app-emulation/docker-runc: fix build error for 1.1.5

Now that nsexec() makes use of a new wrapper try_unshare(), the
third-party patch for delaying unshare of ipc namespace should make
use of that as well. Otherwise the build will not work.
Dongsu Park 2023-04-11 17:04:23 +09:00
parent cf928a0d65
commit 218cbf26f6


@ -9,38 +9,38 @@ root. This allows us to apply the container SELinux label
to mqueue. to mqueue.
Signed-off-by: Mrunal Patel <mrunalp@gmail.com> Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
(dpark: Adjust the logic according to the new code of v1.1.5)
Signed-off-by: Dongsu Park <dpark@linux.microsoft.com>
--- ---
libcontainer/nsenter/nsexec.c | 12 +++++++++++- libcontainer/nsenter/nsexec.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-) 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
index 0ad68834..5100698a 100644 index 2d224bab..4865261f 100644
--- a/libcontainer/nsenter/nsexec.c --- a/libcontainer/nsenter/nsexec.c
+++ b/libcontainer/nsenter/nsexec.c +++ b/libcontainer/nsenter/nsexec.c
@@ -719,7 +719,12 @@ void nsexec(void) @@ -1241,7 +1241,12 @@ void nsexec(void)
* some old kernel versions where clone(CLONE_PARENT | CLONE_NEWPID) * some old kernel versions where clone(CLONE_PARENT | CLONE_NEWPID)
* was broken, so we'll just do it the long way anyway. * was broken, so we'll just do it the long way anyway.
*/ */
write_log(DEBUG, "unshare remaining namespace (except cgroupns)"); - try_unshare(config.cloneflags & ~CLONE_NEWCGROUP, "remaining namespaces (except cgroupns)");
- if (unshare(config.cloneflags & ~CLONE_NEWCGROUP) < 0)
+ uint32_t apply_cloneflags = config.cloneflags; + uint32_t apply_cloneflags = config.cloneflags;
+ if ((config.cloneflags & CLONE_NEWUSER) && (config.cloneflags & CLONE_NEWIPC)) { + if ((config.cloneflags & CLONE_NEWUSER) && (config.cloneflags & CLONE_NEWIPC)) {
+ apply_cloneflags &= ~CLONE_NEWIPC; + apply_cloneflags &= ~CLONE_NEWIPC;
+ } + }
+ +
+ if (unshare(apply_cloneflags & ~CLONE_NEWCGROUP) < 0) + try_unshare(apply_cloneflags & ~CLONE_NEWCGROUP, "remaining namespaces (except cgroupns)");
bail("failed to unshare remaining namespaces (except cgroupns)");
/* /* Ask our parent to send the mount sources fds. */
@@ -841,6 +846,11 @@ void nsexec(void) if (config.mountsources) {
bail("setgroups failed"); @@ -1362,6 +1367,10 @@ void nsexec(void)
try_unshare(CLONE_NEWCGROUP, "cgroup namespace");
} }
+ if ((config.cloneflags & CLONE_NEWUSER) && (config.cloneflags & CLONE_NEWIPC)) { + if ((config.cloneflags & CLONE_NEWUSER) && (config.cloneflags & CLONE_NEWIPC)) {
+ if (unshare(CLONE_NEWIPC) < 0) + try_unshare(CLONE_NEWIPC, "ipc namespace");
+ bail("unshare ipc failed");
+ } + }
+ +
/* write_log(DEBUG, "signal completion to stage-0");
* Wait until our topmost parent has finished cgroup setup in s = SYNC_CHILD_FINISH;
* p.manager.Apply(). if (write(syncfd, &s, sizeof(s)) != sizeof(s))
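Review bot: The test `(config.cloneflags & CLONE_NEWUSER) && (config.cloneflags & CLONE_NEWIPC)` is written out twice in nsexec(), once where CLONE_NEWIPC is masked out of `apply_cloneflags` and again before `try_unshare(CLONE_NEWIPC, "ipc namespace")`, and neither site carries a comment saying why the IPC namespace is held back. Because this carried patch has to be re-fitted on every runc bump, the two sites should not be able to drift apart; computing the condition once, e.g. `int delay_ipcns = (config.cloneflags & CLONE_NEWUSER) && (config.cloneflags & CLONE_NEWIPC);`, and testing `delay_ipcns` at both places would prevent that. A comment at the late call such as `/* ipcns is unshared late so that mqueue is set up as container root and can take the container SELinux label */` would record the intent given in the patch description. Between the two calls the process presumably still sits in the caller's IPC namespace, which is worth stating in the same comment so a later rebase does not move namespace-sensitive work into that window. nsexec() starts and ends outside the hunks shown.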