Merge pull request #2557 from flatcar/runc-1.1.5-main

Upgrade Runc in main from 1.1.4 to 1.1.5
Dongsu Park 2023-04-12 08:57:20 +02:00 committed by GitHub
commit 5b3be7c4c8
7 changed files with 21 additions and 19 deletions


@ -29,7 +29,7 @@ SLOT="0"
IUSE="+btrfs hardened"
DEPEND="btrfs? ( sys-fs/btrfs-progs )"
RDEPEND="~app-emulation/docker-runc-1.1.4
RDEPEND="~app-emulation/docker-runc-1.1.5
sys-libs/libseccomp"
S=${WORKDIR}/${P}/src/${COREOS_GO_PACKAGE}


@ -1 +1 @@
DIST docker-runc-1.1.4.tar.gz 2337285 BLAKE2B b82beac54eb07cf0a657af910201fcff05579d7311bef9d07df1fc8b60fac2b9560b250366193f0f84319ced66bc3f1a1af1bb8a57233187e7ef77a7799b55e7 SHA512 c6665265369af843550181fe44217d0e4f5c3b019c47359bfe9db94dcbd1866c05756b09adea905437bbff8bcfd2b6b02185ca4e7f1d62ed3bf177118308e41a
DIST docker-runc-1.1.5.tar.gz 2337543 BLAKE2B ed2aed98c4e8fcfe7040772df9e090e38a95355bcfa2948030866b83b8097794df9e0ebe2bb1a99f5c63a6d5300493d67493018957f6116ee07d66872f87bef3 SHA512 8a4cde9a8aaa5e1f75ec6731b18f56aa34ab969246f4a8d6ebfea5d100b0c113553bec49f29b851129d371a13c803c1e86425779eb8d498dba588c63d2a2ac57


@ -8,7 +8,7 @@ COREOS_GO_PACKAGE="${GITHUB_URI}"
COREOS_GO_VERSION="go1.18"
# the commit of runc that docker uses.
# see https://github.com/docker/docker-ce/blob/v19.03.15/components/engine/hack/dockerfile/install/runc.installer#L4
COMMIT_ID="81a44cf162f4409cc6ff656e2433b87321bf8a7a"
COMMIT_ID="4ef48971e5d827018b74876a06e32ab7636f0a26"
inherit eutils flag-o-matic coreos-go vcs-snapshot
@ -55,7 +55,7 @@ src_compile() {
)
GOPATH="${WORKDIR}/${P}" emake BUILDTAGS="${options[*]}" \
VERSION=1.1.4+dev.docker-20.10 \
VERSION=1.1.5+dev.docker-20.10 \
COMMIT="${COMMIT_ID}"
}


@ -9,38 +9,38 @@ root. This allows us to apply the container SELinux label
to mqueue.
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
(dpark: Adjust the logic according to the new code of v1.1.5)
Signed-off-by: Dongsu Park <dpark@linux.microsoft.com>
---
libcontainer/nsenter/nsexec.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
index 0ad68834..5100698a 100644
index 2d224bab..4865261f 100644
--- a/libcontainer/nsenter/nsexec.c
+++ b/libcontainer/nsenter/nsexec.c
@@ -719,7 +719,12 @@ void nsexec(void)
@@ -1241,7 +1241,12 @@ void nsexec(void)
* some old kernel versions where clone(CLONE_PARENT | CLONE_NEWPID)
* was broken, so we'll just do it the long way anyway.
*/
write_log(DEBUG, "unshare remaining namespace (except cgroupns)");
- if (unshare(config.cloneflags & ~CLONE_NEWCGROUP) < 0)
- try_unshare(config.cloneflags & ~CLONE_NEWCGROUP, "remaining namespaces (except cgroupns)");
+ uint32_t apply_cloneflags = config.cloneflags;
+ if ((config.cloneflags & CLONE_NEWUSER) && (config.cloneflags & CLONE_NEWIPC)) {
+ apply_cloneflags &= ~CLONE_NEWIPC;
+ }
+
+ if (unshare(apply_cloneflags & ~CLONE_NEWCGROUP) < 0)
bail("failed to unshare remaining namespaces (except cgroupns)");
+ try_unshare(apply_cloneflags & ~CLONE_NEWCGROUP, "remaining namespaces (except cgroupns)");
/*
@@ -841,6 +846,11 @@ void nsexec(void)
bail("setgroups failed");
/* Ask our parent to send the mount sources fds. */
if (config.mountsources) {
@@ -1362,6 +1367,10 @@ void nsexec(void)
try_unshare(CLONE_NEWCGROUP, "cgroup namespace");
}
+ if ((config.cloneflags & CLONE_NEWUSER) && (config.cloneflags & CLONE_NEWIPC)) {
+ if (unshare(CLONE_NEWIPC) < 0)
+ bail("unshare ipc failed");
+ try_unshare(CLONE_NEWIPC, "ipc namespace");
+ }
+
/*
* Wait until our topmost parent has finished cgroup setup in
* p.manager.Apply().
write_log(DEBUG, "signal completion to stage-0");
s = SYNC_CHILD_FINISH;
if (write(syncfd, &s, sizeof(s)) != sizeof(s))
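Review bot: The reason CLONE_NEWIPC is stripped from `apply_cloneflags` when CLONE_NEWUSER is also set is not stated anywhere in the code; it lives only in this carried patch's description (letting the mqueue mount receive the container SELinux label), and the same two-flag condition is repeated verbatim at the second site after `try_unshare(CLONE_NEWCGROUP, "cgroup namespace");`, so a future rebase of this patch could drop or alter one site without anything flagging that the IPC namespace is then never unshared. I would add above `uint32_t apply_cloneflags = config.cloneflags;` the comment `/* With a user namespace, defer CLONE_NEWIPC until after the cgroupns unshare below so the mqueue mount gets the container SELinux label (see patch header). */` and, at the deferred `try_unshare(CLONE_NEWIPC, "ipc namespace");`, the comment `/* Deferred from the "remaining namespaces" unshare above; keep both conditions in sync. */`. Both hunks appear to sit in the same `nsexec()` stage, but its body begins and ends outside the hunks shown here, so whether a single named predicate could replace the duplicated condition cannot be confirmed from this view.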


@ -15,7 +15,7 @@ RDEPEND="
~app-emulation/docker-cli-20.10.23
~app-emulation/containerd-1.6.19
~app-emulation/docker-proxy-0.8.0_p20210525
~app-emulation/docker-runc-1.1.4
~app-emulation/docker-runc-1.1.5
=dev-libs/libltdl-2.4.7
~sys-process/tini-0.19.0
"


@ -0,0 +1 @@
- runc ([CVE-2023-25809](https://nvd.nist.gov/vuln/detail/CVE-2023-25809), [CVE-2023-27561](https://nvd.nist.gov/vuln/detail/CVE-2023-27561), [CVE-2023-28642](https://nvd.nist.gov/vuln/detail/CVE-2023-28642))


@ -0,0 +1 @@
- runc ([1.1.5](https://github.com/opencontainers/runc/releases/tag/v1.1.5))