From bff689375f2fcee89f9e48ea188177f04fa61e77 Mon Sep 17 00:00:00 2001
From: xiadanni
Date: Wed, 23 Sep 2020 16:28:15 +0800
Subject: [PATCH] runc: fix permission denied
Signed-off-by: xiadanni
---
 patch/0118-runc-fix-permission-denied.patch | 45 +++++++++++++++++++++
 runc-openeuler.spec | 2 +-
 series.conf | 1 +
 3 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 patch/0118-runc-fix-permission-denied.patch
diff --git a/patch/0118-runc-fix-permission-denied.patch b/patch/0118-runc-fix-permission-denied.patch
new file mode 100644
index 0000000..0c304b8
--- /dev/null
+++ b/patch/0118-runc-fix-permission-denied.patch
@@ -0,0 +1,45 @@
+From 6594d5c042a2253386820a640b3a7087e07d0df2 Mon Sep 17 00:00:00 2001
+From: xiadanni
+Date: Thu, 9 Jul 2020 15:56:54 +0800
+Subject: [PATCH] runc: fix permission denied
+
+reason: when exec as root and config.Cwd is not owned by root,
+exec will fail because root doesn't have the caps.
+
+Signed-off-by: Kurnia D Win
+Signed-off-by: xiadanni
+---
+ libcontainer/init_linux.go | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
+index 2a93431..73505ef 100644
+--- a/libcontainer/init_linux.go
++++ b/libcontainer/init_linux.go
+@@ -118,6 +118,11 @@ func finalizeNamespace(config *initConfig) error {
+ if err := utils.CloseExecFrom(config.PassedFilesCount + 3); err != nil {
+ return err
+ }
++ if config.Cwd != "" {
++ if err := syscall.Chdir(config.Cwd); err != nil {
++ return fmt.Errorf("chdir to cwd (%q) set in config.json failed: %v", config.Cwd, err)
++ }
++ }
+
+ capabilities := &configs.Capabilities{}
+ if config.Capabilities != nil {
+@@ -146,11 +151,6 @@ func finalizeNamespace(config *initConfig) error {
+ if err := w.ApplyCaps(); err != nil {
+ return err
+ }
+- if config.Cwd != "" {
+- if err := syscall.Chdir(config.Cwd); err != nil {
+- return fmt.Errorf("chdir to cwd (%q) set in config.json failed: %v", config.Cwd, err)
+- }
+- }
+ return nil
+ }
+
+--
+1.8.3.1
+
diff --git a/runc-openeuler.spec b/runc-openeuler.spec
index df0c4fa..c0a742d 100644
--- a/runc-openeuler.spec
+++ b/runc-openeuler.spec
@@ -2,7 +2,7 @@
 Name: docker-runc
 Version: 1.0.0.rc3
-Release: 103
+Release: 104
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
 License: ASL 2.0
diff --git a/series.conf b/series.conf
index 376f1a2..702bb28 100644
--- a/series.conf
+++ b/series.conf
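Review bot: The relocated `if config.Cwd != "" {` block in the embedded patch's first hunk now runs the chdir before the capability set is applied — and, given its position ahead of `capabilities := ...`, presumably before the user switch that sits between the two hunks, outside what is shown — but carries no comment saying why it must stay there, so the reason for the move is easily lost to the next cleanup. The move also changes semantics in both directions: a Cwd reachable only by the container user (not by the still-privileged init process) would now fail where the old placement succeeded, while a Cwd the container user cannot itself traverse is entered on its behalf and stays its working directory after privileges are dropped; a comment above the block such as `// Enter Cwd while the init process still holds its full capabilities; the container user may lack the search rights needed to reach it.` should record that. A more robust shape keeps both behaviours: attempt the chdir here, remember a permission failure, and retry once at the old location after the user switch and ApplyCaps; the sketch below uses `os.IsPermission`, so `os` must be imported if init_linux.go does not already do so. finalizeNamespace begins before the first hunk and its middle (capability list, user setup) lies between the two hunks, outside the view.
```go
	// Try Cwd first with the init process's privileges; a permission error is
	// retried below once the container user is set up, so a directory that
	// only that user can reach still works.
	doChdir := config.Cwd != ""
	if doChdir {
		switch err := syscall.Chdir(config.Cwd); {
		case err == nil:
			doChdir = false
		case os.IsPermission(err):
			// retried after the user switch
		default:
			return fmt.Errorf("chdir to cwd (%q) set in config.json failed: %v", config.Cwd, err)
		}
	}
	// … unchanged: capability list, user setup, ApplyCaps …
	if doChdir {
		if err := syscall.Chdir(config.Cwd); err != nil {
			return fmt.Errorf("chdir to cwd (%q) set in config.json failed: %v", config.Cwd, err)
		}
	}
	return nil
```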
@@ -114,3 +114,4 @@
 0115-runc-Fix-cgroup-hugetlb-size-prefix-for-kB.patch
 0116-runc-check-nil-pointers-in-cgroup-manager.patch
 0117-runc-Pass-back-the-pid-of-runc-1-CHILD-so-w.patch
+0118-runc-fix-permission-denied.patch
--
Gitee