app-emulation/kubernetes: update to 1.30.3
BUG=b/353887397
TEST=presubmit
RELEASE_NOTE=Updated app-emulation/kubernetes to 1.30.3.
Change-Id: Idcca17552951f558eb66ed7c7e141db20e94a6b8
Reviewed-on: https://cos-review.googlesource.com/c/cos/overlays/board-overlays/+/78400
Reviewed-by: Kevin Berry <kpberry@google.com>
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
diff --git a/project-lakitu/app-emulation/kubernetes/Manifest b/project-lakitu/app-emulation/kubernetes/Manifest
index 51a4d41..a229d1e 100644
--- a/project-lakitu/app-emulation/kubernetes/Manifest
+++ b/project-lakitu/app-emulation/kubernetes/Manifest
@@ -1 +1 @@
-DIST kubernetes-1.29.7.tar.gz 41180322 BLAKE2B bb107378b6879a87186f9366ec372a1e88a5231609deffd82c72d94af6835e38f261b7116199c5bf734b2f4e0fc1c8f6a6e63e97b1563a5642440ab76a74ba8f SHA512 bce18d12164704f4d55d7566737bdff8305c5613af7a8df4b49cfa5f90f6b51f879159c4da7fbe436fdf7c4fcf5331f3f35e63f8dbc4c833559e6e2b1a61d08f
+DIST kubernetes-1.30.3.tar.gz 39587795 BLAKE2B ba6d819866247dd0d26cb014857d238075dc6beb9cfacfc4ecaccab9d88c4295189309d62e4856c0f4f6c57762b14bfa16fb6bd96548cb88f69dd350e00dbf59 SHA512 303c823f74ccc5c1685ec16ba3de9dbbe9614ddf19e279e43ee392a4ef04ee68400a3e0c2a839d6a3f43712fab426084037ed871e3e4caafe8b37999fd83b73a
diff --git a/project-lakitu/app-emulation/kubernetes/files/runc-1.1.7-fix-CVE-2024-21626.patch b/project-lakitu/app-emulation/kubernetes/files/runc-1.1.7-fix-CVE-2024-21626.patch
deleted file mode 100644
index 7bcb0a3..0000000
--- a/project-lakitu/app-emulation/kubernetes/files/runc-1.1.7-fix-CVE-2024-21626.patch
+++ /dev/null
@@ -1,400 +0,0 @@
-diff --git a/libcontainer/cgroups/file.go b/libcontainer/cgroups/file.go
-index 0cdaf747849f..0c186ba21117 100644
---- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/file.go
-+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/file.go
-@@ -76,16 +76,16 @@ var (
- // TestMode is set to true by unit tests that need "fake" cgroupfs.
- TestMode bool
-
-- cgroupFd int = -1
-- prepOnce sync.Once
-- prepErr error
-- resolveFlags uint64
-+ cgroupRootHandle *os.File
-+ prepOnce sync.Once
-+ prepErr error
-+ resolveFlags uint64
- )
-
- func prepareOpenat2() error {
- prepOnce.Do(func() {
- fd, err := unix.Openat2(-1, cgroupfsDir, &unix.OpenHow{
-- Flags: unix.O_DIRECTORY | unix.O_PATH,
-+ Flags: unix.O_DIRECTORY | unix.O_PATH | unix.O_CLOEXEC,
- })
- if err != nil {
- prepErr = &os.PathError{Op: "openat2", Path: cgroupfsDir, Err: err}
-@@ -96,15 +96,16 @@ func prepareOpenat2() error {
- }
- return
- }
-+ file := os.NewFile(uintptr(fd), cgroupfsDir)
-+
- var st unix.Statfs_t
-- if err = unix.Fstatfs(fd, &st); err != nil {
-+ if err := unix.Fstatfs(int(file.Fd()), &st); err != nil {
- prepErr = &os.PathError{Op: "statfs", Path: cgroupfsDir, Err: err}
- logrus.Warnf("falling back to securejoin: %s", prepErr)
- return
- }
-
-- cgroupFd = fd
--
-+ cgroupRootHandle = file
- resolveFlags = unix.RESOLVE_BENEATH | unix.RESOLVE_NO_MAGICLINKS
- if st.Type == unix.CGROUP2_SUPER_MAGIC {
- // cgroupv2 has a single mountpoint and no "cpu,cpuacct" symlinks
-@@ -131,7 +132,7 @@ func openFile(dir, file string, flags int) (*os.File, error) {
- return openFallback(path, flags, mode)
- }
-
-- fd, err := unix.Openat2(cgroupFd, relPath,
-+ fd, err := unix.Openat2(int(cgroupRootHandle.Fd()), relPath,
- &unix.OpenHow{
- Resolve: resolveFlags,
- Flags: uint64(flags) | unix.O_CLOEXEC,
-@@ -139,20 +140,20 @@ func openFile(dir, file string, flags int) (*os.File, error) {
- })
- if err != nil {
- err = &os.PathError{Op: "openat2", Path: path, Err: err}
-- // Check if cgroupFd is still opened to cgroupfsDir
-+ // Check if cgroupRootHandle is still opened to cgroupfsDir
- // (happens when this package is incorrectly used
- // across the chroot/pivot_root/mntns boundary, or
- // when /sys/fs/cgroup is remounted).
- //
- // TODO: if such usage will ever be common, amend this
-- // to reopen cgroupFd and retry openat2.
-- fdStr := strconv.Itoa(cgroupFd)
-+ // to reopen cgroupRootHandle and retry openat2.
-+ fdStr := strconv.Itoa(int(cgroupRootHandle.Fd()))
- fdDest, _ := os.Readlink("/proc/self/fd/" + fdStr)
- if fdDest != cgroupfsDir {
-- // Wrap the error so it is clear that cgroupFd
-+ // Wrap the error so it is clear that cgroupRootHandle
- // is opened to an unexpected/wrong directory.
-- err = fmt.Errorf("cgroupFd %s unexpectedly opened to %s != %s: %w",
-- fdStr, fdDest, cgroupfsDir, err)
-+ err = fmt.Errorf("cgroupRootHandle %d unexpectedly opened to %s != %s: %w",
-+ cgroupRootHandle.Fd(), fdDest, cgroupfsDir, err)
- }
- return nil, err
- }
-diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/paths.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/paths.go
-index 1092331b25d8..2cb970a3d55b 100644
---- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/paths.go
-+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/paths.go
-@@ -83,6 +83,7 @@ func tryDefaultCgroupRoot() string {
- if err != nil {
- return ""
- }
-+ defer dir.Close()
- names, err := dir.Readdirnames(1)
- if err != nil {
- return ""
-diff --git a/vendor/github.com/opencontainers/runc/libcontainer/container_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/container_linux.go
-index dd61dfd3c90c..c0d4d6e6f6f9 100644
---- a/vendor/github.com/opencontainers/runc/libcontainer/container_linux.go
-+++ b/vendor/github.com/opencontainers/runc/libcontainer/container_linux.go
-@@ -351,6 +351,15 @@ func (c *linuxContainer) start(process *Process) (retErr error) {
- }()
- }
-
-+ // Before starting "runc init", mark all non-stdio open files as O_CLOEXEC
-+ // to make sure we don't leak any files into "runc init". Any files to be
-+ // passed to "runc init" throuhg ExtraFiles will get dup2'd by the Go
-+ // runtime and thus their O_CLOEXEC flag will be cleared. This is some
-+ // additional protection against attacks like CVE-2024-21626, by making
-+ // sure we never leak files to "runc init" we didn't intend to.
-+ if err := utils.CloseExecFrom(3); err != nil {
-+ return fmt.Errorf("unable to mark non-stdio fds as cloexec: %w", err)
-+ }
- if err := parent.start(); err != nil {
- return fmt.Errorf("unable to start container process: %w", err)
- }
-diff --git a/vendor/github.com/opencontainers/runc/libcontainer/init_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/init_linux.go
-index 2e4c59353c83..23899817ce92 100644
---- a/vendor/github.com/opencontainers/runc/libcontainer/init_linux.go
-+++ b/vendor/github.com/opencontainers/runc/libcontainer/init_linux.go
-@@ -8,6 +8,7 @@ import (
- "io"
- "net"
- "os"
-+ "path/filepath"
- "strings"
- "unsafe"
-
-@@ -135,6 +136,32 @@ func populateProcessEnvironment(env []string) error {
- return nil
- }
-
-+// verifyCwd ensures that the current directory is actually inside the mount
-+// namespace root of the current process.
-+func verifyCwd() error {
-+ // getcwd(2) on Linux detects if cwd is outside of the rootfs of the
-+ // current mount namespace root, and in that case prefixes "(unreachable)"
-+ // to the returned string. glibc's getcwd(3) and Go's Getwd() both detect
-+ // when this happens and return ENOENT rather than returning a non-absolute
-+ // path. In both cases we can therefore easily detect if we have an invalid
-+ // cwd by checking the return value of getcwd(3). See getcwd(3) for more
-+ // details, and CVE-2024-21626 for the security issue that motivated this
-+ // check.
-+ //
-+ // We have to use unix.Getwd() here because os.Getwd() has a workaround for
-+ // $PWD which involves doing stat(.), which can fail if the current
-+ // directory is inaccessible to the container process.
-+ if wd, err := unix.Getwd(); err == unix.ENOENT {
-+ return errors.New("current working directory is outside of container mount namespace root -- possible container breakout detected")
-+ } else if err != nil {
-+ return fmt.Errorf("failed to verify if current working directory is safe: %w", err)
-+ } else if !filepath.IsAbs(wd) {
-+ // We shouldn't ever hit this, but check just in case.
-+ return fmt.Errorf("current working directory is not absolute -- possible container breakout detected: cwd is %q", wd)
-+ }
-+ return nil
-+}
-+
- // finalizeNamespace drops the caps, sets the correct user
- // and working dir, and closes any leaked file descriptors
- // before executing the command inside the namespace
-@@ -193,6 +220,10 @@ func finalizeNamespace(config *initConfig) error {
- return fmt.Errorf("chdir to cwd (%q) set in config.json failed: %w", config.Cwd, err)
- }
- }
-+ // Make sure our final working directory is inside the container.
-+ if err := verifyCwd(); err != nil {
-+ return err
-+ }
- if err := system.ClearKeepCaps(); err != nil {
- return fmt.Errorf("unable to clear keep caps: %w", err)
- }
-diff --git a/vendor/github.com/opencontainers/runc/libcontainer/logs/logs.go b/vendor/github.com/opencontainers/runc/libcontainer/logs/logs.go
-index 95deb0d6ca7a..349a18ed3839 100644
---- a/vendor/github.com/opencontainers/runc/libcontainer/logs/logs.go
-+++ b/vendor/github.com/opencontainers/runc/libcontainer/logs/logs.go
-@@ -4,10 +4,19 @@ import (
- "bufio"
- "encoding/json"
- "io"
-+ "os"
-
- "github.com/sirupsen/logrus"
- )
-
-+// IsLogrusFd returns whether the provided fd matches the one that logrus is
-+// currently outputting to. This should only ever be called by UnsafeCloseFrom
-+// from `runc init`.
-+func IsLogrusFd(fd uintptr) bool {
-+ file, ok := logrus.StandardLogger().Out.(*os.File)
-+ return ok && file.Fd() == fd
-+}
-+
- func ForwardLogs(logPipe io.ReadCloser) chan error {
- done := make(chan error, 1)
- s := bufio.NewScanner(logPipe)
-diff --git a/vendor/github.com/opencontainers/runc/libcontainer/setns_init_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/setns_init_linux.go
-index 09ab552b3d12..d1bb12273c04 100644
---- a/vendor/github.com/opencontainers/runc/libcontainer/setns_init_linux.go
-+++ b/vendor/github.com/opencontainers/runc/libcontainer/setns_init_linux.go
-@@ -4,6 +4,7 @@ import (
- "errors"
- "fmt"
- "os"
-+ "os/exec"
- "strconv"
-
- "github.com/opencontainers/selinux/go-selinux"
-@@ -14,6 +15,7 @@ import (
- "github.com/opencontainers/runc/libcontainer/keys"
- "github.com/opencontainers/runc/libcontainer/seccomp"
- "github.com/opencontainers/runc/libcontainer/system"
-+ "github.com/opencontainers/runc/libcontainer/utils"
- )
-
- // linuxSetnsInit performs the container's initialization for running a new process
-@@ -82,6 +84,21 @@ func (l *linuxSetnsInit) Init() error {
- if err := apparmor.ApplyProfile(l.config.AppArmorProfile); err != nil {
- return err
- }
-+
-+ // Check for the arg before waiting to make sure it exists and it is
-+ // returned as a create time error.
-+ name, err := exec.LookPath(l.config.Args[0])
-+ if err != nil {
-+ return err
-+ }
-+ // exec.LookPath in Go < 1.20 might return no error for an executable
-+ // residing on a file system mounted with noexec flag, so perform this
-+ // extra check now while we can still return a proper error.
-+ // TODO: remove this once go < 1.20 is not supported.
-+ if err := eaccess(name); err != nil {
-+ return &os.PathError{Op: "eaccess", Path: name, Err: err}
-+ }
-+
- // Set seccomp as close to execve as possible, so as few syscalls take
- // place afterward (reducing the amount of syscalls that users need to
- // enable in their seccomp profiles).
-@@ -101,5 +118,23 @@ func (l *linuxSetnsInit) Init() error {
- return &os.PathError{Op: "close log pipe", Path: "fd " + strconv.Itoa(l.logFd), Err: err}
- }
-
-- return system.Execv(l.config.Args[0], l.config.Args[0:], os.Environ())
-+ // Close all file descriptors we are not passing to the container. This is
-+ // necessary because the execve target could use internal runc fds as the
-+ // execve path, potentially giving access to binary files from the host
-+ // (which can then be opened by container processes, leading to container
-+ // escapes). Note that because this operation will close any open file
-+ // descriptors that are referenced by (*os.File) handles from underneath
-+ // the Go runtime, we must not do any file operations after this point
-+ // (otherwise the (*os.File) finaliser could close the wrong file). See
-+ // CVE-2024-21626 for more information as to why this protection is
-+ // necessary.
-+ //
-+ // This is not needed for runc-dmz, because the extra execve(2) step means
-+ // that all O_CLOEXEC file descriptors have already been closed and thus
-+ // the second execve(2) from runc-dmz cannot access internal file
-+ // descriptors from runc.
-+ if err := utils.UnsafeCloseFrom(l.config.PassedFilesCount + 3); err != nil {
-+ return err
-+ }
-+ return system.Exec(name, l.config.Args[0:], os.Environ())
- }
-diff --git a/vendor/github.com/opencontainers/runc/libcontainer/standard_init_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/standard_init_linux.go
-index c09a7bed30ea..d1d94352f93d 100644
---- a/vendor/github.com/opencontainers/runc/libcontainer/standard_init_linux.go
-+++ b/vendor/github.com/opencontainers/runc/libcontainer/standard_init_linux.go
-@@ -17,6 +17,7 @@ import (
- "github.com/opencontainers/runc/libcontainer/keys"
- "github.com/opencontainers/runc/libcontainer/seccomp"
- "github.com/opencontainers/runc/libcontainer/system"
-+ "github.com/opencontainers/runc/libcontainer/utils"
- )
-
- type linuxStandardInit struct {
-@@ -258,5 +259,23 @@ func (l *linuxStandardInit) Init() error {
- return err
- }
-
-+ // Close all file descriptors we are not passing to the container. This is
-+ // necessary because the execve target could use internal runc fds as the
-+ // execve path, potentially giving access to binary files from the host
-+ // (which can then be opened by container processes, leading to container
-+ // escapes). Note that because this operation will close any open file
-+ // descriptors that are referenced by (*os.File) handles from underneath
-+ // the Go runtime, we must not do any file operations after this point
-+ // (otherwise the (*os.File) finaliser could close the wrong file). See
-+ // CVE-2024-21626 for more information as to why this protection is
-+ // necessary.
-+ //
-+ // This is not needed for runc-dmz, because the extra execve(2) step means
-+ // that all O_CLOEXEC file descriptors have already been closed and thus
-+ // the second execve(2) from runc-dmz cannot access internal file
-+ // descriptors from runc.
-+ if err := utils.UnsafeCloseFrom(l.config.PassedFilesCount + 3); err != nil {
-+ return err
-+ }
- return system.Exec(name, l.config.Args[0:], os.Environ())
- }
-diff --git a/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go b/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go
-index 220d0b439379..15533df1f2b2 100644
---- a/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go
-+++ b/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go
-@@ -7,8 +7,11 @@ import (
- "fmt"
- "os"
- "strconv"
-+ _ "unsafe" // for go:linkname
-
- "golang.org/x/sys/unix"
-+
-+ "github.com/opencontainers/runc/libcontainer/logs"
- )
-
- // EnsureProcHandle returns whether or not the given file handle is on procfs.
-@@ -23,9 +26,11 @@ func EnsureProcHandle(fh *os.File) error {
- return nil
- }
-
--// CloseExecFrom applies O_CLOEXEC to all file descriptors currently open for
--// the process (except for those below the given fd value).
--func CloseExecFrom(minFd int) error {
-+type fdFunc func(fd int)
-+
-+// fdRangeFrom calls the passed fdFunc for each file descriptor that is open in
-+// the current process.
-+func fdRangeFrom(minFd int, fn fdFunc) error {
- fdDir, err := os.Open("/proc/self/fd")
- if err != nil {
- return err
-@@ -50,15 +55,66 @@ func CloseExecFrom(minFd int) error {
- if fd < minFd {
- continue
- }
-- // Intentionally ignore errors from unix.CloseOnExec -- the cases where
-- // this might fail are basically file descriptors that have already
-- // been closed (including and especially the one that was created when
-- // os.ReadDir did the "opendir" syscall).
-- unix.CloseOnExec(fd)
-+ // Ignore the file descriptor we used for readdir, as it will be closed
-+ // when we return.
-+ if uintptr(fd) == fdDir.Fd() {
-+ continue
-+ }
-+ // Run the closure.
-+ fn(fd)
- }
- return nil
- }
-
-+// CloseExecFrom sets the O_CLOEXEC flag on all file descriptors greater or
-+// equal to minFd in the current process.
-+func CloseExecFrom(minFd int) error {
-+ return fdRangeFrom(minFd, unix.CloseOnExec)
-+}
-+
-+//go:linkname runtime_IsPollDescriptor internal/poll.IsPollDescriptor
-+
-+// In order to make sure we do not close the internal epoll descriptors the Go
-+// runtime uses, we need to ensure that we skip descriptors that match
-+// "internal/poll".IsPollDescriptor. Yes, this is a Go runtime internal thing,
-+// unfortunately there's no other way to be sure we're only keeping the file
-+// descriptors the Go runtime needs. Hopefully nothing blows up doing this...
-+func runtime_IsPollDescriptor(fd uintptr) bool
-+
-+// UnsafeCloseFrom closes all file descriptors greater or equal to minFd in the
-+// current process, except for those critical to Go's runtime (such as the
-+// netpoll management descriptors).
-+//
-+// NOTE: That this function is incredibly dangerous to use in most Go code, as
-+// closing file descriptors from underneath *os.File handles can lead to very
-+// bad behaviour (the closed file descriptor can be re-used and then any
-+// *os.File operations would apply to the wrong file). This function is only
-+// intended to be called from the last stage of runc init.
-+func UnsafeCloseFrom(minFd int) error {
-+ // We must not close some file descriptors.
-+ return fdRangeFrom(minFd, func(fd int) {
-+ if runtime_IsPollDescriptor(uintptr(fd)) {
-+ // These are the Go runtimes internal netpoll file descriptors.
-+ // These file descriptors are operated on deep in the Go scheduler,
-+ // and closing those files from underneath Go can result in panics.
-+ // There is no issue with keeping them because they are not
-+ // executable and are not useful to an attacker anyway. Also we
-+ // don't have any choice.
-+ return
-+ }
-+ if logs.IsLogrusFd(uintptr(fd)) {
-+ // Do not close the logrus output fd. We cannot exec a pipe, and
-+ // the contents are quite limited (very little attacker control,
-+ // JSON-encoded) making shellcode attacks unlikely.
-+ return
-+ }
-+ // There's nothing we can do about errors from close(2), and the
-+ // only likely error to be seen is EBADF which indicates the fd was
-+ // already closed (in which case, we got what we wanted).
-+ _ = unix.Close(fd)
-+ })
-+}
-+
- // NewSockPair returns a new unix socket pair
- func NewSockPair(name string) (parent *os.File, child *os.File, err error) {
- fds, err := unix.Socketpair(unix.AF_LOCAL, unix.SOCK_STREAM|unix.SOCK_CLOEXEC, 0)
diff --git a/project-lakitu/app-emulation/kubernetes/kubernetes-1.29.7-r1.ebuild b/project-lakitu/app-emulation/kubernetes/kubernetes-1.29.7-r1.ebuild
deleted file mode 120000
index cc5bea5..0000000
--- a/project-lakitu/app-emulation/kubernetes/kubernetes-1.29.7-r1.ebuild
+++ /dev/null
@@ -1 +0,0 @@
-kubernetes-1.29.7.ebuild
\ No newline at end of file
diff --git a/project-lakitu/app-emulation/kubernetes/kubernetes-1.30.3-r1.ebuild b/project-lakitu/app-emulation/kubernetes/kubernetes-1.30.3-r1.ebuild
new file mode 120000
index 0000000..6ff6269
--- /dev/null
+++ b/project-lakitu/app-emulation/kubernetes/kubernetes-1.30.3-r1.ebuild
@@ -0,0 +1 @@
+kubernetes-1.30.3.ebuild
\ No newline at end of file
diff --git a/project-lakitu/app-emulation/kubernetes/kubernetes-1.29.7.ebuild b/project-lakitu/app-emulation/kubernetes/kubernetes-1.30.3.ebuild
similarity index 97%
rename from project-lakitu/app-emulation/kubernetes/kubernetes-1.29.7.ebuild
rename to project-lakitu/app-emulation/kubernetes/kubernetes-1.30.3.ebuild
index d2d5460..4f018dd 100644
--- a/project-lakitu/app-emulation/kubernetes/kubernetes-1.29.7.ebuild
+++ b/project-lakitu/app-emulation/kubernetes/kubernetes-1.30.3.ebuild
@@ -65,7 +65,6 @@
}
PATCHES=(
- "${FILESDIR}/runc-1.1.7-fix-CVE-2024-21626.patch"
)
src_compile() {