Update runc to 89c3c97a8482f3a57cd4bb683df1a7b2c61405d8

crosbymichael · crosbymichael · commit 4a341841c58e · 2016-05-04T11:36:07.000-07:00
Fixes adamlaska#211 Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
diff --git a/hack/vendor.sh b/hack/vendor.sh
@@ -14,7 +14,7 @@ clone git github.com/docker/go-units 5d2041e26a699eaca682e2ea41c8f891e1060444
 clone git github.com/godbus/dbus e2cf28118e66a6a63db46cf6088a35d2054d3bb0
 clone git github.com/golang/glog 23def4e6c14b4da8ac2ed8007337bc5eb5007998
 clone git github.com/golang/protobuf 8d92cf5fc15a4382f8964b08e1f42a75c0591aa3
-clone git github.com/opencontainers/runc 9c89737e6e117a8be5a4980bc9795fe1a2b1028e
+clone git github.com/opencontainers/runc 89c3c97a8482f3a57cd4bb683df1a7b2c61405d8
 clone git github.com/opencontainers/runtime-spec f955d90e70a98ddfb886bd930ffd076da9b67998
 clone git github.com/rcrowley/go-metrics eeba7bd0dd01ace6e690fa833b3f22aaec29af43
 clone git github.com/satori/go.uuid f9ab0dce87d815821e221626b772e3475a0d2749
diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/utils.go b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/utils.go
@@ -18,7 +18,7 @@ import (
 
 const cgroupNamePrefix = "name="
 
-// https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt
+// https://www.kernel.org/doc/Documentation/cgroup-v1/cgroups.txt
 func FindCgroupMountpoint(subsystem string) (string, error) {
 	// We are not using mount.GetMounts() because it's super-inefficient,
 	// parsing it directly sped up x10 times because of not using Sscanf.
diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/rootfs_linux.go b/vendor/src/github.com/opencontainers/runc/libcontainer/rootfs_linux.go
@@ -69,6 +69,9 @@ func setupRootfs(config *configs.Config, console *linuxConsole, pipe io.ReadWrit
 		if err := setupDevSymlinks(config.Rootfs); err != nil {
 			return newSystemErrorWithCause(err, "setting up /dev symlinks")
 		}
+		if err := label.Relabel(filepath.Join(config.Rootfs, "dev"), config.MountLabel, false); err != nil {
+			return err
+		}
 	}
 	// Signal the parent to run the pre-start hooks.
 	// The hooks are run after the mounts are setup, but before we switch to the new
diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/selinux/selinux.go b/vendor/src/github.com/opencontainers/runc/libcontainer/selinux/selinux.go
@@ -486,14 +486,14 @@ func DupSecOpt(src string) []string {
 		con["level"] == "" {
 		return nil
 	}
-	return []string{"label:user:" + con["user"],
-		"label:role:" + con["role"],
-		"label:type:" + con["type"],
-		"label:level:" + con["level"]}
+	return []string{"label=user:" + con["user"],
+		"label=role:" + con["role"],
+		"label=type:" + con["type"],
+		"label=level:" + con["level"]}
 }
 
 // DisableSecOpt returns a security opt that can be used to disabling SELinux
 // labeling support for future container processes
 func DisableSecOpt() []string {
-	return []string{"label:disable"}
+	return []string{"label=disable"}
 }
diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/standard_init_linux.go b/vendor/src/github.com/opencontainers/runc/libcontainer/standard_init_linux.go
@@ -123,7 +123,10 @@ func (l *linuxStandardInit) Init() error {
 	if err := syncParentReady(l.pipe); err != nil {
 		return err
 	}
-	if l.config.Config.Seccomp != nil {
+	// Without NoNewPrivileges seccomp is a privileged operation, so we need to
+	// do this before dropping capabilities; otherwise do it as late as possible
+	// just before execve so as few syscalls take place after it as possible.
+	if l.config.Config.Seccomp != nil && !l.config.NoNewPrivileges {
 		if err := seccomp.InitSeccomp(l.config.Config.Seccomp); err != nil {
 			return err
 		}
@@ -142,6 +145,11 @@ func (l *linuxStandardInit) Init() error {
 	if syscall.Getppid() != l.parentPid {
 		return syscall.Kill(syscall.Getpid(), syscall.SIGKILL)
 	}
+	if l.config.Config.Seccomp != nil && l.config.NoNewPrivileges {
+		if err := seccomp.InitSeccomp(l.config.Config.Seccomp); err != nil {
+			return err
+		}
+	}
 
 	return system.Execv(l.config.Args[0], l.config.Args[0:], os.Environ())
 }

Original file line number	Diff line number	Diff line change
`@@ -69,6 +69,9 @@ func setupRootfs(config configs.Config, console linuxConsole, pipe io.ReadWrit`
`69`	`69`	`if err := setupDevSymlinks(config.Rootfs); err != nil {`
`70`	`70`	`return newSystemErrorWithCause(err, "setting up /dev symlinks")`
`71`	`71`	`}`
	`72`	`+ if err := label.Relabel(filepath.Join(config.Rootfs, "dev"), config.MountLabel, false); err != nil {`
	`73`	`+ return err`
	`74`	`+ }`
`72`	`75`	`}`
`73`	`76`	`// Signal the parent to run the pre-start hooks.`
`74`	`77`	`// The hooks are run after the mounts are setup, but before we switch to the new`
Original file line number	Diff line number	Diff line change
`@@ -486,14 +486,14 @@ func DupSecOpt(src string) []string {`
`486`	`486`	`con["level"] == "" {`
`487`	`487`	`return nil`
`488`	`488`	`}`
`489`		`- return []string{"label:user:" + con["user"],`
`490`		`- "label:role:" + con["role"],`
`491`		`- "label:type:" + con["type"],`
`492`		`- "label:level:" + con["level"]}`
	`489`	`+ return []string{"label=user:" + con["user"],`
	`490`	`+ "label=role:" + con["role"],`
	`491`	`+ "label=type:" + con["type"],`
	`492`	`+ "label=level:" + con["level"]}`
`493`	`493`	`}`
`494`	`494`
`495`	`495`	`// DisableSecOpt returns a security opt that can be used to disabling SELinux`
`496`	`496`	`// labeling support for future container processes`
`497`	`497`	`func DisableSecOpt() []string {`
`498`		`- return []string{"label:disable"}`
	`498`	`+ return []string{"label=disable"}`
`499`	`499`	`}`
Original file line number	Diff line number	Diff line change
`@@ -123,7 +123,10 @@ func (l *linuxStandardInit) Init() error {`
`123`	`123`	`if err := syncParentReady(l.pipe); err != nil {`
`124`	`124`	`return err`
`125`	`125`	`}`
`126`		`- if l.config.Config.Seccomp != nil {`
	`126`	`+ // Without NoNewPrivileges seccomp is a privileged operation, so we need to`
	`127`	`+ // do this before dropping capabilities; otherwise do it as late as possible`
	`128`	`+ // just before execve so as few syscalls take place after it as possible.`
	`129`	`+ if l.config.Config.Seccomp != nil && !l.config.NoNewPrivileges {`
`127`	`130`	`if err := seccomp.InitSeccomp(l.config.Config.Seccomp); err != nil {`
`128`	`131`	`return err`
`129`	`132`	`}`
`@@ -142,6 +145,11 @@ func (l *linuxStandardInit) Init() error {`
`142`	`145`	`if syscall.Getppid() != l.parentPid {`
`143`	`146`	`return syscall.Kill(syscall.Getpid(), syscall.SIGKILL)`
`144`	`147`	`}`
	`148`	`+ if l.config.Config.Seccomp != nil && l.config.NoNewPrivileges {`
	`149`	`+ if err := seccomp.InitSeccomp(l.config.Config.Seccomp); err != nil {`
	`150`	`+ return err`
	`151`	`+ }`
	`152`	`+ }`
`145`	`153`
`146`	`154`	`return system.Execv(l.config.Args[0], l.config.Args[0:], os.Environ())`
`147`	`155`	`}`