Bump to runc v1.3.3 - CVE-2025-52881

Bump to runc v1.3.3 to address CVE-2025-52881

Fixes: https://issues.redhat.com/browse/RHEL-126638

Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>

vendor/github.com/opencontainers/runc/internal/pathrs/doc.go

@@ -0,0 +1,23 @@
+// SPDX-License-Identifier: Apache-2.0
+/*
+ * Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>
+ * Copyright (C) 2024-2025 SUSE LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// Package pathrs provides wrappers around filepath-securejoin to add the
+// minimum set of features needed from libpathrs that are not provided by
+// filepath-securejoin, with the eventual goal being that these can be used to
+// ease the transition by converting them stubs when enabling libpathrs builds.
+package pathrs

vendor/github.com/opencontainers/runc/internal/pathrs/mkdirall_pathrslite.go

@@ -0,0 +1,99 @@
+// SPDX-License-Identifier: Apache-2.0
+/*
+ * Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>
+ * Copyright (C) 2024-2025 SUSE LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package pathrs
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/cyphar/filepath-securejoin/pathrs-lite"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+)
+
+// MkdirAllInRootOpen attempts to make
+//
+//	path, _ := securejoin.SecureJoin(root, unsafePath)
+//	os.MkdirAll(path, mode)
+//	os.Open(path)
+//
+// safer against attacks where components in the path are changed between
+// SecureJoin returning and MkdirAll (or Open) being called. In particular, we
+// try to detect any symlink components in the path while we are doing the
+// MkdirAll.
+//
+// NOTE: If unsafePath is a subpath of root, we assume that you have already
+// called SecureJoin and so we use the provided path verbatim without resolving
+// any symlinks (this is done in a way that avoids symlink-exchange races).
+// This means that the path also must not contain ".." elements, otherwise an
+// error will occur.
+//
+// This uses (pathrs-lite).MkdirAllHandle under the hood, but it has special
+// handling if unsafePath has already been scoped within the rootfs (this is
+// needed for a lot of runc callers and fixing this would require reworking a
+// lot of path logic).
+func MkdirAllInRootOpen(root, unsafePath string, mode os.FileMode) (*os.File, error) {
+	// If the path is already "within" the root, get the path relative to the
+	// root and use that as the unsafe path. This is necessary because a lot of
+	// MkdirAllInRootOpen callers have already done SecureJoin, and refactoring
+	// all of them to stop using these SecureJoin'd paths would require a fair
+	// amount of work.
+	// TODO(cyphar): Do the refactor to libpathrs once it's ready.
+	if IsLexicallyInRoot(root, unsafePath) {
+		subPath, err := filepath.Rel(root, unsafePath)
+		if err != nil {
+			return nil, err
+		}
+		unsafePath = subPath
+	}
+
+	// Check for any silly mode bits.
+	if mode&^0o7777 != 0 {
+		return nil, fmt.Errorf("tried to include non-mode bits in MkdirAll mode: 0o%.3o", mode)
+	}
+	// Linux (and thus os.MkdirAll) silently ignores the suid and sgid bits if
+	// passed. While it would make sense to return an error in that case (since
+	// the user has asked for a mode that won't be applied), for compatibility
+	// reasons we have to ignore these bits.
+	if ignoredBits := mode &^ 0o1777; ignoredBits != 0 {
+		logrus.Warnf("MkdirAll called with no-op mode bits that are ignored by Linux: 0o%.3o", ignoredBits)
+		mode &= 0o1777
+	}
+
+	rootDir, err := os.OpenFile(root, unix.O_DIRECTORY|unix.O_CLOEXEC, 0)
+	if err != nil {
+		return nil, fmt.Errorf("open root handle: %w", err)
+	}
+	defer rootDir.Close()
+
+	return retryEAGAIN(func() (*os.File, error) {
+		return pathrs.MkdirAllHandle(rootDir, unsafePath, mode)
+	})
+}
+
+// MkdirAllInRoot is a wrapper around MkdirAllInRootOpen which closes the
+// returned handle, for callers that don't need to use it.
+func MkdirAllInRoot(root, unsafePath string, mode os.FileMode) error {
+	f, err := MkdirAllInRootOpen(root, unsafePath, mode)
+	if err == nil {
+		_ = f.Close()
+	}
+	return err
+}

vendor/github.com/opencontainers/runc/internal/pathrs/path.go

@@ -0,0 +1,34 @@
+// SPDX-License-Identifier: Apache-2.0
+/*
+ * Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>
+ * Copyright (C) 2024-2025 SUSE LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package pathrs
+
+import (
+	"strings"
+)
+
+// IsLexicallyInRoot is shorthand for strings.HasPrefix(path+"/", root+"/"),
+// but properly handling the case where path or root have a "/" suffix.
+//
+// NOTE: The return value only make sense if the path is already mostly cleaned
+// (i.e., doesn't contain "..", ".", nor unneeded "/"s).
+func IsLexicallyInRoot(root, path string) bool {
+	root = strings.TrimRight(root, "/")
+	path = strings.TrimRight(path, "/")
+	return strings.HasPrefix(path+"/", root+"/")
+}

vendor/github.com/opencontainers/runc/internal/pathrs/procfs_pathrslite.go

@@ -0,0 +1,108 @@
+// SPDX-License-Identifier: Apache-2.0
+/*
+ * Copyright (C) 2025 Aleksa Sarai <cyphar@cyphar.com>
+ * Copyright (C) 2025 SUSE LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package pathrs
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/cyphar/filepath-securejoin/pathrs-lite"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/procfs"
+)
+
+func procOpenReopen(openFn func(subpath string) (*os.File, error), subpath string, flags int) (*os.File, error) {
+	handle, err := retryEAGAIN(func() (*os.File, error) {
+		return openFn(subpath)
+	})
+	if err != nil {
+		return nil, err
+	}
+	defer handle.Close()
+
+	f, err := Reopen(handle, flags)
+	if err != nil {
+		return nil, fmt.Errorf("reopen %s: %w", handle.Name(), err)
+	}
+	return f, nil
+}
+
+// ProcSelfOpen is a wrapper around [procfs.Handle.OpenSelf] and
+// [pathrs.Reopen], to let you one-shot open a procfs file with the given
+// flags.
+func ProcSelfOpen(subpath string, flags int) (*os.File, error) {
+	proc, err := retryEAGAIN(procfs.OpenProcRoot)
+	if err != nil {
+		return nil, err
+	}
+	defer proc.Close()
+	return procOpenReopen(proc.OpenSelf, subpath, flags)
+}
+
+// ProcPidOpen is a wrapper around [procfs.Handle.OpenPid] and [pathrs.Reopen],
+// to let you one-shot open a procfs file with the given flags.
+func ProcPidOpen(pid int, subpath string, flags int) (*os.File, error) {
+	proc, err := retryEAGAIN(procfs.OpenProcRoot)
+	if err != nil {
+		return nil, err
+	}
+	defer proc.Close()
+	return procOpenReopen(func(subpath string) (*os.File, error) {
+		return proc.OpenPid(pid, subpath)
+	}, subpath, flags)
+}
+
+// ProcThreadSelfOpen is a wrapper around [procfs.Handle.OpenThreadSelf] and
+// [pathrs.Reopen], to let you one-shot open a procfs file with the given
+// flags. The returned [procfs.ProcThreadSelfCloser] needs the same handling as
+// when using pathrs-lite.
+func ProcThreadSelfOpen(subpath string, flags int) (_ *os.File, _ procfs.ProcThreadSelfCloser, Err error) {
+	proc, err := retryEAGAIN(procfs.OpenProcRoot)
+	if err != nil {
+		return nil, nil, err
+	}
+	defer proc.Close()
+
+	handle, closer, err := retryEAGAIN2(func() (*os.File, procfs.ProcThreadSelfCloser, error) {
+		return proc.OpenThreadSelf(subpath)
+	})
+	if err != nil {
+		return nil, nil, err
+	}
+	if closer != nil {
+		defer func() {
+			if Err != nil {
+				closer()
+			}
+		}()
+	}
+	defer handle.Close()
+
+	f, err := Reopen(handle, flags)
+	if err != nil {
+		return nil, nil, fmt.Errorf("reopen %s: %w", handle.Name(), err)
+	}
+	return f, closer, nil
+}
+
+// Reopen is a wrapper around pathrs.Reopen.
+func Reopen(file *os.File, flags int) (*os.File, error) {
+	return retryEAGAIN(func() (*os.File, error) {
+		return pathrs.Reopen(file, flags)
+	})
+}

vendor/github.com/opencontainers/runc/internal/pathrs/retry.go

@@ -0,0 +1,66 @@
+// SPDX-License-Identifier: Apache-2.0
+/*
+ * Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>
+ * Copyright (C) 2024-2025 SUSE LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package pathrs
+
+import (
+	"errors"
+	"fmt"
+	"time"
+
+	"golang.org/x/sys/unix"
+)
+
+// Based on >50k tests running "runc run" on a 16-core system with very heavy
+// rename(2) load, the single longest latency caused by -EAGAIN retries was
+// ~800us (with the vast majority being closer to 400us). So, a 2ms limit
+// should give more than enough headroom for any real system in practice.
+const retryDeadline = 2 * time.Millisecond
+
+// retryEAGAIN is a top-level retry loop for pathrs to try to returning
+// spurious errors in most normal user cases when using openat2 (libpathrs
+// itself does up to 128 retries already, but this method takes a
+// wallclock-deadline approach to simply retry until a timer elapses).
+func retryEAGAIN[T any](fn func() (T, error)) (T, error) {
+	deadline := time.After(retryDeadline)
+	for {
+		v, err := fn()
+		if !errors.Is(err, unix.EAGAIN) {
+			return v, err
+		}
+		select {
+		case <-deadline:
+			return *new(T), fmt.Errorf("%v retry deadline exceeded: %w", retryDeadline, err)
+		default:
+			// retry
+		}
+	}
+}
+
+// retryEAGAIN2 is like retryEAGAIN except it returns two values.
+func retryEAGAIN2[T1, T2 any](fn func() (T1, T2, error)) (T1, T2, error) {
+	type ret struct {
+		v1 T1
+		v2 T2
+	}
+	v, err := retryEAGAIN(func() (ret, error) {
+		v1, v2, err := fn()
+		return ret{v1: v1, v2: v2}, err
+	})
+	return v.v1, v.v2, err
+}

vendor/github.com/opencontainers/runc/internal/pathrs/root_pathrslite.go

@@ -0,0 +1,72 @@
+// SPDX-License-Identifier: Apache-2.0
+/*
+ * Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>
+ * Copyright (C) 2024-2025 SUSE LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package pathrs
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/cyphar/filepath-securejoin/pathrs-lite"
+	"golang.org/x/sys/unix"
+)
+
+// OpenInRoot opens the given path inside the root with the provided flags. It
+// is effectively shorthand for [securejoin.OpenInRoot] followed by
+// [securejoin.Reopen].
+func OpenInRoot(root, subpath string, flags int) (*os.File, error) {
+	handle, err := retryEAGAIN(func() (*os.File, error) {
+		return pathrs.OpenInRoot(root, subpath)
+	})
+	if err != nil {
+		return nil, err
+	}
+	defer handle.Close()
+
+	return Reopen(handle, flags)
+}
+
+// CreateInRoot creates a new file inside a root (as well as any missing parent
+// directories) and returns a handle to said file. This effectively has
+// open(O_CREAT|O_NOFOLLOW) semantics. If you want the creation to use O_EXCL,
+// include it in the passed flags. The fileMode argument uses unix.* mode bits,
+// *not* os.FileMode.
+func CreateInRoot(root, subpath string, flags int, fileMode uint32) (*os.File, error) {
+	dir, filename := filepath.Split(subpath)
+	if filepath.Join("/", filename) == "/" {
+		return nil, fmt.Errorf("create in root subpath %q has bad trailing component %q", subpath, filename)
+	}
+
+	dirFd, err := MkdirAllInRootOpen(root, dir, 0o755)
+	if err != nil {
+		return nil, err
+	}
+	defer dirFd.Close()
+
+	// We know that the filename does not have any "/" components, and that
+	// dirFd is inside the root. O_NOFOLLOW will stop us from following
+	// trailing symlinks, so this is safe to do. libpathrs's Root::create_file
+	// works the same way.
+	flags |= unix.O_CREAT | unix.O_NOFOLLOW
+	fd, err := unix.Openat(int(dirFd.Fd()), filename, flags, fileMode)
+	if err != nil {
+		return nil, err
+	}
+	return os.NewFile(uintptr(fd), root+"/"+subpath), nil
+}