Releases: containers/crun

1.15

02 May 11:49 (commit e6eacaf)

What's Changed

  • fix a mount point leak under /run/crun, add a retry mechanism to unmount the directory if the removal failed with EBUSY.
  • linux: cgroups: fix potential mount leak when /sys/fs/cgroup is already mounted, causing the posthooks to not run.
  • release: build s390x binaries using musl libc.
  • features: add support for potentiallyUnsafeConfigAnnotations.
  • handlers: add option to load wasi-nn plugin for wasmedge.
  • linux: fix "harden chdir()" security measure. The previous check was not correct.
  • crun: add option --keep to the run command. When specified, the container is not automatically deleted when it exits.

Full Changelog: 1.14.4...1.15

1.14.4

29 Feb 17:45 (commit a220ca6)
  • linux: fix mount of file with recursive flags. Do not assume it is a directory, but check the source type.
  • new build for s390x

1.14.3

17 Feb 08:34 (commit 1961d21)
  • follow up for 1.14.2. Drop the version check for each command.

1.14.2

16 Feb 17:10 (commit 32b139f)
  • drop check for OCI version. A recent bump in the OCI runtime specs caused crun to fail with every config file. Just drop the check since it doesn't add any value.

1.14.1

08 Feb 18:30 (commit de537a7)
  • there was recently a security vulnerability (CVE-2024-21626) in runc
    that allowed a malicious user to chdir(2) to a /proc/*/fd entry that is
    outside the container rootfs. While crun is not affected directly,
    harden chdir by validating that we are still inside the container
    rootfs.
  • container: attempt to close all the files before execv(2).
    Closing them ensures that a leaked fd cannot give the exec'd process
    access to files outside the container rootfs through /proc/self/fd/$fd.
  • fix a regression caused by 1.14 when installing the ebpf filter on a
    kernel older than 5.11.
  • cgroup, systemd: fix segfault if the resources block is not specified.
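The two hardening steps described in the 1.14.1 notes, written out as an added C example (this is not crun's own code; the function names cwd_inside_rootfs, close_fds_from and run_demo are ours, and the temporary "rootfs" under /tmp is a constructed scenario). After a chdir(), the working directory is verified to still lie inside the rootfs by walking ".." until either the rootfs inode or the filesystem root is reached; before an exec, every inherited descriptor from a given number upwards is closed using the listing in /proc/self/fd.

```c
/* Added example, not crun's code: validate cwd against a rootfs after
 * chdir(), and close inherited fds before execv(). Names are ours. */
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

static int same_inode(const struct stat *a, const struct stat *b)
{
    return a->st_dev == b->st_dev && a->st_ino == b->st_ino;
}

/* Returns 1 if the current working directory is rootfs or below it,
 * 0 if it is outside (e.g. reached through a /proc/PID/fd symlink),
 * -1 on error. Walks ".." from "." until it meets rootfs or "/". */
int cwd_inside_rootfs(const char *rootfs)
{
    struct stat root_st, cur_st, parent_st;
    if (stat(rootfs, &root_st) < 0)
        return -1;
    int fd = open(".", O_PATH | O_DIRECTORY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    for (;;) {
        if (fstat(fd, &cur_st) < 0) { close(fd); return -1; }
        if (same_inode(&cur_st, &root_st)) { close(fd); return 1; }
        int parent = openat(fd, "..", O_PATH | O_DIRECTORY | O_CLOEXEC);
        if (parent < 0) { close(fd); return -1; }
        if (fstat(parent, &parent_st) < 0) { close(fd); close(parent); return -1; }
        close(fd);
        if (same_inode(&parent_st, &cur_st)) {   /* ".." of "/" is "/" */
            close(parent);
            return 0;                             /* hit "/" first: escaped */
        }
        fd = parent;
    }
}

/* Close every fd >= lowfd, taking the list from /proc/self/fd so the
 * RLIMIT_NOFILE ceiling need not be guessed. Returns the number closed. */
int close_fds_from(int lowfd)
{
    DIR *d = opendir("/proc/self/fd");
    if (!d)
        return -1;
    int skip = dirfd(d), closed = 0, n = 0, fds[1024];
    struct dirent *e;
    /* collect first: closing entries while the listing is read is unsafe */
    while ((e = readdir(d)) != NULL && n < 1024) {
        if (e->d_name[0] == '.') continue;
        int fd = atoi(e->d_name);
        if (fd >= lowfd && fd != skip)
            fds[n++] = fd;
    }
    closedir(d);
    for (int i = 0; i < n; i++)
        if (close(fds[i]) == 0) closed++;
    return closed;
}

/* Constructed scenario: a temp rootfs with a "usr" subdirectory. Returns 0
 * when the inside/outside checks and the fd closer all behave as expected. */
int run_demo(void)
{
    int saved_cwd = open(".", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    char tmpl[] = "/tmp/rootfs-XXXXXX";
    char *rootfs = mkdtemp(tmpl);
    if (saved_cwd < 0 || !rootfs)
        return 1;
    char sub[64];
    snprintf(sub, sizeof sub, "%s/usr", rootfs);
    int rc = 0;
    if (mkdir(sub, 0755) < 0)
        rc = 2;
    if (!rc && (chdir(sub) < 0 || cwd_inside_rootfs(rootfs) != 1))
        rc = 3;                        /* rootfs/usr must count as inside */
    if (!rc && (chdir("/tmp") < 0 || cwd_inside_rootfs(rootfs) != 0))
        rc = 4;                        /* /tmp is above rootfs: outside */
    int fd = open("/dev/null", O_RDONLY);
    if (!rc && (fd < 0 || close_fds_from(fd) < 1 || fcntl(fd, F_GETFD) != -1))
        rc = 5;                        /* fd must be gone after the sweep */
    fchdir(saved_cwd);
    close(saved_cwd);
    rmdir(sub);
    rmdir(rootfs);
    return rc;
}

int main(void)
{
    printf("demo result: %d (0 = all checks passed)\n", run_demo());
    return 0;
}
```

The walk compares device/inode pairs rather than path strings, so a working directory that was entered through a symlink or a /proc entry is judged by where it actually is in the tree. Closing descriptors by reading /proc/self/fd keeps the sweep cheap even when the soft limit on open files is large.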

1.14

24 Jan 16:51 (commit 667e6eb)
  • build: drop dependency on libgcrypt. Use blake3 to compute the cache key.
  • cpuset: don't clobber parent cgroup value when writing the cpuset value.
  • linux: force umask(0). It ensures that the mknodat syscall is not affected by the umask of the calling process, allowing file permissions to be set as specified in the OCI configuration.
  • ebpf: do not require MEMLOCK for eBPF programs. This requirement was relaxed in Linux 5.11.
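An added C example (not crun's code; the helper name node_mode_under_umask is ours) showing the effect the 1.14 umask(0) change addresses: the kernel masks the mode passed to mknodat(2) with the caller's umask, so a node requested as 0666 comes out as 0644 under the usual 022 umask. A FIFO is created instead of a device node because an unprivileged process may create one; the behaviour of the mode bits is the same.

```c
/* Added example, not crun's code: demonstrate that mknodat(2) honours the
 * process umask, which is why a runtime applying OCI-specified permissions
 * must set umask(0) first. Helper name is ours; the temp dir is constructed. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a FIFO with mode 0666 while `mask` is the process umask and
 * return the permission bits the node actually received (-1 on error). */
int node_mode_under_umask(mode_t mask)
{
    char dir[] = "/tmp/mknod-demo-XXXXXX";
    if (!mkdtemp(dir))
        return -1;
    char path[64];
    snprintf(path, sizeof path, "%s/fifo", dir);

    mode_t old = umask(mask);          /* requested: 0666, masked by `mask` */
    int rc = mknodat(AT_FDCWD, path, S_IFIFO | 0666, 0);
    umask(old);                        /* restore the caller's umask */

    int mode = -1;
    struct stat st;
    if (rc == 0 && stat(path, &st) == 0)
        mode = (int)(st.st_mode & 07777);
    unlink(path);
    rmdir(dir);
    return mode;
}

int main(void)
{
    printf("umask 022 -> %04o\n", node_mode_under_umask(022));   /* 0644 */
    printf("umask 000 -> %04o\n", node_mode_under_umask(0));     /* 0666 */
    return 0;
}
```

With umask(0) in force the node gets exactly the bits the configuration asked for; any other umask silently strips bits, which is the class of discrepancy the change removes.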

1.13

15 Jan 16:25 (commit c761349)
  • src: use O_CLOEXEC for all open/openat calls
  • cgroup v1: use "max" when pids limit < 0.
  • improve error message when idmap mount fails because the underlying file system has no support for it.
  • libcrun: fix compilation when building without libseccomp and libcap.
  • fix relative idmapped mount when using the custom annotation.

1.12

23 Nov 17:12 (commit ce429cb)
  • add new WebAssembly handler: spin.
  • systemd: fall back to the system bus if the session bus is not available.
  • configure the cpu rt and cpuset controllers before joining them, to avoid temporarily running the workload on the wrong CPUs.
  • preconfigure the cpuset with required resources instead of using the parent's set. This prevents needless churn in the kernel as it tracks which CPUs have load balancing disabled.
  • try attr//* before the attr/* files. Writes to the attr/* files may fail if apparmor is not the first "major" LSM in the list of loaded LSMs (e.g. lsm=apparmor,bpf vs lsm=bpf,apparmor).

1.11.2

07 Nov 12:54 (commit ab0edee)
  • fix a regression caused by 1.11.1 where the process crashes if there are no CPU limits configured on cgroup v1.
  • fix error code check for the ptsname_r function.

1.11.1

30 Oct 20:24 (commit 1084f95)
  • force a remount operation with bind mounts from the host to correctly set all the mount flags.