Bump github.com/opencontainers/runc from 1.2.5 to 1.2.6

Bumps [github.com/opencontainers/runc](https://github.com/opencontainers/runc) from 1.2.5 to 1.2.6. - [Release notes](https://github.com/opencontainers/runc/releases) - [Changelog](https://github.com/opencontainers/runc/blob/v1.2.6/CHANGELOG.md) - [Commits](https://github.com/opencontainers/runc/compare/v1.2.5...v1.2.6) --- updated-dependencies: - dependency-name: github.com/opencontainers/runc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
2025-06-26 18:18:24 +00:00 · 2025-03-18 08:39:18 +00:00
parent a72050442e
commit 002197d5b1
6 changed files with 34 additions and 55 deletions
--- a/vendor/github.com/opencontainers/runc/libcontainer/dmz/cloned_binary_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/dmz/cloned_binary_linux.go
@@ -47,11 +47,15 @@ func sealMemfd(f **os.File) error {
 	// errors because they are not needed and we want to continue
 	// to work on older kernels.
 	fd := (*f).Fd()
-	// F_SEAL_FUTURE_WRITE -- Linux 5.1
-	_, _ = unix.FcntlInt(fd, unix.F_ADD_SEALS, unix.F_SEAL_FUTURE_WRITE)
+
+	// Skip F_SEAL_FUTURE_WRITE, it is not needed because we alreadu use the
+	// stronger F_SEAL_WRITE (and is buggy on Linux <5.5 -- see kernel commit
+	// 05d351102dbe and <https://github.com/opencontainers/runc/pull/4640>).
+
 	// F_SEAL_EXEC -- Linux 6.3
 	const F_SEAL_EXEC = 0x20 //nolint:revive // this matches the unix.* name
 	_, _ = unix.FcntlInt(fd, unix.F_ADD_SEALS, F_SEAL_EXEC)
+
 	// Apply all original memfd seals.
 	_, err := unix.FcntlInt(fd, unix.F_ADD_SEALS, baseMemfdSeals)
 	return os.NewSyscallError("fcntl(F_ADD_SEALS)", err)
--- a/vendor/github.com/opencontainers/runc/libcontainer/system/linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/system/linux.go
@@ -6,8 +6,6 @@ import (
 	"fmt"
 	"io"
 	"os"
-	"strconv"
-	"syscall"
 	"unsafe"

 	"github.com/sirupsen/logrus"
@@ -43,49 +41,6 @@ func Exec(cmd string, args []string, env []string) error {
 	}
 }

-func execveat(fd uintptr, pathname string, args []string, env []string, flags int) error {
-	pathnamep, err := syscall.BytePtrFromString(pathname)
-	if err != nil {
-		return err
-	}
-
-	argvp, err := syscall.SlicePtrFromStrings(args)
-	if err != nil {
-		return err
-	}
-
-	envp, err := syscall.SlicePtrFromStrings(env)
-	if err != nil {
-		return err
-	}
-
-	_, _, errno := syscall.Syscall6(
-		unix.SYS_EXECVEAT,
-		fd,
-		uintptr(unsafe.Pointer(pathnamep)),
-		uintptr(unsafe.Pointer(&argvp[0])),
-		uintptr(unsafe.Pointer(&envp[0])),
-		uintptr(flags),
-		0,
-	)
-	return errno
-}
-
-func Fexecve(fd uintptr, args []string, env []string) error {
-	var err error
-	for {
-		err = execveat(fd, "", args, env, unix.AT_EMPTY_PATH)
-		if err != unix.EINTR { // nolint:errorlint // unix errors are bare
-			break
-		}
-	}
-	if err == unix.ENOSYS { // nolint:errorlint // unix errors are bare
-		// Fallback to classic /proc/self/fd/... exec.
-		return Exec("/proc/self/fd/"+strconv.Itoa(int(fd)), args, env)
-	}
-	return os.NewSyscallError("execveat", err)
-}
-
 func SetParentDeathSignal(sig uintptr) error {
 	if err := unix.Prctl(unix.PR_SET_PDEATHSIG, sig, 0, 0, 0); err != nil {
 		return err
--- a/vendor/github.com/opencontainers/runc/libcontainer/utils/cmsg.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/utils/cmsg.go
@@ -42,9 +42,20 @@ func RecvFile(socket *os.File) (_ *os.File, Err error) {
 	oob := make([]byte, oobSpace)

 	sockfd := socket.Fd()
-	n, oobn, _, _, err := unix.Recvmsg(int(sockfd), name, oob, unix.MSG_CMSG_CLOEXEC)
+	var (
+		n, oobn int
+		err     error
+	)
+
+	for {
+		n, oobn, _, _, err = unix.Recvmsg(int(sockfd), name, oob, unix.MSG_CMSG_CLOEXEC)
+		if err != unix.EINTR { //nolint:errorlint // unix errors are bare
+			break
+		}
+	}
+
 	if err != nil {
-		return nil, err
+		return nil, os.NewSyscallError("recvmsg", err)
 	}
 	if n >= MaxNameLen || oobn != oobSpace {
 		return nil, fmt.Errorf("recvfile: incorrect number of bytes read (n=%d oobn=%d)", n, oobn)
@@ -115,5 +126,10 @@ func SendFile(socket *os.File, file *os.File) error {
 // SendRawFd sends a specific file descriptor over the given AF_UNIX socket.
 func SendRawFd(socket *os.File, msg string, fd uintptr) error {
 	oob := unix.UnixRights(int(fd))
-	return unix.Sendmsg(int(socket.Fd()), []byte(msg), oob, nil, 0)
+	for {
+		err := unix.Sendmsg(int(socket.Fd()), []byte(msg), oob, nil, 0)
+		if err != unix.EINTR { //nolint:errorlint // unix errors are bare
+			return os.NewSyscallError("sendmsg", err)
+		}
+	}
 }
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -34,7 +34,7 @@ github.com/google/uuid
 # github.com/moby/sys/symlink v0.3.0
 ## explicit; go 1.17
 github.com/moby/sys/symlink
-# github.com/opencontainers/runc v1.2.5
+# github.com/opencontainers/runc v1.2.6
 ## explicit; go 1.22
 github.com/opencontainers/runc/libcontainer/dmz
 github.com/opencontainers/runc/libcontainer/system
@@ -53,6 +53,8 @@ github.com/pelletier/go-toml
 # github.com/pmezard/go-difflib v1.0.0
 ## explicit
 github.com/pmezard/go-difflib/difflib
+# github.com/rogpeppe/go-internal v1.11.0
+## explicit; go 1.19
 # github.com/russross/blackfriday/v2 v2.1.0
 ## explicit
 github.com/russross/blackfriday/v2