Bumping runc to last release-1.0. Upstream based on commit df3cc4955002b5057fba92f1fd8b6fd94af3eb0b
Signed-off-by: Hugo SIMELIERE <[email protected]> --- ...-GOBUILDFLAGS-for-runc-and-remove-re.patch | 40 ++-- ...nly-allow-proc-mount-if-it-is-procfs.patch | 201 ------------------ ...001-runc-Add-console-socket-dev-null.patch | 19 +- .../0001-runc-docker-SIGUSR1-daemonize.patch | 21 +- recipes-containers/runc/runc-docker_git.bb | 7 +- .../runc/runc-opencontainers_git.bb | 7 +- recipes-containers/runc/runc.inc | 15 +- 7 files changed, 60 insertions(+), 250 deletions(-) delete mode 100644 recipes-containers/runc/files/0001-Only-allow-proc-mount-if-it-is-procfs.patch diff --git a/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch b/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch index 94cbb4c..c855d7b 100644 --- a/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch +++ b/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch @@ -1,35 +1,37 @@ -From d2c47a973f354ffd505bb4e809c59e57b543726d Mon Sep 17 00:00:00 2001 -From: Chen Qi <[email protected]> -Date: Tue, 6 Aug 2019 19:01:45 +0800 +From 0fe50d2ca4517f5e3070585040f35ace413acd44 Mon Sep 17 00:00:00 2001 +From: Bruce Ashfield <[email protected]> +Date: Tue, 24 Aug 2021 11:38:23 -0400 Subject: [PATCH] Makefile: respect GOBUILDFLAGS for runc and remove recvtty from static Signed-off-by: Chen Qi <[email protected]> +[bva: refreshed for release 1.0.2] +Signed-off-by: Bruce Ashfield <[email protected]> --- Makefile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) -diff --git a/Makefile b/Makefile -index 0f26a1c8..a0c6b40b 100644 +diff --git a/src/import/Makefile b/src/import/Makefile +index efbddf0d..4b174c80 100644 --- a/src/import/Makefile 
+++ b/src/import/Makefile -@@ -30,7 +30,7 @@ SHELL := $(shell command -v bash 2>/dev/null) - .DEFAULT: runc +@@ -24,7 +24,7 @@ ifeq ($(shell $(GO) env GOOS),linux) + endif + endif + endif +-GO_BUILD := $(GO) build -trimpath $(MOD_VENDOR) $(GO_BUILDMODE) $(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \ ++GO_BUILD := $(GO) build $(GOBUILDFLAGS) -trimpath $(MOD_VENDOR) $(GO_BUILDMODE) $(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \ + -ldflags "-X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS)" + GO_BUILD_STATIC := CGO_ENABLED=1 $(GO) build -trimpath $(MOD_VENDOR) $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo" \ + -ldflags "-extldflags -static -X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS)" +@@ -41,7 +41,6 @@ recvtty: - runc: $(SOURCES) -- $(GO) build -buildmode=pie $(EXTRA_FLAGS) -ldflags "-X main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)" -tags "$(BUILDTAGS)" -o runc . -+ $(GO) build $(GOBUILDFLAGS) $(EXTRA_FLAGS) -ldflags "-X main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)" -tags "$(BUILDTAGS)" -o runc . - - all: runc recvtty - -@@ -41,7 +41,6 @@ contrib/cmd/recvtty/recvtty: $(SOURCES) - - static: $(SOURCES) - CGO_ENABLED=1 $(GO) build $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo static_build" -installsuffix netgo -ldflags "-w -extldflags -static -X main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)" -o runc . -- CGO_ENABLED=1 $(GO) build $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo static_build" -installsuffix netgo -ldflags "-w -extldflags -static -X main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)" -o contrib/cmd/recvtty/recvtty ./contrib/cmd/recvtty + static: + $(GO_BUILD_STATIC) -o runc . +- $(GO_BUILD_STATIC) -o contrib/cmd/recvtty/recvtty ./contrib/cmd/recvtty release: script/release.sh -r release/$(VERSION) -v $(VERSION) -- -2.17.1 +2.19.1 
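Review bot: The refreshed hunk injects `$(GOBUILDFLAGS)` only into GO_BUILD, while the GO_BUILD_STATIC definition on the following context line stays `CGO_ENABLED=1 $(GO) build -trimpath $(MOD_VENDOR) ...`, so whatever the go class places in GOBUILDFLAGS never reaches the static build. Since the runc.inc change in this same series keeps `static` as the default PACKAGECONFIG, that is presumably the configuration most builds take, and any hardening or trimming flags supplied through GOBUILDFLAGS would be silently dropped there. The previous revision of this patch had the same gap, so it may be deliberate (for example if a buildmode in GOBUILDFLAGS is incompatible with `-extldflags -static`); if so, a sentence in the patch description saying that GO_BUILD_STATIC intentionally ignores GOBUILDFLAGS would keep the next refresh from changing it. Otherwise the fix is the single line `+GO_BUILD_STATIC := CGO_ENABLED=1 $(GO) build $(GOBUILDFLAGS) -trimpath $(MOD_VENDOR) $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo" \` added to the same inner hunk.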
diff --git a/recipes-containers/runc/files/0001-Only-allow-proc-mount-if-it-is-procfs.patch b/recipes-containers/runc/files/0001-Only-allow-proc-mount-if-it-is-procfs.patch deleted file mode 100644 index 5aca99e..0000000 --- a/recipes-containers/runc/files/0001-Only-allow-proc-mount-if-it-is-procfs.patch +++ /dev/null 
@@ -1,201 +0,0 @@ -From d75b05441772417a0828465a9483f16287937724 Mon Sep 17 00:00:00 2001 -From: Michael Crosby <[email protected]> -Date: Mon, 23 Sep 2019 16:45:45 -0400 -Subject: [PATCH] Only allow proc mount if it is procfs - -Fixes #2128 - -This allows proc to be bind mounted for host and rootless namespace usecases but -it removes the ability to mount over the top of proc with a directory. - -```bash -> sudo docker run --rm apparmor -docker: Error response from daemon: OCI runtime create failed: -container_linux.go:346: starting container process caused "process_linux.go:449: -container init caused \"rootfs_linux.go:58: mounting -\\\"/var/lib/docker/volumes/aae28ea068c33d60e64d1a75916cf3ec2dc3634f97571854c9ed30c8401460c1/_data\\\" -to rootfs -\\\"/var/lib/docker/overlay2/a6be5ae911bf19f8eecb23a295dec85be9a8ee8da66e9fb55b47c841d1e381b7/merged\\\" -at \\\"/proc\\\" caused -\\\"\\\\\\\"/var/lib/docker/overlay2/a6be5ae911bf19f8eecb23a295dec85be9a8ee8da66e9fb55b47c841d1e381b7/merged/proc\\\\\\\" -cannot be mounted because it is not of type proc\\\"\"": unknown. - -> sudo docker run --rm -v /proc:/proc apparmor - -docker-default (enforce) root 18989 0.9 0.0 1288 4 ? 
-Ss 16:47 0:00 sleep 20 -``` - -Signed-off-by: Michael Crosby <[email protected]> - -Upstream-Status: Backport [https://github.com/opencontainers/runc/pull/2129/commits/331692baa7afdf6c186f8667cb0e6362ea0802b3] - -CVE: CVE-2019-16884 - -Signed-off-by: Chen Qi <[email protected]> ---- - libcontainer/container_linux.go | 4 +-- - libcontainer/rootfs_linux.go | 50 +++++++++++++++++++++++-------- - libcontainer/rootfs_linux_test.go | 8 ++--- - 3 files changed, 43 insertions(+), 19 deletions(-) - -diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go -index 7e58e5e0..d51e35df 100644 ---- a/src/import/libcontainer/container_linux.go -+++ b/src/import/libcontainer/container_linux.go -@@ -19,7 +19,7 @@ import ( - "syscall" // only for SysProcAttr and Signal - "time" - -- "github.com/cyphar/filepath-securejoin" -+ securejoin "github.com/cyphar/filepath-securejoin" - "github.com/opencontainers/runc/libcontainer/cgroups" - "github.com/opencontainers/runc/libcontainer/configs" - "github.com/opencontainers/runc/libcontainer/intelrdt" -@@ -1160,7 +1160,7 @@ func (c *linuxContainer) makeCriuRestoreMountpoints(m *configs.Mount) error { - if err != nil { - return err - } -- if err := checkMountDestination(c.config.Rootfs, dest); err != nil { -+ if err := checkProcMount(c.config.Rootfs, dest, ""); err != nil { - return err - } - m.Destination = dest -diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go -index f13b226e..5650b0ac 100644 ---- a/src/import/libcontainer/rootfs_linux.go -+++ b/src/import/libcontainer/rootfs_linux.go -@@ -13,7 +13,7 @@ import ( - "strings" - "time" - -- "github.com/cyphar/filepath-securejoin" -+ securejoin "github.com/cyphar/filepath-securejoin" - "github.com/mrunalp/fileutils" - "github.com/opencontainers/runc/libcontainer/cgroups" - "github.com/opencontainers/runc/libcontainer/configs" -@@ -197,7 +197,7 @@ func prepareBindMount(m *configs.Mount, rootfs string) error { - if dest, err = 
securejoin.SecureJoin(rootfs, m.Destination); err != nil { - return err - } -- if err := checkMountDestination(rootfs, dest); err != nil { -+ if err := checkProcMount(rootfs, dest, m.Source); err != nil { - return err - } - // update the mount with the correct dest after symlinks are resolved. -@@ -388,7 +388,7 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b - if dest, err = securejoin.SecureJoin(rootfs, m.Destination); err != nil { - return err - } -- if err := checkMountDestination(rootfs, dest); err != nil { -+ if err := checkProcMount(rootfs, dest, m.Source); err != nil { - return err - } - // update the mount with the correct dest after symlinks are resolved. -@@ -435,12 +435,12 @@ func getCgroupMounts(m *configs.Mount) ([]*configs.Mount, error) { - return binds, nil - } - --// checkMountDestination checks to ensure that the mount destination is not over the top of /proc. -+// checkProcMount checks to ensure that the mount destination is not over the top of /proc. - // dest is required to be an abs path and have any symlinks resolved before calling this function. --func checkMountDestination(rootfs, dest string) error { -- invalidDestinations := []string{ -- "/proc", -- } -+// -+// if source is nil, don't stat the filesystem. This is used for restore of a checkpoint. 
-+func checkProcMount(rootfs, dest, source string) error { -+ const procPath = "/proc" - // White list, it should be sub directories of invalid destinations - validDestinations := []string{ - // These entries can be bind mounted by files emulated by fuse, -@@ -463,16 +463,40 @@ func checkMountDestination(rootfs, dest string) error { - return nil - } - } -- for _, invalid := range invalidDestinations { -- path, err := filepath.Rel(filepath.Join(rootfs, invalid), dest) -+ path, err := filepath.Rel(filepath.Join(rootfs, procPath), dest) -+ if err != nil { -+ return err -+ } -+ // pass if the mount path is located outside of /proc -+ if strings.HasPrefix(path, "..") { -+ return nil -+ } -+ if path == "." { -+ // an empty source is pasted on restore -+ if source == "" { -+ return nil -+ } -+ // only allow a mount on-top of proc if it's source is "proc" -+ isproc, err := isProc(source) - if err != nil { - return err - } -- if path != "." && !strings.HasPrefix(path, "..") { -- return fmt.Errorf("%q cannot be mounted because it is located inside %q", dest, invalid) -+ // pass if the mount is happening on top of /proc and the source of -+ // the mount is a proc filesystem -+ if isproc { -+ return nil - } -+ return fmt.Errorf("%q cannot be mounted because it is not of type proc", dest) - } -- return nil -+ return fmt.Errorf("%q cannot be mounted because it is inside /proc", dest) -+} -+ -+func isProc(path string) (bool, error) { -+ var s unix.Statfs_t -+ if err := unix.Statfs(path, &s); err != nil { -+ return false, err -+ } -+ return s.Type == unix.PROC_SUPER_MAGIC, nil - } - - func setupDevSymlinks(rootfs string) error { -diff --git a/libcontainer/rootfs_linux_test.go b/libcontainer/rootfs_linux_test.go -index d755984b..1bfe7c66 100644 ---- a/src/import/libcontainer/rootfs_linux_test.go -+++ b/src/import/libcontainer/rootfs_linux_test.go -@@ -10,7 +10,7 @@ import ( - - func TestCheckMountDestOnProc(t *testing.T) { - dest := "/rootfs/proc/sys" -- err := 
checkMountDestination("/rootfs", dest) -+ err := checkProcMount("/rootfs", dest, "") - if err == nil { - t.Fatal("destination inside proc should return an error") - } -@@ -18,7 +18,7 @@ func TestCheckMountDestOnProc(t *testing.T) { - - func TestCheckMountDestOnProcChroot(t *testing.T) { - dest := "/rootfs/proc/" -- err := checkMountDestination("/rootfs", dest) -+ err := checkProcMount("/rootfs", dest, "/proc") - if err != nil { - t.Fatal("destination inside proc when using chroot should not return an error") - } -@@ -26,7 +26,7 @@ func TestCheckMountDestOnProcChroot(t *testing.T) { - - func TestCheckMountDestInSys(t *testing.T) { - dest := "/rootfs//sys/fs/cgroup" -- err := checkMountDestination("/rootfs", dest) -+ err := checkProcMount("/rootfs", dest, "") - if err != nil { - t.Fatal("destination inside /sys should not return an error") - } -@@ -34,7 +34,7 @@ func TestCheckMountDestInSys(t *testing.T) { - - func TestCheckMountDestFalsePositive(t *testing.T) { - dest := "/rootfs/sysfiles/fs/cgroup" -- err := checkMountDestination("/rootfs", dest) -+ err := checkProcMount("/rootfs", dest, "") - if err != nil { - t.Fatal(err) - } --- -2.17.1 - diff --git a/recipes-containers/runc/runc-docker/0001-runc-Add-console-socket-dev-null.patch b/recipes-containers/runc/runc-docker/0001-runc-Add-console-socket-dev-null.patch index 48c1250..bcf4c10 100644 --- a/recipes-containers/runc/runc-docker/0001-runc-Add-console-socket-dev-null.patch +++ b/recipes-containers/runc/runc-docker/0001-runc-Add-console-socket-dev-null.patch @@ -12,11 +12,11 @@ 
Signed-off-by: Jason Wessel <[email protected]> utils_linux.go | 5 +++++ 1 file changed, 5 insertions(+) -diff --git a/utils_linux.go b/utils_linux.go -index 8085f7fe..e6d31b35 100644 ---- a/src/import/utils_linux.go -+++ b/src/import/utils_linux.go -@@ -227,6 +227,11 @@ type runner struct { +Index: git/src/import/utils_linux.go +=================================================================== +--- git.orig/src/import/utils_linux.go ++++ git/src/import/utils_linux.go +@@ -267,6 +267,11 @@ } func (r *runner) run(config *specs.Process) (int, error) { @@ -25,9 +25,6 @@ index 8085f7fe..e6d31b35 100644 + r.consoleSocket = "" + config.Terminal = false + } - if err := r.checkTerminal(config); err != nil { - r.destroy() - return -1, err --- -2.11.0 - + var err error + defer func() { + if err != nil { diff --git a/recipes-containers/runc/runc-docker/0001-runc-docker-SIGUSR1-daemonize.patch b/recipes-containers/runc/runc-docker/0001-runc-docker-SIGUSR1-daemonize.patch index 0af7495..4350c40 100644 --- a/recipes-containers/runc/runc-docker/0001-runc-docker-SIGUSR1-daemonize.patch +++ b/recipes-containers/runc/runc-docker/0001-runc-docker-SIGUSR1-daemonize.patch @@ -33,15 +33,17 @@ Index: git/src/import/signals.go =================================================================== --- git.orig/src/import/signals.go +++ git/src/import/signals.go -@@ -6,6 +6,7 @@ +@@ -5,7 +5,9 @@ + import ( "os" "os/signal" - "syscall" // only for Signal -+ "strconv" ++ "syscall" // only for Signal ++ "strconv" "github.com/opencontainers/runc/libcontainer" "github.com/opencontainers/runc/libcontainer/system" -@@ -56,9 +57,6 @@ + "github.com/opencontainers/runc/libcontainer/utils" +@@ -55,9 +57,6 @@ func (h *signalHandler) forward(process *libcontainer.Process, tty *tty, detach bool) (int, error) { // make sure we know the pid of our main process so that we can return // after it dies. 
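Review bot: In the signals.go hunk the refreshed patch now adds `"syscall" // only for Signal` itself (the old context line carrying it is removed and two `++` lines add `syscall` and `strconv`), which indicates upstream release-1.0 no longer imports syscall in that file and this patch is reintroducing it. Whatever in the patch body needs it (presumably a SIGUSR1 constant; that code is outside this hunk) could use the `unix` package from golang.org/x/sys that libcontainer already uses, e.g. `unix.SIGUSR1`, so the patch does not pull back a package upstream deliberately dropped. Also `"strconv"` placed after `"syscall"` leaves the import group unsorted, which gofmt would reorder; listing `"strconv"` before `"syscall"` keeps the file gofmt-clean.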
@@ -51,13 +53,14 @@ Index: git/src/import/signals.go pid1, err := process.Pid() if err != nil { -@@ -68,11 +66,60 @@ +@@ -67,12 +66,61 @@ if h.notifySocket != nil { if detach { - h.notifySocket.run(pid1) + _ = h.notifySocket.run(pid1) - return 0, nil } - go h.notifySocket.run(0) + _ = h.notifySocket.run(os.Getpid()) + go func() { _ = h.notifySocket.run(0) }() } + if (detach) { @@ -117,7 +120,7 @@ Index: git/src/import/utils_linux.go =================================================================== --- git.orig/src/import/utils_linux.go +++ git/src/import/utils_linux.go -@@ -347,7 +347,7 @@ +@@ -345,7 +345,7 @@ if err != nil { r.terminate(process) } @@ -125,4 +128,4 @@ Index: git/src/import/utils_linux.go + if (detach && os.Getenv("SIGUSR1_PARENT_PID") == "") { return 0, nil } - r.destroy() + if err == nil { diff --git a/recipes-containers/runc/runc-docker_git.bb b/recipes-containers/runc/runc-docker_git.bb index 42b4cb5..2019ad3 100644 --- a/recipes-containers/runc/runc-docker_git.bb +++ b/recipes-containers/runc/runc-docker_git.bb @@ -2,14 +2,13 @@ include runc.inc # Note: this rev is before the required protocol field, update when all components # have been updated to match. -SRCREV_runc-docker = "425e105d5a03fabd737a126ad93d62a9eeede87f" -SRC_URI = "git://github.com/opencontainers/runc;nobranch=1;name=runc-docker;protocol=https \ +SRCREV_runc-docker = "e0124d569cb2dfe93bd9fb8d7f4ade461e006464" +SRC_URI = "git://github.com/opencontainers/runc;branch=release-1.0;name=runc-docker;protocol=https \ file://0001-runc-Add-console-socket-dev-null.patch \ file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch \ file://0001-runc-docker-SIGUSR1-daemonize.patch \ - file://0001-Only-allow-proc-mount-if-it-is-procfs.patch \ " -RUNC_VERSION = "1.0.0-rc8" +RUNC_VERSION = "1.0.3" CVE_PRODUCT = "runc" diff --git a/recipes-containers/runc/runc-opencontainers_git.bb b/recipes-containers/runc/runc-opencontainers_git.bb index ac6532c..4b1d0a0 100644 
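Review bot: The runc-docker_git.bb hunk drops `file://0001-Only-allow-proc-mount-if-it-is-procfs.patch` from SRC_URI, and the runc-opencontainers_git.bb hunk does the same, but neither the commit message nor the recipes say why the backport can go. The deleted patch is marked `Upstream-Status: Backport` against opencontainers/runc PR 2129 and carries `CVE: CVE-2019-16884`, so with SRCREV moved onto release-1.0 at 1.0.3 the fix should already be in the fetched tree; saying so in the commit message, e.g. `Drop 0001-Only-allow-proc-mount-if-it-is-procfs.patch: the CVE-2019-16884 fix is upstream in release-1.0`, gives cve-check reviewers the trace. It is also worth confirming that `RUNC_VERSION = "1.0.3"` matches the tag SRCREV e0124d569cb2 points at, since that value presumably feeds PV and therefore the version cve-check reports.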
--- a/recipes-containers/runc/runc-opencontainers_git.bb +++ b/recipes-containers/runc/runc-opencontainers_git.bb @@ -1,11 +1,10 @@ include runc.inc -SRCREV = "652297c7c7e6c94e8d064ad5916c32891a6fd388" +SRCREV = "e0124d569cb2dfe93bd9fb8d7f4ade461e006464" SRC_URI = " \ - git://github.com/opencontainers/runc;branch=main;protocol=https \ + git://github.com/opencontainers/runc;branch=release-1.0;protocol=https \ file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch \ - file://0001-Only-allow-proc-mount-if-it-is-procfs.patch \ " -RUNC_VERSION = "1.0.0-rc8" +RUNC_VERSION = "1.0.3" CVE_PRODUCT = "runc" diff --git a/recipes-containers/runc/runc.inc b/recipes-containers/runc/runc.inc index 41ea41b..eb8aa02 100644 --- a/recipes-containers/runc/runc.inc +++ b/recipes-containers/runc/runc.inc @@ -14,11 +14,17 @@ inherit go inherit goarch inherit pkgconfig -PACKAGECONFIG ??= "static" PACKAGECONFIG[seccomp] = "seccomp,,libseccomp" +PACKAGECONFIG[selinux] = "selinux,,libselinux" # This PACKAGECONFIG serves the purpose of whether building runc as static or not PACKAGECONFIG[static] = "" +PACKAGECONFIG ??= "static \ + ${@bb.utils.contains('DISTRO_FEATURES', 'seccomp', 'seccomp', '', d)} \ + ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)} \ + " + + PROVIDES += "virtual/runc" RPROVIDES_${PN} = "virtual/runc" @@ -27,7 +33,12 @@ GO_IMPORT = "import" LIBCONTAINER_PACKAGE="github.com/opencontainers/runc/libcontainer" do_configure[noexec] = "1" -EXTRA_OEMAKE="BUILDTAGS='${PACKAGECONFIG_CONFARGS}' GO=${GO}" + + +DISTRO_BUILDTAGS ?= "${@bb.utils.contains('DISTRO_FEATURES', 'seccomp', 'seccomp', '', d)} \ + ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}" + +EXTRA_OEMAKE="BUILDTAGS='${PACKAGECONFIG_CONFARGS} ${DISTRO_BUILDTAGS}' GO=${GO}" do_compile() { # Set GOPATH. See 'PACKAGERS.md'. Don't rely on -- 2.39.2
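Review bot: In the second runc.inc hunk DISTRO_BUILDTAGS feeds the `seccomp`/`selinux` Go build tags straight from DISTRO_FEATURES into EXTRA_OEMAKE, independently of PACKAGECONFIG, so a user who removes `seccomp` from PACKAGECONFIG (and with it the libseccomp DEPENDS) still gets the seccomp tag and the cgo code that needs libseccomp, while a default build gets the tag twice (once via PACKAGECONFIG_CONFARGS, once via DISTRO_BUILDTAGS). The first hunk's new PACKAGECONFIG default already derives both features from DISTRO_FEATURES, so DISTRO_BUILDTAGS looks redundant; dropping it and keeping `EXTRA_OEMAKE="BUILDTAGS='${PACKAGECONFIG_CONFARGS}' GO=${GO}"` keeps the tag set and the dependency set in one place. If a separate knob is intended for distros that want tags without the PACKAGECONFIG, a comment stating that it overrides PACKAGECONFIG opt-outs would avoid surprises. Separately, with `static` still the default and seccomp now enabled by default where the distro feature is set, the `-extldflags -static` link needs a static libseccomp in the sysroot, which is worth verifying on a seccomp-enabled distro.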
