This repository has been archived by the owner on Jun 11, 2020. It is now read-only.
forked from opencontainers/runc
[17.06 backport] update libseccomp golang #13
Merged
thaJeztah
merged 8 commits into
docker-archive:17.06
from
kolyshkin:17.06_backport_update_libseccomp_golang
Sep 5, 2019
Conversation
Syscall argument handling was bugged in previous releases. Per-argument match rules were handled with OR logic when they should have used AND logic. The updated version of the bindings resolves this issue. As a side effect, the minimum supported version of Libseccomp has been raised from v2.1.0 to v2.2.0.
Signed-off-by: Matthew Heon <[email protected]>
(cherry picked from commit 03a5a74)
Signed-off-by: Sebastiaan van Stijn <[email protected]>

Signed-off-by: Matthew Heon <[email protected]>
(cherry picked from commit bbc847a)
Signed-off-by: Sebastiaan van Stijn <[email protected]>

Signed-off-by: Matthew Heon <[email protected]>
(cherry picked from commit 472fa3d)
Signed-off-by: Sebastiaan van Stijn <[email protected]>

`tip` should point to 1.10 already? (or soon-ish)
Signed-off-by: Vincent Demeester <[email protected]>
(cherry picked from commit ab0a6dd)
Signed-off-by: Kir Kolyshkin <[email protected]>

libapparmor is integrated in libcontainer using cgo but is only used to call a single function: aa_change_onexec. It turns out this function is simple enough (writing a string to a file in /proc/<n>/attr/...) to be re-implemented locally in libcontainer in plain Go. This allows dropping the dependency on libapparmor and the corresponding cgo integration.
Fixes opencontainers#1674
Signed-off-by: Tobias Klauser <[email protected]>
(cherry picked from commit db093f6)
Signed-off-by: Kir Kolyshkin <[email protected]>
Conflicts:
- minor conflict in .travis.yml due to missing go get lines

Signed-off-by: Andrei Vagin <[email protected]>
(cherry picked from commit fe03957)
Signed-off-by: Kir Kolyshkin <[email protected]>

This also removes the jessie-backport version of libseccomp and just uses the stretch bundled version.
Signed-off-by: Daniel Dao <[email protected]>
(cherry picked from commit 121c7b4)
Signed-off-by: Kir Kolyshkin <[email protected]>
Conflicts:
- Dockerfile: minor conflict due to different go version (1.8.0 vs 1.8)

Signed-off-by: Harald Nordgren <[email protected]>
(cherry picked from commit 630fb5b)
Signed-off-by: Kir Kolyshkin <[email protected]>
thaJeztah
approved these changes
Sep 5, 2019
LGTM
All green! Let me merge this one
This is a continuation of #12 with a few more commits on top, mostly trying to fix Travis CI and update Golang to 1.10+
closes #12
addresses ENGCORE-866
backport of opencontainers#1424 for 17.06
A bug in Seccomp filter handling was recently identified in Moby related to handling of syscall arguments in Seccomp filters (moby/moby#32714). The bug was in the libseccomp-golang bindings, and has been fixed there. This PR updates the bindings to include this fix, and provides integration tests to catch regressions in this behavior.
The minimum supported version of libseccomp is bumped from v2.1.0 to v2.2.0 by associated changes to the bindings. Support for v2.1.0 was never very good (some features had to be gated off because of a library bug), though it is still the version provided by a few major distributions. If this change is contentious, I can see about backing out the changes that require v2.2.0.
This fixes CVE-2017-18367: multiple syscall arguments were incorrectly combined with logical-OR instead of logical-AND.
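The AND-versus-OR defect described in this PR, as an added illustration that is not code from runc or libseccomp-golang: a pure-Go model of per-argument rule evaluation in which the `Op`/`Arg` types, the `RuleMatches` function, and the socket() rule with its constant values used in the test are all constructed for this example.

```go
package main

// Op is a comparison operator for one syscall argument (hypothetical subset of
// the SCMP_CMP_* operators accepted in runc seccomp profiles).
type Op int

const (
	OpEQ       Op = iota // arg == Value
	OpNE                 // arg != Value
	OpMaskedEQ           // (arg & Value) == ValueTwo
)

// Arg is one per-argument condition of a rule (hypothetical type modelled on
// the Index/Value/ValueTwo/Op fields of a runc profile).
type Arg struct {
	Index    uint
	Value    uint64
	ValueTwo uint64
	Op       Op
}

// holds reports whether this single condition is true for the call's arguments.
func (a Arg) holds(args [6]uint64) bool {
	if a.Index >= uint(len(args)) {
		return false // malformed condition: never matches
	}
	v := args[a.Index]
	switch a.Op {
	case OpEQ:
		return v == a.Value
	case OpNE:
		return v != a.Value
	case OpMaskedEQ:
		return (v & a.Value) == a.ValueTwo
	}
	return false
}

// RuleMatches evaluates a rule's argument conditions against one call: fixed=true
// applies the AND semantics the updated bindings restore; fixed=false reproduces
// the pre-fix OR behaviour (CVE-2017-18367), matching on any single condition.
func RuleMatches(conds []Arg, args [6]uint64, fixed bool) bool {
	matched := 0
	for _, c := range conds {
		if c.holds(args) {
			matched++
		}
	}
	if fixed || len(conds) == 0 { // AND; a rule with no arg filter always matches
		return matched == len(conds)
	}
	return matched > 0 // OR: a two-argument rule fires when either argument alone matches
}
```

With OR semantics a rule meant to single out one (domain, type) pair fires on every call sharing either value, so an allow rule written against several arguments admits far more calls than its author intended.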