diff --git a/.gitignore b/.gitignore
index 3560535..34e4076 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@
 /runc-04f275d.tar.gz
 /runc-47ea5c7.tar.gz
 /runc-c91b5be.tar.gz
+/runc-75f8da7.tar.gz
diff --git a/0001-Set-init-processes-as-non-dumpable.patch b/0001-Set-init-processes-as-non-dumpable.patch
deleted file mode 100644
index 937ba38..0000000
--- a/0001-Set-init-processes-as-non-dumpable.patch
+++ /dev/null
@@ -1,111 +0,0 @@
-From 50a19c6ff828c58e5dab13830bd3dacde268afe5 Mon Sep 17 00:00:00 2001
-From: Michael Crosby
-Date: Wed, 7 Dec 2016 15:05:51 -0800
-Subject: [PATCH] Set init processes as non-dumpable
-
-This sets the init processes that join and setup the container's
-namespaces as non-dumpable before they setns to the container's pid (or
-any other ) namespace.
-
-This settings is automatically reset to the default after the Exec in
-the container so that it does not change functionality for the
-applications that are running inside, just our init processes.
-
-This prevents parent processes, the pid 1 of the container, to ptrace
-the init process before it drops caps and other sets LSMs.
-
-This patch also ensures that the stateDirFD being used is still closed
-prior to exec, even though it is set as O_CLOEXEC, because of the order
-in the kernel.
-
-https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
-
-The order during the exec syscall is that the process is set back to
-dumpable before O_CLOEXEC are processed.
-
-Signed-off-by: Michael Crosby
----
- libcontainer/init_linux.go | 3 ++-
- libcontainer/nsenter/nsexec.c | 5 +++++
- libcontainer/setns_init_linux.go | 7 ++++++-
- libcontainer/standard_init_linux.go | 3 +++
- 4 files changed, 16 insertions(+), 2 deletions(-)
-
-diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
-index b1e6762..4043d51 100644
---- a/libcontainer/init_linux.go
-+++ b/libcontainer/init_linux.go
-@@ -77,7 +77,8 @@ func newContainerInit(t initType, pipe *os.File, stateDirFD int) (initer, error)
- switch t {
- case initSetns:
- return &linuxSetnsInit{
-- config: config,
-+ config: config,
-+ stateDirFD: stateDirFD,
- }, nil
- case initStandard:
- return &linuxStandardInit{
-diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
-index b93f827..4b5398b 100644
---- a/libcontainer/nsenter/nsexec.c
-+++ b/libcontainer/nsenter/nsexec.c
-@@ -408,6 +408,11 @@ void nsexec(void)
- if (pipenum == -1)
- return;
- 
-+ /* make the process non-dumpable */
-+ if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) {
-+ bail("failed to set process as non-dumpable");
-+ }
-+
- /* Parse all of the netlink configuration. */
- nl_parse(pipenum, &config);
- 
-diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go
-index 2a8f345..7f5f182 100644
---- a/libcontainer/setns_init_linux.go
-+++ b/libcontainer/setns_init_linux.go
-@@ -5,6 +5,7 @@ package libcontainer
- import (
- "fmt"
- "os"
-+ "syscall"
- 
- "github.com/opencontainers/runc/libcontainer/apparmor"
- "github.com/opencontainers/runc/libcontainer/keys"
-@@ -16,7 +17,8 @@ import (
- // linuxSetnsInit performs the container's initialization for running a new process
- // inside an existing container.
- type linuxSetnsInit struct {
-- config *initConfig
-+ config *initConfig
-+ stateDirFD int
- }
- 
- func (l *linuxSetnsInit) getSessionRingName() string {
-@@ -49,5 +51,8 @@ func (l *linuxSetnsInit) Init() error {
- if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil {
- return err
- }
-+ // close the statedir fd before exec because the kernel resets dumpable in the wrong order
-+ // https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
-+ syscall.Close(l.stateDirFD)
- return system.Execv(l.config.Args[0], l.config.Args[0:], os.Environ())
- }
-diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
-index 2104f1a..6a65154 100644
---- a/libcontainer/standard_init_linux.go
-+++ b/libcontainer/standard_init_linux.go
-@@ -171,6 +171,9 @@ func (l *linuxStandardInit) Init() error {
- return newSystemErrorWithCause(err, "init seccomp")
- }
- }
-+ // close the statedir fd before exec because the kernel resets dumpable in the wrong order
-+ // https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
-+ syscall.Close(l.stateDirFD)
- if err := syscall.Exec(name, l.config.Args[0:], os.Environ()); err != nil {
- return newSystemErrorWithCause(err, "exec user process")
- }
---
-2.11.0
-
diff --git a/runc.spec b/runc.spec
index 8c7a25c..e6a53e9 100644
--- a/runc.spec
+++ b/runc.spec
@@ -26,27 +26,27 @@
 # https://github.com/opencontainers/runc
 %global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
 %global import_path %{provider_prefix}
-%global commit c91b5bea4830a57eac7882d7455d59518cdf70ec
-%global shortcommit %(c=%{commit}; echo ${c:0:7})
+%global git0 https://github.com/opencontainers/runc
+%global commit0 75f8da7c889acc4509a0cf6f0d3a8f9584778375
+%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 
 Name: %{repo}
 %if 0%{?fedora} || 0%{?rhel} == 6
 Epoch: 1
 %endif
 Version: 1.0.0
-Release: 5.rc2.git%{shortcommit}%{?dist}.1
+Release: 6.git%{shortcommit0}%{?dist}.1
 Summary: CLI for running Open Containers
 License: ASL 2.0
-URL: https://%{provider_prefix}
-Source0: https://%{provider_prefix}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz
-Patch0: 0001-Set-init-processes-as-non-dumpable.patch
+URL: %{git0}
+Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 
 # e.g. el6 has ppc64 arch without gcc-go, so EA tag is required
 #ExclusiveArch: %%{?go_arches:%%{go_arches}}%%{!?go_arches:%%{ix86} x86_64 %{arm}}
 ExclusiveArch: %{ix86} x86_64 %{arm} aarch64 ppc64le %{mips} s390x
 
 # If go_compiler is not set to 1, there is no virtual provide. Use golang instead.
 BuildRequires: %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang}
-
+BuildRequires: git
 BuildRequires: pkgconfig(libseccomp)
 BuildRequires: go-md2man
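Review bot: The removal of `Patch0: 0001-Set-init-processes-as-non-dumpable.patch` is not explained anywhere in this commit — that patch is the downstream hardening that marks the runc init processes non-dumpable so a container's pid 1 cannot ptrace them before they drop capabilities and apply LSM labels, and neither the spec nor the new changelog entry says why it is gone. If the fix is already in upstream commit 75f8da7 (it appears to be, since the patch is dated December 2016 and rc3 came later, but confirm against the tarball), record that in the changelog: `- drop 0001-Set-init-processes-as-non-dumpable.patch, merged upstream in rc3`. If it is not, dropping it is a security regression rather than a cleanup. Separately, `Release: 6.git%{shortcommit0}%{?dist}.1` loses the pre-release marker the previous `5.rc2.git%{shortcommit}` carried, so the NVR no longer shows that 1.0.0 is still a release candidate; consider `Release: 6.rc3.git%{shortcommit0}%{?dist}.1`.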
@@ -168,18 +168,17 @@ providing packages with %{import_path} prefix.
 %endif
 
 %prep
-%setup -q -n %{repo}-%{commit}
+%autosetup -Sgit -n %{name}-%{commit0}
 
 %build
-mkdir -p src/github.com/opencontainers
-ln -s ../../../ src/github.com/opencontainers/runc
-
-%if ! 0%{?with_bundled}
-export GOPATH=$(pwd):%{gopath}
-%else
-export GOPATH=$(pwd):$(pwd)/Godeps/_workspace:%{gopath}
-%endif
-
+mkdir -p GOPATH
+pushd GOPATH
+ mkdir -p src/%{provider}.%{provider_tld}/%{project}
+ ln -s $(dirs +1 -l) src/%{import_path}
+popd
+
+pushd GOPATH/src/%{import_path}
+export GOPATH=%{gopath}:$(pwd)/GOPATH
 BUILDTAGS="seccomp selinux"
 %if ! 0%{?gobuild:1}
 %define gobuild() go build -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n')" -a -v -x %{**};
@@ -297,6 +296,10 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/Godeps/_workspace:%{gopath}
 %endif
 
 %changelog
+* Fri Mar 24 2017 Lokesh Mandvekar - 1:1.0.0-6.git75f8da7
+- bump to v1.0.0-rc3
+- built opencontainers/v1.0.0-rc3 commit 75f8da7
+
 * Sat Feb 11 2017 Fedora Release Engineering - 1:1.0.0-5.rc2.gitc91b5be.1
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
 
diff --git a/sources b/sources
index 44062ab..46d0646 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (runc-c91b5be.tar.gz) = cfafaa9806e5304453b8f7137a507ab3a26a8efc3c87dcff77b72ad5eb9a5331b38bb8974b333b7026352cf5e6aa995fb5792af37078bff9be7c80a1d2cbf34d
+SHA512 (runc-75f8da7.tar.gz) = 8898a4c8c70fb409a0bf65436cc812ca3d190e1c206462ca9d4a1766a8abf7da61f3d219d83eb015167c146e04e8753e7da2c9cf0058bfdbe444bb5a3c2ca8df
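Review bot: `export GOPATH=%{gopath}:$(pwd)/GOPATH` in the %build hunk lists the system GOPATH ahead of the freshly unpacked tree, so if any `%{import_path}/...` package is already installed under %{gopath} in the buildroot (a runc -devel subpackage, for instance) the go tool would resolve the imports of libcontainer and friends to that copy instead of the checkout being built; the replaced `export GOPATH=$(pwd):%{gopath}` had the local tree first. Nothing in this spec BuildRequires such a package, so a clean mock chroot is most likely unaffected, but local-first is the safer default and also avoids `$(pwd)/GOPATH` only resolving by way of the symlink created a few lines above: set `export GOPATH=$(pwd)/GOPATH:%{gopath}` immediately before `pushd GOPATH/src/%{import_path}`. The function-context line of the later hunk, `export GOPATH=%{buildroot}/%{gopath}:$(pwd)/Godeps/_workspace:%{gopath}`, still names `Godeps/_workspace`, which the rewritten %build no longer sets up; that section is outside this hunk, but it is worth checking it still matches the rc3 source layout.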