app-emulation/docker-runc: adjust patches for 1.0.0-rc95

Dongsu Park 2021-05-20 13:42:52 +02:00
parent b02b5cd0e6
commit 63031a2ebc
2 changed files with 8 additions and 7 deletions


@ -21,6 +21,7 @@ index 0ad68834..5100698a 100644
* some old kernel versions where clone(CLONE_PARENT | CLONE_NEWPID)
* was broken, so we'll just do it the long way anyway.
*/
write_log(DEBUG, "unshare remaining namespace (except cgroupns)");
- if (unshare(config.cloneflags & ~CLONE_NEWCGROUP) < 0)
+ uint32_t apply_cloneflags = config.cloneflags;
+ if ((config.cloneflags & CLONE_NEWUSER) && (config.cloneflags & CLONE_NEWIPC)) {
@ -28,7 +29,7 @@ index 0ad68834..5100698a 100644
+ }
+
+ if (unshare(apply_cloneflags & ~CLONE_NEWCGROUP) < 0)
bail("failed to unshare namespaces");
bail("failed to unshare remaining namespaces (except cgroupns)");
/*
@@ -841,6 +846,11 @@ void nsexec(void)
@ -40,6 +41,6 @@ index 0ad68834..5100698a 100644
+ bail("unshare ipc failed");
+ }
+
/* ... wait until our topmost parent has finished cgroup setup in p.manager.Apply() ... */
if (config.cloneflags & CLONE_NEWCGROUP) {
uint8_t value;
/*
* Wait until our topmost parent has finished cgroup setup in
* p.manager.Apply().
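Review bot: The diagnostics around the first unshare no longer describe what the patched call does. The context lines `write_log(DEBUG, "unshare remaining namespace (except cgroupns)")` and `bail("failed to unshare remaining namespaces (except cgroupns)")` name only cgroupns, while the call now passes `apply_cloneflags`; judging from the separate `unshare ipc failed` branch further down, that value appears to have CLONE_NEWIPC masked out when CLONE_NEWUSER is also set (the body of that check is not shown on this page). A failed container start would then log a namespace set that differs from the one actually requested, which makes namespace-isolation problems harder to triage. I would add a comment above `uint32_t apply_cloneflags = config.cloneflags;`, for example `/* the IPC namespace is unshared separately further down when a user namespace is also requested */`, and bring the later message in line with the surrounding wording, e.g. `bail("failed to unshare ipc namespace");`. nsexec() begins and ends outside these hunks, so the ordering of the two unshare calls relative to the user-namespace setup should be checked against the full file.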


@ -14,7 +14,7 @@ index 3b42f301..bace067d 100644
--- a/libcontainer/configs/validate/validator.go
+++ b/libcontainer/configs/validate/validator.go
@@ -8,7 +8,6 @@ import (
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/configs"
"github.com/opencontainers/runc/libcontainer/intelrdt"
- selinux "github.com/opencontainers/selinux/go-selinux"
@ -23,7 +23,7 @@ index 3b42f301..bace067d 100644
@@ -99,9 +98,6 @@ func (v *ConfigValidator) security(config *configs.Config) error {
!config.Namespaces.Contains(configs.NEWNS) {
return fmt.Errorf("unable to restrict sys entries without a private MNT namespace")
return errors.New("unable to restrict sys entries without a private MNT namespace")
}
- if config.ProcessLabel != "" && !selinux.GetEnabled() {
- return errors.New("selinux label is specified in config, but selinux is disabled or not supported")
@ -45,7 +45,7 @@ index b05e7b60..ce50db14 100644
"github.com/pkg/errors"
@@ -388,9 +387,6 @@ func validateProcessSpec(spec *specs.Process) error {
if len(spec.Args) == 0 {
return fmt.Errorf("args must not be empty")
return errors.New("args must not be empty")
}
- if spec.SelinuxLabel != "" && !selinux.GetEnabled() {
- return errors.New("selinux label is specified in config, but selinux is disabled or not supported")