Skip to content

Commit

Permalink
Merge branch 'main' into groupv1
Browse files Browse the repository at this point in the history
  • Loading branch information
tomaszduda23 authored Dec 8, 2024
2 parents bbb3244 + e075206 commit 112ec75
Show file tree
Hide file tree
Showing 67 changed files with 2,043 additions and 581 deletions.
2 changes: 2 additions & 0 deletions EMERITUS.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,5 +8,7 @@ contributions to our collective success:
* Rohit Jnagal (@rjnagal)
* Victor Marmol (@vmarmol)
* Michael Crosby (@crosbymichael)
* Daniel, Dao Quang Minh (@dqminh)
* Qiang Huang (@hqhq)

We thank these members for their service to the OCI community.
2 changes: 0 additions & 2 deletions MAINTAINERS
Original file line number Diff line number Diff line change
@@ -1,6 +1,4 @@
Mrunal Patel <[email protected]> (@mrunalp)
Daniel, Dao Quang Minh <[email protected]> (@dqminh)
Qiang Huang <[email protected]> (@hqhq)
Aleksa Sarai <[email protected]> (@cyphar)
Akihiro Suda <[email protected]> (@AkihiroSuda)
Kir Kolyshkin <[email protected]> (@kolyshkin)
Expand Down
2 changes: 1 addition & 1 deletion Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -207,7 +207,7 @@ install-man: man
.PHONY: cfmt
cfmt: C_SRC=$(shell git ls-files '*.c' | grep -v '^vendor/')
cfmt:
indent -linux -l120 -il0 -ppi2 -cp1 -T size_t -T jmp_buf $(C_SRC)
indent -linux -l120 -il0 -ppi2 -cp1 -sar -T size_t -T jmp_buf $(C_SRC)

.PHONY: shellcheck
shellcheck:
Expand Down
2 changes: 0 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -113,8 +113,6 @@ The following build tags were used earlier, but are now obsoleted:
- **apparmor** (since runc v1.0.0-rc93 the feature is always enabled)
- **selinux** (since runc v1.0.0-rc93 the feature is always enabled)

[contrib-memfd-bind]: /contrib/cmd/memfd-bind/README.md

### Running the test suite

`runc` currently supports running its test suite via Docker.
Expand Down
13 changes: 12 additions & 1 deletion contrib/cmd/memfd-bind/README.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,15 @@
## memfd-bind ##

`runc` normally has to make a binary copy of itself when constructing a
> **NOTE**: Since runc 1.2.0, runc will now use a private overlayfs mount to
> protect the runc binary (if you are on Linux 5.1 or later). This protection
> is far more light-weight than memfd-bind, and for most users this should
> obviate the need for `memfd-bind` entirely. Rootless containers will still
> make a memfd copy (unless you are using `runc` itself inside a user namespace
> -- a-la [`rootlesskit`][rootlesskit] -- and are on Linux 5.11 or later), but
> `memfd-bind` is not particularly useful for rootless container users anyway
> (see [Caveats](#Caveats) for more details).
`runc` sometimes has to make a binary copy of itself when constructing a
container process in order to defend against certain container runtime attacks
such as CVE-2019-5736.

Expand Down Expand Up @@ -38,6 +47,8 @@ much memory usage they can use:
container process setup takes up about 10MB per process spawned inside the
container by runc (both pid1 and `runc exec`).

[rootlesskit]: https://github.com/rootless-containers/rootlesskit

### Caveats ###

There are several downsides with using `memfd-bind` on the `runc` binary:
Expand Down
10 changes: 5 additions & 5 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -12,9 +12,10 @@ require (
github.com/cilium/ebpf v0.16.0
github.com/containerd/console v1.0.4
github.com/coreos/go-systemd/v22 v22.5.0
github.com/cyphar/filepath-securejoin v0.3.4
github.com/cyphar/filepath-securejoin v0.3.5
github.com/docker/go-units v0.5.0
github.com/godbus/dbus/v5 v5.1.0
github.com/moby/sys/capability v0.4.0
github.com/moby/sys/mountinfo v0.7.2
github.com/moby/sys/user v0.3.0
github.com/moby/sys/userns v0.1.0
Expand All @@ -23,12 +24,11 @@ require (
github.com/opencontainers/selinux v1.11.1
github.com/seccomp/libseccomp-golang v0.10.0
github.com/sirupsen/logrus v1.9.3
github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
github.com/urfave/cli v1.22.16
github.com/vishvananda/netlink v1.3.0
golang.org/x/net v0.30.0
golang.org/x/sys v0.26.0
google.golang.org/protobuf v1.35.1
golang.org/x/net v0.32.0
golang.org/x/sys v0.28.0
google.golang.org/protobuf v1.35.2
)

require (
Expand Down
20 changes: 10 additions & 10 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -10,8 +10,8 @@ github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSV
github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
github.com/cpuguy83/go-md2man/v2 v2.0.5 h1:ZtcqGrnekaHpVLArFSe4HK5DoKx1T0rq2DwVB0alcyc=
github.com/cpuguy83/go-md2man/v2 v2.0.5/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
github.com/cyphar/filepath-securejoin v0.3.4 h1:VBWugsJh2ZxJmLFSM06/0qzQyiQX2Qs0ViKrUAcqdZ8=
github.com/cyphar/filepath-securejoin v0.3.4/go.mod h1:8s/MCNJREmFK0H02MF6Ihv1nakJe4L/w3WZLHNkvlYM=
github.com/cyphar/filepath-securejoin v0.3.5 h1:L81NHjquoQmcPgXcttUS9qTSR/+bXry6pbSINQGpjj4=
github.com/cyphar/filepath-securejoin v0.3.5/go.mod h1:edhVd3c6OXKjUmSrVa/tGJRS9joFTxlslFCAyaxigkE=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
Expand Down Expand Up @@ -39,6 +39,8 @@ github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/
github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw=
github.com/mdlayher/socket v0.4.1 h1:eM9y2/jlbs1M615oshPQOHZzj6R6wMT7bX5NPiQvn2U=
github.com/mdlayher/socket v0.4.1/go.mod h1:cAqeGjoufqdxWkD7DkpyS+wcefOtmu5OQ8KuoJGIReA=
github.com/moby/sys/capability v0.4.0 h1:4D4mI6KlNtWMCM1Z/K0i7RV1FkX+DBDHKVJpCndZoHk=
github.com/moby/sys/capability v0.4.0/go.mod h1:4g9IK291rVkms3LKCDOoYlnV8xKwoDTpIrNEE35Wq0I=
github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg=
github.com/moby/sys/mountinfo v0.7.2/go.mod h1:1YOa8w8Ih7uW0wALDUgT1dTTSBrZ+HiBLGws92L2RU4=
github.com/moby/sys/user v0.3.0 h1:9ni5DlcW5an3SvRSx4MouotOygvzaXbaSrc/wGDFWPo=
Expand Down Expand Up @@ -73,8 +75,6 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI=
github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
github.com/urfave/cli v1.22.16 h1:MH0k6uJxdwdeWQTwhSO42Pwr4YLrNLwBtg1MRgTqPdQ=
github.com/urfave/cli v1.22.16/go.mod h1:EeJR6BKodywf4zciqrdw6hpCPk68JO9z5LazXZMn5Po=
github.com/vishvananda/netlink v1.3.0 h1:X7l42GfcV4S6E4vHTsw48qbrV+9PVojNfIhZcwQdrZk=
Expand All @@ -83,22 +83,22 @@ github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1Y
github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 h1:Jvc7gsqn21cJHCmAWx0LiimpP18LZmUxkT5Mp7EZ1mI=
golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
golang.org/x/net v0.32.0 h1:ZqPmj8Kzc+Y6e0+skZsuACbx+wzMgo5MQsJh9Qd6aYI=
golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs=
golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA=
google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
google.golang.org/protobuf v1.35.2 h1:8Ar7bF+apOIoThw1EdZl0p1oWvMqTHmpA2fRTyZO8io=
google.golang.org/protobuf v1.35.2/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
Expand Down
30 changes: 0 additions & 30 deletions internal/testutil/testutil.go

This file was deleted.

86 changes: 55 additions & 31 deletions libcontainer/capabilities/capabilities.go
Original file line number Diff line number Diff line change
Expand Up @@ -3,41 +3,36 @@
package capabilities

import (
"fmt"
"sort"
"strings"
"sync"

"github.com/moby/sys/capability"
"github.com/opencontainers/runc/libcontainer/configs"
"github.com/sirupsen/logrus"
"github.com/syndtr/gocapability/capability"
)

const allCapabilityTypes = capability.CAPS | capability.BOUNDING | capability.AMBIENT
func capToStr(c capability.Cap) string {
return "CAP_" + strings.ToUpper(c.String())
}

var (
capabilityMap map[string]capability.Cap
capTypes = []capability.CapType{
capability.BOUNDING,
capability.PERMITTED,
capability.INHERITABLE,
capability.EFFECTIVE,
capability.AMBIENT,
var capMap = sync.OnceValues(func() (map[string]capability.Cap, error) {
list, err := capability.ListSupported()
if err != nil {
return nil, err
}
)

func init() {
capabilityMap = make(map[string]capability.Cap, capability.CAP_LAST_CAP+1)
for _, c := range capability.List() {
if c > capability.CAP_LAST_CAP {
continue
}
capabilityMap["CAP_"+strings.ToUpper(c.String())] = c
cm := make(map[string]capability.Cap, len(list))
for _, c := range list {
cm[capToStr(c)] = c
}
}
return cm, nil
})

// KnownCapabilities returns the list of the known capabilities.
// Used by `runc features`.
func KnownCapabilities() []string {
list := capability.List()
list := capability.ListKnown()
res := make([]string, len(list))
for i, c := range list {
res[i] = "CAP_" + strings.ToUpper(c.String())
Expand All @@ -49,11 +44,12 @@ func KnownCapabilities() []string {
// or Capabilities that are unavailable in the current environment are ignored,
// printing a warning instead.
func New(capConfig *configs.Capabilities) (*Caps, error) {
var (
err error
c Caps
)
var c Caps

_, err := capMap()
if err != nil {
return nil, err
}
unknownCaps := make(map[string]struct{})
c.caps = map[capability.CapType][]capability.Cap{
capability.BOUNDING: capSlice(capConfig.Bounding, unknownCaps),
Expand All @@ -75,9 +71,10 @@ func New(capConfig *configs.Capabilities) (*Caps, error) {
// equivalent, and returns them as a slice. Unknown or unavailable capabilities
// are not returned, but appended to unknownCaps.
func capSlice(caps []string, unknownCaps map[string]struct{}) []capability.Cap {
var out []capability.Cap
cm, _ := capMap()
out := make([]capability.Cap, 0, len(caps))
for _, c := range caps {
if v, ok := capabilityMap[c]; !ok {
if v, ok := cm[c]; !ok {
unknownCaps[c] = struct{}{}
} else {
out = append(out, v)
Expand All @@ -88,7 +85,7 @@ func capSlice(caps []string, unknownCaps map[string]struct{}) []capability.Cap {

// mapKeys returns the keys of input in sorted order
func mapKeys(input map[string]struct{}) []string {
var keys []string
keys := make([]string, 0, len(input))
for c := range input {
keys = append(keys, c)
}
Expand All @@ -111,9 +108,36 @@ func (c *Caps) ApplyBoundingSet() error {

// Apply sets all the capabilities for the current process in the config.
func (c *Caps) ApplyCaps() error {
c.pid.Clear(allCapabilityTypes)
for _, g := range capTypes {
c.pid.Clear(capability.CAPS | capability.BOUNDS)
for _, g := range []capability.CapType{
capability.EFFECTIVE,
capability.PERMITTED,
capability.INHERITABLE,
capability.BOUNDING,
} {
c.pid.Set(g, c.caps[g]...)
}
return c.pid.Apply(allCapabilityTypes)
if err := c.pid.Apply(capability.CAPS | capability.BOUNDS); err != nil {
return fmt.Errorf("can't apply capabilities: %w", err)
}

// Old version of capability package used to ignore errors from setting
// ambient capabilities, which is now fixed (see
// https://github.com/kolyshkin/capability/pull/3).
//
// To maintain backward compatibility, set ambient caps one by one and
// don't return any errors, only warn.
ambs := c.caps[capability.AMBIENT]
err := capability.ResetAmbient()
if err != nil {
return fmt.Errorf("can't reset ambient capabilities: %w", err)
}
for _, a := range ambs {
err := capability.SetAmbient(true, a)
if err != nil {
logrus.Warnf("can't raise ambient capability %s: %v", capToStr(a), err)
}
}

return nil
}
10 changes: 9 additions & 1 deletion libcontainer/capabilities/capabilities_linux_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -5,12 +5,20 @@ import (
"os"
"testing"

"github.com/moby/sys/capability"
"github.com/opencontainers/runc/libcontainer/configs"
"github.com/sirupsen/logrus"
"github.com/sirupsen/logrus/hooks/test"
"github.com/syndtr/gocapability/capability"
)

var capTypes = []capability.CapType{
capability.BOUNDING,
capability.PERMITTED,
capability.INHERITABLE,
capability.EFFECTIVE,
capability.AMBIENT,
}

func TestNew(t *testing.T) {
cs := []string{"CAP_CHOWN", "CAP_UNKNOWN", "CAP_UNKNOWN2"}
conf := configs.Capabilities{
Expand Down
22 changes: 14 additions & 8 deletions libcontainer/cgroups/devices/ebpf_linux.go
Original file line number Diff line number Diff line change
Expand Up @@ -107,14 +107,14 @@ func haveBpfProgReplace() bool {
},
})
if err != nil {
logrus.Debugf("checking for BPF_F_REPLACE support: ebpf.NewProgram failed: %v", err)
logrus.Warnf("checking for BPF_F_REPLACE support: ebpf.NewProgram failed: %v", err)
return
}
defer prog.Close()

devnull, err := os.Open("/dev/null")
if err != nil {
logrus.Debugf("checking for BPF_F_REPLACE support: open dummy target fd: %v", err)
logrus.Warnf("checking for BPF_F_REPLACE support: open dummy target fd: %v", err)
return
}
defer devnull.Close()
Expand All @@ -123,20 +123,26 @@ func haveBpfProgReplace() bool {
// BPF_CGROUP_DEVICE programs. If passing BPF_F_REPLACE gives us EINVAL
// we know that the feature isn't present.
err = link.RawAttachProgram(link.RawAttachProgramOptions{
// We rely on this fd being checked after attachFlags.
// We rely on this fd being checked after attachFlags in the kernel.
Target: int(devnull.Fd()),
// Attempt to "replace" bad fds with this program.
// Attempt to "replace" our BPF program with itself. This will
// always fail, but we should get -EINVAL if BPF_F_REPLACE is not
// supported.
Anchor: link.ReplaceProgram(prog),
Program: prog,
Attach: ebpf.AttachCGroupDevice,
Flags: unix.BPF_F_ALLOW_MULTI | unix.BPF_F_REPLACE,
Flags: unix.BPF_F_ALLOW_MULTI,
})
if errors.Is(err, unix.EINVAL) {
if errors.Is(err, ebpf.ErrNotSupported) || errors.Is(err, unix.EINVAL) {
// not supported
return
}
// attach_flags test succeeded.
if !errors.Is(err, unix.EBADF) {
logrus.Debugf("checking for BPF_F_REPLACE: got unexpected (not EBADF or EINVAL) error: %v", err)
// If we see any new errors here, it's possible that there is a
// regression due to a cilium/ebpf update and the above EINVAL
// checks are not working. So, be loud about it so someone notices
// and we can get the issue fixed quicker.
logrus.Warnf("checking for BPF_F_REPLACE: got unexpected (not EBADF or EINVAL) error: %v", err)
}
haveBpfProgReplaceBool = true
})
Expand Down
Loading

0 comments on commit 112ec75

Please sign in to comment.