From 47dfa2024fe1a464969efea062c9704014859946 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin
Date: Tue, 29 Oct 2024 16:54:20 -0700
Subject: [PATCH 1/3] script/check-config.sh: add OVERLAY_FS check

While this is used by the majority of upper container runtimes, it was not needed for runc itself. Since commit 515f09f7 runc uses overlay, too, so let's add a check for this.

Signed-off-by: Kir Kolyshkin
(cherry picked from commit ee1bced18cefdc0d4a1c0063754281b4f9d933b3)
Signed-off-by: Kir Kolyshkin
---
 script/check-config.sh | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/script/check-config.sh b/script/check-config.sh
index c71ee72f2a7..504c3e52c3d 100755
--- a/script/check-config.sh
+++ b/script/check-config.sh
@@ -241,6 +241,9 @@ flags=(
 # required for bind-mounting /dev/mqueue into containers
 POSIX_MQUEUE
+
+ # Most containers use overlayfs, and now runc itself uses it.
+ OVERLAY_FS
 )
 check_flags "${flags[@]}"

From b798594cf9f304879bcfe037039aabcdf950220b Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin
Date: Tue, 29 Oct 2024 16:57:42 -0700
Subject: [PATCH 2/3] libct: fix a comment

There is a typo in the comment (ClonedBinary should be CloneBinary), and the code has changed a bit since then, and it makes more sense to refer to CloneSelfExe now.

Signed-off-by: Kir Kolyshkin
(cherry picked from commit 8cc7375447916fbe0bda2e770223933277588831)
Signed-off-by: Kir Kolyshkin
---
 libcontainer/process.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libcontainer/process.go b/libcontainer/process.go
index 3663c7e0dd2..114b3f2b6cb 100644
--- a/libcontainer/process.go
+++ b/libcontainer/process.go
@@ -49,7 +49,7 @@ type Process struct {
 // ExtraFiles specifies additional open files to be inherited by the container
 ExtraFiles []*os.File
- // open handles to cloned binaries -- see dmz.ClonedBinary for more details
+ // open handles to cloned binaries -- see dmz.CloneSelfExe for more details
 clonedExes []*os.File
 // Initial sizings for the console
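Review bot: The comment on the new `OVERLAY_FS` entry says runc uses overlayfs but not whether a kernel without it breaks runc or only loses a fast path, and that is what someone running check-config on a failing kernel needs to know; the neighbouring `POSIX_MQUEUE` entry in the same `flags` array spells out exactly what it is required for. If runc's overlayfs use since commit 515f09f7 (per the description) has a fallback, the entry may belong in an optional section, if the script has one; what `check_flags` reports for a missing flag is outside the hunk. Suggested wording, with the last clause filled in as applicable: `# Most containers use overlayfs; runc itself uses it since commit 515f09f7 and <fails|falls back to ...> without it.`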
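Review bot: The corrected comment on `clonedExes` is still a sentence fragment, while the `ExtraFiles` comment three lines above in the same hunk opens with the field name in the usual Go style; since the line is being rewritten anyway, `// clonedExes holds open handles to cloned binaries; see dmz.CloneSelfExe for details.` keeps the two consistent. The Process struct continues outside the hunk.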
From 258cd8b64be46246f43e2865417c300876c36639 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin
Date: Tue, 29 Oct 2024 17:11:56 -0700
Subject: [PATCH 3/3] libct: rm obsoleted comment

This was added by commit f2f16213e when runc-dmz was still a thing.

Signed-off-by: Kir Kolyshkin
(cherry picked from commit 5586d7caa1bed366065d2a610e839007575e822e)
Signed-off-by: Kir Kolyshkin
---
 libcontainer/setns_init_linux.go | 5 -----
 libcontainer/standard_init_linux.go | 5 -----
 2 files changed, 10 deletions(-)

diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go
index e03ab634b2d..92c6ef77030 100644
--- a/libcontainer/setns_init_linux.go
+++ b/libcontainer/setns_init_linux.go
@@ -150,11 +150,6 @@ func (l *linuxSetnsInit) Init() error {
 // (otherwise the (*os.File) finaliser could close the wrong file). See
 // CVE-2024-21626 for more information as to why this protection is
 // necessary.
- //
- // This is not needed for runc-dmz, because the extra execve(2) step means
- // that all O_CLOEXEC file descriptors have already been closed and thus
- // the second execve(2) from runc-dmz cannot access internal file
- // descriptors from runc.
 if err := utils.UnsafeCloseFrom(l.config.PassedFilesCount + 3); err != nil {
 return err
 }
diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
index 4631f249ee2..9f7fa45d533 100644
--- a/libcontainer/standard_init_linux.go
+++ b/libcontainer/standard_init_linux.go
@@ -284,11 +284,6 @@ func (l *linuxStandardInit) Init() error {
 // (otherwise the (*os.File) finaliser could close the wrong file). See
 // CVE-2024-21626 for more information as to why this protection is
 // necessary.
- //
- // This is not needed for runc-dmz, because the extra execve(2) step means
- // that all O_CLOEXEC file descriptors have already been closed and thus
- // the second execve(2) from runc-dmz cannot access internal file
- // descriptors from runc.
 if err := utils.UnsafeCloseFrom(l.config.PassedFilesCount + 3); err != nil {
 return err
 }