From 1308c88aeb0fc415ca253028cff95f9289e155fd Mon Sep 17 00:00:00 2001
From: zhongjiawei
Date: Fri, 25 Oct 2024 15:03:41 +0800
Subject: [PATCH] docker:support calling clone when clone3 is not support
(cherry picked from commit aa51a103f33ea9cf792ab71a720883a999b63eb1)
---
 VERSION-vendor | 2 +-
 docker.spec | 8 +-
 gen-commit.sh | 3 +-
 git-commit | 2 +-
 ...alling-clone-when-clone3-is-not-supp.patch | 123 ++++++++++++++++++
 series.conf | 1 +
 6 files changed, 135 insertions(+), 4 deletions(-)
 create mode 100644 patch/0280-docker-support-calling-clone-when-clone3-is-not-supp.patch
diff --git a/VERSION-vendor b/VERSION-vendor
index 9007bda..f74a46d 100644
--- a/VERSION-vendor
+++ b/VERSION-vendor
@@ -1 +1 @@
-18.09.0.341
+18.09.0.342
diff --git a/docker.spec b/docker.spec
index 64db0ff..ec80a02 100644
--- a/docker.spec
+++ b/docker.spec
@@ -1,6 +1,6 @@
 Name: docker-engine
 Version: 18.09.0
-Release: 341
+Release: 342
 Epoch: 2
 Summary: The open-source application container engine
 Group: Tools/Docker
@@ -227,6 +227,12 @@ fi
 %endif
 %changelog
+* Fri Oct 25 2024 zhongjiawei - 2:18.09.0-342
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:support calling clone when clone3 is not support
+
 * Sat Aug 31 2024 zhongjiawei - 2:18.09.0-341
 - Type:bugfix
 - CVE:NA
diff --git a/gen-commit.sh b/gen-commit.sh
index fd0bcbc..01d00a3 100755
--- a/gen-commit.sh
+++ b/gen-commit.sh
@@ -18,9 +18,10 @@ echo 18.09.0.$new_version > VERSION-vendor
 author=$(git config user.name)
 email=$(git config user.email)
+epoch=$(head -10 docker.spec | grep Epoch | awk '{print $NF}')
 version=$(head -10 docker.spec | grep Version | awk '{print $NF}')
 release=$(head -10 docker.spec | grep Release | awk '{print $2}' | awk -F% '{print $1}')
-new_all=$version-$release
+new_all=$epoch:$version-$release
 new_changelog=$(cat << EOF
 * $(LC_ALL="C" date '+%a %b %d %Y') $author<$email> - $new_all\n- Type:\n- CVE:\n- SUG:\n- DESC:\n
 EOF
diff --git a/git-commit b/git-commit
index 0fc7236..91fea79 100644
--- a/git-commit
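Review bot: `new_all=$epoch:$version-$release` on the changed line emits a leading colon whenever `epoch` is empty, because `head -10 docker.spec | grep Epoch` yields nothing when a spec carries no `Epoch:` tag, so the generated changelog header would read `:18.09.0-342` instead of the plain `version-release` form; `new_all=${epoch:+$epoch:}$version-$release` adds the prefix only when an epoch was actually found. The `grep Epoch` match is also unanchored, so any other tag in the first ten lines containing that word would be picked up; `grep '^Epoch:'` pins it to the tag. The enclosing script continues outside the hunk.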
+++ b/git-commit
@@ -1 +1 @@
-678fb4d2b2fbf91642358d82e5680aec01a15d56
+26b8df427648c7fa5fef833419438cd4e9d3443b
diff --git a/patch/0280-docker-support-calling-clone-when-clone3-is-not-supp.patch b/patch/0280-docker-support-calling-clone-when-clone3-is-not-supp.patch
new file mode 100644
index 0000000..5bf1450
--- /dev/null
+++ b/patch/0280-docker-support-calling-clone-when-clone3-is-not-supp.patch
@@ -0,0 +1,123 @@ +From 28a8f3016bfba8aab5cf0495519ca41f4c43f7a3 Mon Sep 17 00:00:00 2001 +From: zhongjiawei +Date: Fri, 25 Oct 2024 15:00:22 +0800 +Subject: [PATCH] docker:support calling clone when clone3 is not support + +--- + components/engine/api/types/seccomp.go | 1 + + components/engine/profiles/seccomp/seccomp.go | 7 +++--- + .../profiles/seccomp/seccomp_default.go | 22 ++++++++++--------- + .../runtime-spec/specs-go/config.go | 1 + + 4 files changed, 18 insertions(+), 13 deletions(-) + +diff --git a/components/engine/api/types/seccomp.go b/components/engine/api/types/seccomp.go +index 67a41e1a..0ed7d6ee 100644 +--- a/components/engine/api/types/seccomp.go ++++ b/components/engine/api/types/seccomp.go +@@ -86,6 +86,7 @@ type Syscall struct { + Name string `json:"name,omitempty"` + Names []string `json:"names,omitempty"` + Action Action `json:"action"` ++ ErrnoRet *uint `json:"errnoRet,omitempty"` + Args []*Arg `json:"args"` + Comment string `json:"comment"` + Includes Filter `json:"includes"` +diff --git a/components/engine/profiles/seccomp/seccomp.go b/components/engine/profiles/seccomp/seccomp.go +index 4438670a..993e8d87 100644 +--- a/components/engine/profiles/seccomp/seccomp.go ++++ b/components/engine/profiles/seccomp/seccomp.go +@@ -128,21 +128,22 @@ Loop: + } + + if call.Name != "" { +- newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(call.Name, call.Action, call.Args)) ++ newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(call.Name, call.Action, call.Args, call.ErrnoRet)) + } + + for _, n := range call.Names { +- newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(n, call.Action, call.Args)) ++ newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(n, call.Action, call.Args, call.ErrnoRet)) + } + } + + return newConfig, nil + } + +-func createSpecsSyscall(name string, action types.Action, args []*types.Arg) specs.LinuxSyscall { ++func createSpecsSyscall(name string, action types.Action, 
args []*types.Arg, errnoRet *uint) specs.LinuxSyscall { + newCall := specs.LinuxSyscall{ + Names: []string{name}, + Action: specs.LinuxSeccompAction(action), ++ ErrnoRet: errnoRet, + } + + // Loop through all the arguments of the syscall and convert them +diff --git a/components/engine/profiles/seccomp/seccomp_default.go b/components/engine/profiles/seccomp/seccomp_default.go +index a90e441c..0b96de5f 100644 +--- a/components/engine/profiles/seccomp/seccomp_default.go ++++ b/components/engine/profiles/seccomp/seccomp_default.go +@@ -42,6 +42,7 @@ func arches() []types.Architecture { + + // DefaultProfile defines the whitelist for the default seccomp profile. + func DefaultProfile() *types.Seccomp { ++ nosys := uint(unix.ENOSYS) + syscalls := []*types.Syscall{ + { + Names: []string{ +@@ -489,16 +490,6 @@ func DefaultProfile() *types.Seccomp { + Arches: []string{"amd64", "x32", "x86"}, + }, + }, +- { +- Names: []string{ +- "clone3", +- }, +- Action: types.ActAllow, +- Args: []*types.Arg{}, +- Includes: types.Filter{ +- Arches: []string{"arm64", "amd64", "x32", "x86"}, +- }, +- }, + { + Names: []string{ + "s390_pci_mmio_read", +@@ -525,6 +516,7 @@ func DefaultProfile() *types.Seccomp { + Names: []string{ + "bpf", + "clone", ++ "clone3", + "fanotify_init", + "lookup_dcookie", + "mount", +@@ -584,6 +576,16 @@ func DefaultProfile() *types.Seccomp { + Caps: []string{"CAP_SYS_ADMIN"}, + }, + }, ++ { ++ Names: []string{ ++ "clone3", ++ }, ++ Action: types.ActErrno, ++ ErrnoRet: &nosys, ++ Excludes: types.Filter{ ++ Caps: []string{"CAP_SYS_ADMIN"}, ++ }, ++ }, + { + Names: []string{ + "reboot", +diff --git a/components/engine/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go b/components/engine/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go +index 46049b3b..8b17fd1e 100644 +--- a/components/engine/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go ++++ 
b/components/engine/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go +@@ -628,6 +628,7 @@ type LinuxSeccompArg struct { + type LinuxSyscall struct { + Names []string `json:"names"` + Action LinuxSeccompAction `json:"action"` ++ ErrnoRet *uint `json:"errnoRet,omitempty"` + Args []LinuxSeccompArg `json:"args,omitempty"` + } + +-- +2.33.0 + diff --git a/series.conf b/series.conf index dc53d1f..ed501a7 100644 --- a/series.conf +++ b/series.conf @@ -277,4 +277,5 @@ patch/0276-docker-Ignore-SIGURG-on-Linux.patch patch/0277-backport-fix-CVE-2024-41110.patch patch/0278-docker-add-clone3-seccomp-whitelist-for-arm64.patch patch/0279-docker-try-to-reconnect-when-containerd-grpc-return-.patch +patch/0280-docker-support-calling-clone-when-clone3-is-not-supp.patch #end -- Gitee
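Review bot: The new `clone3` rule added after the CAP_SYS_ADMIN-gated block in DefaultProfile (`Action: types.ActErrno, ErrnoRet: &nosys`, excluded for CAP_SYS_ADMIN) only does its job if the OCI runtime honours `errnoRet`; a runtime that does not know the field presumably applies its default errno for `ActErrno` (EPERM), and glibc falls back from clone3 to clone only on ENOSYS, so on such a runtime this patch would re-break the arm64/amd64 hosts that patch 0278 had unblocked rather than merely tighten them. The vendored `LinuxSyscall.ErrnoRet` addition makes the field serialize, but nothing in this series visibly pins the runc/containerd side, so the requirement belongs in the patch description and in a comment above the rule, e.g. `// clone3 gets ENOSYS rather than the default EPERM so libc falls back to clone, whose flags the existing clone rule presumably filters; needs a runtime that honours errnoRet.` Dropping the unconditional clone3 allow from 0278 is the right direction, since clone3 passes its flags through a struct pointer that a seccomp argument filter cannot inspect. If the repository also ships a generated `default.json` for this profile, it should be regenerated in the same patch so the JSON and Go profiles agree. DefaultProfile starts and ends outside the hunk.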