From c482ca6da491bc48baa12b94fc3c589ffb54ae46 Mon Sep 17 00:00:00 2001
From: zhongjiawei
Date: Fri, 30 Aug 2024 11:48:13 +0800
Subject: [PATCH] runc:sync some patches

Signed-off-by: zhongjiawei
---
 git-commit | 2 +-
 ...0040-add-loongarch64-seccomp-support.patch | 150 ++++++++++++++++++
 patch/0042-runc-fix-a-data-race.patch | 26 +++
 ...pport-set-umask-through-native.umask.patch | 48 ++++++
 runc.spec | 8 +-
 series.conf | 3 +
 6 files changed, 235 insertions(+), 2 deletions(-)
 create mode 100644 patch/0040-add-loongarch64-seccomp-support.patch
 create mode 100644 patch/0042-runc-fix-a-data-race.patch
 create mode 100644 patch/0043-runc-do-not-support-set-umask-through-native.umask.patch

diff --git a/git-commit b/git-commit
index 9e80ce5..d2e1135 100644
--- a/git-commit
+++ b/git-commit
@@ -1 +1 @@
-d40eb8bbaaf0365a8d2468625474125181b65c83
+b41140eddc29b390cf030de10de67c9878d50ae6
diff --git a/patch/0040-add-loongarch64-seccomp-support.patch b/patch/0040-add-loongarch64-seccomp-support.patch
new file mode 100644
index 0000000..bfa9bee
--- /dev/null
+++ b/patch/0040-add-loongarch64-seccomp-support.patch
@@ -0,0 +1,150 @@
+diff --git a/libcontainer/seccomp/config.go b/libcontainer/seccomp/config.go
+index 2b15576..841f9d9 100644
+--- a/libcontainer/seccomp/config.go
++++ b/libcontainer/seccomp/config.go
+@@ -69,6 +69,7 @@ var archs = map[string]string{
+ "SCMP_ARCH_RISCV64": "riscv64",
+ "SCMP_ARCH_S390": "s390",
+ "SCMP_ARCH_S390X": "s390x",
++ "SCMP_ARCH_LOONGARCH64": "loong64",
+ }
+ 
+ // KnownArchs returns the list of the known archs.
+diff --git a/libcontainer/seccomp/patchbpf/enosys_linux.go b/libcontainer/seccomp/patchbpf/enosys_linux.go
+index 6376512..391c319 100644
+--- a/libcontainer/seccomp/patchbpf/enosys_linux.go
++++ b/libcontainer/seccomp/patchbpf/enosys_linux.go
+@@ -75,6 +75,7 @@ const uint32_t C_AUDIT_ARCH_PPC64LE = AUDIT_ARCH_PPC64LE;
+ const uint32_t C_AUDIT_ARCH_S390 = AUDIT_ARCH_S390;
+ const uint32_t C_AUDIT_ARCH_S390X = AUDIT_ARCH_S390X;
+ const uint32_t C_AUDIT_ARCH_RISCV64 = AUDIT_ARCH_RISCV64;
++const uint32_t C_AUDIT_ARCH_LOONGARCH64 = AUDIT_ARCH_LOONGARCH64;
+ */
+ import "C"
+ 
+@@ -212,6 +213,8 @@ func archToNative(arch libseccomp.ScmpArch) (nativeArch, error) {
+ return nativeArch(C.C_AUDIT_ARCH_S390X), nil
+ case libseccomp.ArchRISCV64:
+ return nativeArch(C.C_AUDIT_ARCH_RISCV64), nil
++ case libseccomp.ArchLOONGARCH64:
++ return nativeArch(C.C_AUDIT_ARCH_LOONGARCH64), nil
+ default:
+ return invalidArch, fmt.Errorf("unknown architecture: %v", arch)
+ }
+diff --git a/libcontainer/seccomp/patchbpf/enosys_linux_test.go b/libcontainer/seccomp/patchbpf/enosys_linux_test.go
+index e2d363a..a66fe35 100644
+--- a/libcontainer/seccomp/patchbpf/enosys_linux_test.go
++++ b/libcontainer/seccomp/patchbpf/enosys_linux_test.go
+@@ -105,6 +105,7 @@ var testArches = []string{
+ "ppc64le",
+ "s390",
+ "s390x",
++ "loong64",
+ }
+ 
+ func testEnosysStub(t *testing.T, defaultAction configs.Action, arches []string) {
+diff --git a/libcontainer/system/syscall_linux_64.go b/libcontainer/system/syscall_linux_64.go
+index 97f1ba0..5db345a 100644
+--- a/libcontainer/system/syscall_linux_64.go
++++ b/libcontainer/system/syscall_linux_64.go
+@@ -1,6 +1,6 @@
+ //go:build linux && (arm64 || amd64 || mips || mipsle || mips64 || mips64le || loong64 || ppc || ppc64 || ppc64le || riscv64 || s390x)
+ // +build linux
+-// +build arm64 amd64 mips mipsle mips64 mips64le ppc ppc64 ppc64le riscv64 s390x
++// +build arm64 amd64 mips mipsle mips64 mips64le ppc ppc64 ppc64le riscv64 s390x loong64
+ 
+ package system
+ 
+diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
+index 135f74a..e32af2f 100644
+--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
++++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
+@@ -643,6 +643,7 @@ const (
+ ArchPARISC Arch = "SCMP_ARCH_PARISC"
+ ArchPARISC64 Arch = "SCMP_ARCH_PARISC64"
+ ArchRISCV64 Arch = "SCMP_ARCH_RISCV64"
++ ArchLOONGARCH64 Arch = "SCMP_ARCH_LOONGARCH64"
+ )
+ 
+ // LinuxSeccompAction taken upon Seccomp rule match
+diff --git a/vendor/github.com/seccomp/libseccomp-golang/seccomp.go b/vendor/github.com/seccomp/libseccomp-golang/seccomp.go
+index 8dad12f..2552394 100644
+--- a/vendor/github.com/seccomp/libseccomp-golang/seccomp.go
++++ b/vendor/github.com/seccomp/libseccomp-golang/seccomp.go
+@@ -174,6 +174,8 @@ const (
+ ArchPARISC64
+ // ArchRISCV64 represents RISCV64
+ ArchRISCV64
++ // ArchLOONGARCH64 represents 64-bit LoongArch System syscalls
++ ArchLOONGARCH64
+ )
+ 
+ const (
+@@ -305,6 +307,8 @@ func GetArchFromString(arch string) (ScmpArch, error) {
+ return ArchPARISC64, nil
+ case "riscv64":
+ return ArchRISCV64, nil
++ case "loongarch64", "loong64":
++ return ArchLOONGARCH64, nil
+ default:
+ return ArchInvalid, fmt.Errorf("cannot convert unrecognized string %q", arch)
+ }
+@@ -351,6 +355,8 @@ func (a ScmpArch) String() string {
+ return "parisc64"
+ case ArchRISCV64:
+ return "riscv64"
++ case ArchLOONGARCH64:
++ return "loong64"
+ case ArchNative:
+ return "native"
+ case ArchInvalid:
+diff --git a/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go b/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go
+index df4dfb7..1997fb3 100644
+--- a/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go
++++ b/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go
+@@ -68,6 +68,10 @@ const uint32_t C_ARCH_BAD = ARCH_BAD;
+ #define SCMP_ARCH_RISCV64 ARCH_BAD
+ #endif
+ 
++#ifndef SCMP_ARCH_LOONGARCH64
++#define SCMP_ARCH_LOONGARCH64 ARCH_BAD
++#endif
++
+ const uint32_t C_ARCH_NATIVE = SCMP_ARCH_NATIVE;
+ const uint32_t C_ARCH_X86 = SCMP_ARCH_X86;
+ const uint32_t C_ARCH_X86_64 = SCMP_ARCH_X86_64;
+@@ -88,6 +92,7 @@ const uint32_t C_ARCH_S390X = SCMP_ARCH_S390X;
+ const uint32_t C_ARCH_PARISC = SCMP_ARCH_PARISC;
+ const uint32_t C_ARCH_PARISC64 = SCMP_ARCH_PARISC64;
+ const uint32_t C_ARCH_RISCV64 = SCMP_ARCH_RISCV64;
++const uint32_t C_ARCH_LOONGARCH64 = SCMP_ARCH_LOONGARCH64;
+ 
+ #ifndef SCMP_ACT_LOG
+ #define SCMP_ACT_LOG 0x7ffc0000U
+@@ -291,7 +296,7 @@ const (
+ scmpError C.int = -1
+ // Comparison boundaries to check for architecture validity
+ archStart ScmpArch = ArchNative
+- archEnd ScmpArch = ArchRISCV64
++ archEnd ScmpArch = ArchLOONGARCH64
+ // Comparison boundaries to check for action validity
+ actionStart ScmpAction = ActKillThread
+ actionEnd ScmpAction = ActKillProcess
+@@ -551,6 +556,8 @@ func archFromNative(a C.uint32_t) (ScmpArch, error) {
+ return ArchPARISC64, nil
+ case C.C_ARCH_RISCV64:
+ return ArchRISCV64, nil
++ case C.C_ARCH_LOONGARCH64:
++ return ArchLOONGARCH64, nil
+ default:
+ return 0x0, fmt.Errorf("unrecognized architecture %#x", uint32(a))
+ }
+@@ -597,6 +604,8 @@ func (a ScmpArch) toNative() C.uint32_t {
+ return C.C_ARCH_PARISC64
+ case ArchRISCV64:
+ return C.C_ARCH_RISCV64
++ case ArchLOONGARCH64:
++ return C.C_ARCH_LOONGARCH64
+ case ArchNative:
+ return C.C_ARCH_NATIVE
+ default:
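Review bot: The cgo preamble hunk in libcontainer/seccomp/patchbpf/enosys_linux.go adds `const uint32_t C_AUDIT_ARCH_LOONGARCH64 = AUDIT_ARCH_LOONGARCH64;` with no fallback, whereas the seccomp_internal.go hunk later in the same patch guards `SCMP_ARCH_LOONGARCH64` with `#ifndef` / `#define … ARCH_BAD` / `#endif`; on a build host whose linux/audit.h predates LoongArch, that preamble would fail to compile on every cgo+seccomp build, not only on loong64. A symmetric guard placed before the new line, `#ifndef AUDIT_ARCH_LOONGARCH64` / `#define AUDIT_ARCH_LOONGARCH64 (EM_LOONGARCH|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)` / `#endif`, mirrors how linux/audit.h defines the value (if `EM_LOONGARCH` is also absent from old headers it needs its own fallback). Note that with the ARCH_BAD fallback, `GetArchFromString` now accepts "loongarch64"/"loong64" while `toNative()` hands libseccomp an invalid arch, so a profile naming this arch on a libseccomp without LoongArch support surfaces as a libseccomp error rather than a clear "unsupported architecture" message; that matches the existing RISCV64 fallback, so it is presumably intended but worth a sentence in the patch description. `archToNative`, `GetArchFromString`, `String`, `archFromNative` and `toNative` all begin outside their hunks.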
diff --git a/patch/0042-runc-fix-a-data-race.patch b/patch/0042-runc-fix-a-data-race.patch
new file mode 100644
index 0000000..2a42c4f
--- /dev/null
+++ b/patch/0042-runc-fix-a-data-race.patch
@@ -0,0 +1,26 @@
+From d1ef3ab619c7743d389fc882ec65df38d140fc08 Mon Sep 17 00:00:00 2001
+From: zhongjiawei
+Date: Mon, 17 Jun 2024 23:22:39 +0800
+Subject: [PATCH] libct/config: fix a data race
+
+Reference:https://github.com/opencontainers/runc/commit/c342872276d4a3d5f662684115e282cbb20bf227
+---
+ libcontainer/configs/config.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go
+index f85ade3f..c9ecc3cb 100644
+--- a/libcontainer/configs/config.go
++++ b/libcontainer/configs/config.go
+@@ -455,7 +455,7 @@ func (c Command) Run(s *specs.State) error {
+ return err
+ case <-timerCh:
+ cmd.Process.Kill()
+- cmd.Wait()
++ <-errC
+ return fmt.Errorf("hook ran past specified timeout of %.1fs", c.Timeout.Seconds())
+ case <-timeAfter:
+ if c.Timeout != nil {
+-- 
+2.33.0
+
diff --git a/patch/0043-runc-do-not-support-set-umask-through-native.umask.patch b/patch/0043-runc-do-not-support-set-umask-through-native.umask.patch
new file mode 100644
index 0000000..5528a6f
--- /dev/null
+++ b/patch/0043-runc-do-not-support-set-umask-through-native.umask.patch
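Review bot: The new `<-errC` in the timeout branch of `Command.Run` blocks until the hook's `Wait` goroutine reports, but the `cmd.Process.Kill()` result on the line above is still unchecked, so if the kill fails the receive can wait for as long as the hook keeps running and the "ran past specified timeout" error is delayed accordingly. Checking it, e.g. `if kerr := cmd.Process.Kill(); kerr != nil { return fmt.Errorf("hook ran past specified timeout of %.1fs and could not be killed: %w", c.Timeout.Seconds(), kerr) }` before the receive, keeps the timeout meaningful; the value received from `errC` is expected to be the kill signal and can stay discarded. `Run` starts and ends outside the hunk, so the assumption that the goroutine feeding `errC` sends exactly once cannot be confirmed here.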
@@ -0,0 +1,48 @@
+From 19a4209a82132f930fe55cbb2255eb453b465e56 Mon Sep 17 00:00:00 2001
+From: zhongjiawei
+Date: Thu, 11 Jul 2024 20:18:01 +0800
+Subject: [PATCH] runc:do not support set umask through native.umask
+
+Signed-off-by: zhongjiawei
+---
+ libcontainer/rootfs_linux.go | 6 ------
+ libcontainer/setns_init_linux.go | 6 ------
+ 2 files changed, 12 deletions(-)
+
+diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
+index c42e388..499d753 100644
+--- a/libcontainer/rootfs_linux.go
++++ b/libcontainer/rootfs_linux.go
+@@ -192,12 +192,6 @@ func finalizeRootfs(config *configs.Config) (err error) {
+ } else {
+ unix.Umask(0o022)
+ }
+- umask := utils.SearchLabels(config.Labels, "native.umask")
+- if umask == "normal" {
+- unix.Umask(0o022)
+- } else {
+- unix.Umask(0o027)
+- }
+ return nil
+ }
+ 
+diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go
+index f1dcab6..d8cdfdf 100644
+--- a/libcontainer/setns_init_linux.go
++++ b/libcontainer/setns_init_linux.go
+@@ -56,12 +56,6 @@ func (l *linuxSetnsInit) Init() error {
+ return err
+ }
+ }
+- umask := utils.SearchLabels(l.config.Config.Labels, "native.umask")
+- if umask == "normal" {
+- unix.Umask(0o022)
+- } else {
+- unix.Umask(0o027)
+- }
+ if l.config.NoNewPrivileges {
+ if err := unix.Prctl(unix.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
+ return err
+-- 
+2.33.0
+
diff --git a/runc.spec b/runc.spec
index b45d882..0b8c43d 100644
--- a/runc.spec
+++ b/runc.spec
@@ -3,7 +3,7 @@ Name: runc Version: 1.1.8
-Release: 14
+Release: 15
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
 License: ASL 2.0
@@ -54,6 +54,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
 %{_bindir}/runc
 %changelog
+* Fri Aug 30 2024 zhongjiawei - 1.1.8-15
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:sync some patches
+
 * Fri May 24 2024 zhongjiawei - 1.1.8-14
 - Type:CVE
 - CVE:CVE-2024-3154
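Review bot: The setns_init_linux.go hunk removes the only umask assignment visible on the exec path, so a process started via `linuxSetnsInit.Init` now inherits runc's own umask instead of the previous default of 0o027 (0o022 only when the `native.umask=normal` label was set); on the create path the surviving context in `finalizeRootfs` still sets `unix.Umask(0o022)` in one branch, so the two paths no longer agree. That is a loosening of the default file-permission mask that the subject line "do not support set umask through native.umask" does not call out; the patch description (and the spec %changelog entry, which only says "sync some patches") should state the new effective default for exec'd processes, or the exec path should keep an explicit `unix.Umask(0o022)` to match create. The diffstat shows no import change in either file, so confirm that `utils` is still referenced elsewhere in setns_init_linux.go after its last `utils.SearchLabels` call is dropped, otherwise the file will not compile. Both `finalizeRootfs` and `Init` begin outside their hunks.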
diff --git a/series.conf b/series.conf
index 681bf5b..9546ca3 100644
--- a/series.conf
+++ b/series.conf
@@ -36,3 +36,6 @@ patch/0036-runc-increase-the-number-of-cgroup-deletion-retries.patch
 patch/0037-runc-fix-CVE-2024-21626.patch
 patch/0038-runc-check-cmd-exist.patch
 patch/0039-runc-fix-CVE-2024-3154.patch
+patch/0040-add-loongarch64-seccomp-support.patch
+patch/0042-runc-fix-a-data-race.patch
+patch/0043-runc-do-not-support-set-umask-through-native.umask.patch
-- 
Gitee
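Review bot: The three added entries jump from 0040 to 0042, so a patch numbered 0041 is either missing from the series or was deliberately left out; neither this file nor the commit message says which. If 0041 exists in the repository but is intentionally not applied, a sentence in the commit description would stop the next reader from assuming a dropped fix; otherwise renumbering 0042/0043 keeps the series contiguous with the `create mode` list in the diffstat.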