Bump runc for CVE-2019-16884

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2019-09-26 10:09:42 -04:00
parent 4509efc303
commit 95dbbdc8c1
10 changed files with 54 additions and 36 deletions
--- a/vendor/github.com/opencontainers/runc/libcontainer/README.md
+++ b/vendor/github.com/opencontainers/runc/libcontainer/README.md
@@ -261,6 +261,7 @@ process := &libcontainer.Process{
 	Stdin:  os.Stdin,
 	Stdout: os.Stdout,
 	Stderr: os.Stderr,
+	Init:   true,
 }

 err := container.Run(process)
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/blkio_device.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/blkio_device.go
@@ -59,3 +59,8 @@ func NewThrottleDevice(major, minor int64, rate uint64) *ThrottleDevice {
 func (td *ThrottleDevice) String() string {
 	return fmt.Sprintf("%d:%d %d", td.Major, td.Minor, td.Rate)
 }
+
+// StringName formats the struct to be writable to the cgroup specific file
+func (td *ThrottleDevice) StringName(name string) string {
+	return fmt.Sprintf("%d:%d %s=%d", td.Major, td.Minor, name, td.Rate)
+}
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_linux.go
@@ -119,4 +119,12 @@ type Resources struct {

 	// Set class identifier for container's network packets
 	NetClsClassid uint32 `json:"net_cls_classid_u"`
+
+	// Used on cgroups v2:
+
+	// CpuWeight sets a proportional bandwidth limit.
+	CpuWeight uint64 `json:"cpu_weight"`
+
+	// CpuMax sets she maximum bandwidth limit (format: max period).
+	CpuMax string `json:"cpu_max"`
 }
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_unsupported.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_unsupported.go
@@ -1,3 +1,5 @@
+// +build !linux
+
 package configs

 // TODO Windows: This can ultimately be entirely factored out on Windows as
--- a/vendor/github.com/opencontainers/runc/libcontainer/devices/devices.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/devices/devices.go
@@ -7,11 +7,11 @@ import (
 	"path/filepath"

 	"github.com/opencontainers/runc/libcontainer/configs"
-
 	"golang.org/x/sys/unix"
 )

 var (
+	// ErrNotADevice denotes that a file is not a valid linux device.
 	ErrNotADevice = errors.New("not a device node")
 )

@@ -21,7 +21,8 @@ var (
 	ioutilReadDir = ioutil.ReadDir
 )

-// Given the path to a device and its cgroup_permissions(which cannot be easily queried) look up the information about a linux device and return that information as a Device struct.
+// Given the path to a device and its cgroup_permissions(which cannot be easily queried) look up the
+// information about a linux device and return that information as a Device struct.
 func DeviceFromPath(path, permissions string) (*configs.Device, error) {
 	var stat unix.Stat_t
 	err := unixLstat(path, &stat)
@@ -60,25 +61,29 @@ func DeviceFromPath(path, permissions string) (*configs.Device, error) {
 	}, nil
 }

+// HostDevices returns all devices that can be found under /dev directory.
 func HostDevices() ([]*configs.Device, error) {
-	return getDevices("/dev")
+	return GetDevices("/dev")
 }

-func getDevices(path string) ([]*configs.Device, error) {
+// GetDevices recursively traverses a directory specified by path
+// and returns all devices found there.
+func GetDevices(path string) ([]*configs.Device, error) {
 	files, err := ioutilReadDir(path)
 	if err != nil {
 		return nil, err
 	}
-	out := []*configs.Device{}
+	var out []*configs.Device
 	for _, f := range files {
 		switch {
 		case f.IsDir():
 			switch f.Name() {
 			// ".lxc" & ".lxd-mounts" added to address https://github.com/lxc/lxd/issues/2825
-			case "pts", "shm", "fd", "mqueue", ".lxc", ".lxd-mounts":
+			// ".udev" added to address https://github.com/opencontainers/runc/issues/2093
+			case "pts", "shm", "fd", "mqueue", ".lxc", ".lxd-mounts", ".udev":
 				continue
 			default:
-				sub, err := getDevices(filepath.Join(path, f.Name()))
+				sub, err := GetDevices(filepath.Join(path, f.Name()))
 				if err != nil {
 					return nil, err
 				}
--- a/vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsenter_unsupported.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsenter_unsupported.go
@@ -1,5 +1,3 @@
 // +build !linux !cgo

 package nsenter
-
-import "C"
--- a/vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsexec.c
+++ b/vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsexec.c
@@ -50,9 +50,6 @@ enum sync_t {
 #define JUMP_CHILD  0xA0
 #define JUMP_INIT   0xA1

-/* JSON buffer. */
-#define JSON_MAX 4096
-
 /* Assume the stack grows down, so arguments should be above it. */
 struct clone_t {
 	/*
@@ -148,11 +145,11 @@ static void write_log_with_info(const char *level, const char *function, int lin

 	va_start(args, format);
 	if (vsnprintf(message, sizeof(message), format, args) < 0)
-		return;
-	va_end(args);
+		goto done;

-	if (dprintf(logfd, "{\"level\":\"%s\", \"msg\": \"%s:%d %s\"}\n", level, function, line, message) < 0)
-		return;
+	dprintf(logfd, "{\"level\":\"%s\", \"msg\": \"%s:%d %s\"}\n", level, function, line, message);
+done:
+	va_end(args);
 }

 #define write_log(level, fmt, ...) \
--- a/vendor/github.com/opencontainers/runc/libcontainer/system/syscall_linux_64.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/system/syscall_linux_64.go
@@ -1,5 +1,5 @@
 // +build linux
-// +build arm64 amd64 mips mipsle mips64 mips64le ppc ppc64 ppc64le s390x
+// +build arm64 amd64 mips mipsle mips64 mips64le ppc ppc64 ppc64le riscv64 s390x

 package system