@@ -83,10 +83,11 @@ google.golang.org/grpc                              f495f5b15ae7ccda3b38c53a1bfc

 # the containerd project first, and update both after that is merged.

 # This commit does not need to match RUNC_COMMIT as it is used for helper

 # packages but should be newer or equal.

-github.com/opencontainers/runc                      67169a9d43456ff0d5ae12b967acb8e366e2f181 # v1.0.0-rc91-48-g67169a9d

-github.com/opencontainers/runtime-spec              237cc4f519e2e8f9b235bacccfa8ef5a84df2875 # v1.0.3-0.20200520003142-237cc4f519e2

+github.com/opencontainers/runc                      ff819c7e9184c13b7c2607fe6c30ae19403a7aff # v1.0.0-rc92

+github.com/opencontainers/runtime-spec              4d89ac9fbff6c455f46a5bb59c6b1bb7184a5e43 # v1.0.3-0.20200728170252-4d89ac9fbff6

 github.com/opencontainers/image-spec                d60099175f88c47cd379c4738d158884749ed235 # v1.0.1

 github.com/seccomp/libseccomp-golang                689e3c1541a84461afc49c1c87352a6cedf72e9c # v0.9.1

+github.com/cyphar/filepath-securejoin               a261ee33d7a517f054effbf451841abaafe3e0fd # v0.2.2

 # go-systemd v17 is required by github.com/coreos/pkg/capnslog/journald_formatter.go

 github.com/coreos/go-systemd                        39ca1b05acc7ad1220e09f133283b8859a8b71ab # v17

new file mode 100644

@@ -0,0 +1,28 @@

+Copyright (C) 2014-2015 Docker Inc & Go Authors. All rights reserved.

+Copyright (C) 2017 SUSE LLC. All rights reserved.

+

+Redistribution and use in source and binary forms, with or without

+modification, are permitted provided that the following conditions are

+met:

+

+   * Redistributions of source code must retain the above copyright

+notice, this list of conditions and the following disclaimer.

+   * Redistributions in binary form must reproduce the above

+copyright notice, this list of conditions and the following disclaimer

+in the documentation and/or other materials provided with the

+distribution.

+   * Neither the name of Google Inc. nor the names of its

+contributors may be used to endorse or promote products derived from

+this software without specific prior written permission.

+

+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS

+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT

+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR

+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT

+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT

+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,

+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY

+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE

+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

new file mode 100644

@@ -0,0 +1,65 @@

+## `filepath-securejoin` ##

+

+[![Build Status](https://travis-ci.org/cyphar/filepath-securejoin.svg?branch=master)](https://travis-ci.org/cyphar/filepath-securejoin)

+

+An implementation of `SecureJoin`, a [candidate for inclusion in the Go

+standard library][go#20126]. The purpose of this function is to be a "secure"

+alternative to `filepath.Join`, and in particular it provides certain

+guarantees that are not provided by `filepath.Join`.

+

+This is the function prototype:

+

+```go

+func SecureJoin(root, unsafePath string) (string, error)

+```

+

+This library **guarantees** the following:

+

+* If no error is set, the resulting string **must** be a child path of

+  `SecureJoin` and will not contain any symlink path components (they will all

+  be expanded).

+

+* When expanding symlinks, all symlink path components **must** be resolved

+  relative to the provided root. In particular, this can be considered a

+  userspace implementation of how `chroot(2)` operates on file paths. Note that

+  these symlinks will **not** be expanded lexically (`filepath.Clean` is not

+  called on the input before processing).

+

+* Non-existant path components are unaffected by `SecureJoin` (similar to

+  `filepath.EvalSymlinks`'s semantics).

+

+* The returned path will always be `filepath.Clean`ed and thus not contain any

+  `..` components.

+

+A (trivial) implementation of this function on GNU/Linux systems could be done

+with the following (note that this requires root privileges and is far more

+opaque than the implementation in this library, and also requires that

+`readlink` is inside the `root` path):

+

+```go

+package securejoin

+

+import (

+	"os/exec"

+	"path/filepath"

+)

+

+func SecureJoin(root, unsafePath string) (string, error) {

+	unsafePath = string(filepath.Separator) + unsafePath

+	cmd := exec.Command("chroot", root,

+		"readlink", "--canonicalize-missing", "--no-newline", unsafePath)

+	output, err := cmd.CombinedOutput()

+	if err != nil {

+		return "", err

+	}

+	expanded := string(output)

+	return filepath.Join(root, expanded), nil

+}

+```

+

+[go#20126]: https://github.com/golang/go/issues/20126

+

+### License ###

+

+The license of this project is the same as Go, which is a BSD 3-clause license

+available in the `LICENSE` file.

new file mode 100644

@@ -0,0 +1,134 @@

+// Copyright (C) 2014-2015 Docker Inc & Go Authors. All rights reserved.

+// Copyright (C) 2017 SUSE LLC. All rights reserved.

+// Use of this source code is governed by a BSD-style

+// license that can be found in the LICENSE file.

+

+// Package securejoin is an implementation of the hopefully-soon-to-be-included

+// SecureJoin helper that is meant to be part of the "path/filepath" package.

+// The purpose of this project is to provide a PoC implementation to make the

+// SecureJoin proposal (https://github.com/golang/go/issues/20126) more

+// tangible.

+package securejoin

+

+import (

+	"bytes"

+	"os"

+	"path/filepath"

+	"strings"

+	"syscall"

+

+	"github.com/pkg/errors"

+)

+

+// ErrSymlinkLoop is returned by SecureJoinVFS when too many symlinks have been

+// evaluated in attempting to securely join the two given paths.

+var ErrSymlinkLoop = errors.Wrap(syscall.ELOOP, "secure join")

+

+// IsNotExist tells you if err is an error that implies that either the path

+// accessed does not exist (or path components don't exist). This is

+// effectively a more broad version of os.IsNotExist.

+func IsNotExist(err error) bool {

+	// If it's a bone-fide ENOENT just bail.

+	if os.IsNotExist(errors.Cause(err)) {

+		return true

+	}

+

+	// Check that it's not actually an ENOTDIR, which in some cases is a more

+	// convoluted case of ENOENT (usually involving weird paths).

+	var errno error

+	switch err := errors.Cause(err).(type) {

+	case *os.PathError:

+		errno = err.Err

+	case *os.LinkError:

+		errno = err.Err

+	case *os.SyscallError:

+		errno = err.Err

+	}

+	return errno == syscall.ENOTDIR || errno == syscall.ENOENT

+}

+

+// SecureJoinVFS joins the two given path components (similar to Join) except

+// that the returned path is guaranteed to be scoped inside the provided root

+// path (when evaluated). Any symbolic links in the path are evaluated with the

+// given root treated as the root of the filesystem, similar to a chroot. The

+// filesystem state is evaluated through the given VFS interface (if nil, the

+// standard os.* family of functions are used).

+//

+// Note that the guarantees provided by this function only apply if the path

+// components in the returned string are not modified (in other words are not

+// replaced with symlinks on the filesystem) after this function has returned.

+// Such a symlink race is necessarily out-of-scope of SecureJoin.

+func SecureJoinVFS(root, unsafePath string, vfs VFS) (string, error) {

+	// Use the os.* VFS implementation if none was specified.

+	if vfs == nil {

+		vfs = osVFS{}

+	}

+

+	var path bytes.Buffer

+	n := 0

+	for unsafePath != "" {

+		if n > 255 {

+			return "", ErrSymlinkLoop

+		}

+

+		// Next path component, p.

+		i := strings.IndexRune(unsafePath, filepath.Separator)

+		var p string

+		if i == -1 {

+			p, unsafePath = unsafePath, ""

+		} else {

+			p, unsafePath = unsafePath[:i], unsafePath[i+1:]

+		}

+

+		// Create a cleaned path, using the lexical semantics of /../a, to

+		// create a "scoped" path component which can safely be joined to fullP

+		// for evaluation. At this point, path.String() doesn't contain any

+		// symlink components.

+		cleanP := filepath.Clean(string(filepath.Separator) + path.String() + p)

+		if cleanP == string(filepath.Separator) {

+			path.Reset()

+			continue

+		}

+		fullP := filepath.Clean(root + cleanP)

+

+		// Figure out whether the path is a symlink.

+		fi, err := vfs.Lstat(fullP)

+		if err != nil && !IsNotExist(err) {

+			return "", err

+		}

+		// Treat non-existent path components the same as non-symlinks (we

+		// can't do any better here).

+		if IsNotExist(err) || fi.Mode()&os.ModeSymlink == 0 {

+			path.WriteString(p)

+			path.WriteRune(filepath.Separator)

+			continue

+		}

+

+		// Only increment when we actually dereference a link.

+		n++

+

+		// It's a symlink, expand it by prepending it to the yet-unparsed path.

+		dest, err := vfs.Readlink(fullP)

+		if err != nil {

+			return "", err

+		}

+		// Absolute symlinks reset any work we've already done.

+		if filepath.IsAbs(dest) {

+			path.Reset()

+		}

+		unsafePath = dest + string(filepath.Separator) + unsafePath

+	}

+

+	// We have to clean path.String() here because it may contain '..'

+	// components that are entirely lexical, but would be misleading otherwise.

+	// And finally do a final clean to ensure that root is also lexically

+	// clean.

+	fullP := filepath.Clean(string(filepath.Separator) + path.String())

+	return filepath.Clean(root + fullP), nil

+}

+

+// SecureJoin is a wrapper around SecureJoinVFS that just uses the os.* library

+// of functions as the VFS. If in doubt, use this function over SecureJoinVFS.

+func SecureJoin(root, unsafePath string) (string, error) {

+	return SecureJoinVFS(root, unsafePath, nil)

+}

new file mode 100644

@@ -0,0 +1 @@

+github.com/pkg/errors v0.8.0

new file mode 100644

@@ -0,0 +1,41 @@

+// Copyright (C) 2017 SUSE LLC. All rights reserved.

+// Use of this source code is governed by a BSD-style

+// license that can be found in the LICENSE file.

+

+package securejoin

+

+import "os"

+

+// In future this should be moved into a separate package, because now there

+// are several projects (umoci and go-mtree) that are using this sort of

+// interface.

+

+// VFS is the minimal interface necessary to use SecureJoinVFS. A nil VFS is

+// equivalent to using the standard os.* family of functions. This is mainly

+// used for the purposes of mock testing, but also can be used to otherwise use

+// SecureJoin with VFS-like system.

+type VFS interface {

+	// Lstat returns a FileInfo describing the named file. If the file is a

+	// symbolic link, the returned FileInfo describes the symbolic link. Lstat

+	// makes no attempt to follow the link. These semantics are identical to

+	// os.Lstat.

+	Lstat(name string) (os.FileInfo, error)

+

+	// Readlink returns the destination of the named symbolic link. These

+	// semantics are identical to os.Readlink.

+	Readlink(name string) (string, error)

+}

+

+// osVFS is the "nil" VFS, in that it just passes everything through to the os

+// module.

+type osVFS struct{}

+

+// Lstat returns a FileInfo describing the named file. If the file is a

+// symbolic link, the returned FileInfo describes the symbolic link. Lstat

+// makes no attempt to follow the link. These semantics are identical to

+// os.Lstat.

+func (o osVFS) Lstat(name string) (os.FileInfo, error) { return os.Lstat(name) }

+

+// Readlink returns the destination of the named symbolic link. These

+// semantics are identical to os.Readlink.

+func (o osVFS) Readlink(name string) (string, error) { return os.Readlink(name) }

@@ -3,18 +3,18 @@ module github.com/opencontainers/runc

 go 1.14

 require (

-	github.com/checkpoint-restore/go-criu/v4 v4.0.2

+	github.com/checkpoint-restore/go-criu/v4 v4.1.0

 	github.com/cilium/ebpf v0.0.0-20200702112145-1c8d4c9ef775

 	github.com/containerd/console v1.0.0

-	github.com/coreos/go-systemd/v22 v22.0.0

+	github.com/coreos/go-systemd/v22 v22.1.0

 	github.com/cyphar/filepath-securejoin v0.2.2

 	github.com/docker/go-units v0.4.0

 	github.com/godbus/dbus/v5 v5.0.3

-	github.com/golang/protobuf v1.3.5

+	github.com/golang/protobuf v1.4.2

 	github.com/moby/sys/mountinfo v0.1.3

-	github.com/mrunalp/fileutils v0.0.0-20171103030105-7d4729fb3618

-	github.com/opencontainers/runtime-spec v1.0.3-0.20200520003142-237cc4f519e2

-	github.com/opencontainers/selinux v1.5.1

+	github.com/mrunalp/fileutils v0.0.0-20200520151820-abd8a0e76976

+	github.com/opencontainers/runtime-spec v1.0.3-0.20200728170252-4d89ac9fbff6

+	github.com/opencontainers/selinux v1.6.0

 	github.com/pkg/errors v0.9.1

 	github.com/seccomp/libseccomp-golang v0.9.1

 	github.com/sirupsen/logrus v1.6.0

@@ -22,5 +22,5 @@ require (

 	// NOTE: urfave/cli must be <= v1.22.1 due to a regression: https://github.com/urfave/cli/issues/1092

 	github.com/urfave/cli v1.22.1

 	github.com/vishvananda/netlink v1.1.0

-	golang.org/x/sys v0.0.0-20200327173247-9dae0f8f5775

+	golang.org/x/sys v0.0.0-20200728102440-3e129f6d46b1

 )

@@ -8,6 +8,10 @@ import (

 	"os"

 	"path/filepath"

 	"strings"

+	"syscall"

+

+	securejoin "github.com/cyphar/filepath-securejoin"

+	"golang.org/x/sys/unix"

 )

 // Code in this source file are specific to cgroup v1,

@@ -15,6 +19,7 @@ import (

 const (

 	CgroupNamePrefix = "name="

+	defaultPrefix    = "/sys/fs/cgroup"

 )

 var (

@@ -43,11 +48,59 @@ func IsNotFound(err error) bool {

 	return ok

 }

+func tryDefaultPath(cgroupPath, subsystem string) string {

+	if !strings.HasPrefix(defaultPrefix, cgroupPath) {

+		return ""

+	}

+

+	// remove possible prefix

+	subsystem = strings.TrimPrefix(subsystem, CgroupNamePrefix)

+

+	// Make sure we're still under defaultPrefix, and resolve

+	// a possible symlink (like cpu -> cpu,cpuacct).

+	path, err := securejoin.SecureJoin(defaultPrefix, subsystem)

+	if err != nil {

+		return ""

+	}

+

+	// (1) path should be a directory.

+	st, err := os.Lstat(path)

+	if err != nil || !st.IsDir() {

+		return ""

+	}

+

+	// (2) path should be a mount point.

+	pst, err := os.Lstat(filepath.Dir(path))

+	if err != nil {

+		return ""

+	}

+

+	if st.Sys().(*syscall.Stat_t).Dev == pst.Sys().(*syscall.Stat_t).Dev {

+		// parent dir has the same dev -- path is not a mount point

+		return ""

+	}

+

+	// (3) path should have 'cgroup' fs type.

+	fst := unix.Statfs_t{}

+	err = unix.Statfs(path, &fst)

+	if err != nil || fst.Type != unix.CGROUP_SUPER_MAGIC {

+		return ""

+	}

+

+	return path

+}

+

 // https://www.kernel.org/doc/Documentation/cgroup-v1/cgroups.txt

 func FindCgroupMountpoint(cgroupPath, subsystem string) (string, error) {

 	if IsCgroup2UnifiedMode() {

 		return "", errUnified

 	}

+

+	// Avoid parsing mountinfo by trying the default path first, if possible.

+	if path := tryDefaultPath(cgroupPath, subsystem); path != "" {

+		return path, nil

+	}

+

 	mnt, _, err := FindCgroupMountpointAndRoot(cgroupPath, subsystem)

 	return mnt, err

 }

@@ -57,9 +110,7 @@ func FindCgroupMountpointAndRoot(cgroupPath, subsystem string) (string, string,

 		return "", "", errUnified

 	}

-	// We are not using mount.GetMounts() because it's super-inefficient,

-	// parsing it directly sped up x10 times because of not using Sscanf.

-	// It was one of two major performance drawbacks in container start.

+	// Avoid parsing mountinfo by checking if subsystem is valid/available.

 	if !isSubsystemAvailable(subsystem) {

 		return "", "", NewNotFoundError(subsystem)

 	}

@@ -239,15 +239,6 @@ const (

 	Poststop = "poststop"

 )

-// TODO move this to runtime-spec

-// See: https://github.com/opencontainers/runtime-spec/pull/1046

-const (

-	Creating = "creating"

-	Created  = "created"

-	Running  = "running"

-	Stopped  = "stopped"

-)

-

 type Capabilities struct {

 	// Bounding is the set of capabilities checked by the kernel.

 	Bounding []string

@@ -90,7 +90,7 @@ type User struct {

 	// GID is the group id.

 	GID uint32 `json:"gid" platform:"linux,solaris"`

 	// Umask is the umask for the init process.

-	Umask uint32 `json:"umask,omitempty" platform:"linux,solaris"`

+	Umask *uint32 `json:"umask,omitempty" platform:"linux,solaris"`

 	// AdditionalGids are additional group ids set for the container's process.

 	AdditionalGids []uint32 `json:"additionalGids,omitempty" platform:"linux,solaris"`

 	// Username is the user name.

@@ -635,12 +635,13 @@ type LinuxSeccompAction string

 // Define actions for Seccomp rules

 const (

-	ActKill  LinuxSeccompAction = "SCMP_ACT_KILL"

-	ActTrap  LinuxSeccompAction = "SCMP_ACT_TRAP"

-	ActErrno LinuxSeccompAction = "SCMP_ACT_ERRNO"

-	ActTrace LinuxSeccompAction = "SCMP_ACT_TRACE"

-	ActAllow LinuxSeccompAction = "SCMP_ACT_ALLOW"

-	ActLog   LinuxSeccompAction = "SCMP_ACT_LOG"

+	ActKill        LinuxSeccompAction = "SCMP_ACT_KILL"

+	ActKillProcess LinuxSeccompAction = "SCMP_ACT_KILL_PROCESS"

+	ActTrap        LinuxSeccompAction = "SCMP_ACT_TRAP"

+	ActErrno       LinuxSeccompAction = "SCMP_ACT_ERRNO"

+	ActTrace       LinuxSeccompAction = "SCMP_ACT_TRACE"

+	ActAllow       LinuxSeccompAction = "SCMP_ACT_ALLOW"

+	ActLog         LinuxSeccompAction = "SCMP_ACT_LOG"

 )

 // LinuxSeccompOperator used to match syscall arguments in Seccomp

@@ -1,5 +1,23 @@

 package specs

+// ContainerState represents the state of a container.

+type ContainerState string

+

+const (

+	// StateCreating indicates that the container is being created

+	StateCreating ContainerState  = "creating"

+

+	// StateCreated indicates that the runtime has finished the create operation

+	StateCreated ContainerState  = "created"

+

+	// StateRunning indicates that the container process has executed the

+	// user-specified program but has not exited

+	StateRunning ContainerState  = "running"

+

+	// StateStopped indicates that the container process has exited

+	StateStopped ContainerState  = "stopped"

+)

+

 // State holds information about the runtime state of the container.

 type State struct {

 	// Version is the version of the specification that is supported.

@@ -7,7 +25,7 @@ type State struct {

 	// ID is the container ID

 	ID string `json:"id"`

 	// Status is the runtime status of the container.

-	Status string `json:"status"`

+	Status ContainerState `json:"status"`

 	// Pid is the process ID for the container process.

 	Pid int `json:"pid,omitempty"`

 	// Bundle is the path to the container's bundle directory.