diff --git a/patch/0138-runc-libct-fix-shared-pidns-detection.patch b/patch/0138-runc-libct-fix-shared-pidns-detection.patch
new file mode 100644
index 0000000000000000000000000000000000000000..91e800e20c662d01c6a40351445f8dbb3267c69d
--- /dev/null
+++ b/patch/0138-runc-libct-fix-shared-pidns-detection.patch
@@ -0,0 +1,67 @@
+From fa6c4b2cbb985a765b4fae14470453b7a573c665 Mon Sep 17 00:00:00 2001
+From: Kir Kolyshkin
+Date: Fri, 12 May 2023 16:04:11 -0700
+Subject: [PATCH] libct: fix shared pidns detection
+
+When someone is using libcontainer to start and kill containers from a
+long lived process (i.e. the same process creates and removes the
+container), initProcess.wait method is used, which has a kludge to work
+around killing containers that do not have their own PID namespace.
+
+The code that checks for own PID namespace is not entirely correct.
+To be exact, it does not set sharePidns flag when the host/caller PID
+namespace is implicitly used. As a result, the above mentioned kludge
+does not work.
+
+Fix the issue, add a test case (which fails without the fix).
+
+Signed-off-by: Kir Kolyshkin
+---
+ libcontainer/configs/namespaces_syscall.go | 12 ++++++++++++
+ libcontainer/container_linux.go | 3 +--
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/libcontainer/configs/namespaces_syscall.go b/libcontainer/configs/namespaces_syscall.go
+index fb4b8522..6171a3b6 100644
+--- a/libcontainer/configs/namespaces_syscall.go
++++ b/libcontainer/configs/namespaces_syscall.go
+@@ -29,3 +29,15 @@ func (n *Namespaces) CloneFlags() uintptr {
+ }
+ return uintptr(flag)
+ }
++
++// IsPrivate tells whether the namespace of type t is configured as private
++// (i.e. it exists and is not shared).
++func (n Namespaces) IsPrivate(t NamespaceType) bool {
++ for _, v := range n {
++ if v.Type == t {
++ return v.Path == ""
++ }
++ }
++ // Not found, so implicitly sharing a parent namespace.
++ return false
++}
+diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
+index 7be84a63..113dbf42 100644
+--- a/libcontainer/container_linux.go
++++ b/libcontainer/container_linux.go
+@@ -488,7 +488,6 @@ func (c *linuxContainer) newInitProcess(p *Process, cmd *exec.Cmd, parentPipe, c
+ nsMaps[ns.Type] = ns.Path
+ }
+ }
+- _, sharePidns := nsMaps[configs.NEWPID]
+ data, err := c.bootstrapData(c.config.Namespaces.CloneFlags(), nsMaps)
+ if err != nil {
+ return nil, err
+@@ -502,7 +501,7 @@ func (c *linuxContainer) newInitProcess(p *Process, cmd *exec.Cmd, parentPipe, c
+ container: c,
+ process: p,
+ bootstrapData: data,
+- sharePidns: sharePidns,
++ sharePidns: !c.config.Namespaces.IsPrivate(configs.NEWPID),
+ rootDir: rootDir,
+ }, nil
+ }
+--
+2.33.0
+
diff --git a/runc.spec b/runc.spec
index 2201081826c84d2508cbbde1e48d496c817ddec6..a3b5b567655d08b9e14021b1a9aa3e920a185cd8 100644
--- a/runc.spec
+++ b/runc.spec
@@ -2,7 +2,7 @@ Name: docker-runc
 Version: 1.0.0.rc3
-Release: 212
+Release: 213
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
 License: ASL 2.0
@@ -41,6 +41,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
 %{_bindir}/runc
 %changelog
+* Mon Jun 25 2023 zhongjiawei - 1.0.0.rc3-213
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:sync patch
+
 * Tue Apr 4 2023 zhongjiawei - 1.0.0.rc3-212
 - Type:bugfix
 - CVE:NA
diff --git a/series.conf b/series.conf
index 1f7041a3abc2145f7de49aa815816cf1d0d90bd3..4e53cac6b6e57a7655830e317a974e1295d69c52 100644
--- a/series.conf
+++ b/series.conf
@@ -129,3 +129,4 @@
 0135-runc-libct-cg-fs-blkio-do-not-set-weight-0.patch
 0136-runc-run-resolve-tmpfs-mount-dest-in-container-scope.patch
 0137-runc-Prohibit-proc-and-sys-to-be-symlinks.patch
+0138-runc-libct-fix-shared-pidns-detection.patch
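Review bot: The backported patch does not carry the test its own header promises — the message says "add a test case (which fails without the fix)", but the embedded diffstat lists only `libcontainer/configs/namespaces_syscall.go` and `libcontainer/container_linux.go` (13 insertions, no `_test.go`), so nothing in this tree pins the implicit-host-pidns case that `sharePidns` now drives the kill path for. Either carry the upstream test alongside or state in the patch header why it was dropped, since a silent regression here means processes of a container sharing the caller's PID namespace are left running after the container is killed. A smaller point: `IsPrivate` is declared on a value receiver, `func (n Namespaces) IsPrivate(t NamespaceType) bool`, while the neighbouring `CloneFlags` uses `func (n *Namespaces)`; mixing receiver kinds on one type is conventionally avoided, and `func (n *Namespaces) IsPrivate(t NamespaceType) bool` would keep the method set consistent (the call site `c.config.Namespaces.IsPrivate(...)` is addressable, as the existing `c.config.Namespaces.CloneFlags()` call in the same hunk shows). The doc comment could also name both shared cases explicitly: `// A namespace is shared when it is absent from n (the caller's namespace is inherited) or when it has a non-empty Path (an existing namespace is joined).`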