Commit Graph

4126 Commits

Author SHA1 Message Date
Michael Crosby cad42f6e09
Merge pull request #2130 from cyphar/apparmor-verify-procfs
*: verify operations on /proc/... are on procfs
2019-09-30 10:50:03 -04:00
Aleksa Sarai d463f6485b
*: verify that operations on /proc/... are on procfs
This is an additional mitigation for CVE-2019-16884. The primary problem
is that Docker can be coerced into bind-mounting a file system on top of
/proc (resulting in label-related writes to /proc no longer happening).

While we are working on mitigations against permitting the mounts, this
helps avoid our code from being tricked into writing to non-procfs
files. This is not a perfect solution (after all, there might be a
bind-mount of a different procfs file over the target) but in order to
exploit that you would need to be able to tweak a config.json pretty
specifically (which thankfully Docker doesn't allow).

Specifically this stops AppArmor from not labeling a process silently
due to /proc/self/attr/... being incorrectly set, and stops any
accidental fd leaks because /proc/self/fd/... is not real.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2019-09-30 09:06:48 +10:00
Aleksa Sarai 9aef504415
vendor: update github.com/opencontainers/selinux
This is a bump to v1.3.0, plus the necessary CVE-2019-16884 mitigation.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2019-09-30 00:36:59 +10:00
tianye15 28e58a0f6a Support different field counts of cpuaact.stats
Signed-off-by: skilxnTL <tylxltt@gmail.com>
2019-09-29 10:20:58 +08:00
Julia Nedialkova e63b797f38 Handle ENODEV when accessing the freezer.state file
...when checking if a container is paused

Signed-off-by: Julia Nedialkova <julianedialkova@hotmail.com>
2019-09-27 17:02:56 +03:00
blacktop 84373aaa56 Add SCMP_ACT_LOG as a valid Seccomp action (#1951)
Signed-off-by: blacktop <blacktop@users.noreply.github.com>
2019-09-26 11:03:03 -04:00
Mrunal Patel 3e425f80a8
Merge pull request #2129 from crosbymichael/proc-mount
Only allow proc mount if it is procfs
2019-09-25 17:02:15 -07:00
Michael Crosby 331692baa7 Only allow proc mount if it is procfs
Fixes #2128

This allows proc to be bind mounted for host and rootless namespace usecases but
it removes the ability to mount over the top of proc with a directory.

```bash
> sudo docker run --rm  apparmor
docker: Error response from daemon: OCI runtime create failed:
container_linux.go:346: starting container process caused "process_linux.go:449:
container init caused \"rootfs_linux.go:58: mounting
\\\"/var/lib/docker/volumes/aae28ea068c33d60e64d1a75916cf3ec2dc3634f97571854c9ed30c8401460c1/_data\\\"
to rootfs
\\\"/var/lib/docker/overlay2/a6be5ae911bf19f8eecb23a295dec85be9a8ee8da66e9fb55b47c841d1e381b7/merged\\\"
at \\\"/proc\\\" caused
\\\"\\\\\\\"/var/lib/docker/overlay2/a6be5ae911bf19f8eecb23a295dec85be9a8ee8da66e9fb55b47c841d1e381b7/merged/proc\\\\\\\"
cannot be mounted because it is not of type proc\\\"\"": unknown.

> sudo docker run --rm -v /proc:/proc apparmor

docker-default (enforce)        root     18989  0.9  0.0   1288     4 ?
Ss   16:47   0:00 sleep 20
```

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2019-09-24 11:00:18 -04:00
Michael Crosby 7507c64ff6
Merge pull request #2041 from jburianek/notify-socket-permissions
Change the permissions of the notify listener socket to rwx for everyone
2019-09-18 14:53:36 -04:00
Mrunal Patel bf27c2f86d
Merge pull request #2126 from flynn/fix-nsenter-unsupported
libcontainer/nsenter: Don't import C in non-cgo file
2019-09-12 10:12:54 -07:00
Jonathan Rudenberg af7b6547ec libcontainer/nsenter: Don't import C in non-cgo file
Signed-off-by: Jonathan Rudenberg <jonathan@titanous.com>
2019-09-11 17:03:07 +00:00
Mrunal Patel 6c0555209b
Merge pull request #2125 from giuseppe/mount-cgroups
cgroup: support mount of cgroup2
2019-09-10 21:03:38 -07:00
Michael Crosby 267490e3ca
Merge pull request #2010 from lifubang/checkpointrootless
criu image path permission error when checkpoint rootless container
2019-09-10 15:40:31 -04:00
Mrunal Patel e7a87dd240
Merge pull request #2098 from adrianreber/master
man: fix man-pages
2019-09-09 12:50:17 -07:00
Giuseppe Scrivano 718a566e02
cgroup: support mount of cgroup2
convert a "cgroup" mount to "cgroup2" when the system uses cgroups v2
unified hierarchy.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-09-06 17:57:14 +02:00
Qiang Huang a6606a7ae9
Merge pull request #2029 from thaJeztah/bump_dependencies
Update dependencies
2019-09-06 09:12:14 +08:00
Sebastiaan van Stijn 115d4b9e57
bump golang/protobuf v1.0.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-06 01:44:33 +02:00
Sebastiaan van Stijn 85c02f3f30
bump coreos/go-systemd v19, godbus/dbus v5.0.1
- https://github.com/coreos/go-systemd/compare/v14..v19
  - coreos/go-systemd#248 dbus: add SetPropertiesSubscriber method
  - coreos/go-systemd#251 activation: add support for listeners with names
  - coreos/go-systemd#296 dbus: Fix API break from godbus
- https://github.com/godbus/dbus/compare/v3..v5.0.1
  - godbus/dbus#89 introduce MakeVariantWithSignature

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-06 01:44:30 +02:00
Sebastiaan van Stijn 21498b8e54
bump mrunalp/fileutils 7d4729fb36185a7c1719923406c9d40e54fb93c7
no significant changes, other than some linting fixes

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-06 01:44:28 +02:00
Sebastiaan van Stijn eb86f6037e
bump syndtr/gocapability d98352740cb2c55f81556b63d4a1ec64c5a319c2
relevant changes:

  - syndtr/gocapability#14 capability: Deprecate NewPid and NewFile for NewPid2 and NewFile2
  - syndtr/gocapability#16 Fix capHeader.pid type

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-06 01:44:26 +02:00
Sebastiaan van Stijn 1150ce9c6e
bump urfave/cli v1.20.0
previous version was somewhere between v1.18 and v1.19

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-06 01:44:23 +02:00
Sebastiaan van Stijn 8e4f645fca
bump docker/go-units v0.3.3
relevant changes:

  - docker/go-units#8 Enhance FromHumanSize to parse float64 string
  - docker/go-units#20 Add `HumanSizeWithPrecision` function

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-06 01:43:44 +02:00
Sebastiaan van Stijn 0fc0662338
bump cyphar/filepath-securejoin v0.2.2
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-06 01:43:42 +02:00
Sebastiaan van Stijn 414a39dedb
bump containerd/console 0650fd9eeb50bab4fc99dceb9f2e14cf58f36e7f
relevant changes:

- containerd/console#27 console_linux: Fix race: lock Cond before Signal

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-06 01:43:39 +02:00
Sebastiaan van Stijn de24d73350
bump github.com/pkg/errors 0.8.1
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-06 01:43:37 +02:00
Sebastiaan van Stijn 4be3c48e05
Reformat vendor.conf and pin all deps by git-sha
to make it better readable, and to encourage pinning by
sha, but align to a tagged release.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-06 01:43:33 +02:00
Mrunal Patel 0fd4342a92
Merge pull request #2028 from thaJeztah/bump_golang_versions
Update to Go 1.12 and drop obsolete versions
2019-09-05 16:30:01 -07:00
Mrunal Patel 92ac8e3f84
Merge pull request #2113 from giuseppe/cgroupv2
libcontainer: initial support for cgroups v2
2019-09-05 13:14:29 -07:00
Giuseppe Scrivano 524cb7c318
libcontainer: add systemd.UnifiedManager
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-09-05 13:02:27 +02:00
Giuseppe Scrivano ec11136828
libcontainer, cgroups: rename systemd.Manager to LegacyManager
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-09-05 13:02:26 +02:00
Giuseppe Scrivano 1932917b71
libcontainer: add initial support for cgroups v2
allow to set what subsystems are used by
libcontainer/cgroups/fs.Manager.

subsystemsUnified is used on a system running with cgroups v2 unified
mode.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-09-05 13:02:25 +02:00
Mrunal Patel 92d851e03b
Merge pull request #2123 from carlosedp/riscv64
Bump x/sys and update syscall for initial Risc-V support
2019-09-04 14:10:26 -07:00
Carlos de Paula 4316e4d047 Bump x/sys and update syscall to start Risc-V support
Signed-off-by: Carlos de Paula <me@carlosedp.com>
2019-08-29 12:09:08 -03:00
Mrunal Patel 51f2a861da
Merge pull request #2122 from AkihiroSuda/cleanup
nsenter: minor fixes
2019-08-28 12:28:36 -07:00
Akihiro Suda 0bc069d795 nsenter: fix clang-tidy warning
nsexec.c:148:3: warning: Initialized va_list 'args' is leaked [clang-analyzer-valist.Unterminated]

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-08-29 00:18:02 +09:00
Akihiro Suda b225ef58fb nsenter: minor clean up
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-08-28 19:50:35 +09:00
Mrunal Patel dd075602f1
Merge pull request #2120 from rhatdan/master
Rename cgroups_windows.go to cgroups_unsupported.go
2019-08-27 07:29:21 -07:00
Daniel J Walsh e4aa73424b
Rename cgroups_windows.go to cgroups_unsupported.go
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2019-08-26 18:13:52 -04:00
Mrunal Patel c61c7370f9
Merge pull request #2103 from sipsma/cgnil
cgroups/fs: check nil pointers in cgroup manager
2019-08-26 14:05:44 -07:00
Mrunal Patel 68d73f0a2e
Merge pull request #2107 from sashayakovtseva/public-get-devices
Make get devices function public
2019-08-26 09:58:10 -07:00
Mrunal Patel f061842f2c
Merge pull request #2119 from KentaTada/fix-proc-settings
libcontainer: update masked paths of /proc
2019-08-26 09:53:17 -07:00
Kenta Tada c740965a18 libcontainer: update masked paths of /proc
This commit updates the masked paths of /proc.

Related issues:
* https://github.com/moby/moby/pull/37404
* https://github.com/moby/moby/pull/38299
* https://github.com/moby/moby/pull/36368

Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
2019-08-26 12:25:56 +09:00
Mrunal Patel 3525eddec5
Merge pull request #2117 from filbranden/detection1
Remove libcontainer detection for systemd features
2019-08-25 13:15:15 -07:00
Mrunal Patel f7b658854c
Merge pull request #2116 from filbranden/running1
Avoid the dependency on cgo through go-systemd/util package
2019-08-25 13:13:56 -07:00
Filipe Brandenburger 518c855833 Remove libcontainer detection for systemd features
Transient units (and transient slice units) have been available for quite a
long time and RHEL 7 with systemd v219 (likely the oldest OS we care about at
this point) supports that. A system running a systemd without these features is
likely to break a lot of other stuff that runc/libcontainer care about.

Regarding delegated slices, modern systemd doesn't allow it and
runc/libcontainer run fine on it, so we might as well just stop requesting it
on older versions of systemd which allowed it. (Those versions never really
changed behavior significantly when that option was passed anyways.)

Signed-off-by: Filipe Brandenburger <filbranden@gmail.com>
2019-08-22 21:53:24 -07:00
Filipe Brandenburger 4ca00773ee Update vendored dependencies to remove go-systemd/util
This removes "github.com/coreos/go-systemd/util", no longer needed after
removing the dependency on it.

It also gets rid of "github.com/coreos/pkg/dlopen", since that was only
referred to by the aforementioned "util" package.

Tested that everything builds and works as expected.

Signed-off-by: Filipe Brandenburger <filbranden@gmail.com>
2019-08-22 21:09:40 -07:00
Filipe Brandenburger 588f040a77 Avoid the dependency on cgo through go-systemd/util package
This dependency is only needed in package "github.com/coreos/go-systemd/util"
and we only use it for IsRunningSystemd(), which is a simple Go function that
just stats a file.

Let's just borrow it here, so we remove the dependency and can remove that
package from vendored build.

This also removes dependencies on dlopen and on trying to find libsystemd.so
or libsystemd-login.so in the system.

Tested that this still builds and works as expected.

Signed-off-by: Filipe Brandenburger <filbranden@gmail.com>
2019-08-22 21:07:24 -07:00
sashayakovtseva afc24792dc Make get devices function public
Signed-off-by: sashayakovtseva <sasha@sylabs.io>
2019-08-15 17:16:47 +03:00
Erik Sipsma 9c822e4847 cgroups/fs: check nil pointers in cgroup manager
Signed-off-by: Erik Sipsma <sipsma@amazon.com>
2019-08-14 09:50:45 -07:00
Adrian Reber 1712af0e80
man: fix man-pages
The man-pages are using pre-formatted section to display the options for
all commands. The result on my system never looked correct:

OPTIONS
       --bundle value, -b value  path to the root [...]
          --console-socket value    path to an AF_UNIX [...]

The first line was always indented less than the other lines.

This commit makes the option block a pre-formatted block (as intended???) by
using 4 spaces instead of 3 spaces.

In addition the man-pages did not specify their name and section
correctly. This adds something like '% runc-run "8"' to all man-pages to
have correct title 'runc-run(8)' instead of 'NAME()' and it also adds
the section to the title: 'System Manager's Manual'.

This also fixes the use of '>' and '<' at multiple places. The markdown
source files were using "<container-id>" and similar which was (most of
the time) rendered as '""'. On some systems it was rendered correctly.

Signed-off-by: Adrian Reber <areber@redhat.com>
2019-08-06 21:29:31 +02:00