How, dear sir, did you cross the flood? By not stopping, friend, and by not
straining I crossed the flood.
Fixed
The -ENOSYS seccomp stub is now always generated for the native
architecture that runc is running on. This is needed to work around some
arguably specification-incompliant behaviour from Docker on architectures
such as ppc64le, where the allowed architecture list is set to null. This
ensures that we always generate at least one -ENOSYS stub for the native
architecture even with these weird configs. (#4391)
On a system with older kernel, reading /proc/self/mountinfo may skip some
entries, as a consequence runc may not properly set mount propagation,
causing container mounts leak onto the host mount namespace. (#2404, #4425)
Removed
In order to fix performance issues in the "lightweight" bindfd protection
against CVE-2019-5736, the temporary ro bind-mount of /proc/self/exe
has been removed. runc now creates a binary copy in all cases. (#4392, #2532)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps github.com/opencontainers/runc from 1.1.14 to 1.1.15.
Changelog
Sourced from github.com/opencontainers/runc's changelog.
Commits
bc20cb4VERSION: release 1.1.152790485CHANGELOG: Remove empty changed lineed38aeaMerge pull request #4425 from kolyshkin/1.1-fix-mount-leak65aa700[1.1] runc run: fix mount leaka4cebd3Merge pull request #4423 from rata/1-1-fix-CI719e2bcincrease memory.max in cgroups.bats3216d3bmerge #4391 into opencontainers/runc:release-1.1bd671b6Merge pull request #4392 from cyphar/1.1-remove-bindfd614ce12[1.1] nsenter: cloned_binary: remove bindfd logic entirely618e149[1.1] seccomp: patchbpf: always include native architecture in stubDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show