diff --git a/patch/0152-runc-do-not-support-set-umask-through-native.umask.patch b/patch/0152-runc-do-not-support-set-umask-through-native.umask.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b997cd6b9b08b3bfd85b28cd3cf6eeda4fff0076
--- /dev/null
+++ b/patch/0152-runc-do-not-support-set-umask-through-native.umask.patch
@@ -0,0 +1,48 @@
+From 4ad8d9afa92e3b9a94d9ff099ae21bc771f903da Mon Sep 17 00:00:00 2001
+From: zhongjiawei
+Date: Thu, 11 Jul 2024 19:40:00 +0800
+Subject: [PATCH] runc:do not support set umask through native.umask
+
+---
+ libcontainer/rootfs_linux.go | 6 ------
+ libcontainer/setns_init_linux.go | 7 -------
+ 2 files changed, 13 deletions(-)
+
+diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
+index 7d52b62..a948090 100644
+--- a/libcontainer/rootfs_linux.go
++++ b/libcontainer/rootfs_linux.go
+@@ -149,12 +149,6 @@ func finalizeRootfs(config *configs.Config) (err error) {
+ }
+ }
+ 
+- umask := libcontainerUtils.SearchLabels(config.Labels, "native.umask")
+- if umask == "normal" {
+- syscall.Umask(0022)
+- } else {
+- syscall.Umask(0027)
+- }
+ return nil
+ }
+ 
+diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go
+index 74a91a6..d80fec6 100644
+--- a/libcontainer/setns_init_linux.go
++++ b/libcontainer/setns_init_linux.go
+@@ -45,13 +45,6 @@ func (l *linuxSetnsInit) Init() error {
+ return err
+ }
+ }
+- // set exec process umask to 0027 or 0022 according to container's config
+- umask := utils.SearchLabels(l.config.Config.Labels, "native.umask")
+- if umask == "normal" {
+- syscall.Umask(0022)
+- } else {
+- syscall.Umask(0027)
+- }
+ if l.config.NoNewPrivileges {
+ if err := system.Prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
+ return err
+-- 
+2.33.0
+
diff --git a/runc.spec b/runc.spec
index d1ed5610da6b73490fbcaf00a9195eed296549a5..af4d1d282a0ed96c2792fc12020423eaca3d6eea 100644
--- a/runc.spec
+++ b/runc.spec
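Review bot: Deleting both `syscall.Umask(...)` calls leaves container init (the `finalizeRootfs` hunk) and exec'd processes (the `linuxSetnsInit.Init` hunk) with whatever umask runc inherited from its parent, so the restrictive 0027 default disappears and a `native.umask` label still present in an existing config is now silently ignored; neither the patch description nor the spec changelog (`Type:bugfix`, `CVE:NA`) states what the effective umask becomes after this change. I would say so in the patch body, e.g. `Container and exec processes now inherit the umask of the runc parent (shim/daemon); the native.umask label is ignored`, and, if compatibility matters, have config validation warn on or reject a `native.umask` label rather than dropping it without notice. The diffstat shows no import hunk for either file: if `utils` / `libcontainerUtils` or `syscall` were referenced only by the deleted lines, the files will no longer compile ("imported and not used"), which is worth confirming against the tree. Both `finalizeRootfs` and `Init` start and end outside the hunk.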
@@ -2,7 +2,7 @@ Name: docker-runc
 Version: 1.0.0.rc3
-Release: 225
+Release: 226
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
 License: ASL 2.0
@@ -41,6 +41,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
 %{_bindir}/runc
 %changelog
+* Thu Jul 11 2024 zhongjiawei - 1.0.0.rc3-226
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:do not support set umask through native.umask
+
 * Mon Mar 04 2024 zhongjiawei - 1.0.0.rc3-225
 - Type:bugfix
 - CVE:NA
diff --git a/series.conf b/series.conf
index e3a078c65cba14d3712cd0ed99324ee670ae5a82..acf00ea23da3c69243f49ce7be24b8b40d414ad6 100644
--- a/series.conf
+++ b/series.conf
@@ -143,3 +143,4 @@
 0149-runc-check-cmd-exist.patch
 0150-runc-Fix-File-to-Close.patch
 0151-runc-Fix-tmpfs-mode-opts-when-dir-already-exis.patch
+0152-runc-do-not-support-set-umask-through-native.umask.patch