diff --git a/.cirrus.yml b/.cirrus.yml index d23d36c7052..a3fb3218e53 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -77,7 +77,7 @@ task: env: HOME: /root CIRRUS_WORKING_DIR: /home/runc - GO_VERSION: "1.20" + GO_VERSION: "1.21" BATS_VERSION: "v1.9.0" RPMS: gcc git iptables jq glibc-static libseccomp-devel make criu fuse-sshfs container-selinux # yamllint disable rule:key-duplicates diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 53ad8d4c7d6..007ec338f28 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -25,6 +25,7 @@ jobs: permissions: contents: read pull-requests: read + checks: write # to allow the action to annotate code in the PR. runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 @@ -38,7 +39,7 @@ jobs: run: | sudo apt -q update sudo apt -q install libseccomp-dev - - uses: golangci/golangci-lint-action@v3 + - uses: golangci/golangci-lint-action@v4 with: version: v1.54 # Extra linters, only checking new code from a pull request. diff --git a/Makefile b/Makefile index d9e41aa47bf..40e9fc1e0f8 100644 --- a/Makefile +++ b/Makefile @@ -221,7 +221,7 @@ shfmt: localshfmt: shfmt -d -w . -.PHONY: venodr +.PHONY: vendor vendor: $(GO) mod tidy $(GO) mod vendor diff --git a/go.mod b/go.mod index d71cabdc8b1..b8cba65b5d0 100644 --- a/go.mod +++ b/go.mod @@ -5,7 +5,7 @@ go 1.20 require ( github.com/checkpoint-restore/go-criu/v6 v6.3.0 github.com/cilium/ebpf v0.12.3 - github.com/containerd/console v1.0.3 + github.com/containerd/console v1.0.4 github.com/coreos/go-systemd/v22 v22.5.0 github.com/cyphar/filepath-securejoin v0.2.4 github.com/docker/go-units v0.5.0 @@ -20,8 +20,8 @@ require ( github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 github.com/urfave/cli v1.22.12 github.com/vishvananda/netlink v1.1.0 - golang.org/x/net v0.19.0 - golang.org/x/sys v0.16.0 + golang.org/x/net v0.21.0 + golang.org/x/sys v0.17.0 google.golang.org/protobuf v1.32.0 ) 
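Review bot: The new `checks: write` entry widens the job token for every step of the job, while the steps that run third-party code in that job are referenced by mutable tags (`actions/checkout@v4`, `golangci/golangci-lint-action@v4`), so the write scope is only as trustworthy as whoever can move those tags. Pinning each `uses:` line to a full commit SHA with the tag kept in a trailing comment bounds the grant to code that was actually reviewed. The trailing comment could also name the consumer, e.g. `checks: write # needed only by golangci-lint-action to annotate the PR`, so the permission can be dropped if that step ever goes. The `jobs:` entry this `permissions:` block belongs to starts before the hunk.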
diff --git a/go.sum b/go.sum
index 27002e30d09..e5f2e175147 100644
--- a/go.sum
+++ b/go.sum
@@ -3,8 +3,8 @@ github.com/checkpoint-restore/go-criu/v6 v6.3.0 h1:mIdrSO2cPNWQY1truPg6uHLXyKHk3
 github.com/checkpoint-restore/go-criu/v6 v6.3.0/go.mod h1:rrRTN/uSwY2X+BPRl/gkulo9gsKOSAeVp9/K2tv7xZI=
 github.com/cilium/ebpf v0.12.3 h1:8ht6F9MquybnY97at+VDZb3eQQr8ev79RueWeVaEcG4=
 github.com/cilium/ebpf v0.12.3/go.mod h1:TctK1ivibvI3znr66ljgi4hqOT8EYQjz1KWBfb1UVgM=
-github.com/containerd/console v1.0.3 h1:lIr7SlA5PxZyMV30bDW0MGbiOPXwc63yRuCP0ARubLw=
-github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U=
+github.com/containerd/console v1.0.4 h1:F2g4+oChYvBTsASRTz8NP6iIAi97J3TtSAsLbIFn4ro=
+github.com/containerd/console v1.0.4/go.mod h1:YynlIjWYF8myEu6sdkwKIvGQq+cOckRm6So2avqoYAk=
 github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/go-md2man/v2 v2.0.2 h1:p1EgwI/C7NhT0JmVkwCD2ZBK8j4aeHQX2pMHHBfMQ6w=
@@ -65,14 +65,15 @@ github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df h1:OviZH7qLw/7Zo
 github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU=
 golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 h1:Jvc7gsqn21cJHCmAWx0LiimpP18LZmUxkT5Mp7EZ1mI=
 golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
-golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
-golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
+golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU=
-golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
diff --git a/libcontainer/cgroups/file.go b/libcontainer/cgroups/file.go
index 6c93ce4502d..16aae5a3b7c 100644
--- a/libcontainer/cgroups/file.go
+++ b/libcontainer/cgroups/file.go @@ -66,16 +66,16 @@ var ( // TestMode is set to true by unit tests that need "fake" cgroupfs. TestMode bool - cgroupFd int = -1 - prepOnce sync.Once - prepErr error - resolveFlags uint64 + cgroupRootHandle *os.File + prepOnce sync.Once + prepErr error + resolveFlags uint64 ) func prepareOpenat2() error { prepOnce.Do(func() { fd, err := unix.Openat2(-1, cgroupfsDir, &unix.OpenHow{ - Flags: unix.O_DIRECTORY | unix.O_PATH, + Flags: unix.O_DIRECTORY | unix.O_PATH | unix.O_CLOEXEC, }) if err != nil { prepErr = &os.PathError{Op: "openat2", Path: cgroupfsDir, Err: err} @@ -86,15 +86,16 @@ func prepareOpenat2() error { } return } + file := os.NewFile(uintptr(fd), cgroupfsDir) + var st unix.Statfs_t - if err = unix.Fstatfs(fd, &st); err != nil { + if err := unix.Fstatfs(int(file.Fd()), &st); err != nil { prepErr = &os.PathError{Op: "statfs", Path: cgroupfsDir, Err: err} logrus.Warnf("falling back to securejoin: %s", prepErr) return } - cgroupFd = fd - + cgroupRootHandle = file resolveFlags = unix.RESOLVE_BENEATH | unix.RESOLVE_NO_MAGICLINKS if st.Type == unix.CGROUP2_SUPER_MAGIC { // cgroupv2 has a single mountpoint and no "cpu,cpuacct" symlinks @@ -121,7 +122,7 @@ func openFile(dir, file string, flags int) (*os.File, error) { return openFallback(path, flags, mode) } - fd, err := unix.Openat2(cgroupFd, relPath, + fd, err := unix.Openat2(int(cgroupRootHandle.Fd()), relPath, &unix.OpenHow{ Resolve: resolveFlags, Flags: uint64(flags) | unix.O_CLOEXEC, 
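Review bot: On the `Fstatfs` failure branch in `prepareOpenat2`, the freshly created `file` is neither stored in `cgroupRootHandle` nor closed, so the O_PATH descriptor stays open until the `*os.File` finaliser happens to run; the old code leaked `fd` the same way, but now that the descriptor is wrapped it can be released with `_ = file.Close()` right before the `return` in that branch. Because `prepOnce` runs this once per process the leak is bounded, but it is still a dangling handle on `cgroupfsDir` that serves no purpose after the fallback is chosen. The `prepOnce.Do` closure opens in the previous hunk and its cgroup v1/v2 tail continues past this one.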
@@ -129,21 +130,21 @@ func openFile(dir, file string, flags int) (*os.File, error) { }) if err != nil { err = &os.PathError{Op: "openat2", Path: path, Err: err} - // Check if cgroupFd is still opened to cgroupfsDir + // Check if cgroupRootHandle is still opened to cgroupfsDir // (happens when this package is incorrectly used // across the chroot/pivot_root/mntns boundary, or // when /sys/fs/cgroup is remounted). // // TODO: if such usage will ever be common, amend this - // to reopen cgroupFd and retry openat2. - fdPath, closer := utils.ProcThreadSelf("fd/" + strconv.Itoa(cgroupFd)) + // to reopen cgroupRootHandle and retry openat2. + fdPath, closer := utils.ProcThreadSelf("fd/" + strconv.Itoa(int(cgroupRootHandle.Fd()))) defer closer() fdDest, _ := os.Readlink(fdPath) if fdDest != cgroupfsDir { - // Wrap the error so it is clear that cgroupFd + // Wrap the error so it is clear that cgroupRootHandle // is opened to an unexpected/wrong directory. - err = fmt.Errorf("cgroupFd %d unexpectedly opened to %s != %s: %w", - cgroupFd, fdDest, cgroupfsDir, err) + err = fmt.Errorf("cgroupRootHandle %d unexpectedly opened to %s != %s: %w", + cgroupRootHandle.Fd(), fdDest, cgroupfsDir, err) } return nil, err } diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go index 5fdafdbca80..b3075fd34df 100644 --- a/libcontainer/container_linux.go +++ b/libcontainer/container_linux.go 
@@ -332,6 +332,15 @@ func (c *Container) start(process *Process) (retErr error) { }() } + // Before starting "runc init", mark all non-stdio open files as O_CLOEXEC + // to make sure we don't leak any files into "runc init". Any files to be + // passed to "runc init" through ExtraFiles will get dup2'd by the Go + // runtime and thus their O_CLOEXEC flag will be cleared. This is some + // additional protection against attacks like CVE-2024-21626, by making + // sure we never leak files to "runc init" we didn't intend to. + if err := utils.CloseExecFrom(3); err != nil { + return fmt.Errorf("unable to mark non-stdio fds as cloexec: %w", err) + } if err := parent.start(); err != nil { return fmt.Errorf("unable to start container process: %w", err) } diff --git a/libcontainer/dmz/_dmz.c b/libcontainer/dmz/_dmz.c index 2855e60d5cd..e4cfcf087e7 100644 --- a/libcontainer/dmz/_dmz.c +++ b/libcontainer/dmz/_dmz.c @@ -1,4 +1,7 @@ #ifdef RUNC_USE_STDLIB +# include +# include +# include # include #else # include "xstat.h" @@ -11,5 +14,14 @@ int main(int argc, char **argv) { if (argc < 1) return 127; - return execve(argv[0], argv, environ); + int ret = execve(argv[0], argv, environ); + if (ret) { + /* NOTE: This error message format MUST match Go's format. */ + char err_msg[5 + PATH_MAX + 1] = "exec "; // "exec " + argv[0] + '\0' + strncat(err_msg, argv[0], PATH_MAX); + err_msg[sizeof(err_msg) - 1] = '\0'; + + perror(err_msg); + } + return ret; } diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go index 0117ace5990..591981e9874 100644 --- a/libcontainer/init_linux.go +++ b/libcontainer/init_linux.go @@ -7,6 +7,7 @@ import ( "fmt" "net" "os" + "path/filepath" "runtime" "runtime/debug" "strconv" @@ -89,7 +90,7 @@ func Init() { } // Normally, StartInitialization() never returns, meaning // if we are here, it had failed. - os.Exit(1) + os.Exit(255) } // Normally, this function does not return. If it returns, with or without an 
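Review bot: The protection `utils.CloseExecFrom(3)` gives depends on two things the comment does not state: nothing may open a non-CLOEXEC descriptor between this call and the fork inside `parent.start()`, and every file intended for `runc init` must travel through `ExtraFiles` (which is what clears the flag again) rather than be inherited by number. A line such as `// Keep this immediately before parent.start(): descriptors opened in between are not covered.` would stop a future insertion from quietly reopening the gap. `Container.start` begins and ends outside the hunk, so whether every path that spawns `runc init` goes through this function is not visible here.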
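Review bot: The new error path in `main` uses `strncat`, `perror` and `PATH_MAX` unconditionally, but the headers added at the top of the file sit under `#ifdef RUNC_USE_STDLIB` (their names did not survive rendering here), so the `#else` branch that pulls in `"xstat.h"` has to provide equivalents — worth confirming, since that is the configuration the shipped binary is built with. The trailing `err_msg[sizeof(err_msg) - 1] = '\0';` is redundant: `strncat` always writes a terminator and the buffer is sized `5 + PATH_MAX + 1` for exactly that case. `return ret;` hands `-1` from `execve` to the caller, which only becomes exit status 255 through truncation; returning `255` explicitly, or a comment tying it to the `os.Exit(255)` this commit adds to `Init()`, would make the contract between the two halves visible.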
@@ -107,7 +108,11 @@ func startInitialization() (retErr error) { defer func() { // If this defer is ever called, this means initialization has failed. - // Send the error back to the parent process in the form of an initError. + // Send the error back to the parent process in the form of an initError + // if the sync socket has not been closed. + if syncPipe.isClosed() { + return + } ierr := initError{Message: retErr.Error()} if err := writeSyncArg(syncPipe, procError, ierr); err != nil { fmt.Fprintln(os.Stderr, err) @@ -137,24 +142,26 @@ func startInitialization() (retErr error) { logrus.SetLevel(logrus.Level(logLevel)) } - logFD, err := strconv.Atoi(os.Getenv("_LIBCONTAINER_LOGPIPE")) + logFd, err := strconv.Atoi(os.Getenv("_LIBCONTAINER_LOGPIPE")) if err != nil { return fmt.Errorf("unable to convert _LIBCONTAINER_LOGPIPE: %w", err) } + logPipe := os.NewFile(uintptr(logFd), "logpipe") - logrus.SetOutput(os.NewFile(uintptr(logFD), "logpipe")) + logrus.SetOutput(logPipe) logrus.SetFormatter(new(logrus.JSONFormatter)) logrus.Debug("child process in init()") // Only init processes have FIFOFD. - fifofd := -1 + var fifoFile *os.File envInitType := os.Getenv("_LIBCONTAINER_INITTYPE") it := initType(envInitType) if it == initStandard { - envFifoFd := os.Getenv("_LIBCONTAINER_FIFOFD") - if fifofd, err = strconv.Atoi(envFifoFd); err != nil { + fifoFd, err := strconv.Atoi(os.Getenv("_LIBCONTAINER_FIFOFD")) + if err != nil { return fmt.Errorf("unable to convert _LIBCONTAINER_FIFOFD: %w", err) } + fifoFile = os.NewFile(uintptr(fifoFd), "initfifo") } var consoleSocket *os.File 
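Review bot: `os.NewFile` returns nil for a negative descriptor and `strconv.Atoi` will happily produce one, so a malformed `_LIBCONTAINER_LOGPIPE` or `_LIBCONTAINER_FIFOFD` now yields a nil `*os.File` that is only noticed much later: every write through `logPipe` fails with an invalid-handle error so the child's log stream is lost, and a nil `fifoFile` makes the later `fifoFile.Fd()` return `^uintptr(0)`, which then shows up as an opaque open failure on a nonsense `/proc/thread-self/fd/...` path. The log pipe already had this hole; the FIFO handle is new. A guard after each construction keeps the failure diagnosable, e.g. `if logPipe == nil { return fmt.Errorf("invalid _LIBCONTAINER_LOGPIPE fd %d", logFd) }` and the equivalent for `fifoFile`. `startInitialization` begins before and ends after this hunk.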
@@ -208,10 +215,10 @@ func startInitialization() (retErr error) { } // If init succeeds, it will not return, hence none of the defers will be called. - return containerInit(it, &config, syncPipe, consoleSocket, pidfdSocket, fifofd, logFD, dmzExe) + return containerInit(it, &config, syncPipe, consoleSocket, pidfdSocket, fifoFile, logPipe, dmzExe) } -func containerInit(t initType, config *initConfig, pipe *syncSocket, consoleSocket, pidfdSocket *os.File, fifoFd, logFd int, dmzExe *os.File) error { +func containerInit(t initType, config *initConfig, pipe *syncSocket, consoleSocket, pidfdSocket, fifoFile, logPipe, dmzExe *os.File) error { if err := populateProcessEnvironment(config.Env); err != nil { return err } @@ -223,7 +230,7 @@ func containerInit(t initType, config *initConfig, pipe *syncSocket, consoleSock consoleSocket: consoleSocket, pidfdSocket: pidfdSocket, config: config, - logFd: logFd, + logPipe: logPipe, dmzExe: dmzExe, } return i.Init() @@ -234,8 +241,8 @@ func containerInit(t initType, config *initConfig, pipe *syncSocket, consoleSock pidfdSocket: pidfdSocket, parentPid: unix.Getppid(), config: config, - fifoFd: fifoFd, - logFd: logFd, + fifoFile: fifoFile, + logPipe: logPipe, dmzExe: dmzExe, } return i.Init() 
@@ -268,6 +275,32 @@ func populateProcessEnvironment(env []string) error { return nil } +// verifyCwd ensures that the current directory is actually inside the mount +// namespace root of the current process. +func verifyCwd() error { + // getcwd(2) on Linux detects if cwd is outside of the rootfs of the + // current mount namespace root, and in that case prefixes "(unreachable)" + // to the returned string. glibc's getcwd(3) and Go's Getwd() both detect + // when this happens and return ENOENT rather than returning a non-absolute + // path. In both cases we can therefore easily detect if we have an invalid + // cwd by checking the return value of getcwd(3). See getcwd(3) for more + // details, and CVE-2024-21626 for the security issue that motivated this + // check. + // + // We have to use unix.Getwd() here because os.Getwd() has a workaround for + // $PWD which involves doing stat(.), which can fail if the current + // directory is inaccessible to the container process. + if wd, err := unix.Getwd(); errors.Is(err, unix.ENOENT) { + return errors.New("current working directory is outside of container mount namespace root -- possible container breakout detected") + } else if err != nil { + return fmt.Errorf("failed to verify if current working directory is safe: %w", err) + } else if !filepath.IsAbs(wd) { + // We shouldn't ever hit this, but check just in case. + return fmt.Errorf("current working directory is not absolute -- possible container breakout detected: cwd is %q", wd) + } + return nil +} + // finalizeNamespace drops the caps, sets the correct user // and working dir, and closes any leaked file descriptors // before executing the command inside the namespace 
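Review bot: `verifyCwd` treats `ENOENT` from `unix.Getwd` as a breakout indicator, but getcwd(2) also returns `ENOENT` when the current directory has simply been unlinked, so a container whose configured `Cwd` was removed underneath it would fail with "possible container breakout detected" for an ordinary reason. The error text and the comment could acknowledge that second cause, e.g. `return errors.New("current working directory is outside of container mount namespace root or has been unlinked -- possible container breakout detected")`, so operators are not sent chasing an escape that did not happen. Note also that the hunk relies on `errors` already being imported in this file, since the import hunk above only adds `path/filepath`.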
@@ -326,6 +359,10 @@ func finalizeNamespace(config *initConfig) error { return fmt.Errorf("chdir to cwd (%q) set in config.json failed: %w", config.Cwd, err) } } + // Make sure our final working directory is inside the container. + if err := verifyCwd(); err != nil { + return err + } if err := system.ClearKeepCaps(); err != nil { return fmt.Errorf("unable to clear keep caps: %w", err) } diff --git a/libcontainer/integration/seccomp_test.go b/libcontainer/integration/seccomp_test.go index 31092a0a5d2..ecdfa7957df 100644 --- a/libcontainer/integration/seccomp_test.go +++ b/libcontainer/integration/seccomp_test.go @@ -13,7 +13,7 @@ import ( libseccomp "github.com/seccomp/libseccomp-golang" ) -func TestSeccompDenyGetcwdWithErrno(t *testing.T) { +func TestSeccompDenySyslogWithErrno(t *testing.T) { if testing.Short() { return } @@ -25,7 +25,7 @@ func TestSeccompDenyGetcwdWithErrno(t *testing.T) { DefaultAction: configs.Allow, Syscalls: []*configs.Syscall{ { - Name: "getcwd", + Name: "syslog", Action: configs.Errno, ErrnoRet: &errnoRet, }, @@ -39,7 +39,7 @@ func TestSeccompDenyGetcwdWithErrno(t *testing.T) { buffers := newStdBuffers() pwd := &libcontainer.Process{ Cwd: "/", - Args: []string{"pwd"}, + Args: []string{"dmesg"}, Env: standardEnvironment, Stdin: buffers.Stdin, Stdout: buffers.Stdout, @@ -65,17 +65,17 @@ func TestSeccompDenyGetcwdWithErrno(t *testing.T) { } if exitCode == 0 { - t.Fatalf("Getcwd should fail with negative exit code, instead got %d!", exitCode) + t.Fatalf("dmesg should fail with negative exit code, instead got %d!", exitCode) } - expected := "pwd: getcwd: No such process" + expected := "dmesg: klogctl: No such process" actual := strings.Trim(buffers.Stderr.String(), "\n") if actual != expected { t.Fatalf("Expected output %s but got %s\n", expected, actual) } } -func TestSeccompDenyGetcwd(t *testing.T) { +func TestSeccompDenySyslog(t *testing.T) { if testing.Short() { return } 
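Review bot: The process variable is still called `pwd` even though `Args` now launches `dmesg`; the same mismatch is in the `TestSeccompDenySyslog` hunk at `@@ -98,7 +98,7 @@`. Renaming it (`proc := &libcontainer.Process{` with the matching uses) keeps the test honest about what it runs. The `expected` strings in the later hunks pin the exact stderr of whichever `dmesg` implementation the test image ships (`dmesg: klogctl: ...`), which is as implementation-specific as the `pwd: getcwd:` text was; a one-line comment naming that assumption would save the next person who swaps the image.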
@@ -85,7 +85,7 @@ func TestSeccompDenyGetcwd(t *testing.T) { DefaultAction: configs.Allow, Syscalls: []*configs.Syscall{ { - Name: "getcwd", + Name: "syslog", Action: configs.Errno, }, }, @@ -98,7 +98,7 @@ func TestSeccompDenyGetcwd(t *testing.T) { buffers := newStdBuffers() pwd := &libcontainer.Process{ Cwd: "/", - Args: []string{"pwd"}, + Args: []string{"dmesg"}, Env: standardEnvironment, Stdin: buffers.Stdin, Stdout: buffers.Stdout, @@ -124,10 +124,10 @@ func TestSeccompDenyGetcwd(t *testing.T) { } if exitCode == 0 { - t.Fatalf("Getcwd should fail with negative exit code, instead got %d!", exitCode) + t.Fatalf("dmesg should fail with negative exit code, instead got %d!", exitCode) } - expected := "pwd: getcwd: Operation not permitted" + expected := "dmesg: klogctl: Operation not permitted" actual := strings.Trim(buffers.Stderr.String(), "\n") if actual != expected { t.Fatalf("Expected output %s but got %s\n", expected, actual) diff --git a/libcontainer/mount_linux.go b/libcontainer/mount_linux.go index 285e03fa491..f9b1adf51db 100644 --- a/libcontainer/mount_linux.go +++ b/libcontainer/mount_linux.go @@ -113,12 +113,12 @@ func mountViaFds(source string, srcFile *mountSource, target, dstFd, fstype stri // mount(2), we need to get a safe handle to /proc/thread-self. This // isn't needed for move_mount(2) because in that case the path is just // a dummy string used for error info. - fdStr := strconv.Itoa(int(srcFile.file.Fd())) + srcFileFd := srcFile.file.Fd() if isMoveMount { - src = "/proc/self/fd/" + fdStr + src = "/proc/self/fd/" + strconv.Itoa(int(srcFileFd)) } else { var closer utils.ProcThreadSelfCloser - src, closer = utils.ProcThreadSelf("fd/" + fdStr) + src, closer = utils.ProcThreadSelfFd(srcFileFd) defer closer() } } diff --git a/libcontainer/nsenter/ipc.c b/libcontainer/nsenter/ipc.c deleted file mode 100644 index 01321a718cb..00000000000 --- a/libcontainer/nsenter/ipc.c +++ /dev/null 
@@ -1,84 +0,0 @@ -#define _GNU_SOURCE -#include -#include -#include -#include -#include "ipc.h" -#include "log.h" - -int receive_fd(int sockfd) -{ - int bytes_read; - struct msghdr msg = { }; - struct cmsghdr *cmsg; - struct iovec iov = { }; - char null_byte = '\0'; - int ret; - int fd_count; - - iov.iov_base = &null_byte; - iov.iov_len = 1; - - msg.msg_iov = &iov; - msg.msg_iovlen = 1; - - msg.msg_controllen = CMSG_SPACE(sizeof(int)); - msg.msg_control = malloc(msg.msg_controllen); - if (msg.msg_control == NULL) { - bail("Can't allocate memory to receive fd."); - } - - memset(msg.msg_control, 0, msg.msg_controllen); - - bytes_read = recvmsg(sockfd, &msg, MSG_CMSG_CLOEXEC); - if (bytes_read != 1) - bail("failed to receive fd from unix socket %d", sockfd); - if (msg.msg_flags & MSG_CTRUNC) - bail("received truncated control message from unix socket %d", sockfd); - - cmsg = CMSG_FIRSTHDR(&msg); - if (!cmsg) - bail("received message from unix socket %d without control message", sockfd); - - if (cmsg->cmsg_level != SOL_SOCKET) - bail("received unknown control message from unix socket %d: cmsg_level=%d", sockfd, cmsg->cmsg_level); - - if (cmsg->cmsg_type != SCM_RIGHTS) - bail("received unknown control message from unix socket %d: cmsg_type=%d", sockfd, cmsg->cmsg_type); - - fd_count = (cmsg->cmsg_len - CMSG_LEN(0)) / sizeof(int); - if (fd_count != 1) - bail("received control message from unix socket %d with too many fds: %d", sockfd, fd_count); - - ret = *(int *)CMSG_DATA(cmsg); - free(msg.msg_control); - return ret; -} - -int send_fd(int sockfd, int fd) -{ - struct msghdr msg = { }; - struct cmsghdr *cmsg; - struct iovec iov[1] = { }; - char null_byte = '\0'; - - iov[0].iov_base = &null_byte; - iov[0].iov_len = 1; - - msg.msg_iov = iov; - msg.msg_iovlen = 1; - - /* We send only one fd as specified by cmsg->cmsg_len below, even - * though msg.msg_controllen might have more space due to alignment. 
*/ - msg.msg_controllen = CMSG_SPACE(sizeof(int)); - msg.msg_control = alloca(msg.msg_controllen); - memset(msg.msg_control, 0, msg.msg_controllen); - - cmsg = CMSG_FIRSTHDR(&msg); - cmsg->cmsg_level = SOL_SOCKET; - cmsg->cmsg_type = SCM_RIGHTS; - cmsg->cmsg_len = CMSG_LEN(sizeof(int)); - memcpy(CMSG_DATA(cmsg), &fd, sizeof(int)); - - return sendmsg(sockfd, &msg, 0); -} diff --git a/libcontainer/nsenter/ipc.h b/libcontainer/nsenter/ipc.h deleted file mode 100644 index 6e5972697d9..00000000000 --- a/libcontainer/nsenter/ipc.h +++ /dev/null @@ -1,12 +0,0 @@ -#ifndef NSENTER_IPC_H -#define NSENTER_IPC_H - -int receive_fd(int sockfd); - -/* - * send_fd passes the open file descriptor fd to another process via the UNIX - * domain socket sockfd. The return value of the sendmsg(2) call is returned. - */ -int send_fd(int sockfd, int fd); - -#endif /* NSENTER_IPC_H */ diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c index bfc6a79a8e1..c771ac7e116 100644 --- a/libcontainer/nsenter/nsexec.c +++ b/libcontainer/nsenter/nsexec.c @@ -4,7 +4,6 @@ #include #include #include -#include #include #include #include @@ -28,7 +27,6 @@ #include #include "getenv.h" -#include "ipc.h" #include "log.h" /* Get all of the CLONE_NEW* flags. */ #include "namespace.h" diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go index 0dd72f95e7f..ba48604d988 100644 --- a/libcontainer/setns_init_linux.go +++ b/libcontainer/setns_init_linux.go @@ -5,7 +5,6 @@ import ( "fmt" "os" "os/exec" - "strconv" "github.com/opencontainers/selinux/go-selinux" "github.com/sirupsen/logrus" @@ -15,6 +14,7 @@ import ( "github.com/opencontainers/runc/libcontainer/keys" "github.com/opencontainers/runc/libcontainer/seccomp" "github.com/opencontainers/runc/libcontainer/system" + "github.com/opencontainers/runc/libcontainer/utils" ) // linuxSetnsInit performs the container's initialization for running a new process 
@@ -24,7 +24,7 @@ type linuxSetnsInit struct { consoleSocket *os.File pidfdSocket *os.File config *initConfig - logFd int + logPipe *os.File dmzExe *os.File } @@ -129,15 +129,38 @@ func (l *linuxSetnsInit) Init() error { } } + // Close the pipe to signal that we have completed our init. + // Please keep this because we don't want to get a pipe write error if + // there is an error from `execve` after all fds closed. + _ = l.pipe.Close() + // Close the log pipe fd so the parent's ForwardLogs can exit. logrus.Debugf("setns_init: about to exec") - if err := unix.Close(l.logFd); err != nil { - return &os.PathError{Op: "close log pipe", Path: "fd " + strconv.Itoa(l.logFd), Err: err} + if err := l.logPipe.Close(); err != nil { + return fmt.Errorf("close log pipe: %w", err) } if l.dmzExe != nil { l.config.Args[0] = name return system.Fexecve(l.dmzExe.Fd(), l.config.Args, os.Environ()) } + // Close all file descriptors we are not passing to the container. This is + // necessary because the execve target could use internal runc fds as the + // execve path, potentially giving access to binary files from the host + // (which can then be opened by container processes, leading to container + // escapes). Note that because this operation will close any open file + // descriptors that are referenced by (*os.File) handles from underneath + // the Go runtime, we must not do any file operations after this point + // (otherwise the (*os.File) finaliser could close the wrong file). See + // CVE-2024-21626 for more information as to why this protection is + // necessary. + // + // This is not needed for runc-dmz, because the extra execve(2) step means + // that all O_CLOEXEC file descriptors have already been closed and thus + // the second execve(2) from runc-dmz cannot access internal file + // descriptors from runc. + if err := utils.UnsafeCloseFrom(l.config.PassedFilesCount + 3); err != nil { + return err + } return system.Exec(name, l.config.Args, os.Environ()) } 
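Review bot: Once `_ = l.pipe.Close()` has run, the two error returns that follow (`close log pipe` and `UnsafeCloseFrom`) can no longer reach the parent, because the deferred handler in `startInitialization` now returns early when `syncPipe.isClosed()`; the only signal left is the 255 exit status. A short comment at those `return` sites, e.g. `// Past this point errors are exit-status only; the sync pipe is already closed.`, would stop the next reader from looking for a missing initError. The fifteen-line rationale above the `UnsafeCloseFrom` call is duplicated verbatim in `linuxStandardInit.Init` (the `@@ -287,5 +286,23 @@` hunk); its natural home is the doc comment of `UnsafeCloseFrom` in `utils_unix.go`, leaving a one-line pointer at each call site. `linuxSetnsInit.Init` starts outside the hunk.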
diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go index 496aeb94900..4447032cf59 100644 --- a/libcontainer/standard_init_linux.go +++ b/libcontainer/standard_init_linux.go @@ -5,7 +5,6 @@ import ( "fmt" "os" "os/exec" - "strconv" "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/selinux/go-selinux" @@ -25,8 +24,8 @@ type linuxStandardInit struct { consoleSocket *os.File pidfdSocket *os.File parentPid int - fifoFd int - logFd int + fifoFile *os.File + logPipe *os.File dmzExe *os.File config *initConfig } @@ -249,11 +248,11 @@ func (l *linuxStandardInit) Init() error { // Close the log pipe fd so the parent's ForwardLogs can exit. logrus.Debugf("init: about to wait on exec fifo") - if err := unix.Close(l.logFd); err != nil { - return &os.PathError{Op: "close log pipe", Path: "fd " + strconv.Itoa(l.logFd), Err: err} + if err := l.logPipe.Close(); err != nil { + return fmt.Errorf("close log pipe: %w", err) } - fifoPath, closer := utils.ProcThreadSelf("fd/" + strconv.Itoa(l.fifoFd)) + fifoPath, closer := utils.ProcThreadSelfFd(l.fifoFile.Fd()) defer closer() // Wait for the FIFO to be opened on the other side before exec-ing the @@ -274,7 +273,7 @@ func (l *linuxStandardInit) Init() error { // N.B. the core issue itself (passing dirfds to the host filesystem) has // since been resolved. // https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318 - _ = unix.Close(l.fifoFd) + _ = l.fifoFile.Close() s := l.config.SpecState s.Pid = unix.Getpid() 
@@ -287,5 +286,23 @@ func (l *linuxStandardInit) Init() error { l.config.Args[0] = name return system.Fexecve(l.dmzExe.Fd(), l.config.Args, os.Environ()) } + // Close all file descriptors we are not passing to the container. This is + // necessary because the execve target could use internal runc fds as the + // execve path, potentially giving access to binary files from the host + // (which can then be opened by container processes, leading to container + // escapes). Note that because this operation will close any open file + // descriptors that are referenced by (*os.File) handles from underneath + // the Go runtime, we must not do any file operations after this point + // (otherwise the (*os.File) finaliser could close the wrong file). See + // CVE-2024-21626 for more information as to why this protection is + // necessary. + // + // This is not needed for runc-dmz, because the extra execve(2) step means + // that all O_CLOEXEC file descriptors have already been closed and thus + // the second execve(2) from runc-dmz cannot access internal file + // descriptors from runc. + if err := utils.UnsafeCloseFrom(l.config.PassedFilesCount + 3); err != nil { + return err + } return system.Exec(name, l.config.Args, os.Environ()) } diff --git a/libcontainer/sync_unix.go b/libcontainer/sync_unix.go index f94486cb300..c5d8f55ec95 100644 --- a/libcontainer/sync_unix.go +++ b/libcontainer/sync_unix.go @@ -4,6 +4,7 @@ import ( "fmt" "io" "os" + "sync/atomic" "golang.org/x/sys/unix" ) @@ -14,7 +15,8 @@ import ( // which ends up making things like json.Decoder hang forever if the packet is // bigger than the internal read buffer. type syncSocket struct { - f *os.File + f *os.File + closed atomic.Bool } func newSyncSocket(f *os.File) *syncSocket { 
@@ -26,9 +28,15 @@ func (s *syncSocket) File() *os.File { } func (s *syncSocket) Close() error { + // Even with errors from Close(), we have to assume the pipe was closed. + s.closed.Store(true) return s.f.Close() } +func (s *syncSocket) isClosed() bool { + return s.closed.Load() +} + func (s *syncSocket) WritePacket(b []byte) (int, error) { return s.f.Write(b) } diff --git a/libcontainer/utils/utils_unix.go b/libcontainer/utils/utils_unix.go index a48221b000a..f57f0874a06 100644 --- a/libcontainer/utils/utils_unix.go +++ b/libcontainer/utils/utils_unix.go @@ -11,6 +11,7 @@ import ( "runtime" "strconv" "sync" + _ "unsafe" // for go:linkname securejoin "github.com/cyphar/filepath-securejoin" "github.com/sirupsen/logrus" @@ -53,14 +54,11 @@ func haveCloseRangeCloexec() bool { return haveCloseRangeCloexecBool } -// CloseExecFrom applies O_CLOEXEC to all file descriptors currently open for -// the process (except for those below the given fd value). -func CloseExecFrom(minFd int) error { - if haveCloseRangeCloexec() { - err := unix.CloseRange(uint(minFd), math.MaxUint, unix.CLOSE_RANGE_CLOEXEC) - return os.NewSyscallError("close_range", err) - } +type fdFunc func(fd int) +// fdRangeFrom calls the passed fdFunc for each file descriptor that is open in +// the current process. +func fdRangeFrom(minFd int, fn fdFunc) error { procSelfFd, closer := ProcThreadSelf("fd") defer closer() 
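Review bot: `isClosed` and the `closed` field carry no doc comment, and the semantics matter to their only caller, the deferred error reporter in `startInitialization`: the flag is set only inside `Close`, so it records that this side closed the socket and says nothing about the peer having gone away — a write can still fail with `isClosed()` false. Suggest `// isClosed reports whether Close has been called on this socket; it does not detect the peer closing its end.` above the method. Since `Close` stores the flag before calling `s.f.Close()`, a repeated `Close` still reaches the underlying file and returns its error, which preserves the previous behaviour; if idempotence is wanted, `if s.closed.Swap(true) { return nil }` would give it in one line.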
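Review bot: The doc comment on `fdRangeFrom` promises a call for each open descriptor, but the body (continuing into the next hunk) skips everything below `minFd` and the descriptor used for the directory read; say so, e.g. `// fdRangeFrom calls fn for every descriptor >= minFd that is open in the current process, except the one used to read the fd directory.` `fdFunc` returns nothing, so the fallback `CloseExecFrom` path has no way to observe a failed `CloseOnExec`; that matches the intent of the old comment, but its justification (such fds are almost always already closed) was removed with the old lines and should move onto the `fdFunc` declaration. The function body runs past the end of this hunk.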
@@ -88,15 +86,67 @@ func CloseExecFrom(minFd int) error { if fd < minFd { continue } - // Intentionally ignore errors from unix.CloseOnExec -- the cases where - // this might fail are basically file descriptors that have already - // been closed (including and especially the one that was created when - // os.ReadDir did the "opendir" syscall). - unix.CloseOnExec(fd) + // Ignore the file descriptor we used for readdir, as it will be closed + // when we return. + if uintptr(fd) == fdDir.Fd() { + continue + } + // Run the closure. + fn(fd) } return nil } +// CloseExecFrom sets the O_CLOEXEC flag on all file descriptors greater or +// equal to minFd in the current process. +func CloseExecFrom(minFd int) error { + // Use close_range(CLOSE_RANGE_CLOEXEC) if possible. + if haveCloseRangeCloexec() { + err := unix.CloseRange(uint(minFd), math.MaxUint, unix.CLOSE_RANGE_CLOEXEC) + return os.NewSyscallError("close_range", err) + } + // Otherwise, fall back to the standard loop. + return fdRangeFrom(minFd, unix.CloseOnExec) +} + +//go:linkname runtime_IsPollDescriptor internal/poll.IsPollDescriptor + +// In order to make sure we do not close the internal epoll descriptors the Go +// runtime uses, we need to ensure that we skip descriptors that match +// "internal/poll".IsPollDescriptor. Yes, this is a Go runtime internal thing, +// unfortunately there's no other way to be sure we're only keeping the file +// descriptors the Go runtime needs. Hopefully nothing blows up doing this... +func runtime_IsPollDescriptor(fd uintptr) bool //nolint:revive + +// UnsafeCloseFrom closes all file descriptors greater or equal to minFd in the +// current process, except for those critical to Go's runtime (such as the +// netpoll management descriptors). 
+// +// NOTE: That this function is incredibly dangerous to use in most Go code, as +// closing file descriptors from underneath *os.File handles can lead to very +// bad behaviour (the closed file descriptor can be re-used and then any +// *os.File operations would apply to the wrong file). This function is only +// intended to be called from the last stage of runc init. +func UnsafeCloseFrom(minFd int) error { + // We cannot use close_range(2) even if it is available, because we must + // not close some file descriptors. + return fdRangeFrom(minFd, func(fd int) { + if runtime_IsPollDescriptor(uintptr(fd)) { + // These are the Go runtimes internal netpoll file descriptors. + // These file descriptors are operated on deep in the Go scheduler, + // and closing those files from underneath Go can result in panics. + // There is no issue with keeping them because they are not + // executable and are not useful to an attacker anyway. Also we + // don't have any choice. + return + } + // There's nothing we can do about errors from close(2), and the + // only likely error to be seen is EBADF which indicates the fd was + // already closed (in which case, we got what we wanted). + _ = unix.Close(fd) + }) +} + // NewSockPair returns a new SOCK_STREAM unix socket pair. func NewSockPair(name string) (parent, child *os.File, err error) { fds, err := unix.Socketpair(unix.AF_LOCAL, unix.SOCK_STREAM|unix.SOCK_CLOEXEC, 0) 
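Review bot: `//go:linkname runtime_IsPollDescriptor internal/poll.IsPollDescriptor` ties `UnsafeCloseFrom` to an unexported standard-library symbol, and newer toolchains restrict pull-style linknames into the standard library unless the symbol is explicitly allowed; the comment admits the fragility but does not say what the failure looks like (a link error at build time, not a silent skip) or which Go versions were checked — the CI bump to 1.21 in this commit is the only hint, while `go.mod` still says 1.20. A line such as `// Checked on Go 1.20-1.21; a link error here means the symbol moved -- do not "fix" it by closing everything.` keeps that knowledge next to the hazard. `UnsafeCloseFrom` is otherwise sound: it cannot use `close_range` because the predicate must run per descriptor, and the function's doc comment correctly names the netpoll descriptors as the only survivors.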
@@ -202,3 +252,12 @@ func ProcThreadSelf(subpath string) (string, ProcThreadSelfCloser) { } return threadSelf + subpath, runtime.UnlockOSThread } + +// ProcThreadSelfFd is small wrapper around ProcThreadSelf to make it easier to +// create a /proc/thread-self handle for given file descriptor. +// +// It is basically equivalent to ProcThreadSelf(fmt.Sprintf("fd/%d", fd)), but +// without using fmt.Sprintf to avoid unneeded overhead. +func ProcThreadSelfFd(fd uintptr) (string, ProcThreadSelfCloser) { + return ProcThreadSelf("fd/" + strconv.FormatUint(uint64(fd), 10)) +} diff --git a/runc.keyring b/runc.keyring index 84b4ca38a1e..3fb6d283636 100644 --- a/runc.keyring +++ b/runc.keyring @@ -72,18 +72,18 @@ KWr9ByCKAwVHsaSgVSJE/dse4f1toqeEHHbWk682U4RqOWZR4bA0 pub ed25519 2019-06-21 [C] C9C370B246B09F6DBCFC744C34401015D1D2D386 uid [ultimate] Aleksa Sarai -sub ed25519 2022-09-30 [S] [expires: 2024-09-29] -sub cv25519 2022-09-30 [E] [expires: 2024-09-29] -sub ed25519 2022-09-30 [A] [expires: 2024-09-29] +sub ed25519 2022-09-30 [S] [expires: 2030-03-25] +sub cv25519 2022-09-30 [E] [expires: 2030-03-25] +sub ed25519 2022-09-30 [A] [expires: 2030-03-25] -----BEGIN PGP PUBLIC KEY BLOCK----- Comment: github=cyphar mDMEXQxvLxYJKwYBBAHaRw8BAQdArRQoZs9YzYtQIiPA1qdvUT8Q0wbPZyRV65Tz QNTIZla0IEFsZWtzYSBTYXJhaSA8Y3lwaGFyQGN5cGhhci5jb20+iJAEExYIADgF -CwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQTJw3CyRrCfbbz8dEw0QBAV0dLThgUC -XQzCHwIbAQAKCRA0QBAV0dLThvUpAP9SwyOijLqEBz1A9pTqRAB0l/r+ABq+iUmH -UjMHO34LZAD/biRuAadaxIYJtmn7nKA55doyN2fQXhjArqypJ1SQywi4MwRdDMJS +CwkIBwIGFQoJCAsCBBYCAwECHgECF4ACGwEWIQTJw3CyRrCfbbz8dEw0QBAV0dLT +hgUCZa3xwQAKCRA0QBAV0dLThpQyAQDGzjZyyWWmd6Ykg5/lymp2MLIg1f2jG6ew +AiPT4ATkBAD/RgdLDf1IQStEH7pHmQa1qvqyRq1jeEgF23KruXbbdQ64MwRdDMJS FgkrBgEEAdpHDwEBB0B2IGusH7LuDH3hNT6JYM30S7G92FGogA6a9WQzKRlqvIh4 BCgWCgAgFiEEycNwskawn228/HRMNEAQFdHS04YFAmM2ukUCHQEACgkQNEAQFdHS 04ZTQAEAjAT0fXVJHdRL6UMCxDYsgjG+QyH1mr7gKgbPvB8A5LgBAN4QDqCxIY3b 
@@ -106,20 +106,20 @@ o7lcWozXFlQDOM7eoT4avvWOVcsaD4h4BBgWCAAgFiEEycNwskawn228/HRMNEAQ FdHS04YFAl0Mwo0CGyAACgkQNEAQFdHS04ajxQEAsZf1yDORUVYicREc/7z0U+51 DJzeAexeJTYM+N+x13EA/0Ex+o7qQ7dZLGDn7x4LSbd39C+++suHsEaE4XwlX6cH uDMEYza6SxYJKwYBBAHaRw8BAQdAE3s7dZQFuImQX2tWshIdGjeUKZc7rlMcrZ6+ -q25gaH2I9QQYFgoAJhYhBMnDcLJGsJ9tvPx0TDRAEBXR0tOGBQJjNrpLAhsCBQkD -wmcAAIEJEDRAEBXR0tOGdiAEGRYKAB0WIQS2TklVsp+j1GPyqQYol/rSt+lEbwUC -Yza6SwAKCRAol/rSt+lEb9obAQC8ij4yJTU7ZcAtTx2ZMjj8EoruGb3ku6VpRyx1 -+pyQQgD/QgQ7X1G7xtwuVpY0kHYga1yoKLA2ycT8F8PrVtF7pAMWkgD9EWe1E77C -BVd//i3ib+h9ikCeJ+gaxc6aU24ZBcN2tfUBAJmCmYQ0VEbXyvCqkdJEQ4qk5Y9C -2V4w83dj4a5RYKUGuDgEYza6YBIKKwYBBAGXVQEFAQEHQKECW5Y7nUGCka0/WcCM -OerRY95Pm2DQVL76QzvhXD8tAwEIB4h+BBgWCgAmFiEEycNwskawn228/HRMNEAQ -FdHS04YFAmM2umACGwwFCQPCZwAACgkQNEAQFdHS04bkuwEA7AEL+iSPlA8/YILp -0sFMzmtRqTDMqx2BY8K5wEk9fusA/jAhbeJw57bZYvK4MghfUa9tRocyII84UmOA -cgDbPPIFuDMEYza6bhYJKwYBBAHaRw8BAQdAgHXd0yf6MPXJZCZ3TFz8xLymyPsD -TF2SQwwqM4+nYbeIfgQYFgoAJhYhBMnDcLJGsJ9tvPx0TDRAEBXR0tOGBQJjNrpu -AhsgBQkDwmcAAAoJEDRAEBXR0tOGB8UA/0wf8uECKMmXGQ4DNi+ei2E9Ft6GL8qw -UGjwM/EKH2RoAP9HNRRKBjDxs/AZ3pBx1Q8hnHELLo0kXPc+3BG6Pht5BA== -=KN4V +q25gaH2I9QQYFgoAJgIbAhYhBMnDcLJGsJ9tvPx0TDRAEBXR0tOGBQJlrfJcBQkO +EpjFAIF2IAQZFgoAHRYhBLZOSVWyn6PUY/KpBiiX+tK36URvBQJjNrpLAAoJECiX ++tK36URv2hsBALyKPjIlNTtlwC1PHZkyOPwSiu4ZveS7pWlHLHX6nJBCAP9CBDtf +UbvG3C5WljSQdiBrXKgosDbJxPwXw+tW0XukAwkQNEAQFdHS04bMkQEA9elVwA0A ++ywDw+jnifIc98XqLI+KF3Xl0A9+lMuwthMBAO00DeAEjkryFMGp62GPNHqr/r6p ++6DIeUjWgK4Sh8IMuDgEYza6YBIKKwYBBAGXVQEFAQEHQKECW5Y7nUGCka0/WcCM +OerRY95Pm2DQVL76QzvhXD8tAwEIB4h+BBgWCgAmAhsMFiEEycNwskawn228/HRM +NEAQFdHS04YFAmWt8lwFCQ4SmLAACgkQNEAQFdHS04apHgD+MIRj2kujpxtQt04D +ZB+hofBtHIEMo2tplFBYvhZ6KOMA/1q3aRv6jnWAv8woc50KitP4/+iPmfyzaBA/ +8XA5DdIKuDMEYza6bhYJKwYBBAHaRw8BAQdAgHXd0yf6MPXJZCZ3TFz8xLymyPsD +TF2SQwwqM4+nYbeIfgQYFgoAJgIbIBYhBMnDcLJGsJ9tvPx0TDRAEBXR0tOGBQJl +rfJcBQkOEpiiAAoJEDRAEBXR0tOGAUwA/jbaz04OXnV3PYC/yQUsUJsihCTqz4Ne +lxxclgJYU604APsFzpoLD0oUlfMn5Fh75ftkKPrwiHpTj4rRU6oIQu1/Bg== 
+=Ab7w -----END PGP PUBLIC KEY BLOCK----- pub rsa2048 2020-04-28 [SC] [expires: 2025-04-18] @@ -159,11 +159,11 @@ S1NPMeS7+G/gPN9Ze9qFmOF2p57cmEa+8mriZCYY3BcUBOiMOV5HSBKJwqA2M8au =GkpD -----END PGP PUBLIC KEY BLOCK----- -pub rsa3072 2019-07-25 [SC] [expires: 2023-11-02] +pub rsa3072 2019-07-25 [SC] [expires: 2025-07-27] C020EA876CE4E06C7AB95AEF49524C6F9F638F1A uid [ultimate] Akihiro Suda uid [ultimate] Akihiro Suda -sub rsa3072 2019-07-25 [E] [expires: 2023-11-02] +sub rsa3072 2019-07-25 [E] [expires: 2025-07-27] -----BEGIN PGP PUBLIC KEY BLOCK----- Comment: github=AkihiroSuda 
@@ -178,26 +178,26 @@ dsyq4W565jNRV/HWRUMR+LDIS1KiEalzDoID3aUXRHHLUQG0oqX8jqFJUqp1P9pO 9nezuUDg8SsaBg8O4tyv/CZq/FeF3RMMc2EHTiO8HTERqmRMxUFZv3bkgA4GnjnA 3wsZhLXQq+UaIJUAEQEAAbQsQWtpaGlybyBTdWRhIDxha2loaXJvLnN1ZGEuY3pA aGNvLm50dC5jby5qcD6JAdQEEwEKAD4CGwMFCwkIBwIGFQoJCAsCBBYCAwECHgEC -F4AWIQTAIOqHbOTgbHq5Wu9JUkxvn2OPGgUCYYDT5gUJCAkhxwAKCRBJUkxvn2OP -GiHnC/wOqAvEcRmpKjqx4QUNkE34oGwiPgV5vyDlQElvBzyazQEcIdt9xaIE+4IS -7L7L6Q7WOGxWCvmRZ58E32m4RB1F8L7XQW0l3f6jESYLGPb6XDloux5poJzGxaGK -9gd6ItNmjOCmt08Icv0ZVTvKv20ej71aepllE5UaM9p5AlEwLkzQxPoGpB7E1Sdy -citRg6YEqTY+i5IeZ5xMthWXcushyLRRvm43DwbPsuZHVC1yMfo5VrF9JE65BdE9 -dIsCrZDnde/jUm4pAAwyAKSLLRVgj4xVP0XIdO2nVXDBWp9z4gUt/gMjuutO1a2U -Xw+XhkirUb2C++L0KvVBMbU303Q+xV/iaYjAuFjNy94HZms0iTBTB4qFHT4ClYHi -mNwTgfwRclpywkHzDi8496hsyzoVCeHSsu+ScDE1qAw6zrxASZXevYhhB2aBLr1s -d58WsYA37iXTEO4Hxm5V0Wh110hlCGFwcN8vWNhMCdIj7JN8nWZQNLZyppN7bCDu -FX8cE260I0FraWhpcm8gU3VkYSA8c3VkYS5reW90b0BnbWFpbC5jb20+iQHUBBMB +F4AWIQTAIOqHbOTgbHq5Wu9JUkxvn2OPGgUCZMPL2QUJC0wZugAKCRBJUkxvn2OP +GqTiC/93jTl0ci2zWC8vVBPSyjHDrpOhn+3ukCeC7VxHOdo6hBwbsxqaBUWi0Maf +p9oa4HzmsQjhMM+i3/Q/jHBvijXQ2UO5MaDrLhacoAW8i/YeU2aKn2yIyrQPIdc/ +tlcwjvsRPt534DOisf1N5+w6Y4DRgt2tNl0KOjEBmXsBWN7Fg+QRfLeNWKS9soq7 +QkI68T0e0h752FmI8TK4yy6FrhLVUU2ArLcOV2wjx5zKnWjgX7BbwYjAp8fi9hcC +XdmSvllQ8U9Y2ll8dDq3HBmo+uI4lfz31S4B5EKo4Wn+3bA4Y+VBNoJfoKyLeOgr +0cmo6SRJIsVaSvAJcMZ6oq+jvTDuygfRkxxgoTzCgwre7CPzcvC8gC0sYOB34TN4 +UogwN3pFmCPfi5TjXsx7vgfWKlHgwe3L/5aoQjTm+z6WanTHbIqOK9QkIuGykMpL +7nOJeH9LoRzpzc8aOwIOki2bbo7s9yzL8Gil+zaqe16Q+Y7wVBxSRxbg/3oUTi1K +/uM8N4S0I0FraWhpcm8gU3VkYSA8c3VkYS5reW90b0BnbWFpbC5jb20+iQHUBBMB CgA+AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAFiEEwCDqh2zk4Gx6uVrvSVJM -b59jjxoFAmGA0+YFCQgJIccACgkQSVJMb59jjxoMJwwAgZxXa8DPoUWeazt5TIVX -omVcsor2J75CqPKlOjvSVXSnCzkBM1kYN2RwVjNivuIEUWPDOohvUvJxllkm7dxd -g+XfLL3/luB4B+R06n78339K0pu4+n5eDIF0UiNbfuGocqFtVBXuC0uj7ZWPJnZe -tdbspisggJ8Q2Im7mQPQRQZ1Q1qBlogxpeeDzyGkrLRusryfd8LwPz7/8I59pkwG -hkNm0+JbaDJ1NtFElX+XvPaOxfCB3ut94CUjac0DdkQNDX+i2ruZNAsIjEuxQbuT 
-UAc1ouv+R126SBqVdkRLtRw+d0DmAR7PiL37C8KjQa6s+H46jzhLDQ0a3frZdo2w -c1Sony8C60w9q8wpGjJjjelTimsEW8aa7e17xMVgZrawAOAPDuGvbRMGl6fla9T2 -ZYTF6QDzoeqB4VgL441yJm0c2/c6L8gz8ehCNGyqxtfFX+8OO4W3+p4a/mKP8MLz -9l04g71QkuAi3bF7bbrsWmagMXJJJWTHbizDLaytI/6nuQGNBF06GR8BDACxpQ9c +b59jjxoFAmTDy9kFCQtMGboACgkQSVJMb59jjxogzgv/a+4+T5Xoklt0rGujSgtD +ogpQp4guaImEhkPieWMPG7+UfqxwoMLcvLE5kTzqLPe1DdYs8Tm/gtteHttLUfjD +qwY/+BsqIYYMJMRoXFBk2iokn0m/36da7WKpN+5r5ssujsvGj991k4oLQgFV0kEx +f4PSRxWQNlAqp4OfQNI91S7oMDH94dR+V5TIYYHxsPsnCvygD72GVER4G5mUvkCH +Nf8aqeckVxu8uZ/2LiNtYxbh5pwriuj8XbifuawdMdjpTvwAAa2DuKqCtj9cuQIt +hmOF1ux68TRxk//QGPqX49+WT0mwdHBX/I/nZVTOGt9sjjKU5m1o+rUiVHtQ3Yhw +fSLWEbfZiTjWDPWpjLU+r3C2qCiJyPjNpsxYAp4y3v511BXesejcXm24+MHFym5F +ngyAItzwDD9ieTt3uviuC64VZVz7NgnDMUK0LumKh9mrZZ20dTcX9Vw70o41CMQN +yBKloXOSPzQDZp1ZXzR3P/22WXG/e52YuU3Aw1femld+uQGNBF06GR8BDACxpQ9c y72+/WZGon+CToNj+a24PiduyExfFv26E0D77ACS6UAC5jz71mSuLbHiauQ3MHj+ 786z4m4St8+HjDL9YrAe19MobxWsLHAFvBJ8UHfZdkLzBkIKPHz7TUqlhvFR13b6 ZAZVZk975hgCT3LpzA1miHBY2E5WDpVa3pe94xshVHL3iVf9Jv1a4hmM+eu0gxX4 
@@ -206,16 +206,16 @@ Qf6sg0b/k6/vkVveopeeH28zb/nnVuhgGSxcbiZUrFC9EfhX4/6NNFRhE300AjeF bP7SoXx3qRhr993BDSP32r44hy+kYLhZP5K5oXivcITJZuGcJh49P4QuYGrnODIL gEhedWeePcJXFcEz09teizlWKGzd+EA3uwYd/bQelflwXkGuCLaoNv4qcH3oJDp1 vYI0zT7hGvnz3thRLg3SOWFq5cBhnfNGXPLsoNZBzWGn2cm5MJYSKjIM470AEQEA -AYkBvAQYAQoAJgIbDBYhBMAg6ods5OBserla70lSTG+fY48aBQJhgNRTBQkICSI0 -AAoJEElSTG+fY48a3YML/3snhGBx/Xd0EcK0pzyvyivZwavlGsQPAF2c1Rj7Lr1i -eUrp6CZ/yW7/oAvlk6Ngc0SoWba/pgnz7bVQEc21JTY86M1bRLLh3fmYCx8YFbsR -43zVr2bxDledzKV3bIuWStWbljHECuNTT91907pc3r4jv+jN4ZaXVUQ9pXj0DrV+ -MTJVCo7nrEXiq6q1WqaUAV9dMQE3rWGFa2u45QCZGLckOu3cuSCU8CVxSScmxgII -bUBu17xDzQnDkdcEQzzkZtDOrwF76dPdlrW69PXtC9oElRJbGCERivqlrpKDagXI -h4eZYfcFb2gc0qZjblvfVHiot65WM9bUsSAUAEfskYqIGLshzV9MrxFYQYvgt3ym -Qs7D8ORJiphjaOvDeqVyGdPm/rN5SVMVGYpJX6EkZkHinV/kRChtuLAD7NQ3YH5O -5l+Ehze9Nm4laEXQC/tme9B1XH0PUBJk1x8NeoVrYCTnypVFfRw37mC9XBu5TF6U -ix7vx45U/EvZrqmkDrEFOQ== -=4+1P +AYkBvAQYAQoAJgIbDBYhBMAg6ods5OBserla70lSTG+fY48aBQJkw8uyBQkLTBmT +AAoJEElSTG+fY48ayhsL+gLvKlfkYgxodyWKR5hOiUMKWE5tqfQY6kqrgssPYw+u +Fn69AamQLt4I2AHRg0AHjoZEsMfR19uXZ24XwwcWwgWU6yRJgMSIK67bLvL+d686 +m2KQ2PpmfDrizUgY4J0sY+tzwNZeWxQiFy/Ni6AdEqJvJQDsrKYJ2GGWm6JMZCPw +y3h5ouueieiEc0pvwEz2kg64uv6p8SUV1me66IXQaGseXb/BcW+Ap2WJO+IZjtNB +qhk+V+1x5ZT6s9RecjiTDmKfZ71zyRWplkfL22+4XVEc3qLS3r0ZSzeIA4JPRf+N +yCGjavdTNgu2bTo8iSgBq2NRT9kNwTaS8j883L0eY/JJktrfWnWE4qAuXBqLzkIl +smspRWy0byLQrrzk9stncF/CDt5XuHPcsXOcRVXVyM+/RXqWKdNAwZO67HD4wJR9 +YR4avhGZZXguH3b0ka2zO8sxTju/09yb07NJ2qfjfWSHCmaj9KuhhE0EO625tckS +58ceqolNBtrydoYZOc2CKw== +=ol6W -----END PGP PUBLIC KEY BLOCK----- diff --git a/script/check-config.sh b/script/check-config.sh index d54055023e9..c71ee72f2a7 100755 --- a/script/check-config.sh +++ b/script/check-config.sh 
@@ -236,7 +236,7 @@ flags=(
 KEYS VETH BRIDGE BRIDGE_NETFILTER IP_NF_FILTER IP_NF_TARGET_MASQUERADE
- NETFILTER_XT_MATCH_{ADDRTYPE,CONNTRACK,IPVS}
+ NETFILTER_XT_MATCH_{ADDRTYPE,COMMENT,CONNTRACK,IPVS}
 IP_NF_NAT NF_NAT
 # required for bind-mounting /dev/mqueue into containers
diff --git a/tests/integration/exec.bats b/tests/integration/exec.bats
index 069214cc956..2809070486e 100644
--- a/tests/integration/exec.bats
+++ b/tests/integration/exec.bats
@@ -322,3 +322,21 @@ function check_exec_debug() {
 runc exec --cgroup second test_busybox grep -w second /proc/self/cgroup
 [ "$status" -eq 0 ]
 }
+
+@test "RUNC_DMZ=legacy runc exec [execve error]" {
+ cat <rootfs/run.sh
+#!/mmnnttbb foo bar
+sh
+EOF
+ chmod +x rootfs/run.sh
+ RUNC_DMZ=legacy runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox
+ RUNC_DMZ=legacy runc exec -t test_busybox /run.sh
+ [ "$status" -ne 0 ]
+
+ # After the sync socket closed, we should not send error to parent
+ # process, or else we will get a unnecessary error log(#4171).
+ # Although we never close the sync socket when doing exec,
+ # but we need to keep this test to ensure this behavior is always right.
+ [ ${#lines[@]} -eq 1 ]
+ [[ ${lines[0]} = *"exec /run.sh: no such file or directory"* ]]
+}
diff --git a/tests/integration/helpers.bash b/tests/integration/helpers.bash
index 42f862511c3..85e1113c46e 100755
--- a/tests/integration/helpers.bash
+++ b/tests/integration/helpers.bash
@@ -132,7 +132,8 @@ function init_cgroup_paths() {
 CGROUP_SUBSYSTEMS=$(awk '!/^#/ {print $1}' /proc/cgroups)
 local g base_path
 for g in ${CGROUP_SUBSYSTEMS}; do
- base_path=$(awk '$(NF-2) == "cgroup" && $NF ~ /\<'"${g}"'\>/ { print $5; exit }' /proc/self/mountinfo)
+ # This uses gawk-specific feature (\< ... \>).
+ base_path=$(gawk '$(NF-2) == "cgroup" && $NF ~ /\<'"${g}"'\>/ { print $5; exit }' /proc/self/mountinfo)
 test -z "$base_path" && continue
 eval CGROUP_"${g^^}"_BASE_PATH="${base_path}"
 done
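Review bot: The `run.sh` fixture (a script whose shebang names an interpreter that does not exist) is written inline in this exec.bats test and again twice in run.bats in the same change; a helper in helpers.bash, e.g. `function write_bad_interpreter_script() { ... }`, would keep the three copies identical and make the intent (`execve` failing with ENOENT on the interpreter) visible at the call site. As rendered here the opener reads `cat <rootfs/run.sh`, which is an input redirection from a file that does not exist yet; presumably `cat <<EOF >rootfs/run.sh` was lost in rendering, but it is worth confirming in the committed file since the test would fail at its first line otherwise. The `[ ${#lines[@]} -eq 1 ]` assertion is what pins the #4171 regression, so a one-line comment such as `# a second line means the error was reported twice` would make the failure mode clear to whoever next sees it fail.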
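Review bot: Switching to `gawk` makes the integration suite hard-depend on GNU awk for a single regex, and the helper still splices `${g}` into the awk program text through shell quoting. Both go away with a portable pattern passed via `-v`: `base_path=$(awk -v g="$g" '$(NF-2) == "cgroup" && $NF ~ ("(^|,)" g "(,|$)") { print $5; exit }' /proc/self/mountinfo)`, which matches the controller name as a whole comma-separated mount option and runs on mawk and busybox awk as well. If gawk is a deliberate choice, note that on a host without it the command substitution yields an empty `$base_path` and the following `test -z "$base_path" && continue` silently skips every controller, so a `command -v gawk` check with a clear message in the setup path would fail faster and more visibly.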
diff --git a/tests/integration/run.bats b/tests/integration/run.bats
index f6bd3c86500..82c58027780 100644
--- a/tests/integration/run.bats
+++ b/tests/integration/run.bats
@@ -230,3 +230,36 @@ function teardown() {
 grep -E '^monotonic\s+7881\s+2718281$' <<<"$output"
 grep -E '^boottime\s+1337\s+3141519$' <<<"$output"
 }
+
+@test "runc run [exec error]" {
+ cat <rootfs/run.sh
+#!/mmnnttbb foo bar
+sh
+EOF
+ chmod +x rootfs/run.sh
+ update_config '.process.args = [ "/run.sh" ]'
+ runc run test_hello
+
+ # Ensure that the output contains the right error message. For runc-dmz, both
+ # nolibc and libc have the same formatting string (but libc will print the
+ # errno description rather than just the number), and for runc_nodmz the error
+ # message from Go starts with the same string.
+ [ "$status" -ne 0 ]
+ [[ "$output" = *"exec /run.sh: "* ]]
+}
+
+@test "RUNC_DMZ=legacy runc run [execve error]" {
+ cat <rootfs/run.sh
+#!/mmnnttbb foo bar
+sh
+EOF
+ chmod +x rootfs/run.sh
+ update_config '.process.args = [ "/run.sh" ]'
+ RUNC_DMZ=legacy runc run test_hello
+ [ "$status" -ne 0 ]
+
+ # After the sync socket closed, we should not send error to parent
+ # process, or else we will get a unnecessary error log(#4171).
+ [ ${#lines[@]} -eq 1 ]
+ [[ ${lines[0]} = "exec /run.sh: no such file or directory" ]]
+}
diff --git a/vendor/github.com/containerd/console/.golangci.yml b/vendor/github.com/containerd/console/.golangci.yml
index fcba5e885f0..abe3d84bb16 100644
--- a/vendor/github.com/containerd/console/.golangci.yml
+++ b/vendor/github.com/containerd/console/.golangci.yml
@@ -1,16 +1,16 @@
 linters:
 enable:
- - structcheck
- - varcheck
- - staticcheck
- - unconvert
 - gofmt
 - goimports
- - golint
 - ineffassign
- - vet
- - unused
 - misspell
+ - revive
+ - staticcheck
+ - structcheck
+ - unconvert
+ - unused
+ - varcheck
+ - vet
 disable:
 - errcheck
diff --git a/vendor/github.com/containerd/console/README.md b/vendor/github.com/containerd/console/README.md index 580b461a73d..a849a728f1e 100644 --- a/vendor/github.com/containerd/console/README.md +++ b/vendor/github.com/containerd/console/README.md @@ -22,8 +22,8 @@ current.Resize(ws) console is a containerd sub-project, licensed under the [Apache 2.0 license](./LICENSE). As a containerd sub-project, you will find the: - * [Project governance](https://github.com/containerd/project/blob/master/GOVERNANCE.md), - * [Maintainers](https://github.com/containerd/project/blob/master/MAINTAINERS), - * and [Contributing guidelines](https://github.com/containerd/project/blob/master/CONTRIBUTING.md) + * [Project governance](https://github.com/containerd/project/blob/main/GOVERNANCE.md), + * [Maintainers](https://github.com/containerd/project/blob/main/MAINTAINERS), + * and [Contributing guidelines](https://github.com/containerd/project/blob/main/CONTRIBUTING.md) information in our [`containerd/project`](https://github.com/containerd/project) repository. diff --git a/vendor/github.com/containerd/console/console.go b/vendor/github.com/containerd/console/console.go index f989d28a41c..dd587d88e07 100644 --- a/vendor/github.com/containerd/console/console.go +++ b/vendor/github.com/containerd/console/console.go @@ -22,7 +22,10 @@ import ( "os" ) -var ErrNotAConsole = errors.New("provided file is not a console") +var ( + ErrNotAConsole = errors.New("provided file is not a console") + ErrNotImplemented = errors.New("not implemented") +) type File interface { io.ReadWriteCloser @@ -45,7 +48,7 @@ type Console interface { SetRaw() error // DisableEcho disables echo on the console DisableEcho() error - // Reset restores the console to its orignal state + // Reset restores the console to its original state Reset() error // Size returns the window size of the console Size() (WinSize, error) 
@@ -78,7 +81,7 @@ func Current() (c Console) { } // ConsoleFromFile returns a console using the provided file -// nolint:golint +// nolint:revive func ConsoleFromFile(f File) (Console, error) { if err := checkConsole(f); err != nil { return nil, err diff --git a/vendor/github.com/containerd/console/console_linux.go b/vendor/github.com/containerd/console/console_linux.go index c1c839ee3ae..28b77b7a389 100644 --- a/vendor/github.com/containerd/console/console_linux.go +++ b/vendor/github.com/containerd/console/console_linux.go @@ -1,3 +1,4 @@ +//go:build linux // +build linux /* diff --git a/vendor/github.com/containerd/console/console_other.go b/vendor/github.com/containerd/console/console_other.go new file mode 100644 index 00000000000..933dfadddae --- /dev/null +++ b/vendor/github.com/containerd/console/console_other.go 
@@ -0,0 +1,36 @@ +//go:build !darwin && !freebsd && !linux && !netbsd && !openbsd && !solaris && !windows && !zos +// +build !darwin,!freebsd,!linux,!netbsd,!openbsd,!solaris,!windows,!zos + +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package console + +// NewPty creates a new pty pair +// The master is returned as the first console and a string +// with the path to the pty slave is returned as the second +func NewPty() (Console, string, error) { + return nil, "", ErrNotImplemented +} + +// checkConsole checks if the provided file is a console +func checkConsole(f File) error { + return ErrNotAConsole +} + +func newMaster(f File) (Console, error) { + return nil, ErrNotImplemented +} diff --git a/vendor/github.com/containerd/console/console_unix.go b/vendor/github.com/containerd/console/console_unix.go index a08117695e3..161f5d126cb 100644 --- a/vendor/github.com/containerd/console/console_unix.go +++ b/vendor/github.com/containerd/console/console_unix.go @@ -1,4 +1,5 @@ -// +build darwin freebsd linux netbsd openbsd solaris +//go:build darwin || freebsd || linux || netbsd || openbsd || zos +// +build darwin freebsd linux netbsd openbsd zos /* Copyright The containerd Authors. diff --git a/vendor/github.com/containerd/console/console_windows.go b/vendor/github.com/containerd/console/console_windows.go index 787c11fe56f..6896db1825f 100644 --- a/vendor/github.com/containerd/console/console_windows.go 
+++ b/vendor/github.com/containerd/console/console_windows.go @@ -24,12 +24,13 @@ import ( "golang.org/x/sys/windows" ) -var ( - vtInputSupported bool - ErrNotImplemented = errors.New("not implemented") -) +var vtInputSupported bool func (m *master) initStdios() { + // Note: We discard console mode warnings, because in/out can be redirected. + // + // TODO: Investigate opening CONOUT$/CONIN$ to handle this correctly + m.in = windows.Handle(os.Stdin.Fd()) if err := windows.GetConsoleMode(m.in, &m.inMode); err == nil { // Validate that windows.ENABLE_VIRTUAL_TERMINAL_INPUT is supported, but do not set it. @@ -39,8 +40,6 @@ func (m *master) initStdios() { // Unconditionally set the console mode back even on failure because SetConsoleMode // remembers invalid bits on input handles. windows.SetConsoleMode(m.in, m.inMode) - } else { - fmt.Printf("failed to get console mode for stdin: %v\n", err) } m.out = windows.Handle(os.Stdout.Fd()) @@ -50,8 +49,6 @@ func (m *master) initStdios() { } else { windows.SetConsoleMode(m.out, m.outMode) } - } else { - fmt.Printf("failed to get console mode for stdout: %v\n", err) } m.err = windows.Handle(os.Stderr.Fd()) @@ -61,8 +58,6 @@ func (m *master) initStdios() { } else { windows.SetConsoleMode(m.err, m.errMode) } - } else { - fmt.Printf("failed to get console mode for stderr: %v\n", err) } } @@ -94,6 +89,8 @@ func (m *master) SetRaw() error { } func (m *master) Reset() error { + var errs []error + for _, s := range []struct { fd windows.Handle mode uint32 @@ -103,10 +100,16 @@ func (m *master) Reset() error { {m.err, m.errMode}, } { if err := windows.SetConsoleMode(s.fd, s.mode); err != nil { - return fmt.Errorf("unable to restore console mode: %w", err) + // we can't just abort on the first error, otherwise we might leave + // the console in an unexpected state. + errs = append(errs, fmt.Errorf("unable to restore console mode: %w", err)) } } + if len(errs) > 0 { + return errs[0] + } + return nil } 
diff --git a/vendor/github.com/containerd/console/console_zos.go b/vendor/github.com/containerd/console/console_zos.go deleted file mode 100644 index b348a839a03..00000000000 --- a/vendor/github.com/containerd/console/console_zos.go +++ /dev/null 
@@ -1,163 +0,0 @@ -// +build zos - -/* - Copyright The containerd Authors. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -*/ - -package console - -import ( - "fmt" - "os" - - "golang.org/x/sys/unix" -) - -// NewPty creates a new pty pair -// The master is returned as the first console and a string -// with the path to the pty slave is returned as the second -func NewPty() (Console, string, error) { - var f File - var err error - var slave string - for i := 0;; i++ { - ptyp := fmt.Sprintf("/dev/ptyp%04d", i) - f, err = os.OpenFile(ptyp, os.O_RDWR, 0600) - if err == nil { - slave = fmt.Sprintf("/dev/ttyp%04d", i) - break - } - if os.IsNotExist(err) { - return nil, "", err - } - // else probably Resource Busy - } - m, err := newMaster(f) - if err != nil { - return nil, "", err - } - return m, slave, nil -} - -type master struct { - f File - original *unix.Termios -} - -func (m *master) Read(b []byte) (int, error) { - return m.f.Read(b) -} - -func (m *master) Write(b []byte) (int, error) { - return m.f.Write(b) -} - -func (m *master) Close() error { - return m.f.Close() -} - -func (m *master) Resize(ws WinSize) error { - return tcswinsz(m.f.Fd(), ws) -} - -func (m *master) ResizeFrom(c Console) error { - ws, err := c.Size() - if err != nil { - return err - } - return m.Resize(ws) -} - -func (m *master) Reset() error { - if m.original == nil { - return nil - } - return tcset(m.f.Fd(), m.original) -} - -func (m *master) getCurrent() (unix.Termios, error) { - var termios unix.Termios - 
if err := tcget(m.f.Fd(), &termios); err != nil { - return unix.Termios{}, err - } - return termios, nil -} - -func (m *master) SetRaw() error { - rawState, err := m.getCurrent() - if err != nil { - return err - } - rawState = cfmakeraw(rawState) - rawState.Oflag = rawState.Oflag | unix.OPOST - return tcset(m.f.Fd(), &rawState) -} - -func (m *master) DisableEcho() error { - rawState, err := m.getCurrent() - if err != nil { - return err - } - rawState.Lflag = rawState.Lflag &^ unix.ECHO - return tcset(m.f.Fd(), &rawState) -} - -func (m *master) Size() (WinSize, error) { - return tcgwinsz(m.f.Fd()) -} - -func (m *master) Fd() uintptr { - return m.f.Fd() -} - -func (m *master) Name() string { - return m.f.Name() -} - -// checkConsole checks if the provided file is a console -func checkConsole(f File) error { - var termios unix.Termios - if tcget(f.Fd(), &termios) != nil { - return ErrNotAConsole - } - return nil -} - -func newMaster(f File) (Console, error) { - m := &master{ - f: f, - } - t, err := m.getCurrent() - if err != nil { - return nil, err - } - m.original = &t - return m, nil -} - -// ClearONLCR sets the necessary tty_ioctl(4)s to ensure that a pty pair -// created by us acts normally. In particular, a not-very-well-known default of -// Linux unix98 ptys is that they have +onlcr by default. While this isn't a -// problem for terminal emulators, because we relay data from the terminal we -// also relay that funky line discipline. -func ClearONLCR(fd uintptr) error { - return setONLCR(fd, false) -} - -// SetONLCR sets the necessary tty_ioctl(4)s to ensure that a pty pair -// created by us acts as intended for a terminal emulator. -func SetONLCR(fd uintptr) error { - return setONLCR(fd, true) -} diff --git a/vendor/github.com/containerd/console/pty_freebsd_cgo.go b/vendor/github.com/containerd/console/pty_freebsd_cgo.go index cbd3cd7ea43..22368623aab 100644 --- a/vendor/github.com/containerd/console/pty_freebsd_cgo.go 
+++ b/vendor/github.com/containerd/console/pty_freebsd_cgo.go @@ -1,3 +1,4 @@ +//go:build freebsd && cgo // +build freebsd,cgo /* diff --git a/vendor/github.com/containerd/console/pty_freebsd_nocgo.go b/vendor/github.com/containerd/console/pty_freebsd_nocgo.go index b5e43181d4f..ceb90a47b81 100644 --- a/vendor/github.com/containerd/console/pty_freebsd_nocgo.go +++ b/vendor/github.com/containerd/console/pty_freebsd_nocgo.go @@ -1,3 +1,4 @@ +//go:build freebsd && !cgo // +build freebsd,!cgo /* diff --git a/vendor/github.com/containerd/console/pty_unix.go b/vendor/github.com/containerd/console/pty_unix.go index d5a6bd8ca2e..f5a5b8058c6 100644 --- a/vendor/github.com/containerd/console/pty_unix.go +++ b/vendor/github.com/containerd/console/pty_unix.go @@ -1,4 +1,5 @@ -// +build darwin linux netbsd openbsd solaris +//go:build darwin || linux || netbsd || openbsd +// +build darwin linux netbsd openbsd /* Copyright The containerd Authors. diff --git a/vendor/github.com/containerd/console/pty_zos.go b/vendor/github.com/containerd/console/pty_zos.go new file mode 100644 index 00000000000..58f59aba58c --- /dev/null +++ b/vendor/github.com/containerd/console/pty_zos.go 
@@ -0,0 +1,43 @@ +//go:build zos +// +build zos + +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package console + +import ( + "fmt" + "os" +) + +// openpt allocates a new pseudo-terminal by opening the first available /dev/ptypXX device +func openpt() (*os.File, error) { + var f *os.File + var err error + for i := 0; ; i++ { + ptyp := fmt.Sprintf("/dev/ptyp%04d", i) + f, err = os.OpenFile(ptyp, os.O_RDWR, 0600) + if err == nil { + break + } + if os.IsNotExist(err) { + return nil, err + } + // else probably Resource Busy + } + return f, nil +} diff --git a/vendor/github.com/containerd/console/tc_freebsd_cgo.go b/vendor/github.com/containerd/console/tc_freebsd_cgo.go index 0f3d2727309..33282579411 100644 --- a/vendor/github.com/containerd/console/tc_freebsd_cgo.go +++ b/vendor/github.com/containerd/console/tc_freebsd_cgo.go @@ -1,3 +1,4 @@ +//go:build freebsd && cgo // +build freebsd,cgo /* diff --git a/vendor/github.com/containerd/console/tc_freebsd_nocgo.go b/vendor/github.com/containerd/console/tc_freebsd_nocgo.go index 087fc158a16..18a9b9cbea9 100644 --- a/vendor/github.com/containerd/console/tc_freebsd_nocgo.go +++ b/vendor/github.com/containerd/console/tc_freebsd_nocgo.go @@ -1,3 +1,4 @@ +//go:build freebsd && !cgo // +build freebsd,!cgo /* diff --git a/vendor/github.com/containerd/console/tc_openbsd_cgo.go b/vendor/github.com/containerd/console/tc_openbsd_cgo.go index f0cec06a72d..0e76f6cc3e0 100644 
--- a/vendor/github.com/containerd/console/tc_openbsd_cgo.go +++ b/vendor/github.com/containerd/console/tc_openbsd_cgo.go @@ -1,3 +1,4 @@ +//go:build openbsd && cgo // +build openbsd,cgo /* diff --git a/vendor/github.com/containerd/console/tc_openbsd_nocgo.go b/vendor/github.com/containerd/console/tc_openbsd_nocgo.go index daccce20585..dca92418b0e 100644 --- a/vendor/github.com/containerd/console/tc_openbsd_nocgo.go +++ b/vendor/github.com/containerd/console/tc_openbsd_nocgo.go @@ -1,3 +1,4 @@ +//go:build openbsd && !cgo // +build openbsd,!cgo /* diff --git a/vendor/github.com/containerd/console/tc_solaris_cgo.go b/vendor/github.com/containerd/console/tc_solaris_cgo.go deleted file mode 100644 index e36a68edd1e..00000000000 --- a/vendor/github.com/containerd/console/tc_solaris_cgo.go +++ /dev/null 
@@ -1,51 +0,0 @@ -// +build solaris,cgo - -/* - Copyright The containerd Authors. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -*/ - -package console - -import ( - "os" - - "golang.org/x/sys/unix" -) - -//#include -import "C" - -const ( - cmdTcGet = unix.TCGETS - cmdTcSet = unix.TCSETS -) - -// ptsname retrieves the name of the first available pts for the given master. -func ptsname(f *os.File) (string, error) { - ptspath, err := C.ptsname(C.int(f.Fd())) - if err != nil { - return "", err - } - return C.GoString(ptspath), nil -} - -// unlockpt unlocks the slave pseudoterminal device corresponding to the master pseudoterminal referred to by f. -// unlockpt should be called before opening the slave side of a pty. -func unlockpt(f *os.File) error { - if _, err := C.grantpt(C.int(f.Fd())); err != nil { - return err - } - return nil -} diff --git a/vendor/github.com/containerd/console/tc_solaris_nocgo.go b/vendor/github.com/containerd/console/tc_solaris_nocgo.go deleted file mode 100644 index eb0bd2c36b8..00000000000 --- a/vendor/github.com/containerd/console/tc_solaris_nocgo.go +++ /dev/null 
@@ -1,47 +0,0 @@ -// +build solaris,!cgo - -/* - Copyright The containerd Authors. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -*/ - -// -// Implementing the functions below requires cgo support. Non-cgo stubs -// versions are defined below to enable cross-compilation of source code -// that depends on these functions, but the resultant cross-compiled -// binaries cannot actually be used. If the stub function(s) below are -// actually invoked they will display an error message and cause the -// calling process to exit. -// - -package console - -import ( - "os" - - "golang.org/x/sys/unix" -) - -const ( - cmdTcGet = unix.TCGETS - cmdTcSet = unix.TCSETS -) - -func ptsname(f *os.File) (string, error) { - panic("ptsname() support requires cgo.") -} - -func unlockpt(f *os.File) error { - panic("unlockpt() support requires cgo.") -} diff --git a/vendor/github.com/containerd/console/tc_unix.go b/vendor/github.com/containerd/console/tc_unix.go index a6bf01e8d1a..2ecf188fca3 100644 --- a/vendor/github.com/containerd/console/tc_unix.go +++ b/vendor/github.com/containerd/console/tc_unix.go @@ -1,4 +1,5 @@ -// +build darwin freebsd linux netbsd openbsd solaris zos +//go:build darwin || freebsd || linux || netbsd || openbsd || zos +// +build darwin freebsd linux netbsd openbsd zos /* Copyright The containerd Authors. 
@@ -83,7 +84,7 @@ func cfmakeraw(t unix.Termios) unix.Termios { t.Oflag &^= unix.OPOST t.Lflag &^= (unix.ECHO | unix.ECHONL | unix.ICANON | unix.ISIG | unix.IEXTEN) t.Cflag &^= (unix.CSIZE | unix.PARENB) - t.Cflag &^= unix.CS8 + t.Cflag |= unix.CS8 t.Cc[unix.VMIN] = 1 t.Cc[unix.VTIME] = 0 diff --git a/vendor/github.com/containerd/console/tc_zos.go b/vendor/github.com/containerd/console/tc_zos.go index 4262eaf4cc0..fc90ba5fb86 100644 --- a/vendor/github.com/containerd/console/tc_zos.go +++ b/vendor/github.com/containerd/console/tc_zos.go @@ -17,6 +17,9 @@ package console import ( + "os" + "strings" + "golang.org/x/sys/unix" ) @@ -24,3 +27,13 @@ const ( cmdTcGet = unix.TCGETS cmdTcSet = unix.TCSETS ) + +// unlockpt is a no-op on zos. +func unlockpt(_ *os.File) error { + return nil +} + +// ptsname retrieves the name of the first available pts for the given master. +func ptsname(f *os.File) (string, error) { + return "/dev/ttyp" + strings.TrimPrefix(f.Name(), "/dev/ptyp"), nil +} diff --git a/vendor/golang.org/x/sys/unix/mkerrors.sh b/vendor/golang.org/x/sys/unix/mkerrors.sh index c6492020ec7..fdcaa974d23 100644 --- a/vendor/golang.org/x/sys/unix/mkerrors.sh +++ b/vendor/golang.org/x/sys/unix/mkerrors.sh @@ -584,7 +584,7 @@ ccflags="$@" $2 ~ /^KEY_(SPEC|REQKEY_DEFL)_/ || $2 ~ /^KEYCTL_/ || $2 ~ /^PERF_/ || - $2 ~ /^SECCOMP_MODE_/ || + $2 ~ /^SECCOMP_/ || $2 ~ /^SEEK_/ || $2 ~ /^SCHED_/ || $2 ~ /^SPLICE_/ || diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux.go b/vendor/golang.org/x/sys/unix/zerrors_linux.go index a5d3ff8df95..36bf8399f4f 100644 --- a/vendor/golang.org/x/sys/unix/zerrors_linux.go +++ b/vendor/golang.org/x/sys/unix/zerrors_linux.go 
@@ -1785,6 +1785,8 @@ const ( LANDLOCK_ACCESS_FS_REMOVE_FILE = 0x20 LANDLOCK_ACCESS_FS_TRUNCATE = 0x4000 LANDLOCK_ACCESS_FS_WRITE_FILE = 0x2 + LANDLOCK_ACCESS_NET_BIND_TCP = 0x1 + LANDLOCK_ACCESS_NET_CONNECT_TCP = 0x2 LANDLOCK_CREATE_RULESET_VERSION = 0x1 LINUX_REBOOT_CMD_CAD_OFF = 0x0 LINUX_REBOOT_CMD_CAD_ON = 0x89abcdef @@ -2465,6 +2467,7 @@ const ( PR_MCE_KILL_GET = 0x22 PR_MCE_KILL_LATE = 0x0 PR_MCE_KILL_SET = 0x1 + PR_MDWE_NO_INHERIT = 0x2 PR_MDWE_REFUSE_EXEC_GAIN = 0x1 PR_MPX_DISABLE_MANAGEMENT = 0x2c PR_MPX_ENABLE_MANAGEMENT = 0x2b @@ -2669,8 +2672,9 @@ const ( RTAX_FEATURES = 0xc RTAX_FEATURE_ALLFRAG = 0x8 RTAX_FEATURE_ECN = 0x1 - RTAX_FEATURE_MASK = 0xf + RTAX_FEATURE_MASK = 0x1f RTAX_FEATURE_SACK = 0x2 + RTAX_FEATURE_TCP_USEC_TS = 0x10 RTAX_FEATURE_TIMESTAMP = 0x4 RTAX_HOPLIMIT = 0xa RTAX_INITCWND = 0xb 
@@ -2913,9 +2917,38 @@ const ( SCM_RIGHTS = 0x1 SCM_TIMESTAMP = 0x1d SC_LOG_FLUSH = 0x100000 + SECCOMP_ADDFD_FLAG_SEND = 0x2 + SECCOMP_ADDFD_FLAG_SETFD = 0x1 + SECCOMP_FILTER_FLAG_LOG = 0x2 + SECCOMP_FILTER_FLAG_NEW_LISTENER = 0x8 + SECCOMP_FILTER_FLAG_SPEC_ALLOW = 0x4 + SECCOMP_FILTER_FLAG_TSYNC = 0x1 + SECCOMP_FILTER_FLAG_TSYNC_ESRCH = 0x10 + SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV = 0x20 + SECCOMP_GET_ACTION_AVAIL = 0x2 + SECCOMP_GET_NOTIF_SIZES = 0x3 + SECCOMP_IOCTL_NOTIF_RECV = 0xc0502100 + SECCOMP_IOCTL_NOTIF_SEND = 0xc0182101 + SECCOMP_IOC_MAGIC = '!' SECCOMP_MODE_DISABLED = 0x0 SECCOMP_MODE_FILTER = 0x2 SECCOMP_MODE_STRICT = 0x1 + SECCOMP_RET_ACTION = 0x7fff0000 + SECCOMP_RET_ACTION_FULL = 0xffff0000 + SECCOMP_RET_ALLOW = 0x7fff0000 + SECCOMP_RET_DATA = 0xffff + SECCOMP_RET_ERRNO = 0x50000 + SECCOMP_RET_KILL = 0x0 + SECCOMP_RET_KILL_PROCESS = 0x80000000 + SECCOMP_RET_KILL_THREAD = 0x0 + SECCOMP_RET_LOG = 0x7ffc0000 + SECCOMP_RET_TRACE = 0x7ff00000 + SECCOMP_RET_TRAP = 0x30000 + SECCOMP_RET_USER_NOTIF = 0x7fc00000 + SECCOMP_SET_MODE_FILTER = 0x1 + SECCOMP_SET_MODE_STRICT = 0x0 + SECCOMP_USER_NOTIF_FD_SYNC_WAKE_UP = 0x1 + SECCOMP_USER_NOTIF_FLAG_CONTINUE = 0x1 SECRETMEM_MAGIC = 0x5345434d SECURITYFS_MAGIC = 0x73636673 SEEK_CUR = 0x1 @@ -3075,6 +3108,7 @@ const ( SOL_TIPC = 0x10f SOL_TLS = 0x11a SOL_UDP = 0x11 + SOL_VSOCK = 0x11f SOL_X25 = 0x106 SOL_XDP = 0x11b SOMAXCONN = 0x1000 diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_386.go b/vendor/golang.org/x/sys/unix/zerrors_linux_386.go index 4920821cf3b..42ff8c3c1b0 100644 --- a/vendor/golang.org/x/sys/unix/zerrors_linux_386.go +++ b/vendor/golang.org/x/sys/unix/zerrors_linux_386.go @@ -281,6 +281,9 @@ const ( SCM_TIMESTAMPNS = 0x23 SCM_TXTIME = 0x3d SCM_WIFI_STATUS = 0x29 + SECCOMP_IOCTL_NOTIF_ADDFD = 0x40182103 + SECCOMP_IOCTL_NOTIF_ID_VALID = 0x40082102 + SECCOMP_IOCTL_NOTIF_SET_FLAGS = 0x40082104 SFD_CLOEXEC = 0x80000 SFD_NONBLOCK = 0x800 SIOCATMARK = 0x8905 
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go index a0c1e411275..dca436004fa 100644 --- a/vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go +++ b/vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go @@ -282,6 +282,9 @@ const ( SCM_TIMESTAMPNS = 0x23 SCM_TXTIME = 0x3d SCM_WIFI_STATUS = 0x29 + SECCOMP_IOCTL_NOTIF_ADDFD = 0x40182103 + SECCOMP_IOCTL_NOTIF_ID_VALID = 0x40082102 + SECCOMP_IOCTL_NOTIF_SET_FLAGS = 0x40082104 SFD_CLOEXEC = 0x80000 SFD_NONBLOCK = 0x800 SIOCATMARK = 0x8905 diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_arm.go b/vendor/golang.org/x/sys/unix/zerrors_linux_arm.go index c63985560f6..5cca668ac30 100644 --- a/vendor/golang.org/x/sys/unix/zerrors_linux_arm.go +++ b/vendor/golang.org/x/sys/unix/zerrors_linux_arm.go @@ -288,6 +288,9 @@ const ( SCM_TIMESTAMPNS = 0x23 SCM_TXTIME = 0x3d SCM_WIFI_STATUS = 0x29 + SECCOMP_IOCTL_NOTIF_ADDFD = 0x40182103 + SECCOMP_IOCTL_NOTIF_ID_VALID = 0x40082102 + SECCOMP_IOCTL_NOTIF_SET_FLAGS = 0x40082104 SFD_CLOEXEC = 0x80000 SFD_NONBLOCK = 0x800 SIOCATMARK = 0x8905 diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go index 47cc62e25c1..d8cae6d1534 100644 --- a/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go +++ b/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go @@ -278,6 +278,9 @@ const ( SCM_TIMESTAMPNS = 0x23 SCM_TXTIME = 0x3d SCM_WIFI_STATUS = 0x29 + SECCOMP_IOCTL_NOTIF_ADDFD = 0x40182103 + SECCOMP_IOCTL_NOTIF_ID_VALID = 0x40082102 + SECCOMP_IOCTL_NOTIF_SET_FLAGS = 0x40082104 SFD_CLOEXEC = 0x80000 SFD_NONBLOCK = 0x800 SIOCATMARK = 0x8905 diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go index 27ac4a09e22..28e39afdcb4 100644 --- a/vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go +++ b/vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go 
@@ -275,6 +275,9 @@ const ( SCM_TIMESTAMPNS = 0x23 SCM_TXTIME = 0x3d SCM_WIFI_STATUS = 0x29 + SECCOMP_IOCTL_NOTIF_ADDFD = 0x40182103 + SECCOMP_IOCTL_NOTIF_ID_VALID = 0x40082102 + SECCOMP_IOCTL_NOTIF_SET_FLAGS = 0x40082104 SFD_CLOEXEC = 0x80000 SFD_NONBLOCK = 0x800 SIOCATMARK = 0x8905 diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_mips.go b/vendor/golang.org/x/sys/unix/zerrors_linux_mips.go index 54694642a5d..cd66e92cb42 100644 --- a/vendor/golang.org/x/sys/unix/zerrors_linux_mips.go +++ b/vendor/golang.org/x/sys/unix/zerrors_linux_mips.go @@ -281,6 +281,9 @@ const ( SCM_TIMESTAMPNS = 0x23 SCM_TXTIME = 0x3d SCM_WIFI_STATUS = 0x29 + SECCOMP_IOCTL_NOTIF_ADDFD = 0x80182103 + SECCOMP_IOCTL_NOTIF_ID_VALID = 0x80082102 + SECCOMP_IOCTL_NOTIF_SET_FLAGS = 0x80082104 SFD_CLOEXEC = 0x80000 SFD_NONBLOCK = 0x80 SIOCATMARK = 0x40047307 diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go index 3adb81d7582..c1595eba78e 100644 --- a/vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go +++ b/vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go @@ -281,6 +281,9 @@ const ( SCM_TIMESTAMPNS = 0x23 SCM_TXTIME = 0x3d SCM_WIFI_STATUS = 0x29 + SECCOMP_IOCTL_NOTIF_ADDFD = 0x80182103 + SECCOMP_IOCTL_NOTIF_ID_VALID = 0x80082102 + SECCOMP_IOCTL_NOTIF_SET_FLAGS = 0x80082104 SFD_CLOEXEC = 0x80000 SFD_NONBLOCK = 0x80 SIOCATMARK = 0x40047307 diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go b/vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go index 2dfe98f0d1b..ee9456b0da7 100644 --- a/vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go +++ b/vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go @@ -281,6 +281,9 @@ const ( SCM_TIMESTAMPNS = 0x23 SCM_TXTIME = 0x3d SCM_WIFI_STATUS = 0x29 + SECCOMP_IOCTL_NOTIF_ADDFD = 0x80182103 + SECCOMP_IOCTL_NOTIF_ID_VALID = 0x80082102 + SECCOMP_IOCTL_NOTIF_SET_FLAGS = 0x80082104 SFD_CLOEXEC = 0x80000 SFD_NONBLOCK = 0x80 SIOCATMARK = 0x40047307 
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go b/vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go index f5398f84f04..8cfca81e1b5 100644 --- a/vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go +++ b/vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go @@ -281,6 +281,9 @@ const ( SCM_TIMESTAMPNS = 0x23 SCM_TXTIME = 0x3d SCM_WIFI_STATUS = 0x29 + SECCOMP_IOCTL_NOTIF_ADDFD = 0x80182103 + SECCOMP_IOCTL_NOTIF_ID_VALID = 0x80082102 + SECCOMP_IOCTL_NOTIF_SET_FLAGS = 0x80082104 SFD_CLOEXEC = 0x80000 SFD_NONBLOCK = 0x80 SIOCATMARK = 0x40047307 diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go index c54f152d68f..60b0deb3af7 100644 --- a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go +++ b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go @@ -336,6 +336,9 @@ const ( SCM_TIMESTAMPNS = 0x23 SCM_TXTIME = 0x3d SCM_WIFI_STATUS = 0x29 + SECCOMP_IOCTL_NOTIF_ADDFD = 0x80182103 + SECCOMP_IOCTL_NOTIF_ID_VALID = 0x80082102 + SECCOMP_IOCTL_NOTIF_SET_FLAGS = 0x80082104 SFD_CLOEXEC = 0x80000 SFD_NONBLOCK = 0x800 SIOCATMARK = 0x8905 diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go index 76057dc72fb..f90aa7281bf 100644 --- a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go +++ b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go @@ -340,6 +340,9 @@ const ( SCM_TIMESTAMPNS = 0x23 SCM_TXTIME = 0x3d SCM_WIFI_STATUS = 0x29 + SECCOMP_IOCTL_NOTIF_ADDFD = 0x80182103 + SECCOMP_IOCTL_NOTIF_ID_VALID = 0x80082102 + SECCOMP_IOCTL_NOTIF_SET_FLAGS = 0x80082104 SFD_CLOEXEC = 0x80000 SFD_NONBLOCK = 0x800 SIOCATMARK = 0x8905 diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go index e0c3725e2b8..ba9e0150338 100644 --- a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go +++ b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go 
@@ -340,6 +340,9 @@ const ( SCM_TIMESTAMPNS = 0x23 SCM_TXTIME = 0x3d SCM_WIFI_STATUS = 0x29 + SECCOMP_IOCTL_NOTIF_ADDFD = 0x80182103 + SECCOMP_IOCTL_NOTIF_ID_VALID = 0x80082102 + SECCOMP_IOCTL_NOTIF_SET_FLAGS = 0x80082104 SFD_CLOEXEC = 0x80000 SFD_NONBLOCK = 0x800 SIOCATMARK = 0x8905 diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go index 18f2813ed54..07cdfd6e9fd 100644 --- a/vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go +++ b/vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go @@ -272,6 +272,9 @@ const ( SCM_TIMESTAMPNS = 0x23 SCM_TXTIME = 0x3d SCM_WIFI_STATUS = 0x29 + SECCOMP_IOCTL_NOTIF_ADDFD = 0x40182103 + SECCOMP_IOCTL_NOTIF_ID_VALID = 0x40082102 + SECCOMP_IOCTL_NOTIF_SET_FLAGS = 0x40082104 SFD_CLOEXEC = 0x80000 SFD_NONBLOCK = 0x800 SIOCATMARK = 0x8905 diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go b/vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go index 11619d4ec88..2f1dd214a74 100644 --- a/vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go +++ b/vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go @@ -344,6 +344,9 @@ const ( SCM_TIMESTAMPNS = 0x23 SCM_TXTIME = 0x3d SCM_WIFI_STATUS = 0x29 + SECCOMP_IOCTL_NOTIF_ADDFD = 0x40182103 + SECCOMP_IOCTL_NOTIF_ID_VALID = 0x40082102 + SECCOMP_IOCTL_NOTIF_SET_FLAGS = 0x40082104 SFD_CLOEXEC = 0x80000 SFD_NONBLOCK = 0x800 SIOCATMARK = 0x8905 diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go index 396d994da79..f40519d9018 100644 --- a/vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go +++ b/vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go @@ -335,6 +335,9 @@ const ( SCM_TIMESTAMPNS = 0x21 SCM_TXTIME = 0x3f SCM_WIFI_STATUS = 0x25 + SECCOMP_IOCTL_NOTIF_ADDFD = 0x80182103 + SECCOMP_IOCTL_NOTIF_ID_VALID = 0x80082102 + SECCOMP_IOCTL_NOTIF_SET_FLAGS = 0x80082104 SFD_CLOEXEC = 0x400000 SFD_NONBLOCK = 0x4000 SF_FP = 0x38 
diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_386.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_386.go index fcf3ecbddee..0cc3ce496e2 100644 --- a/vendor/golang.org/x/sys/unix/zsysnum_linux_386.go +++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_386.go @@ -448,4 +448,8 @@ const ( SYS_SET_MEMPOLICY_HOME_NODE = 450 SYS_CACHESTAT = 451 SYS_FCHMODAT2 = 452 + SYS_MAP_SHADOW_STACK = 453 + SYS_FUTEX_WAKE = 454 + SYS_FUTEX_WAIT = 455 + SYS_FUTEX_REQUEUE = 456 ) diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_amd64.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_amd64.go index f56dc2504ae..856d92d69ef 100644 --- a/vendor/golang.org/x/sys/unix/zsysnum_linux_amd64.go +++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_amd64.go @@ -371,4 +371,7 @@ const ( SYS_CACHESTAT = 451 SYS_FCHMODAT2 = 452 SYS_MAP_SHADOW_STACK = 453 + SYS_FUTEX_WAKE = 454 + SYS_FUTEX_WAIT = 455 + SYS_FUTEX_REQUEUE = 456 ) diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_arm.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_arm.go index 974bf246767..8d467094cf5 100644 --- a/vendor/golang.org/x/sys/unix/zsysnum_linux_arm.go +++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_arm.go @@ -412,4 +412,8 @@ const ( SYS_SET_MEMPOLICY_HOME_NODE = 450 SYS_CACHESTAT = 451 SYS_FCHMODAT2 = 452 + SYS_MAP_SHADOW_STACK = 453 + SYS_FUTEX_WAKE = 454 + SYS_FUTEX_WAIT = 455 + SYS_FUTEX_REQUEUE = 456 ) diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_arm64.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_arm64.go index 39a2739e231..edc173244d0 100644 --- a/vendor/golang.org/x/sys/unix/zsysnum_linux_arm64.go +++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_arm64.go @@ -315,4 +315,8 @@ const ( SYS_SET_MEMPOLICY_HOME_NODE = 450 SYS_CACHESTAT = 451 SYS_FCHMODAT2 = 452 + SYS_MAP_SHADOW_STACK = 453 + SYS_FUTEX_WAKE = 454 + SYS_FUTEX_WAIT = 455 + SYS_FUTEX_REQUEUE = 456 ) 
diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_loong64.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_loong64.go index cf9c9d77e10..445eba20615 100644 --- a/vendor/golang.org/x/sys/unix/zsysnum_linux_loong64.go +++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_loong64.go @@ -309,4 +309,8 @@ const ( SYS_SET_MEMPOLICY_HOME_NODE = 450 SYS_CACHESTAT = 451 SYS_FCHMODAT2 = 452 + SYS_MAP_SHADOW_STACK = 453 + SYS_FUTEX_WAKE = 454 + SYS_FUTEX_WAIT = 455 + SYS_FUTEX_REQUEUE = 456 ) diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_mips.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_mips.go index 10b7362ef44..adba01bca70 100644 --- a/vendor/golang.org/x/sys/unix/zsysnum_linux_mips.go +++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_mips.go @@ -432,4 +432,8 @@ const ( SYS_SET_MEMPOLICY_HOME_NODE = 4450 SYS_CACHESTAT = 4451 SYS_FCHMODAT2 = 4452 + SYS_MAP_SHADOW_STACK = 4453 + SYS_FUTEX_WAKE = 4454 + SYS_FUTEX_WAIT = 4455 + SYS_FUTEX_REQUEUE = 4456 ) diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64.go index cd4d8b4fd35..014c4e9c7a7 100644 --- a/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64.go +++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64.go @@ -362,4 +362,8 @@ const ( SYS_SET_MEMPOLICY_HOME_NODE = 5450 SYS_CACHESTAT = 5451 SYS_FCHMODAT2 = 5452 + SYS_MAP_SHADOW_STACK = 5453 + SYS_FUTEX_WAKE = 5454 + SYS_FUTEX_WAIT = 5455 + SYS_FUTEX_REQUEUE = 5456 ) diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64le.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64le.go index 2c0efca818b..ccc97d74d05 100644 --- a/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64le.go +++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64le.go @@ -362,4 +362,8 @@ const ( SYS_SET_MEMPOLICY_HOME_NODE = 5450 SYS_CACHESTAT = 5451 SYS_FCHMODAT2 = 5452 + SYS_MAP_SHADOW_STACK = 5453 + SYS_FUTEX_WAKE = 5454 + SYS_FUTEX_WAIT = 5455 + SYS_FUTEX_REQUEUE = 5456 ) 
diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_mipsle.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_mipsle.go index a72e31d391d..ec2b64a95d7 100644 --- a/vendor/golang.org/x/sys/unix/zsysnum_linux_mipsle.go +++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_mipsle.go @@ -432,4 +432,8 @@ const ( SYS_SET_MEMPOLICY_HOME_NODE = 4450 SYS_CACHESTAT = 4451 SYS_FCHMODAT2 = 4452 + SYS_MAP_SHADOW_STACK = 4453 + SYS_FUTEX_WAKE = 4454 + SYS_FUTEX_WAIT = 4455 + SYS_FUTEX_REQUEUE = 4456 ) diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc.go index c7d1e374713..21a839e338b 100644 --- a/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc.go +++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc.go @@ -439,4 +439,8 @@ const ( SYS_SET_MEMPOLICY_HOME_NODE = 450 SYS_CACHESTAT = 451 SYS_FCHMODAT2 = 452 + SYS_MAP_SHADOW_STACK = 453 + SYS_FUTEX_WAKE = 454 + SYS_FUTEX_WAIT = 455 + SYS_FUTEX_REQUEUE = 456 ) diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64.go index f4d4838c870..c11121ec3b4 100644 --- a/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64.go +++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64.go @@ -411,4 +411,8 @@ const ( SYS_SET_MEMPOLICY_HOME_NODE = 450 SYS_CACHESTAT = 451 SYS_FCHMODAT2 = 452 + SYS_MAP_SHADOW_STACK = 453 + SYS_FUTEX_WAKE = 454 + SYS_FUTEX_WAIT = 455 + SYS_FUTEX_REQUEUE = 456 ) diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64le.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64le.go index b64f0e59114..909b631fcb4 100644 --- a/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64le.go +++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64le.go @@ -411,4 +411,8 @@ const ( SYS_SET_MEMPOLICY_HOME_NODE = 450 SYS_CACHESTAT = 451 SYS_FCHMODAT2 = 452 + SYS_MAP_SHADOW_STACK = 453 + SYS_FUTEX_WAKE = 454 + SYS_FUTEX_WAIT = 455 + SYS_FUTEX_REQUEUE = 456 ) 
diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_riscv64.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_riscv64.go index 95711195a06..e49bed16ea6 100644 --- a/vendor/golang.org/x/sys/unix/zsysnum_linux_riscv64.go +++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_riscv64.go @@ -316,4 +316,8 @@ const ( SYS_SET_MEMPOLICY_HOME_NODE = 450 SYS_CACHESTAT = 451 SYS_FCHMODAT2 = 452 + SYS_MAP_SHADOW_STACK = 453 + SYS_FUTEX_WAKE = 454 + SYS_FUTEX_WAIT = 455 + SYS_FUTEX_REQUEUE = 456 ) diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go index f94e943bc4f..66017d2d32b 100644 --- a/vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go +++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go @@ -377,4 +377,8 @@ const ( SYS_SET_MEMPOLICY_HOME_NODE = 450 SYS_CACHESTAT = 451 SYS_FCHMODAT2 = 452 + SYS_MAP_SHADOW_STACK = 453 + SYS_FUTEX_WAKE = 454 + SYS_FUTEX_WAIT = 455 + SYS_FUTEX_REQUEUE = 456 ) diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_sparc64.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_sparc64.go index ba0c2bc5154..47bab18dced 100644 --- a/vendor/golang.org/x/sys/unix/zsysnum_linux_sparc64.go +++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_sparc64.go @@ -390,4 +390,8 @@ const ( SYS_SET_MEMPOLICY_HOME_NODE = 450 SYS_CACHESTAT = 451 SYS_FCHMODAT2 = 452 + SYS_MAP_SHADOW_STACK = 453 + SYS_FUTEX_WAKE = 454 + SYS_FUTEX_WAIT = 455 + SYS_FUTEX_REQUEUE = 456 ) diff --git a/vendor/golang.org/x/sys/unix/ztypes_linux.go b/vendor/golang.org/x/sys/unix/ztypes_linux.go index bbf8399ff58..dc0c955eecd 100644 --- a/vendor/golang.org/x/sys/unix/ztypes_linux.go +++ b/vendor/golang.org/x/sys/unix/ztypes_linux.go @@ -174,7 +174,8 @@ type FscryptPolicyV2 struct { Contents_encryption_mode uint8 Filenames_encryption_mode uint8 Flags uint8 - _ [4]uint8 + Log2_data_unit_size uint8 + _ [3]uint8 Master_key_identifier [16]uint8 } 
@@ -455,60 +456,63 @@ type Ucred struct { } type TCPInfo struct { - State uint8 - Ca_state uint8 - Retransmits uint8 - Probes uint8 - Backoff uint8 - Options uint8 - Rto uint32 - Ato uint32 - Snd_mss uint32 - Rcv_mss uint32 - Unacked uint32 - Sacked uint32 - Lost uint32 - Retrans uint32 - Fackets uint32 - Last_data_sent uint32 - Last_ack_sent uint32 - Last_data_recv uint32 - Last_ack_recv uint32 - Pmtu uint32 - Rcv_ssthresh uint32 - Rtt uint32 - Rttvar uint32 - Snd_ssthresh uint32 - Snd_cwnd uint32 - Advmss uint32 - Reordering uint32 - Rcv_rtt uint32 - Rcv_space uint32 - Total_retrans uint32 - Pacing_rate uint64 - Max_pacing_rate uint64 - Bytes_acked uint64 - Bytes_received uint64 - Segs_out uint32 - Segs_in uint32 - Notsent_bytes uint32 - Min_rtt uint32 - Data_segs_in uint32 - Data_segs_out uint32 - Delivery_rate uint64 - Busy_time uint64 - Rwnd_limited uint64 - Sndbuf_limited uint64 - Delivered uint32 - Delivered_ce uint32 - Bytes_sent uint64 - Bytes_retrans uint64 - Dsack_dups uint32 - Reord_seen uint32 - Rcv_ooopack uint32 - Snd_wnd uint32 - Rcv_wnd uint32 - Rehash uint32 + State uint8 + Ca_state uint8 + Retransmits uint8 + Probes uint8 + Backoff uint8 + Options uint8 + Rto uint32 + Ato uint32 + Snd_mss uint32 + Rcv_mss uint32 + Unacked uint32 + Sacked uint32 + Lost uint32 + Retrans uint32 + Fackets uint32 + Last_data_sent uint32 + Last_ack_sent uint32 + Last_data_recv uint32 + Last_ack_recv uint32 + Pmtu uint32 + Rcv_ssthresh uint32 + Rtt uint32 + Rttvar uint32 + Snd_ssthresh uint32 + Snd_cwnd uint32 + Advmss uint32 + Reordering uint32 + Rcv_rtt uint32 + Rcv_space uint32 + Total_retrans uint32 + Pacing_rate uint64 + Max_pacing_rate uint64 + Bytes_acked uint64 + Bytes_received uint64 + Segs_out uint32 + Segs_in uint32 + Notsent_bytes uint32 + Min_rtt uint32 + Data_segs_in uint32 + Data_segs_out uint32 + Delivery_rate uint64 + Busy_time uint64 + Rwnd_limited uint64 + Sndbuf_limited uint64 + Delivered uint32 + Delivered_ce uint32 + Bytes_sent uint64 + 
Bytes_retrans uint64 + Dsack_dups uint32 + Reord_seen uint32 + Rcv_ooopack uint32 + Snd_wnd uint32 + Rcv_wnd uint32 + Rehash uint32 + Total_rto uint16 + Total_rto_recoveries uint16 + Total_rto_time uint32 } type CanFilter struct { @@ -551,7 +555,7 @@ const ( SizeofIPv6MTUInfo = 0x20 SizeofICMPv6Filter = 0x20 SizeofUcred = 0xc - SizeofTCPInfo = 0xf0 + SizeofTCPInfo = 0xf8 SizeofCanFilter = 0x8 SizeofTCPRepairOpt = 0x8 ) @@ -3399,7 +3403,7 @@ const ( DEVLINK_PORT_FN_ATTR_STATE = 0x2 DEVLINK_PORT_FN_ATTR_OPSTATE = 0x3 DEVLINK_PORT_FN_ATTR_CAPS = 0x4 - DEVLINK_PORT_FUNCTION_ATTR_MAX = 0x4 + DEVLINK_PORT_FUNCTION_ATTR_MAX = 0x5 ) type FsverityDigest struct { @@ -4183,7 +4187,8 @@ const ( ) type LandlockRulesetAttr struct { - Access_fs uint64 + Access_fs uint64 + Access_net uint64 } type LandlockPathBeneathAttr struct { @@ -5134,7 +5139,7 @@ const ( NL80211_FREQUENCY_ATTR_GO_CONCURRENT = 0xf NL80211_FREQUENCY_ATTR_INDOOR_ONLY = 0xe NL80211_FREQUENCY_ATTR_IR_CONCURRENT = 0xf - NL80211_FREQUENCY_ATTR_MAX = 0x1b + NL80211_FREQUENCY_ATTR_MAX = 0x1c NL80211_FREQUENCY_ATTR_MAX_TX_POWER = 0x6 NL80211_FREQUENCY_ATTR_NO_10MHZ = 0x11 NL80211_FREQUENCY_ATTR_NO_160MHZ = 0xc @@ -5547,7 +5552,7 @@ const ( NL80211_REGDOM_TYPE_CUSTOM_WORLD = 0x2 NL80211_REGDOM_TYPE_INTERSECTION = 0x3 NL80211_REGDOM_TYPE_WORLD = 0x1 - NL80211_REG_RULE_ATTR_MAX = 0x7 + NL80211_REG_RULE_ATTR_MAX = 0x8 NL80211_REKEY_DATA_AKM = 0x4 NL80211_REKEY_DATA_KCK = 0x2 NL80211_REKEY_DATA_KEK = 0x1 diff --git a/vendor/golang.org/x/sys/windows/env_windows.go b/vendor/golang.org/x/sys/windows/env_windows.go index b8ad1925068..d4577a42388 100644 --- a/vendor/golang.org/x/sys/windows/env_windows.go +++ b/vendor/golang.org/x/sys/windows/env_windows.go 
@@ -37,14 +37,17 @@ func (token Token) Environ(inheritExisting bool) (env []string, err error) {
 return nil, err
 }
 defer DestroyEnvironmentBlock(block)
- blockp := unsafe.Pointer(block)
- for {
- entry := UTF16PtrToString((*uint16)(blockp))
- if len(entry) == 0 {
- break
+ size := unsafe.Sizeof(*block)
+ for *block != 0 {
+ // find NUL terminator
+ end := unsafe.Pointer(block)
+ for *(*uint16)(end) != 0 {
+ end = unsafe.Add(end, size)
 }
- env = append(env, entry)
- blockp = unsafe.Add(blockp, 2*(len(entry)+1))
+
+ entry := unsafe.Slice(block, (uintptr(end)-uintptr(unsafe.Pointer(block)))/size)
+ env = append(env, UTF16ToString(entry))
+ block = (*uint16)(unsafe.Add(end, size))
 }
 return env, nil
 }
diff --git a/vendor/golang.org/x/sys/windows/syscall_windows.go b/vendor/golang.org/x/sys/windows/syscall_windows.go
index ffb8708ccf8..6395a031d45 100644
--- a/vendor/golang.org/x/sys/windows/syscall_windows.go
+++ b/vendor/golang.org/x/sys/windows/syscall_windows.go
@@ -125,8 +125,7 @@ func UTF16PtrToString(p *uint16) string {
 for ptr := unsafe.Pointer(p); *(*uint16)(ptr) != 0; n++ {
 ptr = unsafe.Pointer(uintptr(ptr) + unsafe.Sizeof(*p))
 }
-
- return string(utf16.Decode(unsafe.Slice(p, n)))
+ return UTF16ToString(unsafe.Slice(p, n))
 }
 func Getpagesize() int { return 4096 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 3c039ca8b57..7faabc28a10 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -14,7 +14,7 @@ github.com/cilium/ebpf/internal/sysenc
 github.com/cilium/ebpf/internal/tracefs
 github.com/cilium/ebpf/internal/unix
 github.com/cilium/ebpf/link
-# github.com/containerd/console v1.0.3
+# github.com/containerd/console v1.0.4
 ## explicit; go 1.13
 github.com/containerd/console
 # github.com/coreos/go-systemd/v22 v22.5.0
@@ -79,10 +79,10 @@ github.com/vishvananda/netns
 golang.org/x/exp/constraints
 golang.org/x/exp/maps
 golang.org/x/exp/slices
-# golang.org/x/net v0.19.0
+# golang.org/x/net v0.21.0
 ## explicit; go 1.18
 golang.org/x/net/bpf
-# golang.org/x/sys v0.16.0
+# golang.org/x/sys v0.17.0
 ## explicit; go 1.18
 golang.org/x/sys/execabs
 golang.org/x/sys/unix