diff --git a/.gitignore b/.gitignore index a5fa0cc..bb99c27 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/runc-c91b5be.tar.gz +SOURCES/runc-5d93f81.tar.gz diff --git a/.runc.metadata b/.runc.metadata index 76dcf21..a39af1c 100644 --- a/.runc.metadata +++ b/.runc.metadata @@ -1 +1 @@ -930145d8c0ec09a4face7be395dee26b24866bc0 SOURCES/runc-c91b5be.tar.gz +2d07a2ecc585678c4739ac6c8c3dc36a7d9f6ea6 SOURCES/runc-5d93f81.tar.gz diff --git a/SOURCES/0001-Set-init-processes-as-non-dumpable.patch b/SOURCES/0001-Set-init-processes-as-non-dumpable.patch deleted file mode 100644 index 937ba38..0000000 --- a/SOURCES/0001-Set-init-processes-as-non-dumpable.patch +++ /dev/null @@ -1,111 +0,0 @@ -From 50a19c6ff828c58e5dab13830bd3dacde268afe5 Mon Sep 17 00:00:00 2001 -From: Michael Crosby -Date: Wed, 7 Dec 2016 15:05:51 -0800 -Subject: [PATCH] Set init processes as non-dumpable - -This sets the init processes that join and setup the container's -namespaces as non-dumpable before they setns to the container's pid (or -any other ) namespace. - -This settings is automatically reset to the default after the Exec in -the container so that it does not change functionality for the -applications that are running inside, just our init processes. - -This prevents parent processes, the pid 1 of the container, to ptrace -the init process before it drops caps and other sets LSMs. - -This patch also ensures that the stateDirFD being used is still closed -prior to exec, even though it is set as O_CLOEXEC, because of the order -in the kernel. - -https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318 - -The order during the exec syscall is that the process is set back to -dumpable before O_CLOEXEC are processed. - -Signed-off-by: Michael Crosby ---- - libcontainer/init_linux.go | 3 ++- - libcontainer/nsenter/nsexec.c | 5 +++++ - libcontainer/setns_init_linux.go | 7 ++++++- - libcontainer/standard_init_linux.go | 3 +++ - 4 files changed, 16 insertions(+), 2 deletions(-) - -diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go -index b1e6762..4043d51 100644 ---- a/libcontainer/init_linux.go -+++ b/libcontainer/init_linux.go -@@ -77,7 +77,8 @@ func newContainerInit(t initType, pipe *os.File, stateDirFD int) (initer, error) - switch t { - case initSetns: - return &linuxSetnsInit{ -- config: config, -+ config: config, -+ stateDirFD: stateDirFD, - }, nil - case initStandard: - return &linuxStandardInit{ -diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c -index b93f827..4b5398b 100644 ---- a/libcontainer/nsenter/nsexec.c -+++ b/libcontainer/nsenter/nsexec.c -@@ -408,6 +408,11 @@ void nsexec(void) - if (pipenum == -1) - return; - -+ /* make the process non-dumpable */ -+ if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) { -+ bail("failed to set process as non-dumpable"); -+ } -+ - /* Parse all of the netlink configuration. */ - nl_parse(pipenum, &config); - -diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go -index 2a8f345..7f5f182 100644 ---- a/libcontainer/setns_init_linux.go -+++ b/libcontainer/setns_init_linux.go -@@ -5,6 +5,7 @@ package libcontainer - import ( - "fmt" - "os" -+ "syscall" - - "github.com/opencontainers/runc/libcontainer/apparmor" - "github.com/opencontainers/runc/libcontainer/keys" -@@ -16,7 +17,8 @@ import ( - // linuxSetnsInit performs the container's initialization for running a new process - // inside an existing container. - type linuxSetnsInit struct { -- config *initConfig -+ config *initConfig -+ stateDirFD int - } - - func (l *linuxSetnsInit) getSessionRingName() string { -@@ -49,5 +51,8 @@ func (l *linuxSetnsInit) Init() error { - if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil { - return err - } -+ // close the statedir fd before exec because the kernel resets dumpable in the wrong order -+ // https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318 -+ syscall.Close(l.stateDirFD) - return system.Execv(l.config.Args[0], l.config.Args[0:], os.Environ()) - } -diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go -index 2104f1a..6a65154 100644 ---- a/libcontainer/standard_init_linux.go -+++ b/libcontainer/standard_init_linux.go -@@ -171,6 +171,9 @@ func (l *linuxStandardInit) Init() error { - return newSystemErrorWithCause(err, "init seccomp") - } - } -+ // close the statedir fd before exec because the kernel resets dumpable in the wrong order -+ // https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318 -+ syscall.Close(l.stateDirFD) - if err := syscall.Exec(name, l.config.Args[0:], os.Environ()); err != nil { - return newSystemErrorWithCause(err, "exec user process") - } --- -2.11.0 - diff --git a/SPECS/runc.spec b/SPECS/runc.spec index b5edd16..3590a95 100644 --- a/SPECS/runc.spec +++ b/SPECS/runc.spec @@ -25,25 +25,25 @@ # https://github.com/opencontainers/runc %global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo} %global import_path %{provider_prefix} -%global commit c91b5bea4830a57eac7882d7455d59518cdf70ec +%global commit 5d93f81bdbc79a7bf052f8724caa5f0da36c33e4 %global shortcommit %(c=%{commit}; echo ${c:0:7}) -Name: %{repo} +Name: %{repo} %if 0%{?fedora} -Epoch: 1 +Epoch: 1 %endif -Version: 1.0.0 -Release: 1.rc2%{?dist} -Summary: CLI for running Open Containers -License: ASL 2.0 -URL: https://%{provider_prefix} -Source0: https://%{provider_prefix}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz -Patch0: 0001-Set-init-processes-as-non-dumpable.patch +Version: 1.0.0 +Release: 3.rc2%{?dist} +Summary: CLI for running Open Containers +License: ASL 2.0 +URL: https://%{provider_prefix} +Source0: https://github.com/projectatomic/%{name}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz Requires: criu ExclusiveArch: x86_64 # If go_compiler is not set to 1, there is no virtual provide. Use golang instead. -BuildRequires: %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang} >= 1.6.2 +BuildRequires: %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang} >= 1.6.2 +BuildRequires: git BuildRequires: go-md2man BuildRequires: libseccomp-devel @@ -155,8 +155,7 @@ providing packages with %{import_path} prefix. %endif %prep -%setup -q -n %{repo}-%{commit} -%patch0 -p1 +%autosetup -Sgit -n %{repo}-%{commit} %build mkdir -p src/github.com/opencontainers @@ -272,6 +271,14 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/Godeps/_workspace:%{gopath} %endif %changelog +* Fri Feb 24 2017 Lokesh Mandvekar - 1.0.0-3.rc2 +- Resolves: #1426674 +- built projectatomic/runc_rhel_7 commit 5d93f81 + +* Mon Feb 06 2017 Lokesh Mandvekar - 1.0.0-2.rc2 +- Resolves: #1419702 - rebase to latest upstream master +- built commit b263a43 + * Wed Jan 11 2017 Lokesh Mandvekar - 1.0.0-1.rc2 - Resolves: #1412239 - *CVE-2016-9962* - set init processes as non-dumpable, runc patch from Michael Crosby