Merge pull request #6147 from containers/renovate/github.com-opencontainers-runc-1.x

fix(deps): update module github.com/opencontainers/runc to v1.3.0
openshift-merge-bot[bot] 2025-04-30 14:44:23 +00:00 committed by GitHub
commit 8e43db65ca
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
9 changed files with 47 additions and 201 deletions

4
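--- a/go.mod
+++ b/go.mod
@@ -23,9 +23,10 @@ require (
 github.com/moby/buildkit v0.21.1
 github.com/moby/sys/capability v0.4.0
 github.com/moby/sys/userns v0.1.0
+github.com/opencontainers/cgroups v0.0.1
 github.com/opencontainers/go-digest v1.0.0
 github.com/opencontainers/image-spec v1.1.1
-github.com/opencontainers/runc v1.2.6
+github.com/opencontainers/runc v1.3.0
 github.com/opencontainers/runtime-spec v1.2.1
 github.com/opencontainers/runtime-tools v0.9.1-0.20250303011046-260e151b8552
 github.com/opencontainers/selinux v1.12.0
@@ -119,7 +120,6 @@ require (
 github.com/modern-go/reflect2 v1.0.2 // indirect
 github.com/morikuni/aec v1.0.0 // indirect
 github.com/oklog/ulid v1.3.1 // indirect
-github.com/opencontainers/cgroups v0.0.1 // indirect
 github.com/ostreedev/ostree-go v0.0.0-20210805093236-719684c64e4f // indirect
 github.com/pkg/errors v0.9.1 // indirect
 github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect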

4
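--- a/go.sum
+++ b/go.sum
@@ -278,8 +278,8 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
 github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
-github.com/opencontainers/runc v1.2.6 h1:P7Hqg40bsMvQGCS4S7DJYhUZOISMLJOB2iGX5COWiPk=
-github.com/opencontainers/runc v1.2.6/go.mod h1:dOQeFo29xZKBNeRBI0B19mJtfHv68YgCTh1X+YphA+4=
+github.com/opencontainers/runc v1.3.0 h1:cvP7xbEvD0QQAs0nZKLzkVog2OPZhI/V2w3WmTmUSXI=
+github.com/opencontainers/runc v1.3.0/go.mod h1:9wbWt42gV+KRxKRVVugNP6D5+PQciRbenB4fLVsqGPs=
 github.com/opencontainers/runtime-spec v1.2.1 h1:S4k4ryNgEpxW1dzyqffOmhI1BHYcjzU8lpJfSlR0xww=
 github.com/opencontainers/runtime-spec v1.2.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-tools v0.9.1-0.20250303011046-260e151b8552 h1:CkXngT0nixZqQUPDVfwVs3GiuhfTqCMk0V+OoHpxIvA=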


@ -8,6 +8,7 @@ import (
"path/filepath" "path/filepath"
"github.com/containers/buildah/define" "github.com/containers/buildah/define"
"github.com/opencontainers/cgroups/devices/config"
"github.com/opencontainers/runc/libcontainer/devices" "github.com/opencontainers/runc/libcontainer/devices"
) )
@ -47,7 +48,7 @@ func DeviceFromPath(device string) (define.ContainerDevices, error) {
} }
for _, d := range srcDevices { for _, d := range srcDevices {
d.Path = filepath.Join(dst, filepath.Base(d.Path)) d.Path = filepath.Join(dst, filepath.Base(d.Path))
d.Permissions = devices.Permissions(permissions) d.Permissions = config.Permissions(permissions)
device := define.BuildahDevice{Device: *d, Source: src, Destination: dst} device := define.BuildahDevice{Device: *d, Source: src, Destination: dst}
devs = append(devs, device) devs = append(devs, device)
} }
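Review bot: `d.Permissions = config.Permissions(permissions)` inside the `for _, d := range srcDevices` loop is a plain string conversion, so nothing on this line rejects characters outside `rwm` before the value ends up in the device's cgroup rule. The type being replaced exposes `IsValid()` for exactly this check, and the new one is presumably the same type moved to `opencontainers/cgroups`. Whether `permissions` is validated earlier in `DeviceFromPath` cannot be seen here, since the function body starts and ends outside the hunk. If it is not, add a guard before the loop such as `if !config.Permissions(permissions).IsValid() { return nil, fmt.Errorf("invalid device permissions %q", permissions) }`, assuming `fmt` is already imported in this file.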


@ -1,174 +0,0 @@
package devices
import (
"fmt"
"os"
"strconv"
)
const (
Wildcard = -1
)
type Device struct {
Rule
// Path to the device.
Path string `json:"path"`
// FileMode permission bits for the device.
FileMode os.FileMode `json:"file_mode"`
// Uid of the device.
Uid uint32 `json:"uid"`
// Gid of the device.
Gid uint32 `json:"gid"`
}
// Permissions is a cgroupv1-style string to represent device access. It
// has to be a string for backward compatibility reasons, hence why it has
// methods to do set operations.
type Permissions string
const (
deviceRead uint = (1 << iota)
deviceWrite
deviceMknod
)
func (p Permissions) toSet() uint {
var set uint
for _, perm := range p {
switch perm {
case 'r':
set |= deviceRead
case 'w':
set |= deviceWrite
case 'm':
set |= deviceMknod
}
}
return set
}
func fromSet(set uint) Permissions {
var perm string
if set&deviceRead == deviceRead {
perm += "r"
}
if set&deviceWrite == deviceWrite {
perm += "w"
}
if set&deviceMknod == deviceMknod {
perm += "m"
}
return Permissions(perm)
}
// Union returns the union of the two sets of Permissions.
func (p Permissions) Union(o Permissions) Permissions {
lhs := p.toSet()
rhs := o.toSet()
return fromSet(lhs | rhs)
}
// Difference returns the set difference of the two sets of Permissions.
// In set notation, A.Difference(B) gives you A\B.
func (p Permissions) Difference(o Permissions) Permissions {
lhs := p.toSet()
rhs := o.toSet()
return fromSet(lhs &^ rhs)
}
// Intersection computes the intersection of the two sets of Permissions.
func (p Permissions) Intersection(o Permissions) Permissions {
lhs := p.toSet()
rhs := o.toSet()
return fromSet(lhs & rhs)
}
// IsEmpty returns whether the set of permissions in a Permissions is
// empty.
func (p Permissions) IsEmpty() bool {
return p == Permissions("")
}
// IsValid returns whether the set of permissions is a subset of valid
// permissions (namely, {r,w,m}).
func (p Permissions) IsValid() bool {
return p == fromSet(p.toSet())
}
type Type rune
const (
WildcardDevice Type = 'a'
BlockDevice Type = 'b'
CharDevice Type = 'c' // or 'u'
FifoDevice Type = 'p'
)
func (t Type) IsValid() bool {
switch t {
case WildcardDevice, BlockDevice, CharDevice, FifoDevice:
return true
default:
return false
}
}
func (t Type) CanMknod() bool {
switch t {
case BlockDevice, CharDevice, FifoDevice:
return true
default:
return false
}
}
func (t Type) CanCgroup() bool {
switch t {
case WildcardDevice, BlockDevice, CharDevice:
return true
default:
return false
}
}
type Rule struct {
// Type of device ('c' for char, 'b' for block). If set to 'a', this rule
// acts as a wildcard and all fields other than Allow are ignored.
Type Type `json:"type"`
// Major is the device's major number.
Major int64 `json:"major"`
// Minor is the device's minor number.
Minor int64 `json:"minor"`
// Permissions is the set of permissions that this rule applies to (in the
// cgroupv1 format -- any combination of "rwm").
Permissions Permissions `json:"permissions"`
// Allow specifies whether this rule is allowed.
Allow bool `json:"allow"`
}
func (d *Rule) CgroupString() string {
var (
major = strconv.FormatInt(d.Major, 10)
minor = strconv.FormatInt(d.Minor, 10)
)
if d.Major == Wildcard {
major = "*"
}
if d.Minor == Wildcard {
minor = "*"
}
return fmt.Sprintf("%c %s:%s %s", d.Type, major, minor, d.Permissions)
}
func (d *Rule) Mkdev() (uint64, error) {
return mkDev(d)
}


@ -0,0 +1,20 @@
package devices
import "github.com/opencontainers/cgroups/devices/config"
// Deprecated: use [github.com/opencontainers/cgroups/devices/config].
const (
Wildcard = config.Wildcard
WildcardDevice = config.WildcardDevice
BlockDevice = config.BlockDevice
CharDevice = config.CharDevice
FifoDevice = config.FifoDevice
)
// Deprecated: use [github.com/opencontainers/cgroups/devices/config].
type (
Device = config.Device
Permissions = config.Permissions
Type = config.Type
Rule = config.Rule
)


@ -19,13 +19,6 @@ var (
osReadDir = os.ReadDir osReadDir = os.ReadDir
) )
func mkDev(d *Rule) (uint64, error) {
if d.Major == Wildcard || d.Minor == Wildcard {
return 0, errors.New("cannot mkdev() device with wildcards")
}
return unix.Mkdev(uint32(d.Major), uint32(d.Minor)), nil
}
// DeviceFromPath takes the path to a device and its cgroup_permissions (which // DeviceFromPath takes the path to a device and its cgroup_permissions (which
// cannot be easily queried) to look up the information about a linux device // cannot be easily queried) to look up the information about a linux device
// and returns that information as a Device struct. // and returns that information as a Device struct.


@ -50,19 +50,19 @@ func CleanPath(path string) string {
// Ensure that all paths are cleaned (especially problematic ones like // Ensure that all paths are cleaned (especially problematic ones like
// "/../../../../../" which can cause lots of issues). // "/../../../../../" which can cause lots of issues).
path = filepath.Clean(path)
if filepath.IsAbs(path) {
return filepath.Clean(path)
}
// If the path isn't absolute, we need to do more processing to fix paths // If the path isn't absolute, we need to do more processing to fix paths
// such as "../../../../<etc>/some/path". We also shouldn't convert absolute // such as "../../../../<etc>/some/path". We also shouldn't convert absolute
// paths to relative ones. // paths to relative ones.
if !filepath.IsAbs(path) { path = filepath.Clean(string(os.PathSeparator) + path)
path = filepath.Clean(string(os.PathSeparator) + path) // This can't fail, as (by definition) all paths are relative to root.
// This can't fail, as (by definition) all paths are relative to root. path, _ = filepath.Rel(string(os.PathSeparator), path)
path, _ = filepath.Rel(string(os.PathSeparator), path)
}
// Clean the path again for good measure. return path
return filepath.Clean(path)
} }
// stripRoot returns the passed path, stripping the root path if it was // stripRoot returns the passed path, stripping the root path if it was
@ -77,7 +77,7 @@ func stripRoot(root, path string) string {
path = "/" path = "/"
case root == "/": case root == "/":
// do nothing // do nothing
case strings.HasPrefix(path, root+"/"): default:
path = strings.TrimPrefix(path, root+"/") path = strings.TrimPrefix(path, root+"/")
} }
return CleanPath("/" + path) return CleanPath("/" + path)
@ -88,8 +88,8 @@ func stripRoot(root, path string) string {
func SearchLabels(labels []string, key string) (string, bool) { func SearchLabels(labels []string, key string) (string, bool) {
key += "=" key += "="
for _, s := range labels { for _, s := range labels {
if strings.HasPrefix(s, key) { if val, ok := strings.CutPrefix(s, key); ok {
return s[len(key):], true return val, true
} }
} }
return "", false return "", false


@ -102,8 +102,14 @@ func fdRangeFrom(minFd int, fn fdFunc) error {
func CloseExecFrom(minFd int) error { func CloseExecFrom(minFd int) error {
// Use close_range(CLOSE_RANGE_CLOEXEC) if possible. // Use close_range(CLOSE_RANGE_CLOEXEC) if possible.
if haveCloseRangeCloexec() { if haveCloseRangeCloexec() {
err := unix.CloseRange(uint(minFd), math.MaxUint, unix.CLOSE_RANGE_CLOEXEC) err := unix.CloseRange(uint(minFd), math.MaxInt32, unix.CLOSE_RANGE_CLOEXEC)
return os.NewSyscallError("close_range", err) if err == nil {
return nil
}
logrus.Debugf("close_range failed, closing range one at a time (error: %v)", err)
// If close_range fails, we fall back to the standard loop.
} }
// Otherwise, fall back to the standard loop. // Otherwise, fall back to the standard loop.
return fdRangeFrom(minFd, unix.CloseOnExec) return fdRangeFrom(minFd, unix.CloseOnExec)

4
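--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -576,8 +576,8 @@ github.com/opencontainers/go-digest
 ## explicit; go 1.18
 github.com/opencontainers/image-spec/specs-go
 github.com/opencontainers/image-spec/specs-go/v1
-# github.com/opencontainers/runc v1.2.6
-## explicit; go 1.22
+# github.com/opencontainers/runc v1.3.0
+## explicit; go 1.23.0
 github.com/opencontainers/runc/libcontainer/apparmor
 github.com/opencontainers/runc/libcontainer/devices
 github.com/opencontainers/runc/libcontainer/utils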