Merge pull request #1055 from kinvolk/iaguis/remove-nnp-patch

sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc95.ebuild

@@ -42,8 +42,6 @@ src_unpack() {
 
 PATCHES=(
 	"${FILESDIR}/0001-Delay-unshare-of-clone-newipc-for-selinux.patch"
-	"${FILESDIR}/0002-temporarily-disable-selinux.GetEnabled-error-checks.patch"
-	"${FILESDIR}/0003-libcontainer-disable-prctl-with-NoNewPrivileges.patch"
 )
 
 src_compile() {

sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0002-temporarily-disable-selinux.GetEnabled-error-checks.patch

@@ -1,58 +0,0 @@
-From 7264883458e7bdcd23152495ac141a24d17b8db9 Mon Sep 17 00:00:00 2001
-Message-Id: <7264883458e7bdcd23152495ac141a24d17b8db9.1564136934.git.dongsu@kinvolk.io>
-From: Dongsu Park <dongsu@kinvolk.io>
-Date: Fri, 26 Jul 2019 12:19:37 +0200
-Subject: [PATCH] temporarily disable selinux.GetEnabled() error checks
-
----
- libcontainer/configs/validate/validator.go | 4 ----
- utils_linux.go                             | 4 ----
- 2 files changed, 8 deletions(-)
-
-diff --git a/libcontainer/configs/validate/validator.go b/libcontainer/configs/validate/validator.go
-index 3b42f301..bace067d 100644
---- a/libcontainer/configs/validate/validator.go
-+++ b/libcontainer/configs/validate/validator.go
-@@ -8,7 +8,6 @@ import (
- 	"github.com/opencontainers/runc/libcontainer/cgroups"
- 	"github.com/opencontainers/runc/libcontainer/configs"
- 	"github.com/opencontainers/runc/libcontainer/intelrdt"
--	selinux "github.com/opencontainers/selinux/go-selinux"
- 	"golang.org/x/sys/unix"
- )
- 
-@@ -99,9 +98,6 @@ func (v *ConfigValidator) security(config *configs.Config) error {
- 		!config.Namespaces.Contains(configs.NEWNS) {
- 		return errors.New("unable to restrict sys entries without a private MNT namespace")
- 	}
--	if config.ProcessLabel != "" && !selinux.GetEnabled() {
--		return errors.New("selinux label is specified in config, but selinux is disabled or not supported")
--	}
- 
- 	return nil
- }
-diff --git a/utils_linux.go b/utils_linux.go
-index b05e7b60..ce50db14 100644
---- a/utils_linux.go
-+++ b/utils_linux.go
-@@ -17,7 +17,6 @@ import (
- 	"github.com/opencontainers/runc/libcontainer/specconv"
- 	"github.com/opencontainers/runc/libcontainer/utils"
- 	"github.com/opencontainers/runtime-spec/specs-go"
--	selinux "github.com/opencontainers/selinux/go-selinux"
- 
- 	"github.com/coreos/go-systemd/v22/activation"
- 	"github.com/pkg/errors"
-@@ -388,9 +387,6 @@ func validateProcessSpec(spec *specs.Process) error {
- 	if len(spec.Args) == 0 {
- 		return errors.New("args must not be empty")
- 	}
--	if spec.SelinuxLabel != "" && !selinux.GetEnabled() {
--		return errors.New("selinux label is specified in config, but selinux is disabled or not supported")
--	}
- 	return nil
- }
- 
--- 
-2.21.0
-

sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0003-libcontainer-disable-prctl-with-NoNewPrivileges.patch

@@ -1,55 +0,0 @@
-From 657e01b0d909cce33bc5176e5ef618e039ba187f Mon Sep 17 00:00:00 2001
-Message-Id: <657e01b0d909cce33bc5176e5ef618e039ba187f.1614603215.git.dongsu@kinvolk.io>
-From: Dongsu Park <dongsu@kinvolk.io>
-Date: Fri, 26 Feb 2021 15:51:04 +0100
-Subject: [PATCH] libcontainer: disable prctl with NoNewPrivileges
-
-Temporarily disable Prctl and InitSeccomp for NoNewPrivileges, to be able
-to make docker/runc work with "--security-opt=no-new-privileges".
-
-So far it has worked without disabling NoNewPrivileges until runc 1.0.0-rc92,
-which allowed the "selinux" build tag. Since runc 1.0.0-rc93, however,
-the selinux build tag is now gone, so selinux is always enabled.
-That's why `docker run --security-opt=no-new-privileges` failed.
-
-Until we could figure out its real reason, let's temporarily disable
-NoNewPrivileges to make the CI pass.
-
----
- libcontainer/standard_init_linux.go | 13 -------------
- 1 file changed, 13 deletions(-)
-
-diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
-index 7ec506c4..fc4121a9 100644
---- a/libcontainer/standard_init_linux.go
-+++ b/libcontainer/standard_init_linux.go
-@@ -135,11 +135,6 @@ func (l *linuxStandardInit) Init() error {
- 	if err != nil {
- 		return errors.Wrap(err, "get pdeath signal")
- 	}
--	if l.config.NoNewPrivileges {
--		if err := unix.Prctl(unix.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
--			return errors.Wrap(err, "set nonewprivileges")
--		}
--	}
- 	// Tell our parent that we're ready to Execv. This must be done before the
- 	// Seccomp rules have been applied, because we need to be able to read and
- 	// write to a socket.
-@@ -199,14 +194,6 @@ func (l *linuxStandardInit) Init() error {
- 	// since been resolved.
- 	// https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
- 	unix.Close(l.fifoFd)
--	// Set seccomp as close to execve as possible, so as few syscalls take
--	// place afterward (reducing the amount of syscalls that users need to
--	// enable in their seccomp profiles).
--	if l.config.Config.Seccomp != nil && l.config.NoNewPrivileges {
--		if err := seccomp.InitSeccomp(l.config.Config.Seccomp); err != nil {
--			return newSystemErrorWithCause(err, "init seccomp")
--		}
--	}
- 
- 	s := l.config.SpecState
- 	s.Pid = unix.Getpid()
--- 
-2.29.2
-

sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.service

@@ -8,7 +8,6 @@ Requires=containerd.service docker.socket
 [Service]
 Type=notify
 EnvironmentFile=-/run/flannel/flannel_docker_opts.env
-Environment=DOCKER_SELINUX=--selinux-enabled=true
 
 # the default is not to use systemd for cgroups because the delegate issues still
 # exists and systemd currently does not support the cgroup feature set required