From 074857a6e9d211f4951504436ac484712e46e6e1 Mon Sep 17 00:00:00 2001
From: Euan Kemp
Date: Wed, 11 Jan 2017 16:08:08 -0800
Subject: [PATCH] app-emulation/runc: update to rc2 + 1.12.6 fixes

This matches the commit used by docker for 1.12.6 and contains the relevant changes from the deleted patch file
---
 .../app-emulation/runc/Manifest | 2 +-
 .../0002-Add-security-patches-for-runc.patch | 112 ------------------
 ...615-r4.ebuild => runc-1.0.0_rc2-r2.ebuild} | 5 +-
 3 files changed, 3 insertions(+), 116 deletions(-)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/runc/files/0002-Add-security-patches-for-runc.patch
 rename sdk_container/src/third_party/coreos-overlay/app-emulation/runc/{runc-1.0.0_rc1_p20160615-r4.ebuild => runc-1.0.0_rc2-r2.ebuild} (85%)
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/Manifest b/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/Manifest
index 6f96bd8062..9c9a5c0937 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/Manifest
@@ -1 +1 @@
-DIST runc-1.0.0_rc1_p20160615.tar.gz 535401 SHA256 196b78c6caf1a4c6257314b393381baffa7c82bb2690ac02a7b3d6cd6cfe7776 SHA512 0bf8ce3bb15caaf09214f23a411003fd5b660d291662ad513c3d944647a0fa9b270d18902706b7e6aa3c30eb0f676e73af46b8249d1e2484e1dc40d6ffd5a80d WHIRLPOOL 9d15d069e00fe38e2bbda84b477dc0cf9f3431d3587919a80164d550a6d882d8742a5c2a8cdb7645509dec8d55b545912c0287785d0ca7e79acc0a08eace6f47
+DIST runc-1.0.0_rc2.tar.gz 550449 SHA256 638742c48426b9a3281aeb619e27513d972de228bdbd43b478baea99c186d491 SHA512 83a3d45efbb86d3d583b96062202b9e60121d250af2c0dd37d07fda574b642aa6f05e29cac6644ad3d624647400db694082e280383e41ca9f31dc0a33b87ed76 WHIRLPOOL 990a45739689db80bbeed43b0fd3a4ce4d0563ea833361b9112e750782313f19e638c4bfbd455f5dd1882d64c724dcf0213701322029c2c9f98f624863c744f3
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/files/0002-Add-security-patches-for-runc.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/files/0002-Add-security-patches-for-runc.patch
deleted file mode 100644
index fe0abf0dc7..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/files/0002-Add-security-patches-for-runc.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-From 50a19c6ff828c58e5dab13830bd3dacde268afe5 Mon Sep 17 00:00:00 2001
-From: Michael Crosby
-Date: Wed, 7 Dec 2016 15:05:51 -0800
-Subject: [PATCH] Set init processes as non-dumpable
-
-This sets the init processes that join and setup the container's
-namespaces as non-dumpable before they setns to the container's pid (or
-any other ) namespace.
-
-This settings is automatically reset to the default after the Exec in
-the container so that it does not change functionality for the
-applications that are running inside, just our init processes.
-
-This prevents parent processes, the pid 1 of the container, to ptrace
-the init process before it drops caps and other sets LSMs.
-
-This patch also ensures that the stateDirFD being used is still closed
-prior to exec, even though it is set as O_CLOEXEC, because of the order
-in the kernel.
-
-https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
-
-The order during the exec syscall is that the process is set back to
-dumpable before O_CLOEXEC are processed.
-
-Signed-off-by: Michael Crosby
----
- libcontainer/init_linux.go | 3 ++-
- libcontainer/nsenter/nsexec.c | 5 +++++
- libcontainer/setns_init_linux.go | 7 ++++++-
- libcontainer/standard_init_linux.go | 3 +++
- 4 files changed, 16 insertions(+), 2 deletions(-)
-
-diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
-index b1e6762..4043d51 100644
---- a/libcontainer/init_linux.go
-+++ b/libcontainer/init_linux.go
-@@ -77,7 +77,8 @@ func newContainerInit(t initType, pipe *os.File, stateDirFD int) (initer, error)
- switch t {
- case initSetns:
- return &linuxSetnsInit{
-- config: config,
-+ config: config,
-+ stateDirFD: stateDirFD,
- }, nil
- case initStandard:
- return &linuxStandardInit{
-diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
-index b93f827..4b5398b 100644
---- a/libcontainer/nsenter/nsexec.c
-+++ b/libcontainer/nsenter/nsexec.c
-@@ -362,6 +362,12 @@ void nsexec(void)
- if (pipenum == -1)
- return;
-
-+ /* make the process non-dumpable */
-+ if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) {
-+ pr_perror("failed to set process as non-dumpable");
-+ exit(1);
-+ }
-+
- // Retrieve the netlink header
- struct nlmsghdr nl_msg_hdr;
-
-diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go
-index 2a8f345..7f5f182 100644
---- a/libcontainer/setns_init_linux.go
-+++ b/libcontainer/setns_init_linux.go
-@@ -5,6 +5,7 @@ package libcontainer
- import (
- "fmt"
- "os"
-+ "syscall"
-
- "github.com/opencontainers/runc/libcontainer/apparmor"
- "github.com/opencontainers/runc/libcontainer/keys"
-@@ -16,7 +17,8 @@ import (
- // linuxSetnsInit performs the container's initialization for running a new process
- // inside an existing container.
- type linuxSetnsInit struct {
-- config *initConfig
-+ config *initConfig
-+ stateDirFD int
- }
-
- func (l *linuxSetnsInit) getSessionRingName() string {
-@@ -49,5 +51,8 @@ func (l *linuxSetnsInit) Init() error {
- if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil {
- return err
- }
-+ // close the statedir fd before exec because the kernel resets dumpable in the wrong order
-+ // https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
-+ syscall.Close(l.stateDirFD)
- return system.Execv(l.config.Args[0], l.config.Args[0:], os.Environ())
- }
-diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
-index 2104f1a..6a65154 100644
---- a/libcontainer/standard_init_linux.go
-+++ b/libcontainer/standard_init_linux.go
-@@ -171,6 +171,9 @@ func (l *linuxStandardInit) Init() error {
- return newSystemErrorWithCause(err, "init seccomp")
- }
- }
-+ // close the statedir fd before exec because the kernel resets dumpable in the wrong order
-+ // https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
-+ syscall.Close(l.stateDirFD)
- if err := syscall.Exec(name, l.config.Args[0:], os.Environ()); err != nil {
- return newSystemErrorWithCause(err, "exec user process")
- }
---
-2.11.0
-
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/runc-1.0.0_rc1_p20160615-r4.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/runc-1.0.0_rc2-r2.ebuild
similarity index 85%
rename from sdk_container/src/third_party/coreos-overlay/app-emulation/runc/runc-1.0.0_rc1_p20160615-r4.ebuild
rename to sdk_container/src/third_party/coreos-overlay/app-emulation/runc/runc-1.0.0_rc2-r2.ebuild
index d24e0ca791..005aba01ff 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/runc-1.0.0_rc1_p20160615-r4.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/runc-1.0.0_rc2-r2.ebuild
@@ -8,8 +8,8 @@ GITHUB_URI="github.com/opencontainers/runc"
 COREOS_GO_PACKAGE="${GITHUB_URI}"
 COREOS_GO_VERSION="go1.6"
 # the commit of runc that docker uses.
-# see https://github.com/docker/docker/blob/v1.12.0/Dockerfile#L236
-COMMIT_ID="cc29e3dded8e27ba8f65738f40d251c885030a28"
+# see https://github.com/docker/docker/blob/v1.12.6/Dockerfile#L245
+COMMIT_ID="50a19c6ff828c58e5dab13830bd3dacde268afe5"
 inherit eutils flag-o-matic coreos-go-depend vcs-snapshot
@@ -31,7 +31,6 @@ RDEPEND="
 src_prepare() {
 epatch "${FILESDIR}/0001-Makefile-do-not-install-dependencies-of-target.patch"
- epatch "${FILESDIR}/0002-Add-security-patches-for-runc.patch"
 # Work around https://github.com/golang/go/issues/14669
 # Remove after updating to go1.7
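Review bot: The comment above the new COMMIT_ID in the first hunk only says "the commit of runc that docker uses", but with the second hunk dropping files/0002-Add-security-patches-for-runc.patch, the fact that 50a19c6ff828c58e5dab13830bd3dacde268afe5 is exactly the upstream hash on that deleted patch's From line (the "Set init processes as non-dumpable" fix: PR_SET_DUMPABLE in nsexec plus closing stateDirFD before exec) is what justifies removing it, and nothing in the ebuild records that. Without it, a later bump that reverts to a docker-pinned commit older than 50a19c6 would silently lose the hardening again. Suggest extending the comment: `# 50a19c6 carries upstream's "Set init processes as non-dumpable" fix, previously applied here as files/0002-Add-security-patches-for-runc.patch; do not pin below it.` Separately, the rename drops the _pYYYYMMDD snapshot suffix the old ebuild used even though COMMIT_ID is a specific commit rather than a tag, so the 1.0.0_rc2 label in the Manifest's runc-1.0.0_rc2.tar.gz may not describe what the tarball contains; if 50a19c6 is not the rc2 tag itself, keeping a snapshot suffix would make the version honest.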