Accepting request 981401 from home:cyphar:docker
- Update to runc v1.1.3. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.1.3.
  (Includes a fix for bsc#1200088.)
  * Our seccomp `-ENOSYS` stub now correctly handles multiplexed syscalls on
    s390 and s390x. This solves the issue where syscalls the host kernel did not
    support would return `-EPERM` despite the existence of the `-ENOSYS` stub
    code (this was due to how s390x does syscall multiplexing).
  * Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as
    intended; this fix does not affect runc binary itself but is important for
    libcontainer users such as Kubernetes.
  * Inability to compile with recent clang due to an issue with duplicate
    constants in libseccomp-golang.
  * When using systemd cgroup driver, skip adding device paths that don't exist,
    to stop systemd from emitting warnings about those paths.
  * Socket activation was failing when more than 3 sockets were used.
  * Various CI fixes.
  * Allow to bind mount /proc/sys/kernel/ns_last_pid to inside container.
  * runc static binaries are now linked against libseccomp v2.5.4.
- Remove upstreamed patches:
  - bsc1192051-0001-seccomp-enosys-always-return-ENOSYS-for-setup-2-on-s390x.patch

OBS-URL: https://build.opensuse.org/request/show/981401
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=128
parent bb89a115f8
commit 683f0a36dd
@ -1,164 +0,0 @@
From dcc3dc305307f530f8faf394c84d1dede29443ab Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <cyphar@cyphar.com>
Date: Fri, 20 May 2022 10:39:41 +1000
Subject: [PATCH] seccomp: enosys: always return -ENOSYS for setup(2) on
s390(x)

On s390x, syscalls above 255 are multiplexed using the (now otherwise
unused) setup(2) syscall (syscall number 0). If the kernel supports the
syscall then it will correctly translate the syscall number such that
seccomp will correctly detect it -- however, for unknown syscalls the
syscall number remains unchanged. This can be verified by running the
following program under strace:

int main(void)
{
scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_TRAP);
seccomp_load(ctx);

return syscall(439, AT_FDCWD, "asdf", X_OK, 0);
}

Which will then die with the following signal (on pre-5.8 kernels):

--- SIGSYS {si_signo=SIGSYS, si_code=SYS_SECCOMP,
si_call_addr=0x3ffb3006c22, si_syscall=__NR_setup,
si_arch=AUDIT_ARCH_S390X} ---

(Note that the si_syscall is __NR_setup, not __NR_faccessat2.)

As a result, the -ENOSYS handling we had previously did not work
completely correctly on s390x because any syscall not supported by the
kernel would be treated as syscall number 0 rather than the actual
syscall number.

Always returning -ENOSYS will not cause any issues because in all of the
cases where this multiplexing occurs, seccomp will see the remapped
syscall number -- and no userspace program will call setup(2)
intentionally (the syscall has not existed in Linux for decades and was
originally a hack used early in Linux init prior to spawning pid1 -- so
you will get -ENOSYS from the kernel anyway).

SUSE-Bugs: bsc#1192051 bsc#1199565
Backport: <https://github.com/opencontainers/runc/pull/3474>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
---
libcontainer/seccomp/patchbpf/enosys_linux.go | 48 ++++++++++++++-----
.../seccomp/patchbpf/enosys_linux_test.go | 13 +++++
2 files changed, 50 insertions(+), 11 deletions(-)

diff --git a/libcontainer/seccomp/patchbpf/enosys_linux.go b/libcontainer/seccomp/patchbpf/enosys_linux.go
index 095fba7fd91f..6376512b086f 100644
--- a/libcontainer/seccomp/patchbpf/enosys_linux.go
+++ b/libcontainer/seccomp/patchbpf/enosys_linux.go
@@ -80,6 +80,11 @@ import "C"

var retErrnoEnosys = uint32(C.C_ACT_ERRNO_ENOSYS)

+// This syscall is used for multiplexing "large" syscalls on s390(x). Unknown
+// syscalls will end up with this syscall number, so we need to explcitly
+// return -ENOSYS for this syscall on those architectures.
+const s390xMultiplexSyscall libseccomp.ScmpSyscall = 0
+
func isAllowAction(action configs.Action) bool {
switch action {
// Trace is considered an "allow" action because a good tracer should
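Review bot: typo in the comment above the new `const s390xMultiplexSyscall` (`+// syscalls will end up with this syscall number, so we need to explcitly`): `explcitly` should read `explicitly`. The comment would also be clearer if it said that 0 is the setup(2) number on s390/s390x and that the constant is only consulted when one of those is the sole arch in the syscall map, which is where the later `case 1:` hunk uses it; a reader otherwise wonders why a per-arch number is typed as a plain `ScmpSyscall`.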
@@ -315,7 +320,7 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error)
// directly from the arch code so we need to do it here. Sadly we can't
// share this code between architecture branches.
section := []bpf.Instruction{
- // load [0]
+ // load [0] (syscall number)
bpf.LoadAbsolute{Off: 0, Size: 4}, // NOTE: We assume sizeof(int) == 4.
}

@@ -324,10 +329,37 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error)
// No syscalls found for this arch -- skip it and move on.
continue
case 1:
- // Get the only syscall in the map.
- var sysno libseccomp.ScmpSyscall
- for _, no := range maxSyscalls {
+ // Get the only syscall and scmpArch in the map.
+ var (
+ scmpArch libseccomp.ScmpArch
+ sysno libseccomp.ScmpSyscall
+ )
+ for arch, no := range maxSyscalls {
sysno = no
+ scmpArch = arch
+ }
+
+ switch scmpArch {
+ // Return -ENOSYS for setup(2) on s390(x). This syscall is used for
+ // multiplexing "large syscall number" syscalls, but if the syscall
+ // number is not known to the kernel then the syscall number is
+ // left unchanged (and because it is sysno=0, you'll end up with
+ // EPERM for syscalls the kernel doesn't know about).
+ //
+ // The actual setup(2) syscall is never used by userspace anymore
+ // (and hasn't existed for decades) outside of this multiplexing
+ // scheme so returning -ENOSYS is fine.
+ case libseccomp.ArchS390, libseccomp.ArchS390X:
+ section = append(section, []bpf.Instruction{
+ // jne [setup=0],1
+ bpf.JumpIf{
+ Cond: bpf.JumpNotEqual,
+ Val: uint32(s390xMultiplexSyscall),
+ SkipTrue: 1,
+ },
+ // ret [ENOSYS]
+ bpf.RetConstant{Val: retErrnoEnosys},
+ }...)
}

// The simplest case just boils down to a single jgt instruction,
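Review bot: the setup(2) guard is emitted only inside `case 1:`, i.e. when the native arch maps to exactly one ScmpArch, so the other branches of the enclosing switch never get it. That holds only because s390 and s390x each have their own native audit arch (unlike the x86-64/x32 pair handled further down); a one-line comment stating that assumption, or hoisting the `switch scmpArch` out of `case 1:`, would stop the guard from being silently lost if the map shape ever changes. Also, `SkipTrue: 1` on the `// jne [setup=0],1` instruction skips exactly the following `bpf.RetConstant{Val: retErrnoEnosys}`, so the two instructions must stay adjacent; say so in that comment so nobody inserts an instruction between them later.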
@@ -359,12 +391,6 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error)
// If we're on x86 we need to add a check for x32 and if we're in
// the wrong mode we jump over the section.
if uint32(nativeArch) == uint32(C.C_AUDIT_ARCH_X86_64) {
- // Grab the only architecture in the map.
- var scmpArch libseccomp.ScmpArch
- for arch := range maxSyscalls {
- scmpArch = arch
- }
-
// Generate a prefix to check the mode.
switch scmpArch {
case libseccomp.ArchAMD64:
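Review bot: with the local `for arch := range maxSyscalls` loop removed, this x86-64 branch now depends on the `scmpArch` populated by the `for arch, no := range maxSyscalls` loop in the hunk above, some distance away. A short comment at the `switch scmpArch {` line noting where the variable is set would save the next reader from having to confirm it is still in scope and initialised on this path.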
@@ -522,7 +548,7 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error)

// Prepend the load instruction for the architecture.
programTail = append([]bpf.Instruction{
- // load [4]
+ // load [4] (architecture)
bpf.LoadAbsolute{Off: 4, Size: 4}, // NOTE: We assume sizeof(int) == 4.
}, programTail...)

diff --git a/libcontainer/seccomp/patchbpf/enosys_linux_test.go b/libcontainer/seccomp/patchbpf/enosys_linux_test.go
index 727800aa50cd..e2d363a43bd3 100644
--- a/libcontainer/seccomp/patchbpf/enosys_linux_test.go
+++ b/libcontainer/seccomp/patchbpf/enosys_linux_test.go
@@ -213,6 +213,19 @@ func testEnosysStub(t *testing.T, defaultAction configs.Action, arches []string)
})
}

+ // If we're on s390(x) make sure you get -ENOSYS for the "setup"
+ // syscall (this is done to work around an issue with s390x's
+ // syscall multiplexing which results in unknown syscalls being a
+ // setup(2) invocation).
+ switch scmpArch {
+ case libseccomp.ArchS390, libseccomp.ArchS390X:
+ syscallTests = append(syscallTests, syscallTest{
+ sysno: s390xMultiplexSyscall,
+ syscall: "setup",
+ expected: retErrnoEnosys,
+ })
+ }
+
// Test syscalls in the explicit list.
for _, test := range syscallTests {
// Override the expected value in the two special cases.
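Review bot: the new s390(x) entry is appended ahead of the loop whose first comment is `// Override the expected value in the two special cases.`, so the assertion `expected: retErrnoEnosys` only holds if that override never rewrites the expectation for sysno 0; either state that in the new comment or add the entry after the override so the check is unconditional. The case also exercises only setup(2) itself; the reproducer in the commit message is faccessat2 (439) surfacing as syscall 0, which is the same sysno this test feeds to the filter, so coverage is adequate, but naming that in the comment would tie the test to the bug it guards against.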
--
2.36.1
@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:78ad532465ce4c2802480644a8756c30ae99c1bf779f0243af4bca11c4d041de
size 1412344
@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----

iQJDBAABCAAtFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAmJ8O6wPHGFzYXJhaUBz
dXNlLmRlAAoJEJ4YqiZ92420Ac4P/0yniL3YMVM72wB7Wsm73WY8iNsa9q2kRGuY
DS+VR3C5GuKCxebCLqa1Dt2xQu9VqSMP/pk+0lE8kYJSHjnFPNUNLFgC8+SJ1OC0
JgOCNqy+WyMm4VKA4/jjlyaFC+KHz4DqiStQANeK4QfV2TOc12Aqig2XIA+RLwfG
N44KFPruGXn7MgnXZA1HhfbOxbuq1MJWvlALDc44xPZlWm4wf4i6F42VrkLvkfHn
jHFLjnTqYv4VgPeJrrZQWd0BDVzIOkWlf3aM3UL6hNU0BGb5zgo6O+CxjjUFSPav
i4yWKq1Zx6J2U/HqviDL+L4BX+EV12Vg+RKV7TPwexXkCGO5WIET3ef8Pp7CX8DT
l+tzSZKchs5ql4LH8bykAiatmqmkOjJIR3q155rkKqsV/Wcvuent8dWx4koopE9m
RKRJlqiQzD3kWOrp8U6A0VwH3Zm0sxwfQC6NegDyHuXMiV/o6g/6YoevYGZqg9Ub
z6IV+R5R5q+6ziKzzWAJRzMCowVN5f3UOKWo7ij0UIChts0sBG5otG8HNRXzqpi8
nr/dDLXRamv8FPQbAUiWTGDOw2rz66Tje8jRV6vBALB0iD8UlAwCFm4JTnZUKn24
ELWbSzmTctK5zA4s5gSCt4+eCyTHKCcb5pZwlNiOQsSjR/+4CwiLK7TFdwjzb72V
tih7PMje
=XSst
-----END PGP SIGNATURE-----
3
runc-1.1.3.tar.xz
Normal file
@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2db1f3a01ffd2f8fa3a259b9b512ca7d4dbf89be5765cc58d306e45658668453
size 1413040
17
runc-1.1.3.tar.xz.asc
Normal file
@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----

iQJDBAABCAAtFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAmKhOw0PHGFzYXJhaUBz
dXNlLmRlAAoJEJ4YqiZ92420MrQP/2QCwFFFDOGQvmnX4W/lhZaBpuNH5bDOpUAi
fMucNUf+AherA7VwgOGgG28a7QdA9iV4yCz2kfokQFAha+fM+VSf+QIB+fUvoy/8
qtpiFv69BEjo59Qcjgy1fpy2WrCGfLs6J4p6MsBySWjVxxSD1yCYNlntn2GTCbcq
ArsoirqV+U9pjKJU5eqUK3Oxei0FRD/e2PnCkb6UdILti91xosCJ4KWAFwfan6O5
b663HFq7E41bX17RR1Y8PYr9BMFzdDnN3W+xxi5F5fRdSV9F5/wKLouQ8FEe43PU
2yYkixMkB9Z9PcV28uE9nXWbObhNfYlau0QLIakIgKCDjHX0HmBpwYmmtuL5Qln0
/IsPCYXBCK75bIVQtSgoVZTap59M4QXYTBDidZyaY3yCeAhkzth+V+Hr2TeVSu2y
OKvSzyAOHbKqUURjmUMzSoHrvFAYhQOhGi3iJKtnaDv5kiiVKQdCSfoa0TB4U1fP
z8TbCxWjvGNjKwgt8kgLn74BiSerPdxlVE/Cc9P9rfG09BYha8TB5gMTKri/KiCP
1LUwBpMkxRY4DoXmVrtfq6+0C7SE3d+s6ezB5+71Mu5YN3NFt+8vWIST94VmyU+a
Zq0o5sVcEgvl5AP/ordXCDYxjg7kdWKegdZCDZ5BuF4tBNS7xLn3RihNTUHqhBT1
XBfloHMo
=lLbv
-----END PGP SIGNATURE-----
25
runc.changes
@ -1,3 +1,28 @@
-------------------------------------------------------------------
Thu Jun 9 00:22:16 UTC 2022 - Aleksa Sarai <asarai@suse.com>

- Update to runc v1.1.3. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.1.3.
(Includes a fix for bsc#1200088.)

* Our seccomp `-ENOSYS` stub now correctly handles multiplexed syscalls on
s390 and s390x. This solves the issue where syscalls the host kernel did not
support would return `-EPERM` despite the existence of the `-ENOSYS` stub
code (this was due to how s390x does syscall multiplexing).
* Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as
intended; this fix does not affect runc binary itself but is important for
libcontainer users such as Kubernetes.
* Inability to compile with recent clang due to an issue with duplicate
constants in libseccomp-golang.
* When using systemd cgroup driver, skip adding device paths that don't exist,
to stop systemd from emitting warnings about those paths.
* Socket activation was failing when more than 3 sockets were used.
* Various CI fixes.
* Allow to bind mount /proc/sys/kernel/ns_last_pid to inside container.
* runc static binaries are now linked against libseccomp v2.5.4.
- Remove upstreamed patches:
- bsc1192051-0001-seccomp-enosys-always-return-ENOSYS-for-setup-2-on-s390x.patch

-------------------------------------------------------------------
Mon May 23 03:02:32 UTC 2022 - Aleksa Sarai <asarai@suse.com>

10
runc.spec
@ -22,12 +22,12 @@
%define git_short a916309fff0f

# Package-wide golang version
%define go_version 1.17
%define go_version 1.18
%define project github.com/opencontainers/runc

Name: runc
Version: 1.1.2
Version: 1.1.3
%define _version 1.1.2
%define _version 1.1.3
Release: 0
Summary: Tool for spawning and running OCI containers
License: Apache-2.0
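Review bot: this hunk bumps `%define go_version` from 1.17 to 1.18 alongside the move from 1.1.2 to 1.1.3, but neither the request description nor the runc.changes entry added in this request mentions the Go toolchain change; add a line to the runc.changes entry recording the go_version bump so the build-requirement change is visible to whoever reads the changelog later.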
@ -36,8 +36,6 @@ URL: https://github.com/opencontainers/runc
Source0: https://github.com/opencontainers/runc/releases/download/v%{_version}/runc.tar.xz#/runc-%{version}.tar.xz
Source1: https://github.com/opencontainers/runc/releases/download/v%{_version}/runc.tar.xz.asc#/runc-%{version}.tar.xz.asc
Source2: runc.keyring
# OPENSUSE-FIX-UPSTREAM: Backport of <https://github.com/opencontainers/runc/pull/3474>. bsc#1192051 bsc#1199565
Patch1: bsc1192051-0001-seccomp-enosys-always-return-ENOSYS-for-setup-2-on-s390x.patch
BuildRequires: fdupes
BuildRequires: go-go-md2man
# Due to a limitation in openSUSE's Go packaging we cannot have a BuildRequires
@ -70,8 +68,6 @@ and has grown to become a separate project entirely.

%prep
%setup -q -n %{name}-%{_version}
# bsc#1192051 bsc#1199565
%patch1 -p1

%build
# build runc