7561 Commits

Author SHA1 Message Date
Aleksa Sarai 491b69bab9 VERSION: release v1.3.6
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
v1.3.6
2026-06-13 14:27:28 +02:00
Aleksa Sarai d934454b2e merge CVE-2026-41579 fixes into release-1.3
Aleksa Sarai (8):
  rootfs: make cgroupv1 subsystem symlinks fd-based
  rootfs: make /dev initialisation code fd-based
  rootfs: switch createDevices argument order
  pathrs: add MkdirAllParentInRoot helper
  pathrs: add "hallucination" helpers for SecureJoin magic
  pathrs: rename MkdirAllInRootOpen -> MkdirAllInRoot
  libct: switch final WithProcfd users to WithProcfdFile
  libcontainer: move CleanPath and StripRoot to internal/pathrs

Li Fubang (2):
  integration: add some tests for bind mount through dangling symlinks
  libct: use preopened rootfs more

Kir Kolyshkin (3):
  Pre-open container root directory
  libct: minor refactor in mountToRootfs
  libct: mountCgroupV1: address TODO

LGTMs: lifubang kolyshkin rata
2026-06-13 13:38:02 +02:00
Aleksa Sarai 9432ad3a96 rootfs: make cgroupv1 subsystem symlinks fd-based
As with /dev symlinks, this was missed in commit d40b3439a9 ("rootfs:
switch to fd-based handling of mountpoint targets"). It's not really
clear to what extent this was exploitable (/sys/fs/cgroup is a tmpfs we
create) but it's better to just fix this anyway.

Fixes: d40b3439a9 ("rootfs: switch to fd-based handling of mountpoint targets")
Signed-off-by: Aleksa Sarai <aleksa@amutable.com>
(cherry picked from commit 66acd48f9d)
Signed-off-by: Aleksa Sarai <aleksa@amutable.com>
2026-06-13 00:27:30 +02:00
Aleksa Sarai a8e53f2c6d rootfs: make /dev initialisation code fd-based
These codepaths are very old and operate on pure paths but before
pivot_root(2), meaning that a bad image with a malicious /dev symlink
could cause us to operate on host paths instead.

In practice this means that we could be tricked into removing a file
called "ptmx" (note that /dev/pts/ptmx and /dev/ptmx are both immune for
different reasons) or creating a very restricted set of symlinks (with
fixed targets and names). The scope of these bugs is thus quite limited,
but we definitely need to harden against it.

These codepaths were unfortunately missed during the fd-based rework in
commit d40b3439a9 ("rootfs: switch to fd-based handling of mountpoint
targets") -- I must've assumed they were called after pivot_root(2)...

Fixes: GHSA-xjvp-4fhw-gc47
Fixes: CVE-2026-41579
Fixes: d40b3439a9 ("rootfs: switch to fd-based handling of mountpoint targets")
Signed-off-by: Aleksa Sarai <aleksa@amutable.com>
(cherry picked from commit 864db8042d)
Signed-off-by: Aleksa Sarai <aleksa@amutable.com>
2026-06-13 00:05:48 +02:00
Aleksa Sarai 78c50d4a5f rootfs: switch createDevices argument order
This argument order matches most other helpers we have and will also
match the changes we are about to make to setupPtmx and
setupDevSymlinks.

Signed-off-by: Aleksa Sarai <aleksa@amutable.com>
(cherry picked from commit fcf04eb41b)
Signed-off-by: Aleksa Sarai <aleksa@amutable.com>
2026-06-13 00:04:40 +02:00
lfbzhm 083e21ed0f libct: use preopened rootfs more
This uses preopened rootfs in Chdir and pivotRoot.

While at it, add O_PATH when opening oldroot in pivotRoot.

Co-authored-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 5b094ed1ac)
Signed-off-by: Aleksa Sarai <aleksa@amutable.com>
2026-06-13 00:04:26 +02:00
Kir Kolyshkin 42cfcbe453 Pre-open container root directory
A lot of filesystem-related stuff happens inside the container root
directory, and we have used its name before. It makes sense to pre-open
it and use a *os.File handle instead.

Function names in internal/pathrs are kept as is for simplicity (and it
is an internal package), but they now accept root as *os.File.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

(cherry picked from commit 28cb321887)

It was also necessary to cherry-pick a missing hunk from commit
b88635e57e ("libct: close rootFd ASAP in maskPaths") that was not
backported to 1.3 in the backported patch commit 9a2fec0a9a ("libct:
close rootFd ASAP in maskPaths").

Signed-off-by: Aleksa Sarai <aleksa@amutable.com>
2026-06-13 00:01:12 +02:00
Kir Kolyshkin 2e9b6a8a16 libct: minor refactor in mountToRootfs
No change in functionality, just a preparation for the next patch.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 78b80677f6)
Signed-off-by: Aleksa Sarai <aleksa@amutable.com>
2026-06-12 23:53:36 +02:00
Kir Kolyshkin edf5328b9b libct: mountCgroupV1: address TODO
Indeed, it does not make sense to prepend c.root once we started using
MkdirAllInRoot in commit 63c29081.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 60352524d3)
Signed-off-by: Aleksa Sarai <aleksa@amutable.com>
2026-06-12 23:53:24 +02:00
lifubang 3661a9d4b3 integration: add some tests for bind mount through dangling symlinks
We intentionally broke this in commit d40b3439a9 ("rootfs: switch to
fd-based handling of mountpoint targets") under the assumption that most
users do not need this feature. Sadly it turns out they do, and so
commit 3f925525b4 ("rootfs: re-allow dangling symlinks in mount
targets") added a hotfix to re-add this functionality.

This patch adds some much-needed tests for this behaviour, since it
seems we are going to need to keep this for compatibility reasons (at
least until runc v2...).

Co-developed-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 15d7c214cd)
Signed-off-by: Aleksa Sarai <aleksa@amutable.com>
2026-06-12 23:52:47 +02:00
Aleksa Sarai fd76e504ed pathrs: add MkdirAllParentInRoot helper
While CreateInRoot supports hallucinating the target path, we do not use
it directly when constructing device inode targets because we need to
have different handling for mknod and bind-mounts.

The solution is to simply have a more generic MkdirAllParentInRoot
helper that MkdirAll's the parent directory of the target path and then
allows the caller to create the trailing component however they like.
(This can be used by CreateInRoot internally as well!)

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 195e9551e4)
Signed-off-by: Aleksa Sarai <aleksa@amutable.com>
2026-06-12 23:52:17 +02:00
Aleksa Sarai d0ff22b574 pathrs: add "hallucination" helpers for SecureJoin magic
In order to maintain compatibility with previous releases of runc (which
permitted dangling symlinks as path components by permitting
non-existent path components to be treated like real directories) we
have to first do SecureJoin to construct a target path that is
compatible with the old behaviour but has all dangling symlinks (or
other invalid paths like ".." components after non-existent directories)
removed.

This is effectively a more generic verison of commit 3f925525b4
("rootfs: re-allow dangling symlinks in mount targets") and will let us
remove the need for open-coding SecureJoin workarounds.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit cfb74326be)
Signed-off-by: Aleksa Sarai <aleksa@amutable.com>
2026-06-12 23:52:01 +02:00
Aleksa Sarai b60f248d71 pathrs: rename MkdirAllInRootOpen -> MkdirAllInRoot
Now that MkdirAllInRoot has been removed, we can make MkdirAllInRootOpen
less wordy by renaming it to MkdirAllInRoot. This is a non-functional
change.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 20c5a8ec4a)
Signed-off-by: Aleksa Sarai <aleksa@amutable.com>
2026-06-12 23:51:52 +02:00
Aleksa Sarai ec44abc710 libct: switch final WithProcfd users to WithProcfdFile
This probably should've been done as part of commit d40b3439a9
("rootfs: switch to fd-based handling of mountpoint targets") but it
seems I missed them when doing the rest of the conversions.

This also lets us remove utils.WithProcfd entirely, as well as
pathrs.MkdirAllInRoot. Unfortunately, WithProcfd was exposed in the
externally-importable "libcontainer/utils" package and so we need to
have a deprecation notice to remove it in runc 1.5.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 9dbd37e06f)
Signed-off-by: Aleksa Sarai <aleksa@amutable.com>
2026-06-12 23:51:40 +02:00
Aleksa Sarai 4c89edc65c libcontainer: move CleanPath and StripRoot to internal/pathrs
These helpers will be needed for the compatibility code added in future
patches in this series, but because "internal/pathrs" is imported by
"libcontainer/utils" we need to move them so that we can avoid circular
dependencies.

Because the old functions were in a non-internal package it is possible
some downstreams use them, so add some wrappers but mark them as
deprecated.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 42a1e19d67)
Signed-off-by: Aleksa Sarai <aleksa@amutable.com>
2026-06-12 23:50:56 +02:00
Rodrigo Campos Catelin 1acfea8239 Merge pull request #5282 from lifubang/backport-5275-1.3
[1.3] libct: reuse tmpfs for directory masks
2026-06-01 15:08:55 +02:00
Rodrigo Campos Catelin e01d7bea0b Merge pull request #5288 from lifubang/backport-5269-1.3
[1.3] tests/int: fix flake in "resources.unified override" (backport #5269)
2026-05-22 10:23:27 +02:00
lifubang 9a2fec0a9a libct: close rootFd ASAP in maskPaths
Close the root file descriptor immediately after use in maskPaths to
reduce the window during which an attacker could potentially exploit
an open fd to access or manipulate the root filesystem. This follows
the principle of least privilege and mitigates risks in compromised
or malicious container scenarios.

Co-authored-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit b88635e57e)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2026-05-20 10:29:01 +00:00
lifubang 76424b4b0b libct: optimize maskPaths for single-directory case
This is a follow-up to #5275. That change reused a single tmpfs mount
to mask multiple directories, which is efficient when masking more than
one path. However, it introduced unnecessary overhead when only one
directory is masked. This commit restores the original behavior for the
single-path case while preserving shared tmpfs logic for multiple paths.

Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit e7e2f00248)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2026-05-20 10:27:46 +00:00
lifubang 02887a1e82 integration: reuse tmpfs for directory masks
Co-authored-by: Davanum Srinivas <davanum@gmail.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit 124772f354)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2026-05-20 10:26:33 +00:00
lifubang dd9efbcd69 libct: reuse tmpfs for directory masks
Kubernetes may add one sysfs thermal_throttle entry per CPU to
maskedPaths. On large Intel systems this can produce many directory
masks for a single container. runc currently handles each directory
mask with a separate read-only tmpfs mount, and therefore a separate
tmpfs superblock.

On Linux 4.18/RHEL 8 kernels, creating and tearing down many tmpfs
superblocks can contend on the global shrinker_rwsem when containers
start or stop concurrently.

Use one read-only tmpfs for directory masks and bind-mount it over the
remaining directory targets. The first non-procfs-fd directory mount is
reopened through the container root fd before it is reused. File masks
still bind /dev/null, and procfs fd targets keep the existing
one-tmpfs-per-target behaviour because they are fd aliases rather than
stable rootfs paths.

If the bind-mount of the shared source fails (e.g. due to kernel
restrictions), fall back to individual tmpfs mounts for all remaining
directories. Tmpfs mounts use nr_blocks=1,nr_inodes=1 to minimise
kernel resource usage.

The bind mounts do not create additional tmpfs superblocks. They also
retain the read-only mount flag inherited from the source vfsmount, so
the masking semantics remain unchanged.

xref: kubernetes/kubernetes#138512
xref: kubernetes/kubernetes#138388
xref: kubernetes/kubernetes#131018

Co-authored-by: Davanum Srinivas <davanum@gmail.com>
Refactored-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit c046c9b973)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2026-05-20 10:26:33 +00:00
lifubang e0d23b4362 libct: enforce strict tmpfs limits for masked paths
Previously, masked directories (e.g., /proc/acpi, /proc/scsi) were
mounted as read-only tmpfs without explicit size or inode limits.
Although these mounts are meant to be empty and unwritable, the lack
of resource constraints means that—should an attacker bypass the
read-only protection (e.g., via container escape, mount namespace
manipulation, or a kernel vulnerability)—the tmpfs could consume up
to 50% of system memory by default (the kernel's default tmpfs limit).

To mitigate this risk in high-density container environments and
adhere to the principle of least privilege, we now explicitly set:
  - nr_blocks=1 (sufficient for at most one block size)
  - nr_inodes=1 (sufficient for at most one inode)
Ref: https://man7.org/linux/man-pages/man5/tmpfs.5.html

These limits ensure that even if compromised, kernel memory usage
remains strictly bounded and negligible.

This change aligns with best practices used by other container
runtimes and strengthens defense-in-depth for sensitive masked paths.

Co-authored-by: Davanum Srinivas <davanum@gmail.com>
Refactored-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit e57a7a4c8f)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2026-05-20 10:25:31 +00:00
Kir Kolyshkin b41e6c6a15 tests/int: fix flake in "resources.unified override"
As runc binary grows in size over time (new features, more
dependencies) some tests start to flake because of low memory limits.

One such test is "runc run (cgroup v2 resources.unified override)";
it obviously fails because of 1M memory limit:

> runc run failed: unable to start container process: container init was OOM-killed (memory limit too low?)

Increase the limits 4x. Do the same for the "unified only" test.

Fixes issue 5264.

Reported-by: Kevin Berry <kpberry11@gmail.com>
Reported-by: Ricardo Branco <rbranco@suse.de>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 3fabb4d070)
Signed-off-by: lifubang <lifubang@acmcoder.com>
Co-authored-by: Claude <noreply@anthropic.com>
2026-05-18 13:49:21 +00:00
lfbzhm 235f9e479a Merge pull request #5253 from AkihiroSuda/cherrypick-5239-1.3
[release-1.3] Complete migration from Cirrus CI to GHA (Lima)
2026-04-19 08:52:31 +08:00
Akihiro Suda 65f37ff962 CI: lima: add template name to cache key
The cache created for almalinux-8 could be overwritten for almalinux-9

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit ff4470156e)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2026-04-17 17:40:50 +09:00
Akihiro Suda 287d64ded5 Complete migration from Cirrus CI to GHA (Lima)
Fix issue 5238

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 9d697a9222)
(cherry-pick was not clean)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2026-04-17 17:40:44 +09:00
lfbzhm 760c2f9229 Merge pull request #5228 from kolyshkin/1.3-5226
[1.3] tests/rootless.sh: fix skipping idmap tests for systemd
2026-04-09 09:33:48 +08:00
Kir Kolyshkin 0994b10477 tests/rootless.sh: fix skipping idmap tests for systemd
When RUNC_USE_SYSTEMD is set, tests/rootless.sh is using

	ssh -tt rootless@localhost

to run tests as rootless user. In this case, local environment is not
passed to the user's ssh session (unless explicitly specified), and so
the tests do not get ROOTLESS_FEATURES.

As a result, idmap-related tests are skipped when running as rootless
using systemd cgroup driver:

	integration test (systemd driver)
	...
	[02] run rootless tests ... (idmap)
	...
	ok 286 runc run detached ({u,g}id != 0) # skip test requires rootless_idmap
	...

Fix this by creating a list of environment variables needed by the
tests, and adding those to ssh command line (in case of ssh) or
exporting (in case of sudo) so both cases work similarly.

Also, modify disable_idmap to unset variables set in enable_idmap so
they are not exported at all if idmap is not in features.

Fixes: bf15cc99 ("cgroup v2: support rootless systemd")
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 3e0829d195)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-04-08 10:59:10 -07:00
Kir Kolyshkin e1acb831b7 tests: rename AUX_{DIR,UID} to ROOTLESS_AUX_*
Also, fix the typo (AUX_DIX) in cleanup.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit ac2a53be8e)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-04-08 10:59:10 -07:00
Rodrigo Campos Catelin aad22c1f00 Merge pull request #5215 from lifubang/backport-5210-1.3
[1.3] Fix SIGCHLD race in signal handler setup
2026-04-02 12:20:45 +02:00
lifubang 0e5ac1768b Fix SIGCHLD race in signal handler setup
When signal installation was moved to a goroutine for performance,
containers that exited quickly could complete before SIGCHLD was
registered, causing runc to hang waiting for the signal.

This fix ensures SIGCHLD is registered immediately in the main thread
before other signals are handled in the goroutine, maintaining performance
while guaranteeing no missed SIGCHLD notifications for fast-exiting
containers.

Reported-by: Ayato Tokubi <atokubi@redhat.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit 404181e4cc)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2026-04-02 01:11:04 +00:00
Rodrigo Campos Catelin f201daa877 Merge pull request #5188 from kolyshkin/1.3-5159
[1.3] ci: add conmon tests run
2026-03-20 13:57:19 +01:00
Kir Kolyshkin bc6ab82dd9 ci: add conmon tests run
This adds a CI job to run conmon tests with runc.

Related to issue 5151, PR 5153.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 192e3d416f)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-03-19 16:57:48 -07:00
Kir Kolyshkin a1344da4e4 Merge pull request #5180 from kolyshkin/1.3.5
Release 1.3.5
2026-03-17 09:52:11 -07:00
Kir Kolyshkin e7fa3df0df VERSION: back to development
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-03-17 09:28:43 -07:00
Kir Kolyshkin 488fc13e1f VERSION: release 1.3.5
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
v1.3.5
2026-03-17 09:27:57 -07:00
Kir Kolyshkin c5f4a413c2 Merge pull request #5181 from kolyshkin/1.3-go126
[1.3] ci: add go 1.26
2026-03-17 09:25:22 -07:00
Kir Kolyshkin 692817afb2 ci: add go 1.26
Same as commit b9e3eec in release-1.4 branch.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-03-16 14:13:13 -07:00
Aleksa Sarai 9183ee6e5a Merge pull request #5158 from kolyshkin/1.3-5153
[1.3] Revert "Preventing containers from being unable to be deleted"
2026-03-10 20:02:18 +09:00
Kir Kolyshkin 3755b0e48c Revert "Preventing containers from being unable to be deleted"
This fixes random failures to start a container in conmon integration
tests (see issue 5151).

I guess we need to find another way to fix issue 4645.

This reverts commit 1b39997e73.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 5996fe143a)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-03-09 17:26:27 -07:00
Kir Kolyshkin abf41c1f3c Merge pull request #5146 from cyphar/1.3-keyring-fixes
[1.3] keyring fixes
2026-03-04 17:14:54 -08:00
Aleksa Sarai 030e224e7f keyring: update AkihiroSuda's key
This comes from <https://github.com/AkihiroSuda.gpg> and is a valid
update of the key metadata.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 9ad18b1347)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-05 01:15:04 +11:00
Aleksa Sarai ccea037662 keyring: validate: allow maintainers to have no keys
Some maintainers appear to have removed their PGP keys, which causes
"gpg --import" during "make validate-keyring" to fail. The solution is
to switch to a non-fatal warning if no keys were imported.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 936a59b07f)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-05 00:45:51 +11:00
Aleksa Sarai e001bca433 keyring: remove asarai@suse.de key
I no longer work at SUSE and thus this key (and email address) are no
longer associated with me.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit a691486c83)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-05 00:45:51 +11:00
Akihiro Suda ffd5a10d58 Merge pull request #5135 from kolyshkin/1.3-5124
[1.3] tests/int: Disable coredumps for SCMP_ACT_KILL tests
2026-03-01 03:21:35 +09:00
Ricardo Branco d6fd9457e1 tests/int: Disable coredumps for SCMP_ACT_KILL tests
SCMP_ACT_KILL terminates the process with a fatal signal, which may
produce a core dump depending on the host configuration.

While this is harmless on ephemeral CI instances, it can leave unwanted
core files on developer or customer systems. It also interferes with
test environments that detect unexpected core dumps.

Signed-off-by: Ricardo Branco <rbranco@suse.de>
(cherry picked from commit f18e97d312)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-26 18:38:01 -08:00
Aleksa Sarai 1566d1d0e0 merge #5126 into opencontainers/runc:release-1.3
Kir Kolyshkin (1):
  ci: update policycoreutils for CentOS 10

LGTMS: AkihiroSuda cyphar
2026-02-26 17:39:09 +11:00
Kir Kolyshkin 72b10af772 ci: update policycoreutils for CentOS 10
When container-selinux 4:2.246.0-1.el10 is installed, it produces the
following %post script warnings:

> ...
>   Running scriptlet: container-selinux-4:2.246.0-1.el10.noarch            26/37
>   Installing       : container-selinux-4:2.246.0-1.el10.noarch            26/37
>   Running scriptlet: container-selinux-4:2.246.0-1.el10.noarch            26/37
> libsemanage.semanage_pipe_data: Child process /usr/libexec/selinux/hll/pp failed with code: 255. (No data available).
> libsemanage.semanage_compile_module: container: libsepol.policydb_read: policydb module version 24 does not match my version range 4-23.
> libsemanage.semanage_compile_module: container: libsepol.sepol_module_package_read: invalid module in module package (at section 0).
> libsemanage.semanage_compile_module: container: libsepol.sepol_ppfile_to_module_package: Failed to read policy package.
> libsemanage.semanage_direct_commit: Failed to compile hll files into cil files. (No data available).
> semodule:  Failed!
> ...

For some reason, dnf install still succeeds, but when the selinux tests
fail with:

> chcon: failed to change context of '/tmp/bats-run-3MMyYP/runc.szTqBc/bundle/runc' to ‘system_u:object_r:container_runtime_exec_t:s0’: Invalid argument

All this is fixed once policycoreutils is added to the list of RPMS so
it is updated (from 3.9-3.el10 to 3.10-1.el10) during the same
transaction.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 3235c5a90a)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-25 13:46:12 -08:00
Aleksa Sarai 20f15488eb merge #5115 into opencontainers/runc:release-1.3
Li Fubang (1):
  libct/specconv: fix partial clear of atime mount flags

LGTMs: rata cyphar
2026-02-12 03:29:07 +11:00
lifubang bb7d09e63e libct/specconv: fix partial clear of atime mount flags
When parsing mount options into recAttrSet and recAttrClr,
the code sets attr_clr to individual atime flags (e.g.
MOUNT_ATTR_NOATIME or MOUNT_ATTR_STRICTATIME) when clearing
atime attributes. However, this violates the kernel's
requirement documented in mount_setattr(2)[1]:

> Note that, since the access-time values are an enumeration
> rather than bit values, a caller wanting to transition to a
> different access-time setting cannot simply specify the
> access-time setting in attr_set, but must also include
> MOUNT_ATTR__ATIME in the attr_clr field.  The kernel will
> verify that MOUNT_ATTR__ATIME isn't partially set in
> attr_clr (i.e., either all bits in the MOUNT_ATTR__ATIME
> bit field are either set or clear), and that attr_set
> doesn't have any access-time bits set if MOUNT_ATTR__ATIME
> isn't set in attr_clr.

Passing only a single atime flag (e.g. MOUNT_ATTR_RELATIME) in
attr_clr causes mount_setattr() to fail with EINVAL.

This change ensures that whenever an atime mode is updated,
attr_clr includes MOUNT_ATTR__ATIME to properly reset the
entire access-time attribute field before applying the new mode.

[1] https://man7.org/linux/man-pages/man2/mount_setattr.2.html

Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit 5560d55bfd)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2026-02-11 10:18:18 +00:00