Bump github.com/opencontainers/runc from 1.2.1 to 1.2.4 in /v2 in the go_modules group across 1 directory

[dependabot]

Bumps the go_modules group with 1 update in the /v2 directory: github.com/opencontainers/runc.

Updates github.com/opencontainers/runc from 1.2.1 to 1.2.4

Release notes

Sourced from github.com/opencontainers/runc's releases.

runc v1.2.4 -- "Христос се роди!"

This is the fourth patch release of the 1.2.z release branch of runc. It includes a fix for a regression introduced in 1.2.0 related to the default device list.

• Re-add tun/tap devices to built-in allowed devices lists.

  In runc 1.2.0 we removed these devices from the default allow-list (which were added seemingly by accident early in Docker's history) as a precaution in order to try to reduce the attack surface of device inodes available to most containers (#3468). At the time we thought that the vast majority of users using tun/tap would already be specifying what devices they need (such as by using --device with Docker/Podman) as opposed to doing the mknod manually, and thus there would've been no user-visible change.

  Unfortunately, it seems that this regressed a noticeable number of users (and not all higher-level tools provide easy ways to specify devices to allow) and so this change needed to be reverted. Users that do not need these devices are recommended to explicitly disable them by adding deny rules in their container configuration. (#4555, #4556)

Static Linking Notices

The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

• libseccomp

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.

Thanks to all of the contributors who made this release possible:

• Akihiro Suda [email protected]
• Aleksa Sarai [email protected]

... (truncated)

Changelog

Sourced from github.com/opencontainers/runc's changelog.

[1.2.4] - 2025-01-07

Христос се роди!

Fixed

• Re-add tun/tap devices to built-in allowed devices lists.

  In runc 1.2.0 we removed these devices from the default allow-list (which were added seemingly by accident early in Docker's history) as a precaution in order to try to reduce the attack surface of device inodes available to most containers (#3468). At the time we thought that the vast majority of users using tun/tap would already be specifying what devices they need (such as by using --device with Docker/Podman) as opposed to doing the mknod manually, and thus there would've been no user-visible change.

  Unfortunately, it seems that this regressed a noticeable number of users (and not all higher-level tools provide easy ways to specify devices to allow) and so this change needed to be reverted. Users that do not need these devices are recommended to explicitly disable them by adding deny rules in their container configuration. (#4555, #4556)

[1.2.3] - 2024-12-12

Winter is not a season, it's a celebration.

Fixed

• Fixed a regression in use of securejoin.MkdirAll, where multiple runc processes racing to create the same mountpoint in a shared rootfs would result in spurious EEXIST errors. In particular, this regression caused issues with BuildKit. (#4543, #4550)
• Fixed a regression in eBPF support for pre-5.6 kernels after upgrading Cilium's eBPF library version to 0.16 in runc. (#3008, #4551)

[1.2.2] - 2024-11-15

Specialization is for insects.

Fixed

• Fixed the failure of runc delete on a rootless container with no dedicated cgroup on a system with read-only /sys/fs/cgroup mount. This is a regression in runc 1.2.0, causing a failure when using rootless buildkit. (#4518, #4531)
• Using runc on a system where /run/runc and /usr/bin are on different filesystems no longer results in harmless but annoying messages ("overlayfs: "xino" feature enabled using 3 upper inode bits") appearing in the kernel log. (#4508, #4530)

Changed

• Better memfd-bind documentation. (#4530)
• CI: bump Fedora 40 -> 41. (#4528)

Commits

• 6c52b3f VERSION: release v1.2.4
• 5243eba Merge pull request #4556 from cyphar/1.2-readd-tuntap
• 33ed43b [1.2] Re-add tun/tap to default device rules
• 2dec17d Merge pull request #4554 from kolyshkin/1.2-4553
• e9c9dad keyring: update @​kolyshkin key expiry
• d4534b2 merge #4552 into opencontainers/runc:release-1.2
• b01ffa0 VERSION: back to development
• 0d37cfd VERSION: release v1.2.3
• a640df5 Merge pull request #4550 from cyphar/1.2-racing-mkdirall
• fceb5ef Merge pull request #4551 from cyphar/1.2-ebf-enotsup
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign sherine-k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[aguidirh]

/hold