
features: implement returning potentiallyUnsafeConfigAnnotations list #4217

Merged
merged 1 commit into from
Mar 25, 2024

Conversation

@AkihiroSuda AkihiroSuda added this to the 1.2.0 milestone Mar 9, 2024
Member

@cyphar cyphar left a comment


LGTM

@@ -64,6 +64,11 @@ var featuresCommand = cli.Command{
},
},
},
PotentiallyUnsafeConfigAnnotations: []string{
"bundle",
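Review bot: the `"bundle"` entry in the new `PotentiallyUnsafeConfigAnnotations` slice carries no explanation, yet the inline review below says it is an internal annotation that runc itself always overrides; add a trailing comment on that line (e.g. `"bundle", // internal annotation, always overridden by runc`) so consumers reading `runc features` output, or this file, do not mistake it for a user-facing knob. The hunk header announces five added lines but only the first two are visible here, so the remaining entries of the list cannot be checked from this page.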

I totally forgot about this internal annotation. We should probably see if we can remove it...

(I suspect we also always override it, so it's technically not unsafe but it's better to be safe than sorry.)

@AkihiroSuda AkihiroSuda requested review from kolyshkin and a team March 12, 2024 04:28
@AkihiroSuda
Member Author

ping @opencontainers/runc-maintainers

@johanbrandhorst

Could this fix get backported to 1.1.x so security-minded users aren't forced to use a release candidate?

@AkihiroSuda
Member Author

For runc v1.1 we do not plan to bump up the spec version, so I'd suggest using a hard-coded list.

@AkihiroSuda
Member Author

Linking:

This PR is misunderstood to fix the GHSA, but it actually does not, as the vuln is not on runc side.
Users need to update CRI-O, not runc.
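The two points made above (a consumer such as CRI-O must enforce the list itself, and for runc 1.1.x, whose `features` output lacks the field, a hard-coded list is the fallback) are worked through below in an added Go example. This is illustrative code written for this page, not runc's or CRI-O's own. It assumes the JSON field name `potentiallyUnsafeConfigAnnotations` from the OCI runtime-spec features document and the spec's convention, as I understand it, that a list value ending in `.` denotes a prefix; the `org.example.runtime.` entry, the sample JSON and the sample user annotations are constructed for the demo, while `bundle` is taken from the diff above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Features mirrors the one field of `runc features` output this example needs.
// Field name assumed from the OCI runtime-spec features JSON.
type Features struct {
	PotentiallyUnsafeConfigAnnotations []string `json:"potentiallyUnsafeConfigAnnotations"`
}

// fallbackUnsafeAnnotations is the hard-coded list a consumer would ship for
// runtimes (e.g. runc 1.1.x) whose `features` output omits the field.
// "bundle" comes from the PR diff; "org.example.runtime." is a constructed
// prefix entry (trailing "." = prefix match, per the assumed spec convention).
var fallbackUnsafeAnnotations = []string{"bundle", "org.example.runtime."}

// sampleFeaturesJSON is constructed output of a runtime that does publish the list.
const sampleFeaturesJSON = `{"potentiallyUnsafeConfigAnnotations":["bundle","org.example.runtime."]}`

// ParseUnsafeAnnotations extracts the list from `runc features` JSON and falls
// back to the hard-coded list when the runtime does not publish one.
func ParseUnsafeAnnotations(raw []byte) ([]string, error) {
	var f Features
	if err := json.Unmarshal(raw, &f); err != nil {
		return nil, fmt.Errorf("parse features: %w", err)
	}
	if f.PotentiallyUnsafeConfigAnnotations == nil {
		return fallbackUnsafeAnnotations, nil
	}
	return f.PotentiallyUnsafeConfigAnnotations, nil
}

// IsUnsafeAnnotation reports whether a config.json annotation key matches the
// list: exact match normally, prefix match when the entry ends with ".".
func IsUnsafeAnnotation(key string, unsafe []string) bool {
	for _, u := range unsafe {
		if strings.HasSuffix(u, ".") {
			if strings.HasPrefix(key, u) {
				return true
			}
		} else if key == u {
			return true
		}
	}
	return false
}

// RejectUnsafeAnnotations returns, sorted, the user-supplied annotation keys a
// consumer must refuse to copy into the OCI config it hands to the runtime.
func RejectUnsafeAnnotations(user map[string]string, unsafe []string) []string {
	var rejected []string
	for k := range user {
		if IsUnsafeAnnotation(k, unsafe) {
			rejected = append(rejected, k)
		}
	}
	sort.Strings(rejected)
	return rejected
}

func main() {
	unsafe, err := ParseUnsafeAnnotations([]byte(sampleFeaturesJSON))
	if err != nil {
		panic(err)
	}
	// Constructed user annotations, e.g. from a pod spec.
	user := map[string]string{
		"io.kubernetes.pod.name":      "web-0",
		"bundle":                      "/tmp/evil",
		"org.example.runtime.cgroup":  "1",
		"org.example.runtimeX":        "not a prefix match",
	}
	fmt.Println("rejected:", RejectUnsafeAnnotations(user, unsafe))
}
```

The consumer-side check is the actual fix the thread points at: the runtime only advertises which annotations it honours, and the caller must drop user-controlled ones before building config.json, whether the list came from `runc features` or from the hard-coded fallback.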


4 participants