Accepting request 1165425 from home:cyphar:docker
- Update to runc v1.2.0~rc1. Upstream changelog is available from <https://github.com/opencontainers/runc/releases/tag/v1.2.0-rc.1>. - Remove upstreamed patches. - 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch - 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch - 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch OBS-URL: https://build.opensuse.org/request/show/1165425 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=158
This commit is contained in:
parent
904cbe4ac7
commit
2d98556bab
@ -1,44 +0,0 @@
|
||||
From 0c224086deacb981d7ea0fcbdab39ddf7bc3f24e Mon Sep 17 00:00:00 2001
|
||||
From: Kir Kolyshkin <kolyshkin@gmail.com>
|
||||
Date: Fri, 14 Oct 2022 18:37:00 -0700
|
||||
Subject: [PATCH 1/3] bsc1221050: libct/seccomp/patchbpf: rm duplicated code
|
||||
|
||||
(This is a cherry-pick of 2cd05e44b662fb79c46d5ebfd6c71e9ebc98d40c.)
|
||||
|
||||
In findLastSyscalls, we convert libseccomp.ArchNative to the real
|
||||
libseccomp architecture, but archToNative already does that, so
|
||||
this code is redundant.
|
||||
|
||||
Remove the redundant code, and move its comment to archToNative.
|
||||
|
||||
Fixes: 7a8d7162f
|
||||
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
|
||||
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
|
||||
---
|
||||
libcontainer/seccomp/patchbpf/enosys_linux.go | 10 ----------
|
||||
1 file changed, 10 deletions(-)
|
||||
|
||||
diff --git a/libcontainer/seccomp/patchbpf/enosys_linux.go b/libcontainer/seccomp/patchbpf/enosys_linux.go
|
||||
index efe6dca58b21..c9c1d4ccb685 100644
|
||||
--- a/libcontainer/seccomp/patchbpf/enosys_linux.go
|
||||
+++ b/libcontainer/seccomp/patchbpf/enosys_linux.go
|
||||
@@ -233,16 +233,6 @@ func findLastSyscalls(config *configs.Seccomp) (lastSyscallMap, error) {
|
||||
return nil, fmt.Errorf("unable to validate seccomp architecture: %w", err)
|
||||
}
|
||||
|
||||
- // Map native architecture to a real architecture value to avoid
|
||||
- // doubling-up the lastSyscall mapping.
|
||||
- if arch == libseccomp.ArchNative {
|
||||
- nativeArch, err := libseccomp.GetNativeArch()
|
||||
- if err != nil {
|
||||
- return nil, fmt.Errorf("unable to get native architecture: %w", err)
|
||||
- }
|
||||
- arch = nativeArch
|
||||
- }
|
||||
-
|
||||
// Figure out native architecture representation of the architecture.
|
||||
nativeArch, err := archToNative(arch)
|
||||
if err != nil {
|
||||
--
|
||||
2.44.0
|
||||
|
@ -1,289 +0,0 @@
|
||||
From de510c0c092bae47cdc1b54da25544c3e101e6ec Mon Sep 17 00:00:00 2001
|
||||
From: Aleksa Sarai <cyphar@cyphar.com>
|
||||
Date: Wed, 13 Mar 2024 13:40:16 +1100
|
||||
Subject: [PATCH 2/3] bsc1221050: seccomp: patchbpf: rename nativeArch ->
|
||||
linuxAuditArch
|
||||
|
||||
(This is a backport of 6167f5ffc3e3fd53e6a41a2effa592a4873ad046.)
|
||||
|
||||
Calling the Linux AUDIT_* architecture constants "native" leads to
|
||||
confusing code when we are getting the actual native architecture of the
|
||||
running system.
|
||||
|
||||
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
|
||||
---
|
||||
libcontainer/seccomp/patchbpf/enosys_linux.go | 81 ++++++++++---------
|
||||
.../seccomp/patchbpf/enosys_linux_test.go | 16 ++--
|
||||
2 files changed, 49 insertions(+), 48 deletions(-)
|
||||
|
||||
diff --git a/libcontainer/seccomp/patchbpf/enosys_linux.go b/libcontainer/seccomp/patchbpf/enosys_linux.go
|
||||
index c9c1d4ccb685..1b67fda85c64 100644
|
||||
--- a/libcontainer/seccomp/patchbpf/enosys_linux.go
|
||||
+++ b/libcontainer/seccomp/patchbpf/enosys_linux.go
|
||||
@@ -164,11 +164,11 @@ func disassembleFilter(filter *libseccomp.ScmpFilter) ([]bpf.Instruction, error)
|
||||
return program, nil
|
||||
}
|
||||
|
||||
-type nativeArch uint32
|
||||
+type linuxAuditArch uint32
|
||||
|
||||
-const invalidArch nativeArch = 0
|
||||
+const invalidArch linuxAuditArch = 0
|
||||
|
||||
-func archToNative(arch libseccomp.ScmpArch) (nativeArch, error) {
|
||||
+func scmpArchToAuditArch(arch libseccomp.ScmpArch) (linuxAuditArch, error) {
|
||||
switch arch {
|
||||
case libseccomp.ArchNative:
|
||||
// Convert to actual native architecture.
|
||||
@@ -176,48 +176,48 @@ func archToNative(arch libseccomp.ScmpArch) (nativeArch, error) {
|
||||
if err != nil {
|
||||
return invalidArch, fmt.Errorf("unable to get native arch: %w", err)
|
||||
}
|
||||
- return archToNative(arch)
|
||||
+ return scmpArchToAuditArch(arch)
|
||||
case libseccomp.ArchX86:
|
||||
- return nativeArch(C.C_AUDIT_ARCH_I386), nil
|
||||
+ return linuxAuditArch(C.C_AUDIT_ARCH_I386), nil
|
||||
case libseccomp.ArchAMD64, libseccomp.ArchX32:
|
||||
// NOTE: x32 is treated like x86_64 except all x32 syscalls have the
|
||||
// 30th bit of the syscall number set to indicate that it's not a
|
||||
// normal x86_64 syscall.
|
||||
- return nativeArch(C.C_AUDIT_ARCH_X86_64), nil
|
||||
+ return linuxAuditArch(C.C_AUDIT_ARCH_X86_64), nil
|
||||
case libseccomp.ArchARM:
|
||||
- return nativeArch(C.C_AUDIT_ARCH_ARM), nil
|
||||
+ return linuxAuditArch(C.C_AUDIT_ARCH_ARM), nil
|
||||
case libseccomp.ArchARM64:
|
||||
- return nativeArch(C.C_AUDIT_ARCH_AARCH64), nil
|
||||
+ return linuxAuditArch(C.C_AUDIT_ARCH_AARCH64), nil
|
||||
case libseccomp.ArchMIPS:
|
||||
- return nativeArch(C.C_AUDIT_ARCH_MIPS), nil
|
||||
+ return linuxAuditArch(C.C_AUDIT_ARCH_MIPS), nil
|
||||
case libseccomp.ArchMIPS64:
|
||||
- return nativeArch(C.C_AUDIT_ARCH_MIPS64), nil
|
||||
+ return linuxAuditArch(C.C_AUDIT_ARCH_MIPS64), nil
|
||||
case libseccomp.ArchMIPS64N32:
|
||||
- return nativeArch(C.C_AUDIT_ARCH_MIPS64N32), nil
|
||||
+ return linuxAuditArch(C.C_AUDIT_ARCH_MIPS64N32), nil
|
||||
case libseccomp.ArchMIPSEL:
|
||||
- return nativeArch(C.C_AUDIT_ARCH_MIPSEL), nil
|
||||
+ return linuxAuditArch(C.C_AUDIT_ARCH_MIPSEL), nil
|
||||
case libseccomp.ArchMIPSEL64:
|
||||
- return nativeArch(C.C_AUDIT_ARCH_MIPSEL64), nil
|
||||
+ return linuxAuditArch(C.C_AUDIT_ARCH_MIPSEL64), nil
|
||||
case libseccomp.ArchMIPSEL64N32:
|
||||
- return nativeArch(C.C_AUDIT_ARCH_MIPSEL64N32), nil
|
||||
+ return linuxAuditArch(C.C_AUDIT_ARCH_MIPSEL64N32), nil
|
||||
case libseccomp.ArchPPC:
|
||||
- return nativeArch(C.C_AUDIT_ARCH_PPC), nil
|
||||
+ return linuxAuditArch(C.C_AUDIT_ARCH_PPC), nil
|
||||
case libseccomp.ArchPPC64:
|
||||
- return nativeArch(C.C_AUDIT_ARCH_PPC64), nil
|
||||
+ return linuxAuditArch(C.C_AUDIT_ARCH_PPC64), nil
|
||||
case libseccomp.ArchPPC64LE:
|
||||
- return nativeArch(C.C_AUDIT_ARCH_PPC64LE), nil
|
||||
+ return linuxAuditArch(C.C_AUDIT_ARCH_PPC64LE), nil
|
||||
case libseccomp.ArchS390:
|
||||
- return nativeArch(C.C_AUDIT_ARCH_S390), nil
|
||||
+ return linuxAuditArch(C.C_AUDIT_ARCH_S390), nil
|
||||
case libseccomp.ArchS390X:
|
||||
- return nativeArch(C.C_AUDIT_ARCH_S390X), nil
|
||||
+ return linuxAuditArch(C.C_AUDIT_ARCH_S390X), nil
|
||||
case libseccomp.ArchRISCV64:
|
||||
- return nativeArch(C.C_AUDIT_ARCH_RISCV64), nil
|
||||
+ return linuxAuditArch(C.C_AUDIT_ARCH_RISCV64), nil
|
||||
default:
|
||||
return invalidArch, fmt.Errorf("unknown architecture: %v", arch)
|
||||
}
|
||||
}
|
||||
|
||||
-type lastSyscallMap map[nativeArch]map[libseccomp.ScmpArch]libseccomp.ScmpSyscall
|
||||
+type lastSyscallMap map[linuxAuditArch]map[libseccomp.ScmpArch]libseccomp.ScmpSyscall
|
||||
|
||||
// Figure out largest syscall number referenced in the filter for each
|
||||
// architecture. We will be generating code based on the native architecture
|
||||
@@ -234,17 +234,17 @@ func findLastSyscalls(config *configs.Seccomp) (lastSyscallMap, error) {
|
||||
}
|
||||
|
||||
// Figure out native architecture representation of the architecture.
|
||||
- nativeArch, err := archToNative(arch)
|
||||
+ auditArch, err := scmpArchToAuditArch(arch)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("cannot map architecture %v to AUDIT_ARCH_ constant: %w", arch, err)
|
||||
}
|
||||
|
||||
- if _, ok := lastSyscalls[nativeArch]; !ok {
|
||||
- lastSyscalls[nativeArch] = map[libseccomp.ScmpArch]libseccomp.ScmpSyscall{}
|
||||
+ if _, ok := lastSyscalls[auditArch]; !ok {
|
||||
+ lastSyscalls[auditArch] = map[libseccomp.ScmpArch]libseccomp.ScmpSyscall{}
|
||||
}
|
||||
- if _, ok := lastSyscalls[nativeArch][arch]; ok {
|
||||
+ if _, ok := lastSyscalls[auditArch][arch]; ok {
|
||||
// Because of ArchNative we may hit the same entry multiple times.
|
||||
- // Just skip it if we've seen this (nativeArch, ScmpArch)
|
||||
+ // Just skip it if we've seen this (linuxAuditArch, ScmpArch)
|
||||
// combination before.
|
||||
continue
|
||||
}
|
||||
@@ -262,10 +262,11 @@ func findLastSyscalls(config *configs.Seccomp) (lastSyscallMap, error) {
|
||||
}
|
||||
}
|
||||
if largestSyscall != 0 {
|
||||
- lastSyscalls[nativeArch][arch] = largestSyscall
|
||||
+ logrus.Debugf("seccomp: largest syscall number for arch %v is %v", arch, largestSyscall)
|
||||
+ lastSyscalls[auditArch][arch] = largestSyscall
|
||||
} else {
|
||||
- logrus.Warnf("could not find any syscalls for arch %s", ociArch)
|
||||
- delete(lastSyscalls[nativeArch], arch)
|
||||
+ logrus.Warnf("could not find any syscalls for arch %v", arch)
|
||||
+ delete(lastSyscalls[auditArch], arch)
|
||||
}
|
||||
}
|
||||
return lastSyscalls, nil
|
||||
@@ -283,10 +284,10 @@ func findLastSyscalls(config *configs.Seccomp) (lastSyscallMap, error) {
|
||||
// close_range(2) which were added out-of-order in the syscall table between
|
||||
// kernel releases.
|
||||
func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error) {
|
||||
- // A jump-table for each nativeArch used to generate the initial
|
||||
+ // A jump-table for each linuxAuditArch used to generate the initial
|
||||
// conditional jumps -- measured from the *END* of the program so they
|
||||
// remain valid after prepending to the tail.
|
||||
- archJumpTable := map[nativeArch]uint32{}
|
||||
+ archJumpTable := map[linuxAuditArch]uint32{}
|
||||
|
||||
// Generate our own -ENOSYS rules for each architecture. They have to be
|
||||
// generated in reverse (prepended to the tail of the program) because the
|
||||
@@ -299,7 +300,7 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error)
|
||||
}
|
||||
|
||||
// Generate the syscall -ENOSYS rules.
|
||||
- for nativeArch, maxSyscalls := range lastSyscalls {
|
||||
+ for auditArch, maxSyscalls := range lastSyscalls {
|
||||
// The number of instructions from the tail of this section which need
|
||||
// to be jumped in order to reach the -ENOSYS return. If the section
|
||||
// does not jump, it will fall through to the actual filter.
|
||||
@@ -380,7 +381,7 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error)
|
||||
|
||||
// If we're on x86 we need to add a check for x32 and if we're in
|
||||
// the wrong mode we jump over the section.
|
||||
- if uint32(nativeArch) == uint32(C.C_AUDIT_ARCH_X86_64) {
|
||||
+ if uint32(auditArch) == uint32(C.C_AUDIT_ARCH_X86_64) {
|
||||
// Generate a prefix to check the mode.
|
||||
switch scmpArch {
|
||||
case libseccomp.ArchAMD64:
|
||||
@@ -409,8 +410,8 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error)
|
||||
section = append(section, sectionTail...)
|
||||
case 2:
|
||||
// x32 and x86_64 are a unique case, we can't handle any others.
|
||||
- if uint32(nativeArch) != uint32(C.C_AUDIT_ARCH_X86_64) {
|
||||
- return nil, fmt.Errorf("unknown architecture overlap on native arch %#x", nativeArch)
|
||||
+ if uint32(auditArch) != uint32(C.C_AUDIT_ARCH_X86_64) {
|
||||
+ return nil, fmt.Errorf("unknown architecture overlap on native arch %#x", auditArch)
|
||||
}
|
||||
|
||||
x32sysno, ok := maxSyscalls[libseccomp.ArchX32]
|
||||
@@ -487,7 +488,7 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error)
|
||||
programTail = append(section, programTail...)
|
||||
|
||||
// Update jump table.
|
||||
- archJumpTable[nativeArch] = uint32(len(programTail))
|
||||
+ archJumpTable[auditArch] = uint32(len(programTail))
|
||||
}
|
||||
|
||||
// Add a dummy "jump to filter" for any architecture we might miss below.
|
||||
@@ -507,9 +508,9 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error)
|
||||
// architectures based on how large the jumps are going to be, or
|
||||
// re-sort the candidate architectures each time to make sure that we
|
||||
// pick the largest jump which is going to be smaller than 255.
|
||||
- for nativeArch := range lastSyscalls {
|
||||
+ for auditArch := range lastSyscalls {
|
||||
// We jump forwards but the jump table is calculated from the *END*.
|
||||
- jump := uint32(len(programTail)) - archJumpTable[nativeArch]
|
||||
+ jump := uint32(len(programTail)) - archJumpTable[auditArch]
|
||||
|
||||
// Same routine as above -- this is a basic jeq check, complicated
|
||||
// slightly if it turns out that we need to do a long jump.
|
||||
@@ -518,7 +519,7 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error)
|
||||
// jeq [arch],[jump]
|
||||
bpf.JumpIf{
|
||||
Cond: bpf.JumpEqual,
|
||||
- Val: uint32(nativeArch),
|
||||
+ Val: uint32(auditArch),
|
||||
SkipTrue: uint8(jump),
|
||||
},
|
||||
}, programTail...)
|
||||
@@ -527,7 +528,7 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error)
|
||||
// jne [arch],1
|
||||
bpf.JumpIf{
|
||||
Cond: bpf.JumpNotEqual,
|
||||
- Val: uint32(nativeArch),
|
||||
+ Val: uint32(auditArch),
|
||||
SkipTrue: 1,
|
||||
},
|
||||
// ja [jump]
|
||||
diff --git a/libcontainer/seccomp/patchbpf/enosys_linux_test.go b/libcontainer/seccomp/patchbpf/enosys_linux_test.go
|
||||
index e2d363a43bd3..bdfeff68adb3 100644
|
||||
--- a/libcontainer/seccomp/patchbpf/enosys_linux_test.go
|
||||
+++ b/libcontainer/seccomp/patchbpf/enosys_linux_test.go
|
||||
@@ -23,7 +23,7 @@ type seccompData struct {
|
||||
}
|
||||
|
||||
// mockSyscallPayload creates a fake seccomp_data struct with the given data.
|
||||
-func mockSyscallPayload(t *testing.T, sysno libseccomp.ScmpSyscall, arch nativeArch, args ...uint64) []byte {
|
||||
+func mockSyscallPayload(t *testing.T, sysno libseccomp.ScmpSyscall, arch linuxAuditArch, args ...uint64) []byte {
|
||||
var buf bytes.Buffer
|
||||
|
||||
data := seccompData{
|
||||
@@ -150,8 +150,8 @@ func testEnosysStub(t *testing.T, defaultAction configs.Action, arches []string)
|
||||
|
||||
for _, arch := range testArches {
|
||||
type syscallTest struct {
|
||||
- syscall string
|
||||
sysno libseccomp.ScmpSyscall
|
||||
+ syscall string
|
||||
expected uint32
|
||||
}
|
||||
|
||||
@@ -160,7 +160,7 @@ func testEnosysStub(t *testing.T, defaultAction configs.Action, arches []string)
|
||||
t.Fatalf("unknown libseccomp architecture %q: %v", arch, err)
|
||||
}
|
||||
|
||||
- nativeArch, err := archToNative(scmpArch)
|
||||
+ auditArch, err := scmpArchToAuditArch(scmpArch)
|
||||
if err != nil {
|
||||
t.Fatalf("unknown audit architecture %q: %v", arch, err)
|
||||
}
|
||||
@@ -179,9 +179,9 @@ func testEnosysStub(t *testing.T, defaultAction configs.Action, arches []string)
|
||||
t.Fatalf("unknown syscall %q on arch %q: %v", syscall, arch, err)
|
||||
}
|
||||
syscallTests = append(syscallTests, syscallTest{
|
||||
- syscall,
|
||||
- sysno,
|
||||
- expected,
|
||||
+ sysno: sysno,
|
||||
+ syscall: syscall,
|
||||
+ expected: expected,
|
||||
})
|
||||
}
|
||||
|
||||
@@ -233,7 +233,7 @@ func testEnosysStub(t *testing.T, defaultAction configs.Action, arches []string)
|
||||
test.expected = retFallthrough
|
||||
}
|
||||
|
||||
- payload := mockSyscallPayload(t, test.sysno, nativeArch, 0x1337, 0xF00BA5)
|
||||
+ payload := mockSyscallPayload(t, test.sysno, auditArch, 0x1337, 0xF00BA5)
|
||||
// NOTE: golang.org/x/net/bpf returns int here rather
|
||||
// than uint32.
|
||||
rawRet, err := filter.Run(payload)
|
||||
@@ -247,7 +247,7 @@ func testEnosysStub(t *testing.T, defaultAction configs.Action, arches []string)
|
||||
t.Logf(" [%4.1d] %s", idx, insn)
|
||||
}
|
||||
t.Logf("payload: %#v", payload)
|
||||
- t.Errorf("filter %s(%d) %q(%d): got %#x, want %#x", arch, nativeArch, test.syscall, test.sysno, ret, test.expected)
|
||||
+ t.Errorf("filter %s(%d) %q(%d): got %#x, want %#x", arch, auditArch, test.syscall, test.sysno, ret, test.expected)
|
||||
}
|
||||
}
|
||||
}
|
||||
--
|
||||
2.44.0
|
||||
|
@ -1,162 +0,0 @@
|
||||
From d8014991cb2555c17a8828d664a4b7b3924b1e9b Mon Sep 17 00:00:00 2001
|
||||
From: Aleksa Sarai <cyphar@cyphar.com>
|
||||
Date: Wed, 13 Mar 2024 16:12:51 +1100
|
||||
Subject: [PATCH 3/3] bsc1221050: seccomp: patchbpf: always include native
|
||||
architecture in stub
|
||||
|
||||
(This is a backport of 376417ba7646f05ddb1efa8fe30e2a3b53cf673b.)
|
||||
|
||||
It turns out that on ppc64le (at least), Docker doesn't include any
|
||||
architectures in the list of allowed architectures. libseccomp
|
||||
interprets this as "just include the default architecture" but patchbpf
|
||||
would return a no-op ENOSYS stub, which would lead to the exact issues
|
||||
that commit 7a8d7162f9d7 ("seccomp: prepend -ENOSYS stub to all
|
||||
filters") fixed for other architectures.
|
||||
|
||||
So, just always include the running architecture in the list. There's
|
||||
no real downside.
|
||||
|
||||
SUSE-Bugs: 1192051 1221050
|
||||
Ref: https://bugzilla.suse.com/show_bug.cgi?id=1192051#c6
|
||||
Reported-by: Fabian Vogt <fvogt@suse.com>
|
||||
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
|
||||
---
|
||||
libcontainer/seccomp/patchbpf/enosys_linux.go | 22 +++++++--
|
||||
.../seccomp/patchbpf/enosys_linux_test.go | 47 +++++++++++++++++--
|
||||
2 files changed, 61 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/libcontainer/seccomp/patchbpf/enosys_linux.go b/libcontainer/seccomp/patchbpf/enosys_linux.go
|
||||
index 1b67fda85c64..d459ba8792ca 100644
|
||||
--- a/libcontainer/seccomp/patchbpf/enosys_linux.go
|
||||
+++ b/libcontainer/seccomp/patchbpf/enosys_linux.go
|
||||
@@ -224,16 +224,30 @@ type lastSyscallMap map[linuxAuditArch]map[libseccomp.ScmpArch]libseccomp.ScmpSy
|
||||
// representation, but SCMP_ARCH_X32 means we have to track cases where the
|
||||
// same architecture has different largest syscalls based on the mode.
|
||||
func findLastSyscalls(config *configs.Seccomp) (lastSyscallMap, error) {
|
||||
- lastSyscalls := make(lastSyscallMap)
|
||||
- // Only loop over architectures which are present in the filter. Any other
|
||||
- // architectures will get the libseccomp bad architecture action anyway.
|
||||
+ scmpArchs := make(map[libseccomp.ScmpArch]struct{})
|
||||
for _, ociArch := range config.Architectures {
|
||||
arch, err := libseccomp.GetArchFromString(ociArch)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to validate seccomp architecture: %w", err)
|
||||
}
|
||||
+ scmpArchs[arch] = struct{}{}
|
||||
+ }
|
||||
+ // On architectures like ppc64le, Docker inexplicably doesn't include the
|
||||
+ // native architecture in the architecture list which results in no
|
||||
+ // architectures being present in the list at all (rendering the ENOSYS
|
||||
+ // stub a no-op). So, always include the native architecture.
|
||||
+ if nativeScmpArch, err := libseccomp.GetNativeArch(); err != nil {
|
||||
+ return nil, fmt.Errorf("unable to get native arch: %w", err)
|
||||
+ } else if _, ok := scmpArchs[nativeScmpArch]; !ok {
|
||||
+ logrus.Debugf("seccomp: adding implied native architecture %v to config set", nativeScmpArch)
|
||||
+ scmpArchs[nativeScmpArch] = struct{}{}
|
||||
+ }
|
||||
+ logrus.Debugf("seccomp: configured architecture set: %s", scmpArchs)
|
||||
|
||||
- // Figure out native architecture representation of the architecture.
|
||||
+ // Only loop over architectures which are present in the filter. Any other
|
||||
+ // architectures will get the libseccomp bad architecture action anyway.
|
||||
+ lastSyscalls := make(lastSyscallMap)
|
||||
+ for arch := range scmpArchs {
|
||||
auditArch, err := scmpArchToAuditArch(arch)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("cannot map architecture %v to AUDIT_ARCH_ constant: %w", arch, err)
|
||||
diff --git a/libcontainer/seccomp/patchbpf/enosys_linux_test.go b/libcontainer/seccomp/patchbpf/enosys_linux_test.go
|
||||
index bdfeff68adb3..3d442e1daa66 100644
|
||||
--- a/libcontainer/seccomp/patchbpf/enosys_linux_test.go
|
||||
+++ b/libcontainer/seccomp/patchbpf/enosys_linux_test.go
|
||||
@@ -12,6 +12,7 @@ import (
|
||||
"github.com/opencontainers/runc/libcontainer/configs"
|
||||
|
||||
libseccomp "github.com/seccomp/libseccomp-golang"
|
||||
+ "github.com/sirupsen/logrus"
|
||||
"golang.org/x/net/bpf"
|
||||
)
|
||||
|
||||
@@ -105,6 +106,18 @@ var testArches = []string{
|
||||
"ppc64le",
|
||||
"s390",
|
||||
"s390x",
|
||||
+ // Dummy value to indicate a configuration with no architecture specified.
|
||||
+ "native",
|
||||
+}
|
||||
+
|
||||
+var nativeArch string
|
||||
+
|
||||
+func init() {
|
||||
+ scmpNativeArch, err := libseccomp.GetNativeArch()
|
||||
+ if err != nil {
|
||||
+ logrus.Panicf("get native arch: %v", err)
|
||||
+ }
|
||||
+ nativeArch = scmpNativeArch.String()
|
||||
}
|
||||
|
||||
func testEnosysStub(t *testing.T, defaultAction configs.Action, arches []string) {
|
||||
@@ -155,6 +168,9 @@ func testEnosysStub(t *testing.T, defaultAction configs.Action, arches []string)
|
||||
expected uint32
|
||||
}
|
||||
|
||||
+ if arch == "native" {
|
||||
+ arch = nativeArch
|
||||
+ }
|
||||
scmpArch, err := libseccomp.GetArchFromString(arch)
|
||||
if err != nil {
|
||||
t.Fatalf("unknown libseccomp architecture %q: %v", arch, err)
|
||||
@@ -228,8 +244,15 @@ func testEnosysStub(t *testing.T, defaultAction configs.Action, arches []string)
|
||||
|
||||
// Test syscalls in the explicit list.
|
||||
for _, test := range syscallTests {
|
||||
- // Override the expected value in the two special cases.
|
||||
- if !archSet[arch] || isAllowAction(defaultAction) {
|
||||
+ // Override the expected value in the two special cases:
|
||||
+ // 1. If the default action is allow, the filter won't have
|
||||
+ // the stub prepended so we expect a fallthrough.
|
||||
+ // 2. If the executing architecture is not in the architecture
|
||||
+ // set, then the architecture is not handled by the stub --
|
||||
+ // *except* in the case of the native architecture (which
|
||||
+ // is always included in the stub).
|
||||
+ if isAllowAction(defaultAction) ||
|
||||
+ (!archSet[arch] && arch != nativeArch) {
|
||||
test.expected = retFallthrough
|
||||
}
|
||||
|
||||
@@ -263,7 +286,14 @@ var testActions = map[string]configs.Action{
|
||||
|
||||
func TestEnosysStub_SingleArch(t *testing.T) {
|
||||
for _, arch := range testArches {
|
||||
- arches := []string{arch}
|
||||
+ var arches []string
|
||||
+ // "native" indicates a blank architecture field for seccomp, to test
|
||||
+ // the case where the running architecture was not included in the
|
||||
+ // architecture. Docker doesn't always set the architecture for some
|
||||
+ // reason (namely for ppc64le).
|
||||
+ if arch != "native" {
|
||||
+ arches = append(arches, arch)
|
||||
+ }
|
||||
t.Run("arch="+arch, func(t *testing.T) {
|
||||
for name, action := range testActions {
|
||||
t.Run("action="+name, func(t *testing.T) {
|
||||
@@ -277,7 +307,16 @@ func TestEnosysStub_SingleArch(t *testing.T) {
|
||||
func TestEnosysStub_MultiArch(t *testing.T) {
|
||||
for end := 0; end < len(testArches); end++ {
|
||||
for start := 0; start < end; start++ {
|
||||
- arches := testArches[start:end]
|
||||
+ var arches []string
|
||||
+ for _, arch := range testArches[start:end] {
|
||||
+ // "native" indicates a blank architecture field for seccomp, to test
|
||||
+ // the case where the running architecture was not included in the
|
||||
+ // architecture. Docker doesn't always set the architecture for some
|
||||
+ // reason (namely for ppc64le).
|
||||
+ if arch != "native" {
|
||||
+ arches = append(arches, arch)
|
||||
+ }
|
||||
+ }
|
||||
if len(arches) <= 1 {
|
||||
continue
|
||||
}
|
||||
--
|
||||
2.44.0
|
||||
|
BIN
runc-1.1.12.tar.xz
(Stored with Git LFS)
BIN
runc-1.1.12.tar.xz
(Stored with Git LFS)
Binary file not shown.
@ -1,17 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQJEBAABCAAuFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAmWvvCcQHGFzYXJhaUBz
|
||||
dXNlLmNvbQAKCRCeGKomfduNtG2oD/9yLwYdfbx4GU31kCuvTS3odH8XyplL4QLl
|
||||
TszoLO/50z/Y9r0QBNuLsDDvAWtsJAYTsRIwEwDgUuziHnbkbHCnE2C+6P7OWUKp
|
||||
7VS1mqWzWeVibt0hYBWcooJb8inA/ctwfppZlH8EnTdoyqp0bAuQKtj2muA+LTvN
|
||||
n/19qZ0/zAvErya5ugZCfnpJngOM0W//F5OSE/DKI3ct6o3AilxlzlhZuwkiYQud
|
||||
nwS5j4CvQp7GkJeuwDluUHGmsT8AW6P3McptS/BcT4wUKWhxcntJG1cdiZOFTW84
|
||||
3CLdwMPGQR0SVK5yPMbKogRtglODEW82Ytp4S8BB9sG5PS5rBsvnApSQxFluRMQT
|
||||
oaQsEKwPS+VSUwf44QR42iF3fB8dxmmmcautr5yaUiSx4DdFGj9jjrbMa9YCk2da
|
||||
J/5ExwJv5nP5R+uwOiH3ziZuFuuH1afbGLrT2ouv61/SMGiYiLEAyiegF94Zg2nu
|
||||
5RvMUz33LpEckLrlNN5u9q+/jbfJmZAUtdVafKQQTBRFKPCyHjOroKM11PzoHX6l
|
||||
3dsyEPbEfowZ+uM2z9wCfub529fNF8t9k9sUAIQsma5p7+l7xJMbOua2kd1kGiQU
|
||||
ec19+KD6ka4NHyDRwxe0iM6/AuFlKKUUTVGZjg2bD+ap0qgDjZ3R5lTmI1pJ8Win
|
||||
wfoEKZCm+A==
|
||||
=Sl8m
|
||||
-----END PGP SIGNATURE-----
|
3
runc-1.2.0-rc.1.tar.xz
Normal file
3
runc-1.2.0-rc.1.tar.xz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:3f6fed97bf5db1d4eac43b622a62379e07f3f73dd1c3e5ee5c0f82a1c960e1f7
|
||||
size 1603252
|
17
runc-1.2.0-rc.1.tar.xz.asc
Normal file
17
runc-1.2.0-rc.1.tar.xz.asc
Normal file
@ -0,0 +1,17 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQJEBAABCAAuFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAmYNM/MQHGFzYXJhaUBz
|
||||
dXNlLmNvbQAKCRCeGKomfduNtLTvEACihuWRg3CBLJuZFnV5YMkgYO1nhNfcY0TX
|
||||
BJWqrjleSkyhrWWNeGPmCLGvCLzQtk+pQzC8T2lN3/y4VNIsdSUrGrMP6uSh3uKu
|
||||
TF/IMBL5HJmowv+6RYcKb0kq9ta1lFR8LL63o7hn45xu5ZsnQGwEz+nI4IbrYRjr
|
||||
zPyYD5GQgkjFzBeHUb5BcbGNgZ62XTyyhZgUH8D/2+X9B/xqK6RKZ+dEVD4rU/nj
|
||||
rQafX4GHg+20OsmUj5AoE+nXkP98YyM33Nh9RQKNdDwS/OZ8lh24BtN4635VRINA
|
||||
EsCLKZKAb9Eu0Wqs/b0k8RsWblNEg/fDPvTg8bBJI6tIldVa8K4mqk6tOYL1zZzD
|
||||
33F5lhpNdstajFZuehXDHDqhDAQmJ0GAHDFeGZo7Am7wTmxSNNZ0gpo1zcWl9Y/D
|
||||
xW12H/oYtMwaj3MrtmlN+Os3V4pm16FgFM6LuPAR79FrXpu1l30D1wkVvQsp5pkD
|
||||
XaUxLw6kYzt5Z/PB13L7QccxojRDJtFCDf2n4DLHJWI/qFe57qYCwD0TP/gIDkOA
|
||||
HE4t7UU6lygPwIbc+0Zc5S7zOI3/CBgq1IWoMiZamAEs3FzPwt4jC3Czq9zemHPU
|
||||
7gyjR5rTVTJu9OOCVhyegxqD2fOxMOEKITAHrKIN+qnQkXAQ5gXeY4mHWr02tkkW
|
||||
7rsh+eQR2A==
|
||||
=io9I
|
||||
-----END PGP SIGNATURE-----
|
10
runc.changes
10
runc.changes
@ -1,3 +1,13 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Apr 4 05:04:27 UTC 2024 - Aleksa Sarai <asarai@suse.com>
|
||||
|
||||
- Update to runc v1.2.0~rc1. Upstream changelog is available from
|
||||
<https://github.com/opencontainers/runc/releases/tag/v1.2.0-rc.1>.
|
||||
- Remove upstreamed patches.
|
||||
- 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch
|
||||
- 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch
|
||||
- 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Mar 21 03:46:48 UTC 2024 - Aleksa Sarai <asarai@suse.com>
|
||||
|
||||
|
21
runc.spec
21
runc.spec
@ -18,25 +18,24 @@
|
||||
|
||||
|
||||
# MANUAL: Make sure you update this each time you update runc.
|
||||
%define git_version 51d5e94601ceffbbd85688df1c928ecccbfa4685
|
||||
%define git_short 51d5e94601ce
|
||||
%define git_version 275e6d85f78a9d0a90d9a714ba5f667561a4b0b9
|
||||
%define git_short 275e6d85f78a
|
||||
|
||||
%define project github.com/opencontainers/runc
|
||||
|
||||
Name: runc
|
||||
Version: 1.1.12
|
||||
# RPM doesn't handle semver rc releases nicely, so for rc releases we need to
|
||||
# do something different.
|
||||
%define upstream_version 1.2.0-rc.1
|
||||
Version: 1.2.0~rc1
|
||||
Release: 0
|
||||
Summary: Tool for spawning and running OCI containers
|
||||
License: Apache-2.0
|
||||
Group: System/Management
|
||||
URL: https://github.com/opencontainers/runc
|
||||
Source0: https://github.com/opencontainers/runc/releases/download/v%{version}/runc.tar.xz#/runc-%{version}.tar.xz
|
||||
Source1: https://github.com/opencontainers/runc/releases/download/v%{version}/runc.tar.xz.asc#/runc-%{version}.tar.xz.asc
|
||||
Source0: https://github.com/opencontainers/runc/releases/download/v%{upstream_version}/runc.tar.xz#/runc-%{upstream_version}.tar.xz
|
||||
Source1: https://github.com/opencontainers/runc/releases/download/v%{upstream_version}/runc.tar.xz.asc#/runc-%{upstream_version}.tar.xz.asc
|
||||
Source2: runc.keyring
|
||||
# SUSE-FIX-UPSTREAM: Backport of <https://github.com/opencontainers/runc/pull/4219>. bsc#1221050
|
||||
Patch10: 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch
|
||||
Patch11: 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch
|
||||
Patch12: 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch
|
||||
BuildRequires: diffutils
|
||||
BuildRequires: fdupes
|
||||
BuildRequires: go
|
||||
@ -58,7 +57,7 @@ Obsoletes: docker-runc_50a19c6
|
||||
ExcludeArch: s390
|
||||
|
||||
# Construct "git describe --dirty --long --always".
|
||||
%define git_describe v%{version}-0-g%{git_short}
|
||||
%define git_describe v%{upstream_version}-0-g%{git_short}
|
||||
|
||||
%description
|
||||
runc is a CLI tool for spawning and running containers according to the OCI
|
||||
@ -67,7 +66,7 @@ of Docker. It was originally designed to be a replacement for LXC within Docker,
|
||||
and has grown to become a separate project entirely.
|
||||
|
||||
%prep
|
||||
%setup -q -n %{name}-%{version}
|
||||
%setup -q -n %{name}-%{upstream_version}
|
||||
%autopatch -p1
|
||||
|
||||
%build
|
||||
|
Loading…
Reference in New Issue
Block a user