Accepting request 981401 from home:cyphar:docker

- Update to runc v1.1.3. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.3. (Includes a fix for bsc#1200088.) * Our seccomp `-ENOSYS` stub now correctly handles multiplexed syscalls on s390 and s390x. This solves the issue where syscalls the host kernel did not support would return `-EPERM` despite the existence of the `-ENOSYS` stub code (this was due to how s390x does syscall multiplexing). * Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as intended; this fix does not affect runc binary itself but is important for libcontainer users such as Kubernetes. * Inability to compile with recent clang due to an issue with duplicate constants in libseccomp-golang. * When using systemd cgroup driver, skip adding device paths that don't exist, to stop systemd from emitting warnings about those paths. * Socket activation was failing when more than 3 sockets were used. * Various CI fixes. * Allow to bind mount /proc/sys/kernel/ns_last_pid to inside container. * runc static binaries are now linked against libseccomp v2.5.4. - Remove upstreamed patches: - bsc1192051-0001-seccomp-enosys-always-return-ENOSYS-for-setup-2-on-s390x.patch OBS-URL: https://build.opensuse.org/request/show/981401 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=128
2022-06-09 00:28:16 +00:00 · 2022-06-09 00:28:16 +00:00 · 683f0a36dd
commit 683f0a36dd
parent bb89a115f8
7 changed files with 48 additions and 191 deletions
--- a/bsc1192051-0001-seccomp-enosys-always-return-ENOSYS-for-setup-2-on-s390x.patch
+++ b/bsc1192051-0001-seccomp-enosys-always-return-ENOSYS-for-setup-2-on-s390x.patch
@ -1,164 +0,0 @@
-From dcc3dc305307f530f8faf394c84d1dede29443ab Mon Sep 17 00:00:00 2001
-From: Aleksa Sarai <cyphar@cyphar.com>
-Date: Fri, 20 May 2022 10:39:41 +1000
-Subject: [PATCH] seccomp: enosys: always return -ENOSYS for setup(2) on
- s390(x)
-
-On s390x, syscalls above 255 are multiplexed using the (now otherwise
-unused) setup(2) syscall (syscall number 0). If the kernel supports the
-syscall then it will correctly translate the syscall number such that
-seccomp will correctly detect it -- however, for unknown syscalls the
-syscall number remains unchanged. This can be verified by running the
-following program under strace:
-
-	int main(void)
-	{
-		scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_TRAP);
-		seccomp_load(ctx);
-
-		return syscall(439, AT_FDCWD, "asdf", X_OK, 0);
-	}
-
-Which will then die with the following signal (on pre-5.8 kernels):
-
-	--- SIGSYS {si_signo=SIGSYS, si_code=SYS_SECCOMP,
-	            si_call_addr=0x3ffb3006c22, si_syscall=__NR_setup,
-	            si_arch=AUDIT_ARCH_S390X} ---
-
-(Note that the si_syscall is __NR_setup, not __NR_faccessat2.)
-
-As a result, the -ENOSYS handling we had previously did not work
-completely correctly on s390x because any syscall not supported by the
-kernel would be treated as syscall number 0 rather than the actual
-syscall number.
-
-Always returning -ENOSYS will not cause any issues because in all of the
-cases where this multiplexing occurs, seccomp will see the remapped
-syscall number -- and no userspace program will call setup(2)
-intentionally (the syscall has not existed in Linux for decades and was
-originally a hack used early in Linux init prior to spawning pid1 -- so
-you will get -ENOSYS from the kernel anyway).
-
-SUSE-Bugs: bsc#1192051 bsc#1199565
-Backport: <https://github.com/opencontainers/runc/pull/3474>
-Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
---
- libcontainer/seccomp/patchbpf/enosys_linux.go | 48 ++++++++++++++-----
- .../seccomp/patchbpf/enosys_linux_test.go     | 13 +++++
- 2 files changed, 50 insertions(+), 11 deletions(-)
-
-diff --git a/libcontainer/seccomp/patchbpf/enosys_linux.go b/libcontainer/seccomp/patchbpf/enosys_linux.go
-index 095fba7fd91f..6376512b086f 100644
--- a/libcontainer/seccomp/patchbpf/enosys_linux.go
-+++ b/libcontainer/seccomp/patchbpf/enosys_linux.go
-@@ -80,6 +80,11 @@ import "C"
- 
- var retErrnoEnosys = uint32(C.C_ACT_ERRNO_ENOSYS)
- 
-+// This syscall is used for multiplexing "large" syscalls on s390(x). Unknown
-+// syscalls will end up with this syscall number, so we need to explcitly
-+// return -ENOSYS for this syscall on those architectures.
-+const s390xMultiplexSyscall libseccomp.ScmpSyscall = 0
-+
- func isAllowAction(action configs.Action) bool {
- 	switch action {
- 	// Trace is considered an "allow" action because a good tracer should
-@@ -315,7 +320,7 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error)
- 		// directly from the arch code so we need to do it here. Sadly we can't
- 		// share this code between architecture branches.
- 		section := []bpf.Instruction{
-			// load [0]
-+			// load [0] (syscall number)
- 			bpf.LoadAbsolute{Off: 0, Size: 4}, // NOTE: We assume sizeof(int) == 4.
- 		}
- 
-@@ -324,10 +329,37 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error)
- 			// No syscalls found for this arch -- skip it and move on.
- 			continue
- 		case 1:
-			// Get the only syscall in the map.
-			var sysno libseccomp.ScmpSyscall
-			for _, no := range maxSyscalls {
-+			// Get the only syscall and scmpArch in the map.
-+			var (
-+				scmpArch libseccomp.ScmpArch
-+				sysno    libseccomp.ScmpSyscall
-+			)
-+			for arch, no := range maxSyscalls {
- 				sysno = no
-+				scmpArch = arch
-+			}
-+
-+			switch scmpArch {
-+			// Return -ENOSYS for setup(2) on s390(x). This syscall is used for
-+			// multiplexing "large syscall number" syscalls, but if the syscall
-+			// number is not known to the kernel then the syscall number is
-+			// left unchanged (and because it is sysno=0, you'll end up with
-+			// EPERM for syscalls the kernel doesn't know about).
-+			//
-+			// The actual setup(2) syscall is never used by userspace anymore
-+			// (and hasn't existed for decades) outside of this multiplexing
-+			// scheme so returning -ENOSYS is fine.
-+			case libseccomp.ArchS390, libseccomp.ArchS390X:
-+				section = append(section, []bpf.Instruction{
-+					// jne [setup=0],1
-+					bpf.JumpIf{
-+						Cond:     bpf.JumpNotEqual,
-+						Val:      uint32(s390xMultiplexSyscall),
-+						SkipTrue: 1,
-+					},
-+					// ret [ENOSYS]
-+					bpf.RetConstant{Val: retErrnoEnosys},
-+				}...)
- 			}
- 
- 			// The simplest case just boils down to a single jgt instruction,
-@@ -359,12 +391,6 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error)
- 			// If we're on x86 we need to add a check for x32 and if we're in
- 			// the wrong mode we jump over the section.
- 			if uint32(nativeArch) == uint32(C.C_AUDIT_ARCH_X86_64) {
-				// Grab the only architecture in the map.
-				var scmpArch libseccomp.ScmpArch
-				for arch := range maxSyscalls {
-					scmpArch = arch
-				}
-
- 				// Generate a prefix to check the mode.
- 				switch scmpArch {
- 				case libseccomp.ArchAMD64:
-@@ -522,7 +548,7 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error)
- 
- 	// Prepend the load instruction for the architecture.
- 	programTail = append([]bpf.Instruction{
-		// load [4]
-+		// load [4] (architecture)
- 		bpf.LoadAbsolute{Off: 4, Size: 4}, // NOTE: We assume sizeof(int) == 4.
- 	}, programTail...)
- 
-diff --git a/libcontainer/seccomp/patchbpf/enosys_linux_test.go b/libcontainer/seccomp/patchbpf/enosys_linux_test.go
-index 727800aa50cd..e2d363a43bd3 100644
--- a/libcontainer/seccomp/patchbpf/enosys_linux_test.go
-+++ b/libcontainer/seccomp/patchbpf/enosys_linux_test.go
-@@ -213,6 +213,19 @@ func testEnosysStub(t *testing.T, defaultAction configs.Action, arches []string)
- 				})
- 			}
- 
-+			// If we're on s390(x) make sure you get -ENOSYS for the "setup"
-+			// syscall (this is done to work around an issue with s390x's
-+			// syscall multiplexing which results in unknown syscalls being a
-+			// setup(2) invocation).
-+			switch scmpArch {
-+			case libseccomp.ArchS390, libseccomp.ArchS390X:
-+				syscallTests = append(syscallTests, syscallTest{
-+					sysno:    s390xMultiplexSyscall,
-+					syscall:  "setup",
-+					expected: retErrnoEnosys,
-+				})
-+			}
-+
- 			// Test syscalls in the explicit list.
- 			for _, test := range syscallTests {
- 				// Override the expected value in the two special cases.
-- 
-2.36.1
-
--- a/runc-1.1.2.tar.xz
+++ b/runc-1.1.2.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:78ad532465ce4c2802480644a8756c30ae99c1bf779f0243af4bca11c4d041de
-size 1412344
--- a/runc-1.1.2.tar.xz.asc
+++ b/runc-1.1.2.tar.xz.asc
@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQJDBAABCAAtFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAmJ8O6wPHGFzYXJhaUBz
-dXNlLmRlAAoJEJ4YqiZ92420Ac4P/0yniL3YMVM72wB7Wsm73WY8iNsa9q2kRGuY
-DS+VR3C5GuKCxebCLqa1Dt2xQu9VqSMP/pk+0lE8kYJSHjnFPNUNLFgC8+SJ1OC0
-JgOCNqy+WyMm4VKA4/jjlyaFC+KHz4DqiStQANeK4QfV2TOc12Aqig2XIA+RLwfG
-N44KFPruGXn7MgnXZA1HhfbOxbuq1MJWvlALDc44xPZlWm4wf4i6F42VrkLvkfHn
-jHFLjnTqYv4VgPeJrrZQWd0BDVzIOkWlf3aM3UL6hNU0BGb5zgo6O+CxjjUFSPav
-i4yWKq1Zx6J2U/HqviDL+L4BX+EV12Vg+RKV7TPwexXkCGO5WIET3ef8Pp7CX8DT
-l+tzSZKchs5ql4LH8bykAiatmqmkOjJIR3q155rkKqsV/Wcvuent8dWx4koopE9m
-RKRJlqiQzD3kWOrp8U6A0VwH3Zm0sxwfQC6NegDyHuXMiV/o6g/6YoevYGZqg9Ub
-z6IV+R5R5q+6ziKzzWAJRzMCowVN5f3UOKWo7ij0UIChts0sBG5otG8HNRXzqpi8
-nr/dDLXRamv8FPQbAUiWTGDOw2rz66Tje8jRV6vBALB0iD8UlAwCFm4JTnZUKn24
-ELWbSzmTctK5zA4s5gSCt4+eCyTHKCcb5pZwlNiOQsSjR/+4CwiLK7TFdwjzb72V
-tih7PMje
-=XSst
-----END PGP SIGNATURE-----
--- a/runc-1.1.3.tar.xz
+++ b/runc-1.1.3.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2db1f3a01ffd2f8fa3a259b9b512ca7d4dbf89be5765cc58d306e45658668453
+size 1413040
--- a/runc-1.1.3.tar.xz.asc
+++ b/runc-1.1.3.tar.xz.asc
@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJDBAABCAAtFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAmKhOw0PHGFzYXJhaUBz
+dXNlLmRlAAoJEJ4YqiZ92420MrQP/2QCwFFFDOGQvmnX4W/lhZaBpuNH5bDOpUAi
+fMucNUf+AherA7VwgOGgG28a7QdA9iV4yCz2kfokQFAha+fM+VSf+QIB+fUvoy/8
+qtpiFv69BEjo59Qcjgy1fpy2WrCGfLs6J4p6MsBySWjVxxSD1yCYNlntn2GTCbcq
+ArsoirqV+U9pjKJU5eqUK3Oxei0FRD/e2PnCkb6UdILti91xosCJ4KWAFwfan6O5
+b663HFq7E41bX17RR1Y8PYr9BMFzdDnN3W+xxi5F5fRdSV9F5/wKLouQ8FEe43PU
+2yYkixMkB9Z9PcV28uE9nXWbObhNfYlau0QLIakIgKCDjHX0HmBpwYmmtuL5Qln0
+/IsPCYXBCK75bIVQtSgoVZTap59M4QXYTBDidZyaY3yCeAhkzth+V+Hr2TeVSu2y
+OKvSzyAOHbKqUURjmUMzSoHrvFAYhQOhGi3iJKtnaDv5kiiVKQdCSfoa0TB4U1fP
+z8TbCxWjvGNjKwgt8kgLn74BiSerPdxlVE/Cc9P9rfG09BYha8TB5gMTKri/KiCP
+1LUwBpMkxRY4DoXmVrtfq6+0C7SE3d+s6ezB5+71Mu5YN3NFt+8vWIST94VmyU+a
+Zq0o5sVcEgvl5AP/ordXCDYxjg7kdWKegdZCDZ5BuF4tBNS7xLn3RihNTUHqhBT1
+XBfloHMo
+=lLbv
+-----END PGP SIGNATURE-----
--- a/runc.changes
+++ b/runc.changes
@ -1,3 +1,28 @@
+-------------------------------------------------------------------
+Thu Jun  9 00:22:16 UTC 2022 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.1.3. Upstream changelog is available from
+  https://github.com/opencontainers/runc/releases/tag/v1.1.3.
+  (Includes a fix for bsc#1200088.)
+
+  * Our seccomp `-ENOSYS` stub now correctly handles multiplexed syscalls on
+    s390 and s390x. This solves the issue where syscalls the host kernel did not
+    support would return `-EPERM` despite the existence of the `-ENOSYS` stub
+    code (this was due to how s390x does syscall multiplexing).
+  * Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as
+    intended; this fix does not affect runc binary itself but is important for
+    libcontainer users such as Kubernetes.
+  * Inability to compile with recent clang due to an issue with duplicate
+    constants in libseccomp-golang.
+  * When using systemd cgroup driver, skip adding device paths that don't exist,
+    to stop systemd from emitting warnings about those paths.
+  * Socket activation was failing when more than 3 sockets were used.
+  * Various CI fixes.
+  * Allow to bind mount /proc/sys/kernel/ns_last_pid to inside container.
+  * runc static binaries are now linked against libseccomp v2.5.4.
+- Remove upstreamed patches:
+  - bsc1192051-0001-seccomp-enosys-always-return-ENOSYS-for-setup-2-on-s390x.patch
+
 -------------------------------------------------------------------
 Mon May 23 03:02:32 UTC 2022 - Aleksa Sarai <asarai@suse.com>

--- a/runc.spec
+++ b/runc.spec
@ -22,12 +22,12 @@
 %define git_short   a916309fff0f

 # Package-wide golang version
-%define go_version 1.17
+%define go_version 1.18
 %define project github.com/opencontainers/runc

 Name:           runc
-Version:        1.1.2
-%define _version 1.1.2
+Version:        1.1.3
+%define _version 1.1.3
 Release:        0
 Summary:        Tool for spawning and running OCI containers
 License:        Apache-2.0
@ -36,8 +36,6 @@ URL:            https://github.com/opencontainers/runc
 Source0:        https://github.com/opencontainers/runc/releases/download/v%{_version}/runc.tar.xz#/runc-%{version}.tar.xz
 Source1:        https://github.com/opencontainers/runc/releases/download/v%{_version}/runc.tar.xz.asc#/runc-%{version}.tar.xz.asc
 Source2:        runc.keyring
-# OPENSUSE-FIX-UPSTREAM: Backport of <https://github.com/opencontainers/runc/pull/3474>. bsc#1192051 bsc#1199565
-Patch1:         bsc1192051-0001-seccomp-enosys-always-return-ENOSYS-for-setup-2-on-s390x.patch
 BuildRequires:  fdupes
 BuildRequires:  go-go-md2man
 # Due to a limitation in openSUSE's Go packaging we cannot have a BuildRequires
@ -70,8 +68,6 @@ and has grown to become a separate project entirely.

 %prep
 %setup -q -n %{name}-%{_version}
-# bsc#1192051 bsc#1199565
-%patch1 -p1

 %build
 # build runc