!22 runc:build security options

From: @Vanient Reviewed-by: @jing-rui,@caihaomin Signed-off-by: @caihaomin
2021-03-18 15:13:19 +08:00 · 2021-03-18 15:13:19 +08:00 · d166469c4b
commit d166469c4b
parent 8f2504f874 2f6befc1d9
6 changed files with 200 additions and 2 deletions
--- a/0125-runc-compile-option-compliance.patch
+++ b/0125-runc-compile-option-compliance.patch
@ -0,0 +1,38 @@
+From d7e62b082d564d0ac1e58257f34d25082e58c3cf Mon Sep 17 00:00:00 2001
+From: xiadanni <xiadanni1@huawei.com>
+Date: Thu, 18 Mar 2021 11:17:13 +0800
+Subject: [PATCH] runc: compile option compliance
+
+Signed-off-by: xiadanni <xiadanni1@huawei.com>
+---
+ Makefile | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 43d15bf..fcf34ea 100644
+--- a/Makefile
+++ b/Makefile
+@@ -39,10 +39,17 @@ recvtty: contrib/cmd/recvtty/recvtty
+ contrib/cmd/recvtty/recvtty: $(SOURCES)
+ 	go build -i -ldflags " -buildid=IdByIsula ${BEP_FLAG} -X main.gitCommit=${COMMIT} -X main.version=${VERSION}" -tags "$(BUILDTAGS)" -o contrib/cmd/recvtty/recvtty ./contrib/cmd/recvtty
+ 
+LD_FLAGS='-w -buildid=none -tmpdir=/tmp/bep-runc -linkmode=external -extldflags=-Wl,-z,relro,-z,now \
+          -X main.gitCommit=${COMMIT} -X main.version=${VERSION}'
+
+ static: $(SOURCES)
+-	mkdir -p ${BEP_DIR}
+-	CGO_ENABLED=1 go build -i -tags "$(BUILDTAGS) cgo static_build" -ldflags "-w -buildid=IdByIsula -extldflags -static  ${BEP_FLAG}  -X main.gitCommit=${COMMIT} -X main.version=${VERSION}" -o runc .
+-	CGO_ENABLED=1 go build -i -tags "$(BUILDTAGS) cgo static_build" -ldflags "-w -buildid=IdByIsula -extldflags -static  ${BEP_FLAG}  -X main.gitCommit=${COMMIT} -X main.version=${VERSION}" -o contrib/cmd/recvtty/recvtty ./contrib/cmd/recvtty
+	rm -rf /tmp/bep-runc && mkdir /tmp/bep-runc
+	CGO_ENABLED=1 \
+	CGO_CFLAGS="-fstack-protector-strong -fPIE" \
+	CGO_CPPFLAGS="-fstack-protector-strong -fPIE" \
+	CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \
+	CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+	go build -buildmode=pie -i -tags "$(BUILDTAGS) cgo static_build" -ldflags '-extldflags=-static' -ldflags $(LD_FLAGS) -o runc .
+ 
+ release:
+ 	@flag_list=(seccomp selinux apparmor static); \
+-- 
+1.8.3.1
+
--- a/2
+++ b/2
@ -1 +1 @@
-b41f69f2326e31c3868ea78abbd046217a43868f
+115f07e6a16508a63b98f4f375e285607822b8a8
--- a/patch/0121-runc-add-cpu-and-memory-info-when-print-cgroup-info.patch
+++ b/patch/0121-runc-add-cpu-and-memory-info-when-print-cgroup-info.patch
@ -0,0 +1,70 @@
+From 0fe280f25568a5700f9ac388b1434b344e1d1fab Mon Sep 17 00:00:00 2001
+From: xiadanni <xiadanni1@huawei.com>
+Date: Mon, 4 Jan 2021 20:00:26 +0800
+Subject: [PATCH] runc: add cpu and memory info when print cgroup info
+
+Signed-off-by: xiadanni <xiadanni1@huawei.com>
+---
+ libcontainer/container_linux.go     |  4 ++--
+ libcontainer/standard_init_linux.go | 23 +++++++++++++----------
+ 2 files changed, 15 insertions(+), 12 deletions(-)
+
+diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
+index 9b25183..7319286 100644
+--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
+@@ -310,10 +310,10 @@ func (c *linuxContainer) start(process *Process) error {
+ 		return newSystemErrorWithCause(err, "creating new parent process")
+ 	}
+ 	if err := parent.start(); err != nil {
+-		printFilesInfo(c.config.Cgroups.Path)
+		printCgroupInfo(c.config.Cgroups.Path)
+ 		// terminate the process to ensure that it properly is reaped.
+ 		if err := parent.terminate(); err != nil {
+-			logrus.Warn(err)
+			logrus.Warnf("parent process terminate error: %v", err)
+ 		}
+ 		return newSystemErrorWithCause(err, "starting container process")
+ 	}
+diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
+index 96901ef..b985180 100644
+--- a/libcontainer/standard_init_linux.go
+++ b/libcontainer/standard_init_linux.go
+@@ -215,21 +215,24 @@ func (l *linuxStandardInit) Init() error {
+ 	// https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
+ 	syscall.Close(l.stateDirFD)
+ 	if err := syscall.Exec(name, l.config.Args[0:], os.Environ()); err != nil {
+-		printMemoryInfo()
+-		printFilesInfo("")
+		printCgroupInfo("")
+ 		return newSystemErrorWithCause(err, "exec user process")
+ 	}
+ 	return nil
+ }
+ 
+-func printMemoryInfo() {
+-	printFileContent("/proc/meminfo")
+-	printFileContent("/sys/fs/cgroup/memory/memory.stat")
+-}
+-
+-func printFilesInfo(path string) {
+-	printFileContent(filepath.Join("/sys/fs/cgroup/files", path, "/files.limit"))
+-	printFileContent(filepath.Join("/sys/fs/cgroup/files", path, "/files.usage"))
+func printCgroupInfo(path string) {
+	infoFileList := []string{
+		"/proc/meminfo",
+		"/sys/fs/cgroup/memory/memory.stat",
+		filepath.Join("/sys/fs/cgroup/files", path, "/files.limit"),
+		filepath.Join("/sys/fs/cgroup/files", path, "/files.usage"),
+		filepath.Join("/sys/fs/cgroup/memory", path, "/memory.stat"),
+		filepath.Join("/sys/fs/cgroup/cpu", path, "/cpu.stat"),
+	}
+	for _, file := range infoFileList {
+		printFileContent(file)
+	}
+ }
+ 
+ func printFileContent(path string) {
+-- 
+1.8.3.1
+
--- a/patch/0124-runc-fix-freezing-race.patch
+++ b/patch/0124-runc-fix-freezing-race.patch
@ -0,0 +1,69 @@
+From 943822abaa0aee51985384912292589ae1e34622 Mon Sep 17 00:00:00 2001
+From: xiadanni <xiadanni1@huawei.com>
+Date: Thu, 4 Feb 2021 16:26:49 +0800
+Subject: [PATCH] runc: fix freezing race
+
+runc kill blocks in freezer.Set, freezer.state keeps in freezing,
+because new process is creating during freeze.
+
+Upstream:https://github.com/opencontainers/runc/pull/2774
+         https://github.com/opencontainers/runc/pull/2791
+
+Signed-off-by: xiadanni <xiadanni1@huawei.com>
+---
+ libcontainer/cgroups/fs/freezer.go | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/libcontainer/cgroups/fs/freezer.go b/libcontainer/cgroups/fs/freezer.go
+index 5ab3c02..40f70c1 100644
+--- a/libcontainer/cgroups/fs/freezer.go
+++ b/libcontainer/cgroups/fs/freezer.go
+@@ -3,6 +3,7 @@
+ package fs
+ 
+ import (
+	"errors"
+ 	"fmt"
+ 	"strings"
+ 	"time"
+@@ -28,24 +29,32 @@ func (s *FreezerGroup) Apply(d *cgroupData) error {
+ 
+ func (s *FreezerGroup) Set(path string, cgroup *configs.Cgroup) error {
+ 	switch cgroup.Resources.Freezer {
+-	case configs.Frozen, configs.Thawed:
+-		for {
+	case configs.Frozen:
+		for i := 0; i < 1000; i++ {
+			if i%50 == 49 {
+				writeFile(path, "freezer.state", string(configs.Thawed))
+				time.Sleep(10 * time.Millisecond)
+			}
+ 			// In case this loop does not exit because it doesn't get the expected
+ 			// state, let's write again this state, hoping it's going to be properly
+ 			// set this time. Otherwise, this loop could run infinitely, waiting for
+ 			// a state change that would never happen.
+-			if err := writeFile(path, "freezer.state", string(cgroup.Resources.Freezer)); err != nil {
+			if err := writeFile(path, "freezer.state", string(configs.Frozen)); err != nil {
+ 				return err
+ 			}
+ 			state, err := readFile(path, "freezer.state")
+ 			if err != nil {
+ 				return err
+ 			}
+-			if strings.TrimSpace(state) == string(cgroup.Resources.Freezer) {
+-				break
+			if strings.TrimSpace(state) == string(configs.Frozen) {
+				return nil
+ 			}
+ 			time.Sleep(1 * time.Millisecond)
+ 		}
+		writeFile(path, "freezer.state", string(configs.Thawed))
+		return errors.New("unable to freeze")
+	case configs.Thawed:
+		return writeFile(path, "freezer.state", string(configs.Thawed))
+ 	case configs.Undefined:
+ 		return nil
+ 	default:
+-- 
+1.8.3.1
+
--- a/runc-openeuler.spec
+++ b/runc-openeuler.spec
@ -1,8 +1,10 @@
+#needsrootforbuild
 %global _bindir /usr/local/bin
+%global debug_package %{nil}

 Name: docker-runc
 Version: 1.0.0.rc3
-Release: 110
+Release: 112
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.

 License: ASL 2.0
@ -38,6 +40,7 @@ ln -sf `pwd` .gopath/src/github.com/opencontainers/runc
 cd .gopath/src/github.com/opencontainers/runc
 make BUILDTAGS="seccomp selinux" static 
 rm -rf .gopath
+strip runc

 install -d $RPM_BUILD_ROOT/%{_bindir}
 install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
@ -49,5 +52,19 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
 %{_bindir}/runc

 %changelog
+* Thu Mar 18 2021 xiadanni<xiadanni1@huawei.com> - 1.0.0.rc3-112
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:build security option
+
+* Thu Mar 18 2021 xiadanni<xiadanni1@huawei.com> - 1.0.0.rc3-111
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:sync bugfix, include
+       1. add cpu and memory info when print cgroup info
+       2. fix freezing race
+
 * Fri Dec 11 2020 yangyanchao <yangyanchao6@huawei.com> - 1.0.0.rc-110
 - add symbol in sys to support riscv
--- a/series.conf
+++ b/series.conf
@ -120,3 +120,7 @@
 0120-runc-fix-permission-denied.patch
 0121-runc-add-sys-symbol-to-support-riscv.patch
 0122-runc-add-riscv-on-existing-files.patch
+0121-runc-add-cpu-and-memory-info-when-print-cgroup-info.patch
+0124-runc-fix-freezing-race.patch
+0125-runc-compile-option-compliance.patch
+#end