From 7ca4f99483a7ace8995a3503cff9e4dca6cd2ef3 Mon Sep 17 00:00:00 2001 From: Maria Shaldybin Date: Wed, 6 Nov 2024 20:02:42 +0000 Subject: [PATCH] Pin opencontainers/runc to 1.1.14 Inigo test is failing to set memory with "device is busy" error. It looks like 1.1.15 has an issue where process joins cgroup before the setup is finished - https://github.com/opencontainers/runc/pull/4439 --- go.mod | 2 +- go.sum | 4 +- .../code.cloudfoundry.org/garden/container.go | 4 +- .../idmapper/idmapping.go | 2 +- .../opencontainers/runc/CHANGELOG.md | 30 +---- vendor/github.com/opencontainers/runc/VERSION | 2 +- .../runc/libcontainer/nsenter/cloned_binary.c | 67 +++++++++++ .../runc/libcontainer/rootfs_linux.go | 68 +++++++---- .../seccomp/patchbpf/enosys_linux.go | 113 +++++++++--------- vendor/modules.txt | 4 +- 10 files changed, 179 insertions(+), 117 deletions(-) diff --git a/go.mod b/go.mod index 16927c5e9..663014ad6 100644 --- a/go.mod +++ b/go.mod @@ -7,7 +7,7 @@ replace ( // TODO: when bumping to containerd 2.0, remove these pins github.com/Microsoft/hcsshim => github.com/Microsoft/hcsshim v0.11.7 github.com/containerd/go-runc => github.com/containerd/go-runc v1.0.0 - github.com/opencontainers/runc => github.com/opencontainers/runc v1.1.15 + github.com/opencontainers/runc => github.com/opencontainers/runc v1.1.14 ) require ( diff --git a/go.sum b/go.sum index 8f4335a6f..2ddafaafd 100644 --- a/go.sum +++ b/go.sum @@ -1560,8 +1560,8 @@ github.com/opencontainers/image-spec v1.1.0-rc2/go.mod h1:3OVijpioIKYWTqjiG0zfF6 github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b/go.mod h1:3OVijpioIKYWTqjiG0zfF6wvoJ4fAXGbjdZuI2NgsRQ= github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= -github.com/opencontainers/runc v1.1.15 h1:QMmSU2q1YUg3iOJX11phnaDi2A5/zhx4BR6h+XZ1DMA= -github.com/opencontainers/runc v1.1.15/go.mod h1:E4C2z+7BxR7GHXp0hAY53mek+x49X1LjPNeMTfRGvOA= +github.com/opencontainers/runc v1.1.14 h1:rgSuzbmgz5DUJjeSnw337TxDbRuqjs6iqQck/2weR6w= +github.com/opencontainers/runc v1.1.14/go.mod h1:E4C2z+7BxR7GHXp0hAY53mek+x49X1LjPNeMTfRGvOA= github.com/opencontainers/runtime-spec v1.0.2-0.20190207185410-29686dbc5559/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-spec v1.0.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-spec v1.0.3-0.20200929063507-e6143ca7d51d/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= diff --git a/vendor/code.cloudfoundry.org/garden/container.go b/vendor/code.cloudfoundry.org/garden/container.go index babf3bfbd..0508b9772 100644 --- a/vendor/code.cloudfoundry.org/garden/container.go +++ b/vendor/code.cloudfoundry.org/garden/container.go @@ -176,8 +176,8 @@ type TTYSpec struct { } type WindowSize struct { - Columns uint16 `json:"columns,omitempty"` - Rows uint16 `json:"rows,omitempty"` + Columns int `json:"columns,omitempty"` + Rows int `json:"rows,omitempty"` } type ProcessIO struct { diff --git a/vendor/code.cloudfoundry.org/idmapper/idmapping.go b/vendor/code.cloudfoundry.org/idmapper/idmapping.go index 9a5e4c5c9..87e6c3ec3 100644 --- a/vendor/code.cloudfoundry.org/idmapper/idmapping.go +++ b/vendor/code.cloudfoundry.org/idmapper/idmapping.go @@ -11,7 +11,7 @@ type MappingList []specs.LinuxIDMapping func (m MappingList) Map(id int) int { for _, m := range m { - if delta := int(int64(id) - int64(m.ContainerID)); delta < int(m.Size) { + if delta := id - int(m.ContainerID); delta < int(m.Size) { return int(m.HostID) + delta } } diff --git a/vendor/github.com/opencontainers/runc/CHANGELOG.md b/vendor/github.com/opencontainers/runc/CHANGELOG.md index 24296cfba..d7bef610b 100644 --- a/vendor/github.com/opencontainers/runc/CHANGELOG.md +++ b/vendor/github.com/opencontainers/runc/CHANGELOG.md @@ -6,31 +6,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased 1.1.z] -## [1.1.15] - 2024-10-07 - -> How, dear sir, did you cross the flood? By not stopping, friend, and by not -> straining I crossed the flood. - -### Fixed - - * The `-ENOSYS` seccomp stub is now always generated for the native - architecture that `runc` is running on. This is needed to work around some - arguably specification-incompliant behaviour from Docker on architectures - such as ppc64le, where the allowed architecture list is set to `null`. This - ensures that we always generate at least one `-ENOSYS` stub for the native - architecture even with these weird configs. (#4391) - * On a system with older kernel, reading `/proc/self/mountinfo` may skip some - entries, as a consequence runc may not properly set mount propagation, - causing container mounts leak onto the host mount namespace. (#2404, #4425) - -### Removed - - * In order to fix performance issues in the "lightweight" bindfd protection - against [CVE-2019-5736], the temporary `ro` bind-mount of `/proc/self/exe` - has been removed. runc now creates a binary copy in all cases. (#4392, #2532) - -[CVE-2019-5736]: https://www.openwall.com/lists/oss-security/2019/02/11/2 - ## [1.1.14] - 2024-09-03 > 年を取っていいことは、驚かなくなることね。 @@ -53,6 +28,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 (#4370, #4382) * rootfs: consolidate mountpoint creation logic. (#4359) +### Changed + ## [1.1.13] - 2024-06-13 > There is no certainty in the world. This is the only certainty I have. @@ -585,8 +562,7 @@ implementation (libcontainer) is *not* covered by this policy. [1.0.1]: https://github.com/opencontainers/runc/compare/v1.0.0...v1.0.1 -[Unreleased 1.1.z]: https://github.com/opencontainers/runc/compare/v1.1.15...release-1.1 -[1.1.15]: https://github.com/opencontainers/runc/compare/v1.1.14...v1.1.15 +[Unreleased 1.1.z]: https://github.com/opencontainers/runc/compare/v1.1.14...release-1.1 [1.1.14]: https://github.com/opencontainers/runc/compare/v1.1.13...v1.1.14 [1.1.13]: https://github.com/opencontainers/runc/compare/v1.1.12...v1.1.13 [1.1.12]: https://github.com/opencontainers/runc/compare/v1.1.11...v1.1.12 diff --git a/vendor/github.com/opencontainers/runc/VERSION b/vendor/github.com/opencontainers/runc/VERSION index 645377eea..e9bc14996 100644 --- a/vendor/github.com/opencontainers/runc/VERSION +++ b/vendor/github.com/opencontainers/runc/VERSION @@ -1 +1 @@ -1.1.15 +1.1.14 diff --git a/vendor/github.com/opencontainers/runc/libcontainer/nsenter/cloned_binary.c b/vendor/github.com/opencontainers/runc/libcontainer/nsenter/cloned_binary.c index 565748b13..d1b2d4c54 100644 --- a/vendor/github.com/opencontainers/runc/libcontainer/nsenter/cloned_binary.c +++ b/vendor/github.com/opencontainers/runc/libcontainer/nsenter/cloned_binary.c @@ -396,6 +396,61 @@ static int seal_execfd(int *fd, int fdtype) return -1; } +static int try_bindfd(void) +{ + int fd, ret = -1; + char template[PATH_MAX] = { 0 }; + char *prefix = getenv("_LIBCONTAINER_STATEDIR"); + + if (!prefix || *prefix != '/') + prefix = "/tmp"; + if (snprintf(template, sizeof(template), "%s/runc.XXXXXX", prefix) < 0) + return ret; + + /* + * We need somewhere to mount it, mounting anything over /proc/self is a + * BAD idea on the host -- even if we do it temporarily. + */ + fd = mkstemp(template); + if (fd < 0) + return ret; + close(fd); + + /* + * For obvious reasons this won't work in rootless mode because we haven't + * created a userns+mntns -- but getting that to work will be a bit + * complicated and it's only worth doing if someone actually needs it. + */ + ret = -EPERM; + if (mount("/proc/self/exe", template, "", MS_BIND, "") < 0) + goto out; + if (mount("", template, "", MS_REMOUNT | MS_BIND | MS_RDONLY, "") < 0) + goto out_umount; + + /* Get read-only handle that we're sure can't be made read-write. */ + ret = open(template, O_PATH | O_CLOEXEC); + +out_umount: + /* + * Make sure the MNT_DETACH works, otherwise we could get remounted + * read-write and that would be quite bad (the fd would be made read-write + * too, invalidating the protection). + */ + if (umount2(template, MNT_DETACH) < 0) { + if (ret >= 0) + close(ret); + ret = -ENOTRECOVERABLE; + } + +out: + /* + * We don't care about unlink errors, the worst that happens is that + * there's an empty file left around in STATEDIR. + */ + unlink(template); + return ret; +} + static ssize_t fd_to_fd(int outfd, int infd) { ssize_t total = 0; @@ -430,6 +485,18 @@ static int clone_binary(void) size_t sent = 0; int fdtype = EFD_NONE; + /* + * Before we resort to copying, let's try creating an ro-binfd in one shot + * by getting a handle for a read-only bind-mount of the execfd. + */ + execfd = try_bindfd(); + if (execfd >= 0) + return execfd; + + /* + * Dammit, that didn't work -- time to copy the binary to a safe place we + * can seal the contents. + */ execfd = make_execfd(&fdtype); if (execfd < 0 || fdtype == EFD_NONE) return -ENOTRECOVERABLE; diff --git a/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go index 04ec6d7e4..78b6998c3 100644 --- a/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go +++ b/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go @@ -801,33 +801,54 @@ func mknodDevice(dest string, node *devices.Device) error { return os.Chown(dest, int(node.Uid), int(node.Gid)) } -// rootfsParentMountPrivate ensures rootfs parent mount is private. -// This is needed for two reasons: -// - pivot_root() will fail if parent mount is shared; -// - when we bind mount rootfs, if its parent is not private, the new mount -// will propagate (leak!) to parent namespace and we don't want that. -func rootfsParentMountPrivate(path string) error { - var err error - // Assuming path is absolute and clean (this is checked in - // libcontainer/validate). Any error other than EINVAL means we failed, - // and EINVAL means this is not a mount point, so traverse up until we - // find one. - for { - err = unix.Mount("", path, "", unix.MS_PRIVATE, "") - if err == nil { - return nil +// Get the parent mount point of directory passed in as argument. Also return +// optional fields. +func getParentMount(rootfs string) (string, string, error) { + mi, err := mountinfo.GetMounts(mountinfo.ParentsFilter(rootfs)) + if err != nil { + return "", "", err + } + if len(mi) < 1 { + return "", "", fmt.Errorf("could not find parent mount of %s", rootfs) + } + + // find the longest mount point + var idx, maxlen int + for i := range mi { + if len(mi[i].Mountpoint) > maxlen { + maxlen = len(mi[i].Mountpoint) + idx = i } - if err != unix.EINVAL || path == "/" { //nolint:errorlint // unix errors are bare + } + return mi[idx].Mountpoint, mi[idx].Optional, nil +} + +// Make parent mount private if it was shared +func rootfsParentMountPrivate(rootfs string) error { + sharedMount := false + + parentMount, optionalOpts, err := getParentMount(rootfs) + if err != nil { + return err + } + + optsSplit := strings.Split(optionalOpts, " ") + for _, opt := range optsSplit { + if strings.HasPrefix(opt, "shared:") { + sharedMount = true break } - path = filepath.Dir(path) } - return &mountError{ - op: "remount-private", - target: path, - flags: unix.MS_PRIVATE, - err: err, + + // Make parent mount PRIVATE if it was shared. It is needed for two + // reasons. First of all pivot_root() will fail if parent mount is + // shared. Secondly when we bind mount rootfs it will propagate to + // parent namespace and we don't want that to happen. + if sharedMount { + return mount("", parentMount, "", "", unix.MS_PRIVATE, "") } + + return nil } func prepareRoot(config *configs.Config) error { @@ -839,6 +860,9 @@ func prepareRoot(config *configs.Config) error { return err } + // Make parent mount private to make sure following bind mount does + // not propagate in other namespaces. Also it will help with kernel + // check pass in pivot_root. (IS_SHARED(new_mnt->mnt_parent)) if err := rootfsParentMountPrivate(config.Rootfs); err != nil { return err } diff --git a/vendor/github.com/opencontainers/runc/libcontainer/seccomp/patchbpf/enosys_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/seccomp/patchbpf/enosys_linux.go index d459ba879..efe6dca58 100644 --- a/vendor/github.com/opencontainers/runc/libcontainer/seccomp/patchbpf/enosys_linux.go +++ b/vendor/github.com/opencontainers/runc/libcontainer/seccomp/patchbpf/enosys_linux.go @@ -164,11 +164,11 @@ func disassembleFilter(filter *libseccomp.ScmpFilter) ([]bpf.Instruction, error) return program, nil } -type linuxAuditArch uint32 +type nativeArch uint32 -const invalidArch linuxAuditArch = 0 +const invalidArch nativeArch = 0 -func scmpArchToAuditArch(arch libseccomp.ScmpArch) (linuxAuditArch, error) { +func archToNative(arch libseccomp.ScmpArch) (nativeArch, error) { switch arch { case libseccomp.ArchNative: // Convert to actual native architecture. @@ -176,89 +176,85 @@ func scmpArchToAuditArch(arch libseccomp.ScmpArch) (linuxAuditArch, error) { if err != nil { return invalidArch, fmt.Errorf("unable to get native arch: %w", err) } - return scmpArchToAuditArch(arch) + return archToNative(arch) case libseccomp.ArchX86: - return linuxAuditArch(C.C_AUDIT_ARCH_I386), nil + return nativeArch(C.C_AUDIT_ARCH_I386), nil case libseccomp.ArchAMD64, libseccomp.ArchX32: // NOTE: x32 is treated like x86_64 except all x32 syscalls have the // 30th bit of the syscall number set to indicate that it's not a // normal x86_64 syscall. - return linuxAuditArch(C.C_AUDIT_ARCH_X86_64), nil + return nativeArch(C.C_AUDIT_ARCH_X86_64), nil case libseccomp.ArchARM: - return linuxAuditArch(C.C_AUDIT_ARCH_ARM), nil + return nativeArch(C.C_AUDIT_ARCH_ARM), nil case libseccomp.ArchARM64: - return linuxAuditArch(C.C_AUDIT_ARCH_AARCH64), nil + return nativeArch(C.C_AUDIT_ARCH_AARCH64), nil case libseccomp.ArchMIPS: - return linuxAuditArch(C.C_AUDIT_ARCH_MIPS), nil + return nativeArch(C.C_AUDIT_ARCH_MIPS), nil case libseccomp.ArchMIPS64: - return linuxAuditArch(C.C_AUDIT_ARCH_MIPS64), nil + return nativeArch(C.C_AUDIT_ARCH_MIPS64), nil case libseccomp.ArchMIPS64N32: - return linuxAuditArch(C.C_AUDIT_ARCH_MIPS64N32), nil + return nativeArch(C.C_AUDIT_ARCH_MIPS64N32), nil case libseccomp.ArchMIPSEL: - return linuxAuditArch(C.C_AUDIT_ARCH_MIPSEL), nil + return nativeArch(C.C_AUDIT_ARCH_MIPSEL), nil case libseccomp.ArchMIPSEL64: - return linuxAuditArch(C.C_AUDIT_ARCH_MIPSEL64), nil + return nativeArch(C.C_AUDIT_ARCH_MIPSEL64), nil case libseccomp.ArchMIPSEL64N32: - return linuxAuditArch(C.C_AUDIT_ARCH_MIPSEL64N32), nil + return nativeArch(C.C_AUDIT_ARCH_MIPSEL64N32), nil case libseccomp.ArchPPC: - return linuxAuditArch(C.C_AUDIT_ARCH_PPC), nil + return nativeArch(C.C_AUDIT_ARCH_PPC), nil case libseccomp.ArchPPC64: - return linuxAuditArch(C.C_AUDIT_ARCH_PPC64), nil + return nativeArch(C.C_AUDIT_ARCH_PPC64), nil case libseccomp.ArchPPC64LE: - return linuxAuditArch(C.C_AUDIT_ARCH_PPC64LE), nil + return nativeArch(C.C_AUDIT_ARCH_PPC64LE), nil case libseccomp.ArchS390: - return linuxAuditArch(C.C_AUDIT_ARCH_S390), nil + return nativeArch(C.C_AUDIT_ARCH_S390), nil case libseccomp.ArchS390X: - return linuxAuditArch(C.C_AUDIT_ARCH_S390X), nil + return nativeArch(C.C_AUDIT_ARCH_S390X), nil case libseccomp.ArchRISCV64: - return linuxAuditArch(C.C_AUDIT_ARCH_RISCV64), nil + return nativeArch(C.C_AUDIT_ARCH_RISCV64), nil default: return invalidArch, fmt.Errorf("unknown architecture: %v", arch) } } -type lastSyscallMap map[linuxAuditArch]map[libseccomp.ScmpArch]libseccomp.ScmpSyscall +type lastSyscallMap map[nativeArch]map[libseccomp.ScmpArch]libseccomp.ScmpSyscall // Figure out largest syscall number referenced in the filter for each // architecture. We will be generating code based on the native architecture // representation, but SCMP_ARCH_X32 means we have to track cases where the // same architecture has different largest syscalls based on the mode. func findLastSyscalls(config *configs.Seccomp) (lastSyscallMap, error) { - scmpArchs := make(map[libseccomp.ScmpArch]struct{}) + lastSyscalls := make(lastSyscallMap) + // Only loop over architectures which are present in the filter. Any other + // architectures will get the libseccomp bad architecture action anyway. for _, ociArch := range config.Architectures { arch, err := libseccomp.GetArchFromString(ociArch) if err != nil { return nil, fmt.Errorf("unable to validate seccomp architecture: %w", err) } - scmpArchs[arch] = struct{}{} - } - // On architectures like ppc64le, Docker inexplicably doesn't include the - // native architecture in the architecture list which results in no - // architectures being present in the list at all (rendering the ENOSYS - // stub a no-op). So, always include the native architecture. - if nativeScmpArch, err := libseccomp.GetNativeArch(); err != nil { - return nil, fmt.Errorf("unable to get native arch: %w", err) - } else if _, ok := scmpArchs[nativeScmpArch]; !ok { - logrus.Debugf("seccomp: adding implied native architecture %v to config set", nativeScmpArch) - scmpArchs[nativeScmpArch] = struct{}{} - } - logrus.Debugf("seccomp: configured architecture set: %s", scmpArchs) - // Only loop over architectures which are present in the filter. Any other - // architectures will get the libseccomp bad architecture action anyway. - lastSyscalls := make(lastSyscallMap) - for arch := range scmpArchs { - auditArch, err := scmpArchToAuditArch(arch) + // Map native architecture to a real architecture value to avoid + // doubling-up the lastSyscall mapping. + if arch == libseccomp.ArchNative { + nativeArch, err := libseccomp.GetNativeArch() + if err != nil { + return nil, fmt.Errorf("unable to get native architecture: %w", err) + } + arch = nativeArch + } + + // Figure out native architecture representation of the architecture. + nativeArch, err := archToNative(arch) if err != nil { return nil, fmt.Errorf("cannot map architecture %v to AUDIT_ARCH_ constant: %w", arch, err) } - if _, ok := lastSyscalls[auditArch]; !ok { - lastSyscalls[auditArch] = map[libseccomp.ScmpArch]libseccomp.ScmpSyscall{} + if _, ok := lastSyscalls[nativeArch]; !ok { + lastSyscalls[nativeArch] = map[libseccomp.ScmpArch]libseccomp.ScmpSyscall{} } - if _, ok := lastSyscalls[auditArch][arch]; ok { + if _, ok := lastSyscalls[nativeArch][arch]; ok { // Because of ArchNative we may hit the same entry multiple times. - // Just skip it if we've seen this (linuxAuditArch, ScmpArch) + // Just skip it if we've seen this (nativeArch, ScmpArch) // combination before. continue } @@ -276,11 +272,10 @@ func findLastSyscalls(config *configs.Seccomp) (lastSyscallMap, error) { } } if largestSyscall != 0 { - logrus.Debugf("seccomp: largest syscall number for arch %v is %v", arch, largestSyscall) - lastSyscalls[auditArch][arch] = largestSyscall + lastSyscalls[nativeArch][arch] = largestSyscall } else { - logrus.Warnf("could not find any syscalls for arch %v", arch) - delete(lastSyscalls[auditArch], arch) + logrus.Warnf("could not find any syscalls for arch %s", ociArch) + delete(lastSyscalls[nativeArch], arch) } } return lastSyscalls, nil @@ -298,10 +293,10 @@ func findLastSyscalls(config *configs.Seccomp) (lastSyscallMap, error) { // close_range(2) which were added out-of-order in the syscall table between // kernel releases. func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error) { - // A jump-table for each linuxAuditArch used to generate the initial + // A jump-table for each nativeArch used to generate the initial // conditional jumps -- measured from the *END* of the program so they // remain valid after prepending to the tail. - archJumpTable := map[linuxAuditArch]uint32{} + archJumpTable := map[nativeArch]uint32{} // Generate our own -ENOSYS rules for each architecture. They have to be // generated in reverse (prepended to the tail of the program) because the @@ -314,7 +309,7 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error) } // Generate the syscall -ENOSYS rules. - for auditArch, maxSyscalls := range lastSyscalls { + for nativeArch, maxSyscalls := range lastSyscalls { // The number of instructions from the tail of this section which need // to be jumped in order to reach the -ENOSYS return. If the section // does not jump, it will fall through to the actual filter. @@ -395,7 +390,7 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error) // If we're on x86 we need to add a check for x32 and if we're in // the wrong mode we jump over the section. - if uint32(auditArch) == uint32(C.C_AUDIT_ARCH_X86_64) { + if uint32(nativeArch) == uint32(C.C_AUDIT_ARCH_X86_64) { // Generate a prefix to check the mode. switch scmpArch { case libseccomp.ArchAMD64: @@ -424,8 +419,8 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error) section = append(section, sectionTail...) case 2: // x32 and x86_64 are a unique case, we can't handle any others. - if uint32(auditArch) != uint32(C.C_AUDIT_ARCH_X86_64) { - return nil, fmt.Errorf("unknown architecture overlap on native arch %#x", auditArch) + if uint32(nativeArch) != uint32(C.C_AUDIT_ARCH_X86_64) { + return nil, fmt.Errorf("unknown architecture overlap on native arch %#x", nativeArch) } x32sysno, ok := maxSyscalls[libseccomp.ArchX32] @@ -502,7 +497,7 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error) programTail = append(section, programTail...) // Update jump table. - archJumpTable[auditArch] = uint32(len(programTail)) + archJumpTable[nativeArch] = uint32(len(programTail)) } // Add a dummy "jump to filter" for any architecture we might miss below. @@ -522,9 +517,9 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error) // architectures based on how large the jumps are going to be, or // re-sort the candidate architectures each time to make sure that we // pick the largest jump which is going to be smaller than 255. - for auditArch := range lastSyscalls { + for nativeArch := range lastSyscalls { // We jump forwards but the jump table is calculated from the *END*. - jump := uint32(len(programTail)) - archJumpTable[auditArch] + jump := uint32(len(programTail)) - archJumpTable[nativeArch] // Same routine as above -- this is a basic jeq check, complicated // slightly if it turns out that we need to do a long jump. @@ -533,7 +528,7 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error) // jeq [arch],[jump] bpf.JumpIf{ Cond: bpf.JumpEqual, - Val: uint32(auditArch), + Val: uint32(nativeArch), SkipTrue: uint8(jump), }, }, programTail...) @@ -542,7 +537,7 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error) // jne [arch],1 bpf.JumpIf{ Cond: bpf.JumpNotEqual, - Val: uint32(auditArch), + Val: uint32(nativeArch), SkipTrue: 1, }, // ja [jump] diff --git a/vendor/modules.txt b/vendor/modules.txt index fb262a799..1707eec5a 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -766,7 +766,7 @@ github.com/opencontainers/go-digest/digestset github.com/opencontainers/image-spec/identity github.com/opencontainers/image-spec/specs-go github.com/opencontainers/image-spec/specs-go/v1 -# github.com/opencontainers/runc v1.2.1 => github.com/opencontainers/runc v1.1.15 +# github.com/opencontainers/runc v1.2.1 => github.com/opencontainers/runc v1.1.14 ## explicit; go 1.18 github.com/opencontainers/runc github.com/opencontainers/runc/libcontainer @@ -1330,7 +1330,7 @@ tags.cncf.io/container-device-interface/pkg/parser tags.cncf.io/container-device-interface/specs-go # github.com/Microsoft/hcsshim => github.com/Microsoft/hcsshim v0.11.7 # github.com/containerd/go-runc => github.com/containerd/go-runc v1.0.0 -# github.com/opencontainers/runc => github.com/opencontainers/runc v1.1.15 +# github.com/opencontainers/runc => github.com/opencontainers/runc v1.1.14 # code.cloudfoundry.org/garden => ../garden # code.cloudfoundry.org/grootfs => ../grootfs # code.cloudfoundry.org/idmapper => ../idmapper