On Wed, Feb 22, 2023 at 5:41 AM Hugo Simeliere via lists.yoctoproject.org <[email protected]> wrote: > > Bumping runc to last release-1.0. > Upstream based on commit df3cc4955002b5057fba92f1fd8b6fd94af3eb0b >
So this is based off the meta-virt commit you list. Has anything changed from the original ? If nothing has changed, then the original commit message should be maintained, with it noted that the commit is a cherry-pick of commit <x> If something has changed from the original commit, the original commit message should still be maintained, but any differences noted. Bruce > Signed-off-by: Hugo SIMELIERE <[email protected]> > --- > ...-GOBUILDFLAGS-for-runc-and-remove-re.patch | 40 ++-- > ...nly-allow-proc-mount-if-it-is-procfs.patch | 201 ------------------ > ...001-runc-Add-console-socket-dev-null.patch | 19 +- > .../0001-runc-docker-SIGUSR1-daemonize.patch | 21 +- > recipes-containers/runc/runc-docker_git.bb | 7 +- > .../runc/runc-opencontainers_git.bb | 7 +- > recipes-containers/runc/runc.inc | 15 +- > 7 files changed, 60 insertions(+), 250 deletions(-) > delete mode 100644 > recipes-containers/runc/files/0001-Only-allow-proc-mount-if-it-is-procfs.patch > > diff --git > a/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch > > b/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch > index 94cbb4c..c855d7b 100644 > --- > a/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch > +++ > b/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch > @@ -1,35 +1,37 @@ > -From d2c47a973f354ffd505bb4e809c59e57b543726d Mon Sep 17 00:00:00 2001 > -From: Chen Qi <[email protected]> > -Date: Tue, 6 Aug 2019 19:01:45 +0800 > +From 0fe50d2ca4517f5e3070585040f35ace413acd44 Mon Sep 17 00:00:00 2001 > +From: Bruce Ashfield <[email protected]> > +Date: Tue, 24 Aug 2021 11:38:23 -0400 > Subject: [PATCH] Makefile: respect GOBUILDFLAGS for runc and remove recvtty > from static 
> > Signed-off-by: Chen Qi <[email protected]> > +[bva: refreshed for release 1.0.2] > +Signed-off-by: Bruce Ashfield <[email protected]> > --- > Makefile | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > -diff --git a/Makefile b/Makefile > -index 0f26a1c8..a0c6b40b 100644 > +diff --git a/src/import/Makefile b/src/import/Makefile > +index efbddf0d..4b174c80 100644 > --- a/src/import/Makefile 
> +++ b/src/import/Makefile > -@@ -30,7 +30,7 @@ SHELL := $(shell command -v bash 2>/dev/null) > - .DEFAULT: runc > +@@ -24,7 +24,7 @@ ifeq ($(shell $(GO) env GOOS),linux) > + endif > + endif > + endif > +-GO_BUILD := $(GO) build -trimpath $(MOD_VENDOR) $(GO_BUILDMODE) > $(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \ > ++GO_BUILD := $(GO) build $(GOBUILDFLAGS) -trimpath $(MOD_VENDOR) > $(GO_BUILDMODE) $(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \ > + -ldflags "-X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) > $(EXTRA_LDFLAGS)" > + GO_BUILD_STATIC := CGO_ENABLED=1 $(GO) build -trimpath $(MOD_VENDOR) > $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo" \ > + -ldflags "-extldflags -static -X main.gitCommit=$(COMMIT) -X > main.version=$(VERSION) $(EXTRA_LDFLAGS)" > +@@ -41,7 +41,6 @@ recvtty: > > - runc: $(SOURCES) > -- $(GO) build -buildmode=pie $(EXTRA_FLAGS) -ldflags "-X > main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)" -tags > "$(BUILDTAGS)" -o runc . > -+ $(GO) build $(GOBUILDFLAGS) $(EXTRA_FLAGS) -ldflags "-X > main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)" -tags > "$(BUILDTAGS)" -o runc . > - > - all: runc recvtty > - > -@@ -41,7 +41,6 @@ contrib/cmd/recvtty/recvtty: $(SOURCES) > - > - static: $(SOURCES) > - CGO_ENABLED=1 $(GO) build $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo > osusergo static_build" -installsuffix netgo -ldflags "-w -extldflags -static > -X main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)" -o > runc . > -- CGO_ENABLED=1 $(GO) build $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo > osusergo static_build" -installsuffix netgo -ldflags "-w -extldflags -static > -X main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)" -o > contrib/cmd/recvtty/recvtty ./contrib/cmd/recvtty > + static: > + $(GO_BUILD_STATIC) -o runc . > +- $(GO_BUILD_STATIC) -o contrib/cmd/recvtty/recvtty ./contrib/cmd/recvtty > > release: > script/release.sh -r release/$(VERSION) -v $(VERSION) > -- > -2.17.1 > +2.19.1 
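Review bot: The refreshed hunk adds `$(GOBUILDFLAGS)` to `GO_BUILD` only, while the `GO_BUILD_STATIC` line shown as context right below it still reads `CGO_ENABLED=1 $(GO) build -trimpath $(MOD_VENDOR) ...` without it. The recipe default in this same series keeps `static` in PACKAGECONFIG, so the `static` target is presumably the one the Yocto build runs, and the flags the go class places in GOBUILDFLAGS would then not reach the binary actually shipped — worth confirming against do_compile, which is outside these hunks. If that is intended, the patch subject ("respect GOBUILDFLAGS for runc") should say it covers the dynamic build only; otherwise the context line should become `GO_BUILD_STATIC := CGO_ENABLED=1 $(GO) build $(GOBUILDFLAGS) -trimpath $(MOD_VENDOR) $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo" \`. The second hunk only drops the recvtty static build as the old patch did, so its substance is unchanged.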
> > diff --git > a/recipes-containers/runc/files/0001-Only-allow-proc-mount-if-it-is-procfs.patch > > b/recipes-containers/runc/files/0001-Only-allow-proc-mount-if-it-is-procfs.patch > deleted file mode 100644 > index 5aca99e..0000000 > --- > a/recipes-containers/runc/files/0001-Only-allow-proc-mount-if-it-is-procfs.patch > +++ /dev/null 
> @@ -1,201 +0,0 @@ > -From d75b05441772417a0828465a9483f16287937724 Mon Sep 17 00:00:00 2001 > -From: Michael Crosby <[email protected]> > -Date: Mon, 23 Sep 2019 16:45:45 -0400 > -Subject: [PATCH] Only allow proc mount if it is procfs > - > -Fixes #2128 > - > -This allows proc to be bind mounted for host and rootless namespace usecases > but > -it removes the ability to mount over the top of proc with a directory. > - > -```bash > -> sudo docker run --rm apparmor > -docker: Error response from daemon: OCI runtime create failed: > -container_linux.go:346: starting container process caused > "process_linux.go:449: > -container init caused \"rootfs_linux.go:58: mounting > -\\\"/var/lib/docker/volumes/aae28ea068c33d60e64d1a75916cf3ec2dc3634f97571854c9ed30c8401460c1/_data\\\" > -to rootfs > -\\\"/var/lib/docker/overlay2/a6be5ae911bf19f8eecb23a295dec85be9a8ee8da66e9fb55b47c841d1e381b7/merged\\\" > -at \\\"/proc\\\" caused > -\\\"\\\\\\\"/var/lib/docker/overlay2/a6be5ae911bf19f8eecb23a295dec85be9a8ee8da66e9fb55b47c841d1e381b7/merged/proc\\\\\\\" > -cannot be mounted because it is not of type proc\\\"\"": unknown. > - > -> sudo docker run --rm -v /proc:/proc apparmor > - > -docker-default (enforce) root 18989 0.9 0.0 1288 4 ? 
> -Ss 16:47 0:00 sleep 20 > -``` > - > -Signed-off-by: Michael Crosby <[email protected]> > - > -Upstream-Status: Backport > [https://github.com/opencontainers/runc/pull/2129/commits/331692baa7afdf6c186f8667cb0e6362ea0802b3] > - > -CVE: CVE-2019-16884 > - > -Signed-off-by: Chen Qi <[email protected]> > ---- > - libcontainer/container_linux.go | 4 +-- > - libcontainer/rootfs_linux.go | 50 +++++++++++++++++++++++-------- > - libcontainer/rootfs_linux_test.go | 8 ++--- > - 3 files changed, 43 insertions(+), 19 deletions(-) > - > -diff --git a/libcontainer/container_linux.go > b/libcontainer/container_linux.go > -index 7e58e5e0..d51e35df 100644 > ---- a/src/import/libcontainer/container_linux.go > -+++ b/src/import/libcontainer/container_linux.go > -@@ -19,7 +19,7 @@ import ( > - "syscall" // only for SysProcAttr and Signal > - "time" > - > -- "github.com/cyphar/filepath-securejoin" > -+ securejoin "github.com/cyphar/filepath-securejoin" > - "github.com/opencontainers/runc/libcontainer/cgroups" > - "github.com/opencontainers/runc/libcontainer/configs" > - "github.com/opencontainers/runc/libcontainer/intelrdt" > -@@ -1160,7 +1160,7 @@ func (c *linuxContainer) makeCriuRestoreMountpoints(m > *configs.Mount) error { > - if err != nil { > - return err > - } > -- if err := checkMountDestination(c.config.Rootfs, dest); err != > nil { > -+ if err := checkProcMount(c.config.Rootfs, dest, ""); err != nil { > - return err > - } > - m.Destination = dest > -diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go > -index f13b226e..5650b0ac 100644 > ---- a/src/import/libcontainer/rootfs_linux.go > -+++ b/src/import/libcontainer/rootfs_linux.go > -@@ -13,7 +13,7 @@ import ( > - "strings" > - "time" > - > -- "github.com/cyphar/filepath-securejoin" > -+ securejoin "github.com/cyphar/filepath-securejoin" > - "github.com/mrunalp/fileutils" > - "github.com/opencontainers/runc/libcontainer/cgroups" > - "github.com/opencontainers/runc/libcontainer/configs" > -@@ -197,7 
+197,7 @@ func prepareBindMount(m *configs.Mount, rootfs string) > error { > - if dest, err = securejoin.SecureJoin(rootfs, m.Destination); err != nil > { > - return err > - } > -- if err := checkMountDestination(rootfs, dest); err != nil { > -+ if err := checkProcMount(rootfs, dest, m.Source); err != nil { > - return err > - } > - // update the mount with the correct dest after symlinks are resolved. > -@@ -388,7 +388,7 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel > string, enableCgroupns b > - if dest, err = securejoin.SecureJoin(rootfs, m.Destination); err > != nil { > - return err > - } > -- if err := checkMountDestination(rootfs, dest); err != nil { > -+ if err := checkProcMount(rootfs, dest, m.Source); err != nil { > - return err > - } > - // update the mount with the correct dest after symlinks are > resolved. > -@@ -435,12 +435,12 @@ func getCgroupMounts(m *configs.Mount) > ([]*configs.Mount, error) { > - return binds, nil > - } > - > --// checkMountDestination checks to ensure that the mount destination is not > over the top of /proc. > -+// checkProcMount checks to ensure that the mount destination is not over > the top of /proc. > - // dest is required to be an abs path and have any symlinks resolved before > calling this function. > --func checkMountDestination(rootfs, dest string) error { > -- invalidDestinations := []string{ > -- "/proc", > -- } > -+// > -+// if source is nil, don't stat the filesystem. This is used for restore > of a checkpoint. 
> -+func checkProcMount(rootfs, dest, source string) error { > -+ const procPath = "/proc" > - // White list, it should be sub directories of invalid destinations > - validDestinations := []string{ > - // These entries can be bind mounted by files emulated by fuse, > -@@ -463,16 +463,40 @@ func checkMountDestination(rootfs, dest string) error { > - return nil > - } > - } > -- for _, invalid := range invalidDestinations { > -- path, err := filepath.Rel(filepath.Join(rootfs, invalid), dest) > -+ path, err := filepath.Rel(filepath.Join(rootfs, procPath), dest) > -+ if err != nil { > -+ return err > -+ } > -+ // pass if the mount path is located outside of /proc > -+ if strings.HasPrefix(path, "..") { > -+ return nil > -+ } > -+ if path == "." { > -+ // an empty source is pasted on restore > -+ if source == "" { > -+ return nil > -+ } > -+ // only allow a mount on-top of proc if it's source is "proc" > -+ isproc, err := isProc(source) > - if err != nil { > - return err > - } > -- if path != "." 
&& !strings.HasPrefix(path, "..") { > -- return fmt.Errorf("%q cannot be mounted because it is > located inside %q", dest, invalid) > -+ // pass if the mount is happening on top of /proc and the source > of > -+ // the mount is a proc filesystem > -+ if isproc { > -+ return nil > - } > -+ return fmt.Errorf("%q cannot be mounted because it is not of type > proc", dest) > - } > -- return nil > -+ return fmt.Errorf("%q cannot be mounted because it is inside /proc", > dest) > -+} > -+ > -+func isProc(path string) (bool, error) { > -+ var s unix.Statfs_t > -+ if err := unix.Statfs(path, &s); err != nil { > -+ return false, err > -+ } > -+ return s.Type == unix.PROC_SUPER_MAGIC, nil > - } > - > - func setupDevSymlinks(rootfs string) error { > -diff --git a/libcontainer/rootfs_linux_test.go > b/libcontainer/rootfs_linux_test.go > -index d755984b..1bfe7c66 100644 > ---- a/src/import/libcontainer/rootfs_linux_test.go > -+++ b/src/import/libcontainer/rootfs_linux_test.go > -@@ -10,7 +10,7 @@ import ( > - > - func TestCheckMountDestOnProc(t *testing.T) { > - dest := "/rootfs/proc/sys" > -- err := checkMountDestination("/rootfs", dest) > -+ err := checkProcMount("/rootfs", dest, "") > - if err == nil { > - t.Fatal("destination inside proc should return an error") > - } > -@@ -18,7 +18,7 @@ func TestCheckMountDestOnProc(t *testing.T) { > - > - func TestCheckMountDestOnProcChroot(t *testing.T) { > - dest := "/rootfs/proc/" > -- err := checkMountDestination("/rootfs", dest) > -+ err := checkProcMount("/rootfs", dest, "/proc") > - if err != nil { > - t.Fatal("destination inside proc when using chroot should not > return an error") > - } > -@@ -26,7 +26,7 @@ func TestCheckMountDestOnProcChroot(t *testing.T) { > - > - func TestCheckMountDestInSys(t *testing.T) { > - dest := "/rootfs//sys/fs/cgroup" > -- err := checkMountDestination("/rootfs", dest) > -+ err := checkProcMount("/rootfs", dest, "") > - if err != nil { > - t.Fatal("destination inside /sys should not return an error") > 
- } > -@@ -34,7 +34,7 @@ func TestCheckMountDestInSys(t *testing.T) { > - > - func TestCheckMountDestFalsePositive(t *testing.T) { > - dest := "/rootfs/sysfiles/fs/cgroup" > -- err := checkMountDestination("/rootfs", dest) > -+ err := checkProcMount("/rootfs", dest, "") > - if err != nil { > - t.Fatal(err) > - } > --- > -2.17.1 > - > diff --git > a/recipes-containers/runc/runc-docker/0001-runc-Add-console-socket-dev-null.patch > > b/recipes-containers/runc/runc-docker/0001-runc-Add-console-socket-dev-null.patch > index 48c1250..bcf4c10 100644 > --- > a/recipes-containers/runc/runc-docker/0001-runc-Add-console-socket-dev-null.patch > +++ > b/recipes-containers/runc/runc-docker/0001-runc-Add-console-socket-dev-null.patch > @@ -12,11 +12,11 @@ Signed-off-by: Jason Wessel <[email protected]> > utils_linux.go | 5 +++++ > 1 file changed, 5 insertions(+) > > -diff --git a/utils_linux.go b/utils_linux.go > -index 8085f7fe..e6d31b35 100644 > ---- a/src/import/utils_linux.go > -+++ b/src/import/utils_linux.go > -@@ -227,6 +227,11 @@ type runner struct { > +Index: git/src/import/utils_linux.go > +=================================================================== > +--- git.orig/src/import/utils_linux.go > ++++ git/src/import/utils_linux.go > +@@ -267,6 +267,11 @@ > } > > func (r *runner) run(config *specs.Process) (int, error) { > @@ -25,9 +25,6 @@ index 8085f7fe..e6d31b35 100644 > + r.consoleSocket = "" > + config.Terminal = false > + } > - if err := r.checkTerminal(config); err != nil { > - r.destroy() > - return -1, err > --- > -2.11.0 > - > + var err error > + defer func() { > + if err != nil { > diff --git > a/recipes-containers/runc/runc-docker/0001-runc-docker-SIGUSR1-daemonize.patch > > b/recipes-containers/runc/runc-docker/0001-runc-docker-SIGUSR1-daemonize.patch > index 0af7495..4350c40 100644 > --- > a/recipes-containers/runc/runc-docker/0001-runc-docker-SIGUSR1-daemonize.patch > +++ > b/recipes-containers/runc/runc-docker/0001-runc-docker-SIGUSR1-daemonize.patch 
> @@ -33,15 +33,17 @@ Index: git/src/import/signals.go > =================================================================== > --- git.orig/src/import/signals.go > +++ git/src/import/signals.go > -@@ -6,6 +6,7 @@ > +@@ -5,7 +5,9 @@ > + import ( > "os" > "os/signal" > - "syscall" // only for Signal > -+ "strconv" > ++ "syscall" // only for Signal > > ++ "strconv" > "github.com/opencontainers/runc/libcontainer" > "github.com/opencontainers/runc/libcontainer/system" > -@@ -56,9 +57,6 @@ > + "github.com/opencontainers/runc/libcontainer/utils" > +@@ -55,9 +57,6 @@ > func (h *signalHandler) forward(process *libcontainer.Process, tty *tty, > detach bool) (int, error) { > // make sure we know the pid of our main process so that we can return > // after it dies. > @@ -51,13 +53,14 @@ Index: git/src/import/signals.go > > pid1, err := process.Pid() > if err != nil { > -@@ -68,11 +66,60 @@ > +@@ -67,12 +66,61 @@ > if h.notifySocket != nil { > if detach { > - h.notifySocket.run(pid1) > + _ = h.notifySocket.run(pid1) > - return 0, nil > } > - go h.notifySocket.run(0) > + _ = h.notifySocket.run(os.Getpid()) > + go func() { _ = h.notifySocket.run(0) }() > } > > + if (detach) { > @@ -117,7 +120,7 @@ Index: git/src/import/utils_linux.go > =================================================================== > --- git.orig/src/import/utils_linux.go > +++ git/src/import/utils_linux.go > -@@ -347,7 +347,7 @@ > +@@ -345,7 +345,7 @@ > if err != nil { > r.terminate(process) > } > @@ -125,4 +128,4 @@ Index: git/src/import/utils_linux.go > + if (detach && os.Getenv("SIGUSR1_PARENT_PID") == "") { > return 0, nil > } > - r.destroy() > + if err == nil { > diff --git a/recipes-containers/runc/runc-docker_git.bb > b/recipes-containers/runc/runc-docker_git.bb > index 42b4cb5..2019ad3 100644 > --- a/recipes-containers/runc/runc-docker_git.bb > +++ b/recipes-containers/runc/runc-docker_git.bb 
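Review bot: In the refreshed signals.go import hunk, `++ "strconv"` is placed below the blank line, inside the github.com/opencontainers group, while `++ "syscall" // only for Signal` goes into the standard-library group above it. gofmt sorts entries within a group but never moves them across the blank separator, so the stdlib import stays misfiled in the third-party block. Move the `"strconv"` line up next to `"syscall"`. The `forward` function the later hunks touch begins and ends outside what is quoted here.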
> @@ -2,14 +2,13 @@ include runc.inc > > # Note: this rev is before the required protocol field, update when all > components > # have been updated to match. > -SRCREV_runc-docker = "425e105d5a03fabd737a126ad93d62a9eeede87f" > -SRC_URI = > "git://github.com/opencontainers/runc;nobranch=1;name=runc-docker;protocol=https > \ > +SRCREV_runc-docker = "e0124d569cb2dfe93bd9fb8d7f4ade461e006464" > +SRC_URI = > "git://github.com/opencontainers/runc;branch=release-1.0;name=runc-docker;protocol=https > \ > file://0001-runc-Add-console-socket-dev-null.patch \ > > file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch \ > file://0001-runc-docker-SIGUSR1-daemonize.patch \ > - file://0001-Only-allow-proc-mount-if-it-is-procfs.patch \ > " > > -RUNC_VERSION = "1.0.0-rc8" > +RUNC_VERSION = "1.0.3" > > CVE_PRODUCT = "runc" > diff --git a/recipes-containers/runc/runc-opencontainers_git.bb > b/recipes-containers/runc/runc-opencontainers_git.bb > index ac6532c..4b1d0a0 100644 > --- a/recipes-containers/runc/runc-opencontainers_git.bb > +++ b/recipes-containers/runc/runc-opencontainers_git.bb > @@ -1,11 +1,10 @@ > include runc.inc > > -SRCREV = "652297c7c7e6c94e8d064ad5916c32891a6fd388" > +SRCREV = "e0124d569cb2dfe93bd9fb8d7f4ade461e006464" > SRC_URI = " \ > - git://github.com/opencontainers/runc;branch=main;protocol=https \ > + git://github.com/opencontainers/runc;branch=release-1.0;protocol=https \ > file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch \ > - file://0001-Only-allow-proc-mount-if-it-is-procfs.patch \ > " > -RUNC_VERSION = "1.0.0-rc8" > +RUNC_VERSION = "1.0.3" > > CVE_PRODUCT = "runc" > diff --git a/recipes-containers/runc/runc.inc > b/recipes-containers/runc/runc.inc > index 41ea41b..eb8aa02 100644 > --- a/recipes-containers/runc/runc.inc > +++ b/recipes-containers/runc/runc.inc 
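Review bot: Both recipe hunks remove `file://0001-Only-allow-proc-mount-if-it-is-procfs.patch`, the CVE-2019-16884 backport, from SRC_URI — here and in the runc-opencontainers_git.bb hunk — but neither the commit message nor the recipes record that the new SRCREV on release-1.0 already contains that fix. With `CVE_PRODUCT = "runc"` kept and RUNC_VERSION moved to 1.0.3, cve-check will presumably consider the CVE closed by version, yet a reviewer cannot confirm that from the diff; the message should name where the fix landed upstream, or the patch should stay until that is confirmed. In the runc-docker hunk the retained comment `# Note: this rev is before the required protocol field, update when all components have been updated to match.` now sits above a SRCREV identical to runc-opencontainers', so it is stale and should be dropped or rewritten.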
> @@ -14,11 +14,17 @@ inherit go > inherit goarch > inherit pkgconfig > > -PACKAGECONFIG ??= "static" > PACKAGECONFIG[seccomp] = "seccomp,,libseccomp" > +PACKAGECONFIG[selinux] = "selinux,,libselinux" > # This PACKAGECONFIG serves the purpose of whether building runc as static > or not > PACKAGECONFIG[static] = "" > > +PACKAGECONFIG ??= "static \ > + ${@bb.utils.contains('DISTRO_FEATURES', 'seccomp', > 'seccomp', '', d)} \ > + ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', > 'selinux', '', d)} \ > + " > + > + > PROVIDES += "virtual/runc" > RPROVIDES_${PN} = "virtual/runc" > > @@ -27,7 +33,12 @@ GO_IMPORT = "import" > LIBCONTAINER_PACKAGE="github.com/opencontainers/runc/libcontainer" > > do_configure[noexec] = "1" > -EXTRA_OEMAKE="BUILDTAGS='${PACKAGECONFIG_CONFARGS}' GO=${GO}" > + > + > +DISTRO_BUILDTAGS ?= "${@bb.utils.contains('DISTRO_FEATURES', 'seccomp', > 'seccomp', '', d)} \ > + ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', > 'selinux', '', d)}" > + > +EXTRA_OEMAKE="BUILDTAGS='${PACKAGECONFIG_CONFARGS} ${DISTRO_BUILDTAGS}' > GO=${GO}" > > do_compile() { > # Set GOPATH. See 'PACKAGERS.md'. Don't rely on > -- > 2.39.2 > > > > -- - Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end - "Use the force Harry" - Gandalf, Star Trek II
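Review bot: `DISTRO_BUILDTAGS` in the second runc.inc hunk re-derives the `seccomp`/`selinux` tags from DISTRO_FEATURES even though the new `PACKAGECONFIG ??=` default in the first hunk already selects the same two options, so BUILDTAGS carries each tag twice by default. Worse, a user who removes `seccomp` from PACKAGECONFIG still gets the build tag but loses the `libseccomp` dependency declared by `PACKAGECONFIG[seccomp]`, which is the situation PACKAGECONFIG exists to prevent. Dropping DISTRO_BUILDTAGS and keeping `EXTRA_OEMAKE="BUILDTAGS='${PACKAGECONFIG_CONFARGS}' GO=${GO}"` gives one source of truth; if the override is deliberate, a comment above `DISTRO_BUILDTAGS ?=` should say why. The hunk also introduces two consecutive blank lines in both places, and `do_compile()` continues past the end of the hunk.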
