base repository: opencontainers/runc
base: 3563055cc765c78b333a41e2acdcda095d04a2a6
head repository: opencontainers/runc
compare: a99f0a83cbbde0de6dfdbe2e8e500942f090bf84
Showing with 57 additions and 5,548 deletions.
  1. +0 −23 .github/workflows/test.yml
  2. +0 −1 .golangci-extra.yml
  3. +0 −1 .golangci.yml
  4. +27 −1 CHANGELOG.md
  5. +5 −23 Makefile
  6. +1 −2 README.md
  7. +0 −61 cc_platform.mk
  8. +3 −12 contrib/cmd/memfd-bind/README.md
  9. +1 −0 docs/experimental.md
  10. +12 −82 libcontainer/container_linux.go
  11. +0 −19 libcontainer/dmz/Makefile
  12. +0 −18 libcontainer/dmz/README.md
  13. +0 −27 libcontainer/dmz/_dmz.c
  14. +0 −1 libcontainer/dmz/binary/.gitignore
  15. 0 libcontainer/dmz/binary/dummy-file.txt
  16. +0 −9 libcontainer/dmz/dmz.go
  17. +0 −1 libcontainer/dmz/dmz_fallback_linux.go
  18. +0 −76 libcontainer/dmz/dmz_linux.go
  19. +0 −11 libcontainer/dmz/dmz_unsupported.go
  20. +0 −5 libcontainer/dmz/linux/README.md
  21. +0 −194 libcontainer/dmz/linux/stat.h
  22. +0 −157 libcontainer/dmz/nolibc/arch-aarch64.h
  23. +0 −199 libcontainer/dmz/nolibc/arch-arm.h
  24. +0 −178 libcontainer/dmz/nolibc/arch-i386.h
  25. +0 −164 libcontainer/dmz/nolibc/arch-loongarch.h
  26. +0 −195 libcontainer/dmz/nolibc/arch-mips.h
  27. +0 −221 libcontainer/dmz/nolibc/arch-powerpc.h
  28. +0 −160 libcontainer/dmz/nolibc/arch-riscv.h
  29. +0 −186 libcontainer/dmz/nolibc/arch-s390.h
  30. +0 −176 libcontainer/dmz/nolibc/arch-x86_64.h
  31. +0 −38 libcontainer/dmz/nolibc/arch.h
  32. +0 −25 libcontainer/dmz/nolibc/compiler.h
  33. +0 −61 libcontainer/dmz/nolibc/crt.h
  34. +0 −102 libcontainer/dmz/nolibc/ctype.h
  35. +0 −28 libcontainer/dmz/nolibc/errno.h
  36. +0 −111 libcontainer/dmz/nolibc/nolibc.h
  37. +0 −25 libcontainer/dmz/nolibc/signal.h
  38. +0 −51 libcontainer/dmz/nolibc/stackprotector.h
  39. +0 −36 libcontainer/dmz/nolibc/std.h
  40. +0 −113 libcontainer/dmz/nolibc/stdint.h
  41. +0 −383 libcontainer/dmz/nolibc/stdio.h
  42. +0 −444 libcontainer/dmz/nolibc/stdlib.h
  43. +0 −294 libcontainer/dmz/nolibc/string.h
  44. +0 −1,189 libcontainer/dmz/nolibc/sys.h
  45. +0 −31 libcontainer/dmz/nolibc/time.h
  46. +0 −241 libcontainer/dmz/nolibc/types.h
  47. +0 −68 libcontainer/dmz/nolibc/unistd.h
  48. +0 −15 libcontainer/dmz/xstat.h
  49. +2 −15 libcontainer/init_linux.go
  50. +1 −1 libcontainer/process.go
  51. +0 −10 libcontainer/setns_init_linux.go
  52. +0 −10 libcontainer/standard_init_linux.go
  53. +1 −1 run.go
  54. +3 −0 script/check-config.sh
  55. +1 −1 tests/integration/initramfs.bats
  56. +0 −44 tests/integration/run.bats
  57. +0 −8 tests/integration/selinux.bats
23 changes: 0 additions & 23 deletions .github/workflows/test.yml
@@ -28,7 +28,6 @@ jobs:
rootless: ["rootless", ""]
race: ["-race", ""]
criu: ["", "criu-dev"]
dmz: ["", "runc_nodmz"]
exclude:
# Disable most of criu-dev jobs, as they are expensive
# (need to compile criu) and don't add much value/coverage.
@@ -38,26 +37,12 @@ jobs:
rootless: rootless
- criu: criu-dev
race: -race
- criu: criu-dev
dmz: runc_nodmz
# Disable most of runc_nodmz jobs, as they don't add much value
# (as dmz is disabled by default anyway).
- dmz: runc_nodmz
os: ubuntu-20.04
- dmz: runc_nodmz
go-version: 1.22.x
- dmz: runc_nodmz
rootless: rootless
- dmz: runc_nodmz
race: -race
- go-version: 1.22.x
os: actuated-arm64-6cpu-8gb
- race: "-race"
os: actuated-arm64-6cpu-8gb
- criu: criu-dev
os: actuated-arm64-6cpu-8gb
- dmz: runc_nodmz
os: actuated-arm64-6cpu-8gb

runs-on: ${{ matrix.os }}

@@ -150,8 +135,6 @@ jobs:
check-latest: true

- name: build
env:
EXTRA_BUILDTAGS: ${{ matrix.dmz }}
run: sudo -E PATH="$PATH" make EXTRA_FLAGS="${{ matrix.race }}" all

- name: Setup Bats and bats libs
@@ -171,8 +154,6 @@ jobs:
- name: unit test
if: matrix.rootless != 'rootless'
env:
EXTRA_BUILDTAGS: ${{ matrix.dmz }}
run: sudo -E PATH="$PATH" -- make TESTFLAGS="${{ matrix.race }}" localunittest

- name: add rootless user
@@ -209,8 +190,6 @@ jobs:
timeout-minutes: 15
strategy:
fail-fast: false
matrix:
dmz: ["", "runc_nodmz"]
runs-on: ubuntu-22.04

steps:
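Review bot: with the `dmz` matrix removed, `strategy:` is left holding only `fail-fast: false`, which does nothing for a job that no longer has a matrix; drop the whole `strategy:` block (or keep a one-entry matrix if another axis is planned) so the job definition does not carry a dead setting.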
@@ -234,8 +213,6 @@ jobs:
check-latest: true

- name: unit test
env:
EXTRA_BUILDTAGS: ${{ matrix.dmz }}
run: sudo -E PATH="$PATH" -- make GOARCH=386 localunittest

all-done:
1 change: 0 additions & 1 deletion .golangci-extra.yml
@@ -7,7 +7,6 @@
run:
build-tags:
- seccomp
- runc_nodmz

linters:
disable-all: true
1 change: 0 additions & 1 deletion .golangci.yml
@@ -3,7 +3,6 @@
run:
build-tags:
- seccomp
- runc_nodmz

linters:
enable:
28 changes: 27 additions & 1 deletion CHANGELOG.md
@@ -300,6 +300,31 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

[cve-2019-5736]: https://github.com/advisories/GHSA-gxmr-w5mj-v8hh

## [1.1.15] - 2024-10-07

> How, dear sir, did you cross the flood? By not stopping, friend, and by not
> straining I crossed the flood.
### Fixed

* The `-ENOSYS` seccomp stub is now always generated for the native
architecture that `runc` is running on. This is needed to work around some
arguably specification-incompliant behaviour from Docker on architectures
such as ppc64le, where the allowed architecture list is set to `null`. This
ensures that we always generate at least one `-ENOSYS` stub for the native
architecture even with these weird configs. (#4391)
* On a system with older kernel, reading `/proc/self/mountinfo` may skip some
entries, as a consequence runc may not properly set mount propagation,
causing container mounts leak onto the host mount namespace. (#2404, #4425)

### Removed

* In order to fix performance issues in the "lightweight" bindfd protection
against [CVE-2019-5736], the temporary `ro` bind-mount of `/proc/self/exe`
has been removed. runc now creates a binary copy in all cases. (#4392, #2532)

[CVE-2019-5736]: https://www.openwall.com/lists/oss-security/2019/02/11/2

## [1.1.14] - 2024-09-03

> 年を取っていいことは、驚かなくなることね。
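Review bot: the added definition `[CVE-2019-5736]: https://www.openwall.com/lists/oss-security/2019/02/11/2` collides with the existing `[cve-2019-5736]: https://github.com/advisories/GHSA-gxmr-w5mj-v8hh` a few lines above in the same hunk: Markdown reference labels are matched case-insensitively and the first definition takes precedence, so the link in the new "Removed" entry resolves to the GHSA advisory, not the openwall post. Reuse the existing label or give the new one a distinct name. Separately, the two hunks in this file account for the full +27/−1, and both belong to the backported 1.1.15 section; nothing in the Unreleased section records that runc-dmz, the `RUNC_DMZ` variable and the `runc_nodmz` build tag are removed by this same change, even though README.md and docs/experimental.md in this comparison state that they are.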
@@ -856,7 +881,8 @@ implementation (libcontainer) is *not* covered by this policy.
[1.0.1]: https://github.com/opencontainers/runc/compare/v1.0.0...v1.0.1

<!-- 1.1.z patch releases -->
[Unreleased 1.1.z]: https://github.com/opencontainers/runc/compare/v1.1.14...release-1.1
[Unreleased 1.1.z]: https://github.com/opencontainers/runc/compare/v1.1.15...release-1.1
[1.1.15]: https://github.com/opencontainers/runc/compare/v1.1.14...v1.1.15
[1.1.14]: https://github.com/opencontainers/runc/compare/v1.1.13...v1.1.14
[1.1.13]: https://github.com/opencontainers/runc/compare/v1.1.12...v1.1.13
[1.1.12]: https://github.com/opencontainers/runc/compare/v1.1.11...v1.1.12
28 changes: 5 additions & 23 deletions Makefile
@@ -3,9 +3,6 @@ SHELL = /bin/bash
CONTAINER_ENGINE := docker
GO ?= go

# Get CC values for cross-compilation.
include cc_platform.mk

PREFIX ?= /usr/local
BINDIR := $(PREFIX)/sbin
MANDIR := $(PREFIX)/share/man
@@ -73,10 +70,10 @@ endif
.DEFAULT: runc

.PHONY: runc
runc: runc-bin verify-dmz-arch
runc: runc-bin

.PHONY: runc-bin
runc-bin: runc-dmz
runc-bin:
$(GO_BUILD) -o runc .

.PHONY: all
@@ -92,7 +89,7 @@ recvtty sd-helper seccompagent fs-idmap pidfd-kill remap-rootfs:

.PHONY: clean
clean:
rm -f runc runc-* libcontainer/dmz/binary/runc-dmz
rm -f runc runc-*
rm -f contrib/cmd/memfd-bind/memfd-bind
rm -f tests/cmd/recvtty/recvtty
rm -f tests/cmd/sd-helper/sd-helper
@@ -104,17 +101,12 @@ clean:
rm -rf man/man8

.PHONY: static
static: static-bin verify-dmz-arch
static: static-bin

.PHONY: static-bin
static-bin: runc-dmz
static-bin:
$(GO_BUILD_STATIC) -o runc .

.PHONY: runc-dmz
runc-dmz:
rm -f libcontainer/dmz/binary/runc-dmz
$(GO) generate -tags "$(BUILDTAGS)" ./libcontainer/dmz

.PHONY: releaseall
releaseall: RELEASE_ARGS := "-a 386 -a amd64 -a arm64 -a armel -a armhf -a ppc64le -a riscv64 -a s390x"
releaseall: release
@@ -254,16 +246,6 @@ verify-dependencies: vendor
|| (echo -e "git status:\n $$(git status -- go.mod go.sum vendor/)\nerror: vendor/, go.mod and/or go.sum not up to date. Run \"make vendor\" to update"; exit 1) \
&& echo "all vendor files are up to date."

.PHONY: verify-dmz-arch
verify-dmz-arch:
@if test -s libcontainer/dmz/binary/runc-dmz; then \
set -Eeuo pipefail; \
export LC_ALL=C; \
diff -u \
<(readelf -h runc | grep -E "(Machine|Flags):") \
<(readelf -h libcontainer/dmz/binary/runc-dmz | grep -E "(Machine|Flags):"); \
fi

.PHONY: validate-keyring
validate-keyring:
script/keyring_validate.sh
3 changes: 1 addition & 2 deletions README.md
@@ -106,15 +106,14 @@ make BUILDTAGS=""
| Build Tag | Feature | Enabled by Default | Dependencies |
|---------------|---------------------------------------|--------------------|---------------------|
| `seccomp` | Syscall filtering using `libseccomp`. | yes | `libseccomp` |
| `!runc_nodmz` | Reduce memory usage for CVE-2019-5736 protection by using a small C binary, [see `memfd-bind` for more details][contrib-memfd-bind]. `runc_nodmz` disables this **experimental feature** and causes runc to use a different protection mechanism which will further increases memory usage temporarily during container startup. To enable this feature you also need to set the `RUNC_DMZ=true` environment variable. | yes ||

The following build tags were used earlier, but are now obsoleted:
- **runc_nodmz** (since runc v1.2.1 runc dmz binary is dropped)
- **nokmem** (since runc v1.0.0-rc94 kernel memory settings are ignored)
- **apparmor** (since runc v1.0.0-rc93 the feature is always enabled)
- **selinux** (since runc v1.0.0-rc93 the feature is always enabled)

[contrib-memfd-bind]: /contrib/cmd/memfd-bind/README.md
[dmz README]: /libcontainer/dmz/README.md

### Running the test suite

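Review bot: the `[dmz README]: /libcontainer/dmz/README.md` definition kept at the end of this hunk now points at a file that is deleted in this same comparison (item 12 in the file list, +0 −18 libcontainer/dmz/README.md); the `[contrib-memfd-bind]` definition was only referenced from the table row being removed here, so unless another section of README.md still uses it, both definitions should go. Minor wording in the new bullet: "since runc v1.2.1 the runc-dmz binary is dropped" reads better and matches the `runc-dmz` spelling used elsewhere in this diff.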
61 changes: 0 additions & 61 deletions cc_platform.mk

This file was deleted.

15 changes: 3 additions & 12 deletions contrib/cmd/memfd-bind/README.md
@@ -1,8 +1,8 @@
## memfd-bind ##

`runc` normally has to make a binary copy of itself (or of a smaller helper
binary called `runc-dmz`) when constructing a container process in order to
defend against certain container runtime attacks such as CVE-2019-5736.
`runc` normally has to make a binary copy of itself when constructing a
container process in order to defend against certain container runtime attacks
such as CVE-2019-5736.

This cloned binary only exists until the container process starts (this means
for `runc run` and `runc exec`, it only exists for a few hundred milliseconds
@@ -34,15 +34,6 @@ much memory usage they can use:
* `memfd-bind` only creates a single in-memory copy of the `runc` binary (about
10MB), regardless of how many containers are running.

* `runc-dmz` is (depending on which libc it was compiled with) between 10kB and
1MB in size, and a copy is created once per process spawned inside a
container by runc (both the pid1 and every `runc exec`). The `RUNC_DMZ=true`
environment variable needs to be set to opt-in. There are circumstances where
using `runc-dmz` will fail in ways that runc cannot predict ahead of time (such
as restrictive LSMs applied to containers). `runc-dmz` also requires an
additional `execve` over the other options, though since the binary is so small
the cost is probably not even noticeable.

* The classic method of making a copy of the entire `runc` binary during
container process setup takes up about 10MB per process spawned inside the
container by runc (both pid1 and `runc exec`).
1 change: 1 addition & 0 deletions docs/experimental.md
@@ -6,3 +6,4 @@ Feature | Experimental release | Graduation rel
---------------------------------------- | -------------------- | ------------------
cgroup v2 | v1.0.0-rc91 | v1.0.0-rc93
The `runc features` command | v1.1.0 | v1.2.0
runc-dmz | v1.2.0-rc1 | Dropped in v1.2.1
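Review bot: "Dropped in v1.2.1" is placed in the graduation-release column, so that column now carries two different meanings (the release a feature became stable in vs. the release it was removed in), and the cell is a sentence where the other rows hold a bare version. Consider a footnote on the row or a separate status column so a reader scanning the table does not take a removed feature for a graduated one.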