From 1816ba0e27d84da9ca85f8e647dd0019ff718b40 Mon Sep 17 00:00:00 2001
From: Dave Dykstra <2129743+DrDaveD@users.noreply.github.com>
Date: Feb 18 2020 23:18:30 +0000
Subject: update to 3.5.3-1.1


---

diff --git a/4974.patch b/4974.patch
deleted file mode 100644
index f0d9f89..0000000
--- a/4974.patch
+++ /dev/null
@@ -1,213 +0,0 @@
-From fd50472486365819fe95e164c4c67ecf0c5803b4 Mon Sep 17 00:00:00 2001
-From: Cedric Clerget <cedric.clerget@gmail.com>
-Date: Fri, 24 Jan 2020 15:52:08 +0100
-Subject: [PATCH] Fix a logic error when 'allow setuid = no' with a privileged
- installation was forced root user to always fallback to user namespace. Add
- CAP_SYS_ADMIN check for root user to automatically fallback to user namespace
- if the capability is missing.
-
----
- cmd/internal/cli/actions_linux.go     | 35 +++++++++++-----
- pkg/util/capabilities/process.go      | 58 +++++++++++++++++++++++++++
- pkg/util/capabilities/process_test.go | 51 +++++++++++++++++++++++
- 3 files changed, 134 insertions(+), 10 deletions(-)
- create mode 100644 pkg/util/capabilities/process.go
- create mode 100644 pkg/util/capabilities/process_test.go
-
-diff --git a/cmd/internal/cli/actions_linux.go b/cmd/internal/cli/actions_linux.go
-index 8cc823379e..1d68ae9876 100644
---- a/cmd/internal/cli/actions_linux.go
-+++ b/cmd/internal/cli/actions_linux.go
-@@ -33,9 +33,11 @@ import (
-	"github.com/sylabs/singularity/pkg/image/unpacker"
-	"github.com/sylabs/singularity/pkg/runtime/engine/config"
-	singularityConfig "github.com/sylabs/singularity/pkg/runtime/engine/singularity/config"
-+	"github.com/sylabs/singularity/pkg/util/capabilities"
-	"github.com/sylabs/singularity/pkg/util/crypt"
-	"github.com/sylabs/singularity/pkg/util/gpu"
-	"github.com/sylabs/singularity/pkg/util/namespaces"
-+	"golang.org/x/sys/unix"
- )
- 
- // EnsureRootPriv ensures that a command is executed with root privileges.
-@@ -216,23 +218,42 @@ func execStarter(cobraCmd *cobra.Command, image string, args []string, name stri
- 		engineConfig.SetImage(abspath)
- 	}
- 
-+	// privileged installation by default
- 	useSuid := true
- 
- 	// singularity was compiled with '--without-suid' option
- 	if buildcfg.SINGULARITY_SUID_INSTALL == 0 {
- 		useSuid = false
-+
-+		if !UserNamespace && uid != 0 {
-+			sylog.Verbosef("Unprivileged installation: using user namespace")
-+			UserNamespace = true
-+		}
- 	}
- 
- 	// use non privileged starter binary:
--	// - if we are the root user
--	// - if we are already running inside a user namespace
-+	// - if running as root
-+	// - if already running inside a user namespace
- 	// - if user namespace is requested
--	// - if 'allow setuid = no' is set in singularity.conf
-+	// - if running as user and 'allow setuid = no' is set in singularity.conf
- 	if uid == 0 || insideUserNs || UserNamespace || !engineConfig.File.AllowSetuid {
- 		useSuid = false
--		if buildcfg.SINGULARITY_SUID_INSTALL == 1 && !engineConfig.File.AllowSetuid {
-+
-+		// fallback to user namespace:
-+		// - for non root user with setuid installation and 'allow setuid = no'
-+		// - for root user without effective capability CAP_SYS_ADMIN
-+		if uid != 0 && buildcfg.SINGULARITY_SUID_INSTALL == 1 && !engineConfig.File.AllowSetuid {
- 			sylog.Verbosef("'allow setuid' set to 'no' by configuration, fallback to user namespace")
- 			UserNamespace = true
-+		} else if uid == 0 && !UserNamespace {
-+			caps, err := capabilities.GetProcessEffective()
-+			if err != nil {
-+				sylog.Fatalf("Could not get process effective capabilities: %s", err)
-+			}
-+			if caps&uint64(1<<unix.CAP_SYS_ADMIN) == 0 {
-+				sylog.Verbosef("Effective capability CAP_SYS_ADMIN is missing, fallback to user namespace")
-+				UserNamespace = true
-+			}
- 		}
- 	}
- 
-@@ -512,12 +533,6 @@ func execStarter(cobraCmd *cobra.Command, image string, args []string, name stri
- 	if IpcNamespace {
- 		generator.AddOrReplaceLinuxNamespace("ipc", "")
- 	}
--	if !UserNamespace && uid != 0 && buildcfg.SINGULARITY_SUID_INSTALL == 0 {
--		sylog.Verbosef("Unprivileged installation: using user namespace")
--		UserNamespace = true
--		useSuid = false
--	}
--
- 	if UserNamespace {
- 		generator.AddOrReplaceLinuxNamespace("user", "")
- 
-diff --git a/pkg/util/capabilities/process.go b/pkg/util/capabilities/process.go
-new file mode 100644
-index 0000000000..d3ab8feebb
---- /dev/null
-+++ b/pkg/util/capabilities/process.go
-@@ -0,0 +1,58 @@
-+// Copyright (c) 2020, Sylabs Inc. All rights reserved.
-+// This software is licensed under a 3-clause BSD license. Please consult the
-+// LICENSE.md file distributed with the sources of this project regarding your
-+// rights to use or distribute this software.
-+
-+package capabilities
-+
-+import (
-+	"fmt"
-+
-+	"golang.org/x/sys/unix"
-+)
-+
-+// getProcessCapabilities returns capabilities either effective,
-+// permitted or inheritable for the current process.
-+func getProcessCapabilities(capType string) (uint64, error) {
-+	var caps uint64
-+	var data [2]unix.CapUserData
-+	var header unix.CapUserHeader
-+
-+	header.Version = unix.LINUX_CAPABILITY_VERSION_3
-+
-+	if err := unix.Capget(&header, &data[0]); err != nil {
-+		return caps, fmt.Errorf("while getting capability: %s", err)
-+	}
-+
-+	switch capType {
-+	case Effective:
-+		caps = uint64(data[0].Effective)
-+		caps |= uint64(data[1].Effective) << 32
-+	case Permitted:
-+		caps = uint64(data[0].Permitted)
-+		caps |= uint64(data[1].Permitted) << 32
-+	case Inheritable:
-+		caps = uint64(data[0].Inheritable)
-+		caps |= uint64(data[1].Inheritable) << 32
-+	}
-+
-+	return caps, nil
-+}
-+
-+// GetProcessEffective returns effective capabilities for
-+// the current process.
-+func GetProcessEffective() (uint64, error) {
-+	return getProcessCapabilities(Effective)
-+}
-+
-+// GetProcessPermitted returns permitted capabilities for
-+// the current process.
-+func GetProcessPermitted() (uint64, error) {
-+	return getProcessCapabilities(Permitted)
-+}
-+
-+// GetProcessInheritable returns inheritable capabilities for
-+// the current process.
-+func GetProcessInheritable() (uint64, error) {
-+	return getProcessCapabilities(Inheritable)
-+}
-diff --git a/pkg/util/capabilities/process_test.go b/pkg/util/capabilities/process_test.go
-new file mode 100644
-index 0000000000..5aa9a7c8e0
---- /dev/null
-+++ b/pkg/util/capabilities/process_test.go
-@@ -0,0 +1,51 @@
-+// Copyright (c) 2020, Sylabs Inc. All rights reserved.
-+// This software is licensed under a 3-clause BSD license. Please consult the
-+// LICENSE.md file distributed with the sources of this project regarding your
-+// rights to use or distribute this software.
-+
-+package capabilities
-+
-+import (
-+	"runtime"
-+	"testing"
-+
-+	"github.com/sylabs/singularity/internal/pkg/test"
-+)
-+
-+func TestGetProcess(t *testing.T) {
-+	test.EnsurePrivilege(t)
-+
-+	runtime.LockOSThread()
-+	defer runtime.UnlockOSThread()
-+
-+	tests := []struct {
-+		name string
-+		fn   func() (uint64, error)
-+		cap  string
-+	}{
-+		{
-+			name: "effective",
-+			fn:   GetProcessEffective,
-+			cap:  "CAP_SYS_ADMIN",
-+		},
-+		{
-+			name: "permitted",
-+			fn:   GetProcessPermitted,
-+		},
-+		{
-+			name: "inheritable",
-+			fn:   GetProcessInheritable,
-+		},
-+	}
-+
-+	for _, tt := range tests {
-+		caps, err := tt.fn()
-+		if err != nil {
-+			t.Fatalf("unexpected error while getting process %s capabilities: %s", tt.name, err)
-+		}
-+		cap := Map[tt.cap]
-+		if tt.cap != "" && caps&uint64(1<<cap.Value) == 0 {
-+			t.Fatalf("%s capability %s missing", tt.name, tt.cap)
-+		}
-+	}
-+}
diff --git a/singularity.spec b/singularity.spec
index a36e51c..9196e98 100644
--- a/singularity.spec
+++ b/singularity.spec
@@ -29,17 +29,14 @@
 
 Summary: Application and environment virtualization
 Name: singularity
-Version: 3.5.2
-Release: 1.2%{?dist}
+Version: 3.5.3
+Release: 1.1%{?dist}
 # https://spdx.org/licenses/BSD-3-Clause-LBNL.html
 License: BSD-3-Clause-LBNL
 URL: https://www.sylabs.io/singularity/
-Source: %{name}-3.5.2.tar.gz
-%if 0%{?el8}
+Source: %{name}-3.5.3.tar.gz
 # https://github.com/sylabs/singularity/pull/4769.patch
 Patch0: 4769.patch
-%endif
-Patch1: 4974.patch
 ExclusiveOS: linux
 # RPM_BUILD_ROOT wasn't being set ... for some reason
 %if "%{sles_version}" == "11"
@@ -104,7 +101,6 @@ cd $GOPATH/%{singgopath}
 %if 0%{?el8}
 patch -p1 <%{PATCH0}
 %endif
-patch -p1 <%{PATCH1}
 
 # Not all of these parameters currently have an effect, but they might be
 #  used someday.  They are the same parameters as in the configure macro.
@@ -135,7 +131,6 @@ cd $GOPATH/%{singgopath}/builddir
 
 mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1
 make DESTDIR=$RPM_BUILD_ROOT install man
-chmod 644 $RPM_BUILD_ROOT%{_sysconfdir}/singularity/actions/*
 
 %if "%{suse_version}" == "11"
 %clean
@@ -157,11 +152,6 @@ chmod 644 $RPM_BUILD_ROOT%{_sysconfdir}/singularity/actions/*
 %config(noreplace) %{_sysconfdir}/singularity/cgroups/*
 %config(noreplace) %{_sysconfdir}/singularity/network/*
 %config(noreplace) %{_sysconfdir}/singularity/seccomp-profiles/*
-%attr(755, root, root) %{_sysconfdir}/singularity/actions/exec
-%attr(755, root, root) %{_sysconfdir}/singularity/actions/run
-%attr(755, root, root) %{_sysconfdir}/singularity/actions/shell
-%attr(755, root, root) %{_sysconfdir}/singularity/actions/start
-%attr(755, root, root) %{_sysconfdir}/singularity/actions/test
 %dir %{_sysconfdir}/bash_completion.d
 %{_sysconfdir}/bash_completion.d/*
 %dir %{_localstatedir}/singularity
@@ -171,6 +161,9 @@ chmod 644 $RPM_BUILD_ROOT%{_sysconfdir}/singularity/actions/*
 
 
 %changelog
+* Tue Feb 18 2020 Dave Dykstra <dwd@fedoraproject.org> - 3.5.3-1.1
+- Upgrade to upstream 3.5.3, keeping only patch #4768 on el8
+
 * Fri Jan 24 2020 Dave Dykstra <dwd@fedoraproject.org> - 3.5.2-1.2
 - Add patch for PR #4974.  Only the src rpm is being used, for
   building a --without-suid installation, so this won't be released
diff --git a/sources b/sources
index f3824d9..e8e7a1c 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (singularity-3.5.2.tar.gz) = 1c426839f7b45437700b08f8ed9cad5e920b2f77d215e3d865dfea7498d785b12351d3b34ea0f53335c5bd465c2cf2dfd417784900765241c58feae1960735a1
+SHA512 (singularity-3.5.3.tar.gz) = b8bb44539e78eaf74c1b97e5bae8fae1f390412456d76b573fffe2a90240b182db1aec60aee80715547c3edfbaa0607506e2727a575bc951223f9a7c3be0a97e