diff --git a/bsc1192051-0001-seccomp-enosys-always-return-ENOSYS-for-setup-2-on-s390x.patch b/bsc1192051-0001-seccomp-enosys-always-return-ENOSYS-for-setup-2-on-s390x.patch
deleted file mode 100644
index afa6c2f..0000000
--- a/bsc1192051-0001-seccomp-enosys-always-return-ENOSYS-for-setup-2-on-s390x.patch
+++ /dev/null
@@ -1,164 +0,0 @@ -From dcc3dc305307f530f8faf394c84d1dede29443ab Mon Sep 17 00:00:00 2001 -From: Aleksa Sarai -Date: Fri, 20 May 2022 10:39:41 +1000 -Subject: [PATCH] seccomp: enosys: always return -ENOSYS for setup(2) on - s390(x) - -On s390x, syscalls above 255 are multiplexed using the (now otherwise -unused) setup(2) syscall (syscall number 0). If the kernel supports the -syscall then it will correctly translate the syscall number such that -seccomp will correctly detect it -- however, for unknown syscalls the -syscall number remains unchanged. This can be verified by running the -following program under strace: - - int main(void) - { - scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_TRAP); - seccomp_load(ctx); - - return syscall(439, AT_FDCWD, "asdf", X_OK, 0); - } - -Which will then die with the following signal (on pre-5.8 kernels): - - --- SIGSYS {si_signo=SIGSYS, si_code=SYS_SECCOMP, - si_call_addr=0x3ffb3006c22, si_syscall=__NR_setup, - si_arch=AUDIT_ARCH_S390X} --- - -(Note that the si_syscall is __NR_setup, not __NR_faccessat2.) - -As a result, the -ENOSYS handling we had previously did not work -completely correctly on s390x because any syscall not supported by the -kernel would be treated as syscall number 0 rather than the actual -syscall number. - -Always returning -ENOSYS will not cause any issues because in all of the -cases where this multiplexing occurs, seccomp will see the remapped -syscall number -- and no userspace program will call setup(2) -intentionally (the syscall has not existed in Linux for decades and was -originally a hack used early in Linux init prior to spawning pid1 -- so -you will get -ENOSYS from the kernel anyway). 
- -SUSE-Bugs: bsc#1192051 bsc#1199565 -Backport: -Signed-off-by: Aleksa Sarai ---- - libcontainer/seccomp/patchbpf/enosys_linux.go | 48 ++++++++++++++----- - .../seccomp/patchbpf/enosys_linux_test.go | 13 +++++ - 2 files changed, 50 insertions(+), 11 deletions(-) - -diff --git a/libcontainer/seccomp/patchbpf/enosys_linux.go b/libcontainer/seccomp/patchbpf/enosys_linux.go -index 095fba7fd91f..6376512b086f 100644 ---- a/libcontainer/seccomp/patchbpf/enosys_linux.go -+++ b/libcontainer/seccomp/patchbpf/enosys_linux.go -@@ -80,6 +80,11 @@ import "C" - - var retErrnoEnosys = uint32(C.C_ACT_ERRNO_ENOSYS) - -+// This syscall is used for multiplexing "large" syscalls on s390(x). Unknown -+// syscalls will end up with this syscall number, so we need to explcitly -+// return -ENOSYS for this syscall on those architectures. -+const s390xMultiplexSyscall libseccomp.ScmpSyscall = 0 -+ - func isAllowAction(action configs.Action) bool { - switch action { - // Trace is considered an "allow" action because a good tracer should -@@ -315,7 +320,7 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error) - // directly from the arch code so we need to do it here. Sadly we can't - // share this code between architecture branches. - section := []bpf.Instruction{ -- // load [0] -+ // load [0] (syscall number) - bpf.LoadAbsolute{Off: 0, Size: 4}, // NOTE: We assume sizeof(int) == 4. - } - -@@ -324,10 +329,37 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error) - // No syscalls found for this arch -- skip it and move on. - continue - case 1: -- // Get the only syscall in the map. -- var sysno libseccomp.ScmpSyscall -- for _, no := range maxSyscalls { -+ // Get the only syscall and scmpArch in the map. -+ var ( -+ scmpArch libseccomp.ScmpArch -+ sysno libseccomp.ScmpSyscall -+ ) -+ for arch, no := range maxSyscalls { - sysno = no -+ scmpArch = arch -+ } -+ -+ switch scmpArch { -+ // Return -ENOSYS for setup(2) on s390(x). 
This syscall is used for -+ // multiplexing "large syscall number" syscalls, but if the syscall -+ // number is not known to the kernel then the syscall number is -+ // left unchanged (and because it is sysno=0, you'll end up with -+ // EPERM for syscalls the kernel doesn't know about). -+ // -+ // The actual setup(2) syscall is never used by userspace anymore -+ // (and hasn't existed for decades) outside of this multiplexing -+ // scheme so returning -ENOSYS is fine. -+ case libseccomp.ArchS390, libseccomp.ArchS390X: -+ section = append(section, []bpf.Instruction{ -+ // jne [setup=0],1 -+ bpf.JumpIf{ -+ Cond: bpf.JumpNotEqual, -+ Val: uint32(s390xMultiplexSyscall), -+ SkipTrue: 1, -+ }, -+ // ret [ENOSYS] -+ bpf.RetConstant{Val: retErrnoEnosys}, -+ }...) - } - - // The simplest case just boils down to a single jgt instruction, -@@ -359,12 +391,6 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error) - // If we're on x86 we need to add a check for x32 and if we're in - // the wrong mode we jump over the section. - if uint32(nativeArch) == uint32(C.C_AUDIT_ARCH_X86_64) { -- // Grab the only architecture in the map. -- var scmpArch libseccomp.ScmpArch -- for arch := range maxSyscalls { -- scmpArch = arch -- } -- - // Generate a prefix to check the mode. - switch scmpArch { - case libseccomp.ArchAMD64: -@@ -522,7 +548,7 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error) - - // Prepend the load instruction for the architecture. - programTail = append([]bpf.Instruction{ -- // load [4] -+ // load [4] (architecture) - bpf.LoadAbsolute{Off: 4, Size: 4}, // NOTE: We assume sizeof(int) == 4. - }, programTail...) 
- -diff --git a/libcontainer/seccomp/patchbpf/enosys_linux_test.go b/libcontainer/seccomp/patchbpf/enosys_linux_test.go -index 727800aa50cd..e2d363a43bd3 100644 ---- a/libcontainer/seccomp/patchbpf/enosys_linux_test.go -+++ b/libcontainer/seccomp/patchbpf/enosys_linux_test.go -@@ -213,6 +213,19 @@ func testEnosysStub(t *testing.T, defaultAction configs.Action, arches []string) - }) - } - -+ // If we're on s390(x) make sure you get -ENOSYS for the "setup" -+ // syscall (this is done to work around an issue with s390x's -+ // syscall multiplexing which results in unknown syscalls being a -+ // setup(2) invocation). -+ switch scmpArch { -+ case libseccomp.ArchS390, libseccomp.ArchS390X: -+ syscallTests = append(syscallTests, syscallTest{ -+ sysno: s390xMultiplexSyscall, -+ syscall: "setup", -+ expected: retErrnoEnosys, -+ }) -+ } -+ - // Test syscalls in the explicit list. - for _, test := range syscallTests { - // Override the expected value in the two special cases. --- -2.36.1 - diff --git a/runc-1.1.2.tar.xz b/runc-1.1.2.tar.xz deleted file mode 100644 index b7e7f2e..0000000 --- a/runc-1.1.2.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:78ad532465ce4c2802480644a8756c30ae99c1bf779f0243af4bca11c4d041de -size 1412344 diff --git a/runc-1.1.2.tar.xz.asc b/runc-1.1.2.tar.xz.asc deleted file mode 100644 index 6101e3e..0000000 --- a/runc-1.1.2.tar.xz.asc +++ /dev/null 
@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQJDBAABCAAtFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAmJ8O6wPHGFzYXJhaUBz
-dXNlLmRlAAoJEJ4YqiZ92420Ac4P/0yniL3YMVM72wB7Wsm73WY8iNsa9q2kRGuY
-DS+VR3C5GuKCxebCLqa1Dt2xQu9VqSMP/pk+0lE8kYJSHjnFPNUNLFgC8+SJ1OC0
-JgOCNqy+WyMm4VKA4/jjlyaFC+KHz4DqiStQANeK4QfV2TOc12Aqig2XIA+RLwfG
-N44KFPruGXn7MgnXZA1HhfbOxbuq1MJWvlALDc44xPZlWm4wf4i6F42VrkLvkfHn
-jHFLjnTqYv4VgPeJrrZQWd0BDVzIOkWlf3aM3UL6hNU0BGb5zgo6O+CxjjUFSPav
-i4yWKq1Zx6J2U/HqviDL+L4BX+EV12Vg+RKV7TPwexXkCGO5WIET3ef8Pp7CX8DT
-l+tzSZKchs5ql4LH8bykAiatmqmkOjJIR3q155rkKqsV/Wcvuent8dWx4koopE9m
-RKRJlqiQzD3kWOrp8U6A0VwH3Zm0sxwfQC6NegDyHuXMiV/o6g/6YoevYGZqg9Ub
-z6IV+R5R5q+6ziKzzWAJRzMCowVN5f3UOKWo7ij0UIChts0sBG5otG8HNRXzqpi8
-nr/dDLXRamv8FPQbAUiWTGDOw2rz66Tje8jRV6vBALB0iD8UlAwCFm4JTnZUKn24
-ELWbSzmTctK5zA4s5gSCt4+eCyTHKCcb5pZwlNiOQsSjR/+4CwiLK7TFdwjzb72V
-tih7PMje
-=XSst
------END PGP SIGNATURE-----
diff --git a/runc-1.1.3.tar.xz b/runc-1.1.3.tar.xz
new file mode 100644
index 0000000..9db5dd4
--- /dev/null
+++ b/runc-1.1.3.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2db1f3a01ffd2f8fa3a259b9b512ca7d4dbf89be5765cc58d306e45658668453
+size 1413040
diff --git a/runc-1.1.3.tar.xz.asc b/runc-1.1.3.tar.xz.asc
new file mode 100644
index 0000000..629637a
--- /dev/null
+++ b/runc-1.1.3.tar.xz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJDBAABCAAtFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAmKhOw0PHGFzYXJhaUBz
+dXNlLmRlAAoJEJ4YqiZ92420MrQP/2QCwFFFDOGQvmnX4W/lhZaBpuNH5bDOpUAi
+fMucNUf+AherA7VwgOGgG28a7QdA9iV4yCz2kfokQFAha+fM+VSf+QIB+fUvoy/8
+qtpiFv69BEjo59Qcjgy1fpy2WrCGfLs6J4p6MsBySWjVxxSD1yCYNlntn2GTCbcq
+ArsoirqV+U9pjKJU5eqUK3Oxei0FRD/e2PnCkb6UdILti91xosCJ4KWAFwfan6O5
+b663HFq7E41bX17RR1Y8PYr9BMFzdDnN3W+xxi5F5fRdSV9F5/wKLouQ8FEe43PU
+2yYkixMkB9Z9PcV28uE9nXWbObhNfYlau0QLIakIgKCDjHX0HmBpwYmmtuL5Qln0
+/IsPCYXBCK75bIVQtSgoVZTap59M4QXYTBDidZyaY3yCeAhkzth+V+Hr2TeVSu2y
+OKvSzyAOHbKqUURjmUMzSoHrvFAYhQOhGi3iJKtnaDv5kiiVKQdCSfoa0TB4U1fP
+z8TbCxWjvGNjKwgt8kgLn74BiSerPdxlVE/Cc9P9rfG09BYha8TB5gMTKri/KiCP
+1LUwBpMkxRY4DoXmVrtfq6+0C7SE3d+s6ezB5+71Mu5YN3NFt+8vWIST94VmyU+a
+Zq0o5sVcEgvl5AP/ordXCDYxjg7kdWKegdZCDZ5BuF4tBNS7xLn3RihNTUHqhBT1
+XBfloHMo
+=lLbv
+-----END PGP SIGNATURE-----
diff --git a/runc.changes b/runc.changes
index 1bb5bc4..0a849e0 100644
--- a/runc.changes
+++ b/runc.changes
@@ -1,3 +1,28 @@
+-------------------------------------------------------------------
+Thu Jun 9 00:22:16 UTC 2022 - Aleksa Sarai
+
+- Update to runc v1.1.3. Upstream changelog is available from
+ https://github.com/opencontainers/runc/releases/tag/v1.1.3.
+ (Includes a fix for bsc#1200088.)
+
+ * Our seccomp `-ENOSYS` stub now correctly handles multiplexed syscalls on
+ s390 and s390x. This solves the issue where syscalls the host kernel did not
+ support would return `-EPERM` despite the existence of the `-ENOSYS` stub
+ code (this was due to how s390x does syscall multiplexing).
+ * Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as
+ intended; this fix does not affect runc binary itself but is important for
+ libcontainer users such as Kubernetes.
+ * Inability to compile with recent clang due to an issue with duplicate
+ constants in libseccomp-golang.
+ * When using systemd cgroup driver, skip adding device paths that don't exist,
+ to stop systemd from emitting warnings about those paths.
+ * Socket activation was failing when more than 3 sockets were used.
+ * Various CI fixes.
+ * Allow to bind mount /proc/sys/kernel/ns_last_pid to inside container.
+ * runc static binaries are now linked against libseccomp v2.5.4.
+- Remove upstreamed patches:
+ - bsc1192051-0001-seccomp-enosys-always-return-ENOSYS-for-setup-2-on-s390x.patch
+
 -------------------------------------------------------------------
 Mon May 23 03:02:32 UTC 2022 - Aleksa Sarai
 
diff --git a/runc.spec b/runc.spec
index 98b1380..7d2a67d 100644
--- a/runc.spec
+++ b/runc.spec
@@ -22,12 +22,12 @@ %define git_short a916309fff0f # Package-wide golang version -%define go_version 1.17 +%define go_version 1.18 %define project github.com/opencontainers/runc Name: runc -Version: 1.1.2 -%define _version 1.1.2 +Version: 1.1.3 +%define _version 1.1.3 Release: 0 Summary: Tool for spawning and running OCI containers License: Apache-2.0
@@ -36,8 +36,6 @@ URL: https://github.com/opencontainers/runc
 Source0: https://github.com/opencontainers/runc/releases/download/v%{_version}/runc.tar.xz#/runc-%{version}.tar.xz
 Source1: https://github.com/opencontainers/runc/releases/download/v%{_version}/runc.tar.xz.asc#/runc-%{version}.tar.xz.asc
 Source2: runc.keyring
-# OPENSUSE-FIX-UPSTREAM: Backport of . bsc#1192051 bsc#1199565
-Patch1: bsc1192051-0001-seccomp-enosys-always-return-ENOSYS-for-setup-2-on-s390x.patch
 BuildRequires: fdupes
 BuildRequires: go-go-md2man
 # Due to a limitation in openSUSE's Go packaging we cannot have a BuildRequires
@@ -70,8 +68,6 @@ and has grown to become a separate project entirely. %prep %setup -q -n %{name}-%{_version} -# bsc#1192051 bsc#1199565 -%patch1 -p1 %build # build runc