feat: support bottlerocket

Author: kr3v

compel/arch/arm/plugins/std/syscalls/syscall.def

@@ -92,6 +92,7 @@ get_robust_list			100	339	(int pid, struct robust_list_head **head_ptr, size_t *
 signalfd4			74	355	(int fd, k_rtsigset_t *mask, size_t sizemask, int flags)
 rt_tgsigqueueinfo		240	363	(pid_t tgid, pid_t pid, int sig, siginfo_t *info)
 vmsplice			75	343	(int fd, const struct iovec *iov, unsigned long nr_segs, unsigned int flags)
+pipe2				59	359	(int *fildes, int flags)
 timerfd_settime			86	353	(int ufd, int flags, const struct itimerspec *utmr, struct itimerspec *otmr)
 fanotify_init			262	367	(unsigned int flags, unsigned int event_f_flags)
 fanotify_mark			263	368	(int fanotify_fd, unsigned int flags, uint64_t mask, int dfd, const char *pathname)

compel/arch/x86/plugins/std/syscalls/syscall_64.tbl

@@ -97,6 +97,7 @@ __NR_vmsplice			278		sys_vmsplice		(int fd, const struct iovec *iov, unsigned lo
 __NR_fallocate			285		sys_fallocate		(int fd, int mode, loff_t offset, loff_t len)
 __NR_timerfd_settime		286		sys_timerfd_settime	(int ufd, int flags, const struct itimerspec *utmr, struct itimerspec *otmr)
 __NR_signalfd4			289		sys_signalfd		(int fd, k_rtsigset_t *mask, size_t sizemask, int flags)
+__NR_pipe2			293		sys_pipe2		(int *fildes, int flags)
 __NR_preadv			295		sys_preadv_raw		(int fd, struct iovec *iov, unsigned long nr, unsigned long pos_l, unsigned long pos_h)
 __NR_rt_tgsigqueueinfo		297		sys_rt_tgsigqueueinfo	(pid_t tgid, pid_t pid, int sig, siginfo_t *info)
 __NR_fanotify_init		300		sys_fanotify_init	(unsigned int flags, unsigned int event_f_flags)

contrib/castai/release/clear-bits.c

@@ -0,0 +1,35 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <string.h>
+#include <errno.h>
+
+int main(int argc, char *argv[]) {
+    if (argc != 2) {
+        fprintf(stderr, "Usage: %s <pid>\n", argv[0]);
+        fprintf(stderr, "Writes '4' to /proc/<pid>/clear_refs to clear soft-dirty bits\n");
+        return 1;
+    }
+
+    char path[64];
+    snprintf(path, sizeof(path), "/proc/%s/clear_refs", argv[1]);
+
+    int fd = open(path, O_WRONLY);
+    if (fd < 0) {
+        fprintf(stderr, "Failed to open %s: %s\n", path, strerror(errno));
+        return 1;
+    }
+
+    const char *val = "4\n";
+    ssize_t written = write(fd, val, 2);
+    if (written < 0) {
+        fprintf(stderr, "Failed to write to %s: %s\n", path, strerror(errno));
+        close(fd);
+        return 1;
+    }
+
+    close(fd);
+    return 0;
+}
+

contrib/castai/release/clear-refs-exec.go

@@ -0,0 +1,209 @@
+// clear-refs-exec.go
+//
+// A utility to clear soft-dirty bits for a containerized process by executing
+// clear_refs inside the container via crictl exec.
+//
+// Build: CGO_ENABLED=0 go build -ldflags="-s -w" -o clear-refs-exec clear-refs-exec.go
+
+package main
+
+import (
+	"bufio"
+	"flag"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strconv"
+	"strings"
+)
+
+func main() {
+	// Parse command-line flags
+	clearRefsBin := flag.String("clear-refs-bin", "/bin/clear_refs", "path to clear_refs binary inside container")
+	flag.Usage = func() {
+		fmt.Fprintf(os.Stderr, "Usage: %s [options] <root-ns-pid>\n\n", os.Args[0])
+		fmt.Fprintf(os.Stderr, "Clears soft-dirty bits for a container process via crictl exec.\n\n")
+		fmt.Fprintf(os.Stderr, "Options:\n")
+		flag.PrintDefaults()
+	}
+	flag.Parse()
+
+	if flag.NArg() != 1 {
+		flag.Usage()
+		os.Exit(1)
+	}
+
+	pid := flag.Arg(0)
+
+	// Validate PID is a number
+	if _, err := strconv.Atoi(pid); err != nil {
+		fmt.Fprintf(os.Stderr, "error: invalid PID %q: %v\n", pid, err)
+		os.Exit(1)
+	}
+
+	// Extract container ID from cgroup
+	containerID, err := getContainerID(pid)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "error: failed to get container ID: %v\n", err)
+		os.Exit(1)
+	}
+
+	// Get the NSpid (PID in container namespace)
+	nspid, err := getNsPid(pid)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "error: failed to get NSpid: %v\n", err)
+		os.Exit(1)
+	}
+
+	fmt.Printf("Container ID: %s\n", containerID)
+	fmt.Printf("NSpid: %s\n", nspid)
+
+	// Execute clear_refs inside the container via crictl exec
+	if err := execClearRefs(containerID, *clearRefsBin, nspid); err != nil {
+		fmt.Fprintf(os.Stderr, "error: failed to execute clear_refs: %v\n", err)
+		os.Exit(1)
+	}
+
+	fmt.Println("Successfully cleared soft-dirty bits")
+}
+
+// getContainerID reads /proc/<pid>/cgroup and extracts the container ID.
+// Handles both standard kubepods format and cri-containerd scope format.
+func getContainerID(pid string) (string, error) {
+	cgroupPath := filepath.Join("/proc", pid, "cgroup")
+	file, err := os.Open(cgroupPath)
+	if err != nil {
+		return "", fmt.Errorf("failed to open %s: %w", cgroupPath, err)
+	}
+	defer file.Close()
+
+	scanner := bufio.NewScanner(file)
+	for scanner.Scan() {
+		line := scanner.Text()
+		// cgroup line format: hierarchy-ID:controller-list:cgroup-path
+		// Example: 0::/kubepods/besteffort/pod<uuid>/<container_id>
+		parts := strings.SplitN(line, ":", 3)
+		if len(parts) < 3 {
+			continue
+		}
+
+		cgroupPathPart := parts[2]
+		if cgroupPathPart == "" || cgroupPathPart == "/" {
+			continue
+		}
+
+		// Try to extract container ID from the cgroup path
+		containerID := extractContainerID(cgroupPathPart)
+		if containerID != "" {
+			return containerID, nil
+		}
+	}
+
+	if err := scanner.Err(); err != nil {
+		return "", fmt.Errorf("failed to read %s: %w", cgroupPath, err)
+	}
+
+	return "", fmt.Errorf("could not find container ID in %s", cgroupPath)
+}
+
+// extractContainerID extracts the container ID from a cgroup path.
+// Handles formats like:
+//   - /kubepods/besteffort/pod<uuid>/<container_id>
+//   - /kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-pod<uuid>.slice/cri-containerd-<container_id>.scope
+func extractContainerID(cgroupPath string) string {
+	// Get the last component of the path
+	lastComponent := filepath.Base(cgroupPath)
+
+	// Handle cri-containerd scope format: cri-containerd-<container_id>.scope
+	if strings.HasPrefix(lastComponent, "cri-containerd-") && strings.HasSuffix(lastComponent, ".scope") {
+		// Remove "cri-containerd-" prefix and ".scope" suffix
+		id := strings.TrimPrefix(lastComponent, "cri-containerd-")
+		id = strings.TrimSuffix(id, ".scope")
+		if isValidContainerID(id) {
+			return id
+		}
+	}
+
+	// Handle docker format: docker-<container_id>.scope
+	if strings.HasPrefix(lastComponent, "docker-") && strings.HasSuffix(lastComponent, ".scope") {
+		id := strings.TrimPrefix(lastComponent, "docker-")
+		id = strings.TrimSuffix(id, ".scope")
+		if isValidContainerID(id) {
+			return id
+		}
+	}
+
+	// Handle plain container ID format (last path component is the container ID)
+	// Example: /kubepods/besteffort/pod<uuid>/<container_id>
+	if isValidContainerID(lastComponent) {
+		return lastComponent
+	}
+
+	return ""
+}
+
+// isValidContainerID checks if a string looks like a valid container ID.
+// Container IDs are typically 64 hex characters.
+func isValidContainerID(id string) bool {
+	if len(id) != 64 {
+		return false
+	}
+	for _, c := range id {
+		if !((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F')) {
+			return false
+		}
+	}
+	return true
+}
+
+// getNsPid reads /proc/<pid>/status and extracts the NSpid (PID in container namespace).
+// The NSpid line contains space-separated PIDs for each namespace level.
+// Example: "NSpid:  12345   1" where 12345 is root ns PID and 1 is container ns PID.
+func getNsPid(pid string) (string, error) {
+	statusPath := filepath.Join("/proc", pid, "status")
+	file, err := os.Open(statusPath)
+	if err != nil {
+		return "", fmt.Errorf("failed to open %s: %w", statusPath, err)
+	}
+	defer file.Close()
+
+	scanner := bufio.NewScanner(file)
+	for scanner.Scan() {
+		line := scanner.Text()
+		if strings.HasPrefix(line, "NSpid:") {
+			// Remove "NSpid:" prefix and split by whitespace
+			nspidPart := strings.TrimPrefix(line, "NSpid:")
+			pids := strings.Fields(nspidPart)
+			if len(pids) == 0 {
+				return "", fmt.Errorf("NSpid line is empty in %s", statusPath)
+			}
+			// Return the last PID (innermost namespace)
+			return pids[len(pids)-1], nil
+		}
+	}
+
+	if err := scanner.Err(); err != nil {
+		return "", fmt.Errorf("failed to read %s: %w", statusPath, err)
+	}
+
+	return "", fmt.Errorf("NSpid not found in %s", statusPath)
+}
+
+// execClearRefs runs clear_refs inside the container via crictl exec.
+func execClearRefs(containerID, clearRefsBin, nspid string) error {
+	// Build the crictl exec command
+	cmd := exec.Command("crictl", "exec", containerID, clearRefsBin, nspid)
+
+	// Capture combined output for error reporting
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("crictl exec failed: %w\nOutput: %s", err, string(output))
+	}
+
+	if len(output) > 0 {
+		fmt.Printf("crictl exec output: %s\n", string(output))
+	}
+
+	return nil
+}

criu/cr-restore.c

@@ -1687,6 +1687,14 @@ static int __restore_task_with_children(void *_arg)
 			goto err;
 	}
 
+	/*
+	 * All children have finished premapping (forking barrier passed).
+	 * Convert PROT_EXEC VMAs from anonymous to memfd-backed so the
+	 * restorer's mprotect won't trigger SELinux execmem/execmod.
+	 */
+	if (finalize_exec_mappings(current))
+		goto err;
+
 	if (restore_one_task(vpid(current), ca->core))
 		goto err;
 
@@ -2517,7 +2525,7 @@ static unsigned long restorer_len;
 static int prepare_restorer_blob(void)
 {
 	/*
-	 * We map anonymous mapping, not mremap the restorer itself later.
+	 * We map anonymous memory, not mremap the restorer itself later.
 	 * Otherwise the restorer vma would be tied to criu binary which
 	 * in turn will lead to set-exe-file prctl to fail with EBUSY.
 	 */
@@ -2539,7 +2547,7 @@ static int prepare_restorer_blob(void)
 	 */
 	restorer_len = round_up(pbd.hdr.args_off, page_size());
 
-	restorer = mmap(NULL, restorer_len, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS, 0, 0);
+	restorer = mmap(NULL, restorer_len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, 0, 0);
 	if (restorer == MAP_FAILED) {
 		pr_perror("Can't map restorer code");
 		return -1;
@@ -2554,6 +2562,8 @@ static int remap_restorer_blob(void *addr)
 {
 	struct parasite_blob_desc pbd;
 	void *mem;
+	int fd;
+	ssize_t off, ret;
 
 	mem = mremap(restorer, restorer_len, restorer_len, MREMAP_FIXED | MREMAP_MAYMOVE, addr);
 	if (mem != addr) {
@@ -2570,6 +2580,49 @@ static int remap_restorer_blob(void *addr)
 	restorer_setup_c_header_desc(&pbd, true);
 	compel_relocs_apply(addr, addr, &pbd);
 
+	/*
+	 * To avoid SELinux execmem denials, back the restorer blob with a
+	 * memfd instead of anonymous memory. The kernel's
+	 * file_map_prot_check() requires process:execmem when:
+	 *   (PROT_EXEC) && (!file || IS_PRIVATE(inode) || (!shared && PROT_WRITE))
+	 *
+	 * Using MAP_SHARED on a memfd (file-backed, !IS_PRIVATE) makes the
+	 * !shared term false, so execmem is never checked. Instead SELinux
+	 * checks file:execute (which runtime_t has on Bottlerocket).
+	 *
+	 * Each restored process calls remap_restorer_blob() independently
+	 * with its own memfd, so MAP_SHARED pages are not shared across
+	 * the process tree.
+	 */
+	fd = memfd_create("restorer", 0);
+	if (fd < 0) {
+		pr_perror("Can't create memfd for restorer");
+		return -1;
+	}
+
+	if (ftruncate(fd, restorer_len)) {
+		pr_perror("Can't resize restorer memfd");
+		goto err;
+	}
+
+	for (off = 0; off < restorer_len; ) {
+		ret = write(fd, addr + off, restorer_len - off);
+		if (ret <= 0) {
+			pr_perror("Can't write restorer blob to memfd");
+			goto err;
+		}
+		off += ret;
+	}
+
+	mem = mmap(addr, restorer_len, PROT_READ | PROT_WRITE | PROT_EXEC,
+		   MAP_SHARED | MAP_FIXED, fd, 0);
+	if (mem != addr) {
+		pr_perror("Can't map restorer memfd");
+		goto err;
+	}
+
+	close(fd);
+
 	/*
 	 * Ensure the infected thread sees the updated code.
 	 *
@@ -2582,6 +2635,10 @@ static int remap_restorer_blob(void *addr)
 	__builtin___clear_cache(addr, addr + pbd.hdr.bsize);
 
 	return 0;
+
+err:
+	close(fd);
+	return -1;
 }
 
 static int validate_sched_parm(struct rst_sched_param *sp)

criu/filesystems.c

@@ -417,9 +417,8 @@ static int tmpfs_dump(struct mount_info *pm)
 		userns_pid = root_item->pid->real;
 
 	ret = cr_system_userns(fd, img_raw_fd(img), -1, "tar",
-			       (char *[]){ "tar", "--create", "--gzip", "--no-unquote", "--no-wildcards",
-					   "--one-file-system", "--check-links", "--preserve-permissions", "--sparse",
-					   "--numeric-owner", "--directory", "/proc/self/fd/0", ".", NULL },
+			       (char *[]){ "tar", "-czf", "-", "--numeric-owner",
+					   "-C", "/proc/self/fd/0", ".", NULL },
 			       0, userns_pid);
 
 	if (ret)
@@ -451,8 +450,7 @@ static int tmpfs_restore(struct mount_info *pm)
 	}
 
 	ret = cr_system(img_raw_fd(img), -1, -1, "tar",
-			(char *[]){ "tar", "--extract", "--gzip", "--no-unquote", "--no-wildcards", "--directory",
-				    service_mountpoint(pm), NULL },
+			(char *[]){ "tar", "-xzf", "-", "-C", service_mountpoint(pm), NULL },
 			0);
 	close_image(img);