': no properly formatted SHA256 checksum lines found

In any of these cases, the script aborts (due to set -e).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-25 18:29:07 -07:00
Akihiro Suda 016a0d29d1 Merge pull request #3452 from kolyshkin/separate-devices
Decouple setting cgroup device rules from cgroup manager
2022-05-25 18:11:36 +09:00
Aleksa Sarai 436b86f5d9 merge branch 'pr-3483'
Kir Kolyshkin:
  ci: drop docker layer caching from release job

LGTMs: thaJeztah cyphar
Closes #3483
2022-05-25 08:46:15 +10:00
Kir Kolyshkin fbafaf315e ci: drop docker layer caching from release job
This job is failing with "No space left on device" lately, and this
helps to fix it.

Besides, it seems that caching does not help to shorten execution times
(validate/release job succeeds in under 8 minutes now; ymmv).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-24 11:22:27 -07:00
Akihiro Suda 3f0daac908 Merge pull request #3480 from kolyshkin/bump-libseccomp
Dockerfile,scripts/release: bump libseccomp to v2.5.4
2022-05-24 13:13:19 +09:00
Kir Kolyshkin f7b07fd54c Dockerfile,scripts/release: bump libseccomp to v2.5.4
Release notes: https://github.com/seccomp/libseccomp/releases/tag/v2.5.4

This affects the released static binaries (as they are statically linked
against libseccomp).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-23 12:56:35 -07:00
Kir Kolyshkin 848aa38b8e Merge pull request #3474 from cyphar/seccomp-enosys-setup
seccomp: enosys: always return -ENOSYS for setup(2)
2022-05-23 10:43:54 -07:00
Aleksa Sarai 6a79271c31 seccomp: patchbpf: minor cleanups
Define sizeof(int) as a constant, and also return ENOSYS earlier in the
filter if it doesn't increase the number of instructions we generate
(this is a negligible performance improvement but it does make it easier
to understand the generated filter stub).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2022-05-23 16:36:07 +10:00
Aleksa Sarai be6488a5a9 seccomp: enosys: always return -ENOSYS for setup(2) on s390(x)
On s390x, syscalls above 255 are multiplexed using the (now otherwise
unused) setup(2) syscall (syscall number 0). If the kernel supports the
syscall then it will correctly translate the syscall number such that
seccomp will correctly detect it -- however, for unknown syscalls the
syscall number remains unchanged. This can be verified by running the
following program under strace:

	int main(void)
	{
		scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_TRAP);
		seccomp_load(ctx);

		return syscall(439, AT_FDCWD, "asdf", X_OK, 0);
	}

Which will then die with the following signal (on pre-5.8 kernels):

	--- SIGSYS {si_signo=SIGSYS, si_code=SYS_SECCOMP,
	            si_call_addr=0x3ffb3006c22, si_syscall=__NR_setup,
	            si_arch=AUDIT_ARCH_S390X} ---

(Note that the si_syscall is __NR_setup, not __NR_faccessat2.)

As a result, the -ENOSYS handling we had previously did not work
completely correctly on s390x because any syscall not supported by the
kernel would be treated as syscall number 0 rather than the actual
syscall number.

Always returning -ENOSYS will not cause any issues because in all of the
cases where this multiplexing occurs, seccomp will see the remapped
syscall number -- and no userspace program will call setup(2)
intentionally (the syscall has not existed in Linux for decades and was
originally a hack used early in Linux init prior to spawning pid1 -- so
you will get -ENOSYS from the kernel anyway).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2022-05-23 16:36:07 +10:00
Kir Kolyshkin 967079dfc1 Merge pull request #3475 from chenk008/fix_dbus_connection_closed
libct/cg/sd: check dbus.ErrClosed instead of isDbusError
2022-05-20 11:07:06 -07:00
Kang Chen 0ca0bb9fee libct/cg/sd: check dbus.ErrClosed instead of isDbusError
Signed-off-by: Kang Chen <kongchen28@gmail.com>
2022-05-20 14:47:19 +08:00
Akihiro Suda 8093c54d91 Merge pull request #3446 from kolyshkin/risc
release: build riscv64 binary, build static PIE if supported
2022-05-19 18:49:27 +09:00
Kir Kolyshkin 47e09976a3 libct/cg/dev: privatize some functions
These are only used from inside the package, and we don't want them to
be public.

The only two methods left are Enable and Disable.

While at it, fix or suppress found lint-extra warnings.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-18 11:17:13 -07:00
Kir Kolyshkin b6967fa84c Decouple cgroup devices handling
This commit separates the functionality of setting cgroup device
rules out of libct/cgroups to libct/cgroups/devices package. This
package, if imported, sets the function variables in libct/cgroups and
libct/cgroups/systemd, so that a cgroup manager can use those to manage
devices. If those function variables are nil (when libct/cgroups/devices
are not imported), a cgroup manager returns the ErrDevicesUnsupported
in case any device rules are set in Resources.

It also consolidates the code from libct/cgroups/ebpf and
libct/cgroups/ebpf/devicefilter into libct/cgroups/devices.

Moved some tests in libct/cg/sd that require device management to
libct/sd/devices.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-18 11:17:08 -07:00
Kir Kolyshkin 25f1856236 libct/cg/sd: factor out devices.go
This moves the functionality related to devices, SkipDevices, and
SkipFreezeOnSet to a separate file, in preparation for the next commit.

No code changes.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-18 11:14:03 -07:00
Aleksa Sarai 9524366183 merge branch 'pr-3384'
wineway (2):
  libct: use `unix.Getwd` instead of `os.Getwd` to avoid symlink
  go.mod: golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5

LGTMs: kolyshkin cyphar
Closes #3384
2022-05-13 09:01:16 +10:00
wineway d160116055 libct: use unix.Getwd instead of os.Getwd to avoid symlink
Signed-off-by: wineway <wangyuweihx@gmail.com>
2022-05-11 17:25:34 -07:00
wineway cab3888575 go.mod: golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5
to include https://go-review.googlesource.com/c/sys/+/387194 which ensured unix::Getwd returned path is absolute

Signed-off-by: wineway <wangyuweihx@gmail.com>
2022-05-11 17:25:34 -07:00
Kir Kolyshkin a14cc4059d release: add riscv64 binary
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 17:23:45 -07:00
Akihiro Suda 1d7b297128 libct/seccomp: add riscv64
Co-authored-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 17:23:45 -07:00
Kir Kolyshkin dafcacb522 Makefile: set CGO_ENABLED=1 when needed
It doesn't matter whether static or dynamic linking is used, runc
always needs libcontainer/nsenter, which is written in C and thus
requires cgo. Same is true for libcontainer/integration.

In addition, contrib/pkg/seccompagent also needs cgo (if seccomp build
tag is set), as it need to be linked against libseccomp C library.

By default, cgo is disabled when cross-compiling, meaning that
CGO_ENABLED=1 has to be set explicitly in such cases.

In all other cases (e.g. other contrib binaries) we do not need cgo.

Remove CGO_ENABLED=1 from GO_BUILD_STATIC (as it does not have anything
to do with static linking), and add it to all targets that require it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 17:23:45 -07:00
Kir Kolyshkin 21e32d47d3 Makefile: add support for static PIE
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 17:23:45 -07:00
Kir Kolyshkin ab5c60d02f Makefile: fix GO_BUILDMODE setting
1. Set to empty value by default.

2. Assume Linux (remove GOOS check, since we do not support other OSes).

3. Instead of using a "not-supported" list, use a "supported" list
   (as Go release notes usually say which platforms are supported).
   As of today, -buildmode=pie is supported for:

 * linux/386, linux/amd64, linux/arm, linux/arm64, and linux/ppc64le
   (since Go 1.6, see https://tip.golang.org/doc/go1.6#compiler)

 * linux/s390x (since Go 1.7, which adds the initial port)

 * linux/riscv64 (since Go 1.16, see
   https://tip.golang.org/doc/go1.16#riscv)

   NOTE this does not mean we support these architectures; it is merely
   a way to see if -buildmode=pie can be used.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 17:23:45 -07:00
Kir Kolyshkin f2f6e59937 Makefile: add LDFLAGS_COMMON and LDFLAGS_STATIC
LDFLAGS_COMMON are used from two places, so it makes sense to dedup.

LDFLAGS_STATIC is a preparation for the next commit.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 17:23:45 -07:00
Kir Kolyshkin f0f1b5f969 Dockerfile: don't use crossbuild-essential-*
All we need is gcc, libc-dev, and binutils. In addition to that,
crossbuild-essential installs g++, libstdc++-dev, and a bunch of perl
packages and libraries which we do not need.

This should speed up image building, as well as make it smaller.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 17:23:45 -07:00
Kir Kolyshkin 476aa18abe Dockerfile: rm dpkg --add-architecture lines
Dockerfile used to install libseccomp-dev packages for different
architectures. This is no longer true since commit f30244ee1b, which
changed to cross-compiling libseccomp (so we can get a static library
to link against).

Thus, adding extra architectures is no longer needed.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 17:23:45 -07:00
Kir Kolyshkin d542ad65ba Dockerfile: nit
We do not use all the files from scripts, only seccomp.sh and lib.sh.

This prevents unneeded rebuild of the image if e.g.
scripts/release_build.sh has changed.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 17:23:45 -07:00
Akihiro Suda 2661d59287 Merge pull request #3471 from kolyshkin/fix-fedora-ci-git
Vagrantfile.fedora: fix build wrt new git
2022-05-12 09:05:58 +09:00
Aleksa Sarai d04de3a9b7 Merge pull request from GHSA-f3fp-gc8g-vw66
runc: do not set inheritable capabilities
2022-05-12 08:15:42 +10:00
Kir Kolyshkin 98fe566c52 runc: do not set inheritable capabilities
Do not set inheritable capabilities in runc spec, runc exec --cap,
and in libcontainer integration tests.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-12 08:14:50 +10:00
Kir Kolyshkin 009e627cb0 Vagrantfile.fedora: fix build wrt new git
With the updated git in Fedora 35, we can't build it via sudo:

	ssh default 'sudo -i make -C /vagrant localunittest'
	make: Entering directory '/vagrant'
	fatal: unsafe repository ('/vagrant' is owned by someone else)
	To add an exception for this directory, call:

		git config --global --add safe.directory /vagrant
	go build -trimpath "-buildmode=pie"  -tags "seccomp" -ldflags "-X main.gitCommit= -X main.version=1.1.0+dev " -o runc .
	error obtaining VCS status: exit status 128
		Use -buildvcs=false to disable VCS stamping.
	make: Leaving directory '/vagrant'

This commit should fix this.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 15:03:32 -07:00
Sebastiaan van Stijn 94105ca31d Merge pull request #3468 from kolyshkin/no-tun
Remove tun/tap from the default device rules
2022-05-11 00:28:55 +02:00
Akihiro Suda 33946701db Merge pull request #3469 from kolyshkin/fix-ci-typo
tests/int: fix a bad typo
2022-05-07 15:25:27 +09:00
Kir Kolyshkin 4d3e52f207 tests/int: fix a bad typo
As a result, cgroup v1 only tests are being skipped.

Fixes: a2123baf63
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-06 13:46:21 -07:00
Sebastiaan van Stijn aac018175e Merge pull request #3369 from kolyshkin/more-tests-nits
tests/int: nits and cleanups
2022-05-06 13:22:11 +02:00
Kir Kolyshkin 2ce40b6ad7 Remove tun/tap from the default device rules
Looking through git blame, this was added by commit 9fac18329
aka "Initial commit of runc binary", most probably by mistake.

Obviously, a container should not have access to tun/tap device, unless
it is explicitly specified in configuration.

Now, removing this might create a compatibility issue, but I see no
other choice.

Aside from the obvious misconfiguration, this should also fix the
annoying

> Apr 26 03:46:56 foo.bar systemd[1]: Couldn't stat device /dev/char/10:200: No such file or directory

messages from systemd on every container start, when runc uses systemd
cgroup driver, and the system runs an old (< v240) version of systemd
(the message was presumably eliminated by [1]).

[1] https://github.com/systemd/systemd/pull/10996/commits/d5aecba6e0b7c73657c4cf544ce57289115098e7

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-04 15:38:58 -07:00
Sebastiaan van Stijn da6f3b06e2 Merge pull request #3465 from crazy-max/update-libseccomp
vendor: bump seccomp/libseccomp-golang to f33da4d
2022-05-04 21:00:17 +02:00
Kir Kolyshkin 68427f33d0 libct/seccomp/config: add missing KillThread, KillProcess
OCI spec added SCMP_ACT_KILL_THREAD and SCMP_ACT_KILL_PROCESS almost two
years ago ([1], [2]), but runc support was half-finished [3].

Add these actions, and modify the test case to check them.

In addition, "runc features" now lists the new actions.

[1] https://github.com/opencontainers/runtime-spec/pull/1044
[2] https://github.com/opencontainers/runtime-spec/pull/1064
[3] https://github.com/opencontainers/runc/pulls/3204

Fixes: 4a4d4f109b
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit e74fdeb88a)
2022-05-04 16:22:09 +02:00
CrazyMax df2bc1380e vendor: bump seccomp/libseccomp-golang to f33da4d
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-05-03 13:15:02 +02:00
CrazyMax 29a56b5206 fix deprecated ActKill
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-05-03 13:15:01 +02:00
Mrunal Patel 48464417f4 Merge pull request #3461 from kolyshkin/bump-urfave-cli
vendor: bump urfave/cli to v1.22.6
2022-04-25 16:06:37 -07:00
Sebastiaan van Stijn 255fe4099e Merge pull request #3445 from kolyshkin/gha-ro
ci/gha: limit jobs permissions
2022-04-22 20:44:37 +02:00
Sebastiaan van Stijn 062fc87995 Merge pull request #3451 from dsouzai/ns_last_pid
Allow mounting of /proc/sys/kernel/ns_last_pid
2022-04-22 20:41:58 +02:00
Kir Kolyshkin 9c710564fd vendor: bump urfave/cli to v1.22.6
This finally fixes the regression of not allowing -1 as an argument,
which is reported in https://github.com/urfave/cli/pull/1135.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-04-21 19:36:49 -07:00
Sebastiaan van Stijn 238717ddd3 Merge pull request #3457 from kolyshkin/ci-merge-lint-extra
ci/gha: convert lint-extra from a job to a step
2022-04-14 13:42:40 +02:00
Sebastiaan van Stijn 727aa42fd7 Merge pull request #3378 from kolyshkin/ci-verify-more
shellcheck/shfmt more files; run check-config in CI
2022-04-14 13:39:29 +02:00
Kir Kolyshkin 4642d5282e Merge pull request #3458 from opencontainers/dependabot/github_actions/actions/cache-3.0.2
build(deps): bump actions/cache from 3.0.1 to 3.0.2
2022-04-13 22:35:00 -07:00
Kir Kolyshkin fa83a17c57 ci/gha: convert lint-extra from a job to a step
There is no need to parallelize lint and lint-extra jobs,
and they only differ with the arguments to golangci-lint.
Given that the longest time spent in these jobs is installing
libseccomp-dev, and that the second linter run can probably
benefit a lot from caching, it makes sense to merge them.

Move lint-extra from a separate job to a step in lint job.

The implementation is motivated by [1] and relies on the fact
that the last commit being fetched is the merge commit. So,
we need to set fetch-depth to 2 to be able to see the diff of
the merge commit -- and this is what golangci-lint is using.

[1] https://github.com/golangci/golangci-lint-action/issues/449#issuecomment-1096995821

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-04-13 20:20:15 -07:00
Akihiro Suda b6e337ac93 Merge pull request #3459 from opencontainers/dependabot/go_modules/github.com/moby/sys/mountinfo-0.6.1
build(deps): bump github.com/moby/sys/mountinfo from 0.6.0 to 0.6.1
2022-04-13 16:05:56 +09:00
dependabot[bot] de25777a4b build(deps): bump github.com/moby/sys/mountinfo from 0.6.0 to 0.6.1
Bumps [github.com/moby/sys/mountinfo](https://github.com/moby/sys) from 0.6.0 to 0.6.1.
- [Release notes](https://github.com/moby/sys/releases)
- [Commits](https://github.com/moby/sys/compare/signal/v0.6.0...mountinfo/v0.6.1)

---
updated-dependencies:
- dependency-name: github.com/moby/sys/mountinfo
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-13 04:17:00 +00:00