From 002197d5b1cf6eca221edf0965ab14e05b9bfcd2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 18 Mar 2025 08:39:18 +0000 Subject: [PATCH] Bump github.com/opencontainers/runc from 1.2.5 to 1.2.6 Bumps [github.com/opencontainers/runc](https://github.com/opencontainers/runc) from 1.2.5 to 1.2.6. - [Release notes](https://github.com/opencontainers/runc/releases) - [Changelog](https://github.com/opencontainers/runc/blob/v1.2.6/CHANGELOG.md) - [Commits](https://github.com/opencontainers/runc/compare/v1.2.5...v1.2.6) --- updated-dependencies: - dependency-name: github.com/opencontainers/runc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> --- go.mod | 3 +- go.sum | 7 +-- .../libcontainer/dmz/cloned_binary_linux.go | 8 +++- .../runc/libcontainer/system/linux.go | 45 ------------------- .../runc/libcontainer/utils/cmsg.go | 22 +++++++-- vendor/modules.txt | 4 +- 6 files changed, 34 insertions(+), 55 deletions(-)
diff --git a/go.mod b/go.mod
index 3f98372c..f87e6779 100644
--- a/go.mod
+++ b/go.mod
@@ -6,7 +6,7 @@ require (
 github.com/NVIDIA/go-nvlib v0.7.1
 github.com/NVIDIA/go-nvml v0.12.4-1
 github.com/moby/sys/symlink v0.3.0
- github.com/opencontainers/runc v1.2.5
+ github.com/opencontainers/runc v1.2.6
 github.com/opencontainers/runtime-spec v1.2.1
 github.com/pelletier/go-toml v1.9.5
 github.com/sirupsen/logrus v1.9.3
@@ -28,6 +28,7 @@ require (
 github.com/kr/pretty v0.3.1 // indirect
 github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626 // indirect
 github.com/pmezard/go-difflib v1.0.0 // indirect
+ github.com/rogpeppe/go-internal v1.11.0 // indirect
 github.com/russross/blackfriday/v2 v2.1.0 // indirect
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 // indirect
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
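Review bot: The second go.mod hunk adds `github.com/rogpeppe/go-internal v1.11.0 // indirect`, a new module requirement that the commit message, which describes only a runc 1.2.5 to 1.2.6 patch bump, does not mention. vendor/modules.txt lists it as `## explicit; go 1.19` with no packages under it, and the diffstat shows no files vendored from it, so it appears to change only the module graph and not the code that is built. Before merging, confirm that `go mod tidy && go mod vendor` on a clean checkout reproduces exactly this go.mod, go.sum and vendor/ tree, so that the extra requirement and its new go.sum hashes are known to come from the toolchain and not from an unreviewed edit.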
diff --git a/go.sum b/go.sum
index ec099d40..748a177d 100644
--- a/go.sum
+++ b/go.sum
@@ -33,8 +33,8 @@ github.com/mndrix/tap-go v0.0.0-20171203230836-629fa407e90b/go.mod h1:pzzDgJWZ34 github.com/moby/sys/symlink v0.3.0 h1:GZX89mEZ9u53f97npBy4Rc3vJKj7JBDj/PN2I22GrNU= github.com/moby/sys/symlink v0.3.0/go.mod h1:3eNdhduHmYPcgsJtZXW1W4XUJdZGBIkttZ8xKqPUJq0= github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ= -github.com/opencontainers/runc v1.2.5 h1:8KAkq3Wrem8bApgOHyhRI/8IeLXIfmZ6Qaw6DNSLnA4= -github.com/opencontainers/runc v1.2.5/go.mod h1:dOQeFo29xZKBNeRBI0B19mJtfHv68YgCTh1X+YphA+4= +github.com/opencontainers/runc v1.2.6 h1:P7Hqg40bsMvQGCS4S7DJYhUZOISMLJOB2iGX5COWiPk= +github.com/opencontainers/runc v1.2.6/go.mod h1:dOQeFo29xZKBNeRBI0B19mJtfHv68YgCTh1X+YphA+4= github.com/opencontainers/runtime-spec v1.0.3-0.20220825212826-86290f6a00fb/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-spec v1.2.1 h1:S4k4ryNgEpxW1dzyqffOmhI1BHYcjzU8lpJfSlR0xww= github.com/opencontainers/runtime-spec v1.2.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
@@ -48,8 +48,9 @@ github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCko github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8= github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs= +github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= +github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/dmz/cloned_binary_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/dmz/cloned_binary_linux.go
index 1c034e4e..02916e50 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/dmz/cloned_binary_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/dmz/cloned_binary_linux.go
@@ -47,11 +47,15 @@ func sealMemfd(f **os.File) error {
 // errors because they are not needed and we want to continue
 // to work on older kernels.
 fd := (*f).Fd()
- // F_SEAL_FUTURE_WRITE -- Linux 5.1
- _, _ = unix.FcntlInt(fd, unix.F_ADD_SEALS, unix.F_SEAL_FUTURE_WRITE)
+
+ // Skip F_SEAL_FUTURE_WRITE, it is not needed because we alreadu use the
+ // stronger F_SEAL_WRITE (and is buggy on Linux <5.5 -- see kernel commit
+ // 05d351102dbe and <https://github.com/opencontainers/runc/pull/4640>).
+
 // F_SEAL_EXEC -- Linux 6.3
 const F_SEAL_EXEC = 0x20 //nolint:revive // this matches the unix.* name
 _, _ = unix.FcntlInt(fd, unix.F_ADD_SEALS, F_SEAL_EXEC)
+
 // Apply all original memfd seals.
 _, err := unix.FcntlInt(fd, unix.F_ADD_SEALS, baseMemfdSeals)
 return os.NewSyscallError("fcntl(F_ADD_SEALS)", err)
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/system/linux.go b/vendor/github.com/opencontainers/runc/libcontainer/system/linux.go
index 7bbf92a3..e8ce0eca 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/system/linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/system/linux.go
@@ -6,8 +6,6 @@ import (
 "fmt"
 "io"
 "os"
- "strconv"
- "syscall"
 "unsafe"

 "github.com/sirupsen/logrus"
@@ -43,49 +41,6 @@ func Exec(cmd string, args []string, env []string) error {
 }
 }

-func execveat(fd uintptr, pathname string, args []string, env []string, flags int) error {
- pathnamep, err := syscall.BytePtrFromString(pathname)
- if err != nil {
- return err
- }
-
- argvp, err := syscall.SlicePtrFromStrings(args)
- if err != nil {
- return err
- }
-
- envp, err := syscall.SlicePtrFromStrings(env)
- if err != nil {
- return err
- }
-
- _, _, errno := syscall.Syscall6(
- unix.SYS_EXECVEAT,
- fd,
- uintptr(unsafe.Pointer(pathnamep)),
- uintptr(unsafe.Pointer(&argvp[0])),
- uintptr(unsafe.Pointer(&envp[0])),
- uintptr(flags),
- 0,
- )
- return errno
-}
-
-func Fexecve(fd uintptr, args []string, env []string) error {
- var err error
- for {
- err = execveat(fd, "", args, env, unix.AT_EMPTY_PATH)
- if err != unix.EINTR { // nolint:errorlint // unix errors are bare
- break
- }
- }
- if err == unix.ENOSYS { // nolint:errorlint // unix errors are bare
- // Fallback to classic /proc/self/fd/... exec.
- return Exec("/proc/self/fd/"+strconv.Itoa(int(fd)), args, env)
- }
- return os.NewSyscallError("execveat", err)
-}
-
 func SetParentDeathSignal(sig uintptr) error {
 if err := unix.Prctl(unix.PR_SET_PDEATHSIG, sig, 0, 0, 0); err != nil {
 return err
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/utils/cmsg.go b/vendor/github.com/opencontainers/runc/libcontainer/utils/cmsg.go
index 2edd1417..3aca5bda 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/utils/cmsg.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/utils/cmsg.go
@@ -42,9 +42,20 @@ func RecvFile(socket *os.File) (_ *os.File, Err error) {
 oob := make([]byte, oobSpace)

 sockfd := socket.Fd()
- n, oobn, _, _, err := unix.Recvmsg(int(sockfd), name, oob, unix.MSG_CMSG_CLOEXEC)
+ var (
+ n, oobn int
+ err error
+ )
+
+ for {
+ n, oobn, _, _, err = unix.Recvmsg(int(sockfd), name, oob, unix.MSG_CMSG_CLOEXEC)
+ if err != unix.EINTR { //nolint:errorlint // unix errors are bare
+ break
+ }
+ }
+
 if err != nil {
- return nil, err
+ return nil, os.NewSyscallError("recvmsg", err)
 }
 if n >= MaxNameLen || oobn != oobSpace {
 return nil, fmt.Errorf("recvfile: incorrect number of bytes read (n=%d oobn=%d)", n, oobn)
@@ -115,5 +126,10 @@ func SendFile(socket *os.File, file *os.File) error {
 // SendRawFd sends a specific file descriptor over the given AF_UNIX socket.
 func SendRawFd(socket *os.File, msg string, fd uintptr) error {
 oob := unix.UnixRights(int(fd))
- return unix.Sendmsg(int(socket.Fd()), []byte(msg), oob, nil, 0)
+ for {
+ err := unix.Sendmsg(int(socket.Fd()), []byte(msg), oob, nil, 0)
+ if err != unix.EINTR { //nolint:errorlint // unix errors are bare
+ return os.NewSyscallError("sendmsg", err)
+ }
+ }
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 316de900..30113e8b 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -34,7 +34,7 @@ github.com/google/uuid # github.com/moby/sys/symlink v0.3.0 ## explicit; go 1.17 github.com/moby/sys/symlink -# github.com/opencontainers/runc v1.2.5 +# github.com/opencontainers/runc v1.2.6 ## explicit; go 1.22 github.com/opencontainers/runc/libcontainer/dmz github.com/opencontainers/runc/libcontainer/system
@@ -53,6 +53,8 @@ github.com/pelletier/go-toml # github.com/pmezard/go-difflib v1.0.0 ## explicit github.com/pmezard/go-difflib/difflib +# github.com/rogpeppe/go-internal v1.11.0 +## explicit; go 1.19 # github.com/russross/blackfriday/v2 v2.1.0 ## explicit github.com/russross/blackfriday/v2