diff --git a/.gitignore b/.gitignore
index 32283ba..ac15d58 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/runc-dc9208a.tar.gz
+SOURCES/v1.0.0-rc92.tar.gz
diff --git a/.runc.metadata b/.runc.metadata
index 39b6b73..85883d8 100644
--- a/.runc.metadata
+++ b/.runc.metadata
@@ -1 +1 @@
-32859590dea35b77eed012c388d97fc12fdfdb93 SOURCES/runc-dc9208a.tar.gz
+b5571f41bcc85be33a56122a30cb1a241476a8d1 SOURCES/v1.0.0-rc92.tar.gz
diff --git a/SOURCES/1807.patch b/SOURCES/1807.patch
deleted file mode 100644
index 6d415f0..0000000
--- a/SOURCES/1807.patch
+++ /dev/null
@@ -1,278 +0,0 @@
-From 3d99c51e1b38a440804a55c9f314f62cc50b8902 Mon Sep 17 00:00:00 2001
-From: Giuseppe Scrivano <gscrivan@redhat.com>
-Date: Fri, 25 May 2018 18:04:06 +0200
-Subject: [PATCH] sd-notify: do not hang when NOTIFY_SOCKET is used with create
-
-if NOTIFY_SOCKET is used, do not block the main runc process waiting
-for events on the notify socket.  Bind mount the parent directory of
-the notify socket, so that "start" can create the socket and it is
-still accessible from the container.
-
-Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
----
- notify_socket.go | 112 ++++++++++++++++++++++++++++++++++-------------
- signals.go       |   4 +-
- start.go         |  13 +++++-
- utils_linux.go   |  12 ++++-
- 4 files changed, 105 insertions(+), 36 deletions(-)
-
-diff --git a/notify_socket.go b/notify_socket.go
-index e7453c62..d961453a 100644
---- a/notify_socket.go
-+++ b/notify_socket.go
-@@ -7,11 +7,13 @@ import (
- 	"fmt"
- 	"net"
- 	"os"
-+	"path"
- 	"path/filepath"
-+	"strconv"
-+	"time"
- 
-+	"github.com/opencontainers/runc/libcontainer"
- 	"github.com/opencontainers/runtime-spec/specs-go"
--
--	"github.com/sirupsen/logrus"
- 	"github.com/urfave/cli"
- )
- 
-@@ -27,12 +29,12 @@ func newNotifySocket(context *cli.Context, notifySocketHost string, id string) *
- 	}
- 
- 	root := filepath.Join(context.GlobalString("root"), id)
--	path := filepath.Join(root, "notify.sock")
-+	socketPath := filepath.Join(root, "notify", "notify.sock")
- 
- 	notifySocket := &notifySocket{
- 		socket:     nil,
- 		host:       notifySocketHost,
--		socketPath: path,
-+		socketPath: socketPath,
- 	}
- 
- 	return notifySocket
-@@ -44,13 +46,19 @@ func (s *notifySocket) Close() error {
- 
- // If systemd is supporting sd_notify protocol, this function will add support
- // for sd_notify protocol from within the container.
--func (s *notifySocket) setupSpec(context *cli.Context, spec *specs.Spec) {
--	mount := specs.Mount{Destination: s.host, Source: s.socketPath, Options: []string{"bind"}}
-+func (s *notifySocket) setupSpec(context *cli.Context, spec *specs.Spec) error {
-+	pathInContainer := filepath.Join("/run/notify", path.Base(s.socketPath))
-+	mount := specs.Mount{
-+		Destination: path.Dir(pathInContainer),
-+		Source:      path.Dir(s.socketPath),
-+		Options:     []string{"bind", "nosuid", "noexec", "nodev", "ro"},
-+	}
- 	spec.Mounts = append(spec.Mounts, mount)
--	spec.Process.Env = append(spec.Process.Env, fmt.Sprintf("NOTIFY_SOCKET=%s", s.host))
-+	spec.Process.Env = append(spec.Process.Env, fmt.Sprintf("NOTIFY_SOCKET=%s", pathInContainer))
-+	return nil
- }
- 
--func (s *notifySocket) setupSocket() error {
-+func (s *notifySocket) bindSocket() error {
- 	addr := net.UnixAddr{
- 		Name: s.socketPath,
- 		Net:  "unixgram",
-@@ -71,45 +79,89 @@ func (s *notifySocket) setupSocket() error {
- 	return nil
- }
- 
--// pid1 must be set only with -d, as it is used to set the new process as the main process
--// for the service in systemd
--func (s *notifySocket) run(pid1 int) {
--	buf := make([]byte, 512)
--	notifySocketHostAddr := net.UnixAddr{Name: s.host, Net: "unixgram"}
-+func (s *notifySocket) setupSocketDirectory() error {
-+	return os.Mkdir(path.Dir(s.socketPath), 0755)
-+}
-+
-+func notifySocketStart(context *cli.Context, notifySocketHost, id string) (*notifySocket, error) {
-+	notifySocket := newNotifySocket(context, notifySocketHost, id)
-+	if notifySocket == nil {
-+		return nil, nil
-+	}
-+
-+	if err := notifySocket.bindSocket(); err != nil {
-+		return nil, err
-+	}
-+	return notifySocket, nil
-+}
-+
-+func (n *notifySocket) waitForContainer(container libcontainer.Container) error {
-+	s, err := container.State()
-+	if err != nil {
-+		return err
-+	}
-+	return n.run(s.InitProcessPid)
-+}
-+
-+func (n *notifySocket) run(pid1 int) error {
-+	if n.socket == nil {
-+		return nil
-+	}
-+	notifySocketHostAddr := net.UnixAddr{Name: n.host, Net: "unixgram"}
- 	client, err := net.DialUnix("unixgram", nil, &notifySocketHostAddr)
- 	if err != nil {
--		logrus.Error(err)
--		return
-+		return err
- 	}
--	for {
--		r, err := s.socket.Read(buf)
--		if err != nil {
--			break
-+
-+	ticker := time.NewTicker(time.Millisecond * 100)
-+	defer ticker.Stop()
-+
-+	fileChan := make(chan []byte)
-+	go func() {
-+		for {
-+			buf := make([]byte, 512)
-+			r, err := n.socket.Read(buf)
-+			if err != nil {
-+				return
-+			}
-+			got := buf[0:r]
-+			if !bytes.HasPrefix(got, []byte("READY=")) {
-+				continue
-+			}
-+			fileChan <- got
-+			return
- 		}
--		var out bytes.Buffer
--		for _, line := range bytes.Split(buf[0:r], []byte{'\n'}) {
--			if bytes.HasPrefix(line, []byte("READY=")) {
-+	}()
-+
-+	for {
-+		select {
-+		case <-ticker.C:
-+			_, err := os.Stat(filepath.Join("/proc", strconv.Itoa(pid1)))
-+			if err != nil {
-+				return nil
-+			}
-+		case b := <-fileChan:
-+			for _, line := range bytes.Split(b, []byte{'\n'}) {
-+				var out bytes.Buffer
- 				_, err = out.Write(line)
- 				if err != nil {
--					return
-+					return err
- 				}
- 
- 				_, err = out.Write([]byte{'\n'})
- 				if err != nil {
--					return
-+					return err
- 				}
- 
- 				_, err = client.Write(out.Bytes())
- 				if err != nil {
--					return
-+					return err
- 				}
- 
- 				// now we can inform systemd to use pid1 as the pid to monitor
--				if pid1 > 0 {
--					newPid := fmt.Sprintf("MAINPID=%d\n", pid1)
--					client.Write([]byte(newPid))
--				}
--				return
-+				newPid := fmt.Sprintf("MAINPID=%d\n", pid1)
-+				client.Write([]byte(newPid))
-+				return nil
- 			}
- 		}
- 	}
-diff --git a/signals.go b/signals.go
-index b67f65a0..dd25e094 100644
---- a/signals.go
-+++ b/signals.go
-@@ -70,6 +70,7 @@ func (h *signalHandler) forward(process *libcontainer.Process, tty *tty, detach
- 			h.notifySocket.run(pid1)
- 			return 0, nil
- 		}
-+		h.notifySocket.run(os.Getpid())
- 		go h.notifySocket.run(0)
- 	}
- 
-@@ -97,9 +98,6 @@ func (h *signalHandler) forward(process *libcontainer.Process, tty *tty, detach
- 					// status because we must ensure that any of the go specific process
- 					// fun such as flushing pipes are complete before we return.
- 					process.Wait()
--					if h.notifySocket != nil {
--						h.notifySocket.Close()
--					}
- 					return e.status, nil
- 				}
- 			}
-diff --git a/start.go b/start.go
-index 2bb698b2..3a1769a4 100644
---- a/start.go
-+++ b/start.go
-@@ -3,6 +3,7 @@ package main
- import (
- 	"errors"
- 	"fmt"
-+	"os"
- 
- 	"github.com/opencontainers/runc/libcontainer"
- 	"github.com/urfave/cli"
-@@ -31,7 +32,17 @@ your host.`,
- 		}
- 		switch status {
- 		case libcontainer.Created:
--			return container.Exec()
-+			notifySocket, err := notifySocketStart(context, os.Getenv("NOTIFY_SOCKET"), container.ID())
-+			if err != nil {
-+				return err
-+			}
-+			if err := container.Exec(); err != nil {
-+				return err
-+			}
-+			if notifySocket != nil {
-+				return notifySocket.waitForContainer(container)
-+			}
-+			return nil
- 		case libcontainer.Stopped:
- 			return errors.New("cannot start a container that has stopped")
- 		case libcontainer.Running:
-diff --git a/utils_linux.go b/utils_linux.go
-index 984e6b0f..46c26246 100644
---- a/utils_linux.go
-+++ b/utils_linux.go
-@@ -408,7 +408,9 @@ func startContainer(context *cli.Context, spec *specs.Spec, action CtAct, criuOp
- 
- 	notifySocket := newNotifySocket(context, os.Getenv("NOTIFY_SOCKET"), id)
- 	if notifySocket != nil {
--		notifySocket.setupSpec(context, spec)
-+		if err := notifySocket.setupSpec(context, spec); err != nil {
-+			return -1, err
-+		}
- 	}
- 
- 	container, err := createContainer(context, id, spec)
-@@ -417,10 +419,16 @@ func startContainer(context *cli.Context, spec *specs.Spec, action CtAct, criuOp
- 	}
- 
- 	if notifySocket != nil {
--		err := notifySocket.setupSocket()
-+		err := notifySocket.setupSocketDirectory()
- 		if err != nil {
- 			return -1, err
- 		}
-+		if action == CT_ACT_RUN {
-+			err := notifySocket.bindSocket()
-+			if err != nil {
-+				return -1, err
-+			}
-+		}
- 	}
- 
- 	// Support on-demand socket activation by passing file descriptors into the container init process.
--- 
-2.21.0
-
diff --git a/SPECS/runc.spec b/SPECS/runc.spec
index ae1734a..f7d65df 100644
--- a/SPECS/runc.spec
+++ b/SPECS/runc.spec
@@ -21,18 +21,17 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback no_openssl ${BUIL
 # https://github.com/opencontainers/runc
 %global import_path %{provider}.%{provider_tld}/%{project}/%{repo}
 %global git0 https://%{import_path}
-%global commit0 dc9208a3303feef5b3839f4323d9beb36df0a9dd
-%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
+%global release_candidate rc92
 
 Name: %{repo}
 Version: 1.0.0
-Release: 66.rc10%{?dist}
+Release: 68.%{release_candidate}%{?dist}
 Summary: CLI for running Open Containers
 ExcludeArch: %{ix86}
 License: ASL 2.0
 URL: %{git0}
-Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
-Patch0: 1807.patch
+Source0: %{git0}/archive/v1.0.0-%{release_candidate}.tar.gz
+#Patch0: 1807.patch
 BuildRequires: golang >= 1.12.12-4
 BuildRequires: git
 BuildRequires: go-md2man
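Review bot: `Source0` now points at a tag archive rather than one addressed by the full commit hash that `%global commit0` used to carry, so the spec itself no longer records the exact upstream tree. A tag can be moved upstream, which leaves the 40-hex digest in `.runc.metadata` as the only pin on the tarball contents. Consider recording the commit the tag resolves to beside `%global release_candidate`, e.g. `# v1.0.0-rc92 == <full-commit-sha-of-tag>`, so a re-fetched archive can be compared. The URL also hard-codes `1.0.0` although `Version:` holds the same value; `Source0: %{git0}/archive/v%{version}-%{release_candidate}.tar.gz` keeps the two in step. The commented-out `#Patch0: 1807.patch` names a file this commit deletes and could be removed rather than left behind.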
@@ -45,7 +44,7 @@ in accordance with the Open Container Initiative's specifications,
 and to manage containers running under runc.
 
 %prep
-%autosetup -Sgit -n %{repo}-%{commit0}
+%autosetup -Sgit -n %{repo}-%{version}-%{release_candidate}
 sed -i '/\#\!\/bin\/bash/d' contrib/completions/bash/%{name}
 
 %build
@@ -57,6 +56,7 @@ popd
 
 pushd GOPATH/src/%{import_path}
 export GOPATH=%{gopath}:$(pwd)/GOPATH
+export CGO_CFLAGS="%{optflags} -D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64"
 export BUILDTAGS="selinux seccomp"
 %gobuild -o %{name} %{import_path}
 
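Review bot: The added `export CGO_CFLAGS=...` covers only the C compile step of cgo, and nothing in this hunk sets `CGO_LDFLAGS`. Whether the distribution's link-time hardening flags reach the cgo objects therefore depends on the `%gobuild` definition, which is truncated in the first hunk's header and not visible here. If `%gobuild` does not already pass them through `-extldflags`, adding `export CGO_LDFLAGS="%{build_ldflags}"` beside this line would match the changelog's stated intent, and the result can be confirmed by running a hardening checker on the built binary. A comment above the export, such as `# pass distro optflags to cgo; the -D macros enable GNU extensions and 64-bit file offsets`, would explain the feature-test defines. The `%build` section starts and ends outside this hunk.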
@@ -88,9 +88,18 @@ install -p -m 0644 contrib/completions/bash/%{name} %{buildroot}%{_datadir}/bash
 %{_datadir}/bash-completion/completions/%{name}
 
 %changelog
-* Fri May 01 2020 Jindrich Novy <jnovy@redhat.com> - 1.0.0-66.rc10
-- drop container-selinux runtime dependency
-- Related: #1806044
+* Tue Aug 11 2020 Jindrich Novy <jnovy@redhat.com> - 1.0.0-68.rc92
+- update to https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc92
+- propagate proper CFLAGS to CGO_CFLAGS to assure code hardening and optimization
+- Related: #1821193
+
+* Thu Jul 02 2020 Jindrich Novy <jnovy@redhat.com> - 1.0.0-67.rc91
+- update to https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc91
+- Related: #1821193
+
+* Tue May 12 2020 Jindrich Novy <jnovy@redhat.com> - 1.0.0-66.rc10
+- synchronize containter-tools 8.3.0 with 8.2.1
+- Related: #1821193
 
 * Wed Feb 12 2020 Jindrich Novy <jnovy@redhat.com> - 1.0.0-65.rc10
 - address CVE-2019-19921 by updating to rc10