Michael Crosby
792af40dc0
Merge pull request #1929 from kkallday/patch-1
Adds info about `userns` for rootless containers
2019-10-23 12:35:59 -04:00
Michael Crosby
8790f24326
Merge pull request #2147 from AkihiroSuda/iov2-remove-v1-code
io_v2.go: remove blkio v1 code
2019-10-23 10:45:59 -04:00
Michael Crosby
2cd9ba236b
Merge pull request #2146 from AkihiroSuda/doc-not-prod-ready
README.md: clarify cgroup2 support is not ready for production
2019-10-23 10:45:45 -04:00
Akihiro Suda
dbd771e475
cgroup2: implement `runc ps`
Implemented `runc ps` for cgroup v2, using a newly added method `m.GetUnifiedPath()`.
Unlike the v1 implementation that checks `m.GetPaths()["devices"]`, the v2 implementation does not require the device controller to be available.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-10-19 01:59:24 +09:00
Akihiro Suda
9996cf7d39
README.md: clarify cgroup2 support is not ready for production
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-10-19 01:51:11 +09:00
Akihiro Suda
d918e7f408
cpuset_v2: skip Apply when no limit is specified
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-10-19 00:33:31 +09:00
Akihiro Suda
033936ef76
io_v2.go: remove blkio v1 code
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-10-18 21:33:48 +09:00
Radostin Stoyanov
a610a84821
criu: Ensure other users cannot read c/r files
No checkpoint files should be readable by
anyone other than the user creating them.
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
2019-10-17 07:49:38 +01:00
Mrunal Patel
4e3701702e
Merge pull request #2139 from rst0git/desc-permisions
checkpoint: Set descriptors.json file mode to 0600
2019-10-16 15:27:08 -07:00
Michael Crosby
b28f58f31b
Set unified mountpoint in find mnt func
This is needed for the fsv2 cgroups to work when there is a unified mountpoint.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2019-10-15 15:40:03 -04:00
Radostin Stoyanov
f017e0f9e1
checkpoint: Set descriptors.json file mode to 0600
Prevent unprivileged users from being able to read descriptors.json
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
2019-10-12 19:29:44 +01:00
Aleksa Sarai
c1485a1e88
merge branch 'pr-2134'
VERSION: back to development
VERSION: update to 1.0.0-rc9
Vote: +4 -0 #1
LGTMs: @crosbymichael @hqhq @mrunalp
Closes #2134
2019-10-05 21:33:59 +10:00
Aleksa Sarai
1b8a1eeec3
merge branch 'pr-2132'
Support different field counts of cpuacct.stat
LGTMs: @crosbymichael @cyphar
Closes #2132
2019-10-02 01:50:47 +10:00
Michael Crosby
ba16a38bc4
Merge pull request #2135 from mrueg/security
SECURITY: Add Security Policy
2019-10-01 11:49:49 -04:00
Manuel Rüger
4be50fe338
SECURITY: Add Security Policy
This should make the vuln reporting process more visible on GitHub
https://help.github.com/en/articles/adding-a-security-policy-to-your-repository
Signed-off-by: Manuel Rüger <manuel@rueg.eu>
2019-10-01 13:38:50 +02:00
Aleksa Sarai
2111613c19
VERSION: back to development
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2019-10-01 02:36:34 +10:00
Aleksa Sarai
d736ef14f0
VERSION: update to 1.0.0-rc9
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2019-10-01 02:36:09 +10:00
Michael Crosby
cad42f6e09
Merge pull request #2130 from cyphar/apparmor-verify-procfs
*: verify operations on /proc/... are on procfs
2019-09-30 10:50:03 -04:00
Aleksa Sarai
d463f6485b
*: verify that operations on /proc/... are on procfs
This is an additional mitigation for CVE-2019-16884. The primary problem
is that Docker can be coerced into bind-mounting a file system on top of
/proc (resulting in label-related writes to /proc no longer happening).
While we are working on mitigations against permitting the mounts, this
helps prevent our code from being tricked into writing to non-procfs
files. This is not a perfect solution (after all, there might be a
bind-mount of a different procfs file over the target) but in order to
exploit that you would need to be able to tweak a config.json pretty
specifically (which thankfully Docker doesn't allow).
Specifically this stops AppArmor from not labeling a process silently
due to /proc/self/attr/... being incorrectly set, and stops any
accidental fd leaks because /proc/self/fd/... is not real.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2019-09-30 09:06:48 +10:00
Aleksa Sarai
9aef504415
vendor: update github.com/opencontainers/selinux
This is a bump to v1.3.0, plus the necessary CVE-2019-16884 mitigation.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2019-09-30 00:36:59 +10:00
tianye15
28e58a0f6a
Support different field counts of cpuacct.stat
Signed-off-by: skilxnTL <tylxltt@gmail.com>
2019-09-29 10:20:58 +08:00
Julia Nedialkova
e63b797f38
Handle ENODEV when accessing the freezer.state file
...when checking if a container is paused
Signed-off-by: Julia Nedialkova <julianedialkova@hotmail.com>
2019-09-27 17:02:56 +03:00
blacktop
84373aaa56
Add SCMP_ACT_LOG as a valid Seccomp action (#1951)
Signed-off-by: blacktop <blacktop@users.noreply.github.com>
2019-09-26 11:03:03 -04:00
Mrunal Patel
3e425f80a8
Merge pull request #2129 from crosbymichael/proc-mount
Only allow proc mount if it is procfs
2019-09-25 17:02:15 -07:00
Michael Crosby
331692baa7
Only allow proc mount if it is procfs
Fixes #2128
This allows proc to be bind mounted for host and rootless namespace use cases but
it removes the ability to mount over the top of proc with a directory.
```bash
> sudo docker run --rm apparmor
docker: Error response from daemon: OCI runtime create failed:
container_linux.go:346: starting container process caused "process_linux.go:449:
container init caused \"rootfs_linux.go:58: mounting
\\\"/var/lib/docker/volumes/aae28ea068c33d60e64d1a75916cf3ec2dc3634f97571854c9ed30c8401460c1/_data\\\"
to rootfs
\\\"/var/lib/docker/overlay2/a6be5ae911bf19f8eecb23a295dec85be9a8ee8da66e9fb55b47c841d1e381b7/merged\\\"
at \\\"/proc\\\" caused
\\\"\\\\\\\"/var/lib/docker/overlay2/a6be5ae911bf19f8eecb23a295dec85be9a8ee8da66e9fb55b47c841d1e381b7/merged/proc\\\\\\\"
cannot be mounted because it is not of type proc\\\"\"": unknown.
> sudo docker run --rm -v /proc:/proc apparmor
docker-default (enforce) root 18989 0.9 0.0 1288 4 ?
Ss 16:47 0:00 sleep 20
```
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2019-09-24 11:00:18 -04:00
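The procfs check that commits d463f6485b and 331692baa7 above describe, as an added Go example that is not runc's own code: the magic value, `isProcfs` and `writeProcFile` are this example's own names, and the paths tried in `main` are chosen for illustration.

```go
// Added example (not runc's code): refuse to operate on a "/proc/..." path
// unless statfs(2) confirms it is really backed by procfs, so a file or
// directory bind-mounted over /proc is rejected instead of silently used.
package main

import (
	"fmt"
	"os"
	"syscall"
)

// procSuperMagic is the f_type Linux reports for procfs (PROC_SUPER_MAGIC in
// <linux/magic.h>); spelled out here so the example only needs the stdlib.
const procSuperMagic = 0x9fa0

// isProcfs reports whether path lives on a procfs mount, judging by the
// filesystem type returned by statfs rather than by the path string.
func isProcfs(path string) (bool, error) {
	var st syscall.Statfs_t
	if err := syscall.Statfs(path, &st); err != nil {
		return false, err
	}
	return int64(st.Type) == procSuperMagic, nil
}

// writeProcFile writes data to a procfs file (for example a label attr file)
// only after the target has been verified as procfs; any other filesystem
// under that path is treated as an error, never written to.
func writeProcFile(path string, data []byte) error {
	ok, err := isProcfs(path)
	if err != nil {
		return fmt.Errorf("statfs %s: %w", path, err)
	}
	if !ok {
		return fmt.Errorf("%s is not on procfs; refusing to write", path)
	}
	return os.WriteFile(path, data, 0o644)
}

func main() {
	// /proc/self should pass, a temp directory should be refused.
	for _, p := range []string{"/proc/self", os.TempDir()} {
		ok, err := isProcfs(p)
		fmt.Printf("%s: procfs=%v err=%v\n", p, ok, err)
	}
}
```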
Michael Crosby
7507c64ff6
Merge pull request #2041 from jburianek/notify-socket-permissions
Change the permissions of the notify listener socket to rwx for everyone
2019-09-18 14:53:36 -04:00
Mrunal Patel
bf27c2f86d
Merge pull request #2126 from flynn/fix-nsenter-unsupported
libcontainer/nsenter: Don't import C in non-cgo file
2019-09-12 10:12:54 -07:00
Jonathan Rudenberg
af7b6547ec
libcontainer/nsenter: Don't import C in non-cgo file
Signed-off-by: Jonathan Rudenberg <jonathan@titanous.com>
2019-09-11 17:03:07 +00:00
Mrunal Patel
6c0555209b
Merge pull request #2125 from giuseppe/mount-cgroups
cgroup: support mount of cgroup2
2019-09-10 21:03:38 -07:00
Michael Crosby
267490e3ca
Merge pull request #2010 from lifubang/checkpointrootless
criu image path permission error when checkpoint rootless container
2019-09-10 15:40:31 -04:00
Mrunal Patel
e7a87dd240
Merge pull request #2098 from adrianreber/master
man: fix man-pages
2019-09-09 12:50:17 -07:00
Giuseppe Scrivano
718a566e02
cgroup: support mount of cgroup2
convert a "cgroup" mount to "cgroup2" when the system uses cgroups v2
unified hierarchy.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-09-06 17:57:14 +02:00
Qiang Huang
a6606a7ae9
Merge pull request #2029 from thaJeztah/bump_dependencies
Update dependencies
2019-09-06 09:12:14 +08:00
Sebastiaan van Stijn
115d4b9e57
bump golang/protobuf v1.0.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-06 01:44:33 +02:00
Sebastiaan van Stijn
85c02f3f30
bump coreos/go-systemd v19, godbus/dbus v5.0.1
- https://github.com/coreos/go-systemd/compare/v14..v19
- coreos/go-systemd#248 dbus: add SetPropertiesSubscriber method
- coreos/go-systemd#251 activation: add support for listeners with names
- coreos/go-systemd#296 dbus: Fix API break from godbus
- https://github.com/godbus/dbus/compare/v3..v5.0.1
- godbus/dbus#89 introduce MakeVariantWithSignature
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-06 01:44:30 +02:00
Sebastiaan van Stijn
21498b8e54
bump mrunalp/fileutils 7d4729fb36185a7c1719923406c9d40e54fb93c7
no significant changes, other than some linting fixes
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-06 01:44:28 +02:00
Sebastiaan van Stijn
eb86f6037e
bump syndtr/gocapability d98352740cb2c55f81556b63d4a1ec64c5a319c2
relevant changes:
- syndtr/gocapability#14 capability: Deprecate NewPid and NewFile for NewPid2 and NewFile2
- syndtr/gocapability#16 Fix capHeader.pid type
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-06 01:44:26 +02:00
Sebastiaan van Stijn
1150ce9c6e
bump urfave/cli v1.20.0
previous version was somewhere between v1.18 and v1.19
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-06 01:44:23 +02:00
Sebastiaan van Stijn
8e4f645fca
bump docker/go-units v0.3.3
relevant changes:
- docker/go-units#8 Enhance FromHumanSize to parse float64 string
- docker/go-units#20 Add `HumanSizeWithPrecision` function
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-06 01:43:44 +02:00
Sebastiaan van Stijn
0fc0662338
bump cyphar/filepath-securejoin v0.2.2
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-06 01:43:42 +02:00
Sebastiaan van Stijn
414a39dedb
bump containerd/console 0650fd9eeb50bab4fc99dceb9f2e14cf58f36e7f
relevant changes:
- containerd/console#27 console_linux: Fix race: lock Cond before Signal
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-06 01:43:39 +02:00
Sebastiaan van Stijn
de24d73350
bump github.com/pkg/errors 0.8.1
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-06 01:43:37 +02:00
Sebastiaan van Stijn
4be3c48e05
Reformat vendor.conf and pin all deps by git-sha
to make it more readable, and to encourage pinning by
sha, but aligned to a tagged release.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-06 01:43:33 +02:00
Mrunal Patel
0fd4342a92
Merge pull request #2028 from thaJeztah/bump_golang_versions
Update to Go 1.12 and drop obsolete versions
2019-09-05 16:30:01 -07:00
Mrunal Patel
92ac8e3f84
Merge pull request #2113 from giuseppe/cgroupv2
libcontainer: initial support for cgroups v2
2019-09-05 13:14:29 -07:00
Giuseppe Scrivano
524cb7c318
libcontainer: add systemd.UnifiedManager
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-09-05 13:02:27 +02:00
Giuseppe Scrivano
ec11136828
libcontainer, cgroups: rename systemd.Manager to LegacyManager
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-09-05 13:02:26 +02:00
Giuseppe Scrivano
1932917b71
libcontainer: add initial support for cgroups v2
Allow setting which subsystems are used by
libcontainer/cgroups/fs.Manager.
subsystemsUnified is used on a system running in cgroups v2 unified
mode.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-09-05 13:02:25 +02:00
Mrunal Patel
92d851e03b
Merge pull request #2123 from carlosedp/riscv64
Bump x/sys and update syscall for initial RISC-V support
2019-09-04 14:10:26 -07:00
Carlos de Paula
4316e4d047
Bump x/sys and update syscall to start RISC-V support
Signed-off-by: Carlos de Paula <me@carlosedp.com>
2019-08-29 12:09:08 -03:00