Merge pull request #31259 from mlaventure/bump-runc

Bump runc to version a01dafd48bc1c7cc12bdb01206f9fea7dd6feb70

hack/dockerfile/binaries-commits

@@ -1,7 +1,9 @@
 #!/bin/sh
 
 TOMLV_COMMIT=9baf8a8a9f2ed20a8e54160840c492f937eeaf9a
-RUNC_COMMIT=51371867a01c467f08af739783b8beafc154c4d7
+
+# When updating RUNC_COMMIT, also update runc in vendor.conf accordingly
+RUNC_COMMIT=a01dafd48bc1c7cc12bdb01206f9fea7dd6feb70
 CONTAINERD_COMMIT=78fb8f45890a601e0fd9051cf9f9f74923e950fd
 TINI_COMMIT=949e6facb77383876aeff8a6944dde66b3089574
 LIBNETWORK_COMMIT=7b2b1feb1de4817d522cc372af149ff48d25028e

vendor.conf

@@ -60,7 +60,8 @@ github.com/miekg/pkcs11 df8ae6ca730422dba20c768ff38ef7d79077a59f
 github.com/docker/go v1.5.1-1-1-gbaf439e
 github.com/agl/ed25519 d2b94fd789ea21d12fac1a4443dd3a3f79cda72c
 
-github.com/opencontainers/runc 51371867a01c467f08af739783b8beafc15 # libcontainer
+# When updating, also update RUNC_COMMIT in hack/dockerfile/binaries-commits accordingly
+github.com/opencontainers/runc a01dafd48bc1c7cc12bdb01206f9fea7dd6feb70 https://github.com/docker/runc.git # libcontainer
 github.com/opencontainers/runtime-spec 1c7c27d043c2a5e513a44084d2b10d77d1402b8c # specs
 github.com/seccomp/libseccomp-golang 32f571b70023028bd57d9288c20efbcb237f3ce0
 # libcontainer deps (see src/github.com/opencontainers/runc/Godeps/Godeps.json)

vendor/github.com/opencontainers/runc/libcontainer/label/label_selinux.go

@@ -33,19 +33,15 @@ func InitLabels(options []string) (string, string, error) {
 		pcon := selinux.NewContext(processLabel)
 		mcon := selinux.NewContext(mountLabel)
 		for _, opt := range options {
-			val := strings.SplitN(opt, "=", 2)
+			if opt == "disable" {
-			if val[0] != "label" {
-				continue
-			}
-			if len(val) < 2 {
-				return "", "", fmt.Errorf("bad label option %q, valid options 'disable' or \n'user, role, level, type' followed by ':' and a value", opt)
-			}
-			if val[1] == "disable" {
 				return "", "", nil
 			}
-			con := strings.SplitN(val[1], ":", 2)
+			if i := strings.Index(opt, ":"); i == -1 {
-			if len(con) < 2 || !validOptions[con[0]] {
+				return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type' followed by ':' and a value", opt)
-				return "", "", fmt.Errorf("bad label option %q, valid options 'disable, user, role, level, type'", con[0])
+			}
+			con := strings.SplitN(opt, ":", 2)
+			if !validOptions[con[0]] {
+				return "", "", fmt.Errorf("Bad label option %q, valid options 'disable, user, role, level, type'", con[0])
 
 			}
 			pcon[con[0]] = con[1]
@@ -146,7 +142,7 @@ func Relabel(path string, fileLabel string, shared bool) error {
 		fileLabel = c.Get()
 	}
 	if err := selinux.Chcon(path, fileLabel, true); err != nil {
-		return fmt.Errorf("SELinux relabeling of %s is not allowed: %q", path, err)
+		return err
 	}
 	return nil
 }

vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsexec.c

@@ -435,6 +435,11 @@ void nsexec(void)
 	if (pipenum == -1)
 		return;
 
+	/* make the process non-dumpable */
+	if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) {
+		bail("failed to set process as non-dumpable");
+	}
+
 	/* Parse all of the netlink configuration. */
 	nl_parse(pipenum, &config);