.github/workflows/test.yml

@@ -28,7 +28,6 @@ jobs:
         rootless: ["rootless", ""]
         race: ["-race", ""]
         criu: ["", "criu-dev"]
-        dmz: ["", "runc_nodmz"]
         exclude:
           # Disable most of criu-dev jobs, as they are expensive
           # (need to compile criu) and don't add much value/coverage.
@@ -38,26 +37,12 @@ jobs:
             rootless: rootless
           - criu: criu-dev
             race: -race
-          - criu: criu-dev
-            dmz: runc_nodmz
-          # Disable most of runc_nodmz jobs, as they don't add much value
-          # (as dmz is disabled by default anyway).
-          - dmz: runc_nodmz
-            os: ubuntu-20.04
-          - dmz: runc_nodmz
-            go-version: 1.22.x
-          - dmz: runc_nodmz
-            rootless: rootless
-          - dmz: runc_nodmz
-            race: -race
           - go-version: 1.22.x
             os: actuated-arm64-6cpu-8gb
           - race: "-race"
             os: actuated-arm64-6cpu-8gb
           - criu: criu-dev
             os: actuated-arm64-6cpu-8gb
-          - dmz: runc_nodmz
-            os: actuated-arm64-6cpu-8gb
 
     runs-on: ${{ matrix.os }}
 
@@ -150,8 +135,6 @@ jobs:
         check-latest: true
 
     - name: build
-      env:
-        EXTRA_BUILDTAGS: ${{ matrix.dmz }}
       run: sudo -E PATH="$PATH" make EXTRA_FLAGS="${{ matrix.race }}" all
 
     - name: Setup Bats and bats libs
@@ -171,8 +154,6 @@ jobs:
 
     - name: unit test
       if: matrix.rootless != 'rootless'
-      env:
-        EXTRA_BUILDTAGS: ${{ matrix.dmz }}
       run: sudo -E PATH="$PATH" -- make TESTFLAGS="${{ matrix.race }}" localunittest
 
     - name: add rootless user
@@ -209,8 +190,6 @@ jobs:
     timeout-minutes: 15
     strategy:
       fail-fast: false
-      matrix:
-        dmz: ["", "runc_nodmz"]
     runs-on: ubuntu-22.04
 
     steps:
@@ -234,8 +213,6 @@ jobs:
         check-latest: true
 
     - name: unit test
-      env:
-        EXTRA_BUILDTAGS: ${{ matrix.dmz }}
       run: sudo -E PATH="$PATH" -- make GOARCH=386 localunittest
 
   all-done:

.golangci-extra.yml

@@ -7,7 +7,6 @@
 run:
   build-tags:
     - seccomp
-    - runc_nodmz
 
 linters:
   disable-all: true

.golangci.yml

@@ -3,7 +3,6 @@
 run:
   build-tags:
     - seccomp
-    - runc_nodmz
 
 linters:
   enable:

CHANGELOG.md

@@ -300,6 +300,31 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 [cve-2019-5736]: https://github.com/advisories/GHSA-gxmr-w5mj-v8hh
 
+## [1.1.15] - 2024-10-07
+
+> How, dear sir, did you cross the flood? By not stopping, friend, and by not
+> straining I crossed the flood.
+
+### Fixed
+
+ * The `-ENOSYS` seccomp stub is now always generated for the native
+   architecture that `runc` is running on. This is needed to work around some
+   arguably specification-incompliant behaviour from Docker on architectures
+   such as ppc64le, where the allowed architecture list is set to `null`. This
+   ensures that we always generate at least one `-ENOSYS` stub for the native
+   architecture even with these weird configs. (#4391)
+ * On a system with older kernel, reading `/proc/self/mountinfo` may skip some
+   entries, as a consequence runc may not properly set mount propagation,
+   causing container mounts leak onto the host mount namespace. (#2404, #4425)
+
+### Removed
+
+ * In order to fix performance issues in the "lightweight" bindfd protection
+   against [CVE-2019-5736], the temporary `ro` bind-mount of `/proc/self/exe`
+   has been removed. runc now creates a binary copy in all cases. (#4392, #2532)
+
+[CVE-2019-5736]: https://www.openwall.com/lists/oss-security/2019/02/11/2
+
 ## [1.1.14] - 2024-09-03
 
 > 年を取っていいことは、驚かなくなることね。
@@ -856,7 +881,8 @@ implementation (libcontainer) is *not* covered by this policy.
 [1.0.1]: https://github.com/opencontainers/runc/compare/v1.0.0...v1.0.1
 
 <!-- 1.1.z patch releases -->
-[Unreleased 1.1.z]: https://github.com/opencontainers/runc/compare/v1.1.14...release-1.1
+[Unreleased 1.1.z]: https://github.com/opencontainers/runc/compare/v1.1.15...release-1.1
+[1.1.15]: https://github.com/opencontainers/runc/compare/v1.1.14...v1.1.15
 [1.1.14]: https://github.com/opencontainers/runc/compare/v1.1.13...v1.1.14
 [1.1.13]: https://github.com/opencontainers/runc/compare/v1.1.12...v1.1.13
 [1.1.12]: https://github.com/opencontainers/runc/compare/v1.1.11...v1.1.12

Makefile

@@ -3,9 +3,6 @@ SHELL = /bin/bash
 CONTAINER_ENGINE := docker
 GO ?= go
 
-# Get CC values for cross-compilation.
-include cc_platform.mk
-
 PREFIX ?= /usr/local
 BINDIR := $(PREFIX)/sbin
 MANDIR := $(PREFIX)/share/man
@@ -73,10 +70,10 @@ endif
 .DEFAULT: runc
 
 .PHONY: runc
-runc: runc-bin verify-dmz-arch
+runc: runc-bin
 
 .PHONY: runc-bin
-runc-bin: runc-dmz
+runc-bin:
 	$(GO_BUILD) -o runc .
 
 .PHONY: all
@@ -92,7 +89,7 @@ recvtty sd-helper seccompagent fs-idmap pidfd-kill remap-rootfs:
 
 .PHONY: clean
 clean:
-	rm -f runc runc-* libcontainer/dmz/binary/runc-dmz
+	rm -f runc runc-*
 	rm -f contrib/cmd/memfd-bind/memfd-bind
 	rm -f tests/cmd/recvtty/recvtty
 	rm -f tests/cmd/sd-helper/sd-helper
@@ -104,17 +101,12 @@ clean:
 	rm -rf man/man8
 
 .PHONY: static
-static: static-bin verify-dmz-arch
+static: static-bin
 
 .PHONY: static-bin
-static-bin: runc-dmz
+static-bin:
 	$(GO_BUILD_STATIC) -o runc .
 
-.PHONY: runc-dmz
-runc-dmz:
-	rm -f libcontainer/dmz/binary/runc-dmz
-	$(GO) generate -tags "$(BUILDTAGS)" ./libcontainer/dmz
-
 .PHONY: releaseall
 releaseall: RELEASE_ARGS := "-a 386 -a amd64 -a arm64 -a armel -a armhf -a ppc64le -a riscv64 -a s390x"
 releaseall: release
@@ -254,16 +246,6 @@ verify-dependencies: vendor
 		|| (echo -e "git status:\n $$(git status -- go.mod go.sum vendor/)\nerror: vendor/, go.mod and/or go.sum not up to date. Run \"make vendor\" to update"; exit 1) \
 		&& echo "all vendor files are up to date."
 
-.PHONY: verify-dmz-arch
-verify-dmz-arch:
-	@if test -s libcontainer/dmz/binary/runc-dmz; then \
-		set -Eeuo pipefail; \
-		export LC_ALL=C; \
-		diff -u \
-			<(readelf -h runc | grep -E "(Machine|Flags):") \
-			<(readelf -h libcontainer/dmz/binary/runc-dmz | grep -E "(Machine|Flags):"); \
-	fi
-
 .PHONY: validate-keyring
 validate-keyring:
 	script/keyring_validate.sh

README.md

@@ -106,15 +106,14 @@ make BUILDTAGS=""
 | Build Tag     | Feature                               | Enabled by Default | Dependencies        |
 |---------------|---------------------------------------|--------------------|---------------------|
 | `seccomp`     | Syscall filtering using `libseccomp`. | yes                | `libseccomp`        |
-| `!runc_nodmz` | Reduce memory usage for CVE-2019-5736 protection by using a small C binary, [see `memfd-bind` for more details][contrib-memfd-bind]. `runc_nodmz` disables this **experimental feature** and causes runc to use a different protection mechanism which will further increases memory usage temporarily during container startup. To enable this feature you also need to set the `RUNC_DMZ=true` environment variable. | yes ||
 
 The following build tags were used earlier, but are now obsoleted:
+ - **runc_nodmz** (since runc v1.2.1 runc dmz binary is dropped)
  - **nokmem** (since runc v1.0.0-rc94 kernel memory settings are ignored)
  - **apparmor** (since runc v1.0.0-rc93 the feature is always enabled)
  - **selinux**  (since runc v1.0.0-rc93 the feature is always enabled)
 
  [contrib-memfd-bind]: /contrib/cmd/memfd-bind/README.md
- [dmz README]: /libcontainer/dmz/README.md
 
 ### Running the test suite
 

contrib/cmd/memfd-bind/README.md

@@ -1,8 +1,8 @@
 ## memfd-bind ##
 
-`runc` normally has to make a binary copy of itself (or of a smaller helper
-binary called `runc-dmz`) when constructing a container process in order to
-defend against certain container runtime attacks such as CVE-2019-5736.
+`runc` normally has to make a binary copy of itself when constructing a
+container process in order to defend against certain container runtime attacks
+such as CVE-2019-5736.
 
 This cloned binary only exists until the container process starts (this means
 for `runc run` and `runc exec`, it only exists for a few hundred milliseconds
@@ -34,15 +34,6 @@ much memory usage they can use:
 * `memfd-bind` only creates a single in-memory copy of the `runc` binary (about
   10MB), regardless of how many containers are running.
 
-* `runc-dmz` is (depending on which libc it was compiled with) between 10kB and
-  1MB in size, and a copy is created once per process spawned inside a
-  container by runc (both the pid1 and every `runc exec`). The `RUNC_DMZ=true`
-  environment variable needs to be set to opt-in. There are circumstances where
-  using `runc-dmz` will fail in ways that runc cannot predict ahead of time (such
-  as restrictive LSMs applied to containers).  `runc-dmz` also requires an
-  additional `execve` over the other options, though since the binary is so small
-  the cost is probably not even noticeable.
-
 * The classic method of making a copy of the entire `runc` binary during
   container process setup takes up about 10MB per process spawned inside the
   container by runc (both pid1 and `runc exec`).

docs/experimental.md

@@ -6,3 +6,4 @@ Feature                                  | Experimental release | Graduation rel
 ---------------------------------------- | -------------------- | ------------------
 cgroup v2                                | v1.0.0-rc91          | v1.0.0-rc93
 The `runc features` command              | v1.1.0               | v1.2.0
+runc-dmz                                 | v1.2.0-rc1           | Dropped in v1.2.1