
@cyphar cyphar released this Mar 28, 2019 · 6 commits to master since this release

WARNING: There is a regression in this release for old kernels, which we are working on fixing in #2031.

Due to CVE-2019-5736, we had to do another -rc release so users can update. We
hope to be able to release 1.0.0 in the near future (there is still an
outstanding spec-compliance issue with OCI hooks which we need to resolve
first).

This also updates runc to a vendored commit of the runtime-spec rather than a
full release, which will hopefully be rectified with runc 1.0.0. #k

Security:

  • Mitigate CVE-2019-5736. This is an updated version of the patch series sent
    out on openwall and we encourage users to update. #1982 #1984

    NOTE: This mitigation WILL NOT WORK if you run untrusted containers with
    host uid 0 and give them CAP_SYS_ADMIN (the protection operates through a
    hidden read-only bind-mount which can be re-mounted by CAP_SYS_ADMIN
    privileged users).

    Put simply -- we consider granting CAP_SYS_ADMIN to untrusted containers
    without user namespaces to be fundamentally insecure, as such we do not
    consider this to be a security issue.

    If you want an additional host-level mitigation, use chattr +i on the
    host file to ensure containers without CAP_LINUX_IMMUTABLE cannot write to
    it -- even with CAP_SYS_ADMIN. But as above, if you give
    CAP_LINUX_IMMUTABLE to a container you will have problems.

    An alternative is to bind-mount a sealed memfd copy of the runc binary over
    the binary (runc will detect this and will not attempt further mitigation,
    because sealed memfds are fundamentally unmodifiable) but this requires
    more in-depth work by administrators.

  • There appear to be production users of --no-pivot-root, which is something
    that we absolutely recommend against and do not consider to be a secure
    configuration -- since pivot_root(2) has many security properties that are
    not possible to provide with just chroot(2).

    However, a specific issue was discovered which we decided to mitigate in
    order to avoid production users being exploited by it. This security issue
    is not eligible for a CVE because it requires an insecure configuration
    (--no-pivot-root). #1962
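To make the "sealed memfd" option in the CVE-2019-5736 note above concrete, here is an added example (not runc's own code, and not part of this release) showing why a sealed memfd copy is unmodifiable and how a program can verify that an fd carries the full set of seals. It assumes Linux with memfd_create(2) and F_ADD_SEALS/F_GET_SEALS available; the "binary" it copies is a constructed placeholder byte string, and `make_sealed_copy`, `is_fully_sealed` and `try_modify` are names chosen for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* The seal set that makes a memfd immutable: no new seals, no shrink, no grow,
 * no writes (including through shared mappings). */
#define FULL_SEALS (F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)

/* Copy `len` bytes of `data` (standing in for a binary's contents) into a new
 * memfd and seal it. Returns the fd, or -1 on error. The fd can then be
 * bind-mounted over the on-disk binary via /proc/self/fd/N by an administrator. */
int make_sealed_copy(const void *data, size_t len) {
    int fd = memfd_create("sealed_copy", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, len);        /* fill before sealing */
    if (n < 0 || (size_t)n != len) {
        close(fd);
        return -1;
    }
    if (fcntl(fd, F_ADD_SEALS, FULL_SEALS) < 0) {   /* seal once, irreversibly */
        close(fd);
        return -1;
    }
    return fd;
}

/* Defender-side check: 1 if fd carries every seal in FULL_SEALS, 0 if not,
 * -1 if the fd does not support seals at all (e.g. a regular file on disk). */
int is_fully_sealed(int fd) {
    int seals = fcntl(fd, F_GET_SEALS);
    if (seals < 0)
        return -1;
    return (seals & FULL_SEALS) == FULL_SEALS;
}

/* Attempt to overwrite the first byte. Returns 0 if the write went through
 * (the fd is NOT protected) or the errno the kernel reported (EPERM for a
 * write-sealed memfd). */
int try_modify(int fd) {
    const char byte = 'x';
    if (pwrite(fd, &byte, 1, 0) < 0)
        return errno;
    return 0;
}

int main(void) {
    /* Constructed stand-in for binary contents; a real copy would read the file. */
    static const char blob[] = "\x7f" "ELF-placeholder-bytes";
    int fd = make_sealed_copy(blob, sizeof(blob));
    if (fd < 0) {
        perror("make_sealed_copy");
        return 1;
    }
    printf("fully sealed: %d\n", is_fully_sealed(fd));
    printf("overwrite attempt errno: %d (%s)\n", try_modify(fd),
           strerror(try_modify(fd)));
    close(fd);
    return 0;
}
```

The important property is the second one: once F_SEAL_WRITE is in place, even the process that created the memfd (or a later CAP_SYS_ADMIN process in a container) cannot change its contents, which is what lets the runtime skip further self-protection when it finds the full seal set on its own executable. A regular on-disk binary returns -1 from `is_fully_sealed`, so the check also distinguishes the two deployment modes the note contrasts.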

Features:

  • Add intelrdt support for MBA to runc (a new intelrdt feature available in
    Linux 4.18+). #1919
  • Add support for specifying a CRIU configuration file for checkpoint/restore
    (which makes use of a new org.criu.config annotation). #1933 #1964
  • Add support for "runc exec --preserve-fds". #1995
  • Added support for SELinux labeling of keyrings. #2012

Fixes:

  • Correct handling of "runc kill" when a container is stopped or paused.
    #1934 #1943
  • Error out if built with nokmem and kmemcg limits were requested. #1939
  • Update check-config.sh to be in line with Docker's. #1942
  • Improve handling of kmem and the systemd cgroup driver. #1960
  • Improve resilience of adding setns tasks to cgroups. #1950
  • Remove (broken) detection of .scope for systemd. #1978
  • Fix console hanging with preserve-fds, where not enough fds have actually
    been provided to runc (which is a very common mistake when using
    --preserve-fds). #2000
  • Create bind-mounts when restoring. #1968
  • Fix regression of zombie "runc init" processes. #2023

Thanks to all of the contributors that made this release possible:

With special thanks and well-wishes to Victor Marmol and Rohit Jnagal, who have
both decided to give up their maintainership. Thanks for all of your
contributions over the years, and good luck with your future endeavours!

Signed-off-by: Aleksa Sarai asarai@suse.de
