Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

Use os/file Chown method instead of bare unix.Fchown as it already have
access to underlying fd, and produces nice-looking errors. This allows
us to remove our error wrapping and some linter annotations.

We still use unix.Fstat since os.Stat access to os-specific fields
like uid/gid is not very straightforward. The only change here is to use
file name (rather than fd) in the error text.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit b7fdb68)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Since we already called fstat, we know the current file uid. In case it
is the same as the one we want it to be, there's no point in trying
chown.

Remove the specific /dev/null check, as the above also covers it
(comparing /dev/null uid with itself is true).

This also fixes runc exec with read-only /dev for root user.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 18c4760)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

In case of a read-only /dev, it's better to move on and let whatever is
run in a container to handle any possible errors.

This solves runc exec for a user with read-only /dev.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 146c8c0)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

[1.1] Fix working with read-only /dev

Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit 01f00e1)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

[1.1] runc exec --cgroup: ensure the path is a sub-cgroup path

Apparently, not all files listed in /sys/kernel/cgroup/delegate must
exist in every cgroup, so we should ignore ENOENT.

Dot not ignore ENOENT on the directory itself though.

Change cgroupFilesToChown to not return ".", and refactor it to not do
any dynamic slice appending in case we're using the default built-in
list of files.

Fixes: 35d20c4
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 8c04b98)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

[1.1] libct/cg/sd/v2: fix ENOENT on cgroup delegation

Don't require CAT or MBA because we don't detect those correctly (we
don't support L2 or L3DATA/L3CODE for example, and in the future
possibly even more). With plain "ClosId mode" we don't really care: we
assign the container to a pre-configured CLOS without trying to do
anything smarter.

Moreover, this was a duplicate/redundant check anyway, as for CAT and
MBA there is another specific sanity check that is done if L3 or MB
is specified in the config.

Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
(cherry picked from commit 1d5c331)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

[1.1] configs/validate: looser validation for RDT

In case statfs("/sys/fs/cgroup/unified") fails with any error other
than ENOENT, current code panics. As IsCgroup2HybridMode is called from
libcontainer/cgroups/fs's init function, this means that any user of
libcontainer may panic during initialization, which is ugly.

Avoid panicking; instead, do not enable hybrid hierarchy support and
report the error (under debug level, not to confuse anyone).

Basically, replace the panic with "turn off hybrid mode support"
(which makes total sense since we were unable to statfs its root).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

[release-1.1] libct/cg: IsCgroup2HybridMode: don't panic

What used to be godoc.org is now pkg.go.dev, and while the old URLs
still work, they might be broken in the future.

Updated badges are generated via https://pkg.go.dev/badge/

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit f309a69)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 3618079)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

[1.1] Fix badges

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit a9cc993)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

[1.1] add centos-stream-9

This also includes the backport of commit e4d23d5,
fixing a minor formatting issue.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>