vendor: bump runc to 1.1.1

Release notes:
  https://github.com/opencontainers/runc/releases/tag/v1.1.1

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

go.mod

@@ -63,7 +63,7 @@ require (
 	github.com/mvdan/xurls v1.1.0
 	github.com/onsi/ginkgo v1.14.0
 	github.com/onsi/gomega v1.10.1
-	github.com/opencontainers/runc v1.1.0
+	github.com/opencontainers/runc v1.1.1
 	github.com/opencontainers/selinux v1.10.0
 	github.com/pkg/errors v0.9.1
 	github.com/pmezard/go-difflib v1.0.0
@@ -337,7 +337,7 @@ replace (
 	github.com/onsi/gomega => github.com/onsi/gomega v1.10.1
 	github.com/opencontainers/go-digest => github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec => github.com/opencontainers/image-spec v1.0.2
-	github.com/opencontainers/runc => github.com/opencontainers/runc v1.1.0
+	github.com/opencontainers/runc => github.com/opencontainers/runc v1.1.1
 	github.com/opencontainers/runtime-spec => github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
 	github.com/opencontainers/selinux => github.com/opencontainers/selinux v1.10.0
 	github.com/opentracing/opentracing-go => github.com/opentracing/opentracing-go v1.1.0

go.sum

@@ -343,8 +343,8 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.0.2 h1:9yCKha/T5XdGtO0q9Q9a6T5NUCsTn/DrBg0D7ufOcFM=
 github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
-github.com/opencontainers/runc v1.1.0 h1:O9+X96OcDjkmmZyfaG996kV7yq8HsoU2h1XRRQcefG8=
+github.com/opencontainers/runc v1.1.1 h1:PJ9DSs2sVwE0iVr++pAHE6QkS9tzcVWozlPifdwMgrU=
-github.com/opencontainers/runc v1.1.0/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc=
+github.com/opencontainers/runc v1.1.1/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc=
 github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 h1:3snG66yBm59tKhhSPQrQ/0bCrv1LQbKt40LnUPiUxdc=
 github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/selinux v1.10.0 h1:rAiKF8hTcgLI3w0DHm6i0ylVVcOrlgR1kK99DRLDhyU=

vendor/github.com/opencontainers/runc/libcontainer/README.md

@@ -1,6 +1,6 @@
 # libcontainer
 
-[![GoDoc](https://godoc.org/github.com/opencontainers/runc/libcontainer?status.svg)](https://godoc.org/github.com/opencontainers/runc/libcontainer)
+[![Go Reference](https://pkg.go.dev/badge/github.com/opencontainers/runc/libcontainer.svg)](https://pkg.go.dev/github.com/opencontainers/runc/libcontainer)
 
 Libcontainer provides a native Go implementation for creating containers
 with namespaces, cgroups, capabilities, and filesystem access controls.

vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/v2.go

@@ -2,6 +2,7 @@ package systemd
 
 import (
 	"bufio"
+	"errors"
 	"fmt"
 	"math"
 	"os"
@@ -292,6 +293,12 @@ func (m *unifiedManager) Apply(pid int) error {
 	}
 
 	if c.OwnerUID != nil {
+		// The directory itself must be chowned.
+		err := os.Chown(m.path, *c.OwnerUID, -1)
+		if err != nil {
+			return err
+		}
+
 		filesToChown, err := cgroupFilesToChown()
 		if err != nil {
 			return err
@@ -299,7 +306,8 @@ func (m *unifiedManager) Apply(pid int) error {
 
 		for _, v := range filesToChown {
 			err := os.Chown(m.path+"/"+v, *c.OwnerUID, -1)
-			if err != nil {
+			// Some files might not be present.
+			if err != nil && !errors.Is(err, os.ErrNotExist) {
 				return err
 			}
 		}
@@ -312,11 +320,15 @@ func (m *unifiedManager) Apply(pid int) error {
 // uid in /sys/kernel/cgroup/delegate.  If the file is not present
 // (Linux < 4.15), use the initial values mentioned in cgroups(7).
 func cgroupFilesToChown() ([]string, error) {
-	filesToChown := []string{"."} // the directory itself must be chowned
 	const cgroupDelegateFile = "/sys/kernel/cgroup/delegate"
+
 	f, err := os.Open(cgroupDelegateFile)
-	if err == nil {
+	if err != nil {
+		return []string{"cgroup.procs", "cgroup.subtree_control", "cgroup.threads"}, nil
+	}
 	defer f.Close()
+
+	filesToChown := []string{}
 	scanner := bufio.NewScanner(f)
 	for scanner.Scan() {
 		filesToChown = append(filesToChown, scanner.Text())
@@ -324,9 +336,7 @@ func cgroupFilesToChown() ([]string, error) {
 	if err := scanner.Err(); err != nil {
 		return nil, fmt.Errorf("error reading %s: %w", cgroupDelegateFile, err)
 	}
-	} else {
+
-		filesToChown = append(filesToChown, "cgroup.procs", "cgroup.subtree_control", "cgroup.threads")
-	}
 	return filesToChown, nil
 }
 

vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go

@@ -55,12 +55,12 @@ func IsCgroup2HybridMode() bool {
 		var st unix.Statfs_t
 		err := unix.Statfs(hybridMountpoint, &st)
 		if err != nil {
-			if os.IsNotExist(err) {
-				// ignore the "not found" error
 			isHybrid = false
-				return
+			if !os.IsNotExist(err) {
+				// Report unexpected errors.
+				logrus.WithError(err).Debugf("statfs(%q) failed", hybridMountpoint)
 			}
-			panic(fmt.Sprintf("cannot statfs cgroup root: %s", err))
+			return
 		}
 		isHybrid = st.Type == unix.CGROUP2_SUPER_MAGIC
 	})

vendor/github.com/opencontainers/runc/libcontainer/configs/validate/validator.go

@@ -229,10 +229,6 @@ func (v *ConfigValidator) sysctl(config *configs.Config) error {
 
 func (v *ConfigValidator) intelrdt(config *configs.Config) error {
 	if config.IntelRdt != nil {
-		if !intelrdt.IsCATEnabled() && !intelrdt.IsMBAEnabled() {
-			return errors.New("intelRdt is specified in config, but Intel RDT is not supported or enabled")
-		}
-
 		if config.IntelRdt.ClosID == "." || config.IntelRdt.ClosID == ".." || strings.Contains(config.IntelRdt.ClosID, "/") {
 			return fmt.Errorf("invalid intelRdt.ClosID %q", config.IntelRdt.ClosID)
 		}

vendor/github.com/opencontainers/runc/libcontainer/container_linux.go

@@ -636,7 +636,11 @@ func (c *linuxContainer) newSetnsProcess(p *Process, cmd *exec.Cmd, messageSockP
 			// cgroup v1: using the same path for all controllers.
 			// cgroup v2: the only possible way.
 			for k := range proc.cgroupPaths {
-				proc.cgroupPaths[k] = path.Join(proc.cgroupPaths[k], add)
+				subPath := path.Join(proc.cgroupPaths[k], add)
+				if !strings.HasPrefix(subPath, proc.cgroupPaths[k]) {
+					return nil, fmt.Errorf("%s is not a sub cgroup path", add)
+				}
+				proc.cgroupPaths[k] = subPath
 			}
 			// cgroup v2: do not try to join init process's cgroup
 			// as a fallback (see (*setnsProcess).start).
@@ -645,7 +649,11 @@ func (c *linuxContainer) newSetnsProcess(p *Process, cmd *exec.Cmd, messageSockP
 			// Per-controller paths.
 			for ctrl, add := range p.SubCgroupPaths {
 				if val, ok := proc.cgroupPaths[ctrl]; ok {
-					proc.cgroupPaths[ctrl] = path.Join(val, add)
+					subPath := path.Join(val, add)
+					if !strings.HasPrefix(subPath, val) {
+						return nil, fmt.Errorf("%s is not a sub cgroup path", add)
+					}
+					proc.cgroupPaths[ctrl] = subPath
 				} else {
 					return nil, fmt.Errorf("unknown controller %s in SubCgroupPaths", ctrl)
 				}

vendor/github.com/opencontainers/runc/libcontainer/init_linux.go

@@ -8,7 +8,6 @@ import (
 	"io"
 	"net"
 	"os"
-	"strconv"
 	"strings"
 	"unsafe"
 
@@ -406,40 +405,36 @@ func fixStdioPermissions(u *user.ExecUser) error {
 	if err := unix.Stat("/dev/null", &null); err != nil {
 		return &os.PathError{Op: "stat", Path: "/dev/null", Err: err}
 	}
-	for _, fd := range []uintptr{
+	for _, file := range []*os.File{os.Stdin, os.Stdout, os.Stderr} {
-		os.Stdin.Fd(),
-		os.Stderr.Fd(),
-		os.Stdout.Fd(),
-	} {
 		var s unix.Stat_t
-		if err := unix.Fstat(int(fd), &s); err != nil {
+		if err := unix.Fstat(int(file.Fd()), &s); err != nil {
-			return &os.PathError{Op: "fstat", Path: "fd " + strconv.Itoa(int(fd)), Err: err}
+			return &os.PathError{Op: "fstat", Path: file.Name(), Err: err}
 		}
 
-		// Skip chown of /dev/null if it was used as one of the STDIO fds.
+		// Skip chown if uid is already the one we want.
-		if s.Rdev == null.Rdev {
+		if int(s.Uid) == u.Uid {
 			continue
 		}
 
-		// We only change the uid owner (as it is possible for the mount to
+		// We only change the uid (as it is possible for the mount to
 		// prefer a different gid, and there's no reason for us to change it).
 		// The reason why we don't just leave the default uid=X mount setup is
 		// that users expect to be able to actually use their console. Without
 		// this code, you couldn't effectively run as a non-root user inside a
 		// container and also have a console set up.
-		if err := unix.Fchown(int(fd), u.Uid, int(s.Gid)); err != nil {
+		if err := file.Chown(u.Uid, int(s.Gid)); err != nil {
 			// If we've hit an EINVAL then s.Gid isn't mapped in the user
 			// namespace. If we've hit an EPERM then the inode's current owner
 			// is not mapped in our user namespace (in particular,
-			// privileged_wrt_inode_uidgid() has failed). In either case, we
+			// privileged_wrt_inode_uidgid() has failed). Read-only
-			// are in a configuration where it's better for us to just not
+			// /dev can result in EROFS error. In any case, it's
-			// touch the stdio rather than bail at this point.
+			// better for us to just not touch the stdio rather
+			// than bail at this point.
 
-			// nolint:errorlint // unix errors are bare
+			if errors.Is(err, unix.EINVAL) || errors.Is(err, unix.EPERM) || errors.Is(err, unix.EROFS) {
-			if err == unix.EINVAL || err == unix.EPERM {
 				continue
 			}
-			return &os.PathError{Op: "fchown", Path: "fd " + strconv.Itoa(int(fd)), Err: err}
+			return err
 		}
 	}
 	return nil

vendor/modules.txt

@@ -596,7 +596,7 @@ github.com/onsi/gomega/matchers/support/goraph/util
 github.com/onsi/gomega/types
 # github.com/opencontainers/go-digest v1.0.0 => github.com/opencontainers/go-digest v1.0.0
 github.com/opencontainers/go-digest
-# github.com/opencontainers/runc v1.1.0 => github.com/opencontainers/runc v1.1.0
+# github.com/opencontainers/runc v1.1.1 => github.com/opencontainers/runc v1.1.1
 ## explicit
 github.com/opencontainers/runc/libcontainer
 github.com/opencontainers/runc/libcontainer/apparmor
@@ -2615,7 +2615,7 @@ sigs.k8s.io/yaml
 # github.com/onsi/gomega => github.com/onsi/gomega v1.10.1
 # github.com/opencontainers/go-digest => github.com/opencontainers/go-digest v1.0.0
 # github.com/opencontainers/image-spec => github.com/opencontainers/image-spec v1.0.2
-# github.com/opencontainers/runc => github.com/opencontainers/runc v1.1.0
+# github.com/opencontainers/runc => github.com/opencontainers/runc v1.1.1
 # github.com/opencontainers/runtime-spec => github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
 # github.com/opencontainers/selinux => github.com/opencontainers/selinux v1.10.0
 # github.com/opentracing/opentracing-go => github.com/opentracing/opentracing-go v1.1.0