Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package crun for openSUSE:Factory checked in at 2024-11-08 11:56:12 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/crun (Old) and /work/SRC/openSUSE:Factory/.crun.new.2017 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "crun" Fri Nov 8 11:56:12 2024 rev:26 rq:1222067 version:1.18.2 Changes: -------- --- /work/SRC/openSUSE:Factory/crun/crun.changes 2024-10-29 14:32:14.450283983 +0100 +++ /work/SRC/openSUSE:Factory/.crun.new.2017/crun.changes 2024-11-08 11:58:49.876089409 +0100 @@ -1,0 +2,6 @@ +Tue Nov 5 07:14:16 UTC 2024 - Madhankumar Chellamuthu <madhankumar.chellamu...@suse.com> + +- Update to crun v1.18.2 Upstream changelog is available from + <https://github.com/containers/crun/releases/tag/1.18.2> + +------------------------------------------------------------------- Old: ---- crun-1.18.tar.gz crun-1.18.tar.gz.asc New: ---- crun-1.18.2.tar.gz crun-1.18.2.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ crun.spec ++++++ --- /var/tmp/diff_new_pack.TrlEWA/_old 2024-11-08 11:58:50.384110595 +0100 +++ /var/tmp/diff_new_pack.TrlEWA/_new 2024-11-08 11:58:50.388110762 +0100 @@ -27,7 +27,7 @@ %endif Name: crun -Version: 1.18 +Version: 1.18.2 Release: 0 Summary: OCI runtime written in C License: GPL-2.0-or-later ++++++ crun-1.18.tar.gz -> crun-1.18.2.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.18/.tarball-git-version.h new/crun-1.18.2/.tarball-git-version.h --- old/crun-1.18/.tarball-git-version.h 2024-10-22 14:42:52.000000000 +0200 +++ new/crun-1.18.2/.tarball-git-version.h 2024-10-31 17:29:12.000000000 +0100 @@ -1,4 +1,4 @@ /* autogenerated. */ #ifndef GIT_VERSION -# define GIT_VERSION "8656b2548509fcc69ea7e8823a870564360a57a1" +# define GIT_VERSION "00ab38af875ddd0d1a8226addda52e1de18339b5" #endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.18/.tarball-version new/crun-1.18.2/.tarball-version --- old/crun-1.18/.tarball-version 2024-10-22 14:42:52.000000000 +0200 +++ new/crun-1.18.2/.tarball-version 2024-10-31 17:29:12.000000000 +0100 
@@ -1 +1 @@ -1.18 +1.18.2 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.18/NEWS new/crun-1.18.2/NEWS --- old/crun-1.18/NEWS 2024-10-22 14:24:17.000000000 +0200 +++ new/crun-1.18.2/NEWS 2024-10-31 17:28:16.000000000 +0100 @@ -1,3 +1,16 @@ +* crun-1.18.2 + +- cgroup, systemd: fix a regression when a configuration file includes only one + default rule. + +* crun-1.18.1 + +- cgroup: deprecate cgroup v1. +- cgroup: fix regression setting up the devices cgroup on cgroup v1. +- cgroup: fix regression and work again with the default Docker devices + configuration on systemd. +- linux: fix setting up user namespace when newuidmap/newgidmap are not available. + * crun-1.18 - cgroup: support running without a sub-cgroup with systemd. Use the diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.18/configure new/crun-1.18.2/configure --- old/crun-1.18/configure 2024-10-22 14:42:27.000000000 +0200 +++ new/crun-1.18.2/configure 2024-10-31 17:28:48.000000000 +0100 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for crun 1.18. +# Generated by GNU Autoconf 2.69 for crun 1.18.2. # # Report bugs to <giuse...@scrivano.org>. # @@ -590,8 +590,8 @@ # Identity of this package. PACKAGE_NAME='crun' PACKAGE_TARNAME='crun' -PACKAGE_VERSION='1.18' -PACKAGE_STRING='crun 1.18' +PACKAGE_VERSION='1.18.2' +PACKAGE_STRING='crun 1.18.2' PACKAGE_BUGREPORT='giuse...@scrivano.org' PACKAGE_URL='' @@ -1433,7 +1433,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures crun 1.18 to adapt to many kinds of systems. +\`configure' configures crun 1.18.2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... 
@@ -1504,7 +1504,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of crun 1.18:";; + short | recursive ) echo "Configuration of crun 1.18.2:";; esac cat <<\_ACEOF @@ -1664,7 +1664,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -crun configure 1.18 +crun configure 1.18.2 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2270,7 +2270,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by crun $as_me 1.18, which was +It was created by crun $as_me 1.18.2, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -12123,7 +12123,7 @@ # Define the identity of the package. PACKAGE='crun' - VERSION='1.18' + VERSION='1.18.2' cat >>confdefs.h <<_ACEOF @@ -16665,7 +16665,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by crun $as_me 1.18, which was +This file was extended by crun $as_me 1.18.2, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -16731,7 +16731,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -crun config.status 1.18 +crun config.status 1.18.2 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.18/crun.1 new/crun-1.18.2/crun.1 --- old/crun-1.18/crun.1 2024-10-22 14:24:17.000000000 +0200 +++ new/crun-1.18.2/crun.1 2024-10-30 11:46:38.000000000 +0100 
@@ -834,6 +834,11 @@
 is automatically added starting with ID 1.
+.SH CGROUP v1
+.PP
+Support for cgroup v1 is deprecated and will be removed in a future release.
+
+
 .SH CGROUP v2
 .PP
 \fBNote\fP: cgroup v2 does not yet support control of realtime processes and
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.18/crun.1.md new/crun-1.18.2/crun.1.md
--- old/crun-1.18/crun.1.md 2024-10-22 14:24:17.000000000 +0200
+++ new/crun-1.18.2/crun.1.md 2024-10-30 11:46:38.000000000 +0100
@@ -664,6 +664,10 @@
 additional id specified in the files `/etc/subuid` and `/etc/subgid` is automatically added starting with ID 1.
+# CGROUP v1
+
+Support for cgroup v1 is deprecated and will be removed in a future release.
+
 # CGROUP v2
 **Note**: cgroup v2 does not yet support control of realtime processes and
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.18/src/libcrun/cgroup-systemd.c new/crun-1.18.2/src/libcrun/cgroup-systemd.c
--- old/crun-1.18/src/libcrun/cgroup-systemd.c 2024-10-22 14:24:17.000000000 +0200
+++ new/crun-1.18.2/src/libcrun/cgroup-systemd.c 2024-10-31 17:28:16.000000000 +0100
@@ -50,6 +50,8 @@
 # define SYSTEMD_MISSING_PROPERTIES_DIR ".cache/systemd-missing-properties"
+# define IS_WILDCARD(x) (x <= 0)
+
 static int
 register_missing_property_from_message (const char *state_dir, const char *message, libcrun_error_t *err)
 {
@@ -1150,8 +1152,6 @@
 char device[64];
 int sd_err;
-# define IS_WILDCARD(x) (x <= 0)
-
 if (IS_WILDCARD (major) && ! IS_WILDCARD (minor))
 {
 libcrun_warning ("devices rule with wildcard for major is not supported and it is ignored with systemd");
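Review bot: The `IS_WILDCARD` macro that this hunk promotes to file scope leaves its argument unparenthesized, `(x <= 0)`, so an argument containing a lower-precedence operator would bind incorrectly; now that it is visible to the whole file it should read `# define IS_WILDCARD(x) ((x) <= 0)`. Every caller visible in this patch passes an identifier or a struct field, so this is a style point rather than a present defect. The rule that both zero and negative numbers mean "any" is not obvious from the name and deserves a comment next to the definition, e.g. `/* major/minor <= 0 means "any device number"; presumably an omitted field parses as 0 and an explicit wildcard as -1 — confirm. */`.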
@@ -1169,10 +1169,161 @@
 if (UNLIKELY (sd_err < 0))
 return crun_make_error (err, -sd_err, "sd-bus message append DeviceAllow `%s` with access `%s`", device, access);
-# undef IS_WILDCARD
 return 0;
 }
+# define MODE_R 1
+# define MODE_W 2
+# define MODE_M 4
+
+static int
+access_to_mode (const char *access, libcrun_error_t *err)
+{
+ int mode = 0;
+
+ while (access && *access)
+ {
+ int c = *access++;
+
+ switch (c)
+ {
+ case 'r':
+ mode |= MODE_R;
+ break;
+
+ case 'w':
+ mode |= MODE_W;
+ break;
+
+ case 'm':
+ mode |= MODE_M;
+ break;
+
+ default:
+ return crun_make_error (err, 0, "unknown access string specified: `%c`", c);
+ }
+ }
+ return mode;
+}
+
+/* check if the type b is included in type a. */
+static bool
+has_same_type (const char *a, const char *b)
+{
+ bool a_all = a == NULL || strcmp (a, "a") == 0;
+ if (b == NULL || strcmp (b, "a") == 0)
+ return a_all;
+
+ return a_all || strcmp (a, b) == 0;
+}
+
+/* check if there is already another "deny rule" specified before that already blocks the
+ * device DEVICES[n]. */
+static int
+is_deny_rule_redundant (runtime_spec_schema_defs_linux_device_cgroup **devices, size_t n, libcrun_error_t *err)
+{
+ size_t i;
+ int req_mode;
+
+# define CMP_DEV_NUM(a, b) ((a) == (b) || IS_WILDCARD (a) || IS_WILDCARD (b))
+
+ req_mode = access_to_mode (devices[n]->access, err);
+ if (UNLIKELY (req_mode < 0))
+ return req_mode;
+
+ for (i = n; i > 0; i--)
+ {
+ size_t current_rule = i - 1;
+ int mode;
+
+ if (! CMP_DEV_NUM (devices[n]->minor, devices[current_rule]->minor))
+ continue;
+ if (! CMP_DEV_NUM (devices[n]->major, devices[current_rule]->major))
+ continue;
+
+ if (! has_same_type (devices[n]->type, devices[current_rule]->type)
+ && has_same_type ("a", devices[current_rule]->type))
+ continue;
+
+ mode = access_to_mode (devices[i]->access, err);
+ if (UNLIKELY (mode < 0))
+ return mode;
+
+ if (devices[current_rule]->allow && (mode & req_mode))
+ return 0;
+
+ req_mode &= ! mode;
+
+ /* no more access bits to validate. */
+ if (req_mode == 0)
+ return 1;
+ }
+
+ return 0;
+# undef CMP_DEV_NUM
+}
+
+static size_t
+find_first_rule_no_default (runtime_spec_schema_defs_linux_device_cgroup **devices, size_t n)
+{
+ size_t i;
+
+ if (n == 0)
+ return 1;
+
+ /* Find the first rule that is after the last "block all". */
+ for (i = n - 1; i-- > 0;)
+ {
+ if ((is_empty_string (devices[i]->type) || strcmp (devices[i]->type, "a") == 0)
+ && IS_WILDCARD (devices[i]->major)
+ && IS_WILDCARD (devices[i]->minor)
+ && (! devices[i]->allow))
+ return i + 1;
+ }
+
+ /* If there is not a default rule, the skip to the first rule that is not a deny rule. */
+ for (i = 0; i < n; i++)
+ if (devices[i]->allow)
+ return i;
+
+ /* All blocked. Move at the end of the array and rely on the default block all devices rule. */
+ return n + 1;
+}
+
+static bool
+has_allow_all (runtime_spec_schema_defs_linux_device_cgroup **devices, size_t n)
+{
+# define DEV_TYPE_BLOCK 1
+# define DEV_TYPE_CHAR 2
+ int remaining = DEV_TYPE_BLOCK | DEV_TYPE_CHAR;
+ size_t i;
+
+ for (i = 0; i < n; i++)
+ {
+ size_t current_rule = n - i - 1;
+ if (! devices[current_rule]->allow)
+ return false;
+
+ if (IS_WILDCARD (devices[current_rule]->major) && IS_WILDCARD (devices[current_rule]->minor))
+ {
+ if (is_empty_string (devices[current_rule]->type) || strcmp (devices[current_rule]->type, "a") == 0)
+ return true;
+
+ if (strcmp (devices[current_rule]->type, "c") == 0)
+ remaining &= ~DEV_TYPE_CHAR;
+ else if (strcmp (devices[current_rule]->type, "b") == 0)
+ remaining &= ~DEV_TYPE_BLOCK;
+
+ if (remaining == 0)
+ return true;
+ }
+ }
+# undef DEV_TYPE_BLOCK
+# undef DEV_TYPE_CHAR
+
+ return false;
+}
+
 static int
 append_devices (sd_bus_message *m, runtime_spec_schema_config_linux_resources *resources,
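Review bot: In `is_deny_rule_redundant` the loop compares device numbers and type against `devices[current_rule]` (index `i - 1`) but reads the access string from `devices[i]`, so the first iteration examines the deny rule under test itself and later iterations the rule one slot after the one being compared; it should be `mode = access_to_mode (devices[current_rule]->access, err);`. The bit clearing a few lines below uses logical not, `req_mode &= ! mode;`, which evaluates to 0 or 1 rather than the complement, so any earlier matching rule with a non-empty access string wipes every remaining bit and the deny is declared redundant even when only part of its r/w/m set was covered; it should be `req_mode &= ~mode;`. The net effect is that the answer does not reflect the earlier rules' access bits at all, which from the orderings I can construct mostly produces spurious "systemd does not support deny rules for devices" failures on valid specs, but in some orderings lets a deny that is not actually covered be skipped silently, the unsafe direction for a device policy. The type check also looks reversed: `has_same_type (a, b)` is documented as "b included in a" and the second conjunct `has_same_type ("a", ...)` is always true, so an earlier deny with type "a" is never credited against a later "c" or "b" deny; `if (! has_same_type (devices[current_rule]->type, devices[n]->type)) continue;` appears to be the intended test and is worth confirming against the semantics the author had in mind.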
@@ -1182,18 +1333,13 @@
 int ret, sd_err;
 size_t i;
+ if (has_allow_all (resources->devices, resources->devices_len))
+ return 0;
+
 sd_err = sd_bus_message_append (m, "(sv)", "DevicePolicy", "s", "strict");
 if (UNLIKELY (sd_err < 0))
 return crun_make_error (err, -sd_err, "sd-bus message append DevicePolicy");
- sd_err = sd_bus_message_append (m, "(sv)", "DeviceAllow", "a(ss)", 0);
- if (UNLIKELY (sd_err < 0))
- return crun_make_error (err, -sd_err, "sd-bus message append DeviceAllow");
-
- sd_err = sd_bus_message_append (m, "(sv)", "DeviceAllow", "a(ss)", 0);
- if (UNLIKELY (sd_err < 0))
- return crun_make_error (err, -sd_err, "sd-bus message append DeviceAllow");
-
 for (i = 0; default_devices[i].type; i++)
 {
 ret = append_device_allow (m, default_devices[i].type, default_devices[i].major, default_devices[i].minor, default_devices[i].access, err);
@@ -1204,16 +1350,22 @@
 if (resources == NULL)
 return 0;
- for (i = 0; i < resources->devices_len; i++)
+ for (i = find_first_rule_no_default (resources->devices, resources->devices_len); i < resources->devices_len; i++)
 {
 runtime_spec_schema_defs_linux_device_cgroup *d = resources->devices[i];
 char type;
 if (! d->allow)
 {
- /* Ignore the default rule. */
- if (d->major == 0 && d->major == 0)
+ int redundant;
+
+ redundant = is_deny_rule_redundant (resources->devices, i, err);
+ if (UNLIKELY (redundant < 0))
+ return redundant;
+
+ if (redundant)
 continue;
+
 return crun_make_error (err, 0, "systemd does not support deny rules for devices");
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.18/src/libcrun/container.c new/crun-1.18.2/src/libcrun/container.c
--- old/crun-1.18/src/libcrun/container.c 2024-10-22 14:24:17.000000000 +0200
+++ new/crun-1.18.2/src/libcrun/container.c 2024-10-30 11:46:38.000000000 +0100
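Review bot: `has_allow_all (resources->devices, resources->devices_len)` at the top of `append_devices` dereferences `resources` before the existing `if (resources == NULL) return 0;` guard that the following hunk still shows further down, so a NULL `resources` now crashes where it previously returned after appending the default devices; write it as `if (resources && has_allow_all (resources->devices, resources->devices_len)) return 0;` or hoist the NULL check above it. The early return also leaves `DevicePolicy` at systemd's default instead of "strict", which is presumably intended when the spec grants every device but is not stated anywhere; a comment such as `/* The spec allows every device: leave DevicePolicy at the systemd default instead of enumerating allow rules. */` would make that explicit. `append_devices` begins before this hunk.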
@@ -2365,6 +2365,14 @@
 struct libcrun_dirfd_s cgroup_dirfd_s;
 struct libcrun_seccomp_gen_ctx_s seccomp_gen_ctx;
 const char *seccomp_bpf_data = find_annotation (container, "run.oci.seccomp_bpf_data");
+ int cgroup_mode;
+
+ cgroup_mode = libcrun_get_cgroup_mode (err);
+ if (UNLIKELY (cgroup_mode < 0))
+ return cgroup_mode;
+
+ if (cgroup_mode != CGROUP_MODE_UNIFIED)
+ libcrun_warning ("cgroup v1 is deprecated and will be removed in a future release. Use cgroup v2");
 if (def->hooks && (def->hooks->prestart_len || def->hooks->poststart_len || def->hooks->create_runtime_len
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.18/src/libcrun/linux.c new/crun-1.18.2/src/libcrun/linux.c
--- old/crun-1.18/src/libcrun/linux.c 2024-10-22 14:24:17.000000000 +0200
+++ new/crun-1.18.2/src/libcrun/linux.c 2024-10-30 11:46:38.000000000 +0100
@@ -2873,17 +2873,18 @@
 }
 static int
-uidgidmap_helper (char *helper, pid_t pid, char *map_file, libcrun_error_t *err)
+uidgidmap_helper (char *helper, pid_t pid, const char *map_file, libcrun_error_t *err)
 {
 #define MAX_ARGS 20
 char pid_fmt[16];
 char *args[MAX_ARGS + 1];
 char *next;
+ cleanup_free char *map_file_copy = xstrdup (map_file);
 size_t nargs = 0;
 args[nargs++] = helper;
 sprintf (pid_fmt, "%d", pid);
 args[nargs++] = pid_fmt;
- next = map_file;
+ next = map_file_copy;
 while (nargs < MAX_ARGS)
 {
 char *p = strsep (&next, " \n");
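Review bot: The new `cleanup_free char *map_file_copy = xstrdup (map_file);` in `uidgidmap_helper` is what lets `map_file` become `const` and keeps `strsep` from writing NULs into the caller's buffer, but nothing near the declaration says why a copy is needed; a one-line comment would save the next reader from "simplifying" it away: `/* strsep() modifies its input: tokenize a private copy so the caller's MAP_FILE stays intact. */`. From the NEWS entry this presumably matters because the caller reuses the mapping when newuidmap/newgidmap are unavailable, which cannot be confirmed from the hunk. Whether `xstrdup` tolerates a NULL `map_file` is also not visible here, so if any caller can pass NULL the copy needs a guard. The rest of `uidgidmap_helper`, including how the argv is terminated after the `while` loop, lies outside the hunk.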
@@ -2897,13 +2898,13 @@
 }
 static int
-newgidmap (pid_t pid, char *map_file, libcrun_error_t *err)
+newgidmap (pid_t pid, const char *map_file, libcrun_error_t *err)
 {
 return uidgidmap_helper ("newgidmap", pid, map_file, err);
 }
 static int
-newuidmap (pid_t pid, char *map_file, libcrun_error_t *err)
+newuidmap (pid_t pid, const char *map_file, libcrun_error_t *err)
 {
 return uidgidmap_helper ("newuidmap", pid, map_file, err);
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.18/src/libcrun/utils.c new/crun-1.18.2/src/libcrun/utils.c
--- old/crun-1.18/src/libcrun/utils.c 2024-10-22 14:24:17.000000000 +0200
+++ new/crun-1.18.2/src/libcrun/utils.c 2024-10-30 11:46:38.000000000 +0100
@@ -1930,7 +1930,7 @@
 it = ".";
 len = snprintf (path, PATH_MAX, "%s/%s", it, executable_path);
- if (len == PATH_MAX)
+ if (len >= PATH_MAX)
 continue;
 ret = check_access (path);
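Review bot: `if (len >= PATH_MAX) continue;` now catches every truncated candidate that `== PATH_MAX` missed, but `snprintf` can also return a negative value on an encoding error, and that result still falls through to `check_access (path)` on a buffer whose contents are unspecified; assuming `len` is an `int` as `snprintf` returns, the test should be `if (len < 0 || len >= PATH_MAX) continue;`. Since this loop decides which file on the search path gets probed and, presumably, executed, skipping a malformed candidate is the safer outcome. The enclosing function starts and ends outside the hunk.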