libcontainer: rename dmz -> exeseal

The "dmz" name was originally used because the libcontainer/dmz package housed the runc-dmz binary, but since we removed it in commit 871057d863 ("drop runc-dmz solution according to overlay solution") the name is an anachronism and we should just give it a more self-explanatory name. So, call it libcontainer/exeseal because the purpose of the package is to provide tools to seal /proc/self/exe against attackers. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-09-26 19:41:35 +08:00 · 2025-02-25 13:46:05 +11:00
parent ef9830a0bf
commit 559bd4ebdf
6 changed files with 14 additions and 14 deletions
--- a/contrib/cmd/memfd-bind/memfd-bind.go
+++ b/contrib/cmd/memfd-bind/memfd-bind.go
@@ -27,7 +27,7 @@ import (
 	"strings"
 	"time"

-	"github.com/opencontainers/runc/libcontainer/dmz"
+	"github.com/opencontainers/runc/libcontainer/exeseal"

 	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli"
@@ -101,7 +101,7 @@ func cleanup(path string) error {
 	return nil
 }

-// memfdClone is a memfd-only implementation of dmz.CloneBinary.
+// memfdClone is a memfd-only implementation of exeseal.CloneBinary.
 func memfdClone(path string) (*os.File, error) {
 	binFile, err := os.Open(path)
 	if err != nil {
@@ -113,7 +113,7 @@ func memfdClone(path string) (*os.File, error) {
 		return nil, fmt.Errorf("checking %s size: %w", path, err)
 	}
 	size := stat.Size()
-	memfd, sealFn, err := dmz.Memfd("/proc/self/exe")
+	memfd, sealFn, err := exeseal.Memfd("/proc/self/exe")
 	if err != nil {
 		return nil, fmt.Errorf("creating memfd failed: %w", err)
 	}
@@ -126,7 +126,7 @@ func memfdClone(path string) (*os.File, error) {
 	if err := sealFn(&memfd); err != nil {
 		return nil, fmt.Errorf("could not seal fd: %w", err)
 	}
-	if !dmz.IsCloned(memfd) {
+	if !exeseal.IsCloned(memfd) {
 		return nil, fmt.Errorf("cloned memfd is not properly sealed")
 	}
 	return memfd, nil
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -22,7 +22,7 @@ import (

 	"github.com/opencontainers/runc/libcontainer/cgroups"
 	"github.com/opencontainers/runc/libcontainer/configs"
-	"github.com/opencontainers/runc/libcontainer/dmz"
+	"github.com/opencontainers/runc/libcontainer/exeseal"
 	"github.com/opencontainers/runc/libcontainer/intelrdt"
 	"github.com/opencontainers/runc/libcontainer/system"
 	"github.com/opencontainers/runc/libcontainer/utils"
@@ -496,7 +496,7 @@ func (c *Container) newParentProcess(p *Process) (parentProcess, error) {
 		exePath string
 		safeExe *os.File
 	)
-	if dmz.IsSelfExeCloned() {
+	if exeseal.IsSelfExeCloned() {
 		// /proc/self/exe is already a cloned binary -- no need to do anything
 		logrus.Debug("skipping binary cloning -- /proc/self/exe is already cloned!")
 		// We don't need to use /proc/thread-self here because the exe mm of a
@@ -505,13 +505,13 @@ func (c *Container) newParentProcess(p *Process) (parentProcess, error) {
 		exePath = "/proc/self/exe"
 	} else {
 		var err error
-		safeExe, err = dmz.CloneSelfExe(c.stateDir)
+		safeExe, err = exeseal.CloneSelfExe(c.stateDir)
 		if err != nil {
 			return nil, fmt.Errorf("unable to create safe /proc/self/exe clone for runc init: %w", err)
 		}
 		exePath = "/proc/self/fd/" + strconv.Itoa(int(safeExe.Fd()))
 		p.clonedExes = append(p.clonedExes, safeExe)
-		logrus.Debug("runc-dmz: using /proc/self/exe clone") // used for tests
+		logrus.Debug("runc exeseal: using /proc/self/exe clone") // used for tests
 	}

 	cmd := exec.Command(exePath, "init")
--- a/libcontainer/exeseal/cloned_binary_linux.go
+++ b/libcontainer/exeseal/cloned_binary_linux.go
@@ -1,4 +1,4 @@
-package dmz
+package exeseal

 import (
 	"errors"
@@ -224,7 +224,7 @@ func CloneSelfExe(tmpDir string) (*os.File, error) {
 	// around ~60% overhead during container startup.
 	overlayFile, err := sealedOverlayfs("/proc/self/exe", tmpDir)
 	if err == nil {
-		logrus.Debug("runc-dmz: using overlayfs for sealed /proc/self/exe") // used for tests
+		logrus.Debug("runc exeseal: using overlayfs for sealed /proc/self/exe") // used for tests
 		return overlayFile, nil
 	}
 	logrus.WithError(err).Debugf("could not use overlayfs for /proc/self/exe sealing -- falling back to making a temporary copy")
--- a/libcontainer/exeseal/overlayfs_linux.go
+++ b/libcontainer/exeseal/overlayfs_linux.go
@@ -1,4 +1,4 @@
-package dmz
+package exeseal

 import (
 	"fmt"
--- a/libcontainer/process.go
+++ b/libcontainer/process.go
@@ -52,7 +52,7 @@ type Process struct {
 	// ExtraFiles specifies additional open files to be inherited by the process.
 	ExtraFiles []*os.File

-	// Open handles to cloned binaries -- see dmz.CloneSelfExe for more details.
+	// Open handles to cloned binaries -- see exeseal.CloneSelfExe for more details.
 	clonedExes []*os.File

 	// Initial size for the console.
--- a/tests/integration/run.bats
+++ b/tests/integration/run.bats
@@ -131,10 +131,10 @@ function teardown() {
 	runc --debug run test_hello
 	[ "$status" -eq 0 ]
 	[[ "$output" = *"Hello World"* ]]
-	[[ "$output" = *"runc-dmz: using /proc/self/exe clone"* ]]
+	[[ "$output" = *"runc exeseal: using /proc/self/exe clone"* ]]
 	# runc will use fsopen("overlay") if it can.
 	if can_fsopen overlay; then
-		[[ "$output" = *"runc-dmz: using overlayfs for sealed /proc/self/exe"* ]]
+		[[ "$output" = *"runc exeseal: using overlayfs for sealed /proc/self/exe"* ]]
 	fi
 }