1.14.1

• there was recently a security vulnerability (CVE-2024-21626) in runc
  that allowed a malicious user to chdir(2) to a /proc/*/fd entry that is
  outside the container rootfs. While crun is not affected directly,
  harden chdir by validating that we are still inside the container
  rootfs.
• container: attempt to close all the files before execv(2).
  if we leak any fd, it prevents execv to gain access to files outside
  the container rootfs through /proc/self/fd/$fd.
• fix a regression caused by 1.14 when installing the ebpf filter on a
  kernel older than 5.11.
• cgroup, systemd: fix segfault if the resources block is not specified.

1.14

• build: drop dependency on libgcrypt. Use blake3 to compute the cache key.
• cpuset: don't clobber parent cgroup value when writing the cpuset value.
• linux: force umask(0). It ensures that the mknodat syscall is not affected by the umask of the calling process, allowing file permissions to be set as specified in the OCI configuration.
• ebpf: do not require MEMLOCK for eBPF programs. This requirement was relaxed in Linux 5.11.

1.13

• src: use O_CLOEXEC for all open/openat calls
• cgroup v1: use "max" when pids limit < 0.
• improve error message when idmap mount fails because the underlying file system has no support for it.
• libcrun: fix compilation when building without libseccomp and libcap.
• fix relative idmapped mount when using the custom annotation.

1.12

• add new WebAssembly handler: spin.
• systemd: fallback to system bus if session bus is not available.
• configure the cpu rt and cpuset controllers before joining them to avoid running temporarily the workload on the wrong cpus.
• preconfigure the cpuset with required resources instead of using the parent's set. This prevents needless churn in the kernel as it tracks which CPUs have load balancing disabled.
• try attr//* before the attr/* files. Writes to the attr/* files may fail if apparmor is not the first "major" LSM in the list of loaded LSMs (e.g. lsm=apparmor,bpf vs lsm=bpf,apparmor).

1.11.2

• fix a regression caused by 1.11.1 where the process crashes if there are no CPU limits configured on cgroup v1.
• fix error code check for the ptsname_r function.

1.11.1

• force a remount operation with bind mounts from the host to correctly set all the mount flags.

1.11

• cgroup: honor cpu burst.
• systemd: set CPUQuota and CPUPeriod on the scope cgroup.
• linux: append tmpfs mode if missing for mounts. This is the same behavior of runc.
• cgroup: always use the user session for rootless.

1.10

• support for Intel Resource Director Technology (RDT).
• new mount option "copy-symlink". When provided for a mount, if the source is a symlink, then it is copied in the container instead of attempting a mount.
• linux: open mounts before setgroups if in a userns. This solves a problem where a directory that was previously accessible to the user, become inaccessible after setgroups causing the bind mount to fail.

1.9.2

• cgroup: reset the inherited cpu affinity after moving to cgroup. Old kernels do that automatically, but new kernels remember the affinity that was set before the cgroup move, so we need to reset it in order to honor the cpuset configuration.

1.9.1

• utils: ignore ENOTSUP when chmod a symlink. It fixes a problem on Linux 6.6 that always refuses chmod on a symlink.
• build: fix build on CentOS 7
• linux: add new fallback when mount fails with EBUSY, so that there is not an additional tmpfs mount if not needed.
• utils: improve error message when a directory cannot be created as a component of the path is already existing as a non directory.