v1.1.5 -- "囚われた屈辱は　反撃の嚆矢だ"

This is the fifth patch release in the 1.1.z series of runc, which fixes
three CVEs found in runc.

* CVE-2023-25809 is a vulnerability involving rootless containers where
  (under specific configurations), the container would have write access
  to the /sys/fs/cgroup/user.slice/... cgroup hierarchy. No other
  hierarchies on the host were affected. This vulnerability was
  discovered by Akihiro Suda.
   <GHSA-m8cg-xc2p-r3fc>

* CVE-2023-27561 was a regression which effectively re-introduced
  CVE-2019-19921. This bug was present from v1.0.0-rc95 to v1.1.4. This
  regression was discovered by @Beuc.
   <GHSA-vpvm-3wq2-2wvm>

* CVE-2023-28642 is a variant of the same bug and was fixed by the same
  patch. This variant of the above vulnerability was reported by Lei
  Wang.
   <GHSA-g2j6-57v7-gm8c>

In addition, the following other fixes are included in this release:

* Fix the inability to use `/dev/null` when inside a container. (opencontainers#3620)
* Fix changing the ownership of host's `/dev/null` caused by fd redirection
  (a regression in 1.1.1). (opencontainers#3674, opencontainers#3731)
* Fix rare runc exec/enter unshare error on older kernels, including
  CentOS < 7.7. (opencontainers#3776)
* nsexec: Check for errors in `write_log()`. (opencontainers#3721)

Thanks to all of the contributors who made this release possible:

 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Evan Phoenix <evan@phx.io>
 * Jaroslav Jindrak <dzejrou@gmail.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Mrunal Patel <mrunal@me.com>
 * Rodrigo Campos <rodrigoca@microsoft.com>
 * Sebastiaan van Stijn <thaJeztah@users.noreply.github.com>
 * Shengjing Zhu <zhsj@debian.org>
 * Tianon Gravi <admwiggin@gmail.com>

[Due to the security-critical nature of this release, it was released
without a direct vote but was agreed to by the required number of
maintainers.]

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

v1.1.4 -- "If you look for perfection, you'll never be content."

This is the fourth patch release in the 1.1.z series of runc, primarily
fixing a regression introduced in 1.1.3 related to device rules. It also
fixes a few other bugs.

* Fix mounting via wrong proc fd. When the user and mount namespaces are
  used, and the bind mount is followed by the cgroup mount in the spec,
  the cgroup was mounted using the bind mount's mount fd. (opencontainers#3511)
* Switch `kill()` in `libcontainer/nsenter` to `sane_kill()`. (opencontainers#3536)
* Fix "permission denied" error from `runc run` on `noexec` fs. (opencontainers#3541)
* Fix failed exec after `systemctl daemon-reload`. Due to a regression
  in v1.1.3, the `DeviceAllow=char-pts rwm` rule was no longer added and
  was causing an error `open /dev/pts/0: operation not permitted:
  unknown` when systemd was reloaded. (opencontainers#3554)

Thanks to all of the contributors who made this release possible:

 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * guodong <guodong9211@gmail.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Mrunal Patel <mrunal@me.com>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

v1.1.3 -- "In the beginning there was nothing, which exploded."

This is the third release of the 1.1.z series of runc, and contains
various minor improvements and bugfixes.

 * Our seccomp `-ENOSYS` stub now correctly handles multiplexed syscalls on
   s390 and s390x. This solves the issue where syscalls the host kernel did not
   support would return `-EPERM` despite the existence of the `-ENOSYS` stub
   code (this was due to how s390x does syscall multiplexing). (opencontainers#3478)
 * Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as
   intended; this fix does not affect runc binary itself but is important for
   libcontainer users such as Kubernetes. (opencontainers#3476)
 * Inability to compile with recent clang due to an issue with duplicate
   constants in libseccomp-golang. (opencontainers#3477)
 * When using systemd cgroup driver, skip adding device paths that don't exist,
   to stop systemd from emitting warnings about those paths. (opencontainers#3504)
 * Socket activation was failing when more than 3 sockets were used. (opencontainers#3494)
 * Various CI fixes. (opencontainers#3472, opencontainers#3479)
 * Allow to bind mount /proc/sys/kernel/ns_last_pid to inside container. (opencontainers#3493)
 * runc static binaries are now linked against libseccomp v2.5.4. (opencontainers#3481)

Thanks to all of the contributors who made this release possible:

 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * CrazyMax <crazy-max@users.noreply.github.com>
 * Erik Sjölund <erik.sjolund@gmail.com>
 * Irwin D'Souza <dsouzai.gh@gmail.com>
 * Kang Chen <kongchen28@gmail.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Sebastiaan van Stijn <thaJeztah@users.noreply.github.com>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

v1.1.2 -- "I should think I’m going to be a perpetual student."

This is the second patch release of the runc 1.1 release branch. It
fixes CVE-2022-29162, a minor security issue (which appears to not be
exploitable) related to process capabilities.

This is a similar bug to the ones found and fixed in Docker and
containerd recently (CVE-2022-24769).

 * A bug was found in runc where runc exec --cap executed processes with
   non-empty inheritable Linux process capabilities, creating an atypical Linux
   environment. For more information, see [GHSA-f3fp-gc8g-vw66][] and
   CVE-2022-29162.
 * `runc spec` no longer sets any inheritable capabilities in the created
   example OCI spec (`config.json`) file.

Thanks to all of the contributors who made this release possible:

* Aleksa Sarai <cyphar@cyphar.com>
* Kir Kolyshkin <kolyshkin@gmail.com>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

[GHSA-f3fp-gc8g-vw66]: GHSA-f3fp-gc8g-vw66

v1.1.1 -- "Violence is the last refuge of the incompetent."

This is the first stable release in the 1.1 branch, fixing a few issues
with runc 1.1.0.

Fixed:
* runc run/start can now run a container with read-only /dev in OCI spec,
  rather than error out. (opencontainers#3355)
* runc exec now ensures that --cgroup argument is a sub-cgroup. (opencontainers#3403)
* libcontainer systemd v2 manager no longer errors out if one of the files
  listed in /sys/kernel/cgroup/delegate do not exist in container's
  cgroup. (opencontainers#3387, opencontainers#3404)
* Loosen OCI spec validation to avoid bogus "Intel RDT is not supported"
  error. (opencontainers#3406)
* libcontainer/cgroups no longer panics in cgroup v1 managers if stat
  of /sys/fs/cgroup/unified returns an error other than ENOENT. (opencontainers#3435)

Thanks to all of the contributors who made this release possible:

 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * lifubang <lifubang@acmcoder.com>
 * Markus Lehtonen <markus.lehtonen@intel.com>

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

v1.1.0 -- "A plan depends as much upon execution as it does upon conc…

…ept."

This release only contains very minor changes from v1.1.0-rc.1 and is
the first release of the 1.1.y release series of runc.

Changed:
 * libcontainer will now refuse to build without the nsenter package being
   correctly compiled (specifically this requires CGO to be enabled). This
   should avoid folks accidentally creating broken runc binaries (and
   incorrectly importing our internal libraries into their projects). (opencontainers#3331)

Thanks to the following people who made this release possible:

 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

v1.1.0~rc1 -- "He who controls the spice controls the universe."

This release is the first release candidate for the next minor release
following runc 1.0. It contains all of the bugfixes included in runc 1.0
patch releases (up to and including 1.0.3).

A fair few new features have been added, and several features have been
deprecated (with plans for removal in runc 1.2). At the moment we only
plan to do a single release candidate for runc 1.1, and once 1.1.0 is
released we will not continue updating the 1.0.z runc branch.

Deprecated:
 * runc run/start now warns if a new container cgroup is non-empty or frozen;
   this warning will become an error in runc 1.2. (opencontainers#3132, opencontainers#3223)
 * runc can only be built with Go 1.16 or later from this release onwards.
   (opencontainers#3100, opencontainers#3245)

Removed:
 * `cgroup.GetHugePageSizes` has been removed entirely, and been replaced with
   `cgroup.HugePageSizes` which is more efficient. (opencontainers#3234)
 * `intelrdt.GetIntelRdtPath` has been removed. Users who were using this
   function to get the intelrdt root should use the new `intelrdt.Root`
   instead. (opencontainers#2920, opencontainers#3239)

Added:
 * Add support for RDMA cgroup added in Linux 4.11. (opencontainers#2883)
 * runc exec now produces exit code of 255 when the exec failed.
   This may help in distinguishing between runc exec failures
   (such as invalid options, non-running container or non-existent
   binary etc.) and failures of the command being executed. (opencontainers#3073)
 * runc run: new `--keep` option to skip removal exited containers artefacts.
   This might be useful to check the state (e.g. of cgroup controllers) after
   the container hasexited. (opencontainers#2817, opencontainers#2825)
 * seccomp: add support for `SCMP_ACT_KILL_PROCESS` and `SCMP_ACT_KILL_THREAD`
   (the latter is just an alias for `SCMP_ACT_KILL`). (opencontainers#3204)
 * seccomp: add support for `SCMP_ACT_NOTIFY` (seccomp actions). This allows
   users to create sophisticated seccomp filters where syscalls can be
   efficiently emulated by privileged processes on the host. (opencontainers#2682)
 * checkpoint/restore: add an option (`--lsm-mount-context`) to set
   a different LSM mount context on restore. (opencontainers#3068)
 * runc releases are now cross-compiled for several architectures. Static
   builds for said architectures will be available for all future releases.
   (opencontainers#3197)
 * intelrdt: support ClosID parameter. (opencontainers#2920)
 * runc exec --cgroup: an option to specify a (non-top) in-container cgroup
   to use for the process being executed. (opencontainers#3040, opencontainers#3059)
 * cgroup v1 controllers now support hybrid hierarchy (i.e. when on a cgroup v1
   machine a cgroup2 filesystem is mounted to /sys/fs/cgroup/unified, runc
   run/exec now adds the container to the appropriate cgroup under it). (opencontainers#2087,
   opencontainers#3059)
 * sysctl: allow slashes in sysctl names, to better match `sysctl(8)`'s
   behaviour. (opencontainers#3254, opencontainers#3257)
 * mounts: add support for bind-mounts which are inaccessible after switching
   the user namespace. Note that this does not permit the container any
   additional access to the host filesystem, it simply allows containers to
   have bind-mounts configured for paths the user can access but have
   restrictive access control settings for other users. (opencontainers#2576)
 * Add support for recursive mount attributes using `mount_setattr(2)`. These
   have the same names as the proposed `mount(8)` options -- just prepend `r`
   to the option name (such as `rro`). (opencontainers#3272)
 * Add `runc features` subcommand to allow runc users to detect what features
   runc has been built with. This includes critical information such as
   supported mount flags, hook names, and so on. Note that the output of this
   command is subject to change and will not be considered stable until runc
   1.2 at the earliest. The runtime-spec specification for this feature is
   being developed in opencontainers/runtime-spec#1130. (opencontainers#3296)

Changed:
 * system: improve performance of `/proc/$pid/stat` parsing. (opencontainers#2696)
 * cgroup2: when `/sys/fs/cgroup` is configured as a read-write mount, change
   the ownership of certain cgroup control files (as per
   `/sys/kernel/cgroup/delegate`) to allow for proper deferral to the container
   process. (opencontainers#3057)
 * docs: series of improvements to man pages to make them easier to read and
   use. (opencontainers#3032)

Libcontainer API:
 * internal api: remove internal error types and handling system, switch to Go
   wrapped errors. (opencontainers#3033)
 * New configs.Cgroup structure fields (opencontainers#3177):
   * Systemd (whether to use systemd cgroup manager); and
   * Rootless (whether to use rootless cgroups).
 * New cgroups/manager package aiming to simplify cgroup manager instantiation.
   (opencontainers#3177)
 * All cgroup managers' instantiation methods now initialize cgroup paths and
   can return errors. This allows to use any cgroup manager method (e.g.
   Exists, Destroy, Set, GetStats) right after instantiation, which was not
   possible before (as paths were initialized in Apply only). (opencontainers#3178)

Fixed:
 * nsenter: do not try to close already-closed fds during container setup and
   bail on close(2) failures. (opencontainers#3058)
 * runc checkpoint/restore: fixed for containers with an external bind mount
   which destination is a symlink. (opencontainers#3047).
 * cgroup: improve openat2 handling for cgroup directory handle hardening.
   (opencontainers#3030)
 * `runc delete -f` now succeeds (rather than timing out) on a paused
   container. (opencontainers#3134)
 * runc run/start/exec now refuses a frozen cgroup (paused container in case of
   exec). Users can disable this using `--ignore-paused`. (opencontainers#3132, opencontainers#3223)
 * config: do not permit null bytes in mount fields. (opencontainers#3287)

Thanks to the following people who made this release possible:

 * Adrian Reber <areber@redhat.com>
 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Alban Crequy <alban@kinvolk.io>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Dave Chen <dave.chen@arm.com>
 * flouthoc <flouthoc.git@gmail.com>
 * Fraser Tweedale <ftweedal@redhat.com>
 * Itamar Holder <iholder@redhat.com>
 * Kailun Qin <kailun.qin@intel.com>
 * Kang Chen <kongchen28@gmail.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * lifubang <lifubang@acmcoder.com>
 * Liu Hua <weldonliu@tencent.com>
 * Maksim An <maksiman@microsoft.com>
 * Markus Lehtonen <markus.lehtonen@intel.com>
 * Mauricio Vásquez <mauricio@kinvolk.io>
 * Mengjiao Liu <mengjiao.liu@daocloud.io>
 * Mrunal Patel <mrunal@me.com>
 * Neil Johnson <najohnsn@gmail.com>
 * Odin Ugedal <odin@uged.al>
 * Piotr Resztak <piotr.resztak@gmail.com>
 * Qiang Huang <h.huangqiang@huawei.com>
 * Rodrigo Campos <rodrigo@kinvolk.io>
 * Sascha Grunert <sgrunert@redhat.com>
 * Sebastiaan van Stijn <github@gone.nl>
 * Shengjing Zhu <zhsj@debian.org>
 * xiadanni <xiadanni1@huawei.com>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

v1.0.3 -- "If you were waiting for the opportune moment, that was it."

This is the third stable release in the 1.0 branch, fixing a handful of medium
priority issues related to mounts and cgroups, as well as a potential security
vulnerability.

This release is expected to be the last point release in the 1.0 branch, as we
are planning to release runc 1.1 in the near future.

Security:
 * A potential vulnerability was discovered in runc (related to an internal
   usage of netlink), however upon further investigation we discovered that
   while this bug was exploitable on the master branch of runc, no released
   version of runc could be exploited using this bug. The exploit required
   being able to create a netlink attribute with a length that would overflow a
   uint16 but this was not possible in any released version of runc. For more
   information see GHSA-v95c-p5hm-xq8f and CVE-2021-43784.

   Due to an abundance of caution we decided to do an emergency release with
   this fix, but to reiterate *we do not believe this vulnerability was
   possible to exploit*. Thanks to Felix Wilhelm from Google Project Zero for
   discovering and reporting this vulnerability so quickly.

Bugfixes:
 * Fixed inability to start a container with read-write bind mount of a
   read-only fuse host mount (opencontainers#3292)
 * Fixed inability to start when read-only /dev in set in spec (opencontainers#3277)
 * Fixed not removing sub-cgroups upon container delete, when rootless cgroup v2
   is used with older systemd (opencontainers#3297)
 * Fixed returning error from GetStats when hugetlb is unsupported (which causes
   excessive logging for kubernetes) (opencontainers#3295)
 * [CI only] Fixed criu 3.16 compatibility issue (opencontainers#3282)
 * [CI only] Add Go 1.17 to the testing matrix (opencontainers#3299)

Enhancements:
 * Improved an error message when dbus-user-session is not installed and
   rootless + cgroup2 + systemd are used (opencontainers#3212)

Thanks to all of the contributors who made this release possible:

 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Kailun Qin <kailun.qin@intel.com>
 * Kang Chen <kongchen28@gmail.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Odin Ugedal <odin@uged.al>
 * Sebastiaan van Stijn <thaJeztah@users.noreply.github.com>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

v1.0.2 -- "Given the right lever, you can move a planet."

This is a second stable release in 1.0 branch, fixing a few medium and
high priority issues, including one that affects Kubernetes' usage of
runc's libcontainer.

Bugfixes:

 * Fixed a failure to set CPU quota period in some cases on cgroup v1. (opencontainers#3115)
 * Fixed the inability to start a container with the "adding seccomp filter
   rule for syscall ..." error, caused by redundant seccomp rules (i.e. those
   that has action equal to the default one). Such redundant rules are now
   skipped. (opencontainers#3129)
 * Made release builds reproducible from now on. (opencontainers#3142)
 * Fixed a rare debug log race in runc init, which can result in occasional
   harmful "failed to decode ..." errors from runc run or exec. (opencontainers#3130)
 * Fixed the check in cgroup v1 systemd manager if a container needs to be
   frozen before Set, and add a setting to skip such freeze unconditionally.
   The previous fix for that issue, done in  runc 1.0.1, was not working.
   (opencontainers#3167)

Thanks to all of the contributors who made this release possible:

 * Adrian Reber <areber@redhat.com>
 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Mrunal Patel <mrunal@me.com>
 * Odin Ugedal <odin@uged.al>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

v1.0.1 -- "If in doubt, Meriadoc, always follow your nose."

This is the first stable release in the 1.0 branch, fixing a few medium
and high priority issues with runc 1.0.0, including a few that affect
Kubernetes' usage of libcontainer.

Bugfixes:
 * Fixed occasional runc exec/run failure ("interrupted system call") on an
   Azure volume. (opencontainers#3074)
 * Fixed "unable to find groups ... token too long" error with /etc/group
   containing lines longer than 64K characters. (opencontainers#3079)
 * cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is
   frozen.  This is a regression in 1.0.0, not affecting runc itself but some
   of libcontainer users (e.g Kubernetes). (opencontainers#3085)
 * cgroupv2: bpf: Ignore inaccessible existing programs in case of
   permission error when handling replacement of existing bpf cgroup
   programs. This fixes a regression in 1.0.0, where some SELinux
   policies would block runc from being able to run entirely. (opencontainers#3087)
 * cgroup/systemd/v2: don't freeze cgroup on Set. (opencontainers#3092)
 * cgroup/systemd/v1: avoid unnecessary freeze on Set. (opencontainers#3093)

Thanks to all of the contributors who made this release possible:

 * Aleksa Sarai <cyphar@cyphar.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Maksim An <maksiman@microsoft.com>
 * Mrunal Patel <mrunal@me.com>
 * Odin Ugedal <odin@uged.al>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>