diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0001-Delay-unshare-of-clone-newipc-for-selinux.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0001-Delay-unshare-of-clone-newipc-for-selinux.patch
index ea8c589c08..dba875395f 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0001-Delay-unshare-of-clone-newipc-for-selinux.patch
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0001-Delay-unshare-of-clone-newipc-for-selinux.patch
@@ -21,6 +21,7 @@ index 0ad68834..5100698a 100644
* some old kernel versions where clone(CLONE_PARENT | CLONE_NEWPID)
* was broken, so we'll just do it the long way anyway.
*/
+ write_log(DEBUG, "unshare remaining namespace (except cgroupns)");
- if (unshare(config.cloneflags & ~CLONE_NEWCGROUP) < 0)
+ uint32_t apply_cloneflags = config.cloneflags;
+ if ((config.cloneflags & CLONE_NEWUSER) && (config.cloneflags & CLONE_NEWIPC)) {
@@ -28,7 +29,7 @@ index 0ad68834..5100698a 100644
+ }
+
+ if (unshare(apply_cloneflags & ~CLONE_NEWCGROUP) < 0)
- bail("failed to unshare namespaces");
+ bail("failed to unshare remaining namespaces (except cgroupns)");
/*
@@ -841,6 +846,11 @@ void nsexec(void)
@@ -40,6 +41,6 @@ index 0ad68834..5100698a 100644
+ bail("unshare ipc failed");
+ }
+
- /* ... wait until our topmost parent has finished cgroup setup in p.manager.Apply() ... */
- if (config.cloneflags & CLONE_NEWCGROUP) {
- uint8_t value;
+ /*
+ * Wait until our topmost parent has finished cgroup setup in
+ * p.manager.Apply().
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0002-temporarily-disable-selinux.GetEnabled-error-checks.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0002-temporarily-disable-selinux.GetEnabled-error-checks.patch
index 0f7756cf18..d6f5abdbb0 100644
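Review bot: The rebased context line `write_log(DEBUG, "unshare remaining namespace (except cgroupns)");` now sits directly above the patch's own branch `if ((config.cloneflags & CLONE_NEWUSER) && (config.cloneflags & CLONE_NEWIPC)) {`, which appears to withhold CLONE_NEWIPC from `apply_cloneflags` on that path (the later hunk has a separate `bail("unshare ipc failed")`), so the debug trace and the `bail("failed to unshare remaining namespaces (except cgroupns)")` message in the following hunk no longer describe what is actually unshared there. Since the patch already diverges from upstream in this block, it could carry its own trace inside that branch, e.g. `write_log(DEBUG, "deferring ipc namespace unshare (userns requested)");`, so that the deferral is visible when debugging SELinux or namespace setup failures. The body of the branch and the enclosing nsexec stage lie outside this hunk.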
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0002-temporarily-disable-selinux.GetEnabled-error-checks.patch
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0002-temporarily-disable-selinux.GetEnabled-error-checks.patch
@@ -14,7 +14,7 @@ index 3b42f301..bace067d 100644
--- a/libcontainer/configs/validate/validator.go
+++ b/libcontainer/configs/validate/validator.go
@@ -8,7 +8,6 @@ import (
-
+ "github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/configs"
"github.com/opencontainers/runc/libcontainer/intelrdt"
- selinux "github.com/opencontainers/selinux/go-selinux"
@@ -23,7 +23,7 @@ index 3b42f301..bace067d 100644
@@ -99,9 +98,6 @@ func (v *ConfigValidator) security(config *configs.Config) error {
!config.Namespaces.Contains(configs.NEWNS) {
- return fmt.Errorf("unable to restrict sys entries without a private MNT namespace")
+ return errors.New("unable to restrict sys entries without a private MNT namespace")
}
- if config.ProcessLabel != "" && !selinux.GetEnabled() {
- return errors.New("selinux label is specified in config, but selinux is disabled or not supported")
@@ -45,7 +45,7 @@ index b05e7b60..ce50db14 100644
"github.com/pkg/errors"
@@ -388,9 +387,6 @@ func validateProcessSpec(spec *specs.Process) error {
if len(spec.Args) == 0 {
- return fmt.Errorf("args must not be empty")
+ return errors.New("args must not be empty")
}
- if spec.SelinuxLabel != "" && !selinux.GetEnabled() {
- return errors.New("selinux label is specified in config, but selinux is disabled or not supported")
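Review bot: The rebase keeps dropping the `if config.ProcessLabel != "" && !selinux.GetEnabled()` guard in `security()` (and the matching `spec.SelinuxLabel` guard in `validateProcessSpec` in the last hunk) without recording why the check is still disabled or what would allow the patch to be retired, even though the file name itself calls it temporary. With the guard gone, a config that requests an SELinux process label on a host where SELinux is disabled or unsupported will presumably pass validation and start without that label instead of failing fast, which is a silent downgrade that should be stated explicitly. Consider adding to the patch header (outside this hunk) a sentence such as `Why this is needed: <reason>; remove once <condition>, tracked in <reference>.` Both enclosing functions continue outside the hunks.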