diff --git a/containerd.spec b/containerd.spec
index f2b85c8e867bc804464a1aa3b50fdb6f3193abe2..f72f117eabec092b3bcb68dc4718f59424dc26fd 100644
--- a/containerd.spec
+++ b/containerd.spec
@@ -2,7 +2,7 @@
 %global debug_package %{nil}
 Version: 1.2.0
 Name: containerd
-Release: 320
+Release: 321
 Summary: An industry-standard container runtime
 License: ASL 2.0
 URL: https://containerd.io
@@ -72,6 +72,12 @@ install -p -m 755 bin/ctr $RPM_BUILD_ROOT/%{_bindir}/ctr
 %{_bindir}/ctr
 
 %changelog
+* Fri Aug 2 2024 zhaoxiaohu - 1.2.0-321
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:Fix seccomp: support "clone3" (return ENOSYS unless SYS_ADMIN is granted)
+
 * Tue Jun 18 2024 panchenbo - 1.2.0-320
 - Type:enhancement
 - ID:NA
diff --git a/patch/0113-containerd-backport-seccomp-support-clone3-return-ENOSYS-unless-SYS_ADMIN-is-granted.patch b/patch/0113-containerd-backport-seccomp-support-clone3-return-ENOSYS-unless-SYS_ADMIN-is-granted.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9eacf78c6dfbca3e69174d234a682712af4c3201
--- /dev/null
+++ b/patch/0113-containerd-backport-seccomp-support-clone3-return-ENOSYS-unless-SYS_ADMIN-is-granted.patch
@@ -0,0 +1,64 @@
+From 8cfc05ec8d197556045f4d16bfc03663f53e9362 Mon Sep 17 00:00:00 2001
+From: zhaoxiaohu
+Date: Fri, 2 Aug 2024 18:11:06 +0800
+Subject: [PATCH] seccomp: support "clone3" (return ENOSYS unless
+ SYS_ADMIN is granted)
+
+clone3 is explicitly requested to give ENOSYS instead of the default EPERM, when CAP_SYS_ADMIN is unset.
+See moby/moby PR 42681 (thanks to berrange).
+
+Without this commit, rawhide image does not work:
+```console
+$ sudo ctr run --rm --net-host --seccomp registry.fedoraproject.org/fedora:rawhide foo /usr/bin/curl google.com
+curl: (6) getaddrinfo() thread failed to start
+```
+
+Reference: https://github.com/containerd/containerd/commit/55923daa9f56c8a890875f1e111201d918b382e2
+
+Signed-off-by: Akihiro Suda
+Signed-off-by: chenguanqiao
+Signed-off-by: yuwang
+Signed-off-by: zhaoxiaohu
+---
+ contrib/seccomp/seccomp_default.go | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/contrib/seccomp/seccomp_default.go b/contrib/seccomp/seccomp_default.go
+index 11b446a..8ec4fee 100644
+--- a/contrib/seccomp/seccomp_default.go
++++ b/contrib/seccomp/seccomp_default.go
+@@ -48,6 +48,7 @@ func arches() []specs.Arch {
+
+ // DefaultProfile defines the whitelist for the default seccomp profile.
+ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
++ nosys := uint(unix.ENOSYS)
+ syscalls := []specs.LinuxSyscall{
+ {
+ Names: []string{
+@@ -459,6 +460,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
+ Names: []string{
+ "bpf",
+ "clone",
++ "clone3",
+ "fanotify_init",
+ "lookup_dcookie",
+ "mount",
+@@ -575,6 +577,15 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
+ },
+ })
+ }
++ // clone3 is explicitly requested to give ENOSYS instead of the default EPERM, when CAP_SYS_ADMIN is unset
++ // https://github.com/moby/moby/pull/42681
++ s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{
++ Names: []string{
++ "clone3",
++ },
++ Action: specs.ActErrno,
++ ErrnoRet: &nosys,
++ })
+ }
+
+ return s
+--
+2.33.0
+
diff --git a/series.conf b/series.conf
index 81777d8d5acd394b0cd2078b4b53444685f3be8f..fa66acfe908a40662471fd6cd011f8ade3d3a61e 100644
--- a/series.conf
+++ b/series.conf
@@ -120,5 +120,6 @@ patch/0109-containerd-Backport-net-http-regenerate-h2_bundle.go.patch
 patch/0110-containerd-update-vendored-golang.org-x-net.patch
 patch/0111-containerd-disable-Transparent-HugePage-for-shim-pro.patch
 patch/0112-containerd-cio-FIFOSet.Close-check-if-FIFOSet-is-nill-to-preven.patch
+patch/0113-containerd-backport-seccomp-support-clone3-return-ENOSYS-unless-SYS_ADMIN-is-granted.patch
 sw64_patch/3001-thp-add-support-sw_64.patch
 # end
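Review bot: The `clone3` ENOSYS rule appended under `@@ -575` has to stay inside the branch that runs only when CAP_SYS_ADMIN is absent, which the commit title promises but the hunk does not show — the enclosing block opens above the hunk and only its closing `}` before `return s` is visible, and `DefaultProfile` itself ends outside the hunk. Placed anywhere else it would coexist with the `"clone3"` entry added to the SYS_ADMIN allow-list at `@@ -459`, leaving two unconditional rules with different actions for the same syscall and the outcome to the runtime's seccomp loader. A unit test that builds the profile with and without CAP_SYS_ADMIN and asserts an `ErrnoRet`-bearing `clone3` rule only in the latter case would pin this. The backport also assumes the runtime-spec vendored in this 1.2.0 tree already declares `LinuxSyscall.ErrnoRet` and that the deployed runc honours a per-rule errno; if either is older the patch either fails to build or the rule degrades to the default EPERM, which is the glibc fallback failure the description quotes, so confirm both before merging.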