[gentoo-commits] repo/gentoo:master commit in: app-emulation/runc/files/

2018-02-17 Thread Patrice Clement
commit: d8fb9aaaf78dc8cad22d3e8954bfc4087095bc8b
Author: Michael Mair-Keimberger  gmail  com>
AuthorDate: Fri Feb 16 07:51:42 2018 +
Commit: Patrice Clement  gentoo  org>
CommitDate: Sat Feb 17 14:26:07 2018 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d8fb9aaa

app-emulation/runc: remove unused patch.

Closes: https://github.com/gentoo/gentoo/pull/7201

 .../files/runc-1.0.0_rc2-init-non-dumpable.patch   | 108 -
 1 file changed, 108 deletions(-)

diff --git a/app-emulation/runc/files/runc-1.0.0_rc2-init-non-dumpable.patch b/app-emulation/runc/files/runc-1.0.0_rc2-init-non-dumpable.patch
deleted file mode 100644
index 486835ad826..000
--- a/app-emulation/runc/files/runc-1.0.0_rc2-init-non-dumpable.patch
+++ /dev/null
@@ -1,108 +0,0 @@
-From 50a19c6ff828c58e5dab13830bd3dacde268afe5 Mon Sep 17 00:00:00 2001
-From: Michael Crosby 
-Date: Wed, 7 Dec 2016 15:05:51 -0800
-Subject: [PATCH] Set init processes as non-dumpable
-
-This sets the init processes that join and setup the container's
-namespaces as non-dumpable before they setns to the container's pid (or
-any other ) namespace.
-
-This settings is automatically reset to the default after the Exec in
-the container so that it does not change functionality for the
-applications that are running inside, just our init processes.
-
-This prevents parent processes, the pid 1 of the container, to ptrace
-the init process before it drops caps and other sets LSMs.
-
-This patch also ensures that the stateDirFD being used is still closed
-prior to exec, even though it is set as O_CLOEXEC, because of the order
-in the kernel.
-
-https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
-
-The order during the exec syscall is that the process is set back to
-dumpable before O_CLOEXEC are processed.
-
-Signed-off-by: Michael Crosby 

- libcontainer/init_linux.go  | 3 ++-
- libcontainer/nsenter/nsexec.c   | 5 +
- libcontainer/setns_init_linux.go| 7 ++-
- libcontainer/standard_init_linux.go | 3 +++
- 4 files changed, 16 insertions(+), 2 deletions(-)
-
-diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
-index b1e6762..4043d51 100644
 a/libcontainer/init_linux.go
-+++ b/libcontainer/init_linux.go
-@@ -77,7 +77,8 @@ func newContainerInit(t initType, pipe *os.File, stateDirFD int) (initer, error)
-   switch t {
-   case initSetns:
-   return &linuxSetnsInit{
--  config: config,
-+  config: config,
-+  stateDirFD: stateDirFD,
-   }, nil
-   case initStandard:
-   return &linuxStandardInit{
-diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
-index b93f827..4b5398b 100644
 a/libcontainer/nsenter/nsexec.c
-+++ b/libcontainer/nsenter/nsexec.c
-@@ -408,6 +408,11 @@ void nsexec(void)
-   if (pipenum == -1)
-   return;
- 
-+  /* make the process non-dumpable */
-+  if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) {
-+  bail("failed to set process as non-dumpable");
-+  }
-+
-   /* Parse all of the netlink configuration. */
-   nl_parse(pipenum, &config);
- 
-diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go
-index 2a8f345..7f5f182 100644
 a/libcontainer/setns_init_linux.go
-+++ b/libcontainer/setns_init_linux.go
-@@ -5,6 +5,7 @@ package libcontainer
- import (
-   "fmt"
-   "os"
-+  "syscall"
- 
-   "github.com/opencontainers/runc/libcontainer/apparmor"
-   "github.com/opencontainers/runc/libcontainer/keys"
-@@ -16,7 +17,8 @@ import (
- // linuxSetnsInit performs the container's initialization for running a new process
- // inside an existing container.
- type linuxSetnsInit struct {
--  config *initConfig
-+  config *initConfig
-+  stateDirFD int
- }
- 
- func (l *linuxSetnsInit) getSessionRingName() string {
-@@ -49,5 +51,8 @@ func (l *linuxSetnsInit) Init() error {
-   if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil {
-   return err
-   }
-+  // close the statedir fd before exec because the kernel resets dumpable in the wrong order
-+  // https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
-+  syscall.Close(l.stateDirFD)
-   return system.Execv(l.config.Args[0], l.config.Args[0:], os.Environ())
- }
-diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
-index 2104f1a..6a65154 100644
 a/libcontainer/standard_init_linux.go
-+++ b/libcontainer/standard_init_linux.go
-@@ -171,6 +171,9 @@ func (l *linuxStandardInit) Init() error {
-   return newSystemErrorWithCause(err, "init seccomp")
-   }
-   }
-+  // close the statedir fd before exec because the kernel resets dumpable in the wrong order
-+  // https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L

[gentoo-commits] repo/gentoo:master commit in: app-emulation/runc/files/, app-emulation/runc/

2017-01-11 Thread Manuel Rüger
commit: 8bd76a7d71bd8549706fe1bf2ba60a7cbe972fab
Author: Manuel Rüger  gentoo  org>
AuthorDate: Wed Jan 11 11:34:13 2017 +
Commit: Manuel Rüger  gentoo  org>
CommitDate: Wed Jan 11 11:35:03 2017 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8bd76a7d

app-emulation/runc: Apply fix for CVE-2016-9962

Package-Manager: Portage-2.3.3, Repoman-2.3.1

 .../files/runc-1.0.0_rc2-init-non-dumpable.patch   | 108 +
 app-emulation/runc/runc-1.0.0_rc2-r2.ebuild|  59 +++
 2 files changed, 167 insertions(+)

diff --git a/app-emulation/runc/files/runc-1.0.0_rc2-init-non-dumpable.patch b/app-emulation/runc/files/runc-1.0.0_rc2-init-non-dumpable.patch
new file mode 100644
index ..486835a
--- /dev/null
+++ b/app-emulation/runc/files/runc-1.0.0_rc2-init-non-dumpable.patch
@@ -0,0 +1,108 @@
+From 50a19c6ff828c58e5dab13830bd3dacde268afe5 Mon Sep 17 00:00:00 2001
+From: Michael Crosby 
+Date: Wed, 7 Dec 2016 15:05:51 -0800
+Subject: [PATCH] Set init processes as non-dumpable
+
+This sets the init processes that join and setup the container's
+namespaces as non-dumpable before they setns to the container's pid (or
+any other ) namespace.
+
+This settings is automatically reset to the default after the Exec in
+the container so that it does not change functionality for the
+applications that are running inside, just our init processes.
+
+This prevents parent processes, the pid 1 of the container, to ptrace
+the init process before it drops caps and other sets LSMs.
+
+This patch also ensures that the stateDirFD being used is still closed
+prior to exec, even though it is set as O_CLOEXEC, because of the order
+in the kernel.
+
+https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
+
+The order during the exec syscall is that the process is set back to
+dumpable before O_CLOEXEC are processed.
+
+Signed-off-by: Michael Crosby 
+---
+ libcontainer/init_linux.go  | 3 ++-
+ libcontainer/nsenter/nsexec.c   | 5 +
+ libcontainer/setns_init_linux.go| 7 ++-
+ libcontainer/standard_init_linux.go | 3 +++
+ 4 files changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
+index b1e6762..4043d51 100644
+--- a/libcontainer/init_linux.go
 b/libcontainer/init_linux.go
+@@ -77,7 +77,8 @@ func newContainerInit(t initType, pipe *os.File, stateDirFD int) (initer, error)
+   switch t {
+   case initSetns:
+   return &linuxSetnsInit{
+-  config: config,
++  config: config,
++  stateDirFD: stateDirFD,
+   }, nil
+   case initStandard:
+   return &linuxStandardInit{
+diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
+index b93f827..4b5398b 100644
+--- a/libcontainer/nsenter/nsexec.c
 b/libcontainer/nsenter/nsexec.c
+@@ -408,6 +408,11 @@ void nsexec(void)
+   if (pipenum == -1)
+   return;
+ 
++  /* make the process non-dumpable */
++  if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) {
++  bail("failed to set process as non-dumpable");
++  }
++
+   /* Parse all of the netlink configuration. */
+   nl_parse(pipenum, &config);
+ 
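Review bot: The comment added above the `prctl(PR_SET_DUMPABLE, 0, 0, 0, 0)` call in nsexec() restates the call and leaves out why it has to happen at this point. The commit message gives the reason: the process is about to join the container's namespaces, and until it has dropped capabilities and applied its LSM settings, a process already inside the container must not be able to ptrace it. I would put that at the call site, e.g. `/* Non-dumpable before setns: processes already in the container must not be able to ptrace us while we still hold privileges; exec resets the flag. */`. nsexec() begins and ends outside this hunk, so whether anything later in it turns dumpable back on cannot be checked from here.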
+diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go
+index 2a8f345..7f5f182 100644
+--- a/libcontainer/setns_init_linux.go
 b/libcontainer/setns_init_linux.go
+@@ -5,6 +5,7 @@ package libcontainer
+ import (
+   "fmt"
+   "os"
++  "syscall"
+ 
+   "github.com/opencontainers/runc/libcontainer/apparmor"
+   "github.com/opencontainers/runc/libcontainer/keys"
+@@ -16,7 +17,8 @@ import (
+ // linuxSetnsInit performs the container's initialization for running a new process
+ // inside an existing container.
+ type linuxSetnsInit struct {
+-  config *initConfig
++  config *initConfig
++  stateDirFD int
+ }
+ 
+ func (l *linuxSetnsInit) getSessionRingName() string {
+@@ -49,5 +51,8 @@ func (l *linuxSetnsInit) Init() error {
+   if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil {
+   return err
+   }
++  // close the statedir fd before exec because the kernel resets dumpable in the wrong order
++  // https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
++  syscall.Close(l.stateDirFD)
+   return system.Execv(l.config.Args[0], l.config.Args[0:], os.Environ())
+ }
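Review bot: The `syscall.Close(l.stateDirFD)` added before `system.Execv` in linuxSetnsInit.Init discards its return value, although this close is the step the patch relies on to keep the state directory handle out of reach once exec makes the process dumpable again. An `EBADF` here would mean stateDirFD was never a valid descriptor, and the code would go on to exec without noticing; I would check it, `if err := syscall.Close(l.stateDirFD); err != nil { return err }`. The hunk for standard_init_linux.go carries the same comment but is cut off on this page, so the same point presumably applies there. Init starts outside this hunk.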
+diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
+index 2104f1a..6a65154 100644
+--- a/libcontainer/standard_init_linux.go
 b/libcontainer/standard_init_linux.go
+@@ -171,6 +171,9 @@ func (l *linuxStandardInit) Init() error {
+   return newSystemErrorWithCause(err, "init seccomp")
+   }
+   }
++  // close the statedir fd before exec because the kernel resets dumpable in the wrong order
++  // https