From ec3a02ebcdae82bda23cee5057e4874bb3bf3aba Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 23 Jun 2026 21:38:50 +0000
Subject: [PATCH] build(deps): Bump github.com/opencontainers/runc from 1.4.2 to 1.4.3
Bumps [github.com/opencontainers/runc](https://github.com/opencontainers/runc) from 1.4.2 to 1.4.3.
- [Release notes](https://github.com/opencontainers/runc/releases)
- [Changelog](https://github.com/opencontainers/runc/blob/main/CHANGELOG.md)
- [Commits](https://github.com/opencontainers/runc/compare/v1.4.2...v1.4.3)
---
updated-dependencies:
- dependency-name: github.com/opencontainers/runc
  dependency-version: 1.4.3
  dependency-type: direct:production
...
Signed-off-by: dependabot[bot]
---
 go.mod | 2 +-
 go.sum | 4 +-
 .../runc/internal/pathrs/mkdirall.go | 18 ++++--
 .../internal/pathrs/mkdirall_pathrslite.go | 15 ++---
 .../runc/internal/pathrs/root_pathrslite.go | 55 +++++++++++++++++--
 vendor/modules.txt | 2 +-
 6 files changed, 71 insertions(+), 25 deletions(-)
diff --git a/go.mod b/go.mod
index 09731f407..2c082bb19 100644
--- a/go.mod
+++ b/go.mod
@@ -12,7 +12,7 @@ require (
 github.com/moby/sys/reexec v0.1.0
 github.com/moby/sys/symlink v0.3.0
 github.com/opencontainers/cgroups v0.0.6
- github.com/opencontainers/runc v1.4.2
+ github.com/opencontainers/runc v1.4.3
 github.com/opencontainers/runtime-spec v1.3.0
 github.com/pelletier/go-toml v1.9.5
 github.com/prometheus/procfs v0.19.2
diff --git a/go.sum b/go.sum
index 0c1e4e5bc..40eb0bf76 100644
--- a/go.sum
+++ b/go.sum
@@ -58,8 +58,8 @@ github.com/onsi/gomega v1.34.0 h1:eSSPsPNp6ZpsG8X1OVmOTxig+CblTc4AxpPBykhe2Os=
 github.com/onsi/gomega v1.34.0/go.mod h1:MIKI8c+f+QLWk+hxbePD4i0LMJSExPaZOVfkoex4cAo=
 github.com/opencontainers/cgroups v0.0.6 h1:tfZFWTIIGaUUFImTyuTg+Mr5x8XRiSdZESgEBW7UxuI=
 github.com/opencontainers/cgroups v0.0.6/go.mod h1:oWVzJsKK0gG9SCRBfTpnn16WcGEqDI8PAcpMGbqWxcs=
-github.com/opencontainers/runc v1.4.2 h1:/AEjjXuVH9lTRl9ZyUFQj7oWBM7Xv00qFV6Vx9q5N3o=
-github.com/opencontainers/runc v1.4.2/go.mod h1:ufk5PTTsy5pnGBAvTh50e+eqGk01pYH2YcVxh557Qlk=
+github.com/opencontainers/runc v1.4.3 h1:/bq84roxG30xEICkFodXzMEVQFs7kzo4lCiZME1uKxI=
+github.com/opencontainers/runc v1.4.3/go.mod h1:ufk5PTTsy5pnGBAvTh50e+eqGk01pYH2YcVxh557Qlk=
 github.com/opencontainers/runtime-spec v1.3.0 h1:YZupQUdctfhpZy3TM39nN9Ika5CBWT5diQ8ibYCRkxg=
 github.com/opencontainers/runtime-spec v1.3.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-tools v0.9.1-0.20251114084447-edf4cb3d2116 h1:tAKu3NkKWZYpqBSOJKwTxT1wIGueiF7gcmcNgr5pNTY=
diff --git a/vendor/github.com/opencontainers/runc/internal/pathrs/mkdirall.go b/vendor/github.com/opencontainers/runc/internal/pathrs/mkdirall.go
index 3a896f484..31cc08579 100644
--- a/vendor/github.com/opencontainers/runc/internal/pathrs/mkdirall.go
+++ b/vendor/github.com/opencontainers/runc/internal/pathrs/mkdirall.go
@@ -24,6 +24,14 @@ import ( "path/filepath" ) +func splitPath(path string) (dirPath, filename string, err error) { + dirPath, filename = filepath.Split(path) + if filepath.Join("/", filename) == "/" { + return "", "", fmt.Errorf("root subpath %q has bad trailing component %q", path, filename) + } + return dirPath, filename, nil +} + // MkdirAllParentInRoot is like [MkdirAllInRoot] except that it only creates // the parent directory of the target path, returning the trailing component so // the caller has more flexibility around constructing the final inode.
@@ -31,19 +39,19 @@ import ( // Callers need to be very careful operating on the trailing path, as trivial // mistakes like following symlinks can cause security bugs. Most people // should probably just use [MkdirAllInRoot] or [CreateInRoot]. -func MkdirAllParentInRoot(root, unsafePath string, mode os.FileMode) (*os.File, string, error) { +func MkdirAllParentInRoot(root *os.File, unsafePath string, mode os.FileMode) (*os.File, string, error) { // MkdirAllInRoot also does hallucinateUnsafePath, but we need to do it // here first because when we split unsafePath into (dir, file) components // we want to be doing so with the hallucinated path (so that trailing // dangling symlinks are treated correctly). - unsafePath, err := hallucinateUnsafePath(root, unsafePath) + unsafePath, err := hallucinateUnsafePath(root.Name(), unsafePath) if err != nil { return nil, "", fmt.Errorf("failed to construct hallucinated target path: %w", err) } - dirPath, filename := filepath.Split(unsafePath) - if filepath.Join("/", filename) == "/" { - return nil, "", fmt.Errorf("create parent dir in root subpath %q has bad trailing component %q", unsafePath, filename) + dirPath, filename, err := splitPath(unsafePath) + if err != nil { + return nil, "", fmt.Errorf("split path %q for mkdir parent: %w", unsafePath, err) } dirFd, err := MkdirAllInRoot(root, dirPath, mode)
diff --git a/vendor/github.com/opencontainers/runc/internal/pathrs/mkdirall_pathrslite.go b/vendor/github.com/opencontainers/runc/internal/pathrs/mkdirall_pathrslite.go
index c2578e051..0a6f25ebd 100644
--- a/vendor/github.com/opencontainers/runc/internal/pathrs/mkdirall_pathrslite.go
+++ b/vendor/github.com/opencontainers/runc/internal/pathrs/mkdirall_pathrslite.go
@@ -24,12 +24,11 @@ import ( "github.com/cyphar/filepath-securejoin/pathrs-lite" "github.com/sirupsen/logrus" - "golang.org/x/sys/unix" ) // MkdirAllInRoot attempts to make // - // path, _ := securejoin.SecureJoin(root, unsafePath) + // path, _ := securejoin.SecureJoin(root.Name(), unsafePath) // os.MkdirAll(path, mode) // os.Open(path) //
@@ -48,8 +47,8 @@ import ( // handling if unsafePath has already been scoped within the rootfs (this is // needed for a lot of runc callers and fixing this would require reworking a // lot of path logic). -func MkdirAllInRoot(root, unsafePath string, mode os.FileMode) (*os.File, error) { - unsafePath, err := hallucinateUnsafePath(root, unsafePath) +func MkdirAllInRoot(root *os.File, unsafePath string, mode os.FileMode) (*os.File, error) { + unsafePath, err := hallucinateUnsafePath(root.Name(), unsafePath) if err != nil { return nil, fmt.Errorf("failed to construct hallucinated target path: %w", err) }
@@ -67,13 +66,7 @@ func MkdirAllInRoot(root, unsafePath string, mode os.FileMode) (*os.File, error) mode &= 0o1777 } - rootDir, err := os.OpenFile(root, unix.O_DIRECTORY|unix.O_CLOEXEC, 0) - if err != nil { - return nil, fmt.Errorf("open root handle: %w", err) - } - defer rootDir.Close() - return retryEAGAIN(func() (*os.File, error) { - return pathrs.MkdirAllHandle(rootDir, unsafePath, mode) + return pathrs.MkdirAllHandle(root, unsafePath, mode) }) }
diff --git a/vendor/github.com/opencontainers/runc/internal/pathrs/root_pathrslite.go b/vendor/github.com/opencontainers/runc/internal/pathrs/root_pathrslite.go
index 51db77440..fc5114a85 100644
--- a/vendor/github.com/opencontainers/runc/internal/pathrs/root_pathrslite.go
+++ b/vendor/github.com/opencontainers/runc/internal/pathrs/root_pathrslite.go
@@ -19,7 +19,9 @@ package pathrs import ( + "fmt" "os" + "path/filepath" "github.com/cyphar/filepath-securejoin/pathrs-lite" "golang.org/x/sys/unix"
@@ -28,11 +30,11 @@ import ( ) // OpenInRoot opens the given path inside the root with the provided flags. It -// is effectively shorthand for [securejoin.OpenInRoot] followed by +// is effectively shorthand for [securejoin.OpenatInRoot] followed by // [securejoin.Reopen]. -func OpenInRoot(root, subpath string, flags int) (*os.File, error) { +func OpenInRoot(root *os.File, subpath string, flags int) (*os.File, error) { handle, err := retryEAGAIN(func() (*os.File, error) { - return pathrs.OpenInRoot(root, subpath) + return pathrs.OpenatInRoot(root, subpath) }) if err != nil { return nil, err
@@ -47,7 +49,7 @@ func OpenInRoot(root, subpath string, flags int) (*os.File, error) { // open(O_CREAT|O_NOFOLLOW) semantics. If you want the creation to use O_EXCL, // include it in the passed flags. The fileMode argument uses unix.* mode bits, // *not* os.FileMode. -func CreateInRoot(root, subpath string, flags int, fileMode uint32) (*os.File, error) { +func CreateInRoot(root *os.File, subpath string, flags int, fileMode uint32) (*os.File, error) { dirFd, filename, err := MkdirAllParentInRoot(root, subpath, 0o755) if err != nil { return nil, err
@@ -63,5 +65,48 @@ func CreateInRoot(root, subpath string, flags int, fileMode uint32) (*os.File, e if err != nil { return nil, err } - return os.NewFile(uintptr(fd), root+"/"+subpath), nil + return os.NewFile(uintptr(fd), root.Name()+"/"+subpath), nil +} + +// UnlinkInRoot deletes the inode specified at the given subpath. If you pass +// [unix.AT_REMOVEDIR] it will remove directories, otherwise it will remove +// non-directory inodes. +func UnlinkInRoot(root *os.File, subpath string, flags int) error { + dirPath, filename, err := splitPath(subpath) + if err != nil { + return fmt.Errorf("split path %q for unlink: %w", subpath, err) + } + + dirFd := root + if filepath.Join("/", dirPath) != "/" { + newDirFd, err := OpenInRoot(root, dirPath, unix.O_DIRECTORY|unix.O_PATH) + if err != nil { + return fmt.Errorf("failed to open parent directory %q for unlink: %w", dirPath, err) + } + dirFd = newDirFd + defer dirFd.Close() + } + + err = unix.Unlinkat(int(dirFd.Fd()), filename, flags) + if err != nil { + err = &os.PathError{Op: "unlinkat", Path: dirFd.Name() + "/" + filename, Err: err} + } + return err +} + +// SymlinkInRoot creates a symlink inside a root with the given target (as well +// as creating any missing parent directories). If the subpath already exists, +// an error is returned. +func SymlinkInRoot(linktarget string, root *os.File, subpath string) error { + dirFd, filename, err := MkdirAllParentInRoot(root, subpath, 0o755) + if err != nil { + return err + } + defer dirFd.Close() + + err = unix.Symlinkat(linktarget, int(dirFd.Fd()), filename) + if err != nil { + err = &os.PathError{Op: "symlinkat", Path: dirFd.Name() + "/" + filename, Err: err} + } + return err }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 6799bb55c..4edea0b9b 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -78,7 +78,7 @@ github.com/moby/sys/symlink
 # github.com/opencontainers/cgroups v0.0.6
 ## explicit; go 1.23.0
 github.com/opencontainers/cgroups/devices/config
-# github.com/opencontainers/runc v1.4.2
+# github.com/opencontainers/runc v1.4.3
 ## explicit; go 1.24.0
 github.com/opencontainers/runc/internal/linux
 github.com/opencontainers/runc/internal/pathrs