!505 update from upstream

From: @zh_xiaoyu 
Reviewed-by: @duguhaotian 
Signed-off-by: @duguhaotian

0046-fix-storage-layer-and-driver-ut-failed-in-container.patch

@@ -0,0 +1,267 @@
+From 6cf9f48c2339f85fa233c4e557da08884f666704 Mon Sep 17 00:00:00 2001
+From: zhangxiaoyu <zhangxiaoyu58@huawei.com>
+Date: Tue, 22 Nov 2022 16:52:51 +0800
+Subject: [PATCH 46/54] fix storage layer and driver ut failed in container
+
+Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
+---
+ .../oci/storage/layers/storage_driver_ut.cc   | 61 ++++++++++++++++---
+ .../oci/storage/layers/storage_layers_ut.cc   | 54 +++++++++++++++-
+ 2 files changed, 106 insertions(+), 9 deletions(-)
+
+diff --git a/test/image/oci/storage/layers/storage_driver_ut.cc b/test/image/oci/storage/layers/storage_driver_ut.cc
+index 735526f1..650368d8 100644
+--- a/test/image/oci/storage/layers/storage_driver_ut.cc
++++ b/test/image/oci/storage/layers/storage_driver_ut.cc
+@@ -58,6 +58,28 @@ std::string GetDirectory()
+     return static_cast<std::string>(abs_path) + "../../../../../../test/image/oci/storage/layers";
+ }
+ 
++bool check_support_overlay(std::string root_dir)
++{
++    if (!util_support_overlay()) {
++        std::cout << "Cannot support overlay, skip storage driver ut test." << std::endl;
++        return false;
++    }
++
++    char *backing_fs = util_get_fs_name(root_dir.c_str());
++    if (backing_fs == NULL) {
++        std::cout << "Failed to get fs name for " << root_dir << ", skip storage driver ut test." << std::endl;
++        return false;
++    }
++
++    if (strcmp(backing_fs, "aufs") == 0 || strcmp(backing_fs, "zfs") == 0 || strcmp(backing_fs, "overlayfs") == 0 ||
++        strcmp(backing_fs, "ecryptfs") == 0) {
++        std::cout << "Backing fs cannot support overlay, skip storage driver ut test." << std::endl;
++        return false;
++    }
++
++    return true;
++}
++
+ bool dirExists(const char *path)
+ {
+     DIR *dp = nullptr;
+@@ -99,11 +121,16 @@ protected:
+     void SetUp() override
+     {
+         MockDriverQuota_SetMock(&m_driver_quota_mock);
+-        std::string isulad_dir { "/var/lib/isulad/" };
++        std::string isulad_dir { "/tmp/isulad/" };
++        mkdir(isulad_dir.c_str(), 0755);
+         std::string root_dir = isulad_dir + "data";
+         std::string run_dir = isulad_dir + "data/run";
+         std::string data_dir = GetDirectory() + "/data";
+-        struct storage_module_init_options *opts;
++
++        support_overlay = check_support_overlay(root_dir);
++        if (!support_overlay) {
++            return;
++        }
+ 
+         ASSERT_STRNE(util_clean_path(data_dir.c_str(), data_path, sizeof(data_path)), nullptr);
+         std::string cp_command = "cp -r " + std::string(data_path) + " " + isulad_dir;
+@@ -117,15 +144,16 @@ protected:
+                             + root_dir + "/overlay/9c27e219663c25e0f28493790cc0b88bc973ba3b1686355f221c38a36978ac63/work ";
+         ASSERT_EQ(system(mkdir.c_str()), 0);
+ 
+-        opts = (struct storage_module_init_options *)util_common_calloc_s(sizeof(struct storage_module_init_options));
++        struct storage_module_init_options *opts = (struct storage_module_init_options *)util_common_calloc_s(sizeof(struct storage_module_init_options));
+         opts->storage_root = strdup(root_dir.c_str());
+         opts->storage_run_root = strdup(run_dir.c_str());
+         opts->driver_name = strdup("overlay");
+-        opts->driver_opts = (char **)util_common_calloc_s(4 * sizeof(char *));
++        opts->driver_opts = (char **)util_common_calloc_s(5 * sizeof(char *));
+         opts->driver_opts[0] = strdup("overlay2.basesize=128M");
+         opts->driver_opts[1] = strdup("overlay2.override_kernel_check=true");
+         opts->driver_opts[2] = strdup("overlay2.skip_mount_home=false");
+         opts->driver_opts[3] = strdup("overlay2.mountopt=rw");
++        opts->driver_opts[4] = strdup("overlay2.skip_mount_home=true");
+         opts->driver_opts_len = 4;
+ 
+         EXPECT_CALL(m_driver_quota_mock, QuotaCtl(_, _, _, _)).WillRepeatedly(Invoke(invokeQuotaCtl));
+@@ -141,18 +169,25 @@ protected:
+     void TearDown() override
+     {
+         MockDriverQuota_SetMock(nullptr);
+-        ASSERT_EQ(graphdriver_cleanup(), 0);
+-        std::string rm_command = "rm -rf /var/lib/isulad/data";
++        if (support_overlay) {
++            ASSERT_EQ(graphdriver_cleanup(), 0);
++        }
++        std::string rm_command = "rm -rf /tmp/isulad/";
+         ASSERT_EQ(system(rm_command.c_str()), 0);
+     }
+ 
+     NiceMock<MockDriverQuota> m_driver_quota_mock;
+     char data_path[PATH_MAX] = { 0x00 };
++    bool support_overlay;
+ };
+ 
+ 
+ TEST_F(StorageDriverUnitTest, test_graphdriver_layer_exists)
+ {
++    if (!support_overlay) {
++        return;
++    }
++
+     std::string id { "9c27e219663c25e0f28493790cc0b88bc973ba3b1686355f221c38a36978ac63" };
+     std::string incorrectId { "eb29745b8228e1e97c01b1d5c2554a319c00a94d8dd5746a3904222ad65a13f8" };
+     ASSERT_TRUE(graphdriver_layer_exists(id.c_str()));
+@@ -161,6 +196,10 @@ TEST_F(StorageDriverUnitTest, test_graphdriver_layer_exists)
+ 
+ TEST_F(StorageDriverUnitTest, test_graphdriver_create_rw)
+ {
++    if (!support_overlay) {
++        return;
++    }
++
+     std::string id { "eb29745b8228e1e97c01b1d5c2554a319c00a94d8dd5746a3904222ad65a13f8" };
+     struct driver_create_opts *create_opts;
+ 
+@@ -186,8 +225,12 @@ TEST_F(StorageDriverUnitTest, test_graphdriver_create_rw)
+ 
+ TEST_F(StorageDriverUnitTest, test_graphdriver_mount_layer)
+ {
++    if (!support_overlay) {
++        return;
++    }
++
+     std::string id { "9c27e219663c25e0f28493790cc0b88bc973ba3b1686355f221c38a36978ac63" };
+-    std::string merged_dir = "/var/lib/isulad/data/overlay/" + id + "/merged";
++    std::string merged_dir = "/tmp/isulad/data/overlay/" + id + "/merged";
+     struct driver_mount_opts *mount_opts = nullptr;
+     char* mount_dir = nullptr;
+ 
+@@ -219,6 +262,10 @@ TEST_F(StorageDriverUnitTest, test_graphdriver_mount_layer)
+ 
+ TEST_F(StorageDriverUnitTest, test_graphdriver_try_repair_lowers)
+ {
++    if (!support_overlay) {
++        return;
++    }
++
+     std::string id { "1be74353c3d0fd55fb5638a52953e6f1bc441e5b1710921db9ec2aa202725569" };
+     ASSERT_EQ(graphdriver_try_repair_lowers(id.c_str(), nullptr), 0);
+ }
+diff --git a/test/image/oci/storage/layers/storage_layers_ut.cc b/test/image/oci/storage/layers/storage_layers_ut.cc
+index 87dfb4a1..fca37e83 100644
+--- a/test/image/oci/storage/layers/storage_layers_ut.cc
++++ b/test/image/oci/storage/layers/storage_layers_ut.cc
+@@ -59,6 +59,28 @@ std::string GetDirectory()
+     return static_cast<std::string>(abs_path) + "../../../../../../test/image/oci/storage/layers";
+ }
+ 
++bool check_support_overlay(std::string root_dir)
++{
++    if (!util_support_overlay()) {
++        std::cout << "Cannot support overlay, skip storage driver ut test." << std::endl;
++        return false;
++    }
++
++    char *backing_fs = util_get_fs_name(root_dir.c_str());
++    if (backing_fs == NULL) {
++        std::cout << "Failed to get fs name for " << root_dir << ", skip storage driver ut test." << std::endl;
++        return false;
++    }
++
++    if (strcmp(backing_fs, "aufs") == 0 || strcmp(backing_fs, "zfs") == 0 || strcmp(backing_fs, "overlayfs") == 0 ||
++        strcmp(backing_fs, "ecryptfs") == 0) {
++        std::cout << "Backing fs cannot support overlay, skip storage driver ut test." << std::endl;
++        return false;
++    }
++
++    return true;
++}
++
+ bool dirExists(const char *path)
+ {
+     DIR *dp = nullptr;
+@@ -159,6 +181,11 @@ protected:
+         std::string run_dir = isulad_dir + "data/run";
+         std::string data_dir = GetDirectory() + "/data";
+ 
++        support_overlay = check_support_overlay(root_dir);
++        if (!support_overlay) {
++            return;
++        }
++
+         ASSERT_STRNE(util_clean_path(data_dir.c_str(), data_path, sizeof(data_path)), nullptr);
+         std::string cp_command = "cp -r " + std::string(data_path) + " " + isulad_dir;
+         ASSERT_EQ(system(cp_command.c_str()), 0);
+@@ -186,8 +213,10 @@ protected:
+     {
+         MockDriverQuota_SetMock(nullptr);
+ 
+-        layer_store_exit();
+-        layer_store_cleanup();
++        if (support_overlay) {
++            layer_store_exit();
++            layer_store_cleanup();
++        }
+ 
+         std::string rm_command = "rm -rf /tmp/isulad/";
+         ASSERT_EQ(system(rm_command.c_str()), 0);
+@@ -197,10 +226,15 @@ protected:
+     char real_path[PATH_MAX] = { 0x00 };
+     char real_run_path[PATH_MAX] = { 0x00 };
+     char data_path[PATH_MAX] = { 0x00 };
++    bool support_overlay;
+ };
+ 
+ TEST_F(StorageLayersUnitTest, test_layers_load)
+ {
++    if (!support_overlay) {
++        return;
++    }
++
+     struct layer_list *layer_list = (struct layer_list *)util_common_calloc_s(sizeof(struct layer_list));
+     ASSERT_NE(layer_list, nullptr);
+ 
+@@ -246,6 +280,10 @@ TEST_F(StorageLayersUnitTest, test_layers_load)
+ 
+ TEST_F(StorageLayersUnitTest, test_layer_store_exists)
+ {
++    if (!support_overlay) {
++        return;
++    }
++
+     std::string id { "7db8f44a0a8e12ea4283e3180e98880007efbd5de2e7c98b67de9cdd4dfffb0b" };
+     std::string incorrectId { "50551ff67da98ab8540d7132" };
+ 
+@@ -255,6 +293,10 @@ TEST_F(StorageLayersUnitTest, test_layer_store_exists)
+ 
+ TEST_F(StorageLayersUnitTest, test_layer_store_create)
+ {
++    if (!support_overlay) {
++        return;
++    }
++
+     struct layer_opts *layer_opt = (struct layer_opts *)util_common_calloc_s(sizeof(struct layer_opts));
+     layer_opt->parent = strdup("9c27e219663c25e0f28493790cc0b88bc973ba3b1686355f221c38a36978ac63");
+     layer_opt->writable = true;
+@@ -278,6 +320,10 @@ TEST_F(StorageLayersUnitTest, test_layer_store_create)
+ 
+ TEST_F(StorageLayersUnitTest, test_layer_store_by_compress_digest)
+ {
++    if (!support_overlay) {
++        return;
++    }
++
+     std::string compress { "sha256:0e03bdcc26d7a9a57ef3b6f1bf1a210cff6239bff7c8cac72435984032851689" };
+     std::string id { "9c27e219663c25e0f28493790cc0b88bc973ba3b1686355f221c38a36978ac63" };
+     struct layer_list *layer_list = (struct layer_list *)util_common_calloc_s(sizeof(struct layer_list));
+@@ -294,6 +340,10 @@ TEST_F(StorageLayersUnitTest, test_layer_store_by_compress_digest)
+ 
+ TEST_F(StorageLayersUnitTest, test_layer_store_by_uncompress_digest)
+ {
++    if (!support_overlay) {
++        return;
++    }
++
+     std::string uncompress { "sha256:9c27e219663c25e0f28493790cc0b88bc973ba3b1686355f221c38a36978ac63" };
+     std::string id { "9c27e219663c25e0f28493790cc0b88bc973ba3b1686355f221c38a36978ac63" };
+     struct layer_list *layer_list = (struct layer_list *)util_common_calloc_s(sizeof(struct layer_list));
+-- 
+2.25.1
+

0047-handle-security-warning-for-cleanup-module.patch

@@ -0,0 +1,96 @@
+From 9c056dc6d696d3eabd192ad6b396e27bb5846362 Mon Sep 17 00:00:00 2001
+From: "Neil.wrz" <wangrunze13@huawei.com>
+Date: Thu, 17 Nov 2022 19:25:26 -0800
+Subject: [PATCH 47/54] handle security warning for cleanup module
+
+Signed-off-by: Neil.wrz <wangrunze13@huawei.com>
+---
+ .../container/leftover_cleanup/cleanup.c        | 17 +++++++++++++----
+ src/daemon/modules/image/image.c                | 14 +++++++++++---
+ 2 files changed, 24 insertions(+), 7 deletions(-)
+
+diff --git a/src/daemon/modules/container/leftover_cleanup/cleanup.c b/src/daemon/modules/container/leftover_cleanup/cleanup.c
+index ec9517cf..9ce1dd0c 100644
+--- a/src/daemon/modules/container/leftover_cleanup/cleanup.c
++++ b/src/daemon/modules/container/leftover_cleanup/cleanup.c
+@@ -82,15 +82,25 @@ static int default_cleaner()
+ 
+ static struct cleaners *cleaner_init()
+ {
++    int ret = 0;
+     struct cleaners *clns = create_cleaners();
+     
+     if (clns == NULL) {
+         return NULL;
+     }
+ 
+-    add_clean_node(clns, default_cleaner, "default clean");
++    ret = add_clean_node(clns, default_cleaner, "default clean");
++    if (ret != 0) {
++        ERROR("add default_cleaner error");
++        return clns;
++    }
++
+ #ifdef ENABLE_OCI_IMAGE
+-    add_clean_node(clns, oci_rootfs_cleaner, "clean rootfs");
++    ret = add_clean_node(clns, oci_rootfs_cleaner, "clean rootfs");
++    if (ret != 0) {
++        ERROR("add oci_rootfs_cleaner error");
++        return clns;
++    }
+ #endif
+ 
+     return clns;
+@@ -101,11 +111,10 @@ static void do_clean(struct cleaners * clns)
+     struct linked_list *it = NULL;
+     struct linked_list *next = NULL;
+     struct clean_node *c_node = NULL;
+-    int ret = 0;
+ 
+     linked_list_for_each_safe(it, &(clns->cleaner_list), next) {
+         c_node = (struct clean_node *)it->elem;
+-        if ((ret = c_node->cleaner()) != 0) {
++        if (c_node->cleaner() != 0) {
+             ERROR("failed to clean for: %s", c_node->desc);
+         } else {
+             DEBUG("do clean success for: %s", c_node->desc);
+diff --git a/src/daemon/modules/image/image.c b/src/daemon/modules/image/image.c
+index ed7d968a..fb0db361 100644
+--- a/src/daemon/modules/image/image.c
++++ b/src/daemon/modules/image/image.c
+@@ -1775,21 +1775,29 @@ int im_container_export(const im_export_request *request)
+ #ifdef ENABLE_OCI_IMAGE
+ char *im_get_rootfs_dir(const im_get_rf_dir_request *request) {
+     char *dir = NULL;
++    struct bim *bim = NULL;
+ 
+     if (request->type == NULL) {
+         ERROR("Missing image type");
+         return NULL;
+     }
+ 
+-    struct bim *bim = NULL;
+     bim = bim_get(request->type, NULL, NULL, NULL);
++
++    if (bim == NULL) {
++        ERROR("Failed to init bim, image type:%s", request->type);
++        return NULL;
++    }
++
+     if (bim->ops->get_dir_rf == NULL) {
+         ERROR("Unimplemnts get rootfs dir in %s", bim->type);
+-        return NULL;
++        goto out;
+     }
++
+     dir = bim->ops->get_dir_rf();
+-    bim_put(bim);
+ 
++out:
++    bim_put(bim);
+     return dir;
+ }
+ #else
+-- 
+2.25.1
+

0048-add-unit-test-for-util-sha256.patch

@@ -0,0 +1,222 @@
+From 4029481a18ba302e4842b40f479dac63381570f3 Mon Sep 17 00:00:00 2001
+From: chengzrz <czrzrichard@gmail.com>
+Date: Fri, 25 Nov 2022 10:13:43 +0800
+Subject: [PATCH 48/54] add unit test for util/sha256
+
+Signed-off-by: chengzrz <czrzrichard@gmail.com>
+---
+ test/CMakeLists.txt        |   1 +
+ test/sha256/CMakeLists.txt |  18 +++++
+ test/sha256/sha256_ut.cc   | 162 +++++++++++++++++++++++++++++++++++++
+ 3 files changed, 181 insertions(+)
+ create mode 100644 test/sha256/CMakeLists.txt
+ create mode 100644 test/sha256/sha256_ut.cc
+
+diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt
+index 6b6cd5de..27201100 100644
+--- a/test/CMakeLists.txt
++++ b/test/CMakeLists.txt
+@@ -44,6 +44,7 @@ IF(ENABLE_UT)
+     add_subdirectory(runtime)
+     add_subdirectory(specs)
+     add_subdirectory(services)
++    add_subdirectory(sha256)
+ ENDIF(ENABLE_UT)
+ 
+ IF(ENABLE_FUZZ)
+diff --git a/test/sha256/CMakeLists.txt b/test/sha256/CMakeLists.txt
+new file mode 100644
+index 00000000..10779f4c
+--- /dev/null
++++ b/test/sha256/CMakeLists.txt
+@@ -0,0 +1,18 @@
++project(iSulad_UT)
++
++SET(EXE sha256_ut)
++
++add_executable(${EXE}
++    ${CMAKE_CURRENT_SOURCE_DIR}/../../src/utils/tar/util_gzip.c
++    ${CMAKE_CURRENT_SOURCE_DIR}/../../src/utils/sha256/sha256.c
++    sha256_ut.cc)
++
++target_include_directories(${EXE} PUBLIC
++    ${GTEST_INCLUDE_DIR}
++    ${CMAKE_CURRENT_SOURCE_DIR}/../../include
++    ${CMAKE_CURRENT_SOURCE_DIR}/../../src/common
++    ${CMAKE_CURRENT_SOURCE_DIR}/../../src/utils/tar
++    ${CMAKE_CURRENT_SOURCE_DIR}/../../src/utils/sha256
++    )
++target_link_libraries(${EXE} ${GTEST_BOTH_LIBRARIES} ${CMAKE_THREAD_LIBS_INIT} ${ISULA_LIBUTILS_LIBRARY} libutils_ut -lcrypto -lyajl -lz)
++add_test(NAME ${EXE} COMMAND ${EXE} --gtest_output=xml:${EXE}-Results.xml)
+diff --git a/test/sha256/sha256_ut.cc b/test/sha256/sha256_ut.cc
+new file mode 100644
+index 00000000..746220d7
+--- /dev/null
++++ b/test/sha256/sha256_ut.cc
+@@ -0,0 +1,162 @@
++/*
++ * Copyright (c) Huawei Technologies Co., Ltd. 2022. All rights reserved.
++ * iSulad licensed under the Mulan PSL v2.
++ * You can use this software according to the terms and conditions of the Mulan PSL v2.
++ * You may obtain a copy of Mulan PSL v2 at:
++ *     http://license.coscl.org.cn/MulanPSL2
++ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
++ * PURPOSE.
++ * See the Mulan PSL v2 for more details.
++ * Description: sha256 unit test
++ * Author: chengzeruizhi
++ * Create: 2022-11-22
++ */
++
++#include <gtest/gtest.h>
++
++#include "constants.h"
++#include "util_gzip.h"
++#include "utils.h"
++#include "utils_file.h"
++#include "sha256.h"
++
++TEST(sha256, test_sha256_digest_file)
++{
++    int get_err;
++    char *digest = sha256_digest_file(NULL, false);
++    EXPECT_EQ(digest, nullptr);
++
++    digest = sha256_digest_file(NULL, true);
++    EXPECT_EQ(digest, nullptr);
++
++    int fd = util_open("/tmp/sha256_empty_file", O_RDWR | O_CREAT, DEFAULT_SECURE_FILE_MODE);
++    ASSERT_GE(fd, 0);
++    digest = sha256_digest_file("/tmp/sha256_empty_file", false);
++    EXPECT_STREQ(digest, "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855");
++    int emptyfile_ret = util_gzip_z("/tmp/sha256_empty_file", "/tmp/sha256_empty_file.gz", DEFAULT_SECURE_FILE_MODE);
++    digest = sha256_digest_file("/tmp/sha256_empty_file.gz", true);
++    EXPECT_STREQ(digest, "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855");
++    close(fd);
++    util_force_remove_file("/tmp/sha256_empty_file", &get_err);
++    if (emptyfile_ret == 0) {
++        util_force_remove_file("/tmp/sha256_empty_file.gz", &get_err);
++    }
++
++    int fd2 = util_open("/tmp/sha256_test_file", O_RDWR | O_CREAT, DEFAULT_SECURE_FILE_MODE);
++    ASSERT_GE(fd2, 0);
++    util_write_nointr(fd2, "asdjfljsad", 10);
++    digest = sha256_digest_file("/tmp/sha256_test_file", false);
++    EXPECT_STREQ(digest, "fe2d2648f9221659cf67068096ba561211d06d37dbfaf2d61b0b3bc34f43d3e1");
++    int testfile_ret = util_gzip_z("/tmp/sha256_test_file", "/tmp/sha256_test_file.gz", DEFAULT_SECURE_FILE_MODE);
++    digest = sha256_digest_file("/tmp/sha256_test_file.gz", true);
++    EXPECT_STREQ(digest, "fe2d2648f9221659cf67068096ba561211d06d37dbfaf2d61b0b3bc34f43d3e1");
++    close(fd2);
++    util_force_remove_file("/tmp/sha256_test_file", &get_err);
++    if (testfile_ret == 0) {
++        util_force_remove_file("/tmp/sha256_test_file.gz", &get_err);
++    }
++}
++
++TEST(sha256, test_sha256_digest_str)
++{
++    char *digest = sha256_digest_str(NULL);
++    EXPECT_EQ(digest, nullptr);
++
++    digest = sha256_digest_str("");
++    EXPECT_STREQ(digest, "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855");
++
++    digest = sha256_digest_str(
++            "^cvdgfdgghaswere3575676y&*`~cx,xfdgdvcvdfd][';./?.,<>|\\!@#$%^&*()_+=-090wvvs3sdfel33cxvdf***$");
++    EXPECT_STREQ(digest, "899a57a99c14c047eab26f8d6719da256a0737f6c28728ba5777b4fc5398c657");
++}
++
++TEST(sha256, test_sha256_full_gzip_digest)
++{
++    int get_err;
++    char *digest = sha256_full_gzip_digest(NULL);
++    EXPECT_EQ(digest, nullptr);
++
++    int fd = util_open("/tmp/sha256_empty_file", O_RDWR | O_CREAT, DEFAULT_SECURE_FILE_MODE);
++    ASSERT_GE(fd, 0);
++    digest = sha256_full_gzip_digest("/tmp/sha256_empty_file");
++    EXPECT_EQ(digest, nullptr);
++
++    int emptyfile_ret = util_gzip_z("/tmp/sha256_empty_file", "/tmp/sha256_empty_file.gz", DEFAULT_SECURE_FILE_MODE);
++    digest = sha256_full_gzip_digest("/tmp/sha256_empty_file.gz");
++    EXPECT_STREQ(digest, "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855");
++    close(fd);
++    util_force_remove_file("/tmp/sha256_empty_file", &get_err);
++    if (emptyfile_ret == 0) {
++        util_force_remove_file("/tmp/sha256_empty_file.gz", &get_err);
++    }
++
++    int fd2 = util_open("/tmp/sha256_test_file", O_RDWR | O_CREAT, DEFAULT_SECURE_FILE_MODE);
++    ASSERT_GE(fd2, 0);
++    util_write_nointr(fd2, "asdjfljsad", 10);
++    digest = sha256_full_gzip_digest("/tmp/sha256_test_file");
++    EXPECT_EQ(digest, nullptr);
++    int testfile_ret = util_gzip_z("/tmp/sha256_test_file", "/tmp/sha256_test_file.gz", DEFAULT_SECURE_FILE_MODE);
++    digest = sha256_full_gzip_digest("/tmp/sha256_test_file.gz");
++    EXPECT_STREQ(digest, "sha256:fe2d2648f9221659cf67068096ba561211d06d37dbfaf2d61b0b3bc34f43d3e1");
++    close(fd2);
++    util_force_remove_file("/tmp/sha256_test_file", &get_err);
++    if (testfile_ret == 0) {
++        util_force_remove_file("/tmp/sha256_test_file.gz", &get_err);
++    }
++}
++
++TEST(sha256, test_sha256_full_file_digest)
++{
++    int get_err;
++    char *digest = sha256_full_file_digest(NULL);
++    EXPECT_EQ(digest, nullptr);
++
++    int fd = util_open("/tmp/sha256_empty_file", O_RDWR | O_CREAT, DEFAULT_SECURE_FILE_MODE);
++    ASSERT_GE(fd, 0);
++    digest = sha256_full_file_digest("/tmp/sha256_empty_file");
++    EXPECT_STREQ(digest, "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855");
++    close(fd);
++    util_force_remove_file("/tmp/sha256_empty_file", &get_err);
++
++    int fd2 = util_open("/tmp/sha256_test_file", O_RDWR | O_CREAT, DEFAULT_SECURE_FILE_MODE);
++    ASSERT_GE(fd2, 0);
++    util_write_nointr(fd2, "asdjfljsad", 10);
++    digest = sha256_full_file_digest("/tmp/sha256_test_file");
++    EXPECT_STREQ(digest, "sha256:fe2d2648f9221659cf67068096ba561211d06d37dbfaf2d61b0b3bc34f43d3e1");
++    close(fd2);
++    util_force_remove_file("/tmp/sha256_test_file", &get_err);
++}
++
++TEST(sha256, test_sha256_valid_digest_file)
++{
++    int get_err;
++
++    ASSERT_FALSE(sha256_valid_digest_file(NULL, NULL));
++    int fd = util_open("/tmp/sha256_test_file", O_RDWR | O_CREAT, DEFAULT_SECURE_FILE_MODE);
++    ASSERT_GE(fd, 0);
++    util_write_nointr(fd, "asdjfljsad", 10);
++    EXPECT_TRUE(sha256_valid_digest_file("/tmp/sha256_test_file",
++                                         "sha256:fe2d2648f9221659cf67068096ba561211d06d37dbfaf2d61b0b3bc34f43d3e1"));
++    util_force_remove_file("/tmp/sha256_test_file", &get_err);
++}
++
++TEST(sha256, test_sha256_full_digest_str)
++{
++    char *full_digest = sha256_full_digest_str(NULL);
++    EXPECT_EQ(full_digest, nullptr);
++    full_digest = sha256_full_digest_str(util_strdup_s(""));
++    EXPECT_STREQ(full_digest, "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855");
++}
++
++TEST(sha256, test_util_without_sha256_prefix)
++{
++    char *digest = util_without_sha256_prefix(NULL);
++    EXPECT_EQ(digest, nullptr);
++    digest = util_without_sha256_prefix(util_strdup_s("sha246:"));
++    EXPECT_EQ(digest, nullptr);
++    digest = util_without_sha256_prefix(util_strdup_s("sha256:"));
++    EXPECT_STREQ(digest, "");
++    digest = util_without_sha256_prefix(util_strdup_s("sha256:asdfawf2q3rqrg234rewfd]\a]sd;v.z/xc"));
++    EXPECT_STREQ(digest, "asdfawf2q3rqrg234rewfd]\a]sd;v.z/xc");
++}
+\ No newline at end of file
+-- 
+2.25.1
+

0049-add-primary-group-to-additional-groups.patch

@@ -1,7 +1,7 @@
 From d1527a3b8405d92f638c46c8250f2636ba18c644 Mon Sep 17 00:00:00 2001
 From: zhangxiaoyu <zhangxiaoyu58@huawei.com>
 Date: Fri, 25 Nov 2022 16:22:47 +0800
-Subject: [PATCH] add primary group to additional groups
+Subject: [PATCH 49/54] add primary group to additional groups
 
 Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
 ---

0050-add-unit-test-for-buffer.patch

@@ -0,0 +1,178 @@
+From afad1f4da9a5411280e094e121cba18180d60958 Mon Sep 17 00:00:00 2001
+From: chengzrz <czrzrichard@gmail.com>
+Date: Fri, 25 Nov 2022 17:15:22 +0800
+Subject: [PATCH 50/54] add unit test for buffer
+
+Signed-off-by: chengzrz <czrzrichard@gmail.com>
+---
+ test/CMakeLists.txt        |  1 +
+ test/buffer/CMakeLists.txt | 17 ++++++++
+ test/buffer/buffer_ut.cc   | 89 ++++++++++++++++++++++++++++++++++++++
+ test/tar/CMakeLists.txt    | 18 ++++++++
+ test/tar/tar_ut.cc         |  0
+ 5 files changed, 125 insertions(+)
+ create mode 100644 test/buffer/CMakeLists.txt
+ create mode 100644 test/buffer/buffer_ut.cc
+ create mode 100644 test/tar/CMakeLists.txt
+ create mode 100644 test/tar/tar_ut.cc
+
+diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt
+index 27201100..8b927f91 100644
+--- a/test/CMakeLists.txt
++++ b/test/CMakeLists.txt
+@@ -45,6 +45,7 @@ IF(ENABLE_UT)
+     add_subdirectory(specs)
+     add_subdirectory(services)
+     add_subdirectory(sha256)
++    add_subdirectory(buffer)
+ ENDIF(ENABLE_UT)
+ 
+ IF(ENABLE_FUZZ)
+diff --git a/test/buffer/CMakeLists.txt b/test/buffer/CMakeLists.txt
+new file mode 100644
+index 00000000..f900b592
+--- /dev/null
++++ b/test/buffer/CMakeLists.txt
+@@ -0,0 +1,17 @@
++project(iSulad_UT)
++
++SET(EXE buffer_ut)
++
++add_executable(${EXE}
++    ${CMAKE_CURRENT_SOURCE_DIR}/../../src/utils/buffer/buffer.c
++    buffer_ut.cc)
++
++target_include_directories(${EXE} PUBLIC
++    ${GTEST_INCLUDE_DIR}
++    ${CMAKE_CURRENT_SOURCE_DIR}/../../include
++    ${CMAKE_CURRENT_SOURCE_DIR}/../../src/common
++    ${CMAKE_CURRENT_SOURCE_DIR}/../../src/utils/buffer
++    )
++
++target_link_libraries(${EXE} ${GTEST_BOTH_LIBRARIES} ${CMAKE_THREAD_LIBS_INIT} ${ISULA_LIBUTILS_LIBRARY} libutils_ut -lcrypto -lyajl -lz)
++add_test(NAME ${EXE} COMMAND ${EXE} --gtest_output=xml:${EXE}-Results.xml)
+diff --git a/test/buffer/buffer_ut.cc b/test/buffer/buffer_ut.cc
+new file mode 100644
+index 00000000..9c5630e0
+--- /dev/null
++++ b/test/buffer/buffer_ut.cc
+@@ -0,0 +1,89 @@
++/*
++ * Copyright (c) Huawei Technologies Co., Ltd. 2022. All rights reserved.
++ * iSulad licensed under the Mulan PSL v2.
++ * You can use this software according to the terms and conditions of the Mulan PSL v2.
++ * You may obtain a copy of Mulan PSL v2 at:
++ *     http://license.coscl.org.cn/MulanPSL2
++ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
++ * PURPOSE.
++ * See the Mulan PSL v2 for more details.
++ * Description: buffer unit test
++ * Author: chengzeruizhi
++ * Create: 2022-11-29
++ */
++
++#include <gtest/gtest.h>
++
++#include "buffer.h"
++
++TEST(buffer, test_buffer_alloc)
++{
++    Buffer *buffer = buffer_alloc(0);
++    EXPECT_EQ(buffer, nullptr);
++
++    buffer = buffer_alloc(-1);
++    EXPECT_EQ(buffer, nullptr);
++
++    buffer = buffer_alloc(SIZE_MAX + 1);
++    EXPECT_EQ(buffer, nullptr);
++
++    buffer = buffer_alloc(10);
++    ASSERT_NE(buffer, nullptr);
++    EXPECT_EQ(buffer->total_size, 10);
++    EXPECT_EQ(buffer->bytes_used, 0);
++    EXPECT_NE(buffer->contents, nullptr);
++    buffer_free(buffer);
++}
++
++TEST(buffer, test_buffer_strlen)
++{
++    Buffer *buffer = buffer_alloc(0);
++    EXPECT_EQ(buffer_strlen(buffer), 0);
++    buffer = buffer_alloc(-1);
++    EXPECT_EQ(buffer_strlen(buffer), 0);
++    buffer = buffer_alloc(SIZE_MAX + 1);
++    EXPECT_EQ(buffer_strlen(buffer), 0);
++    buffer = buffer_alloc(10);
++    ASSERT_NE(buffer, nullptr);
++    EXPECT_EQ(buffer_strlen(buffer), 0);
++    ASSERT_EQ(buffer_append(buffer, "append", 6), 0);
++    EXPECT_EQ(buffer_strlen(buffer), 6);
++    buffer_free(buffer);
++}
++
++TEST(buffer, test_buffer_free)
++{
++    Buffer *buffer = nullptr;
++    buffer_free(buffer);
++    EXPECT_EQ(buffer, nullptr);
++}
++
++TEST(buffer, test_buffer_append)
++{
++    EXPECT_EQ(buffer_append(nullptr, "append", 6), -1);
++    Buffer *buffer = buffer_alloc(5);
++    EXPECT_EQ(buffer_append(buffer, "buffer needs to grow", 20), 0);
++    EXPECT_STREQ(buffer->contents, "buffer needs to grow");
++    EXPECT_EQ(buffer->bytes_used, 20);
++    EXPECT_EQ(buffer->total_size, 42);
++    buffer_free(buffer);
++
++    buffer = buffer_alloc(20);
++    EXPECT_EQ(buffer_append(buffer, "first", 5), 0);
++    EXPECT_EQ(buffer->bytes_used, 5);
++    EXPECT_STREQ(buffer->contents, "first");
++    EXPECT_EQ(buffer_append(buffer, "second", 6), 0);
++    EXPECT_EQ(buffer->bytes_used, 11);
++    EXPECT_EQ(buffer->total_size, 20);
++    EXPECT_STREQ(buffer->contents, "firstsecond");
++}
++
++TEST(buffer, test_buffer_empty)
++{
++    Buffer *buffer = buffer_alloc(10);
++    buffer_append(buffer, "content", 7);
++    buffer_empty(buffer);
++    EXPECT_EQ(buffer->total_size, 10);
++    EXPECT_EQ(buffer->bytes_used, 0);
++}
+diff --git a/test/tar/CMakeLists.txt b/test/tar/CMakeLists.txt
+new file mode 100644
+index 00000000..10779f4c
+--- /dev/null
++++ b/test/tar/CMakeLists.txt
+@@ -0,0 +1,18 @@
++project(iSulad_UT)
++
++SET(EXE sha256_ut)
++
++add_executable(${EXE}
++    ${CMAKE_CURRENT_SOURCE_DIR}/../../src/utils/tar/util_gzip.c
++    ${CMAKE_CURRENT_SOURCE_DIR}/../../src/utils/sha256/sha256.c
++    sha256_ut.cc)
++
++target_include_directories(${EXE} PUBLIC
++    ${GTEST_INCLUDE_DIR}
++    ${CMAKE_CURRENT_SOURCE_DIR}/../../include
++    ${CMAKE_CURRENT_SOURCE_DIR}/../../src/common
++    ${CMAKE_CURRENT_SOURCE_DIR}/../../src/utils/tar
++    ${CMAKE_CURRENT_SOURCE_DIR}/../../src/utils/sha256
++    )
++target_link_libraries(${EXE} ${GTEST_BOTH_LIBRARIES} ${CMAKE_THREAD_LIBS_INIT} ${ISULA_LIBUTILS_LIBRARY} libutils_ut -lcrypto -lyajl -lz)
++add_test(NAME ${EXE} COMMAND ${EXE} --gtest_output=xml:${EXE}-Results.xml)
+diff --git a/test/tar/tar_ut.cc b/test/tar/tar_ut.cc
+new file mode 100644
+index 00000000..e69de29b
+-- 
+2.25.1
+

0051-remove-chmod-751-permission-for-dirs-by-engine-when-.patch

@@ -1,7 +1,7 @@
-From 4814ce0283857e1d07c491dab3876136a0a6a714 Mon Sep 17 00:00:00 2001
+From 7c1c3107fffbfd208acccce8f3c077e10babed3d Mon Sep 17 00:00:00 2001
 From: yangjiaqi <yangjiaqi16@huawei.com>
-Date: Mon, 28 Nov 2022 18:36:10 +0800
-Subject: [PATCH] remove chmod 751 permission for dirs by engine when
+Date: Mon, 28 Nov 2022 21:03:19 +0800
+Subject: [PATCH 51/54] remove chmod 751 permission for dirs by engine when
  user-remap enabled
 
 ---
@@ -9,7 +9,7 @@ Subject: [PATCH] remove chmod 751 permission for dirs by engine when
  1 file changed, 55 deletions(-)
 
 diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c
-index 2b3c879..85a8ab5 100644
+index 2b3c8794..85a8ab52 100644
 --- a/src/daemon/modules/service/service_container.c
 +++ b/src/daemon/modules/service/service_container.c
 @@ -413,54 +413,6 @@ static int mount_host_channel(const host_config_host_channel *host_channel, cons
@@ -82,5 +82,5 @@ index 2b3c879..85a8ab5 100644
          if (mount_host_channel(cont->hostconfig->host_channel, cont->hostconfig->user_remap)) {
              ERROR("Failed to mount host channel");
 -- 
-2.30.0
+2.25.1
 

0052-add-console-ut.patch

@@ -0,0 +1,168 @@
+From 04c7beb8788826063c19715b58e11c4eea7efbe6 Mon Sep 17 00:00:00 2001
+From: "Neil.wrz" <wangrunze13@huawei.com>
+Date: Wed, 30 Nov 2022 23:54:47 -0800
+Subject: [PATCH 52/54] add console ut
+
+Signed-off-by: Neil.wrz <wangrunze13@huawei.com>
+---
+ test/CMakeLists.txt         |   1 +
+ test/console/CMakeLists.txt |  20 +++++++
+ test/console/console_ut.cc  | 107 ++++++++++++++++++++++++++++++++++++
+ 3 files changed, 128 insertions(+)
+ create mode 100644 test/console/CMakeLists.txt
+ create mode 100644 test/console/console_ut.cc
+
+diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt
+index 8b927f91..06adb602 100644
+--- a/test/CMakeLists.txt
++++ b/test/CMakeLists.txt
+@@ -46,6 +46,7 @@ IF(ENABLE_UT)
+     add_subdirectory(services)
+     add_subdirectory(sha256)
+     add_subdirectory(buffer)
++    add_subdirectory(console)
+ ENDIF(ENABLE_UT)
+ 
+ IF(ENABLE_FUZZ)
+diff --git a/test/console/CMakeLists.txt b/test/console/CMakeLists.txt
+new file mode 100644
+index 00000000..acadc620
+--- /dev/null
++++ b/test/console/CMakeLists.txt
+@@ -0,0 +1,20 @@
++project(iSulad_UT)
++
++SET(EXE console_ut)
++
++add_executable(${EXE}
++    ${CMAKE_SOURCE_DIR}/src/utils/console/console.c
++    console_ut.cc)
++
++
++target_include_directories(${EXE} PUBLIC
++    ${GTEST_INCLUDE_DIR}
++    ${CMAKE_SOURCE_DIR}/src/utils/console
++    ${CMAKE_SOURCE_DIR}/src/utils/cutils
++    ${CMAKE_SOURCE_DIR}/src/common
++    )
++
++target_link_libraries(${EXE} ${GTEST_BOTH_LIBRARIES} ${CMAKE_THREAD_LIBS_INIT} ${ISULA_LIBUTILS_LIBRARY} libutils_ut -lcrypto -lyajl -lz)
++add_test(NAME ${EXE} COMMAND ${EXE} --gtest_output=xml:${EXE}-Results.xml)
++
++
+diff --git a/test/console/console_ut.cc b/test/console/console_ut.cc
+new file mode 100644
+index 00000000..73479000
+--- /dev/null
++++ b/test/console/console_ut.cc
+@@ -0,0 +1,107 @@
++#include <sys/stat.h>
++#include <gtest/gtest.h>
++#include <fcntl.h>
++#include <limits.h>
++#include <string.h>
++
++#include "console.h"
++
++#define FIFO_NAME "fifo1"
++#define PATH_NOT_EXIST "./path_not_found/"
++#define LONGER_PATH_MAX 4098
++
++TEST(utils_console, test_console_fifo_create)
++{
++    int ret = 0;
++    struct stat buf;
++
++    ret = console_fifo_create(FIFO_NAME);
++    if (ret != 0) {
++        return;
++    }
++
++    if (stat(FIFO_NAME, &buf) < 0) {
++        return;
++    }
++
++    ASSERT_EQ(S_ISFIFO(buf.st_mode), true);
++
++    ret = access(FIFO_NAME, R_OK|W_OK);
++    ASSERT_EQ(ret, 0);
++
++    remove(FIFO_NAME);
++}
++
++TEST(utils_console, test_console_fifo_create_failed)
++{
++    int ret = 0;
++
++    ret = console_fifo_create(PATH_NOT_EXIST FIFO_NAME);
++    ASSERT_EQ(ret, -1);
++}
++
++TEST(utils_console, test_console_fifo_delete)
++{
++    int ret = 0;
++    char path_buf[LONGER_PATH_MAX] = { 0x00 };
++
++    memset(path_buf, 'a', LONGER_PATH_MAX);
++    path_buf[LONGER_PATH_MAX - 1] = 0;
++    ASSERT_EQ(strlen(path_buf), LONGER_PATH_MAX-1)<< "strlen is " << strlen(path_buf);
++
++    ret = console_fifo_create(FIFO_NAME);
++    if (ret != 0) {
++        return;
++    }
++
++    // PATH TOO LONG
++    ret = console_fifo_delete(path_buf);
++    ASSERT_EQ(ret, -1) << []()->std::string { remove(FIFO_NAME); return "failed"; }();
++
++    // PATH NULL
++    ret = console_fifo_delete(NULL);
++    ASSERT_EQ(ret, -1) << []()->std::string { remove(FIFO_NAME); return "failed"; }();
++
++    // PATH LEN IS ZERO
++    ret = console_fifo_delete("");
++    ASSERT_EQ(ret, 0) << []()->std::string { remove(FIFO_NAME); return "failed"; }();
++
++    // PATH NOT FOUND
++    ret = console_fifo_delete(PATH_NOT_EXIST FIFO_NAME);
++    ASSERT_EQ(ret, 0) << []()->std::string { remove(FIFO_NAME); return "failed"; }();
++
++    ret = console_fifo_delete(FIFO_NAME);
++    ASSERT_EQ(ret, 0) << []()->std::string { remove(FIFO_NAME); return "failed"; }();
++}
++
++TEST(utils_console, test_console_fifo_open)
++{
++    int ret = 0;
++    int fifooutfd = -1;
++
++    ret = console_fifo_create(FIFO_NAME);
++    if (ret != 0) {
++        return;
++    }
++
++    ret = console_fifo_open(FIFO_NAME, &fifooutfd, O_RDWR | O_NONBLOCK);
++    ASSERT_EQ(ret, 0) << []()->std::string { remove(FIFO_NAME); return "failed"; }();
++    console_fifo_close(fifooutfd);
++    remove(FIFO_NAME);
++}
++
++TEST(utils_console, test_console_fifo_open_withlock)
++{
++    int ret = 0;
++    int fifooutfd = -1;
++
++    ret = console_fifo_create(FIFO_NAME);
++    if (ret != 0) {
++        return;
++    }
++
++    ret = console_fifo_open_withlock(FIFO_NAME, &fifooutfd, O_RDWR | O_NONBLOCK);
++    ASSERT_EQ(ret, 0) << []()->std::string { remove(FIFO_NAME); return "failed"; }();
++    console_fifo_close(fifooutfd);
++    remove(FIFO_NAME);
++}
+-- 
+2.25.1
+

0053-fix-additional-gids-for-exec-user.patch

@@ -0,0 +1,128 @@
+From 51a57b584eed06e0d857963f2e2750114e26ef52 Mon Sep 17 00:00:00 2001
+From: zhangxiaoyu <zhangxiaoyu58@huawei.com>
+Date: Sat, 3 Dec 2022 15:43:43 +0800
+Subject: [PATCH 53/54] fix additional gids for exec user
+
+Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
+---
+ src/daemon/modules/runtime/engines/engine.h   |  1 +
+ .../modules/runtime/engines/lcr/lcr_rt_ops.c  | 71 +++++++++++++++++++
+ 2 files changed, 72 insertions(+)
+
+diff --git a/src/daemon/modules/runtime/engines/engine.h b/src/daemon/modules/runtime/engines/engine.h
+index 95428e0f..04c4a670 100644
+--- a/src/daemon/modules/runtime/engines/engine.h
++++ b/src/daemon/modules/runtime/engines/engine.h
+@@ -71,6 +71,7 @@ typedef struct _engine_exec_request_t {
+     const char **console_fifos;
+ 
+     const char *user;
++    const char *add_gids;
+ 
+     const char **env;
+     size_t env_len;
+diff --git a/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c b/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c
+index a2b93b72..f2eec6d2 100644
+--- a/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c
++++ b/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c
+@@ -352,12 +352,76 @@ static int generate_user_string_by_uid_gid(const defs_process_user *puser, char
+     return 0;
+ }
+ 
++static char **covert_gids_to_string(const gid_t *gids, const size_t gids_len)
++{
++    int nret = 0;
++    size_t i = 0;
++    size_t len = 0;
++    char **result = NULL;
++
++    result = util_smart_calloc_s(sizeof(char *), gids_len);
++    if (result == NULL) {
++        ERROR("Out of memory");
++        return NULL;
++    }
++
++    for (i = 0; i < gids_len; i++) {
++        char gid_str[ISULAD_NUMSTRLEN32] = { 0 };
++
++        nret = snprintf(gid_str, ISULAD_NUMSTRLEN32, "%u", (unsigned int)gids[i]);
++        if (nret < 0 || nret >= ISULAD_NUMSTRLEN32) {
++            ERROR("Invalid gid :%u", (unsigned int)gids[i]);
++            util_free_array_by_len(result, len);
++            return NULL;
++        }
++
++        result[i] = util_strdup_s(gid_str);
++        len++;
++    }
++
++    return result;
++}
++
++// additional gids string(GID[,GID])
++static int generate_add_gids_string(const defs_process_user *puser, char **add_gids)
++{
++    const size_t max_gids = 100;
++    char **gids = NULL;
++
++    if (puser->additional_gids == NULL || puser->additional_gids_len == 0) {
++        INFO("None attach additional gids");
++        return 0;
++    }
++
++    if (puser->additional_gids_len > max_gids) {
++        ERROR("Too many additional gids");
++        return -1;
++    }
++
++    gids = covert_gids_to_string(puser->additional_gids, puser->additional_gids_len);
++    if (gids == NULL) {
++        ERROR("Failed to covert gids to string");
++        return -1;
++    }
++
++    *add_gids = util_string_join(",", (const char **)gids, puser->additional_gids_len);
++    if (*add_gids == NULL) {
++        ERROR("Failed to string join");
++        util_free_array_by_len(gids, puser->additional_gids_len);
++        return -1;
++    }
++
++    util_free_array_by_len(gids, puser->additional_gids_len);
++    return 0;
++}
++
+ int rt_lcr_exec(const char *id, const char *runtime, const rt_exec_params_t *params, int *exit_code)
+ {
+     int ret = 0;
+     struct engine_operation *engine_ops = NULL;
+     engine_exec_request_t request = { 0 };
+     char *user = NULL;
++    char *add_gids = NULL;
+ 
+     engine_ops = engines_get_handler(runtime);
+     if (engine_ops == NULL || engine_ops->engine_exec_op == NULL) {
+@@ -385,6 +449,12 @@ int rt_lcr_exec(const char *id, const char *runtime, const rt_exec_params_t *par
+             goto out;
+         }
+         request.user = user;
++
++        if (generate_add_gids_string(params->spec->user, &add_gids) != 0) {
++            ret = -1;
++            goto out;
++        }
++        request.add_gids = add_gids;
+     }
+ 
+     request.open_stdin = params->attach_stdin;
+@@ -412,6 +482,7 @@ out:
+         engine_ops->engine_clear_errmsg_op();
+     }
+     free(user);
++    free(add_gids);
+     return ret;
+ }
+ 
+-- 
+2.25.1
+

0054-add-CI-for-additional-gid.patch

@@ -0,0 +1,112 @@
+From 31ed5d907341363408c8d90aa72a6eee12ad7ccb Mon Sep 17 00:00:00 2001
+From: zhangxiaoyu <zhangxiaoyu58@huawei.com>
+Date: Sat, 3 Dec 2022 17:10:38 +0800
+Subject: [PATCH 54/54] add CI for additional gid
+
+Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
+---
+ .../container_cases/exec_additional_gids.sh   | 92 +++++++++++++++++++
+ 1 file changed, 92 insertions(+)
+ create mode 100755 CI/test_cases/container_cases/exec_additional_gids.sh
+
+diff --git a/CI/test_cases/container_cases/exec_additional_gids.sh b/CI/test_cases/container_cases/exec_additional_gids.sh
+new file mode 100755
+index 00000000..f24678d3
+--- /dev/null
++++ b/CI/test_cases/container_cases/exec_additional_gids.sh
+@@ -0,0 +1,92 @@
++#!/bin/bash
++#
++# attributes: isulad exec check additional gids
++# concurrent: YES
++# spend time: 1
++
++#######################################################################
++##- Copyright (c) Huawei Technologies Co., Ltd. 2022. All rights reserved.
++# - iSulad licensed under the Mulan PSL v2.
++# - You can use this software according to the terms and conditions of the Mulan PSL v2.
++# - You may obtain a copy of Mulan PSL v2 at:
++# -     http://license.coscl.org.cn/MulanPSL2
++# - THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
++# - IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
++# - PURPOSE.
++# - See the Mulan PSL v2 for more details.
++##- @Description:CI
++##- @Author: zhangxiaoyu
++##- @Create: 2022-12-03
++#######################################################################
++
++curr_path=$(dirname $(readlink -f "$0"))
++data_path=$(realpath $curr_path/../data)
++source ../helpers.sh
++test="exec additional gids test => test_exec_additional_gids"
++test_log=$(mktemp /tmp/additional_gids_test_XXX)
++
++USERNAME="user"
++USER_UID="1000"
++USER_GID="$USER_UID"
++ADDITIONAL_GID="1001"
++ADDITIONAL_GROUP="additional"
++
++cont_name=add_gids_test
++file_info="Keep it secret, keep it safe"
++
++function additional_gids_test()
++{
++    local ret=0
++
++    isula rm -f `isula ps -a -q`
++
++    isula run -tid -n $cont_name ubuntu bash
++    [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to run container" && ((ret++))
++
++    isula exec $cont_name bash -c "groupadd --gid $USER_GID $USERNAME \
++        && groupadd --gid $ADDITIONAL_GID $ADDITIONAL_GROUP \
++        && useradd --uid $USER_UID --gid $USER_GID -m $USERNAME -G $ADDITIONAL_GROUP \
++        && mkdir /app && chown ${USERNAME}:${USERNAME} /app \
++        && echo $file_info > /app/sekrit.txt \
++        && chown 0:${USER_GID} /app/sekrit.txt \
++        && chmod 606 /app/sekrit.txt"
++    [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - create user and group failed" && ((ret++))
++
++    /usr/bin/expect <<- EOF > ${test_log} 2>&1
++set timeout 10
++spawn isula exec -it --workdir /app -u $USERNAME $cont_name bash
++expect "${USERNAME}*"
++send "newgrp ${ADDITIONAL_GROUP}\n"
++expect "*"
++send "groups\n"
++expect "$"
++send "cat sekrit.txt\n"
++expect "*"
++send "exit\n"
++expect "${USERNAME}*"
++send "exit\n"
++expect eof
++EOF
++
++    cat $test_log | grep "$file_info"
++    [[ $? -eq 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - read file success, but should fail" && ((ret++))
++
++    cat $test_log | grep "Permission denied"
++    [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - read error message failed" && ((ret++))
++
++    isula rm -f `isula ps -a -q`
++
++    return ${ret}
++}
++
++declare -i ans=0
++
++msg_info "${test} starting..."
++
++additional_gids_test || ((ans++))
++
++rm -rf ${test_log}
++
++msg_info "${test} finished with return ${ret}..."
++
++show_result ${ans} "${curr_path}/${0}"
+-- 
+2.25.1
+

iSulad.spec

@@ -1,5 +1,5 @@
 %global _version 2.0.17
-%global _release 10
+%global _release 11
 %global is_systemd 1
 %global enable_shimv2 1
 %global is_embedded 1
@@ -58,8 +58,15 @@ Patch0042: 0042-isula-usage-consistency-optimization.patch
 Patch0043: 0043-fix-do-container_unref-in-oci_rootfs_clean.patch
 Patch0044: 0044-fix-can-not-install-isulad-rpm-because-of-spec.patch
 Patch0045: 0045-remove-unknown-option-wno-maybe-uninitialized.patch
-Patch0046: 0046-add-primary-group-to-additional-groups.patch
-Patch0047: 0047-remove-chmod-751-permission-for-dirs-by-engine-when-.patch
+Patch0046: 0046-fix-storage-layer-and-driver-ut-failed-in-container.patch
+Patch0047: 0047-handle-security-warning-for-cleanup-module.patch
+Patch0048: 0048-add-unit-test-for-util-sha256.patch
+Patch0049: 0049-add-primary-group-to-additional-groups.patch
+Patch0050: 0050-add-unit-test-for-buffer.patch
+Patch0051: 0051-remove-chmod-751-permission-for-dirs-by-engine-when-.patch
+Patch0052: 0052-add-console-ut.patch
+Patch0053: 0053-fix-additional-gids-for-exec-user.patch
+Patch0054: 0054-add-CI-for-additional-gid.patch
 
 %ifarch x86_64 aarch64
 Provides:       libhttpclient.so()(64bit)
@@ -286,6 +293,12 @@ fi
 %endif
 
 %changelog
+* Tue Dec 06 2022 zhangxiaoyu <zhangxiaoyu58@huawei.com> - 2.0.17-11
+- Type: bugfix
+- ID: NA
+- SUG: NA
+- DESC: update from upstream
+
 * Mon Nov 28 2022 yangjiaqi <yangjiaqi16@huawei.com> - 2.0.17-10
 - Type: bugfix
 - ID: NA