app-emulation/runc: update to rc2 + 1.12.6 fixes
This matches the commit used by docker for 1.12.6 and contains the relevant changes from the deleted patch file
This commit is contained in:
parent
74d1202821
commit
074857a6e9
@ -1 +1 @@
|
|||||||
DIST runc-1.0.0_rc1_p20160615.tar.gz 535401 SHA256 196b78c6caf1a4c6257314b393381baffa7c82bb2690ac02a7b3d6cd6cfe7776 SHA512 0bf8ce3bb15caaf09214f23a411003fd5b660d291662ad513c3d944647a0fa9b270d18902706b7e6aa3c30eb0f676e73af46b8249d1e2484e1dc40d6ffd5a80d WHIRLPOOL 9d15d069e00fe38e2bbda84b477dc0cf9f3431d3587919a80164d550a6d882d8742a5c2a8cdb7645509dec8d55b545912c0287785d0ca7e79acc0a08eace6f47
|
DIST runc-1.0.0_rc2.tar.gz 550449 SHA256 638742c48426b9a3281aeb619e27513d972de228bdbd43b478baea99c186d491 SHA512 83a3d45efbb86d3d583b96062202b9e60121d250af2c0dd37d07fda574b642aa6f05e29cac6644ad3d624647400db694082e280383e41ca9f31dc0a33b87ed76 WHIRLPOOL 990a45739689db80bbeed43b0fd3a4ce4d0563ea833361b9112e750782313f19e638c4bfbd455f5dd1882d64c724dcf0213701322029c2c9f98f624863c744f3
|
||||||
|
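--- a/${FILESDIR}/0002-Add-security-patches-for-runc.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-From 50a19c6ff828c58e5dab13830bd3dacde268afe5 Mon Sep 17 00:00:00 2001
-From: Michael Crosby <crosbymichael@gmail.com>
-Date: Wed, 7 Dec 2016 15:05:51 -0800
-Subject: [PATCH] Set init processes as non-dumpable
-
-This sets the init processes that join and setup the container's
-namespaces as non-dumpable before they setns to the container's pid (or
-any other ) namespace.
-
-This settings is automatically reset to the default after the Exec in
-the container so that it does not change functionality for the
-applications that are running inside, just our init processes.
-
-This prevents parent processes, the pid 1 of the container, to ptrace
-the init process before it drops caps and other sets LSMs.
-
-This patch also ensures that the stateDirFD being used is still closed
-prior to exec, even though it is set as O_CLOEXEC, because of the order
-in the kernel.
-
-https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
-
-The order during the exec syscall is that the process is set back to
-dumpable before O_CLOEXEC are processed.
-
-Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
----
-libcontainer/init_linux.go | 3 ++-
-libcontainer/nsenter/nsexec.c | 5 +++++
-libcontainer/setns_init_linux.go | 7 ++++++-
-libcontainer/standard_init_linux.go | 3 +++
-4 files changed, 16 insertions(+), 2 deletions(-)
-
-diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
-index b1e6762..4043d51 100644
---- a/libcontainer/init_linux.go
-+++ b/libcontainer/init_linux.go
-@@ -77,7 +77,8 @@ func newContainerInit(t initType, pipe *os.File, stateDirFD int) (initer, error)
-switch t {
-case initSetns:
-return &linuxSetnsInit{
-- config: config,
-+ config: config,
-+ stateDirFD: stateDirFD,
-}, nil
-case initStandard:
-return &linuxStandardInit{
-diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
-index b93f827..4b5398b 100644
---- a/libcontainer/nsenter/nsexec.c
-+++ b/libcontainer/nsenter/nsexec.c
-@@ -362,6 +362,12 @@ void nsexec(void)
-if (pipenum == -1)
-return;
-
-+ /* make the process non-dumpable */
-+ if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) {
-+ pr_perror("failed to set process as non-dumpable");
-+ exit(1);
-+ }
-+
-// Retrieve the netlink header
-struct nlmsghdr nl_msg_hdr;
-
-diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go
-index 2a8f345..7f5f182 100644
---- a/libcontainer/setns_init_linux.go
-+++ b/libcontainer/setns_init_linux.go
-@@ -5,6 +5,7 @@ package libcontainer
-import (
-"fmt"
-"os"
-+ "syscall"
-
-"github.com/opencontainers/runc/libcontainer/apparmor"
-"github.com/opencontainers/runc/libcontainer/keys"
-@@ -16,7 +17,8 @@ import (
-// linuxSetnsInit performs the container's initialization for running a new process
-// inside an existing container.
-type linuxSetnsInit struct {
-- config *initConfig
-+ config *initConfig
-+ stateDirFD int
-}
-
-func (l *linuxSetnsInit) getSessionRingName() string {
-@@ -49,5 +51,8 @@ func (l *linuxSetnsInit) Init() error {
-if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil {
-return err
-}
-+ // close the statedir fd before exec because the kernel resets dumpable in the wrong order
-+ // https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
-+ syscall.Close(l.stateDirFD)
-return system.Execv(l.config.Args[0], l.config.Args[0:], os.Environ())
-}
-diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
-index 2104f1a..6a65154 100644
---- a/libcontainer/standard_init_linux.go
-+++ b/libcontainer/standard_init_linux.go
-@@ -171,6 +171,9 @@ func (l *linuxStandardInit) Init() error {
-return newSystemErrorWithCause(err, "init seccomp")
-}
-}
-+ // close the statedir fd before exec because the kernel resets dumpable in the wrong order
-+ // https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
-+ syscall.Close(l.stateDirFD)
-if err := syscall.Exec(name, l.config.Args[0:], os.Environ()); err != nil {
-return newSystemErrorWithCause(err, "exec user process")
-}
---
-2.11.0
-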
@ -8,8 +8,8 @@ GITHUB_URI="github.com/opencontainers/runc"
|
|||||||
COREOS_GO_PACKAGE="${GITHUB_URI}"
|
COREOS_GO_PACKAGE="${GITHUB_URI}"
|
||||||
COREOS_GO_VERSION="go1.6"
|
COREOS_GO_VERSION="go1.6"
|
||||||
# the commit of runc that docker uses.
|
# the commit of runc that docker uses.
|
||||||
# see https://github.com/docker/docker/blob/v1.12.0/Dockerfile#L236
|
# see https://github.com/docker/docker/blob/v1.12.6/Dockerfile#L245
|
||||||
COMMIT_ID="cc29e3dded8e27ba8f65738f40d251c885030a28"
|
COMMIT_ID="50a19c6ff828c58e5dab13830bd3dacde268afe5"
|
||||||
|
|
||||||
inherit eutils flag-o-matic coreos-go-depend vcs-snapshot
|
inherit eutils flag-o-matic coreos-go-depend vcs-snapshot
|
||||||
|
|
||||||
@ -31,7 +31,6 @@ RDEPEND="
|
|||||||
|
|
||||||
src_prepare() {
|
src_prepare() {
|
||||||
epatch "${FILESDIR}/0001-Makefile-do-not-install-dependencies-of-target.patch"
|
epatch "${FILESDIR}/0001-Makefile-do-not-install-dependencies-of-target.patch"
|
||||||
epatch "${FILESDIR}/0002-Add-security-patches-for-runc.patch"
|
|
||||||
|
|
||||||
# Work around https://github.com/golang/go/issues/14669
|
# Work around https://github.com/golang/go/issues/14669
|
||||||
# Remove after updating to go1.7
|
# Remove after updating to go1.7
|