Commit Graph

6773 Commits

Author SHA1 Message Date
Kir Kolyshkin ea140db712 libct/nsenter: rm unused code
Commits b999376f and b999376f removed all users of this code.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-02-12 13:17:05 -08:00
lfbzhm fd4533aff2 Merge pull request #4196 from opencontainers/dependabot/go_modules/golang.org/x/net-0.21.0
build(deps): bump golang.org/x/net from 0.20.0 to 0.21.0
2024-02-10 01:15:48 +08:00
dependabot[bot] afd90f44e8 build(deps): bump golang.org/x/net from 0.20.0 to 0.21.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.20.0 to 0.21.0.
- [Commits](https://github.com/golang/net/compare/v0.20.0...v0.21.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-10 00:50:10 +08:00
Akihiro Suda 66bdcbca46 Merge pull request #4190 from opencontainers/dependabot/go_modules/github.com/containerd/console-1.0.4
build(deps): bump github.com/containerd/console from 1.0.3 to 1.0.4
2024-02-10 01:38:13 +09:00
dependabot[bot] 97632a6d1b build(deps): bump github.com/containerd/console from 1.0.3 to 1.0.4
Bumps [github.com/containerd/console](https://github.com/containerd/console) from 1.0.3 to 1.0.4.
- [Release notes](https://github.com/containerd/console/releases)
- [Commits](https://github.com/containerd/console/compare/v1.0.3...v1.0.4)

---
updated-dependencies:
- dependency-name: github.com/containerd/console
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-09 15:20:19 +00:00
Akihiro Suda 0147f9eb74 Merge pull request #4197 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.17.0
build(deps): bump golang.org/x/sys from 0.16.0 to 0.17.0
2024-02-10 00:19:40 +09:00
dependabot[bot] 174940a7eb build(deps): bump golang.org/x/sys from 0.16.0 to 0.17.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.16.0 to 0.17.0.
- [Commits](https://github.com/golang/sys/compare/v0.16.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-08 22:29:27 +00:00
Kir Kolyshkin 56cc1be9db Merge pull request #4198 from lifubang/feat-TestCentos_Go1.21
[ci] update go version to 1.21 in cirrus ci
2024-02-08 14:23:55 -08:00
lfbzhm a596a05510 update go version to 1.21 in cirrus ci
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-02-08 08:24:13 -08:00
Kir Kolyshkin 7c004d8e05 Merge pull request #4192 from lifubang/feat-ClosePipeInExec
Close sync pipe explicitly in exec
2024-02-08 08:23:52 -08:00
lifubang bc4a869d5a test: no execve error msg synced to parent process
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-02-08 01:45:26 +00:00
lifubang d075058717 close the sync pipe explicitly in exec
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-02-08 01:45:06 +00:00
Aleksa Sarai 02120488a4 Merge pull request from GHSA-xr7r-f8xq-vfvv
fix GHSA-xr7r-f8xq-vfvv and harden fd leaks
2024-02-01 07:04:29 +11:00
Kir Kolyshkin 8454bbb613 Merge pull request #4175 from cyphar/fd-file-switch
init: use *os.File for passed file descriptors
2024-01-31 10:40:28 -08:00
Akihiro Suda 2dfc2feb43 Merge pull request #4173 from lifubang/fix-syncPipeClose
never send procError to parent process after sent procReady
2024-01-28 00:37:58 +09:00
lfbzhm 0bc4732c07 test for execve error without runc-dmz
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-01-25 04:52:29 +00:00
lifubang 35aa63ea87 never send procError after the socket closed
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-01-25 04:52:11 +00:00
Aleksa Sarai d8edada9f2 init: don't special-case logrus fds
We close the logfd before execve so there's no need to special case it.
In addition, it turns out that (*os.File).Fd() doesn't handle the case
where the file was closed and so it seems suspect to use that kind of
check.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-01-24 00:20:59 +11:00
Aleksa Sarai ee73091a8d libcontainer: mark all non-stdio fds O_CLOEXEC before spawning init
Given the core issue in GHSA-xr7r-f8xq-vfvv was that we were unknowingly
leaking file descriptors to "runc init", it seems prudent to make sure
we proactively prevent this in the future. The solution is to simply
mark all non-stdio file descriptors as O_CLOEXEC before we spawn "runc
init".

For libcontainer library users, this could result in unrelated files
being marked as O_CLOEXEC -- however (for the same reason we are doing
this for runc), for security reasons those files should've been marked
as O_CLOEXEC anyway.

Fixes: GHSA-xr7r-f8xq-vfvv CVE-2024-21626
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-01-24 00:20:59 +11:00
Aleksa Sarai 89c93ddf28 cgroup: plug leaks of /sys/fs/cgroup handle
We auto-close this file descriptor in the final exec step, but it's
probably a good idea to not possibly leak the file descriptor to "runc
init" (we've had issues like this in the past) especially since it is a
directory handle from the host mount namespace.

In practice, on runc 1.1 this does leak to "runc init" but on main the
handle has a low enough file descriptor that it gets clobbered by the
ForkExec of "runc init".

OPEN_TREE_CLONE would let us protect this handle even further, but the
performance impact of creating an anonymous mount namespace is probably
not worth it.

Also, switch to using an *os.File for the handle so if it goes out of
scope during setup (i.e. an error occurs during setup) it will get
cleaned up by the GC.

Fixes: GHSA-xr7r-f8xq-vfvv CVE-2024-21626
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-01-24 00:20:58 +11:00
Aleksa Sarai f2f16213e1 init: close internal fds before execve
If we leak a file descriptor referencing the host filesystem, an
attacker could use a /proc/self/fd magic-link as the source for execve
to execute a host binary in the container. This would allow the binary
itself (or a process inside the container in the 'runc exec' case) to
write to a host binary, leading to a container escape.

The simple solution is to make sure we close all file descriptors
immediately before the execve(2) step. Doing this earlier can lead to very
serious issues in Go (as file descriptors can be reused, any (*os.File)
reference could start silently operating on a different file) so we have
to do it as late as possible.

Unfortunately, there are some Go runtime file descriptors that we must
not close (otherwise the Go scheduler panics randomly). The only way of
being sure which file descriptors cannot be closed is to sneakily
go:linkname the runtime internal "internal/poll.IsPollDescriptor"
function. This is almost certainly not recommended but there isn't any
other way to be absolutely sure, while also closing any other possible
files.

In addition, we can keep the logrus forwarding logfd open because you
cannot execve a pipe and the contents of the pipe are so restricted
(JSON-encoded in a format we pick) that it seems unlikely you could even
construct shellcode. Closing the logfd causes issues if there is an
error returned from execve.

In mainline runc, runc-dmz protects us against this attack because the
intermediate execve(2) closes all of the O_CLOEXEC internal runc file
descriptors and thus runc-dmz cannot access them to attack the host.

Fixes: GHSA-xr7r-f8xq-vfvv CVE-2024-21626
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-01-24 00:20:58 +11:00
Aleksa Sarai 8e1cd2f56d init: verify after chdir that cwd is inside the container
If a file descriptor of a directory in the host's mount namespace is
leaked to runc init, a malicious config.json could use /proc/self/fd/...
as a working directory to allow for host filesystem access after the
container runs. This can also be exploited by a container process if it
knows that an administrator will use "runc exec --cwd" and the target
--cwd (the attacker can change that cwd to be a symlink pointing to
/proc/self/fd/... and wait for the process to exec and then snoop on
/proc/$pid/cwd to get access to the host). The former issue can lead to
a critical vulnerability in Docker and Kubernetes, while the latter is a
container breakout.

We can (ab)use the fact that getcwd(2) on Linux detects this exact case,
and getcwd(3) and Go's Getwd() return an error as a result. Thus, if we
just do os.Getwd() after chdir we can easily detect this case and error
out.

In runc 1.1, a /sys/fs/cgroup handle happens to be leaked to "runc
init", making this exploitable. On runc main it just so happens that the
leaked /sys/fs/cgroup gets clobbered and thus this is only consistently
exploitable for runc 1.1.

Fixes: GHSA-xr7r-f8xq-vfvv CVE-2024-21626
Co-developed-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
[refactored the implementation and added more comments]
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-01-24 00:20:58 +11:00
Akihiro Suda 313ec8bcab Merge pull request #4176 from cyphar/cyphar-gpg-key
keyring: update key expiries
2024-01-23 21:18:51 +09:00
lfbzhm 4baaf18cfd Merge pull request #4172 from kinvolk/rata/runc-dmz
Fix runc-dmz error printing
2024-01-22 18:01:27 +08:00
Aleksa Sarai 7094efb192 init: use *os.File for passed file descriptors
While it doesn't make much of a practical difference, it seems far more
reasonable to use os.NewFile to wrap all of our passed file descriptors
to make sure they're tracked by the Go runtime and that we don't
double-close them.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-01-22 17:34:14 +11:00
Aleksa Sarai 093c83e13e keyring: update AkihiroSuda key expiry
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-01-22 16:16:17 +11:00
Aleksa Sarai 34eceb21e2 keyring: update cyphar@cyphar.com key expiry
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-01-22 16:15:52 +11:00
Rodrigo Campos fe95a2a06a tests/integration: Test exec failures
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-01-21 15:35:46 +01:00
Rodrigo Campos 8afeccc827 libct/dmz: Print execve() errors
This error code is using functions that are present in nolibc too.

When using nolibc, the error is printed like:

	exec /runc.armel: errno=8

When using libc, as its perror() implementation translates the errno to
a message, it is printed like:

	exec /runc.armel: exec format error

Note that when using libc, the error is printed in the same way as
before.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-01-21 15:35:46 +01:00
Akihiro Suda 10754b3d68 Merge pull request #4126 from ChHapp/patch-1
check-config.sh: Add CONFIG_NETFILTER_XT_MATCH_COMMENT to check
2024-01-18 11:28:53 +09:00
Akihiro Suda 0c5a735355 Merge pull request #4167 from opencontainers/dependabot/go_modules/golang.org/x/net-0.20.0
build(deps): bump golang.org/x/net from 0.19.0 to 0.20.0
2024-01-09 15:48:28 +09:00
dependabot[bot] b1e3c3c75c build(deps): bump golang.org/x/net from 0.19.0 to 0.20.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.19.0 to 0.20.0.
- [Commits](https://github.com/golang/net/compare/v0.19.0...v0.20.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-09 04:20:08 +00:00
Christian Happ 2a473a7630 Add CONFIG_NETFILTER_XT_MATCH_COMMENT to check
It seems that newer podman versions need the kernel comment flag too.

By podman run, iptables using -m comment in the iptables-command to add the corresponding network rules.

Signed-off-by: Christian Happ <Christian.Happ@jumo.net>
2024-01-08 12:00:08 +01:00
Aleksa Sarai cbd852b330 merge #4152 into opencontainers/runc:main
Akihiro Suda (1):
  script/check-config.sh: check CONFIG_CHECKPOINT_RESTORE

Kir Kolyshkin (4):
  script/check-config.sh: check CONFIG_BLK_CGROUP_IOCOST
  scripts/check-config: fix kernel version checks
  script/check-config: disable colors
  scripts/check-config: don't check MEMCG_SWAP on newer kernels

LGTMs: AkihiroSuda cyphar
2024-01-08 09:50:14 +11:00
Aleksa Sarai c255024a82 merge #4146 into opencontainers/runc:main
Akihiro Suda (1):
  TestCheckpoint: skip on ErrCriuMissingFeatures

LGTMs: cyphar kolyshkin lifubang
2024-01-07 00:32:33 +11:00
dependabot[bot] ab146f2335 Merge pull request #4161 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.16.0 2024-01-05 09:36:48 +00:00
Aleksa Sarai 03f46d7185 merge #4159 into opencontainers/runc:main
lfbzhm (2):
  we have implemented idmapped-mounts with no limitations
  we have supported rsvd hugetlb cgroup

LGTMs: AkihiroSuda cyphar
2024-01-05 20:08:27 +11:00
dependabot[bot] e1e3ca02d9 build(deps): bump golang.org/x/sys from 0.15.0 to 0.16.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.15.0 to 0.16.0.
- [Commits](https://github.com/golang/sys/compare/v0.15.0...v0.16.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-05 04:27:10 +00:00
lfbzhm f4f282c259 Merge pull request #4151 from lengrongfu/fix/scheudle-validate
fix scheduler validate
2024-01-05 11:30:06 +08:00
lengrongfu 68438ba272 fix scheduler validate
Signed-off-by: lengrongfu <lenronfu@gmail.com>
2024-01-05 09:50:41 +08:00
lfbzhm 55c9d6bf01 we have implemented idmapped-mounts with no limitations
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-01-04 19:24:21 +08:00
lfbzhm e90d8cb8fe we have supported rsvd hugetlb cgroup
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-01-04 19:24:21 +08:00
Akihiro Suda 827c707823 Merge pull request #4139 from lifubang/fix-clean-remap-rootfs
remove remap-rootfs bin when running make clean
2024-01-04 17:36:08 +09:00
lfbzhm 35988abe20 Merge pull request #4157 from kinvolk/rata/idmap-errormsg
libct: Improve error msg when idmap is not supported
2023-12-29 22:48:53 +08:00
Rodrigo Campos a7c3e07c8f libct: Improve error msg when idmap is not supported
This gives a more clear error message when idmap mounts are not
supported on the source filesystem. For example, a k8s user will see
this now in kubectl describe pod:

	  Warning  Failed     2s (x2 over 4s)  kubelet, 127.0.0.1  Error: failed to create containerd task: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: failed to fulfil mount request: failed to set MOUNT_ATTR_IDMAP on /var/lib/kubelet/pods/f037a704-742c-40fe-8dbf-17ed9225c4df/volumes/kubernetes.io~empty-dir/hugepage: invalid argument (maybe the source filesystem doesn't support idmap mounts on this kernel?): unknown

This gives a hint on where to look at.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-12-28 14:15:24 +01:00
Akihiro Suda c48c428b1d Merge pull request #4155 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.32.0
build(deps): bump google.golang.org/protobuf from 1.31.0 to 1.32.0
2023-12-26 03:30:33 +09:00
dependabot[bot] 43306be3f0 build(deps): bump google.golang.org/protobuf from 1.31.0 to 1.32.0
Bumps google.golang.org/protobuf from 1.31.0 to 1.32.0.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-25 04:35:41 +00:00
Kir Kolyshkin 5a4f52178d script/check-config.sh: check CONFIG_BLK_CGROUP_IOCOST
For `io.weight`

Co-authored-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-12-20 10:07:43 -08:00
Kir Kolyshkin d87366f019 scripts/check-config: fix kernel version checks
Looking at the code, I found out that kernel_lt function was actually
doing le ("less than or equal") rather than lt ("less than") operation.
Let's fix this and do exactly what the name says.

A bigger issue is, the function use was not consistent (some uses
implied "less than or equal").

To fix the usage, find out all relevant kernel commits and kernel
versions that have them (the latter is done using "git describe
--contains $sha"), and fix the wrong cases. While at it, add references
to all these kernel commits for the future generations of
check-config.sh hackers.

Also, add kernel_ge function which is the opposite of kernel_lt,
and document both.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-12-20 10:07:43 -08:00
Akihiro Suda 7f65cc75c7 script/check-config.sh: check CONFIG_CHECKPOINT_RESTORE
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-12-20 10:07:43 -08:00