runc-1:1.0.0-6.git75f8da7

- bump to v1.0.0-rc3 - built opencontainers/v1.0.0-rc3 commit 75f8da7 Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
2017-03-24 19:35:17 +05:30 · 2017-03-24 19:35:17 +05:30 · f46e0bb7d0
commit f46e0bb7d0
parent e4b1c7e75e
4 changed files with 21 additions and 128 deletions
--- a/.gitignore
+++ b/.gitignore
@ -2,3 +2,4 @@
 /runc-04f275d.tar.gz
 /runc-47ea5c7.tar.gz
 /runc-c91b5be.tar.gz
 /runc-75f8da7.tar.gz
--- a/0001-Set-init-processes-as-non-dumpable.patch
+++ b/0001-Set-init-processes-as-non-dumpable.patch
@ -1,111 +0,0 @@
 From 50a19c6ff828c58e5dab13830bd3dacde268afe5 Mon Sep 17 00:00:00 2001
 From: Michael Crosby <crosbymichael@gmail.com>
 Date: Wed, 7 Dec 2016 15:05:51 -0800
 Subject: [PATCH] Set init processes as non-dumpable
 This sets the init processes that join and setup the container's
 namespaces as non-dumpable before they setns to the container's pid (or
 any other ) namespace.
 This settings is automatically reset to the default after the Exec in
 the container so that it does not change functionality for the
 applications that are running inside, just our init processes.
 This prevents parent processes, the pid 1 of the container, to ptrace
 the init process before it drops caps and other sets LSMs.
 This patch also ensures that the stateDirFD being used is still closed
 prior to exec, even though it is set as O_CLOEXEC, because of the order
 in the kernel.
 https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
 The order during the exec syscall is that the process is set back to
 dumpable before O_CLOEXEC are processed.
 Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
 ---
 libcontainer/init_linux.go          | 3 ++-
 libcontainer/nsenter/nsexec.c       | 5 +++++
 libcontainer/setns_init_linux.go    | 7 ++++++-
 libcontainer/standard_init_linux.go | 3 +++
 4 files changed, 16 insertions(+), 2 deletions(-)
 diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
 index b1e6762..4043d51 100644
 --- a/libcontainer/init_linux.go
 +++ b/libcontainer/init_linux.go
@@ -77,7 +77,8 @@ func newContainerInit(t initType, pipe *os.File, stateDirFD int) (initer, error)
 	switch t {
 	case initSetns:
 		return &linuxSetnsInit{
 -			config: config,
 +			config:     config,
 +			stateDirFD: stateDirFD,
 		}, nil
 	case initStandard:
 		return &linuxStandardInit{
 diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
 index b93f827..4b5398b 100644
 --- a/libcontainer/nsenter/nsexec.c
 +++ b/libcontainer/nsenter/nsexec.c
@@ -408,6 +408,11 @@ void nsexec(void)
 	if (pipenum == -1)
 		return;
 +	/* make the process non-dumpable */
 +	if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) {
 +		bail("failed to set process as non-dumpable");
 +	}
 +
 	/* Parse all of the netlink configuration. */
 	nl_parse(pipenum, &config);
 diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go
 index 2a8f345..7f5f182 100644
 --- a/libcontainer/setns_init_linux.go
 +++ b/libcontainer/setns_init_linux.go
@@ -5,6 +5,7 @@ package libcontainer
 import (
 	"fmt"
 	"os"
 +	"syscall"
 	"github.com/opencontainers/runc/libcontainer/apparmor"
 	"github.com/opencontainers/runc/libcontainer/keys"
@@ -16,7 +17,8 @@ import (
 // linuxSetnsInit performs the container's initialization for running a new process
 // inside an existing container.
 type linuxSetnsInit struct {
 -	config *initConfig
 +	config     *initConfig
 +	stateDirFD int
 }
 func (l *linuxSetnsInit) getSessionRingName() string {
@@ -49,5 +51,8 @@ func (l *linuxSetnsInit) Init() error {
 	if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil {
 		return err
 	}
 +	// close the statedir fd before exec because the kernel resets dumpable in the wrong order
 +	// https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
 +	syscall.Close(l.stateDirFD)
 	return system.Execv(l.config.Args[0], l.config.Args[0:], os.Environ())
 }
 diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
 index 2104f1a..6a65154 100644
 --- a/libcontainer/standard_init_linux.go
 +++ b/libcontainer/standard_init_linux.go
@@ -171,6 +171,9 @@ func (l *linuxStandardInit) Init() error {
 			return newSystemErrorWithCause(err, "init seccomp")
 		}
 	}
 +	// close the statedir fd before exec because the kernel resets dumpable in the wrong order
 +	// https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
 +	syscall.Close(l.stateDirFD)
 	if err := syscall.Exec(name, l.config.Args[0:], os.Environ()); err != nil {
 		return newSystemErrorWithCause(err, "exec user process")
 	}
 -- 
 2.11.0
--- a/runc.spec
+++ b/runc.spec
@ -26,27 +26,27 @@
 # https://github.com/opencontainers/runc
 %global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
 %global import_path %{provider_prefix}
-%global commit c91b5bea4830a57eac7882d7455d59518cdf70ec
+%global git0 https://github.com/opencontainers/runc
-%global shortcommit %(c=%{commit}; echo ${c:0:7})
+%global commit0 75f8da7c889acc4509a0cf6f0d3a8f9584778375
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 Name: %{repo}
 %if 0%{?fedora} || 0%{?rhel} == 6
 Epoch: 1
 %endif
 Version: 1.0.0
-Release: 5.rc2.git%{shortcommit}%{?dist}.1
+Release: 6.git%{shortcommit0}%{?dist}.1
 Summary: CLI for running Open Containers
 License: ASL 2.0
-URL: https://%{provider_prefix}
+URL: %{git0}
-Source0: https://%{provider_prefix}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz
+Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Patch0: 0001-Set-init-processes-as-non-dumpable.patch
 # e.g. el6 has ppc64 arch without gcc-go, so EA tag is required
 #ExclusiveArch: %%{?go_arches:%%{go_arches}}%%{!?go_arches:%%{ix86} x86_64 %{arm}}
 ExclusiveArch: %{ix86} x86_64 %{arm} aarch64 ppc64le %{mips} s390x
 # If go_compiler is not set to 1, there is no virtual provide. Use golang instead.
 BuildRequires: %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang}
-
+BuildRequires: git
 BuildRequires: pkgconfig(libseccomp)
 BuildRequires: go-md2man
@ -168,18 +168,17 @@ providing packages with %{import_path} prefix.
 %endif
 %prep
-%setup -q -n %{repo}-%{commit}
+%autosetup -Sgit -n %{name}-%{commit0}
 %build
-mkdir -p src/github.com/opencontainers
+mkdir -p GOPATH
-ln -s ../../../ src/github.com/opencontainers/runc
+pushd GOPATH
-
+    mkdir -p src/%{provider}.%{provider_tld}/%{project}
-%if ! 0%{?with_bundled}
+    ln -s $(dirs +1 -l) src/%{import_path}
-export GOPATH=$(pwd):%{gopath}
+popd
 %else
 export GOPATH=$(pwd):$(pwd)/Godeps/_workspace:%{gopath}
 %endif
 pushd GOPATH/src/%{import_path}
 export GOPATH=%{gopath}:$(pwd)/GOPATH
 BUILDTAGS="seccomp selinux"
 %if ! 0%{?gobuild:1}
 %define gobuild() go build -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n')" -a -v -x %{**};
@ -297,6 +296,10 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/Godeps/_workspace:%{gopath}
 %endif
 %changelog
 * Fri Mar 24 2017 Lokesh Mandvekar <lsm5@fedoraproject.org> - 1:1.0.0-6.git75f8da7
 - bump to v1.0.0-rc3
 - built opencontainers/v1.0.0-rc3 commit 75f8da7
 * Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.0.0-5.rc2.gitc91b5be.1
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (runc-c91b5be.tar.gz) = cfafaa9806e5304453b8f7137a507ab3a26a8efc3c87dcff77b72ad5eb9a5331b38bb8974b333b7026352cf5e6aa995fb5792af37078bff9be7c80a1d2cbf34d
+SHA512 (runc-75f8da7.tar.gz) = 8898a4c8c70fb409a0bf65436cc812ca3d190e1c206462ca9d4a1766a8abf7da61f3d219d83eb015167c146e04e8753e7da2c9cf0058bfdbe444bb5a3c2ca8df
`@ -1 +1 @@`
	`SHA512 (runc-c91b5be.tar.gz) = cfafaa9806e5304453b8f7137a507ab3a26a8efc3c87dcff77b72ad5eb9a5331b38bb8974b333b7026352cf5e6aa995fb5792af37078bff9be7c80a1d2cbf34d`	`SHA512 (runc-75f8da7.tar.gz) = 8898a4c8c70fb409a0bf65436cc812ca3d190e1c206462ca9d4a1766a8abf7da61f3d219d83eb015167c146e04e8753e7da2c9cf0058bfdbe444bb5a3c2ca8df`