app-emulation/docker-runc: adjust patches for 1.0.0-rc95

2025-08-20 05:51:18 +02:00 · 2021-05-20 13:42:52 +02:00 · 2021-05-20 13:42:52 +02:00 · 63031a2ebc
commit 63031a2ebc
parent b02b5cd0e6
2 changed files with 8 additions and 7 deletions
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0001-Delay-unshare-of-clone-newipc-for-selinux.patch
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0001-Delay-unshare-of-clone-newipc-for-selinux.patch
@ -21,6 +21,7 @@ index 0ad68834..5100698a 100644
 			 * some old kernel versions where clone(CLONE_PARENT | CLONE_NEWPID)
 			 * was broken, so we'll just do it the long way anyway.
 			 */
 			write_log(DEBUG, "unshare remaining namespace (except cgroupns)");
 -			if (unshare(config.cloneflags & ~CLONE_NEWCGROUP) < 0)
 +			uint32_t apply_cloneflags = config.cloneflags;
 +			if ((config.cloneflags & CLONE_NEWUSER) && (config.cloneflags & CLONE_NEWIPC)) {
@ -28,7 +29,7 @@ index 0ad68834..5100698a 100644
 +			}
 +
 +			if (unshare(apply_cloneflags & ~CLONE_NEWCGROUP) < 0)
- 				bail("failed to unshare namespaces");
+ 				bail("failed to unshare remaining namespaces (except cgroupns)");
 			/*
@@ -841,6 +846,11 @@ void nsexec(void)
@ -40,6 +41,6 @@ index 0ad68834..5100698a 100644
 +					bail("unshare ipc failed");
 +			}
 +
- 			/* ... wait until our topmost parent has finished cgroup setup in p.manager.Apply() ... */
+ 			/*
- 			if (config.cloneflags & CLONE_NEWCGROUP) {
+ 			 * Wait until our topmost parent has finished cgroup setup in
- 				uint8_t value;
+ 			 * p.manager.Apply().
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0002-temporarily-disable-selinux.GetEnabled-error-checks.patch
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0002-temporarily-disable-selinux.GetEnabled-error-checks.patch
@ -14,7 +14,7 @@ index 3b42f301..bace067d 100644
 --- a/libcontainer/configs/validate/validator.go
 +++ b/libcontainer/configs/validate/validator.go
@@ -8,7 +8,6 @@ import (
- 
+ 	"github.com/opencontainers/runc/libcontainer/cgroups"
 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/opencontainers/runc/libcontainer/intelrdt"
 -	selinux "github.com/opencontainers/selinux/go-selinux"
@ -23,7 +23,7 @@ index 3b42f301..bace067d 100644
@@ -99,9 +98,6 @@ func (v *ConfigValidator) security(config *configs.Config) error {
 		!config.Namespaces.Contains(configs.NEWNS) {
- 		return fmt.Errorf("unable to restrict sys entries without a private MNT namespace")
+ 		return errors.New("unable to restrict sys entries without a private MNT namespace")
 	}
 -	if config.ProcessLabel != "" && !selinux.GetEnabled() {
 -		return errors.New("selinux label is specified in config, but selinux is disabled or not supported")
@ -45,7 +45,7 @@ index b05e7b60..ce50db14 100644
 	"github.com/pkg/errors"
@@ -388,9 +387,6 @@ func validateProcessSpec(spec *specs.Process) error {
 	if len(spec.Args) == 0 {
- 		return fmt.Errorf("args must not be empty")
+ 		return errors.New("args must not be empty")
 	}
 -	if spec.SelinuxLabel != "" && !selinux.GetEnabled() {
 -		return errors.New("selinux label is specified in config, but selinux is disabled or not supported")