diff --git a/hack/dockerfile/binaries-commits b/hack/dockerfile/binaries-commits
index 805a4ae5c8..f1c8773b75 100644
--- a/hack/dockerfile/binaries-commits
+++ b/hack/dockerfile/binaries-commits
@@ -1,7 +1,9 @@
 #!/bin/sh
 TOMLV_COMMIT=9baf8a8a9f2ed20a8e54160840c492f937eeaf9a
-RUNC_COMMIT=51371867a01c467f08af739783b8beafc154c4d7
+
+# When updating RUNC_COMMIT, also update runc in vendor.conf accordingly
+RUNC_COMMIT=a01dafd48bc1c7cc12bdb01206f9fea7dd6feb70
 CONTAINERD_COMMIT=78fb8f45890a601e0fd9051cf9f9f74923e950fd
 TINI_COMMIT=949e6facb77383876aeff8a6944dde66b3089574
 LIBNETWORK_COMMIT=7b2b1feb1de4817d522cc372af149ff48d25028e
diff --git a/vendor.conf b/vendor.conf
index aaf0c81c21..47fb2bfe01 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -60,7 +60,8 @@
 github.com/miekg/pkcs11 df8ae6ca730422dba20c768ff38ef7d79077a59f
 github.com/docker/go v1.5.1-1-1-gbaf439e
 github.com/agl/ed25519 d2b94fd789ea21d12fac1a4443dd3a3f79cda72c
-github.com/opencontainers/runc 51371867a01c467f08af739783b8beafc15 # libcontainer
+# When updating, also update RUNC_COMMIT in hack/dockerfile/binaries-commits accordingly
+github.com/opencontainers/runc a01dafd48bc1c7cc12bdb01206f9fea7dd6feb70 https://github.com/docker/runc.git # libcontainer
 github.com/opencontainers/runtime-spec 1c7c27d043c2a5e513a44084d2b10d77d1402b8c # specs
 github.com/seccomp/libseccomp-golang 32f571b70023028bd57d9288c20efbcb237f3ce0 # libcontainer deps (see src/github.com/opencontainers/runc/Godeps/Godeps.json)
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/label/label_selinux.go b/vendor/github.com/opencontainers/runc/libcontainer/label/label_selinux.go
index d76846eafb..f469131e97 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/label/label_selinux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/label/label_selinux.go
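Review bot: The vendor.conf entry now pulls github.com/opencontainers/runc from the https://github.com/docker/runc.git fork, but the two new "keep in sync" comments only talk about matching the hash and say nothing about the repository the commit lives in; a01dafd48bc1c7cc12bdb01206f9fea7dd6feb70 is only meaningful in the repository it was taken from. RUNC_COMMIT in hack/dockerfile/binaries-commits records the same hash with no source URL, and whether the binary build fetches from the same fork is not visible in this diff, so the two pins can look synchronized while resolving against different histories. I would extend the comment on each side to name the source, e.g. `# RUNC_COMMIT refers to a commit in the docker/runc fork (https://github.com/docker/runc.git); keep it in sync with vendor.conf` in binaries-commits and the mirror sentence in vendor.conf.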
@@ -33,19 +33,15 @@ func InitLabels(options []string) (string, string, error) {
 pcon := selinux.NewContext(processLabel)
 mcon := selinux.NewContext(mountLabel)
 for _, opt := range options {
- val := strings.SplitN(opt, "=", 2)
- if val[0] != "label" {
- continue
- }
- if len(val) < 2 {
- return "", "", fmt.Errorf("bad label option %q, valid options 'disable' or \n'user, role, level, type' followed by ':' and a value", opt)
- }
- if val[1] == "disable" {
+ if opt == "disable" {
 return "", "", nil
 }
- con := strings.SplitN(val[1], ":", 2)
- if len(con) < 2 || !validOptions[con[0]] {
- return "", "", fmt.Errorf("bad label option %q, valid options 'disable, user, role, level, type'", con[0])
+ if i := strings.Index(opt, ":"); i == -1 {
+ return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type' followed by ':' and a value", opt)
+ }
+ con := strings.SplitN(opt, ":", 2)
+ if !validOptions[con[0]] {
+ return "", "", fmt.Errorf("Bad label option %q, valid options 'disable, user, role, level, type'", con[0])
 }
 pcon[con[0]] = con[1]
@@ -146,7 +142,7 @@ func Relabel(path string, fileLabel string, shared bool) error {
 fileLabel = c.Get()
 }
 if err := selinux.Chcon(path, fileLabel, true); err != nil {
- return fmt.Errorf("SELinux relabeling of %s is not allowed: %q", path, err)
+ return err
 }
 return nil
 }
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsexec.c b/vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsexec.c
index c80f8e600f..5b680d0ba9 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsexec.c
+++ b/vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsexec.c
@@ -435,6 +435,11 @@ void nsexec(void)
 if (pipenum == -1)
 return;
+ /* make the process non-dumpable */
+ if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) {
+ bail("failed to set process as non-dumpable");
+ }
+
 /* Parse all of the netlink configuration. */
 nl_parse(pipenum, &config);