diff --git a/go.mod b/go.mod index 16927c5e9..663014ad6 100644 --- a/go.mod +++ b/go.mod @@ -7,7 +7,7 @@ replace ( // TODO: when bumping to containerd 2.0, remove these pins github.com/Microsoft/hcsshim => github.com/Microsoft/hcsshim v0.11.7 github.com/containerd/go-runc => github.com/containerd/go-runc v1.0.0 - github.com/opencontainers/runc => github.com/opencontainers/runc v1.1.15 + github.com/opencontainers/runc => github.com/opencontainers/runc v1.1.14 ) require ( diff --git a/go.sum b/go.sum index 8f4335a6f..2ddafaafd 100644 --- a/go.sum +++ b/go.sum @@ -1560,8 +1560,8 @@ github.com/opencontainers/image-spec v1.1.0-rc2/go.mod h1:3OVijpioIKYWTqjiG0zfF6 github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b/go.mod h1:3OVijpioIKYWTqjiG0zfF6wvoJ4fAXGbjdZuI2NgsRQ= github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= -github.com/opencontainers/runc v1.1.15 h1:QMmSU2q1YUg3iOJX11phnaDi2A5/zhx4BR6h+XZ1DMA= -github.com/opencontainers/runc v1.1.15/go.mod h1:E4C2z+7BxR7GHXp0hAY53mek+x49X1LjPNeMTfRGvOA= +github.com/opencontainers/runc v1.1.14 h1:rgSuzbmgz5DUJjeSnw337TxDbRuqjs6iqQck/2weR6w= +github.com/opencontainers/runc v1.1.14/go.mod h1:E4C2z+7BxR7GHXp0hAY53mek+x49X1LjPNeMTfRGvOA= github.com/opencontainers/runtime-spec v1.0.2-0.20190207185410-29686dbc5559/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-spec v1.0.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-spec v1.0.3-0.20200929063507-e6143ca7d51d/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= diff --git a/vendor/code.cloudfoundry.org/garden/container.go b/vendor/code.cloudfoundry.org/garden/container.go index babf3bfbd..0508b9772 100644 --- a/vendor/code.cloudfoundry.org/garden/container.go +++ b/vendor/code.cloudfoundry.org/garden/container.go @@ -176,8 +176,8 @@ type TTYSpec struct { } type WindowSize struct { - Columns uint16 `json:"columns,omitempty"` - Rows uint16 `json:"rows,omitempty"` + Columns int `json:"columns,omitempty"` + Rows int `json:"rows,omitempty"` } type ProcessIO struct { diff --git a/vendor/code.cloudfoundry.org/idmapper/idmapping.go b/vendor/code.cloudfoundry.org/idmapper/idmapping.go index 9a5e4c5c9..87e6c3ec3 100644 --- a/vendor/code.cloudfoundry.org/idmapper/idmapping.go +++ b/vendor/code.cloudfoundry.org/idmapper/idmapping.go @@ -11,7 +11,7 @@ type MappingList []specs.LinuxIDMapping func (m MappingList) Map(id int) int { for _, m := range m { - if delta := int(int64(id) - int64(m.ContainerID)); delta < int(m.Size) { + if delta := id - int(m.ContainerID); delta < int(m.Size) { return int(m.HostID) + delta } } diff --git a/vendor/github.com/opencontainers/runc/CHANGELOG.md b/vendor/github.com/opencontainers/runc/CHANGELOG.md index 24296cfba..d7bef610b 100644 --- a/vendor/github.com/opencontainers/runc/CHANGELOG.md +++ b/vendor/github.com/opencontainers/runc/CHANGELOG.md @@ -6,31 +6,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased 1.1.z] -## [1.1.15] - 2024-10-07 - -> How, dear sir, did you cross the flood? By not stopping, friend, and by not -> straining I crossed the flood. - -### Fixed - - * The `-ENOSYS` seccomp stub is now always generated for the native - architecture that `runc` is running on. This is needed to work around some - arguably specification-incompliant behaviour from Docker on architectures - such as ppc64le, where the allowed architecture list is set to `null`. This - ensures that we always generate at least one `-ENOSYS` stub for the native - architecture even with these weird configs. (#4391) - * On a system with older kernel, reading `/proc/self/mountinfo` may skip some - entries, as a consequence runc may not properly set mount propagation, - causing container mounts leak onto the host mount namespace. (#2404, #4425) - -### Removed - - * In order to fix performance issues in the "lightweight" bindfd protection - against [CVE-2019-5736], the temporary `ro` bind-mount of `/proc/self/exe` - has been removed. runc now creates a binary copy in all cases. (#4392, #2532) - -[CVE-2019-5736]: https://www.openwall.com/lists/oss-security/2019/02/11/2 - ## [1.1.14] - 2024-09-03 > 年を取っていいことは、驚かなくなることね。 @@ -53,6 +28,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 (#4370, #4382) * rootfs: consolidate mountpoint creation logic. (#4359) +### Changed + ## [1.1.13] - 2024-06-13 > There is no certainty in the world. This is the only certainty I have. @@ -585,8 +562,7 @@ implementation (libcontainer) is *not* covered by this policy. [1.0.1]: https://github.com/opencontainers/runc/compare/v1.0.0...v1.0.1 -[Unreleased 1.1.z]: https://github.com/opencontainers/runc/compare/v1.1.15...release-1.1 -[1.1.15]: https://github.com/opencontainers/runc/compare/v1.1.14...v1.1.15 +[Unreleased 1.1.z]: https://github.com/opencontainers/runc/compare/v1.1.14...release-1.1 [1.1.14]: https://github.com/opencontainers/runc/compare/v1.1.13...v1.1.14 [1.1.13]: https://github.com/opencontainers/runc/compare/v1.1.12...v1.1.13 [1.1.12]: https://github.com/opencontainers/runc/compare/v1.1.11...v1.1.12 diff --git a/vendor/github.com/opencontainers/runc/VERSION b/vendor/github.com/opencontainers/runc/VERSION index 645377eea..e9bc14996 100644 --- a/vendor/github.com/opencontainers/runc/VERSION +++ b/vendor/github.com/opencontainers/runc/VERSION @@ -1 +1 @@ -1.1.15 +1.1.14 diff --git a/vendor/github.com/opencontainers/runc/libcontainer/nsenter/cloned_binary.c b/vendor/github.com/opencontainers/runc/libcontainer/nsenter/cloned_binary.c index 565748b13..d1b2d4c54 100644 --- a/vendor/github.com/opencontainers/runc/libcontainer/nsenter/cloned_binary.c +++ b/vendor/github.com/opencontainers/runc/libcontainer/nsenter/cloned_binary.c @@ -396,6 +396,61 @@ static int seal_execfd(int *fd, int fdtype) return -1; } +static int try_bindfd(void) +{ + int fd, ret = -1; + char template[PATH_MAX] = { 0 }; + char *prefix = getenv("_LIBCONTAINER_STATEDIR"); + + if (!prefix || *prefix != '/') + prefix = "/tmp"; + if (snprintf(template, sizeof(template), "%s/runc.XXXXXX", prefix) < 0) + return ret; + + /* + * We need somewhere to mount it, mounting anything over /proc/self is a + * BAD idea on the host -- even if we do it temporarily. + */ + fd = mkstemp(template); + if (fd < 0) + return ret; + close(fd); + + /* + * For obvious reasons this won't work in rootless mode because we haven't + * created a userns+mntns -- but getting that to work will be a bit + * complicated and it's only worth doing if someone actually needs it. + */ + ret = -EPERM; + if (mount("/proc/self/exe", template, "", MS_BIND, "") < 0) + goto out; + if (mount("", template, "", MS_REMOUNT | MS_BIND | MS_RDONLY, "") < 0) + goto out_umount; + + /* Get read-only handle that we're sure can't be made read-write. */ + ret = open(template, O_PATH | O_CLOEXEC); + +out_umount: + /* + * Make sure the MNT_DETACH works, otherwise we could get remounted + * read-write and that would be quite bad (the fd would be made read-write + * too, invalidating the protection). + */ + if (umount2(template, MNT_DETACH) < 0) { + if (ret >= 0) + close(ret); + ret = -ENOTRECOVERABLE; + } + +out: + /* + * We don't care about unlink errors, the worst that happens is that + * there's an empty file left around in STATEDIR. + */ + unlink(template); + return ret; +} + static ssize_t fd_to_fd(int outfd, int infd) { ssize_t total = 0; @@ -430,6 +485,18 @@ static int clone_binary(void) size_t sent = 0; int fdtype = EFD_NONE; + /* + * Before we resort to copying, let's try creating an ro-binfd in one shot + * by getting a handle for a read-only bind-mount of the execfd. + */ + execfd = try_bindfd(); + if (execfd >= 0) + return execfd; + + /* + * Dammit, that didn't work -- time to copy the binary to a safe place we + * can seal the contents. + */ execfd = make_execfd(&fdtype); if (execfd < 0 || fdtype == EFD_NONE) return -ENOTRECOVERABLE; diff --git a/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go index 04ec6d7e4..78b6998c3 100644 --- a/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go +++ b/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go @@ -801,33 +801,54 @@ func mknodDevice(dest string, node *devices.Device) error { return os.Chown(dest, int(node.Uid), int(node.Gid)) } -// rootfsParentMountPrivate ensures rootfs parent mount is private. -// This is needed for two reasons: -// - pivot_root() will fail if parent mount is shared; -// - when we bind mount rootfs, if its parent is not private, the new mount -// will propagate (leak!) to parent namespace and we don't want that. -func rootfsParentMountPrivate(path string) error { - var err error - // Assuming path is absolute and clean (this is checked in - // libcontainer/validate). Any error other than EINVAL means we failed, - // and EINVAL means this is not a mount point, so traverse up until we - // find one. - for { - err = unix.Mount("", path, "", unix.MS_PRIVATE, "") - if err == nil { - return nil +// Get the parent mount point of directory passed in as argument. Also return +// optional fields. +func getParentMount(rootfs string) (string, string, error) { + mi, err := mountinfo.GetMounts(mountinfo.ParentsFilter(rootfs)) + if err != nil { + return "", "", err + } + if len(mi) < 1 { + return "", "", fmt.Errorf("could not find parent mount of %s", rootfs) + } + + // find the longest mount point + var idx, maxlen int + for i := range mi { + if len(mi[i].Mountpoint) > maxlen { + maxlen = len(mi[i].Mountpoint) + idx = i } - if err != unix.EINVAL || path == "/" { //nolint:errorlint // unix errors are bare + } + return mi[idx].Mountpoint, mi[idx].Optional, nil +} + +// Make parent mount private if it was shared +func rootfsParentMountPrivate(rootfs string) error { + sharedMount := false + + parentMount, optionalOpts, err := getParentMount(rootfs) + if err != nil { + return err + } + + optsSplit := strings.Split(optionalOpts, " ") + for _, opt := range optsSplit { + if strings.HasPrefix(opt, "shared:") { + sharedMount = true break } - path = filepath.Dir(path) } - return &mountError{ - op: "remount-private", - target: path, - flags: unix.MS_PRIVATE, - err: err, + + // Make parent mount PRIVATE if it was shared. It is needed for two + // reasons. First of all pivot_root() will fail if parent mount is + // shared. Secondly when we bind mount rootfs it will propagate to + // parent namespace and we don't want that to happen. + if sharedMount { + return mount("", parentMount, "", "", unix.MS_PRIVATE, "") } + + return nil } func prepareRoot(config *configs.Config) error { @@ -839,6 +860,9 @@ func prepareRoot(config *configs.Config) error { return err } + // Make parent mount private to make sure following bind mount does + // not propagate in other namespaces. Also it will help with kernel + // check pass in pivot_root. (IS_SHARED(new_mnt->mnt_parent)) if err := rootfsParentMountPrivate(config.Rootfs); err != nil { return err } diff --git a/vendor/github.com/opencontainers/runc/libcontainer/seccomp/patchbpf/enosys_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/seccomp/patchbpf/enosys_linux.go index d459ba879..efe6dca58 100644 --- a/vendor/github.com/opencontainers/runc/libcontainer/seccomp/patchbpf/enosys_linux.go +++ b/vendor/github.com/opencontainers/runc/libcontainer/seccomp/patchbpf/enosys_linux.go @@ -164,11 +164,11 @@ func disassembleFilter(filter *libseccomp.ScmpFilter) ([]bpf.Instruction, error) return program, nil } -type linuxAuditArch uint32 +type nativeArch uint32 -const invalidArch linuxAuditArch = 0 +const invalidArch nativeArch = 0 -func scmpArchToAuditArch(arch libseccomp.ScmpArch) (linuxAuditArch, error) { +func archToNative(arch libseccomp.ScmpArch) (nativeArch, error) { switch arch { case libseccomp.ArchNative: // Convert to actual native architecture. @@ -176,89 +176,85 @@ func scmpArchToAuditArch(arch libseccomp.ScmpArch) (linuxAuditArch, error) { if err != nil { return invalidArch, fmt.Errorf("unable to get native arch: %w", err) } - return scmpArchToAuditArch(arch) + return archToNative(arch) case libseccomp.ArchX86: - return linuxAuditArch(C.C_AUDIT_ARCH_I386), nil + return nativeArch(C.C_AUDIT_ARCH_I386), nil case libseccomp.ArchAMD64, libseccomp.ArchX32: // NOTE: x32 is treated like x86_64 except all x32 syscalls have the // 30th bit of the syscall number set to indicate that it's not a // normal x86_64 syscall. - return linuxAuditArch(C.C_AUDIT_ARCH_X86_64), nil + return nativeArch(C.C_AUDIT_ARCH_X86_64), nil case libseccomp.ArchARM: - return linuxAuditArch(C.C_AUDIT_ARCH_ARM), nil + return nativeArch(C.C_AUDIT_ARCH_ARM), nil case libseccomp.ArchARM64: - return linuxAuditArch(C.C_AUDIT_ARCH_AARCH64), nil + return nativeArch(C.C_AUDIT_ARCH_AARCH64), nil case libseccomp.ArchMIPS: - return linuxAuditArch(C.C_AUDIT_ARCH_MIPS), nil + return nativeArch(C.C_AUDIT_ARCH_MIPS), nil case libseccomp.ArchMIPS64: - return linuxAuditArch(C.C_AUDIT_ARCH_MIPS64), nil + return nativeArch(C.C_AUDIT_ARCH_MIPS64), nil case libseccomp.ArchMIPS64N32: - return linuxAuditArch(C.C_AUDIT_ARCH_MIPS64N32), nil + return nativeArch(C.C_AUDIT_ARCH_MIPS64N32), nil case libseccomp.ArchMIPSEL: - return linuxAuditArch(C.C_AUDIT_ARCH_MIPSEL), nil + return nativeArch(C.C_AUDIT_ARCH_MIPSEL), nil case libseccomp.ArchMIPSEL64: - return linuxAuditArch(C.C_AUDIT_ARCH_MIPSEL64), nil + return nativeArch(C.C_AUDIT_ARCH_MIPSEL64), nil case libseccomp.ArchMIPSEL64N32: - return linuxAuditArch(C.C_AUDIT_ARCH_MIPSEL64N32), nil + return nativeArch(C.C_AUDIT_ARCH_MIPSEL64N32), nil case libseccomp.ArchPPC: - return linuxAuditArch(C.C_AUDIT_ARCH_PPC), nil + return nativeArch(C.C_AUDIT_ARCH_PPC), nil case libseccomp.ArchPPC64: - return linuxAuditArch(C.C_AUDIT_ARCH_PPC64), nil + return nativeArch(C.C_AUDIT_ARCH_PPC64), nil case libseccomp.ArchPPC64LE: - return linuxAuditArch(C.C_AUDIT_ARCH_PPC64LE), nil + return nativeArch(C.C_AUDIT_ARCH_PPC64LE), nil case libseccomp.ArchS390: - return linuxAuditArch(C.C_AUDIT_ARCH_S390), nil + return nativeArch(C.C_AUDIT_ARCH_S390), nil case libseccomp.ArchS390X: - return linuxAuditArch(C.C_AUDIT_ARCH_S390X), nil + return nativeArch(C.C_AUDIT_ARCH_S390X), nil case libseccomp.ArchRISCV64: - return linuxAuditArch(C.C_AUDIT_ARCH_RISCV64), nil + return nativeArch(C.C_AUDIT_ARCH_RISCV64), nil default: return invalidArch, fmt.Errorf("unknown architecture: %v", arch) } } -type lastSyscallMap map[linuxAuditArch]map[libseccomp.ScmpArch]libseccomp.ScmpSyscall +type lastSyscallMap map[nativeArch]map[libseccomp.ScmpArch]libseccomp.ScmpSyscall // Figure out largest syscall number referenced in the filter for each // architecture. We will be generating code based on the native architecture // representation, but SCMP_ARCH_X32 means we have to track cases where the // same architecture has different largest syscalls based on the mode. func findLastSyscalls(config *configs.Seccomp) (lastSyscallMap, error) { - scmpArchs := make(map[libseccomp.ScmpArch]struct{}) + lastSyscalls := make(lastSyscallMap) + // Only loop over architectures which are present in the filter. Any other + // architectures will get the libseccomp bad architecture action anyway. for _, ociArch := range config.Architectures { arch, err := libseccomp.GetArchFromString(ociArch) if err != nil { return nil, fmt.Errorf("unable to validate seccomp architecture: %w", err) } - scmpArchs[arch] = struct{}{} - } - // On architectures like ppc64le, Docker inexplicably doesn't include the - // native architecture in the architecture list which results in no - // architectures being present in the list at all (rendering the ENOSYS - // stub a no-op). So, always include the native architecture. - if nativeScmpArch, err := libseccomp.GetNativeArch(); err != nil { - return nil, fmt.Errorf("unable to get native arch: %w", err) - } else if _, ok := scmpArchs[nativeScmpArch]; !ok { - logrus.Debugf("seccomp: adding implied native architecture %v to config set", nativeScmpArch) - scmpArchs[nativeScmpArch] = struct{}{} - } - logrus.Debugf("seccomp: configured architecture set: %s", scmpArchs) - // Only loop over architectures which are present in the filter. Any other - // architectures will get the libseccomp bad architecture action anyway. - lastSyscalls := make(lastSyscallMap) - for arch := range scmpArchs { - auditArch, err := scmpArchToAuditArch(arch) + // Map native architecture to a real architecture value to avoid + // doubling-up the lastSyscall mapping. + if arch == libseccomp.ArchNative { + nativeArch, err := libseccomp.GetNativeArch() + if err != nil { + return nil, fmt.Errorf("unable to get native architecture: %w", err) + } + arch = nativeArch + } + + // Figure out native architecture representation of the architecture. + nativeArch, err := archToNative(arch) if err != nil { return nil, fmt.Errorf("cannot map architecture %v to AUDIT_ARCH_ constant: %w", arch, err) } - if _, ok := lastSyscalls[auditArch]; !ok { - lastSyscalls[auditArch] = map[libseccomp.ScmpArch]libseccomp.ScmpSyscall{} + if _, ok := lastSyscalls[nativeArch]; !ok { + lastSyscalls[nativeArch] = map[libseccomp.ScmpArch]libseccomp.ScmpSyscall{} } - if _, ok := lastSyscalls[auditArch][arch]; ok { + if _, ok := lastSyscalls[nativeArch][arch]; ok { // Because of ArchNative we may hit the same entry multiple times. - // Just skip it if we've seen this (linuxAuditArch, ScmpArch) + // Just skip it if we've seen this (nativeArch, ScmpArch) // combination before. continue } @@ -276,11 +272,10 @@ func findLastSyscalls(config *configs.Seccomp) (lastSyscallMap, error) { } } if largestSyscall != 0 { - logrus.Debugf("seccomp: largest syscall number for arch %v is %v", arch, largestSyscall) - lastSyscalls[auditArch][arch] = largestSyscall + lastSyscalls[nativeArch][arch] = largestSyscall } else { - logrus.Warnf("could not find any syscalls for arch %v", arch) - delete(lastSyscalls[auditArch], arch) + logrus.Warnf("could not find any syscalls for arch %s", ociArch) + delete(lastSyscalls[nativeArch], arch) } } return lastSyscalls, nil @@ -298,10 +293,10 @@ func findLastSyscalls(config *configs.Seccomp) (lastSyscallMap, error) { // close_range(2) which were added out-of-order in the syscall table between // kernel releases. func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error) { - // A jump-table for each linuxAuditArch used to generate the initial + // A jump-table for each nativeArch used to generate the initial // conditional jumps -- measured from the *END* of the program so they // remain valid after prepending to the tail. - archJumpTable := map[linuxAuditArch]uint32{} + archJumpTable := map[nativeArch]uint32{} // Generate our own -ENOSYS rules for each architecture. They have to be // generated in reverse (prepended to the tail of the program) because the @@ -314,7 +309,7 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error) } // Generate the syscall -ENOSYS rules. - for auditArch, maxSyscalls := range lastSyscalls { + for nativeArch, maxSyscalls := range lastSyscalls { // The number of instructions from the tail of this section which need // to be jumped in order to reach the -ENOSYS return. If the section // does not jump, it will fall through to the actual filter. @@ -395,7 +390,7 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error) // If we're on x86 we need to add a check for x32 and if we're in // the wrong mode we jump over the section. - if uint32(auditArch) == uint32(C.C_AUDIT_ARCH_X86_64) { + if uint32(nativeArch) == uint32(C.C_AUDIT_ARCH_X86_64) { // Generate a prefix to check the mode. switch scmpArch { case libseccomp.ArchAMD64: @@ -424,8 +419,8 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error) section = append(section, sectionTail...) case 2: // x32 and x86_64 are a unique case, we can't handle any others. - if uint32(auditArch) != uint32(C.C_AUDIT_ARCH_X86_64) { - return nil, fmt.Errorf("unknown architecture overlap on native arch %#x", auditArch) + if uint32(nativeArch) != uint32(C.C_AUDIT_ARCH_X86_64) { + return nil, fmt.Errorf("unknown architecture overlap on native arch %#x", nativeArch) } x32sysno, ok := maxSyscalls[libseccomp.ArchX32] @@ -502,7 +497,7 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error) programTail = append(section, programTail...) // Update jump table. - archJumpTable[auditArch] = uint32(len(programTail)) + archJumpTable[nativeArch] = uint32(len(programTail)) } // Add a dummy "jump to filter" for any architecture we might miss below. @@ -522,9 +517,9 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error) // architectures based on how large the jumps are going to be, or // re-sort the candidate architectures each time to make sure that we // pick the largest jump which is going to be smaller than 255. - for auditArch := range lastSyscalls { + for nativeArch := range lastSyscalls { // We jump forwards but the jump table is calculated from the *END*. - jump := uint32(len(programTail)) - archJumpTable[auditArch] + jump := uint32(len(programTail)) - archJumpTable[nativeArch] // Same routine as above -- this is a basic jeq check, complicated // slightly if it turns out that we need to do a long jump. @@ -533,7 +528,7 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error) // jeq [arch],[jump] bpf.JumpIf{ Cond: bpf.JumpEqual, - Val: uint32(auditArch), + Val: uint32(nativeArch), SkipTrue: uint8(jump), }, }, programTail...) @@ -542,7 +537,7 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error) // jne [arch],1 bpf.JumpIf{ Cond: bpf.JumpNotEqual, - Val: uint32(auditArch), + Val: uint32(nativeArch), SkipTrue: 1, }, // ja [jump] diff --git a/vendor/modules.txt b/vendor/modules.txt index fb262a799..1707eec5a 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -766,7 +766,7 @@ github.com/opencontainers/go-digest/digestset github.com/opencontainers/image-spec/identity github.com/opencontainers/image-spec/specs-go github.com/opencontainers/image-spec/specs-go/v1 -# github.com/opencontainers/runc v1.2.1 => github.com/opencontainers/runc v1.1.15 +# github.com/opencontainers/runc v1.2.1 => github.com/opencontainers/runc v1.1.14 ## explicit; go 1.18 github.com/opencontainers/runc github.com/opencontainers/runc/libcontainer @@ -1330,7 +1330,7 @@ tags.cncf.io/container-device-interface/pkg/parser tags.cncf.io/container-device-interface/specs-go # github.com/Microsoft/hcsshim => github.com/Microsoft/hcsshim v0.11.7 # github.com/containerd/go-runc => github.com/containerd/go-runc v1.0.0 -# github.com/opencontainers/runc => github.com/opencontainers/runc v1.1.15 +# github.com/opencontainers/runc => github.com/opencontainers/runc v1.1.14 # code.cloudfoundry.org/garden => ../garden # code.cloudfoundry.org/grootfs => ../grootfs # code.cloudfoundry.org/idmapper => ../idmapper