[1.1.15] - 2024-10-07

Fixed

The `-ENOSYS` seccomp stub is now always generated for the native architecture that `runc` is running on. This is needed to work around some arguably specification-incompliant behaviour from Docker on architectures such as ppc64le, where the allowed architecture list is set to `null`. This ensures that we always generate at least one `-ENOSYS` stub for the native architecture even with these weird configs. ([1.1] seccomp: patchbpf: always include native architecture in stub #4391)

`/proc/self/mountinfo` may skip some entries; as a consequence, runc may not properly set mount propagation, causing container mounts to leak onto the host mount namespace. (runc has problems due to leaked mount information #2404, [1.1] runc run: fix mount leak #4425)
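To verify on a host whether container mounts are still sitting in a shared peer group (the symptom of the propagation bug above), here is an added example, not runc's own code, that parses `/proc/self/mountinfo` lines, decodes their octal-escaped paths, and lists the mounts under a given rootfs that carry a `shared:` tag; the sample lines and the rootfs path `/run/containers/ctr1/rootfs` are constructed.

```python
import re
from dataclasses import dataclass

@dataclass
class MountEntry:
    mount_id: int
    parent_id: int
    root: str
    mount_point: str
    propagation: tuple   # optional fields such as ("shared:12",) or ("master:3",), () if none
    fstype: str
    source: str

def _unescape(s):
    # mountinfo encodes space, tab, newline and backslash as \ooo octal escapes
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), s)

def parse_mountinfo(text):
    """Parse mountinfo text into MountEntry objects (format: proc(5), 'mountinfo')."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, sep, post = line.partition(" - ")   # " - " separates optional fields from fstype
        if not sep:
            raise ValueError(f"malformed mountinfo line: {line!r}")
        fields = pre.split()
        if len(fields) < 6 or len(post.split()) < 2:
            raise ValueError(f"malformed mountinfo line: {line!r}")
        mount_id, parent_id, _devno, root, mount_point, _opts = fields[:6]
        fstype, source = post.split()[:2]
        entries.append(MountEntry(int(mount_id), int(parent_id), _unescape(root),
                                  _unescape(mount_point), tuple(fields[6:]), fstype, source))
    return entries

def shared_mounts_under(entries, prefix):
    """Mount points at or below `prefix` that are in a shared peer group (would propagate to the host)."""
    base = prefix.rstrip("/") + "/"
    return [e.mount_point for e in entries
            if (e.mount_point == prefix or e.mount_point.startswith(base))
            and any(f.startswith("shared:") for f in e.propagation)]

# Constructed sample: a container rootfs whose overlay and /dev mounts leaked into shared groups,
# a private proc mount, and a host mount whose path contains an escaped space.
SAMPLE = r"""22 1 0:21 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
36 22 0:31 / /run/containers/ctr1/rootfs rw,relatime shared:12 - overlay overlay rw,lowerdir=/l,upperdir=/u,workdir=/w
37 36 0:32 / /run/containers/ctr1/rootfs/proc rw,nosuid,nodev,noexec,relatime - proc proc rw
38 36 0:33 / /run/containers/ctr1/rootfs/dev rw,nosuid shared:13 - tmpfs tmpfs rw,mode=755
39 22 8:2 / /mnt/data\040disk rw,relatime shared:2 - ext4 /dev/sda2 rw
"""

if __name__ == "__main__":
    for mp in shared_mounts_under(parse_mountinfo(SAMPLE), "/run/containers/ctr1/rootfs"):
        print("shared mount under container rootfs:", mp)
```

On a real host, feed it `open("/proc/self/mountinfo").read()` and the container's bundle rootfs path; an empty result means no mount under that rootfs can propagate back to the host namespace.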
Removed

The temporary `ro` bind-mount of `/proc/self/exe` (the bindfd protection against CVE-2019-5736) has been removed. runc now creates a binary copy in all cases. ([1.1] nsenter: cloned_binary: remove bindfd logic entirely #4392, too many mount/umount syscalls #2532)
I'd like to create a 1.1.15 release including the change to remove the bindfd logic (already backported :)), as that is causing us quite some pain. I'm of course fine if we release earlier than that date, in fact that would be great :)
I'll be on PTO starting today and coming back next week. Feel free to either push to this branch to amend any changes (maintainers can push to that branch on my behalf IIUC), otherwise I can address the changes early next week.