From b966faf70a419c2d01b55c8442994bf2268b09f1 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Thu, 4 Feb 2021 07:55:42 +0000 Subject: [PATCH 1/3] app-emulation: Upgrade Runc 1.0.0_rc92 to 1.0.0_rc93 --- .../app-emulation/containerd/containerd-9999.ebuild | 2 +- .../coreos-overlay/app-emulation/docker-runc/Manifest | 2 +- ...runc-1.0.0_rc92.ebuild => docker-runc-1.0.0_rc93.ebuild} | 6 +++--- .../coreos-overlay/app-emulation/docker/docker-9999.ebuild | 2 +- .../coreos-overlay/app-torcx/docker/docker-19.03.ebuild | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) rename sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/{docker-runc-1.0.0_rc92.ebuild => docker-runc-1.0.0_rc93.ebuild} (92%) diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/containerd-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/containerd-9999.ebuild index 96ddc07898..d7970325d7 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/containerd-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/containerd-9999.ebuild @@ -29,7 +29,7 @@ SLOT="0" IUSE="+btrfs hardened" DEPEND="btrfs? ( sys-fs/btrfs-progs )" -RDEPEND="~app-emulation/docker-runc-1.0.0_rc92 +RDEPEND="~app-emulation/docker-runc-1.0.0_rc93 sys-libs/libseccomp" S=${WORKDIR}/${P}/src/${COREOS_GO_PACKAGE} diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/Manifest b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/Manifest index 1c5718f315..c766b937d6 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/Manifest 
@@ -1,2 +1,2 @@ DIST docker-runc-1.0.0_rc2_p136.tar.gz 561705 BLAKE2B 4dd5dc689db1ac632bf10a5060f5681c7e44716caf8d3730683aad9df29c7b2628fa9e7253d86d87e9dfd7d27b545713154fa0f2984ca52908b16ab089be5646 SHA512 6052b95042082c3345caf25d3646f47b82c151ff3aca2ca4510dbf72ee80056d8c4077f2a1b48a9f4178c41185835ff51461e52ad47969534ea6febf7cac74f1 -DIST docker-runc-1.0.0_rc92.tar.gz 2063336 BLAKE2B ca28d520107ddf66f4657ab6b7c61f40a0d1e0eb9b926412cdc49ba40100de1487fdc89c756b703b6fafd66a6a8f730e1abeb39383c0a968f5240952e3831193 SHA512 ed3bd916656b6d5d2aa8c799a4e960b0986bf0925a837ee3d29cf970f0844030ba9786f9deb462cce921c423977a44cbfbe7bce6ed4ec2247e66951c9ac5466c +DIST docker-runc-1.0.0_rc93.tar.gz 2134218 BLAKE2B 95a35d3a60027545700d2c1983bf9e8b6adbdb1b5c1a0e1af0c2a023b49b67991a1b8135ead511f32c66f12992f008172281106f162224db93a052deb3330e5e SHA512 658c28d10f49fd3db4944eecf33772bf0eefab7af4f0c71917f7d660a29152d723fbbb13c1681efd5c3f5f6fb87705733d212b092a3e2b9b26d8506c32482523 diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc92.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc93.ebuild similarity index 92% rename from sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc92.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc93.ebuild index f33b139565..f2f62290b8 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc92.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc93.ebuild 
@@ -11,8 +11,8 @@ COREOS_GO_VERSION="go1.13" # Update the patch number when this commit is changed (i.e. the _p in the ebuild). # The patch version is arbitrarily the number of commits since the tag version # specified in the ebuild name. For example: -# $ git log --oneline v1.0.0-rc92..${COMMIT_ID} | wc -l -COMMIT_ID="3d68c79de7184b0eba97946d4f478736f46bf207" +# $ git log --oneline v1.0.0-rc93..${COMMIT_ID} | wc -l +COMMIT_ID="c0eb97855bea6ac7ded4bd6050a108d12f662418" inherit eutils flag-o-matic coreos-go vcs-snapshot @@ -60,7 +60,7 @@ src_compile() { ) GOPATH="${WORKDIR}/${P}" emake BUILDTAGS="${options[*]}" \ - VERSION=1.0.0-rc92+dev.docker-19.03 \ + VERSION=1.0.0-rc93+dev.docker-19.03 \ COMMIT="${COMMIT_ID}" } diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild index 1bb9b337f8..7e9354c4e0 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild @@ -65,7 +65,7 @@ RDEPEND=" >=app-arch/xz-utils-4.9 dev-libs/libltdl ~app-emulation/containerd-1.1.2 - ~app-emulation/docker-runc-1.0.0_rc92[apparmor?,seccomp?] + ~app-emulation/docker-runc-1.0.0_rc93[apparmor?,seccomp?] ~app-emulation/docker-proxy-0.8.0_p20180709 container-init? ( >=sys-process/tini-0.18.0 ) " diff --git a/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-19.03.ebuild b/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-19.03.ebuild index 9d627767c8..e06c3cfd58 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-19.03.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-19.03.ebuild 
@@ -14,7 +14,7 @@ RDEPEND=" ~app-emulation/docker-19.03.15 ~app-emulation/containerd-1.4.3 ~app-emulation/docker-proxy-0.8.0_p20180709 - ~app-emulation/docker-runc-1.0.0_rc92 + ~app-emulation/docker-runc-1.0.0_rc93 =dev-libs/libltdl-2.4.6 =sys-process/tini-0.18.0 " From 3d6a652669f747a6fd54b5937de4ed5167a463fe Mon Sep 17 00:00:00 2001 From: Dongsu Park Date: Fri, 5 Feb 2021 12:08:29 +0100 Subject: [PATCH 2/3] app-emulation/docker-runc: adjust Flatcar patch for 1.0.0-rc93 A Flatcar patch for docker-runc cannot be applied to 1.0.0-rc93. We need to adjust to build docker-runc 1.0.0-rc93. --- ...01-temporarily-disable-selinux.GetEnabled-error-checks.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0001-temporarily-disable-selinux.GetEnabled-error-checks.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0001-temporarily-disable-selinux.GetEnabled-error-checks.patch index 886ab1f635..0f7756cf18 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0001-temporarily-disable-selinux.GetEnabled-error-checks.patch +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0001-temporarily-disable-selinux.GetEnabled-error-checks.patch @@ -18,9 +18,9 @@ index 3b42f301..bace067d 100644 "github.com/opencontainers/runc/libcontainer/configs" "github.com/opencontainers/runc/libcontainer/intelrdt" - selinux "github.com/opencontainers/selinux/go-selinux" + "golang.org/x/sys/unix" ) - type Validator interface { @@ -99,9 +98,6 @@ func (v *ConfigValidator) security(config *configs.Config) error { !config.Namespaces.Contains(configs.NEWNS) { return fmt.Errorf("unable to restrict sys entries without a private MNT namespace") From 18630b721889b940bb05d0d79eee3ed91b2236f3 Mon Sep 17 00:00:00 2001 
From: Dongsu Park Date: Mon, 1 Mar 2021 14:01:48 +0100 Subject: [PATCH 3/3] app-emulation/docker-runc: disable NoNewPrivileges options Temporarily disable Prctl and InitSeccomp for NoNewPrivileges, to be able to make docker/runc work with "--security-opt=no-new-privileges". So far it has worked without disabling NoNewPrivileges until runc 1.0.0-rc92, which allowed the "selinux" build tag. Since runc 1.0.0-rc93, however, the selinux build tag is now gone, so selinux is always enabled. That's why `docker run --security-opt=no-new-privileges` failed. Until we could figure out its real reason, let's temporarily disable NoNewPrivilges to make the CI pass. --- .../docker-runc/docker-runc-1.0.0_rc93.ebuild | 3 +- ...ble-selinux.GetEnabled-error-checks.patch} | 0 ...r-disable-prctl-with-NoNewPrivileges.patch | 55 +++++++++++++++++++ 3 files changed, 57 insertions(+), 1 deletion(-) rename sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/{0001-temporarily-disable-selinux.GetEnabled-error-checks.patch => 0002-temporarily-disable-selinux.GetEnabled-error-checks.patch} (100%) create mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0003-libcontainer-disable-prctl-with-NoNewPrivileges.patch diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc93.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc93.ebuild index f2f62290b8..d7dcdea583 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc93.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc93.ebuild 
@@ -42,7 +42,8 @@ src_unpack() { PATCHES=( "${FILESDIR}/0001-Delay-unshare-of-clone-newipc-for-selinux.patch" - "${FILESDIR}/0001-temporarily-disable-selinux.GetEnabled-error-checks.patch" + "${FILESDIR}/0002-temporarily-disable-selinux.GetEnabled-error-checks.patch" + "${FILESDIR}/0003-libcontainer-disable-prctl-with-NoNewPrivileges.patch" ) src_compile() { diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0001-temporarily-disable-selinux.GetEnabled-error-checks.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0002-temporarily-disable-selinux.GetEnabled-error-checks.patch similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0001-temporarily-disable-selinux.GetEnabled-error-checks.patch rename to sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0002-temporarily-disable-selinux.GetEnabled-error-checks.patch diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0003-libcontainer-disable-prctl-with-NoNewPrivileges.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0003-libcontainer-disable-prctl-with-NoNewPrivileges.patch new file mode 100644 index 0000000000..b720280147 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0003-libcontainer-disable-prctl-with-NoNewPrivileges.patch 
@@ -0,0 +1,55 @@ +From 657e01b0d909cce33bc5176e5ef618e039ba187f Mon Sep 17 00:00:00 2001 +Message-Id: <657e01b0d909cce33bc5176e5ef618e039ba187f.1614603215.git.dongsu@kinvolk.io> +From: Dongsu Park +Date: Fri, 26 Feb 2021 15:51:04 +0100 +Subject: [PATCH] libcontainer: disable prctl with NoNewPrivileges + +Temporarily disable Prctl and InitSeccomp for NoNewPrivileges, to be able +to make docker/runc work with "--security-opt=no-new-privileges". + +So far it has worked without disabling NoNewPrivileges until runc 1.0.0-rc92, +which allowed the "selinux" build tag. Since runc 1.0.0-rc93, however, +the selinux build tag is now gone, so selinux is always enabled. +That's why `docker run --security-opt=no-new-privileges` failed. + +Until we could figure out its real reason, let's temporarily disable +NoNewPrivileges to make the CI pass. + +--- + libcontainer/standard_init_linux.go | 13 ------------- + 1 file changed, 13 deletions(-) + +diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go +index 7ec506c4..fc4121a9 100644 +--- a/libcontainer/standard_init_linux.go ++++ b/libcontainer/standard_init_linux.go +@@ -135,11 +135,6 @@ func (l *linuxStandardInit) Init() error { + if err != nil { + return errors.Wrap(err, "get pdeath signal") + } +- if l.config.NoNewPrivileges { +- if err := unix.Prctl(unix.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil { +- return errors.Wrap(err, "set nonewprivileges") +- } +- } + // Tell our parent that we're ready to Execv. This must be done before the + // Seccomp rules have been applied, because we need to be able to read and + // write to a socket. +@@ -199,14 +194,6 @@ func (l *linuxStandardInit) Init() error { + // since been resolved. 
+ // https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318 + unix.Close(l.fifoFd) +- // Set seccomp as close to execve as possible, so as few syscalls take +- // place afterward (reducing the amount of syscalls that users need to +- // enable in their seccomp profiles). +- if l.config.Config.Seccomp != nil && l.config.NoNewPrivileges { +- if err := seccomp.InitSeccomp(l.config.Config.Seccomp); err != nil { +- return newSystemErrorWithCause(err, "init seccomp") +- } +- } + + s := l.config.SpecState + s.Pid = unix.Getpid() +-- +2.29.2 +
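Review bot: The two deletions in this hunk turn `NoNewPrivileges` into a silent no-op: the `PR_SET_NO_NEW_PRIVS` prctl is removed, and the removed `seccomp.InitSeccomp` call was the one gated on `l.config.NoNewPrivileges`, so a container started with `--security-opt=no-new-privileges` keeps the ability to regain privileges through setuid binaries and file capabilities and, if the other `InitSeccomp` call in `Init` is conditioned on `!NoNewPrivileges` (it lies outside this hunk, so this is inferred), runs with no seccomp filter at all while the caller believes both were applied. A workaround that weakens policy should fail closed or at least be loud: rather than deleting the blocks, keep the field check and return an explicit error or emit a warning with whatever logger the file already has in scope, e.g. `// FLATCAR TEMPORARY: NoNewPrivileges is not enforced by this build, see <tracking issue>` — fill in the real issue — so operators and the CI can see that the requested policy is not being enforced. The commit message's explanation (the selinux build tag going away in rc93) does not obviously connect to the prctl path, so the ebuild side (the PATCHES hunk in the docker-runc-1.0.0_rc93.ebuild section) should also carry a comment marking 0003 as temporary together with the condition for dropping it. The enclosing `Init` method starts before and ends after the nested hunks shown here.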