runc:build security options

Signed-off-by: xiadanni <xiadanni1@huawei.com>
2021-03-18 11:14:47 +08:00 · 2021-03-18 11:14:47 +08:00 · 2f6befc1d9
commit 2f6befc1d9
parent 86bbece715
4 changed files with 50 additions and 2 deletions
--- a/0125-runc-compile-option-compliance.patch
+++ b/0125-runc-compile-option-compliance.patch
@ -0,0 +1,38 @@
 From d7e62b082d564d0ac1e58257f34d25082e58c3cf Mon Sep 17 00:00:00 2001
 From: xiadanni <xiadanni1@huawei.com>
 Date: Thu, 18 Mar 2021 11:17:13 +0800
 Subject: [PATCH] runc: compile option compliance
 Signed-off-by: xiadanni <xiadanni1@huawei.com>
 ---
 Makefile | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
 diff --git a/Makefile b/Makefile
 index 43d15bf..fcf34ea 100644
 --- a/Makefile
 +++ b/Makefile
@@ -39,10 +39,17 @@ recvtty: contrib/cmd/recvtty/recvtty
 contrib/cmd/recvtty/recvtty: $(SOURCES)
 	go build -i -ldflags " -buildid=IdByIsula ${BEP_FLAG} -X main.gitCommit=${COMMIT} -X main.version=${VERSION}" -tags "$(BUILDTAGS)" -o contrib/cmd/recvtty/recvtty ./contrib/cmd/recvtty
 +LD_FLAGS='-w -buildid=none -tmpdir=/tmp/bep-runc -linkmode=external -extldflags=-Wl,-z,relro,-z,now \
 +          -X main.gitCommit=${COMMIT} -X main.version=${VERSION}'
 +
 static: $(SOURCES)
 -	mkdir -p ${BEP_DIR}
 -	CGO_ENABLED=1 go build -i -tags "$(BUILDTAGS) cgo static_build" -ldflags "-w -buildid=IdByIsula -extldflags -static  ${BEP_FLAG}  -X main.gitCommit=${COMMIT} -X main.version=${VERSION}" -o runc .
 -	CGO_ENABLED=1 go build -i -tags "$(BUILDTAGS) cgo static_build" -ldflags "-w -buildid=IdByIsula -extldflags -static  ${BEP_FLAG}  -X main.gitCommit=${COMMIT} -X main.version=${VERSION}" -o contrib/cmd/recvtty/recvtty ./contrib/cmd/recvtty
 +	rm -rf /tmp/bep-runc && mkdir /tmp/bep-runc
 +	CGO_ENABLED=1 \
 +	CGO_CFLAGS="-fstack-protector-strong -fPIE" \
 +	CGO_CPPFLAGS="-fstack-protector-strong -fPIE" \
 +	CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \
 +	CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
 +	go build -buildmode=pie -i -tags "$(BUILDTAGS) cgo static_build" -ldflags '-extldflags=-static' -ldflags $(LD_FLAGS) -o runc .
 release:
 	@flag_list=(seccomp selinux apparmor static); \
 -- 
 1.8.3.1
--- a/2
+++ b/2
@ -1 +1 @@
-331003887c493ae924ef3f0dd3dfdf522a2c40c5
+115f07e6a16508a63b98f4f375e285607822b8a8
--- a/runc-openeuler.spec
+++ b/runc-openeuler.spec
@ -1,8 +1,10 @@
 #needsrootforbuild
 %global _bindir /usr/local/bin
 %global debug_package %{nil}
 Name: docker-runc
 Version: 1.0.0.rc3
-Release: 111
+Release: 112
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
 License: ASL 2.0
@ -38,6 +40,7 @@ ln -sf `pwd` .gopath/src/github.com/opencontainers/runc
 cd .gopath/src/github.com/opencontainers/runc
 make BUILDTAGS="seccomp selinux" static 
 rm -rf .gopath
 strip runc
 install -d $RPM_BUILD_ROOT/%{_bindir}
 install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
@ -49,6 +52,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
 %{_bindir}/runc
 %changelog
 * Thu Mar 18 2021 xiadanni<xiadanni1@huawei.com> - 1.0.0.rc3-112
 - Type:bugfix
 - CVE:NA
 - SUG:NA
 - DESC:build security option
 * Thu Mar 18 2021 xiadanni<xiadanni1@huawei.com> - 1.0.0.rc3-111
 - Type:bugfix
 - ID:NA
--- a/series.conf
+++ b/series.conf
@ -122,4 +122,5 @@
 0122-runc-add-riscv-on-existing-files.patch
 0121-runc-add-cpu-and-memory-info-when-print-cgroup-info.patch
 0124-runc-fix-freezing-race.patch
 0125-runc-compile-option-compliance.patch
 #end
`@ -1 +1 @@`
	`331003887c493ae924ef3f0dd3dfdf522a2c40c5`	`115f07e6a16508a63b98f4f375e285607822b8a8`