runc:allowing libct/cap to work with nil capabilities

(cherry picked from commit b5bfd78c38a442d27a829105fa1eb3dfac3e47db)
dongyuzhen 2025-03-26 09:07:43 +08:00 committed by openeuler-sync-bot
parent 2d6d37255e
commit a0f756055b
4 changed files with 68 additions and 2 deletions


@ -1 +1 @@
1b7091b305556e0de2c50f193cd7bf50af035c01 1e298d15b17374a5d32d2431b73ca2b46fa401bc


@ -0,0 +1,59 @@
From b55c8fbbb8ecfd407a1d9eeec850b8c4885f4331 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin <kolyshkin@gmail.com>
Date: Wed, 8 Jan 2025 12:25:42 -0800
Subject: [PATCH] libct/cap: allow New(nil)
In runtime-spec, capabilities property is optional, but
libcontainer/capabilities panics when New(nil) is called.
Because of this, there's a kludge in finalizeNamespace to ensure
capabilities.New is not called with nil argument, and there's a
TestProcessEmptyCaps to ensure runc won't panic.
Let's fix this at the source, allowing libct/cap to work with nil
capabilities.
(The caller is fixed by the next commit.)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
---
libcontainer/capabilities/capabilities.go | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/libcontainer/capabilities/capabilities.go b/libcontainer/capabilities/capabilities.go
index d38b8a7c..49b842ca 100644
--- a/libcontainer/capabilities/capabilities.go
+++ b/libcontainer/capabilities/capabilities.go
@@ -54,6 +54,9 @@ func New(capConfig *configs.Capabilities) (*Caps, error) {
err error
c Caps
)
+ if capConfig == nil {
+ return &c, nil
+ }
unknownCaps := make(map[string]struct{})
c.caps = map[capability.CapType][]capability.Cap{
@@ -108,6 +111,9 @@ type Caps struct {
// ApplyBoundingSet sets the capability bounding set to those specified in the whitelist.
func (c *Caps) ApplyBoundingSet() error {
+ if c.pid == nil {
+ return nil
+ }
c.pid.Clear(capability.BOUNDING)
c.pid.Set(capability.BOUNDING, c.caps[capability.BOUNDING]...)
return c.pid.Apply(capability.BOUNDING)
@@ -115,6 +121,9 @@ func (c *Caps) ApplyBoundingSet() error {
// Apply sets all the capabilities for the current process in the config.
func (c *Caps) ApplyCaps() error {
+ if c.pid == nil {
+ return nil
+ }
c.pid.Clear(allCapabilityTypes)
for _, g := range capTypes {
c.pid.Set(g, c.caps[g]...)
--
2.33.0
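Review bot: The `c.pid == nil` guards added to ApplyBoundingSet and ApplyCaps turn both calls into silent no-ops for a Caps built by New(nil), so the process keeps whatever capability sets it inherited, whereas an empty non-nil config still reaches the `c.pid.Clear(...)` calls and drops everything; that asymmetry is security-relevant and is not stated anywhere in the patch. Since the series file only adds patch 0048, the finalizeNamespace kludge the commit message describes still passes an empty struct in this 1.1.8 backport, so the new nil path appears to be unreachable here until the follow-up caller change is also backported. Document the contract on New, e.g. `// A nil capConfig yields a Caps whose ApplyBoundingSet and ApplyCaps are no-ops: no capability set is cleared or applied.` New's signature and the rest of its body lie outside the hunk.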


@ -3,7 +3,7 @@
Name: runc Name: runc
Version: 1.1.8 Version: 1.1.8
Release: 24 Release: 25
Summary: runc is a CLI tool for spawning and running containers according to the OCI specification. Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
License: ASL 2.0 License: ASL 2.0
@ -57,6 +57,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
%{_bindir}/runc %{_bindir}/runc
%changelog %changelog
* Wed Mar 26 2025 dongyuzhen <dongyuzhen@h-partners.com> - 1.1.8-25
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:allowing libct/cap to work with nil capabilities
* Sun Sep 29 2024 zhongjiawei<zhongjiawei1@huawei.com> - 1.1.8-24 * Sun Sep 29 2024 zhongjiawei<zhongjiawei1@huawei.com> - 1.1.8-24
- Type:bugfix - Type:bugfix
- CVE:NA - CVE:NA


@ -44,3 +44,4 @@ patch/0044-runc-format-log-instead-panic-when-procError-missing.patch
patch/0045-rootfs-consolidate-mountpoint-creation-logic.patch patch/0045-rootfs-consolidate-mountpoint-creation-logic.patch
patch/0046-rootfs-try-to-scope-MkdirAll-to-stay-inside-the-root.patch patch/0046-rootfs-try-to-scope-MkdirAll-to-stay-inside-the-root.patch
patch/0047-runc-fix-can-t-set-cpuset-cpus-and-cpuset-mems-at-th.patch patch/0047-runc-fix-can-t-set-cpuset-cpus-and-cpuset-mems-at-th.patch
patch/0048-runc-libct-cap-allow-New-nil.patch