From 450a0907cf9b3fe550110f412c01792382bec8da Mon Sep 17 00:00:00 2001
From: xiadanni
Date: Thu, 9 Jul 2020 16:01:04 +0800
Subject: [PATCH] runc: fix permission denied

reason: when exec as root and config.Cwd is not owned by root, exec will fail because root doesn't have the caps.

Signed-off-by: Kurnia D Win
Signed-off-by: xiadanni
---
 git-commit | 2 +-
 patch/0120-runc-fix-permission-denied.patch | 45 +++++++++++++++++++++
 runc-openeuler.spec | 2 +-
 series.conf | 1 +
 4 files changed, 48 insertions(+), 2 deletions(-)
 create mode 100644 patch/0120-runc-fix-permission-denied.patch

diff --git a/git-commit b/git-commit
index 1fcc075..2e924b9 100644
--- a/git-commit
+++ b/git-commit
@@ -1 +1 @@
-Ib43bafb0ec680082520d85530ef783b68bc08671
+b12c2b4efdbaa500c4d380bda16fcf758792398e
diff --git a/patch/0120-runc-fix-permission-denied.patch b/patch/0120-runc-fix-permission-denied.patch
new file mode 100644
index 0000000..0c304b8
--- /dev/null
+++ b/patch/0120-runc-fix-permission-denied.patch
@@ -0,0 +1,45 @@
+From 6594d5c042a2253386820a640b3a7087e07d0df2 Mon Sep 17 00:00:00 2001
+From: xiadanni
+Date: Thu, 9 Jul 2020 15:56:54 +0800
+Subject: [PATCH] runc: fix permission denied
+
+reason: when exec as root and config.Cwd is not owned by root,
+exec will fail because root doesn't have the caps.
+
+Signed-off-by: Kurnia D Win
+Signed-off-by: xiadanni
+---
+ libcontainer/init_linux.go | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
+index 2a93431..73505ef 100644
+--- a/libcontainer/init_linux.go
++++ b/libcontainer/init_linux.go
+@@ -118,6 +118,11 @@ func finalizeNamespace(config *initConfig) error {
+ if err := utils.CloseExecFrom(config.PassedFilesCount + 3); err != nil {
+ return err
+ }
++ if config.Cwd != "" {
++ if err := syscall.Chdir(config.Cwd); err != nil {
++ return fmt.Errorf("chdir to cwd (%q) set in config.json failed: %v", config.Cwd, err)
++ }
++ }
+ 
+ capabilities := &configs.Capabilities{}
+ if config.Capabilities != nil {
+@@ -146,11 +151,6 @@ func finalizeNamespace(config *initConfig) error {
+ if err := w.ApplyCaps(); err != nil {
+ return err
+ }
+- if config.Cwd != "" {
+- if err := syscall.Chdir(config.Cwd); err != nil {
+- return fmt.Errorf("chdir to cwd (%q) set in config.json failed: %v", config.Cwd, err)
+- }
+- }
+ return nil
+ }
+ 
+-- 
+1.8.3.1
+
diff --git a/runc-openeuler.spec b/runc-openeuler.spec
index 3efd664..eb64d5f 100644
--- a/runc-openeuler.spec
+++ b/runc-openeuler.spec
@@ -2,7 +2,7 @@
 Name: docker-runc
 Version: 1.0.0.rc3
-Release: 105
+Release: 106
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
 License: ASL 2.0
diff --git a/series.conf b/series.conf
index 02dc07d..b8e7bd2 100644
--- a/series.conf
+++ b/series.conf
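Review bot: The relocated `syscall.Chdir` in the first inner hunk now runs immediately after CloseExecFrom, i.e. before the capability set is even built and (presumably, in the ~25 lines of finalizeNamespace between the two inner hunks) before the container user is switched, so the directory is entered with the init process's full privileges for every exec, not only the root-with-reduced-caps case the commit message describes. A Cwd the final user cannot traverse no longer fails with a permission error; the process simply starts inside it, which masks a misconfiguration the old placement surfaced. If the intent is only the root case, the narrower placement is after the user switch and before `w.ApplyCaps()`, which keeps ordinary DAC checks for non-root users while still fixing root without the DAC capabilities. Either way the new block deserves a why-comment, e.g. `// chdir before capabilities are dropped: root without CAP_DAC_OVERRIDE/CAP_DAC_READ_SEARCH cannot enter a directory it does not own`. finalizeNamespace continues outside both inner hunks.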
@@ -116,3 +116,4 @@
 0117-runc-Pass-back-the-pid-of-runc-1-CHILD-so-w.patch
 0118-runc-rootfs-do-not-permit-proc-mounts-to-no.patch
 0119-runc-use-git-commit-to-store-commit-ID.patch
+0120-runc-fix-permission-denied.patch
-- 
Gitee