[runc] Initial integration (#5287)

* [teleport] Initial integration

* Minor update to run tests again

* Remove debugging things

* Removed an unfinished file

* Small nit

* Added maintainers

* Update Dockerfile

* Update build.sh

* Update project.yaml

* Updated licenses

Co-authored-by: jonathanmetzman <31354670+jonathanmetzman@users.noreply.github.com>

projects/runc/Dockerfile

@@ -0,0 +1,24 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN git clone --depth 1 https://github.com/opencontainers/runc
+COPY build.sh \
+     id_map_fuzzer.go \
+     user_fuzzer.go \
+     configs_fuzzer.go \
+     $SRC/
+WORKDIR $SRC/runc

projects/runc/build.sh

@@ -0,0 +1,25 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+mv $SRC/id_map_fuzzer.go $SRC/runc/libcontainer/system/
+compile_go_fuzzer ./libcontainer/system Fuzz id_map_fuzzer linux
+
+mv $SRC/user_fuzzer.go $SRC/runc/libcontainer/user
+compile_go_fuzzer ./libcontainer/user Fuzz user_fuzzer
+
+mv $SRC/configs_fuzzer.go $SRC/runc/libcontainer/configs
+compile_go_fuzzer ./libcontainer/configs Fuzz configs_fuzzer

projects/runc/configs_fuzzer.go

@@ -0,0 +1,35 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+package configs
+
+import(
+	"fmt"
+)
+
+
+func Fuzz(data []byte) int {
+	hookNameList := []string {"prestart",
+				  "createRuntime",
+				  "createContainer",
+				  "startContainer",
+				  "poststart"}
+
+	for _, hookName := range hookNameList {
+		hooks := Hooks{}
+		_ = hooks.UnmarshalJSON([]byte(fmt.Sprintf(`{"%s" :[%s]}`, hookName, data)))
+	}
+	return 1
+}

projects/runc/id_map_fuzzer.go

@@ -0,0 +1,28 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+package system
+
+import (
+	"strings"
+	"github.com/opencontainers/runc/libcontainer/user"
+)
+
+
+func Fuzz(data []byte) int {
+	uidmap, _ := user.ParseIDMap(strings.NewReader(string(data)))
+	_ = UIDMapInUserNS(uidmap)
+	return 1
+}

projects/runc/project.yaml

@@ -0,0 +1,16 @@
+homepage: "https://github.com/opencontainers/runc"
+main_repo: "https://github.com/opencontainers/runc"
+primary_contact: "cyphar@cyphar.com"
+auto_ccs:
+  - "adam@adalogics.com"
+  - "michael@docker.com"
+  - "mpatel@redhat.com"
+  - "dqminh89@gmail.com"
+  - "h.huangqiang@huawei.com"
+  - "akihiro.suda.cz@hco.ntt.co.jp"
+  - "kolyshkin@gmail.com"
+language: go
+fuzzing_engines:
+  - libfuzzer
+sanitizers:
+  - address

projects/runc/user_fuzzer.go

@@ -0,0 +1,58 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+package user
+
+import (
+	"strings"
+	"io"
+)
+
+
+func IsDivisbleBy(n int, divisibleby int) bool {
+	return (n % divisibleby) == 0
+}
+
+func Fuzz(data []byte) int {
+	if len(data)==0 {
+		return -1
+	}
+	divisible := IsDivisbleBy(len(data), 5)
+	if divisible==false {
+		return -1
+	}
+
+	var divided [][]byte
+
+	chunkSize := len(data)/5
+
+	for i := 0; i < len(data); i += chunkSize {
+	    end := i + chunkSize
+
+	    divided = append(divided, data[i:end])
+	}
+
+	_, _ = ParsePasswdFilter(strings.NewReader(string(divided[0])), nil)
+
+	var passwd, group io.Reader
+
+	group = strings.NewReader(string(divided[1]))
+	_, _ = GetAdditionalGroups([]string{string(divided[2])}, group)
+
+
+	passwd = strings.NewReader(string(divided[3]))
+	_, _ = GetExecUser(string(divided[4]), nil, passwd, group)
+	return 1
+}