Commit Graph

4005 Commits

Author SHA1 Message Date
Akihiro Suda faf1e44ea9 cgroup2: ebpf: increase RLIM_MEMLOCK to avoid BPF_PROG_LOAD error
Fix #2167

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-11-07 15:43:27 +09:00
Mrunal Patel 46def4cc4c
Merge pull request #2154 from jpeach/2008-remove-static-build-tag
Remove the static_build build tag.
2019-11-04 17:10:59 -08:00
Michael Crosby b133feaeeb
Merge pull request #2145 from AkihiroSuda/ebpf
cgroup2: port over eBPF device controller from crun
2019-10-31 13:10:55 -04:00
Akihiro Suda ccd4436fc4 .travis.yml: add Fedora 31 vagrant box (for cgroup2)
As the baby step, only unit tests are executed.

Failing tests are currently skipped and will be fixed in follow-up PRs.

Fix #2124

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-10-31 16:53:01 +09:00
Akihiro Suda faf673ee45 cgroup2: port over eBPF device controller from crun
The implementation is based on https://github.com/containers/crun/blob/0.10.2/src/libcrun/ebpf.c

Although ebpf.c is originally licensed under LGPL-3.0-or-later, the author
Giuseppe Scrivano agreed to relicense the file in Apache License 2.0:
https://github.com/opencontainers/runc/issues/2144#issuecomment-543116397

See libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go for tested configurations.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-10-31 14:01:46 +09:00
Qiang Huang e57a774066
Merge pull request #2149 from AkihiroSuda/cgroup2-ps
cgroup2: implement `runc ps`
2019-10-31 09:44:39 +08:00
Qiang Huang d239ca8425
Merge pull request #2148 from AkihiroSuda/cg2-ignore-cpuset-when-no-config
cgroup2: cpuset_v2: skip Apply when no limit is specified
2019-10-29 21:57:58 +08:00
Mrunal Patel 03cf145f5a
Merge pull request #2159 from AkihiroSuda/cgroup2-mount-in-userns
cgroup2: allow mounting /sys/fs/cgroup in UserNS without unsharing CgroupNS
2019-10-28 19:19:09 -07:00
Mrunal Patel f04fb9980c
Merge pull request #2160 from AkihiroSuda/cgroup2-no-proc-cgroups
cgroup2: do not parse /proc/cgroups
2019-10-28 19:18:59 -07:00
Akihiro Suda 74a3fe5d1b cgroup2: do not parse /proc/cgroups
/proc/cgroups is meaningless for v2 and should be ignored.

https://github.com/torvalds/linux/blob/v5.3/Documentation/admin-guide/cgroup-v2.rst#deprecated-v1-core-features

* Now GetAllSubsystems() parses /sys/fs/cgroup/cgroup.controller, not /proc/cgroups.
  The function result also contains "pseudo" controllers: {"devices", "freezer"}.
  As it is hard to detect availability of pseudo controllers, pseudo controllers
  are always assumed to be available.

* Now IOGroupV2.Name() returns "io", not "blkio"

Fix #2155 #2156

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-10-28 00:00:33 +09:00
Akihiro Suda 9c81440fb5 cgroup2: allow mounting /sys/fs/cgroup in UserNS without unsharing CgroupNS
Bind-mount /sys/fs/cgroup when we are in UserNS but CgroupNS is not unshared,
because we cannot mount cgroup2.

This behavior correspond to crun v0.10.2.

Fix #2158

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-10-27 23:09:41 +09:00
James Peach 13919f5dfd Remove the static_build build tag.
The `static_build` build tag was introduced in e9944d0f
to remove build warnings related to systemd cgroup driver
dependencies. Since then, those dependencies have changed and
building the systemd cgroup driver no longer imports dlopen.

After this change, runc builds will always include the systemd
cgroup driver.

This fixes #2008.

Signed-off-by: James Peach <jpeach@apache.org>
2019-10-26 08:28:45 +11:00
Michael Crosby c4d8e1688c
Merge pull request #2140 from crosbymichael/fs-unified
Set unified mountpoint in find mnt func
2019-10-24 15:20:47 -04:00
Michael Crosby 792af40dc0
Merge pull request #1929 from kkallday/patch-1
Adds info about `userns` for rootless containers
2019-10-23 12:35:59 -04:00
Michael Crosby 8790f24326
Merge pull request #2147 from AkihiroSuda/iov2-remove-v1-code
io_v2.go: remove blkio v1 code
2019-10-23 10:45:59 -04:00
Michael Crosby 2cd9ba236b
Merge pull request #2146 from AkihiroSuda/doc-not-prod-ready
README.md: clarify cgroup2 support is not ready for production
2019-10-23 10:45:45 -04:00
Akihiro Suda dbd771e475 cgroup2: implement `runc ps`
Implemented `runc ps` for cgroup v2 , using a newly added method `m.GetUnifiedPath()`.
Unlike the v1  implementation that checks `m.GetPaths()["devices"]`, the v2 implementation does not require the device controller to be available.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-10-19 01:59:24 +09:00
Akihiro Suda 9996cf7d39 README.md: clarify cgroup2 support is not ready for production
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-10-19 01:51:11 +09:00
Akihiro Suda d918e7f408 cpuset_v2: skip Apply when no limit is specified
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-10-19 00:33:31 +09:00
Akihiro Suda 033936ef76 io_v2.go: remove blkio v1 code
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-10-18 21:33:48 +09:00
Radostin Stoyanov a610a84821 criu: Ensure other users cannot read c/r files
No checkpoint files should be readable by
anyone else but the user creating it.

Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
2019-10-17 07:49:38 +01:00
Mrunal Patel 4e3701702e
Merge pull request #2139 from rst0git/desc-permisions
checkpoint: Set descriptors.json file mode to 0600
2019-10-16 15:27:08 -07:00
Michael Crosby b28f58f31b
Set unified mountpoint in find mnt func
This is needed for the fsv2 cgroups to work when there is a unified mountpoint.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2019-10-15 15:40:03 -04:00
Radostin Stoyanov f017e0f9e1 checkpoint: Set descriptors.json file mode to 0600
Prevent unprivileged users from being able to read descriptors.json

Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
2019-10-12 19:29:44 +01:00
Aleksa Sarai c1485a1e88
merge branch 'pr-2134'
VERSION: back to development
  VERSION: update to 1.0.0-rc9

Vote: +4 -0 #1
LGTMs: @crosbymichael @hqhq @mrunalp
Closes #2134
2019-10-05 21:33:59 +10:00
Aleksa Sarai 1b8a1eeec3
merge branch 'pr-2132'
Support different field counts of cpuaact.stats

LGTMs: @crosbymichael @cyphar
Closes #2132
2019-10-02 01:50:47 +10:00
Michael Crosby ba16a38bc4
Merge pull request #2135 from mrueg/security
SECURITY: Add Security Policy
2019-10-01 11:49:49 -04:00
Manuel Rüger 4be50fe338 SECURITY: Add Security Policy
This should make the vuln reporting process more visible on GitHub
https://help.github.com/en/articles/adding-a-security-policy-to-your-repository

Signed-off-by: Manuel Rüger <manuel@rueg.eu>
2019-10-01 13:38:50 +02:00
Aleksa Sarai 2111613c19
VERSION: back to development
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2019-10-01 02:36:34 +10:00
Aleksa Sarai d736ef14f0
VERSION: update to 1.0.0-rc9
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2019-10-01 02:36:09 +10:00
Michael Crosby cad42f6e09
Merge pull request #2130 from cyphar/apparmor-verify-procfs
*: verify operations on /proc/... are on procfs
2019-09-30 10:50:03 -04:00
Aleksa Sarai d463f6485b
*: verify that operations on /proc/... are on procfs
This is an additional mitigation for CVE-2019-16884. The primary problem
is that Docker can be coerced into bind-mounting a file system on top of
/proc (resulting in label-related writes to /proc no longer happening).

While we are working on mitigations against permitting the mounts, this
helps avoid our code from being tricked into writing to non-procfs
files. This is not a perfect solution (after all, there might be a
bind-mount of a different procfs file over the target) but in order to
exploit that you would need to be able to tweak a config.json pretty
specifically (which thankfully Docker doesn't allow).

Specifically this stops AppArmor from not labeling a process silently
due to /proc/self/attr/... being incorrectly set, and stops any
accidental fd leaks because /proc/self/fd/... is not real.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2019-09-30 09:06:48 +10:00
Aleksa Sarai 9aef504415
vendor: update github.com/opencontainers/selinux
This is a bump to v1.3.0, plus the necessary CVE-2019-16884 mitigation.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2019-09-30 00:36:59 +10:00
tianye15 28e58a0f6a Support different field counts of cpuaact.stats
Signed-off-by: skilxnTL <tylxltt@gmail.com>
2019-09-29 10:20:58 +08:00
Julia Nedialkova e63b797f38 Handle ENODEV when accessing the freezer.state file
...when checking if a container is paused

Signed-off-by: Julia Nedialkova <julianedialkova@hotmail.com>
2019-09-27 17:02:56 +03:00
blacktop 84373aaa56 Add SCMP_ACT_LOG as a valid Seccomp action (#1951)
Signed-off-by: blacktop <blacktop@users.noreply.github.com>
2019-09-26 11:03:03 -04:00
Mrunal Patel 3e425f80a8
Merge pull request #2129 from crosbymichael/proc-mount
Only allow proc mount if it is procfs
2019-09-25 17:02:15 -07:00
Michael Crosby 331692baa7 Only allow proc mount if it is procfs
Fixes #2128

This allows proc to be bind mounted for host and rootless namespace usecases but
it removes the ability to mount over the top of proc with a directory.

```bash
> sudo docker run --rm  apparmor
docker: Error response from daemon: OCI runtime create failed:
container_linux.go:346: starting container process caused "process_linux.go:449:
container init caused \"rootfs_linux.go:58: mounting
\\\"/var/lib/docker/volumes/aae28ea068c33d60e64d1a75916cf3ec2dc3634f97571854c9ed30c8401460c1/_data\\\"
to rootfs
\\\"/var/lib/docker/overlay2/a6be5ae911bf19f8eecb23a295dec85be9a8ee8da66e9fb55b47c841d1e381b7/merged\\\"
at \\\"/proc\\\" caused
\\\"\\\\\\\"/var/lib/docker/overlay2/a6be5ae911bf19f8eecb23a295dec85be9a8ee8da66e9fb55b47c841d1e381b7/merged/proc\\\\\\\"
cannot be mounted because it is not of type proc\\\"\"": unknown.

> sudo docker run --rm -v /proc:/proc apparmor

docker-default (enforce)        root     18989  0.9  0.0   1288     4 ?
Ss   16:47   0:00 sleep 20
```

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2019-09-24 11:00:18 -04:00
Michael Crosby 7507c64ff6
Merge pull request #2041 from jburianek/notify-socket-permissions
Change the permissions of the notify listener socket to rwx for everyone
2019-09-18 14:53:36 -04:00
Mrunal Patel bf27c2f86d
Merge pull request #2126 from flynn/fix-nsenter-unsupported
libcontainer/nsenter: Don't import C in non-cgo file
2019-09-12 10:12:54 -07:00
Jonathan Rudenberg af7b6547ec libcontainer/nsenter: Don't import C in non-cgo file
Signed-off-by: Jonathan Rudenberg <jonathan@titanous.com>
2019-09-11 17:03:07 +00:00
Mrunal Patel 6c0555209b
Merge pull request #2125 from giuseppe/mount-cgroups
cgroup: support mount of cgroup2
2019-09-10 21:03:38 -07:00
Michael Crosby 267490e3ca
Merge pull request #2010 from lifubang/checkpointrootless
criu image path permission error when checkpoint rootless container
2019-09-10 15:40:31 -04:00
Mrunal Patel e7a87dd240
Merge pull request #2098 from adrianreber/master
man: fix man-pages
2019-09-09 12:50:17 -07:00
Giuseppe Scrivano 718a566e02
cgroup: support mount of cgroup2
convert a "cgroup" mount to "cgroup2" when the system uses cgroups v2
unified hierarchy.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-09-06 17:57:14 +02:00
Qiang Huang a6606a7ae9
Merge pull request #2029 from thaJeztah/bump_dependencies
Update dependencies
2019-09-06 09:12:14 +08:00
Sebastiaan van Stijn 115d4b9e57
bump golang/protobuf v1.0.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-06 01:44:33 +02:00
Sebastiaan van Stijn 85c02f3f30
bump coreos/go-systemd v19, godbus/dbus v5.0.1
- https://github.com/coreos/go-systemd/compare/v14..v19
  - coreos/go-systemd#248 dbus: add SetPropertiesSubscriber method
  - coreos/go-systemd#251 activation: add support for listeners with names
  - coreos/go-systemd#296 dbus: Fix API break from godbus
- https://github.com/godbus/dbus/compare/v3..v5.0.1
  - godbus/dbus#89 introduce MakeVariantWithSignature

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-06 01:44:30 +02:00
Sebastiaan van Stijn 21498b8e54
bump mrunalp/fileutils 7d4729fb36185a7c1719923406c9d40e54fb93c7
no significant changes, other than some linting fixes

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-06 01:44:28 +02:00
Sebastiaan van Stijn eb86f6037e
bump syndtr/gocapability d98352740cb2c55f81556b63d4a1ec64c5a319c2
relevant changes:

  - syndtr/gocapability#14 capability: Deprecate NewPid and NewFile for NewPid2 and NewFile2
  - syndtr/gocapability#16 Fix capHeader.pid type

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-06 01:44:26 +02:00