runc/patch/0098-runc-fix-read-only-containers-under-userns-.patch

From 6e35f145221347264ea5d4814308ab0624725024 Mon Sep 17 00:00:00 2001
From: zhangsong34 <zhangsong34@huawei.com>
Date: Tue, 2 Apr 2019 10:00:20 +0800
Subject: [PATCH] runc:  fix --read-only containers under
 --userns-remap

reason:fix --read-only containers under --userns-remap
cherry-pick from:
	https://github.com/opencontainers/runc/pull/1572

Change-Id: I0f823caf1e72e4d61df9abe5f97fa5605425fd2c
Signed-off-by: Tycho Andersen <tycho@docker.com>
Signed-off-by: zhangsong34 <zhangsong34@huawei.com>
---
 libcontainer/rootfs_linux.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
index 53797e9..18a25f2 100644
--- a/libcontainer/rootfs_linux.go
+++ b/libcontainer/rootfs_linux.go
@@ -769,7 +769,14 @@ func remountReadonly(m *configs.Mount) error {
 		flags = m.Flags
 	)
 	for i := 0; i < 5; i++ {
-		if err := syscall.Mount("", dest, "", uintptr(flags|syscall.MS_REMOUNT|syscall.MS_RDONLY), ""); err != nil {
+		// There is a special case in the kernel for
+		// MS_REMOUNT | MS_BIND, which allows us to change only the
+		// flags even as an unprivileged user (i.e. user namespace)
+		// assuming we don't drop any security related flags (nodev,
+		// nosuid, etc.). So, let's use that case so that we can do
+		// this re-mount without failing in a userns.
+		flags |= syscall.MS_REMOUNT | syscall.MS_BIND | syscall.MS_RDONLY
+		if err := syscall.Mount("", dest, "", uintptr(flags), ""); err != nil {
 			switch err {
 			case syscall.EBUSY:
 				time.Sleep(100 * time.Millisecond)
-- 
1.8.3.1
runc: package init Signed-off-by: openeuler-iSula <isula@huawei.com> 2019-12-29 15:30:08 +08:00			`From 6e35f145221347264ea5d4814308ab0624725024 Mon Sep 17 00:00:00 2001`
			`From: zhangsong34 <zhangsong34@huawei.com>`
			`Date: Tue, 2 Apr 2019 10:00:20 +0800`
			`Subject: [PATCH] runc: fix --read-only containers under`
			`--userns-remap`

			`reason:fix --read-only containers under --userns-remap`
			`cherry-pick from:`
			`https://github.com/opencontainers/runc/pull/1572`

			`Change-Id: I0f823caf1e72e4d61df9abe5f97fa5605425fd2c`
			`Signed-off-by: Tycho Andersen <tycho@docker.com>`
			`Signed-off-by: zhangsong34 <zhangsong34@huawei.com>`
			`---`
			`libcontainer/rootfs_linux.go \| 9 ++++++++-`
			`1 file changed, 8 insertions(+), 1 deletion(-)`

			`diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go`
			`index 53797e9..18a25f2 100644`
			`--- a/libcontainer/rootfs_linux.go`
			`+++ b/libcontainer/rootfs_linux.go`
			`@@ -769,7 +769,14 @@ func remountReadonly(m *configs.Mount) error {`
			`flags = m.Flags`
			`)`
			`for i := 0; i < 5; i++ {`
			`- if err := syscall.Mount("", dest, "", uintptr(flags\|syscall.MS_REMOUNT\|syscall.MS_RDONLY), ""); err != nil {`
			`+ // There is a special case in the kernel for`
			`+ // MS_REMOUNT \| MS_BIND, which allows us to change only the`
			`+ // flags even as an unprivileged user (i.e. user namespace)`
			`+ // assuming we don't drop any security related flags (nodev,`
			`+ // nosuid, etc.). So, let's use that case so that we can do`
			`+ // this re-mount without failing in a userns.`
			`+ flags \|= syscall.MS_REMOUNT \| syscall.MS_BIND \| syscall.MS_RDONLY`
			`+ if err := syscall.Mount("", dest, "", uintptr(flags), ""); err != nil {`
			`switch err {`
			`case syscall.EBUSY:`
			`time.Sleep(100 * time.Millisecond)`
			`--`
			`1.8.3.1`