Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package conmon for openSUSE:Factory checked 
in at 2021-09-26 21:48:26
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/conmon (Old)
 and      /work/SRC/openSUSE:Factory/.conmon.new.1899 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "conmon"

Sun Sep 26 21:48:26 2021 rev:22 rq:921243 version:2.0.30

Changes:
--------
--- /work/SRC/openSUSE:Factory/conmon/conmon.changes    2021-07-30 
23:21:53.647655026 +0200
+++ /work/SRC/openSUSE:Factory/.conmon.new.1899/conmon.changes  2021-09-26 
21:49:05.834806513 +0200
@@ -1,0 +2,10 @@
+Fri Sep 24 07:31:03 UTC 2021 - Paolo Stivanin <i...@paolostivanin.com>
+
+- Update to version 2.0.30:
+  * Remove unreachable code path
+  * exit: report if the exit command was killed
+  * exit: fix race zombie reaper
+  * conn_sock: allow watchdog messages through the notify socket proxy
+  * seccomp: add support for seccomp notify
+
+-------------------------------------------------------------------

Old:
----
  conmon-2.0.29.tar.xz

New:
----
  conmon-2.0.30.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ conmon.spec ++++++
--- /var/tmp/diff_new_pack.yfFIvm/_old  2021-09-26 21:49:06.282807012 +0200
+++ /var/tmp/diff_new_pack.yfFIvm/_new  2021-09-26 21:49:06.282807012 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           conmon
-Version:        2.0.29
+Version:        2.0.30
 Release:        0
 Summary:        An OCI container runtime monitor
 License:        Apache-2.0
@@ -25,7 +25,9 @@
 URL:            https://github.com/containers/conmon
 Source0:        %{name}-%{version}.tar.xz
 BuildRequires:  glib2-devel
+BuildRequires:  pkgconfig
 BuildRequires:  golang(API) >= 1.16
+BuildRequires:  pkgconfig(libseccomp)
 BuildRequires:  pkgconfig(libsystemd)
 
 %description
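Review bot: The new `BuildRequires:  pkgconfig(libseccomp)` carries no version, while the seccomp notify support it is meant to enable is gated upstream by the `hack/seccomp-notify.sh` probe on libseccomp >= 2.5.0 plus a kernel header that declares `struct seccomp_notif_sizes`; on a build host with an older libseccomp the probe prints nothing and the feature is compiled out with no build failure. Pin the floor so the packager learns about it at dependency resolution time rather than by inspecting the resulting binary: `BuildRequires:  pkgconfig(libseccomp) >= 2.5.0`. The same applies to the unversioned `BuildRequires: libseccomp-devel` added to contrib/spec/conmon.spec.in further down in this diff.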
@@ -46,6 +48,6 @@
 %license LICENSE
 %doc README.md
 %{_bindir}/%{name}
-%{_mandir}/man8/conmon*.8*
+%{_mandir}/man8/conmon*.8%{?ext_man}
 
 %changelog

++++++ _service ++++++
--- /var/tmp/diff_new_pack.yfFIvm/_old  2021-09-26 21:49:06.306807039 +0200
+++ /var/tmp/diff_new_pack.yfFIvm/_new  2021-09-26 21:49:06.310807043 +0200
@@ -4,7 +4,7 @@
 <param name="scm">git</param>
 <param name="versionformat">@PARENT_TAG@</param>
 <param name="versionrewrite-pattern">[v]?([^\+]+)(.*)</param>
-<param name="revision">v2.0.29</param>
+<param name="revision">v2.0.30</param>
 <param name="changesgenerate">enable</param>
 </service>
 <service name="recompress" mode="disabled">

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.yfFIvm/_old  2021-09-26 21:49:06.326807061 +0200
+++ /var/tmp/diff_new_pack.yfFIvm/_new  2021-09-26 21:49:06.326807061 +0200
@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/containers/conmon</param>
-              <param 
name="changesrevision">7e6de6678f6ed8a18661e1d5721b81ccee293b9b</param></service></servicedata>
\ No newline at end of file
+              <param 
name="changesrevision">2792c16f4436f1887a7070d9ad99d9c29742f38a</param></service></servicedata>

++++++ conmon-2.0.29.tar.xz -> conmon-2.0.30.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/conmon-2.0.29/.cirrus.yml 
new/conmon-2.0.30/.cirrus.yml
--- old/conmon-2.0.29/.cirrus.yml       2021-06-02 18:20:07.000000000 +0200
+++ new/conmon-2.0.30/.cirrus.yml       2021-09-21 22:13:00.000000000 +0200
@@ -23,17 +23,15 @@
     FEDORA_NAME: "fedora-34"
     PRIOR_FEDORA_NAME: "fedora-33"
     UBUNTU_NAME: "ubuntu-2104"
-    PRIOR_UBUNTU_NAME: "ubuntu-2010"
 
     # VM Image built in containers/automation_images
-    IMAGE_SUFFIX: "c5032481331085312"
+    IMAGE_SUFFIX: "c6431352024203264"
     FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}"
 
     # Container FQIN's
     FEDORA_CONTAINER_FQIN: "quay.io/libpod/fedora_podman:${IMAGE_SUFFIX}"
     PRIOR_FEDORA_CONTAINER_FQIN: 
"quay.io/libpod/prior-fedora_podman:${IMAGE_SUFFIX}"
     UBUNTU_CONTAINER_FQIN: "quay.io/libpod/ubuntu_podman:${IMAGE_SUFFIX}"
-    PRIOR_UBUNTU_CONTAINER_FQIN: 
"quay.io/libpod/prior-ubuntu_podman:${IMAGE_SUFFIX}"
 
 
 # Only github users with write-access can define or use encrypted variables
@@ -73,7 +71,7 @@
             image: "${PRIOR_FEDORA_CONTAINER_FQIN}"
 
     script:
-        - dnf install -y rpm-build golang
+        - dnf install -y rpm-build golang libseccomp-devel
         - cd $CIRRUS_WORKING_DIR
         - make
         - make -f .rpmbuild/Makefile
@@ -123,7 +121,7 @@
     # the next line and file an issue with details about the failure.
     # allow_failures: true
 
-    timeout_in: '20m'
+    timeout_in: '240m'
 
     gce_instance:
         image_name: "${FEDORA_CACHE_IMAGE_NAME}"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/conmon-2.0.29/.github/workflows/integration.yml 
new/conmon-2.0.30/.github/workflows/integration.yml
--- old/conmon-2.0.29/.github/workflows/integration.yml 2021-06-02 
18:20:07.000000000 +0200
+++ new/conmon-2.0.30/.github/workflows/integration.yml 2021-09-21 
22:13:00.000000000 +0200
@@ -72,7 +72,7 @@
     steps:
       - uses: actions/setup-go@v2
         with:
-          go-version: '1.15'
+          go-version: '1.16'
       - uses: actions/checkout@v2
       - uses: actions/cache@v2
         with:
@@ -81,6 +81,10 @@
             ~/.cache/go-build
           key: go-integration-podman-${{ hashFiles('**/go.mod') }}
           restore-keys: go-integration-podman-
+      # https://github.com/actions/setup-go/issues/107
+      - run: |
+        export PATH=${GOROOT}/bin:$PATH
+        go version
       - run: hack/github-actions-setup
       - name: Run Podman integration tests
         run: |
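Review bot: The `export PATH=${GOROOT}/bin:$PATH` in the new `run` step only affects that step's own shell; on GitHub Actions every `run` step starts a fresh shell, so `hack/github-actions-setup` and the integration tests that follow still resolve `go` from the unmodified PATH. If the intent (per the linked setup-go issue) is to make the later steps use the toolchain installed by `actions/setup-go`, persist it with `echo "${GOROOT}/bin" >> "$GITHUB_PATH"` instead of `export`. The literal block body also sits at the same column as the `run` key; indenting its two lines two spaces further keeps the block unambiguous for strict YAML parsers. The identical step is repeated in the second job's hunk below (before `Run Podman system tests`), so the same change applies there.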
@@ -97,7 +101,7 @@
     steps:
       - uses: actions/setup-go@v2
         with:
-          go-version: '1.15'
+          go-version: '1.16'
       - uses: actions/checkout@v2
       - uses: actions/cache@v2
         with:
@@ -106,6 +110,10 @@
             ~/.cache/go-build
           key: go-integration-podman-${{ hashFiles('**/go.mod') }}
           restore-keys: go-integration-podman-
+      # https://github.com/actions/setup-go/issues/107
+      - run: |
+        export PATH=${GOROOT}/bin:$PATH
+        go version
       - run: hack/github-actions-setup
       - name: Run Podman system tests
         run: |
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/conmon-2.0.29/.gitignore new/conmon-2.0.30/.gitignore
--- old/conmon-2.0.29/.gitignore        1970-01-01 01:00:00.000000000 +0100
+++ new/conmon-2.0.30/.gitignore        2021-09-21 22:13:00.000000000 +0200
@@ -0,0 +1,58 @@
+# Prerequisites
+*.d
+
+# Object files
+*.o
+*.ko
+*.obj
+*.elf
+
+# Linker output
+*.ilk
+*.map
+*.exp
+
+# Precompiled Headers
+*.gch
+*.pch
+
+# Libraries
+*.lib
+*.a
+*.la
+*.lo
+
+# Shared objects (inc. Windows DLLs)
+*.dll
+*.so
+*.so.*
+*.dylib
+
+# Executables
+/bin/conmon
+*.exe
+*.out
+*.app
+*.i*86
+*.x86_64
+*.hex
+
+# Debug files
+*.dSYM/
+*.su
+*.idb
+*.pdb
+
+# Kernel Module Compile Results
+*.cmd
+.tmp_versions/
+modules.order
+Module.symvers
+Mkfile.old
+dkms.conf
+
+bin/
+
+vendor/
+
+result
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/conmon-2.0.29/CODE-OF-CONDUCT.md 
new/conmon-2.0.30/CODE-OF-CONDUCT.md
--- old/conmon-2.0.29/CODE-OF-CONDUCT.md        2021-06-02 18:20:07.000000000 
+0200
+++ new/conmon-2.0.30/CODE-OF-CONDUCT.md        2021-09-21 22:13:00.000000000 
+0200
@@ -1,3 +1,3 @@
 ## The conmon Project Community Code of Conduct
 
-The conmon Project follows the [Containers Community Code of 
Conduct](https://github.com/containers/common/blob/master/CODE-OF-CONDUCT.md).
+The conmon Project follows the [Containers Community Code of 
Conduct](https://github.com/containers/common/blob/main/CODE-OF-CONDUCT.md).
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/conmon-2.0.29/Makefile new/conmon-2.0.30/Makefile
--- old/conmon-2.0.29/Makefile  2021-06-02 18:20:07.000000000 +0200
+++ new/conmon-2.0.30/Makefile  2021-09-21 22:13:00.000000000 +0200
@@ -6,7 +6,8 @@
 PROJECT := github.com/containers/conmon
 PKG_CONFIG ?= pkg-config
 HEADERS := $(wildcard src/*.h)
-OBJS := src/conmon.o src/cmsg.o src/ctr_logging.o src/utils.o src/cli.o 
src/globals.o src/cgroup.o src/conn_sock.o src/oom.o src/ctrl.o src/ctr_stdio.o 
src/parent_pipe_fd.o src/ctr_exit.o src/runtime_args.o src/close_fds.o
+
+OBJS := src/conmon.o src/cmsg.o src/ctr_logging.o src/utils.o src/cli.o 
src/globals.o src/cgroup.o src/conn_sock.o src/oom.o src/ctrl.o src/ctr_stdio.o 
src/parent_pipe_fd.o src/ctr_exit.o src/runtime_args.o src/close_fds.o 
src/seccomp_notify.o
 
 MAKEFILE_PATH := $(dir $(abspath $(lastword $(MAKEFILE_LIST))))
 
@@ -14,7 +15,7 @@
 all: git-vars bin bin/conmon
 
 git-vars:
-ifeq ($(shell bash -c '[[ `command -v git` && `git rev-parse --git-dir 
2>/dev/null` ]] && echo true'),true)
+ifeq ($(shell bash -c '[[ `command -v git` && `git rev-parse --git-dir 
2>/dev/null` ]] && echo 0'),0)
        $(eval COMMIT_NO :=$(shell git rev-parse HEAD 2> /dev/null || true))
        $(eval GIT_COMMIT := $(if $(shell git status --porcelain 
--untracked-files=no),"${COMMIT_NO}-dirty","${COMMIT_NO}"))
        $(eval GIT_BRANCH := $(shell git rev-parse --abbrev-ref HEAD 
2>/dev/null))
@@ -37,18 +38,23 @@
 # "pkg-config --exists" will error if the package doesn't exist. Make can only 
compare
 # output of commands, so the echo commands are to allow pkg-config to error 
out, make to catch it,
 # and allow the compilation to complete.
-ifeq ($(shell $(PKG_CONFIG) --exists libsystemd-journal && echo "0" || echo 
"1"), 0)
+ifeq ($(shell $(PKG_CONFIG) --exists libsystemd-journal && echo "0"), 0)
        override LIBS += $(shell $(PKG_CONFIG) --libs libsystemd-journal)
-       override CFLAGS += $(shell $(PKG_CONFIG) --cflags libsystemd-journal) 
-D USE_JOURNALD=0
-else ifeq ($(shell $(PKG_CONFIG) --exists libsystemd && echo "0" || echo "1"), 
0)
+       override CFLAGS += $(shell $(PKG_CONFIG) --cflags libsystemd-journal) 
-D USE_JOURNALD=1
+else ifeq ($(shell $(PKG_CONFIG) --exists libsystemd && echo "0"), 0)
        override LIBS += $(shell $(PKG_CONFIG) --libs libsystemd)
-       override CFLAGS += $(shell $(PKG_CONFIG) --cflags libsystemd) -D 
USE_JOURNALD=0
+       override CFLAGS += $(shell $(PKG_CONFIG) --cflags libsystemd) -D 
USE_JOURNALD=1
+endif
+
+ifeq ($(shell hack/seccomp-notify.sh), 0)
+       override LIBS += $(shell $(PKG_CONFIG) --libs libseccomp) -ldl
+       override CFLAGS += $(shell $(PKG_CONFIG) --cflags libseccomp) -D 
USE_SECCOMP=1
 endif
 
 # Update nix/nixpkgs.json its latest stable commit
 .PHONY: nixpkgs
 nixpkgs:
-       @nix run -f channel:nixos-20.09 nix-prefetch-git -c nix-prefetch-git \
+       @nix run -f channel:nixpkgs-unstable nix-prefetch-git -c 
nix-prefetch-git \
                --no-deepClone https://github.com/nixos/nixpkgs > 
nix/nixpkgs.json
 
 # Build statically linked binary
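Review bot: The new `ifeq ($(shell hack/seccomp-notify.sh), 0)` block enables `USE_SECCOMP` only when the probe prints `0`, and every failure mode (libseccomp older than 2.5.0, missing kernel header, no `cc`, script not executable) collapses to an empty string and a silent build without the feature, so nothing in the build log tells a packager whether the seccomp notify support announced for this release actually landed. Add a diagnostic branch, e.g. `else` followed by `$(warning seccomp notify support disabled: hack/seccomp-notify.sh found no usable libseccomp >= 2.5.0)`, or an `$(info ...)` in the success branch. Note also that `$(PKG_CONFIG)` is honored for the journald checks in this hunk but is not passed to the probe, which calls `pkg-config` by name; `$(shell PKG_CONFIG="$(PKG_CONFIG)" hack/seccomp-notify.sh)` together with the script reading that variable would keep the two detections consistent under a cross toolchain. The `OBJS` hunk above adds `src/seccomp_notify.o` unconditionally, which presumably relies on that source guarding itself with `USE_SECCOMP` (its source is not in this diff).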
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/conmon-2.0.29/README.md new/conmon-2.0.30/README.md
--- old/conmon-2.0.29/README.md 2021-06-02 18:20:07.000000000 +0200
+++ new/conmon-2.0.30/README.md 2021-09-21 22:13:00.000000000 +0200
@@ -46,6 +46,7 @@
   git \
   glib2-devel \
   glibc-devel \
+  libseccomp-devel \
   make \
   pkgconfig \
   runc
@@ -59,6 +60,7 @@
   git \
   libc6-dev \
   libglib2.0-dev \
+  libseccomp-dev \
   pkg-config \
   make \
   runc
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/conmon-2.0.29/SECURITY.md 
new/conmon-2.0.30/SECURITY.md
--- old/conmon-2.0.29/SECURITY.md       2021-06-02 18:20:07.000000000 +0200
+++ new/conmon-2.0.30/SECURITY.md       2021-09-21 22:13:00.000000000 +0200
@@ -1,3 +1,3 @@
 ## Security and Disclosure Information Policy for the conmon Project
 
-The conmon Project follows the [Security and Disclosure Information 
Policy](https://github.com/containers/common/blob/master/SECURITY.md) for the 
Containers Projects.
+The conmon Project follows the [Security and Disclosure Information 
Policy](https://github.com/containers/common/blob/main/SECURITY.md) for the 
Containers Projects.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/conmon-2.0.29/VERSION new/conmon-2.0.30/VERSION
--- old/conmon-2.0.29/VERSION   2021-06-02 18:20:07.000000000 +0200
+++ new/conmon-2.0.30/VERSION   2021-09-21 22:13:00.000000000 +0200
@@ -1 +1 @@
-2.0.29
+2.0.30
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/conmon-2.0.29/contrib/cirrus/README.md 
new/conmon-2.0.30/contrib/cirrus/README.md
--- old/conmon-2.0.29/contrib/cirrus/README.md  2021-06-02 18:20:07.000000000 
+0200
+++ new/conmon-2.0.30/contrib/cirrus/README.md  1970-01-01 01:00:00.000000000 
+0100
@@ -1,153 +0,0 @@
-# Cirrus-CI
-
-Similar to other integrated github CI/CD services, Cirrus utilizes a simple
-YAML-based configuration/description file: ``.cirrus.yml``.  Ref: 
https://cirrus-ci.org/
-
-
-## Workflow
-
-All tasks execute in parallel, unless there are conditions or dependencies
-which alter this behavior.  Within each task, each script executes in sequence,
-so long as any previous script exited successfully.  The overall state of each
-task (pass or fail) is set based on the exit status of the last script to 
execute.
-
-
-### ``integration`` Task
-
-1. After `gating` passes, spin up one VM per
-   `matrix: image_name` item. Once accessible, ``ssh``
-   into each VM as the `root` user.
-
-2. ``setup_environment.sh``: Configure root's `.bash_profile`
-    for all subsequent scripts (each run in a new shell).  Any
-    distribution-specific environment variables are also defined
-    here.  For example, setting tags/flags to use compiling.
-
-5. ``integration_test.sh``: Execute integration-testing.  This is
-   much more involved, and relies on access to external
-   resources like container images and code from other repositories.
-   Total execution time is capped at 2-hours (includes all the above)
-   but this script normally completes in less than an hour.
-
-
-### ``cache_images`` Task
-
-1. When a PR is merged (``$CIRRUS_BRANCH`` == ``master``), run another
-   round of the ``integration`` task (above).
-
-2. After confirming the tests all pass post-merge, cirrus will
-   spin up a special VM capable of communicating with the GCE API.
-   Once accessible, it will ``ssh`` into the special VM and run
-   the following scripts.
-
-3. ``setup_environment.sh``: Same as the ``integration``
-   Task (above).
-
-4. ``build_vm_images.sh``: Examine the merged PR's description on github.
-   If it contains the magic string ``***CIRRUS: REBUILD IMAGES***``, then
-   continue, otherwise display a message, take no further action, and
-   exit successfully.  This prevents production of new VM images unless
-   they are called for, thereby saving the cost of needlessly storing them.
-
-5. If the magic string was found, utilize [the packer 
tool](http://packer.io/docs/)
-   to produce new VM images.  Create new VMs starting from *base-images* (see 
below),
-   connect to them with ``ssh``, and perform the steps defined by the
-   ``conmon_images.yml`` file.
-
-    1. Copy the current state of the repository into ``/tmp/conmon``.
-    2. Execute distribution-specific scripts to prepare the image for
-       use by the ``integration`` task (above).  For example,
-       ``fedora_setup.sh``.
-    3. If successful, shut down each VM and create a new GCE Image
-       named with the base image, and the commit sha of the merge.
-
-***Note:*** The ``.cirrus.yml`` file must be manually updated with the new
-images names, then the change sent in via a secondary pull-request.  This
-ensures that all the ``integration`` tasks can pass with the new images,
-before subjecting all future PRs to them.  A workflow to automate this
-process is described in comments at the end of the ``.cirrus.yml`` file.
-
-
-### Base-images
-
-Base-images are VM disk-images specially prepared for executing as GCE VMs.
-In particular, they run services on startup similar in purpose/function
-as the standard 'cloud-init' services.
-
-*  The google services are required for full support of ssh-key management
-   and GCE OAuth capabilities.  Google provides native images in GCE
-   with services pre-installed, for many platforms. For example,
-   RHEL, CentOS, and Ubuntu.
-
-*  Google does ***not*** provide any images for Fedora or Fedora Atomic
-   Host (as of 11/2018), nor do they provide a base-image prepared to
-   run packer for creating other images in the ``build_vm_images`` Task
-   (above).
-
-*  Base images do not need to be produced often, but doing so completely
-   manually would be time-consuming and error-prone.  Therefore a special
-   semi-automatic *Makefile* target is provided to assist with producing
-   all the base-images: ``conmon_base_images``
-
-To produce new base-images, including an `image-builder-image` (used by
-the ``cache_images`` Task) some input parameters are required:
-
-    *  ``GCP_PROJECT_ID``: The complete GCP project ID string e.g. foobar-12345
-       identifying where the images will be stored.
-
-    *  ``GOOGLE_APPLICATION_CREDENTIALS``: A *JSON* file containing
-       credentials for a GCE service account.  This can be [a service
-       
account](https://cloud.google.com/docs/authentication/production#obtaining_and_providing_service_account_credentials_manually)
-       or [end-user
-       
credentials](https://cloud.google.com/docs/authentication/end-user#creating_your_client_credentials]
-
-    *  CSV's of builders to use must be specified to ``PACKER_BUILDS``
-       to limit the base-images produced.  For example,
-       ``PACKER_BUILDS=fedora,image-builder-image``.
-
-The following process should be performed on a bare-metal CentOS 7 machine
-with network access to GCE.  Software dependencies can be obtained from
-the ``packer/image-builder-image_base_setup.sh`` script.
-
-Alternatively, an existing image-builder-image may be used from within GCE.
-However it must be created with elevated cloud privileges.  For example,
-
-```
-$ alias pgcloud='sudo podman run -it --rm -e AS_ID=$UID
-    -e AS_USER=$USER -v /home/$USER:/home/$USER:z cevich/gcloud_centos:latest'
-
-$ URL=https://www.googleapis.com/auth
-$ SCOPES=$URL/userinfo.email,$URL/compute,$URL/devstorage.full_control
-
-$ pgcloud compute instances create $USER-making-images \
-    --image-family image-builder-image \
-    --boot-disk-size "200GB" \
-    --min-cpu-platform "Intel Haswell" \
-    --machine-type n1-standard-2 \
-    --scopes $SCOPES
-
-$ pgcloud compute ssh centos@$USER-making-images
-...
-```
-
-When ready, change to the ``packer`` sub-directory, and run:
-
-```
-$ make conmon_base_images GCP_PROJECT_ID=<VALUE> \
-    GOOGLE_APPLICATION_CREDENTIALS=<VALUE> \
-    PACKER_BUILDS=<OPTIONAL>
-```
-
-Assuming this is successful (hence the semi-automatic part), packer will
-produce a ``packer-manifest.json`` output file.  This contains the base-image
-names suitable for updating in ``.cirrus.yml``, `env` keys ``*_BASE_IMAGE``.
-
-On failure, it should be possible to determine the problem from the packer
-output.  The only exception is for the Fedora and FAH builds, which utilize
-local qemu-kvm virtualisation.  To observe the serial-port output from those
-builds, set the ``TTYDEV`` parameter to your current device.  For example:
-
-```
-$ make conmon_base_images ... TTYDEV=$(tty)
-  ...
-```
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/conmon-2.0.29/contrib/cirrus/lib.sh 
new/conmon-2.0.30/contrib/cirrus/lib.sh
--- old/conmon-2.0.29/contrib/cirrus/lib.sh     2021-06-02 18:20:07.000000000 
+0200
+++ new/conmon-2.0.30/contrib/cirrus/lib.sh     2021-09-21 22:13:00.000000000 
+0200
@@ -56,7 +56,7 @@
 # shellcheck disable=SC2154
 if [[ -z "$CIRRUS_BASE_SHA" ]] && [[ -z "$CIRRUS_TAG" ]]
 then  # Operating on a branch, or under `get_ci_vm.sh`
-    CIRRUS_BASE_SHA=$(git rev-parse ${UPSTREAM_REMOTE:-origin}/master)
+    CIRRUS_BASE_SHA=$(git rev-parse ${UPSTREAM_REMOTE:-origin}/main)
 elif [[ -z "$CIRRUS_BASE_SHA" ]]
 then  # Operating on a tag
     CIRRUS_BASE_SHA=$(git rev-parse HEAD)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/conmon-2.0.29/contrib/spec/conmon.spec.in 
new/conmon-2.0.30/contrib/spec/conmon.spec.in
--- old/conmon-2.0.29/contrib/spec/conmon.spec.in       2021-06-02 
18:20:07.000000000 +0200
+++ new/conmon-2.0.30/contrib/spec/conmon.spec.in       2021-09-21 
22:13:00.000000000 +0200
@@ -22,6 +22,7 @@
 BuildRequires: gcc
 BuildRequires: glib2-devel
 BuildRequires: glibc-devel
+BuildRequires: libseccomp-devel
 BuildRequires: git
 # If go_compiler is not set to 1, there is no virtual provide. Use golang 
instead.
 BuildRequires: golang
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/conmon-2.0.29/hack/seccomp-notify.sh 
new/conmon-2.0.30/hack/seccomp-notify.sh
--- old/conmon-2.0.29/hack/seccomp-notify.sh    1970-01-01 01:00:00.000000000 
+0100
+++ new/conmon-2.0.30/hack/seccomp-notify.sh    2021-09-21 22:13:00.000000000 
+0200
@@ -0,0 +1,4 @@
+#!/bin/bash
+if $(printf '#include <linux/seccomp.h>\nvoid main(){struct 
seccomp_notif_sizes s;}' | cc -x c - -o /dev/null 2> /dev/null && pkg-config 
--atleast-version 2.5.0 libseccomp); then
+        echo "0"
+fi
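Review bot: `if $(printf ... | cc ... && pkg-config ...); then` runs the captured stdout of the pipeline as the command to test; both commands write nothing to stdout, so the word list is empty and the branch only works because bash then substitutes the exit status of the last command substitution, an obscure rule other shells do not share. Test the pipeline directly, honor the toolchain variables the Makefile already uses, and give the probe a warning-free `main`: `if printf '#include <linux/seccomp.h>\nint main(void){struct seccomp_notif_sizes s; (void)s; return 0;}' | "${CC:-cc}" -x c - -o /dev/null 2>/dev/null && "${PKG_CONFIG:-pkg-config}" --atleast-version 2.5.0 libseccomp; then`. A header comment stating the contract would help the Makefile reader: `# Prints "0" when seccomp user-notification can be built (<linux/seccomp.h> declares struct seccomp_notif_sizes and libseccomp is >= 2.5.0); prints nothing otherwise.`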
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/conmon-2.0.29/meson.build 
new/conmon-2.0.30/meson.build
--- old/conmon-2.0.29/meson.build       2021-06-02 18:20:07.000000000 +0200
+++ new/conmon-2.0.30/meson.build       2021-09-21 22:13:00.000000000 +0200
@@ -34,6 +34,7 @@
                       language : 'c')
 
 glib = dependency('glib-2.0')
+libdl = cc.find_library('dl')
 
 executable('conmon',
            ['src/conmon.c',
@@ -67,8 +68,10 @@
             'src/runtime_args.c',
             'src/runtime_args.h',
             'src/utils.c',
-            'src/utils.h'],
-           dependencies : [glib],
+            'src/utils.h',
+            'src/seccomp_notify.c',
+            'src/seccomp_notify.h'],
+           dependencies : [glib, libdl],
            install : true,
            install_dir : join_paths(get_option('libexecdir'), 'podman'),
 )
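Review bot: The meson build gains `libdl` and the `src/seccomp_notify.c`/`.h` sources but no libseccomp dependency and no `USE_SECCOMP` define, whereas the Makefile in this same release links `libseccomp` and adds `-D USE_SECCOMP=1` only after its probe succeeds; assuming seccomp_notify.c is guarded by that macro (its source is not in this diff), a meson build compiles the feature out silently. Mirror the Makefile: `libseccomp = dependency('libseccomp', version : '>= 2.5.0', required : false)`, extend `dependencies : [glib, libdl, libseccomp]`, and pass `c_args : libseccomp.found() ? ['-DUSE_SECCOMP=1'] : []` on the executable so the two build systems agree on when the feature is present.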
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/conmon-2.0.29/nix/default-arm64.nix 
new/conmon-2.0.30/nix/default-arm64.nix
--- old/conmon-2.0.29/nix/default-arm64.nix     2021-06-02 18:20:07.000000000 
+0200
+++ new/conmon-2.0.30/nix/default-arm64.nix     2021-09-21 22:13:00.000000000 
+0200
@@ -1,22 +1,17 @@
 let
+  static = import ./static.nix;
   pkgs = (import ./nixpkgs.nix {
-    crossSystem = {
-      config = "aarch64-unknown-linux-gnu";
-    };
+    crossSystem = { config = "aarch64-unknown-linux-gnu"; };
     overlays = [
       (final: pkg: {
         pcre = (static pkg.pcre).overrideAttrs (x: {
-          configureFlags = x.configureFlags ++ [
-            "--enable-static"
-          ];
+          configureFlags = x.configureFlags ++ [ "--enable-static" ];
         });
       })
     ];
     config = {
       packageOverrides = pkg: {
-        autogen = (static pkg.autogen);
-        e2fsprogs = (static pkg.e2fsprogs);
-        libuv = (static pkg.libuv);
+        libseccomp = (static pkg.libseccomp);
         glib = (static pkg.glib).overrideAttrs (x: {
           outputs = [ "bin" "out" "dev" ];
           mesonFlags = [
@@ -33,63 +28,9 @@
               -i "$dev"/include/glib-2.0/gobject/gobjectnotifyqueue.c
           '';
         });
-        gnutls = (static pkg.gnutls).overrideAttrs (x: {
-          configureFlags = (x.configureFlags or [ ]) ++ [
-            "--disable-non-suiteb-curves"
-            "--disable-openssl-compatibility"
-            "--disable-rpath"
-            "--enable-local-libopts"
-            "--without-p11-kit"
-          ];
-        });
-        systemd = (static pkg.systemd).overrideAttrs (x: {
-          outputs = [ "out" "dev" ];
-          mesonFlags = x.mesonFlags ++ [
-            "-Dstatic-libsystemd=true"
-          ];
-        });
       };
     };
   });
-
-  static = pkg: pkg.overrideAttrs (x: {
-    doCheck = false;
-    configureFlags = (x.configureFlags or [ ]) ++ [
-      "--without-shared"
-      "--disable-shared"
-    ];
-    dontDisableStatic = true;
-    enableSharedExecutables = false;
-    enableStatic = true;
-  });
-
-  self = with pkgs; stdenv.mkDerivation rec {
-    name = "conmon";
-    src = ./..;
-    vendorSha256 = null;
-    doCheck = false;
-    enableParallelBuilding = true;
-    outputs = [ "out" ];
-    nativeBuildInputs = with buildPackages; [
-      bash
-      gitMinimal
-      pcre
-      pkg-config
-      which
-    ];
-    buildInputs = [ glibc glibc.static glib ];
-    prePatch = ''
-      export CFLAGS='-static -pthread'
-      export LDFLAGS='-s -w -static-libgcc -static'
-      export EXTRA_LDFLAGS='-s -w -linkmode external -extldflags "-static -lm"'
-    '';
-    buildPhase = ''
-      patchShebangs .
-      make
-    '';
-    installPhase = ''
-      install -Dm755 bin/conmon $out/bin/conmon
-    '';
-  };
+  self = import ./derivation.nix { inherit pkgs; };
 in
 self
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/conmon-2.0.29/nix/default.nix 
new/conmon-2.0.30/nix/default.nix
--- old/conmon-2.0.29/nix/default.nix   2021-06-02 18:20:07.000000000 +0200
+++ new/conmon-2.0.30/nix/default.nix   2021-09-21 22:13:00.000000000 +0200
@@ -1,19 +1,18 @@
 { system ? builtins.currentSystem }:
 let
+  static = import ./static.nix;
   pkgs = (import ./nixpkgs.nix {
-    overlays = [(final: pkg: {
-      pcre = (static pkg.pcre).overrideAttrs(x: {
-        configureFlags = x.configureFlags ++ [
-          "--enable-static"
-        ];
-      });
-    })];
+    overlays = [
+      (final: pkg: {
+        pcre = (static pkg.pcre).overrideAttrs (x: {
+          configureFlags = x.configureFlags ++ [ "--enable-static" ];
+        });
+      })
+    ];
     config = {
       packageOverrides = pkg: {
-        autogen = (static pkg.autogen);
-        e2fsprogs = (static pkg.e2fsprogs);
-        libuv = (static pkg.libuv);
-        glib = (static pkg.glib).overrideAttrs(x: {
+        libseccomp = (static pkg.libseccomp);
+        glib = (static pkg.glib).overrideAttrs (x: {
           outputs = [ "bin" "out" "dev" ];
           mesonFlags = [
             "-Ddefault_library=static"
@@ -22,56 +21,9 @@
             "-Dnls=disabled"
           ];
         });
-        gnutls = (static pkg.gnutls).overrideAttrs(x: {
-          configureFlags = (x.configureFlags or []) ++ [
-            "--disable-non-suiteb-curves"
-            "--disable-openssl-compatibility"
-            "--disable-rpath"
-            "--enable-local-libopts"
-            "--without-p11-kit"
-          ];
-        });
-        systemd = (static pkg.systemd).overrideAttrs(x: {
-          outputs = [ "out" "dev" ];
-          mesonFlags = x.mesonFlags ++ [
-            "-Dstatic-libsystemd=true"
-          ];
-        });
       };
     };
   });
-
-  static = pkg: pkg.overrideAttrs(x: {
-    doCheck = false;
-    configureFlags = (x.configureFlags or []) ++ [
-      "--without-shared"
-      "--disable-shared"
-    ];
-    dontDisableStatic = true;
-    enableSharedExecutables = false;
-    enableStatic = true;
-  });
-
-  self = with pkgs; stdenv.mkDerivation rec {
-    name = "conmon";
-    src = ./..;
-    vendorSha256 = null;
-    doCheck = false;
-    enableParallelBuilding = true;
-    outputs = [ "out" ];
-    nativeBuildInputs = [ bash gitMinimal pcre pkg-config which ];
-    buildInputs = [ glibc glibc.static glib ];
-    prePatch = ''
-      export CFLAGS='-static -pthread'
-      export LDFLAGS='-s -w -static-libgcc -static'
-      export EXTRA_LDFLAGS='-s -w -linkmode external -extldflags "-static -lm"'
-    '';
-    buildPhase = ''
-      patchShebangs .
-      make
-    '';
-    installPhase = ''
-      install -Dm755 bin/conmon $out/bin/conmon
-    '';
-  };
-in self
+  self = import ./derivation.nix { inherit pkgs; };
+in
+self
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/conmon-2.0.29/nix/derivation.nix 
new/conmon-2.0.30/nix/derivation.nix
--- old/conmon-2.0.29/nix/derivation.nix        1970-01-01 01:00:00.000000000 
+0100
+++ new/conmon-2.0.30/nix/derivation.nix        2021-09-21 22:13:00.000000000 
+0200
@@ -0,0 +1,34 @@
+{ pkgs }:
+with pkgs; stdenv.mkDerivation rec {
+  name = "conmon";
+  src = ./..;
+  vendorSha256 = null;
+  doCheck = false;
+  enableParallelBuilding = true;
+  outputs = [ "out" ];
+  nativeBuildInputs = with buildPackages; [
+    bash
+    gitMinimal
+    pkg-config
+    which
+  ];
+  buildInputs = [
+    glib
+    glibc
+    glibc.static
+    libseccomp
+    pcre
+  ];
+  prePatch = ''
+    export CFLAGS='-static -pthread'
+    export LDFLAGS='-s -w -static-libgcc -static'
+    export EXTRA_LDFLAGS='-s -w -linkmode external -extldflags "-static -lm"'
+  '';
+  buildPhase = ''
+    patchShebangs .
+    make
+  '';
+  installPhase = ''
+    install -Dm755 bin/conmon $out/bin/conmon
+  '';
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/conmon-2.0.29/nix/nixpkgs.json 
new/conmon-2.0.30/nix/nixpkgs.json
--- old/conmon-2.0.29/nix/nixpkgs.json  2021-06-02 18:20:07.000000000 +0200
+++ new/conmon-2.0.30/nix/nixpkgs.json  2021-09-21 22:13:00.000000000 +0200
@@ -1,9 +1,9 @@
 {
   "url": "https://github.com/nixos/nixpkgs";,
-  "rev": "30c2fb65feaf1068b1c413a0b75470afd351c291",
-  "date": "2021-01-28T21:27:34-05:00",
-  "path": "/nix/store/zk71rlw37vg9hqc5j0vqi9x8qzb2ir0m-nixpkgs",
-  "sha256": "0b1y1lgzbagpgh9cvi9szkm162laifz0q2ss4pibns3j3gqpf5gl",
+  "rev": "15f5ec53d3a33a6d45c502fd8bae7e397fd1d3f6",
+  "date": "2021-07-29T08:45:37+02:00",
+  "path": "/nix/store/dalg8b7d1dv2bhvbk7bimzygfl4kmrzs-nixpkgs",
+  "sha256": "1npnxc86xzvzwliz028nf8a9c6qrbz6h08s23iaf4km51n3snsip",
   "fetchSubmodules": false,
   "deepClone": false,
   "leaveDotGit": false
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/conmon-2.0.29/nix/static.nix 
new/conmon-2.0.30/nix/static.nix
--- old/conmon-2.0.29/nix/static.nix    1970-01-01 01:00:00.000000000 +0100
+++ new/conmon-2.0.30/nix/static.nix    2021-09-21 22:13:00.000000000 +0200
@@ -0,0 +1,10 @@
+pkg: pkg.overrideAttrs (x: {
+  doCheck = false;
+  configureFlags = (x.configureFlags or [ ]) ++ [
+    "--without-shared"
+    "--disable-shared"
+  ];
+  dontDisableStatic = true;
+  enableSharedExecutables = false;
+  enableStatic = true;
+})
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/conmon-2.0.29/src/cli.c new/conmon-2.0.30/src/cli.c
--- old/conmon-2.0.29/src/cli.c 2021-06-02 18:20:07.000000000 +0200
+++ new/conmon-2.0.30/src/cli.c 2021-09-21 22:13:00.000000000 +0200
@@ -50,6 +50,8 @@
 gboolean opt_no_sync_log = FALSE;
 char *opt_sdnotify_socket = NULL;
 gboolean opt_full_attach_path = FALSE;
+char *opt_seccomp_notify_socket = NULL;
+char *opt_seccomp_notify_plugins = NULL;
 GOptionEntry opt_entries[] = {
        {"api-version", 0, 0, G_OPTION_ARG_NONE, &opt_api_version, "Conmon API 
version to use", NULL},
        {"bundle", 'b', 0, G_OPTION_ARG_STRING, &opt_bundle_path, "Location of 
the OCI Bundle path", NULL},
@@ -100,6 +102,10 @@
        {"version", 0, 0, G_OPTION_ARG_NONE, &opt_version, "Print the version 
and exit", NULL},
        {"full-attach", 0, 0, G_OPTION_ARG_NONE, &opt_full_attach_path,
         "Don't truncate the path to the attach socket. This option causes 
conmon to ignore --socket-dir-path", NULL},
+       {"seccomp-notify-socket", 0, 0, G_OPTION_ARG_STRING, 
&opt_seccomp_notify_socket,
+        "Path to the socket where the seccomp notification fd is received", 
NULL},
+       {"seccomp-notify-plugins", 0, 0, G_OPTION_ARG_STRING, 
&opt_seccomp_notify_plugins,
+        "Plugins to use for managing the seccomp notifications", NULL},
        {NULL, 0, 0, 0, NULL, NULL, NULL}};
 
 
@@ -150,6 +156,9 @@
        if (opt_cuuid == NULL && (!opt_exec || opt_api_version >= 1))
                nexit("Container UUID not provided. Use --cuuid");
 
+       if (opt_seccomp_notify_plugins == NULL)
+               opt_seccomp_notify_plugins = 
getenv("CONMON_SECCOMP_NOTIFY_PLUGINS");
+
        if (opt_runtime_path == NULL)
                nexit("Runtime path not provided. Use --runtime");
        if (access(opt_runtime_path, X_OK) < 0)
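Review bot: The `getenv("CONMON_SECCOMP_NOTIFY_PLUGINS")` fallback lets the environment choose the ':'-separated list of shared objects that the new seccomp_notify.c later hands to `dlopen()`, but neither a comment here nor the `--seccomp-notify-plugins` help text says so. A comment at the fallback, `/* Environment fallback: each entry is a path that will be dlopen()'d, so conmon must only be started from a trusted environment. */`, and a matching remark in the option's help string would make that contract visible to operators. The enclosing function starts and ends outside the hunk.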
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/conmon-2.0.29/src/cli.h new/conmon-2.0.30/src/cli.h
--- old/conmon-2.0.29/src/cli.h 2021-06-02 18:20:07.000000000 +0200
+++ new/conmon-2.0.30/src/cli.h 2021-09-21 22:13:00.000000000 +0200
@@ -43,6 +43,8 @@
 extern gboolean opt_no_sync_log;
 extern gboolean opt_sync;
 extern char *opt_sdnotify_socket;
+extern char *opt_seccomp_notify_socket;
+extern char *opt_seccomp_notify_plugins;
 extern GOptionEntry opt_entries[];
 extern gboolean opt_full_attach_path;
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/conmon-2.0.29/src/conmon.c 
new/conmon-2.0.30/src/conmon.c
--- old/conmon-2.0.29/src/conmon.c      2021-06-02 18:20:07.000000000 +0200
+++ new/conmon-2.0.30/src/conmon.c      2021-09-21 22:13:00.000000000 +0200
@@ -18,6 +18,7 @@
 #include "parent_pipe_fd.h"
 #include "ctr_exit.h"
 #include "close_fds.h"
+#include "seccomp_notify.h"
 #include "runtime_args.h"
 
 #include <sys/prctl.h>
@@ -133,6 +134,7 @@
        }
 
        _cleanup_free_ char *csname = NULL;
+       _cleanup_free_ char *seccomp_listener = NULL;
        int workerfd_stdin = -1;
        int workerfd_stdout = -1;
        int workerfd_stderr = -1;
@@ -167,12 +169,16 @@
 
                mainfd_stdout = fds[0];
                workerfd_stdout = fds[1];
+       }
 
-               /* now that we've set mainfd_stdout, we can register the 
ctrl_winsz_cb
-                * if we didn't set it here, we'd risk attempting to run ioctl 
on
-                * a negative fd, and fail to resize the window */
-               if (winsz_fd_r >= 0)
-                       g_unix_fd_add(winsz_fd_r, G_IO_IN, ctrl_winsz_cb, NULL);
+       if (opt_seccomp_notify_socket != NULL) {
+#ifdef USE_SECCOMP
+               pexit("seccomp support not present");
+#else
+               if (opt_seccomp_notify_plugins == NULL)
+                       pexit("seccomp notify socket specified without any 
plugin");
+               seccomp_listener = 
setup_seccomp_socket(opt_seccomp_notify_socket);
+#endif
        }
 
        /* We always create a stderr pipe, because that way we can capture
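Review bot: The preprocessor test at `#ifdef USE_SECCOMP` is inverted: with seccomp support compiled in, conmon exits with "seccomp support not present", and without it `setup_seccomp_socket()` is called and the listener is later served by a `seccomp_accept_cb` that is only a `pexit()` stub, since seccomp_notify.c guards its real implementation with the same `#ifdef USE_SECCOMP`. It should read `#ifndef USE_SECCOMP`, keeping `pexit("seccomp support not present");` under it and the plugin check plus socket setup in the `#else` branch. The enclosing function starts and ends outside the hunk.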
@@ -319,6 +325,9 @@
        if (workerfd_stderr > -1)
                close(workerfd_stderr);
 
+       if (seccomp_listener != NULL)
+               g_unix_fd_add(seccomp_socket_fd, G_IO_IN, seccomp_accept_cb, 
csname);
+
        if (csname != NULL) {
                g_unix_fd_add(console_socket_fd, G_IO_IN, terminal_accept_cb, 
csname);
                /* Process any SIGCHLD we may have missed before the signal 
handler was in place.  */
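Review bot: `g_unix_fd_add(seccomp_socket_fd, G_IO_IN, seccomp_accept_cb, csname)` passes the console-socket name as user_data although seccomp_accept_cb declares that argument G_GNUC_UNUSED and csname is NULL whenever no terminal is requested, which reads like a copy of the terminal_accept_cb registration below it. Passing `NULL` states the intent and avoids suggesting a dependency between the two sockets. The enclosing function starts and ends outside the hunk.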
@@ -492,6 +501,8 @@
                if (!g_file_set_contents(exit_file_path, status_str, -1, &err))
                        nexitf("Failed to write %s to exit file: %s", 
status_str, err->message);
        }
+       if (seccomp_listener != NULL)
+               unlink(seccomp_listener);
 
        /* Send the command exec exit code back to the parent */
        if (opt_exec && sync_pipe_fd >= 0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/conmon-2.0.29/src/conn_sock.c 
new/conmon-2.0.30/src/conn_sock.c
--- old/conmon-2.0.29/src/conn_sock.c   2021-06-02 18:20:07.000000000 +0200
+++ new/conmon-2.0.30/src/conn_sock.c   2021-09-21 22:13:00.000000000 +0200
@@ -6,6 +6,7 @@
 #include "config.h"
 #include "cli.h" // opt_stdin
 
+#include <libgen.h>
 #include <stdbool.h>
 #include <sys/socket.h>
 #include <unistd.h>
@@ -25,6 +26,7 @@
 static char *bind_unix_socket(char *socket_relative_name, int sock_type, 
mode_t perms, struct remote_sock_s *remote_sock,
                              gboolean use_full_attach_path);
 static char *socket_parent_dir(gboolean use_full_attach_path, size_t 
desired_len);
+static char *setup_socket(int *fd, const char *path);
 /*
   Since our socket handling is abstract now, handling is based on sock_type, 
so we can pass around a structure
   that contains everything we need to handle I/O.  Callbacks used to handle 
IO, for example, and whether this
@@ -72,38 +74,79 @@
 };
 
 /* External */
+
 char *setup_console_socket(void)
 {
+       return setup_socket(&console_socket_fd, NULL);
+}
+
+char *setup_seccomp_socket(const char *socket)
+{
+       return setup_socket(&seccomp_socket_fd, socket);
+}
+
+static char *setup_socket(int *fd, const char *path)
+{
        struct sockaddr_un addr = {0};
-       _cleanup_free_ const char *tmpdir = g_get_tmp_dir();
-       char *csname = g_build_filename(tmpdir, "conmon-term.XXXXXX", NULL);
-       /*
-        * Generate a temporary name. Is this unsafe? Probably, but we can
-        * replace it with a rename(2) setup if necessary.
-        */
+       char *csname = NULL;
+       _cleanup_close_ int sfd = -1;
 
-       int unusedfd = g_mkstemp(csname);
-       if (unusedfd < 0)
-               pexit("Failed to generate random path for console-socket");
-       close(unusedfd);
+       if (path != NULL) {
+               _cleanup_free_ char *dname_buf = NULL;
+               _cleanup_free_ char *bname_buf = NULL;
+               char *dname = NULL, *bname = NULL;
+
+               csname = strdup(path);
+               dname_buf = strdup(path);
+               bname_buf = strdup(path);
+               if (csname == NULL || dname_buf == NULL || bname_buf == NULL) {
+                       pexit("Failed to allocate memory");
+                       return NULL;
+               }
+               dname = dirname(dname_buf);
+               if (dname == NULL)
+                       pexitf("Cannot get dirname for %s", csname);
+
+               sfd = open(dname, O_CREAT | O_PATH, 0600);
+               if (sfd < 0)
+                       pexit("Failed to create file for console-socket");
+
+               bname = basename(bname_buf);
+               if (bname == NULL)
+                       pexitf("Cannot get basename for %s", csname);
 
-       addr.sun_family = AF_UNIX;
-       strncpy(addr.sun_path, csname, sizeof(addr.sun_path) - 1);
+               snprintf(addr.sun_path, sizeof(addr.sun_path) - 1, 
"/proc/self/fd/%d/%s", sfd, bname);
+       } else {
+               _cleanup_free_ const char *tmpdir = g_get_tmp_dir();
 
+               csname = g_build_filename(tmpdir, "conmon-term.XXXXXX", NULL);
+               /*
+                * Generate a temporary name. Is this unsafe? Probably, but we 
can
+                * replace it with a rename(2) setup if necessary.
+                */
+               int unusedfd = g_mkstemp(csname);
+               if (unusedfd < 0)
+                       pexit("Failed to generate random path for 
console-socket");
+               close(unusedfd);
+               /* XXX: This should be handled with a rename(2). */
+               if (unlink(csname) < 0)
+                       pexit("Failed to unlink temporary random path");
+
+               strncpy(addr.sun_path, csname, sizeof(addr.sun_path) - 1);
+       }
+
+       addr.sun_family = AF_UNIX;
        ninfof("addr{sun_family=AF_UNIX, sun_path=%s}", addr.sun_path);
 
        /* Bind to the console socket path. */
-       console_socket_fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
-       if (console_socket_fd < 0)
-               pexit("Failed to create console-socket");
-       if (fchmod(console_socket_fd, 0700))
+       *fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
+       if (*fd < 0)
+               pexit("Failed to create socket");
+       if (fchmod(*fd, 0700))
                pexit("Failed to change console-socket permissions");
-       /* XXX: This should be handled with a rename(2). */
-       if (unlink(csname) < 0)
-               pexit("Failed to unlink temporary random path");
-       if (bind(console_socket_fd, (struct sockaddr *)&addr, sizeof(addr)) < 0)
+       if (bind(*fd, (struct sockaddr *)&addr, sizeof(addr)) < 0)
                pexit("Failed to bind to console-socket");
-       if (listen(console_socket_fd, 128) < 0)
+       if (listen(*fd, 128) < 0)
                pexit("Failed to listen on console-socket");
 
        return csname;
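Review bot: `open(dname, O_CREAT | O_PATH, 0600)` does not do what its error message claims: open(2) ignores O_CREAT, and every flag other than O_CLOEXEC, O_DIRECTORY and O_NOFOLLOW, when O_PATH is given, so nothing is created and a missing parent simply fails; `sfd = open(dname, O_PATH | O_DIRECTORY | O_CLOEXEC);` with the message `"Failed to open parent directory of the socket"` states the real precondition. The `snprintf()` into sun_path should also compare its return value against `sizeof(addr.sun_path) - 1`, because a long basename is otherwise silently truncated and the socket is bound under a different name. Unlike the mkstemp branch, the explicit-path branch never removes a stale socket file before `bind()`, so a leftover path from a previous run fails with `"Failed to bind to console-socket"`, and all the shared `console-socket` error messages now also cover the seccomp socket.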
@@ -331,6 +374,9 @@
                if (strstr(sock->buf, "READY=1")) {
                        strncpy(sock->buf, "READY=1", 8);
                        sock->remaining = 7;
+               } else if (strstr(sock->buf, "WATCHDOG=1")) {
+                       strncpy(sock->buf, "WATCHDOG=1", 11);
+                       sock->remaining = 10;
                } else {
                        sock->remaining = 0;
                }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/conmon-2.0.29/src/conn_sock.h 
new/conmon-2.0.30/src/conn_sock.h
--- old/conmon-2.0.29/src/conn_sock.h   2021-06-02 18:20:07.000000000 +0200
+++ new/conmon-2.0.30/src/conn_sock.h   2021-09-21 22:13:00.000000000 +0200
@@ -48,6 +48,7 @@
 };
 
 char *setup_console_socket(void);
+char *setup_seccomp_socket(const char *socket);
 char *setup_attach_socket(void);
 void setup_notify_socket(char *);
 void schedule_main_stdin_write();
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/conmon-2.0.29/src/ctr_exit.c 
new/conmon-2.0.30/src/ctr_exit.c
--- old/conmon-2.0.29/src/ctr_exit.c    2021-06-02 18:20:07.000000000 +0200
+++ new/conmon-2.0.30/src/ctr_exit.c    2021-09-21 22:13:00.000000000 +0200
@@ -133,12 +133,6 @@
 
 void do_exit_command()
 {
-       /* even though we've already registered reap_children,
-        * atexit() runs functions in reverse, so we need to
-        * manually call here. Repeated calls will not cause trouble
-        */
-       reap_children();
-
        if (sync_pipe_fd > 0) {
                close(sync_pipe_fd);
                sync_pipe_fd = -1;
@@ -156,9 +150,18 @@
        if (exit_pid) {
                int ret, exit_status = 0;
 
-               do
-                       ret = waitpid(exit_pid, &exit_status, 0);
-               while (ret < 0 && errno == EINTR);
+               /*
+                * Make sure to cleanup any zombie process that the container 
runtime
+                * could have left around.
+                */
+               do {
+                       int tmp;
+
+                       exit_status = 0;
+                       ret = waitpid(-1, &tmp, 0);
+                       if (ret == exit_pid)
+                               exit_status = get_exit_status(tmp);
+               } while ((ret < 0 && errno == EINTR) || ret > 0);
 
                if (exit_status)
                        _exit(exit_status);
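Review bot: `exit_status = 0;` at the top of the new loop body discards the status captured for exit_pid as soon as a later `waitpid(-1, …)` iteration reaps some other child, so the `if (exit_status) _exit(exit_status)` check after the loop can miss a failing exit command. Initialize it once, as the existing `int ret, exit_status = 0;` already does, and delete the `exit_status = 0;` line inside the loop. Note also that `waitpid(-1, &tmp, 0)` blocks until every remaining child has exited, so any long-lived child of conmon would stall do_exit_command here; whether such children can still exist at this point is not visible in the hunk. The function starts outside the hunk.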
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/conmon-2.0.29/src/ctrl.c new/conmon-2.0.30/src/ctrl.c
--- old/conmon-2.0.29/src/ctrl.c        2021-06-02 18:20:07.000000000 +0200
+++ new/conmon-2.0.30/src/ctrl.c        2021-09-21 22:13:00.000000000 +0200
@@ -8,6 +8,7 @@
 #include "conn_sock.h"
 #include "cmsg.h"
 #include "cli.h" // opt_bundle_path
+#include "seccomp_notify.h"
 
 #include <sys/ioctl.h>
 #include <sys/socket.h>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/conmon-2.0.29/src/globals.c 
new/conmon-2.0.30/src/globals.c
--- old/conmon-2.0.29/src/globals.c     2021-06-02 18:20:07.000000000 +0200
+++ new/conmon-2.0.30/src/globals.c     2021-09-21 22:13:00.000000000 +0200
@@ -9,6 +9,7 @@
 
 int attach_socket_fd = -1;
 int console_socket_fd = -1;
+int seccomp_socket_fd = -1;
 int terminal_ctrl_fd = -1;
 int inotify_fd = -1;
 int winsz_fd_w = -1;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/conmon-2.0.29/src/globals.h 
new/conmon-2.0.30/src/globals.h
--- old/conmon-2.0.29/src/globals.h     2021-06-02 18:20:07.000000000 +0200
+++ new/conmon-2.0.30/src/globals.h     2021-09-21 22:13:00.000000000 +0200
@@ -14,6 +14,7 @@
 
 extern int attach_socket_fd;
 extern int console_socket_fd;
+extern int seccomp_socket_fd;
 extern int terminal_ctrl_fd;
 extern int inotify_fd;
 extern int winsz_fd_w;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/conmon-2.0.29/src/seccomp_notify.c 
new/conmon-2.0.30/src/seccomp_notify.c
--- old/conmon-2.0.29/src/seccomp_notify.c      1970-01-01 01:00:00.000000000 
+0100
+++ new/conmon-2.0.30/src/seccomp_notify.c      2021-09-21 22:13:00.000000000 
+0200
@@ -0,0 +1,309 @@
+#define _GNU_SOURCE
+#if __STDC_VERSION__ >= 199901L
+/* C99 or later */
+#else
+#error conmon.c requires C99 or later
+#endif
+
+#include <errno.h>
+#include <seccomp.h>
+#include <sys/ioctl.h>
+#include <linux/seccomp.h>
+#include <sys/sysmacros.h>
+#include <dlfcn.h>
+#include <sys/wait.h>
+#include <sys/mount.h>
+#include <signal.h>
+#include <sys/socket.h>
+
+#include "cli.h" // opt_bundle_path
+#include "utils.h"
+#include "cmsg.h"
+#include "seccomp_notify.h"
+
+#ifdef USE_SECCOMP
+
+#ifndef SECCOMP_USER_NOTIF_FLAG_CONTINUE
+#define SECCOMP_USER_NOTIF_FLAG_CONTINUE (1UL << 0)
+#endif
+
+static struct seccomp_notify_context_s *seccomp_notify_ctx;
+
+struct plugin {
+       void *handle;
+       void *opaque;
+       run_oci_seccomp_notify_handle_request_cb handle_request_cb;
+};
+
+struct seccomp_notify_context_s {
+       struct plugin *plugins;
+       size_t n_plugins;
+
+       struct seccomp_notif_resp *sresp;
+       struct seccomp_notif *sreq;
+       struct seccomp_notif_sizes sizes;
+};
+
+static inline void *xmalloc0(size_t size);
+static void cleanup_seccomp_plugins();
+
+static int seccomp_syscall(unsigned int op, unsigned int flags, void *args);
+
+gboolean seccomp_cb(int fd, GIOCondition condition, G_GNUC_UNUSED gpointer 
user_data)
+{
+       if (condition & G_IO_IN) {
+               if (seccomp_notify_ctx == NULL)
+                       return G_SOURCE_REMOVE;
+
+               int ret = seccomp_notify_plugins_event(seccomp_notify_ctx, fd);
+               return ret == 0 ? G_SOURCE_CONTINUE : G_SOURCE_REMOVE;
+       }
+       return G_SOURCE_CONTINUE;
+}
+
+gboolean seccomp_accept_cb(int fd, G_GNUC_UNUSED GIOCondition condition, 
G_GNUC_UNUSED gpointer user_data)
+{
+       ninfof("about to accept from seccomp_socket_fd: %d", fd);
+       int connfd = accept4(fd, NULL, NULL, SOCK_CLOEXEC);
+       if (connfd < 0) {
+               nwarn("Failed to accept console-socket connection");
+               return G_SOURCE_CONTINUE;
+       }
+
+       struct file_t listener = recvfd(connfd);
+       close(connfd);
+
+       _cleanup_free_ char *oci_config_path = 
g_strdup_printf("%s/config.json", opt_bundle_path);
+       if (oci_config_path == NULL) {
+               nwarn("Failed to allocate memory");
+               return G_SOURCE_CONTINUE;
+       }
+
+       struct seccomp_notify_conf_s conf = {
+               .runtime_root_path = NULL,
+               .name = opt_name,
+               .bundle_path = opt_bundle_path,
+               .oci_config_path = oci_config_path,
+       };
+       int ret = seccomp_notify_plugins_load(&seccomp_notify_ctx, 
opt_seccomp_notify_plugins, &conf);
+       if (ret < 0) {
+               nwarn("Failed to initialize seccomp notify plugins");
+               return G_SOURCE_CONTINUE;
+       }
+
+       g_unix_set_fd_nonblocking(listener.fd, TRUE, NULL);
+       g_unix_fd_add(listener.fd, G_IO_IN | G_IO_HUP, seccomp_cb, NULL);
+       atexit(cleanup_seccomp_plugins);
+
+       return G_SOURCE_CONTINUE;
+}
+
+int seccomp_notify_plugins_load(struct seccomp_notify_context_s **out, const 
char *plugins, struct seccomp_notify_conf_s *conf)
+{
+       cleanup_seccomp_notify_context struct seccomp_notify_context_s *ctx = 
xmalloc0(sizeof *ctx);
+       _cleanup_free_ char *b = NULL;
+       char *it, *saveptr;
+       size_t s;
+
+       if (seccomp_syscall(SECCOMP_GET_NOTIF_SIZES, 0, &ctx->sizes) < 0) {
+               pexit("Failed to get notifications size");
+               return -1;
+       }
+
+       ctx->sreq = xmalloc0(ctx->sizes.seccomp_notif);
+       ctx->sresp = xmalloc0(ctx->sizes.seccomp_notif_resp);
+
+       ctx->n_plugins = 1;
+       for (it = b; it; it = strchr(it, ':'))
+               ctx->n_plugins++;
+
+       ctx->plugins = xmalloc0(sizeof(struct plugin) * (ctx->n_plugins + 1));
+
+       b = strdup(plugins);
+       if (b == NULL) {
+               pexit("Failed to strdup");
+               return -1;
+       }
+       for (s = 0, it = strtok_r(b, ":", &saveptr); it; s++, it = 
strtok_r(NULL, ":", &saveptr)) {
+               run_oci_seccomp_notify_plugin_version_cb version_cb;
+               run_oci_seccomp_notify_start_cb start_cb;
+               void *opq = NULL;
+
+               ctx->plugins[s].handle = dlopen(it, RTLD_NOW);
+               if (ctx->plugins[s].handle == NULL) {
+                       pexitf("cannot load `%s`: %s", it, dlerror());
+                       return -1;
+               }
+
+               version_cb = 
(run_oci_seccomp_notify_plugin_version_cb)dlsym(ctx->plugins[s].handle, 
"run_oci_seccomp_notify_version");
+               if (version_cb != NULL) {
+                       int version;
+
+                       version = version_cb();
+                       if (version != 1) {
+                               pexitf("invalid version supported by the plugin 
`%s`", it);
+                               return -1;
+                       }
+               }
+
+               ctx->plugins[s].handle_request_cb =
+                       
(run_oci_seccomp_notify_handle_request_cb)dlsym(ctx->plugins[s].handle, 
"run_oci_seccomp_notify_handle_request");
+               if (ctx->plugins[s].handle_request_cb == NULL) {
+                       pexitf("plugin `%s` doesn't export 
`run_oci_seccomp_notify_handle_request`", it);
+                       return -1;
+               }
+
+               start_cb = 
(run_oci_seccomp_notify_start_cb)dlsym(ctx->plugins[s].handle, 
"run_oci_seccomp_notify_start");
+               if (start_cb) {
+                       int ret;
+
+                       ret = start_cb(&opq, conf, sizeof(*conf));
+                       if (ret != 0) {
+                               pexitf("error loading `%s`", it);
+                               return -1;
+                       }
+               }
+               ctx->plugins[s].opaque = opq;
+       }
+
+       /* Change ownership.  */
+       *out = ctx;
+       ctx = NULL;
+       return 0;
+}
+
+int seccomp_notify_plugins_event(struct seccomp_notify_context_s *ctx, int 
seccomp_fd)
+{
+       size_t i;
+       int ret;
+       bool handled = false;
+
+       memset(ctx->sreq, 0, ctx->sizes.seccomp_notif);
+       memset(ctx->sresp, 0, ctx->sizes.seccomp_notif_resp);
+
+       ret = ioctl(seccomp_fd, SECCOMP_IOCTL_NOTIF_RECV, ctx->sreq);
+       if (ret < 0) {
+               if (errno == ENOENT)
+                       return 0;
+               nwarnf("Failed to read notification from %d", seccomp_fd);
+               return -1;
+       }
+
+       for (i = 0; i < ctx->n_plugins; i++) {
+               if (ctx->plugins[i].handle_request_cb) {
+                       int resp_handled = 0;
+                       int ret;
+
+                       ret = 
ctx->plugins[i].handle_request_cb(ctx->plugins[i].opaque, &ctx->sizes, 
ctx->sreq, ctx->sresp, seccomp_fd,
+                                                               &resp_handled);
+                       if (ret != 0) {
+                               nwarnf("Failed to handle seccomp notification 
from fd %d", seccomp_fd);
+                               return -1;
+                       }
+
+                       switch (resp_handled) {
+                       case RUN_OCI_SECCOMP_NOTIFY_HANDLE_NOT_HANDLED:
+                               break;
+
+                       case RUN_OCI_SECCOMP_NOTIFY_HANDLE_SEND_RESPONSE:
+                               handled = true;
+                               break;
+
+                       /* The plugin will take care of it.  */
+                       case RUN_OCI_SECCOMP_NOTIFY_HANDLE_DELAYED_RESPONSE:
+                               return 0;
+
+                       case 
RUN_OCI_SECCOMP_NOTIFY_HANDLE_SEND_RESPONSE_AND_CONTINUE:
+                               ctx->sresp->flags |= 
SECCOMP_USER_NOTIF_FLAG_CONTINUE;
+                               handled = true;
+                               break;
+
+                       default:
+                               pexitf("Unknown handler action specified %d", 
handled);
+                               return -1;
+                       }
+               }
+       }
+
+       /* No plugin could handle the request.  */
+       if (!handled) {
+               ctx->sresp->error = -ENOTSUP;
+               ctx->sresp->flags = 0;
+       }
+
+       ctx->sresp->id = ctx->sreq->id;
+       ret = ioctl(seccomp_fd, SECCOMP_IOCTL_NOTIF_SEND, ctx->sresp);
+       if (ret < 0) {
+               if (errno == ENOENT)
+                       return 0;
+               nwarnf("Failed to send seccomp notification on fd %d", 
seccomp_fd);
+               return -errno;
+       }
+       return 0;
+}
+
+int seccomp_notify_plugins_free(struct seccomp_notify_context_s *ctx)
+{
+       size_t i;
+
+       if (ctx == NULL) {
+               nwarnf("Invalid seccomp notification context");
+               return -1;
+       }
+
+       free(ctx->sreq);
+       free(ctx->sresp);
+
+       for (i = 0; i < ctx->n_plugins; i++) {
+               if (ctx->plugins && ctx->plugins[i].handle) {
+                       run_oci_seccomp_notify_stop_cb cb;
+
+                       cb = 
(run_oci_seccomp_notify_stop_cb)dlsym(ctx->plugins[i].handle, 
"run_oci_seccomp_notify_stop");
+                       if (cb)
+                               cb(ctx->plugins[i].opaque);
+                       dlclose(ctx->plugins[i].handle);
+               }
+       }
+
+       free(ctx);
+
+       return 0;
+}
+
+static void cleanup_seccomp_plugins()
+{
+       if (seccomp_notify_ctx) {
+               seccomp_notify_plugins_free(seccomp_notify_ctx);
+               seccomp_notify_ctx = NULL;
+       }
+}
+
+void cleanup_seccomp_notify_pluginsp(void *p)
+{
+       struct seccomp_notify_context_s **pp = p;
+       if (*pp) {
+               seccomp_notify_plugins_free(*pp);
+               *pp = NULL;
+       }
+}
+
+static inline void *xmalloc0(size_t size)
+{
+       void *res = calloc(1, size);
+       if (res == NULL)
+               pexitf("calloc");
+       return res;
+}
+
+static int seccomp_syscall(unsigned int op, unsigned int flags, void *args)
+{
+       errno = 0;
+       return syscall(__NR_seccomp, op, flags, args);
+}
+#else
+gboolean seccomp_accept_cb(G_GNUC_UNUSED int fd, G_GNUC_UNUSED GIOCondition 
condition, G_GNUC_UNUSED gpointer user_data)
+{
+       pexit("seccomp support not available");
+       return G_SOURCE_REMOVE;
+}
+#endif
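Review bot: In `seccomp_notify_plugins_load` the plugin-counting loop runs over `b` before `b = strdup(plugins)` executes, so it iterates over NULL, `n_plugins` stays 1 and `ctx->plugins` holds two entries; the `strtok_r` loop then writes `ctx->plugins[s]` for every ':'-separated entry and overflows the heap allocation as soon as three or more plugins are configured (and once `b` is non-NULL, `it = strchr(it, ':')` would spin forever because it never advances past the separator it found). Move the strdup before the count and step past each ':' as below. Two smaller points in the same file: `seccomp_notify_plugins_free` never frees `ctx->plugins`, and the `default:` branch in `seccomp_notify_plugins_event` logs `handled` where `resp_handled` is the unknown value. Each accepted connection on the seccomp socket also calls `seccomp_notify_plugins_load` again and overwrites `seccomp_notify_ctx` without freeing the previous context while earlier listener fds keep dispatching through the global; whether more than one connection is expected is not visible here.
```c
int seccomp_notify_plugins_load(struct seccomp_notify_context_s **out, const char *plugins, struct seccomp_notify_conf_s *conf)
{
	/* … unchanged: context allocation, SECCOMP_GET_NOTIF_SIZES, sreq/sresp buffers … */

	b = strdup(plugins);
	if (b == NULL) {
		pexit("Failed to strdup");
		return -1;
	}

	/* One plugin per ':'-separated entry; step past each separator found. */
	ctx->n_plugins = 1;
	for (it = b; (it = strchr(it, ':')) != NULL; it++)
		ctx->n_plugins++;

	ctx->plugins = xmalloc0(sizeof(struct plugin) * (ctx->n_plugins + 1));

	/* … unchanged: strtok_r loop that dlopen()s and starts each plugin … */
```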
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/conmon-2.0.29/src/seccomp_notify.h 
new/conmon-2.0.30/src/seccomp_notify.h
--- old/conmon-2.0.29/src/seccomp_notify.h      1970-01-01 01:00:00.000000000 
+0100
+++ new/conmon-2.0.30/src/seccomp_notify.h      2021-09-21 22:13:00.000000000 
+0200
@@ -0,0 +1,21 @@
+#ifndef SECCOMP_NOTIFY_H
+#define SECCOMP_NOTIFY_H
+
+#include "seccomp_notify_plugin.h"
+
+#ifdef USE_SECCOMP
+
+struct seccomp_notify_context_s;
+
+gboolean seccomp_cb(int fd, GIOCondition condition, G_GNUC_UNUSED gpointer 
user_data);
+
+int seccomp_notify_plugins_load(struct seccomp_notify_context_s **out, const 
char *plugins, struct seccomp_notify_conf_s *conf);
+int seccomp_notify_plugins_event(struct seccomp_notify_context_s *ctx, int 
seccomp_fd);
+int seccomp_notify_plugins_free(struct seccomp_notify_context_s *ctx);
+
+#define cleanup_seccomp_notify_context 
__attribute__((cleanup(cleanup_seccomp_notify_pluginsp)))
+void cleanup_seccomp_notify_pluginsp(void *p);
+
+#endif // USE_SECCOMP
+gboolean seccomp_accept_cb(int fd, G_GNUC_UNUSED GIOCondition condition, 
G_GNUC_UNUSED gpointer user_data);
+#endif // SECCOMP_NOTIFY_H
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/conmon-2.0.29/src/seccomp_notify_plugin.h 
new/conmon-2.0.30/src/seccomp_notify_plugin.h
--- old/conmon-2.0.29/src/seccomp_notify_plugin.h       1970-01-01 
01:00:00.000000000 +0100
+++ new/conmon-2.0.30/src/seccomp_notify_plugin.h       2021-09-21 
22:13:00.000000000 +0200
@@ -0,0 +1,43 @@
+#ifndef SECCOMP_NOTIFY_PLUGIN_H
+
+#include <linux/seccomp.h>
+
+#ifdef USE_SECCOMP
+
+struct seccomp_notify_conf_s {
+       const char *runtime_root_path;
+       const char *name;
+       const char *bundle_path;
+       const char *oci_config_path;
+};
+
+/* The plugin doesn't know how to handle the request.  */
+#define RUN_OCI_SECCOMP_NOTIFY_HANDLE_NOT_HANDLED 0
+/* The plugin filled the response and it is ready to write.  */
+#define RUN_OCI_SECCOMP_NOTIFY_HANDLE_SEND_RESPONSE 1
+/* The plugin will handle the request and write directly to the fd.  */
+#define RUN_OCI_SECCOMP_NOTIFY_HANDLE_DELAYED_RESPONSE 2
+/* Specify SECCOMP_USER_NOTIF_FLAG_CONTINUE in the flags.  */
+#define RUN_OCI_SECCOMP_NOTIFY_HANDLE_SEND_RESPONSE_AND_CONTINUE 3
+
+/* Configure the plugin.  Return an opaque pointer that will be used for 
successive calls.  */
+typedef int (*run_oci_seccomp_notify_start_cb)(void **opaque, struct 
seccomp_notify_conf_s *conf, size_t size_configuration);
+
+/* Try to handle a single request.  It MUST be defined.
+   HANDLED specifies how the request was handled by the plugin:
+   0: not handled, try next plugin or return ENOTSUP if it is the last plugin.
+   RUN_OCI_SECCOMP_NOTIFY_HANDLE_SEND_RESPONSE: sresp filled and ready to be 
notified to seccomp.
+   RUN_OCI_SECCOMP_NOTIFY_HANDLE_DELAYED_RESPONSE: the notification will be 
handled internally by the plugin and forwarded to seccomp_fd. It
+   is useful for asynchronous handling.
+*/
+typedef int (*run_oci_seccomp_notify_handle_request_cb)(void *opaque, struct 
seccomp_notif_sizes *sizes, struct seccomp_notif *sreq,
+                                                       struct 
seccomp_notif_resp *sresp, int seccomp_fd, int *handled);
+
+/* Stop the plugin.  The opaque value is the return value from 
run_oci_seccomp_notify_start.  */
+typedef int (*run_oci_seccomp_notify_stop_cb)(void *opaque);
+
+/* Retrieve the API version used by the plugin.  It MUST return 1. */
+typedef int (*run_oci_seccomp_notify_plugin_version_cb)();
+
+#endif // USE_SECCOMP
+#endif // SECCOMP_NOTIFY_PLUGIN_H
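Review bot: The include guard opened by `#ifndef SECCOMP_NOTIFY_PLUGIN_H` is never defined, so a translation unit that includes this header twice (directly and via seccomp_notify.h) redefines `struct seccomp_notify_conf_s` and fails to compile; add `#define SECCOMP_NOTIFY_PLUGIN_H` directly after the `#ifndef`. The comment on `run_oci_seccomp_notify_handle_request_cb` documents three of the four HANDLED values and should also describe `RUN_OCI_SECCOMP_NOTIFY_HANDLE_SEND_RESPONSE_AND_CONTINUE`, which seccomp_notify.c treats as "send sresp with SECCOMP_USER_NOTIF_FLAG_CONTINUE ORed into its flags". `typedef int (*run_oci_seccomp_notify_plugin_version_cb)();` declares an unprototyped function pointer; `(void)` is the conventional C spelling.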
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/conmon-2.0.29/tools/vendor/github.com/cpuguy83/go-md2man/.gitignore 
new/conmon-2.0.30/tools/vendor/github.com/cpuguy83/go-md2man/.gitignore
--- old/conmon-2.0.29/tools/vendor/github.com/cpuguy83/go-md2man/.gitignore     
1970-01-01 01:00:00.000000000 +0100
+++ new/conmon-2.0.30/tools/vendor/github.com/cpuguy83/go-md2man/.gitignore     
2021-09-21 22:13:00.000000000 +0200
@@ -0,0 +1,2 @@
+go-md2man
+bin
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/conmon-2.0.29/tools/vendor/github.com/russross/blackfriday/.gitignore 
new/conmon-2.0.30/tools/vendor/github.com/russross/blackfriday/.gitignore
--- old/conmon-2.0.29/tools/vendor/github.com/russross/blackfriday/.gitignore   
1970-01-01 01:00:00.000000000 +0100
+++ new/conmon-2.0.30/tools/vendor/github.com/russross/blackfriday/.gitignore   
2021-09-21 22:13:00.000000000 +0200
@@ -0,0 +1,8 @@
+*.out
+*.swp
+*.8
+*.6
+_obj
+_test*
+markdown
+tags
