cyphar released this
Mar 28, 2019
WARNING: There is a regression in this release for old kernels, which we are working on fixing in #2031.
Due to CVE-2019-5736, we had to do another -rc release so users can update. We hope to be able to release 1.0.0 in the near future (there is still an outstanding spec-compliance issue with OCI hooks which we need to resolve first).
This also updates runc to a vendored commit of the runtime-spec rather than a full release, which will hopefully be rectified with runc 1.0.0. #k
Mitigate CVE-2019-5736. This is an updated version of the patch series sent out on openwall and we encourage users to update. #1982 #1984
NOTE: This mitigation WILL NOT WORK if you run untrusted containers with host uid 0 and give them CAP_SYS_ADMIN (the protection operates through a hidden read-only bind-mount which can be re-mounted by CAP_SYS_ADMIN privileged users).
Put simply -- we consider granting CAP_SYS_ADMIN to untrusted containers without user namespaces to be fundamentally insecure, as such we do not consider this to be a security issue.
If you want an additional host-level mitigation, use chattr +i on the host file to ensure containers without CAP_LINUX_IMMUTABLE cannot write to it -- even with CAP_SYS_ADMIN. But as above, if you give CAP_LINUX_IMMUTABLE to a container you will have problems.
An alternative is to bind-mount a sealed memfd copy of the runc binary over the binary (runc will detect this and will not attempt further mitigation, because sealed memfds are fundamentally unmodifiable) but this requires more in-depth work by administrators.
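The sealed-memfd mitigation described above, as an added example written for this page rather than runc's own code: it copies a binary into a memfd, applies the full seal set, and checks the properties an administrator (or a runtime detecting a pre-sealed copy) would rely on. The exact seal combination runc checks for is an assumption here, as are the helper names.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sys/syscall.h>
#include <unistd.h>
/* Fallback values for toolchains whose headers predate memfd sealing. */
#ifndef F_ADD_SEALS
#define F_ADD_SEALS 1033
#define F_GET_SEALS 1034
#define F_SEAL_SEAL 1
#define F_SEAL_SHRINK 2
#define F_SEAL_GROW 4
#define F_SEAL_WRITE 8
#endif
#define MFD_CLOEXEC_FLAG 1u       /* MFD_CLOEXEC */
#define MFD_ALLOW_SEALING_FLAG 2u /* MFD_ALLOW_SEALING */
/* Seals that fix the copy's size, its contents and the seal set itself (assumed set). */
#define FULL_SEALS (F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL)
/* Copy all of src_fd into a new memfd and seal it; returns the fd or -1. */
int make_sealed_copy(int src_fd)
{
    int mfd = (int)syscall(SYS_memfd_create, "sealed-copy", MFD_CLOEXEC_FLAG | MFD_ALLOW_SEALING_FLAG);
    if (mfd < 0) return -1;
    char buf[65536]; ssize_t n, off, w;
    while ((n = read(src_fd, buf, sizeof buf)) > 0)
        for (off = 0; off < n; off += w)
            if ((w = write(mfd, buf + off, n - off)) < 0) { close(mfd); return -1; }
    if (n < 0 || fcntl(mfd, F_ADD_SEALS, FULL_SEALS) < 0) { close(mfd); return -1; }
    return mfd;
}
/* Recognise a pre-sealed copy: every seal in FULL_SEALS must be present. */
int is_fully_sealed(int fd)
{
    int seals = fcntl(fd, F_GET_SEALS);
    return seals >= 0 && (seals & FULL_SEALS) == FULL_SEALS;
}
/* Demo on a constructed stand-in binary (not real runc): 1 = sealed, same length, write refused. */
int demo_sealed_copy(void)
{
    static const char stand_in[] = "#!/bin/sh\necho constructed stand-in\n";
    int src = (int)syscall(SYS_memfd_create, "stand-in", MFD_CLOEXEC_FLAG);
    if (src < 0 || write(src, stand_in, sizeof stand_in - 1) < 0 || lseek(src, 0, SEEK_SET) < 0)
        return -1;
    int sealed = make_sealed_copy(src); close(src);
    if (sealed < 0) return -1;
    int ok = is_fully_sealed(sealed) && lseek(sealed, 0, SEEK_END) == (off_t)(sizeof stand_in - 1)
          && write(sealed, "x", 1) < 0 && errno == EPERM;
    close(sealed); return ok;
}
```

On a host the sealed fd would then be bind-mounted over the runc path (e.g. via /proc/self/fd/N); the EPERM on write is what makes the copy unmodifiable even for a CAP_SYS_ADMIN process.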
There appear to be production users of --no-pivot-root, which is something that we absolutely recommend against and do not consider to be a secure configuration -- since pivot_root(2) has many security properties that are not possible to provide with just chroot(2).
However, a specific issue was discovered which we decided to mitigate in order to avoid production users being exploited by it. This security issue is not eligible for a CVE because it requires an insecure configuration (--no-pivot-root). #1962
Thanks to all of the contributors that made this release possible:
With special thanks and well-wishes to Victor Marmol and Rohit Jnagal, who have both decided to give up their maintainership. Thanks for all of your contributions over the years, and good luck with your future endeavours!
Signed-off-by: Aleksa Sarai email@example.com
cyphar released this
Nov 22, 2018
This is the final feature release of runc before 1.0, rather than 1.0 itself. The reason for this is that, during the preparations for this release (which was originally meant to be 1.0), it was brought up that there were several spec-compliance problems. One of these was related to hook ordering, and upon trying to fix them it turns out that many users (notably the NVIDIA OCI hooks) make use of our incorrect hook ordering. Many of the proposed solutions to this problem require a lot of time and co-ordination, and thus would stall this release indefinitely.
So, the idea is to have an intermediate release which will mark a freeze-on-everything-except-spec-compliance-bugs. No other changes will be included pre-1.0 (aside from security patches obviously).
Fixes (for spec violations):
cyphar released this
Feb 27, 2018
This is planned to be the final -rc release of runc. While we really haven't followed the rules for release candidates (with huge features introduced each release, and with massive gaps between releases), the hope is that once we've released 1.0.0 we will be much more liberal with releases in future. Let's see how that pans out. :P
Delay seccomp application as late as possible, to reduce the syscall footprint of runc on profiles. #1569
Fix --read-only containers with user namespaces, which would previously fail under Docker because of privilege problems when trying to do the read-only remount. #1572
Switch away from stateDirFd entirely. This is an improvement over the protections we added for CVE-2016-9962, and protects against many other possible container escape bugs. #1570
Handle races between "runc start" and "runc delete" over the exec FIFO correctly, and avoid blocking "runc start" indefinitely. #1698
Correctly generate seccomp profiles that place requirements on syscall arguments, as well as multi-argument restrictions. #1616 #1424
Prospective patch for remounting of old-root during pivot_root. This is intended to solve one of the many "mount leak" bugs that have been popping up recently -- caused by lots of container churn and host mounts being pinned during container setup. #1500
Fix "runc exec" on big-endian architectures. #1727
Correct systemd slice expansion to work with cAdvisor. #1722
Fix races against systemd cgroup scope creation. #1683
Do not wait for signalled processes if libcontainer is running in a process that is a subreaper. #1678
Remove dependency on libapparmor entirely, and just use /proc/$pid/attr directly. #1675
Improvements to our integration tests. #1661 #1629 #1528
Handle systemd's quirky CPUQuotaPerSecUSec handling in fractions-of-a-percent edge-cases. #1651
Remove docker/docker import in runc by moving the package to runc. #1644
Switch from docker's pkg/symlink to cyphar/filepath-securejoin. #1622
Enable integration and unit tests on arm64. #1642 #1640
Add /proc/scsi to masked paths (mirror of Docker's CVE-2017-16539). #1641
Add several tests for specconv. #1626 #1619
Add more extensive tests for terminal handling. #1357
Always write freezer state during retry-loop, to avoid an indefinite hang when new tasks are spawned in the container. #1610
Create cwd when it doesn't exist in the container. #1604
Set initial console size based on process spec, to avoid SIGWINCH races where initial console size is completely wrong. #1275
Small fixes for static builds. #1579 #1577
Use epoll for PTY IO, to avoid issues with systemd's SAK protections. #1455
Update state.json after a "runc update". #1558
Switch to umoci's release scripts, to use a more "standardised" and distribution-friendly release scheme. Several makefile-fixes included as well. #1554 #1542 #1555
Reap "runc:[1:CHILD]" to avoid intermediate zombies building up. #1506
Use CRIU's RPC to check the version. #1535
Always save own namespace paths rather than the path given during start-up, to avoid issues where the path disappears afterwards. #1477
Fix that we incorrectly set the owners of devices. This is still (subtly) broken in user namespaces, but will be fixed in a future version. #1743
Lots of other miscellaneous fixes and cleanups, many of which were written by first-time contributors. Thanks for contributing, and welcome to the project! #1729 #1724 #1695 #1685 #1703 #1699 #1682 #1665 #1667 #1669 #1654 #1664 #1660 #1645 #1640 #1621 #1607 #1206 #1615 #1614 #1453 #1613 #1600 #1599 #1598 #1597 #1593 #1586 #1588 #1587 #1589 #1575 #1578 #1573 #1561 #1560 #1559 #1556 #1551 #1553 #1548 #1544 #1545 #1537
Vote: +5 -0 #2 Signed-off-by: Aleksa Sarai firstname.lastname@example.org