sync patches

patch/0126-runc-add-check-in-spec.patch
patch/0127-runc-add-mount-destination-validation-fix-CVE-2021.patch
patch/0128-runc-optimize-nsexec-logging.patch
patch/0129-runc-improve-log-for-debugging.patch
patch/0130-runc-fix-cgroup-info-print-error.patch

apply-patch

@@ -17,8 +17,9 @@ fi
 series=$cwd/series.conf
 while IPF= read -r line
 do
-    if [[ "$line" =~ ^0.* ]]; then
+    if [[ "$line" =~ ^patch* ]]; then
-        cd $src && patch -p1 < $cwd/patch/$line
+        echo patch -p1 $cwd/$line
+        cd $src && patch -p1 < $cwd/$line
     fi
 done <"$series"
 

patch/0126-runc-add-check-in-spec.patch

@@ -0,0 +1,27 @@
+From 34e659c12eb4ae543e3c7a6539a3d51ec2ec295b Mon Sep 17 00:00:00 2001
+From: xiadanni <xiadanni1@huawei.com>
+Date: Fri, 19 Feb 2021 11:18:25 +0800
+Subject: [PATCH] runc: add check in spec
+
+Signed-off-by: xiadanni <xiadanni1@huawei.com>
+---
+ Makefile | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/Makefile b/Makefile
+index fcf34ea..364ac89 100644
+--- a/Makefile
++++ b/Makefile
+@@ -89,6 +89,9 @@ man:
+ runcimage:
+ 	docker build -t $(RUNC_IMAGE) .
+ 
++check:
++	go test -v ./libcontainer
++
+ test:
+ 	make unittest integration rootlessintegration
+ 
+-- 
+1.8.3.1
+

patch/0128-runc-optimize-nsexec-logging.patch

@@ -0,0 +1,280 @@
+From f59d2013c5b1e3a7a500023848c5a366301bddec Mon Sep 17 00:00:00 2001
+From: xiadanni <xiadanni1@huawei.com>
+Date: Tue, 8 Jun 2021 17:08:59 +0800
+Subject: [PATCH] runc: optimize nsexec logging
+
+Conflict:NA
+Reference:https://github.com/opencontainers/runc/pull/2034/commits
+          https://github.com/opencontainers/runc/commit/64bb59f5920b15d886cb2be52aede641fd4a047b
+          https://github.com/opencontainers/runc/commit/201d60c51d0b78afb780841443200a25d63493a6
+
+Signed-off-by: xiadanni <xiadanni1@huawei.com>
+---
+ libcontainer/container_linux.go | 21 ++++++++++
+ libcontainer/logs/logs.go       | 68 +++++++++++++++++++++++++++++++++
+ libcontainer/nsenter/nsexec.c   | 53 +++++++++++++++++++++++--
+ libcontainer/process_linux.go   |  3 ++
+ 4 files changed, 142 insertions(+), 3 deletions(-)
+ create mode 100644 libcontainer/logs/logs.go
+
+diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
+index 73192866..7be84a63 100644
+--- a/libcontainer/container_linux.go
++++ b/libcontainer/container_linux.go
+@@ -23,6 +23,7 @@ import (
+ 	"github.com/opencontainers/runc/libcontainer/cgroups"
+ 	"github.com/opencontainers/runc/libcontainer/configs"
+ 	"github.com/opencontainers/runc/libcontainer/criurpc"
++	"github.com/opencontainers/runc/libcontainer/logs"
+ 	"github.com/opencontainers/runc/libcontainer/system"
+ 	"github.com/opencontainers/runc/libcontainer/utils"
+ 	"github.com/syndtr/gocapability/capability"
+@@ -309,6 +310,17 @@ func (c *linuxContainer) start(process *Process) error {
+ 	if err != nil {
+ 		return newSystemErrorWithCause(err, "creating new parent process")
+ 	}
++
++	if logsDone := logs.ForwardLogs(); logsDone != nil {
++		defer func() {
++			select {
++			case <-logsDone:
++			case <-time.After(3 * time.Second):
++				logrus.Warnf("wait child close logfd timeout")
++			}
++		}()
++	}
++
+ 	if err := parent.start(); err != nil {
+ 		printCgroupInfo(c.config.Cgroups.Path)
+ 		// terminate the process to ensure that it properly is reaped.
+@@ -408,6 +420,9 @@ func (c *linuxContainer) newParentProcess(p *Process) (parentProcess, error) {
+ 	if err != nil {
+ 		return nil, newSystemErrorWithCause(err, "creating new init pipe")
+ 	}
++	if err := logs.InitLogPipe(); err != nil {
++		return nil, fmt.Errorf("Unable to create the log pipe:  %s", err)
++	}
+ 	cmd, err := c.commandTemplate(p, childPipe)
+ 	if err != nil {
+ 		return nil, newSystemErrorWithCause(err, "creating new command template")
+@@ -450,6 +465,12 @@ func (c *linuxContainer) commandTemplate(p *Process, childPipe *os.File) (*exec.
+ 	cmd.Env = append(cmd.Env,
+ 		fmt.Sprintf("_LIBCONTAINER_INITPIPE=%d", stdioFdCount+len(cmd.ExtraFiles)-1),
+ 	)
++
++	cmd.ExtraFiles = append(cmd.ExtraFiles, logs.ChildLogPipe)
++	cmd.Env = append(cmd.Env,
++		fmt.Sprintf("_LIBCONTAINER_LOGPIPE=%d", stdioFdCount+len(cmd.ExtraFiles)-1),
++	)
++
+ 	// NOTE: when running a container with no PID namespace and the parent process spawning the container is
+ 	// PID1 the pdeathsig is being delivered to the container's init process by the kernel for some reason
+ 	// even with the parent still running.
+diff --git a/libcontainer/logs/logs.go b/libcontainer/logs/logs.go
+new file mode 100644
+index 00000000..219fe382
+--- /dev/null
++++ b/libcontainer/logs/logs.go
+@@ -0,0 +1,68 @@
++package logs
++
++import (
++	"bufio"
++	"encoding/json"
++	"os"
++
++	"github.com/Sirupsen/logrus"
++)
++
++var (
++	ParentLogPipe *os.File
++	ChildLogPipe  *os.File
++)
++
++func InitLogPipe() error {
++	var err error
++	if ParentLogPipe == nil {
++		ParentLogPipe, ChildLogPipe, err = os.Pipe()
++	}
++	return err
++}
++
++func CloseChild() {
++	if ChildLogPipe != nil {
++		ChildLogPipe.Close()
++		ChildLogPipe = nil
++	}
++}
++
++func ForwardLogs() chan error {
++	done := make(chan error, 1)
++	if ParentLogPipe == nil {
++		close(done)
++		return done
++	}
++
++	s := bufio.NewScanner(ParentLogPipe)
++	go func() {
++		for s.Scan() {
++			processEntry(s.Bytes())
++		}
++		if err := ParentLogPipe.Close(); err != nil {
++			logrus.Errorf("error closing log source: %v", err)
++		}
++		// The only error we want to return is when reading from
++		// logPipe has failed.
++		done <- s.Err()
++		close(done)
++	}()
++
++	return done
++}
++
++func processEntry(text []byte) {
++	if len(text) == 0 {
++		return
++	}
++	var jl struct {
++		Level string `json:"level"`
++		Msg   string `json:"msg"`
++	}
++	if err := json.Unmarshal(text, &jl); err != nil {
++		logrus.Errorf("failed to decode %q to json: %v", text, err)
++		return
++	}
++	logrus.Errorf("error from child %s", jl.Msg)
++}
+diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
+index 4f73b1a1..8e059e09 100644
+--- a/libcontainer/nsenter/nsexec.c
++++ b/libcontainer/nsenter/nsexec.c
+@@ -77,6 +77,8 @@ struct nlconfig_t {
+ 	size_t oom_score_adj_len;
+ };
+ 
++int logfd;
++
+ /*
+  * List of netlink message types sent to us as part of bootstrapping the init.
+  * These constants are defined in libcontainer/message_linux.go.
+@@ -111,6 +113,26 @@ int setns(int fd, int nstype)
+ }
+ #endif
+ 
++void write_log_with_info(const char *level, const char *function, int line, const char *format, ...)
++{
++	static char message[1024];
++	va_list args;
++
++	if (logfd < 0 || level == NULL)
++		return;
++
++	va_start(args, format);
++	if (vsnprintf(message, 1024, format, args) < 0)
++		return;
++	va_end(args);
++
++	if (dprintf(logfd, "{\"level\":\"%s\", \"msg\": \"%s:%d %s\"}\n", level, function, line, message) < 0)
++		return;
++}
++
++#define logerr(fmt, ...) \
++	write_log_with_info("error", __FUNCTION__, __LINE__, fmt, ##__VA_ARGS__)
++
+ /* XXX: This is ugly. */
+ static int syncfd = -1;
+ 
+@@ -118,13 +140,13 @@ static int syncfd = -1;
+ #define bail(fmt, ...)								\
+ 	do {									\
+ 		int ret = __COUNTER__ + 1;					\
+-		fprintf(stderr, "nsenter: " fmt ": %m\n", ##__VA_ARGS__);	\
++		logerr("nsenter: " fmt ": %m", ##__VA_ARGS__);	\
+ 		if (syncfd >= 0) {						\
+ 			enum sync_t s = SYNC_ERR;				\
+ 			if (write(syncfd, &s, sizeof(s)) != sizeof(s))		\
+-				fprintf(stderr, "nsenter: failed: write(s)");	\
++				logerr("nsenter: failed: write(s)");	\
+ 			if (write(syncfd, &ret, sizeof(ret)) != sizeof(ret))	\
+-				fprintf(stderr, "nsenter: failed: write(ret)");	\
++				logerr("nsenter: failed: write(ret)");	\
+ 		}								\
+ 		exit(ret);							\
+ 	} while(0)
+@@ -259,6 +281,24 @@ static int initpipe(void)
+ 	return pipenum;
+ }
+ 
++static void setup_logpipe(void)
++{
++	char *logpipe, *endptr;
++
++	logpipe = getenv("_LIBCONTAINER_LOGPIPE");
++	if (logpipe == NULL || *logpipe == '\0') {
++		logfd = -1;
++		return;
++	}
++
++	logfd = strtol(logpipe, &endptr, 10);
++	if (logpipe == endptr || *endptr != '\0') {
++		fprintf(stderr, "unable to parse _LIBCONTAINER_LOGPIPE, value: %s\n", logpipe);
++		/* It is too early to use bail */
++		exit(1);
++	}
++}
++
+ /* Returns the clone(2) flag for a namespace, given the name of a namespace. */
+ static int nsflag(char *name)
+ {
+@@ -442,6 +482,12 @@ void nsexec(void)
+ 	int sync_child_pipe[2], sync_grandchild_pipe[2];
+ 	struct nlconfig_t config = {0};
+ 
++	/*
++	 * Setup a pipe to send logs to the parent. This should happen
++	 * first, because bail will use that pipe.
++	 */
++	setup_logpipe();
++
+ 	/*
+ 	 * If we don't have an init pipe, just return to the go routine.
+ 	 * We'll only get an init pipe for start or exec.
+@@ -867,6 +913,7 @@ void nsexec(void)
+ 			/* Free netlink data. */
+ 			nl_free(&config);
+ 
++			close(logfd);
+ 			/* Finish executing, let the Go runtime take over. */
+ 			return;
+ 		}
+diff --git a/libcontainer/process_linux.go b/libcontainer/process_linux.go
+index 25fe30b5..0c5cd47c 100644
+--- a/libcontainer/process_linux.go
++++ b/libcontainer/process_linux.go
+@@ -18,6 +18,7 @@ import (
+ 	"github.com/opencontainers/runc/libcontainer/configs"
+ 	"github.com/opencontainers/runc/libcontainer/system"
+ 	"github.com/opencontainers/runc/libcontainer/utils"
++	"github.com/opencontainers/runc/libcontainer/logs"
+ 	"golang.org/x/sys/unix"
+ )
+ 
+@@ -73,6 +74,7 @@ func (p *setnsProcess) start() (err error) {
+ 	defer p.parentPipe.Close()
+ 	err = p.cmd.Start()
+ 	p.childPipe.Close()
++	logs.CloseChild()
+ 	if err != nil {
+ 		return newSystemErrorWithCause(err, "starting setns process")
+ 	}
+@@ -256,6 +258,7 @@ func (p *initProcess) start() error {
+ 	p.process.ops = p
+ 	p.childPipe.Close()
+ 	p.rootDir.Close()
++	logs.CloseChild()
+ 	if err != nil {
+ 		p.process.ops = nil
+ 		return newSystemErrorWithCause(err, "starting init process command")
+-- 
+2.27.0
+

patch/0129-runc-improve-log-for-debugging.patch

@@ -0,0 +1,297 @@
+From da07a376d48d2d589f8ce5669f93450da4f01521 Mon Sep 17 00:00:00 2001
+From: xiadanni <xiadanni1@huawei.com>
+Date: Mon, 25 Oct 2021 15:57:42 +0800
+Subject: [PATCH] runc: improve log for debugging
+
+add following logs for debugging
+1. print pid and memory cgroup information when container init process
+   start fail.
+2. improve error return in execSetns()
+3. using logpipe to support for logging from child process
+4. add log when init() finished in child process for debug
+
+Signed-off-by: xiadanni <xiadanni1@huawei.com>
+---
+ libcontainer/factory_linux.go       | 13 +++++++++----
+ libcontainer/init_linux.go          |  4 +++-
+ libcontainer/logs/logs.go           |  2 +-
+ libcontainer/nsenter/nsexec.c       |  1 -
+ libcontainer/process_linux.go       | 10 +++++-----
+ libcontainer/setns_init_linux.go    |  5 +++++
+ libcontainer/standard_init_linux.go | 18 ++++++++++++++----
+ main.go                             |  6 +++++-
+ main_unix.go                        | 10 ++++++++++
+ 9 files changed, 52 insertions(+), 17 deletions(-)
+
+diff --git a/libcontainer/factory_linux.go b/libcontainer/factory_linux.go
+index fe9ce242..e4ef5184 100644
+--- a/libcontainer/factory_linux.go
++++ b/libcontainer/factory_linux.go
+@@ -4,15 +4,15 @@ package libcontainer
+ 
+ import (
+ 	"encoding/json"
++	"errors"
+ 	"fmt"
++	"io/ioutil"
+ 	"os"
+ 	"path/filepath"
+ 	"regexp"
+ 	"runtime/debug"
+ 	"strconv"
+ 	"syscall"
+-	"io/ioutil"
+-	"errors"
+ 
+ 	"github.com/docker/docker/pkg/mount"
+ 	"github.com/opencontainers/runc/libcontainer/cgroups"
+@@ -281,6 +281,11 @@ func (l *LinuxFactory) StartInitialization() (err error) {
+ 		defer consoleSocket.Close()
+ 	}
+ 
++	logPipeFd, err2 := strconv.Atoi(os.Getenv("_LIBCONTAINER_LOGPIPE"))
++	if err2 != nil {
++		logPipeFd = 0
++	}
++
+ 	// clear the current process's environment to clean any libcontainer
+ 	// specific env vars.
+ 	os.Clearenv()
+@@ -303,7 +308,7 @@ func (l *LinuxFactory) StartInitialization() (err error) {
+ 		}
+ 	}()
+ 
+-	i, err := newContainerInit(it, pipe, consoleSocket, rootfd)
++	i, err := newContainerInit(it, pipe, consoleSocket, rootfd, logPipeFd)
+ 	if err != nil {
+ 		return err
+ 	}
+@@ -346,7 +351,7 @@ func (l *LinuxFactory) updateStateCapabilites(compatState *CompatState, configPa
+ 			var memSize int64 = int64(memorySwappiness)
+ 			if memSize < 0 {
+ 				memSize = 0
+-				var memUSize uint64 = uint64(memSize-1)
++				var memUSize uint64 = uint64(memSize - 1)
+ 				compatState.Config.Cgroups.MemorySwappiness = &memUSize
+ 				needUpdate = true
+ 			}
+diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
+index ee632b4c..e9a83e9b 100644
+--- a/libcontainer/init_linux.go
++++ b/libcontainer/init_linux.go
+@@ -66,7 +66,7 @@ type initer interface {
+ 	Init() error
+ }
+ 
+-func newContainerInit(t initType, pipe *os.File, consoleSocket *os.File, stateDirFD int) (initer, error) {
++func newContainerInit(t initType, pipe *os.File, consoleSocket *os.File, stateDirFD, logFd int) (initer, error) {
+ 	var config *initConfig
+ 	if err := json.NewDecoder(pipe).Decode(&config); err != nil {
+ 		return nil, err
+@@ -81,6 +81,7 @@ func newContainerInit(t initType, pipe *os.File, consoleSocket *os.File, stateDi
+ 			pipe:          pipe,
+ 			consoleSocket: consoleSocket,
+ 			config:        config,
++			logFd:         logFd,
+ 		}, nil
+ 	case initStandard:
+ 		return &linuxStandardInit{
+@@ -89,6 +90,7 @@ func newContainerInit(t initType, pipe *os.File, consoleSocket *os.File, stateDi
+ 			parentPid:     syscall.Getppid(),
+ 			config:        config,
+ 			stateDirFD:    stateDirFD,
++			logFd:         logFd,
+ 		}, nil
+ 	}
+ 	return nil, fmt.Errorf("unknown init type %q", t)
+diff --git a/libcontainer/logs/logs.go b/libcontainer/logs/logs.go
+index 219fe382..408a1480 100644
+--- a/libcontainer/logs/logs.go
++++ b/libcontainer/logs/logs.go
+@@ -64,5 +64,5 @@ func processEntry(text []byte) {
+ 		logrus.Errorf("failed to decode %q to json: %v", text, err)
+ 		return
+ 	}
+-	logrus.Errorf("error from child %s", jl.Msg)
++	logrus.Infof("log from child: %s", jl.Msg)
+ }
+diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
+index 8e059e09..0075b6e4 100644
+--- a/libcontainer/nsenter/nsexec.c
++++ b/libcontainer/nsenter/nsexec.c
+@@ -913,7 +913,6 @@ void nsexec(void)
+ 			/* Free netlink data. */
+ 			nl_free(&config);
+ 
+-			close(logfd);
+ 			/* Finish executing, let the Go runtime take over. */
+ 			return;
+ 		}
+diff --git a/libcontainer/process_linux.go b/libcontainer/process_linux.go
+index 0c5cd47c..5cdc30c4 100644
+--- a/libcontainer/process_linux.go
++++ b/libcontainer/process_linux.go
+@@ -16,9 +16,9 @@ import (
+ 	"github.com/Sirupsen/logrus"
+ 	"github.com/opencontainers/runc/libcontainer/cgroups"
+ 	"github.com/opencontainers/runc/libcontainer/configs"
++	"github.com/opencontainers/runc/libcontainer/logs"
+ 	"github.com/opencontainers/runc/libcontainer/system"
+ 	"github.com/opencontainers/runc/libcontainer/utils"
+-	"github.com/opencontainers/runc/libcontainer/logs"
+ 	"golang.org/x/sys/unix"
+ )
+ 
+@@ -137,7 +137,7 @@ func (p *setnsProcess) execSetns() error {
+ 	}
+ 	if !status.Success() {
+ 		p.cmd.Wait()
+-		return newSystemError(&exec.ExitError{ProcessState: status})
++		return newSystemErrorWithCause(&exec.ExitError{ProcessState: status}, "getting setns process status")
+ 	}
+ 	var pid *pid
+ 	if err := json.NewDecoder(p.parentPipe).Decode(&pid); err != nil {
+@@ -224,16 +224,16 @@ func (p *initProcess) execSetns() error {
+ 	status, err := p.cmd.Process.Wait()
+ 	if err != nil {
+ 		p.cmd.Wait()
+-		return err
++		return newSystemErrorWithCause(err, "waiting on setns process to finish")
+ 	}
+ 	if !status.Success() {
+ 		p.cmd.Wait()
+-		return &exec.ExitError{ProcessState: status}
++		return newSystemErrorWithCause(&exec.ExitError{ProcessState: status}, "getting setns process status")
+ 	}
+ 	var pid *pid
+ 	if err := json.NewDecoder(p.parentPipe).Decode(&pid); err != nil {
+ 		p.cmd.Wait()
+-		return err
++		return newSystemErrorWithCause(err, "reading pid from init pipe")
+ 	}
+ 
+ 	// Clean up the zombie parent process
+diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go
+index b3fab219..1f7ec98b 100644
+--- a/libcontainer/setns_init_linux.go
++++ b/libcontainer/setns_init_linux.go
+@@ -21,6 +21,7 @@ type linuxSetnsInit struct {
+ 	pipe          *os.File
+ 	consoleSocket *os.File
+ 	config        *initConfig
++	logFd         int
+ }
+ 
+ func (l *linuxSetnsInit) getSessionRingName() string {
+@@ -68,5 +69,9 @@ func (l *linuxSetnsInit) Init() error {
+ 	if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil {
+ 		return err
+ 	}
++	if l.logFd != 0 {
++		syscall.Close(l.logFd)
++	}
++
+ 	return system.Execv(l.config.Args[0], l.config.Args[0:], os.Environ())
+ }
+diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
+index b985180a..53c81e9f 100644
+--- a/libcontainer/standard_init_linux.go
++++ b/libcontainer/standard_init_linux.go
+@@ -27,6 +27,7 @@ type linuxStandardInit struct {
+ 	parentPid     int
+ 	stateDirFD    int
+ 	config        *initConfig
++	logFd         int
+ }
+ 
+ func (l *linuxStandardInit) getSessionRingParams() (string, uint32, uint32) {
+@@ -181,6 +182,10 @@ func (l *linuxStandardInit) Init() error {
+ 	// close the pipe to signal that we have completed our init.
+ 	l.pipe.Close()
+ 
++	if l.logFd != 0 {
++		syscall.Close(l.logFd)
++	}
++
+ 	// wait for the fifo to be opened on the other side before
+ 	// exec'ing the users process.
+ 	ch := make(chan Error, 1)
+@@ -222,13 +227,18 @@ func (l *linuxStandardInit) Init() error {
+ }
+ 
+ func printCgroupInfo(path string) {
++	cgroupRoot := "/sys/fs/cgroup"
+ 	infoFileList := []string{
+ 		"/proc/meminfo",
+ 		"/sys/fs/cgroup/memory/memory.stat",
+-		filepath.Join("/sys/fs/cgroup/files", path, "/files.limit"),
+-		filepath.Join("/sys/fs/cgroup/files", path, "/files.usage"),
+-		filepath.Join("/sys/fs/cgroup/memory", path, "/memory.stat"),
+-		filepath.Join("/sys/fs/cgroup/cpu", path, "/cpu.stat"),
++		filepath.Join(cgroupRoot, "files", path, "files.limit"),
++		filepath.Join(cgroupRoot, "files", path, "files.usage"),
++		filepath.Join(cgroupRoot, "pids", path, "pids.max"),
++		filepath.Join(cgroupRoot, "pids", path, "pids.current"),
++		filepath.Join(cgroupRoot, "memory", path, "memory.usage_in_bytes"),
++		filepath.Join(cgroupRoot, "memory", path, "memory.limit_in_bytes"),
++		filepath.Join(cgroupRoot, "memory", path, "memory.stat"),
++		filepath.Join(cgroupRoot, "cpu", path, "cpu.stat"),
+ 	}
+ 	for _, file := range infoFileList {
+ 		printFileContent(file)
+diff --git a/main.go b/main.go
+index 04762424..4141ec56 100644
+--- a/main.go
++++ b/main.go
+@@ -10,7 +10,7 @@ import (
+ 	"time"
+ 
+ 	"github.com/Sirupsen/logrus"
+-	"github.com/Sirupsen/logrus/hooks/syslog"
++	logrus_syslog "github.com/Sirupsen/logrus/hooks/syslog"
+ 	"github.com/opencontainers/runtime-spec/specs-go"
+ 	"github.com/urfave/cli"
+ )
+@@ -118,6 +118,10 @@ func main() {
+ 		updateCommand,
+ 	}
+ 	app.Before = func(context *cli.Context) error {
++		if logrus.StandardLogger().Out != logrus.New().Out {
++			return nil
++		}
++
+ 		if path := context.GlobalString("log"); path != "" {
+ 			f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_APPEND|os.O_SYNC, 0666)
+ 			if err != nil {
+diff --git a/main_unix.go b/main_unix.go
+index 56904e08..45e6df61 100644
+--- a/main_unix.go
++++ b/main_unix.go
+@@ -6,7 +6,9 @@ import (
+ 	"fmt"
+ 	"os"
+ 	"runtime"
++	"strconv"
+ 
++	"github.com/Sirupsen/logrus"
+ 	"github.com/opencontainers/runc/libcontainer"
+ 	_ "github.com/opencontainers/runc/libcontainer/nsenter"
+ 	"github.com/urfave/cli"
+@@ -16,6 +18,14 @@ func init() {
+ 	if len(os.Args) > 1 && os.Args[1] == "init" {
+ 		runtime.GOMAXPROCS(1)
+ 		runtime.LockOSThread()
++
++		logPipeFd, err := strconv.Atoi(os.Getenv("_LIBCONTAINER_LOGPIPE"))
++		if err != nil {
++			return
++		}
++		logrus.SetOutput(os.NewFile(uintptr(logPipeFd), "logpipe"))
++		logrus.SetFormatter(new(logrus.JSONFormatter))
++		logrus.Info("child process init-function finished")
+ 	}
+ }
+ 
+-- 
+2.27.0
+

patch/0130-runc-fix-cgroup-info-print-error.patch

@@ -0,0 +1,50 @@
+From 107de8857b41b5ac3c2d1230383e3855fac872de Mon Sep 17 00:00:00 2001
+From: xiadanni <xiadanni1@huawei.com>
+Date: Tue, 7 Dec 2021 20:40:52 +0800
+Subject: [PATCH] runc: fix cgroup info print error
+
+reason: still using syslog hook to print logrus in create-init,
+as logPipe will be closed before printCgroupInfo() called, cgroup info
+could not be printed by logPipe.
+
+Signed-off-by: xiadanni <xiadanni1@huawei.com>
+---
+ main_unix.go | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/main_unix.go b/main_unix.go
+index 45e6df61..0355b276 100644
+--- a/main_unix.go
++++ b/main_unix.go
+@@ -19,13 +19,14 @@ func init() {
+ 		runtime.GOMAXPROCS(1)
+ 		runtime.LockOSThread()
+ 
+-		logPipeFd, err := strconv.Atoi(os.Getenv("_LIBCONTAINER_LOGPIPE"))
+-		if err != nil {
+-			return
++		if initType := os.Getenv("_LIBCONTAINER_INITTYPE"); initType == "setns" {
++			logPipeFd, err := strconv.Atoi(os.Getenv("_LIBCONTAINER_LOGPIPE"))
++			if err != nil {
++				return
++			}
++			logrus.SetOutput(os.NewFile(uintptr(logPipeFd), "logpipe"))
++			logrus.SetFormatter(new(logrus.JSONFormatter))
+ 		}
+-		logrus.SetOutput(os.NewFile(uintptr(logPipeFd), "logpipe"))
+-		logrus.SetFormatter(new(logrus.JSONFormatter))
+-		logrus.Info("child process init-function finished")
+ 	}
+ }
+ 
+@@ -33,6 +34,7 @@ var initCommand = cli.Command{
+ 	Name:  "init",
+ 	Usage: `initialize the namespaces and launch the process (do not call it outside of runc)`,
+ 	Action: func(context *cli.Context) error {
++		logrus.Info("child process init-command start")
+ 		factory, _ := libcontainer.New("")
+ 		if err := factory.StartInitialization(); err != nil {
+ 			fmt.Fprintf(os.Stderr, "libcontainer: container start initialization failed: %s", err)
+-- 
+2.27.0
+

runc.spec

@@ -4,7 +4,7 @@
 
 Name: docker-runc
 Version: 1.0.0.rc3
-Release: 114
+Release: 115
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
 
 License: ASL 2.0
@@ -35,6 +35,7 @@ cp %{SOURCE4} .
 sh ./apply-patch 
 
 mkdir -p .gopath/src/github.com/opencontainers
+export GO111MODULE=off
 export GOPATH=`pwd`/.gopath
 ln -sf `pwd` .gopath/src/github.com/opencontainers/runc
 cd .gopath/src/github.com/opencontainers/runc
@@ -52,6 +53,19 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
 %{_bindir}/runc
 
 %changelog
+* Tue Jan 26 2022 songyanting <songyanting@huawei.com> - 1.0.0.rc3-115
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:sync bugfix, include
+       1. add check in spec
+       2. add mount destination validation(fix CVE-2021-30465)
+       3. fix backport patch apply ignored
+       4. optimize nsexec logging
+       5. improve log for debugging
+       6. fix cgroup info print error
+       7. support unit test
+
 * Tue Oct 26 2021 chenchen <chen_aka_jan@163.com> - 1.0.0.rc3-114
 - change the spec file name to be the same as the repo name
 

series.conf

@@ -1,126 +1,131 @@
-0001-.travis.yml-Don-t-require-FETCH_HEAD.patch
+patch/0001-.travis.yml-Don-t-require-FETCH_HEAD.patch
-0002-Don-t-try-to-read-freezer.state-from-the-cu.patch
+patch/0002-Don-t-try-to-read-freezer.state-from-the-cu.patch
-0003-Use-opencontainers-selinux-package.patch
+patch/0003-Use-opencontainers-selinux-package.patch
-0004-handle-unprivileged-operations-and-dumpable.patch
+patch/0004-handle-unprivileged-operations-and-dumpable.patch
-0005-runc-add-support-for-rootless-containers.patch
+patch/0005-runc-add-support-for-rootless-containers.patch
-0006-rootless-add-rootless-cgroup-manager.patch
+patch/0006-rootless-add-rootless-cgroup-manager.patch
-0007-libcontainer-configs-add-proper-HostUID-and.patch
+patch/0007-libcontainer-configs-add-proper-HostUID-and.patch
-0008-libcontainer-init-fix-unmapped-console-fcho.patch
+patch/0008-libcontainer-init-fix-unmapped-console-fcho.patch
-0009-rootless-add-autogenerated-rootless-config-.patch
+patch/0009-rootless-add-autogenerated-rootless-config-.patch
-0010-integration-added-root-requires.patch
+patch/0010-integration-added-root-requires.patch
-0011-tests-add-rootless-integration-tests.patch
+patch/0011-tests-add-rootless-integration-tests.patch
-0012-vendor-add-golang.org-x-sys-unix-9a7256cb28.patch
+patch/0012-vendor-add-golang.org-x-sys-unix-9a7256cb28.patch
-0013-libcontainer-rewrite-cmsg-to-use-sys-unix.patch
+patch/0013-libcontainer-rewrite-cmsg-to-use-sys-unix.patch
-0014-Set-container-state-only-once-during-start.patch
+patch/0014-Set-container-state-only-once-during-start.patch
-0015-checkpoint-check-if-system-supports-pre-dum.patch
+patch/0015-checkpoint-check-if-system-supports-pre-dum.patch
-0016-Fix-console-syscalls.patch
+patch/0016-Fix-console-syscalls.patch
-0017-restore-apply-resource-limits.patch
+patch/0017-restore-apply-resource-limits.patch
-0018-could-load-a-stopped-container.patch
+patch/0018-could-load-a-stopped-container.patch
-0019-Revert-back-to-using-sbin.patch
+patch/0019-Revert-back-to-using-sbin.patch
-0020-add-testcase-in-generic_error_test.go.patch
+patch/0020-add-testcase-in-generic_error_test.go.patch
-0021-Fix-misspelling-of-properties-in-various-pl.patch
+patch/0021-Fix-misspelling-of-properties-in-various-pl.patch
-0022-Add-a-rootless-containers-section-on-README.patch
+patch/0022-Add-a-rootless-containers-section-on-README.patch
-0023-vendor-clean-up-to-be-better-written.patch
+patch/0023-vendor-clean-up-to-be-better-written.patch
-0024-Optimizing-looping-over-namespaces.patch
+patch/0024-Optimizing-looping-over-namespaces.patch
-0025-Add-a-rootless-section-to-spec-man-page-and.patch
+patch/0025-Add-a-rootless-section-to-spec-man-page-and.patch
-0026-Allow-updating-container-pids-limit.patch
+patch/0026-Allow-updating-container-pids-limit.patch
-0027-Remove-redundant-declaraion-of-namespace-sl.patch
+patch/0027-Remove-redundant-declaraion-of-namespace-sl.patch
-0028-Revert-saneTerminal.patch
+patch/0028-Revert-saneTerminal.patch
-0029-vendor-runtime-spec-fork-docker-runtime-spe.patch
+patch/0029-vendor-runtime-spec-fork-docker-runtime-spe.patch
-0030-Update-memory-specs-to-use-int64-not-uint64.patch
+patch/0030-Update-memory-specs-to-use-int64-not-uint64.patch
-0031-Add-spec-for-euleros.patch
+patch/0031-Add-spec-for-euleros.patch
-0032-runc-17-Always-save-own-namespace-paths.patch
+patch/0032-runc-17-Always-save-own-namespace-paths.patch
-0033-runc-change-runc-default-umask-to-027.patch
+patch/0033-runc-change-runc-default-umask-to-027.patch
-0034-runc-17-Add-some-compatibility-code-to-surpor.patch
+patch/0034-runc-17-Add-some-compatibility-code-to-surpor.patch
-0035-runc-17-Add-root-to-HookState-for-compatibili.patch
+patch/0035-runc-17-Add-root-to-HookState-for-compatibili.patch
-0036-runc-17-add-compatibility-for-docker-1.11.2.patch
+patch/0036-runc-17-add-compatibility-for-docker-1.11.2.patch
-0037-docker-Don-t-enalbe-kmem-accounting-by-defa.patch
+patch/0037-docker-Don-t-enalbe-kmem-accounting-by-defa.patch
-0039-Fix-unittest-and-integration-test-error-cause.patch
+patch/0039-Fix-unittest-and-integration-test-error-cause.patch
-0041-Add-timeout-for-syscall.Openat.patch
+patch/0041-Add-timeout-for-syscall.Openat.patch
-0042-update-state-earlier-to-avoid-cgroup-leak-whe.patch
+patch/0042-update-state-earlier-to-avoid-cgroup-leak-whe.patch
-0043-runc-Use-rslave-instead-of-rprivate-in-chro.patch
+patch/0043-runc-Use-rslave-instead-of-rprivate-in-chro.patch
-0044-runc-default-mount-propagation-correctly.patch
+patch/0044-runc-default-mount-propagation-correctly.patch
-0045-runc-add-hook-specific-info-when-error-occurr.patch
+patch/0045-runc-add-hook-specific-info-when-error-occurr.patch
-0046-runc-print-cgroup-info-if-cpuset-missing-occu.patch
+patch/0046-runc-print-cgroup-info-if-cpuset-missing-occu.patch
-0047-runc-add-more-specific-log-for-hooks.patch
+patch/0047-runc-add-more-specific-log-for-hooks.patch
-0048-runc-Only-configure-networking.patch
+patch/0048-runc-Only-configure-networking.patch
-0049-cgroups-fs-fix-NPE-on-Destroy-than-no-cgrou.patch
+patch/0049-cgroups-fs-fix-NPE-on-Destroy-than-no-cgrou.patch
-0050-runc-Avoid-race-when-opening-exec-fifo.patch
+patch/0050-runc-Avoid-race-when-opening-exec-fifo.patch
-0051-runc-Return-from-goroutine-when-it-should-t.patch
+patch/0051-runc-Return-from-goroutine-when-it-should-t.patch
-0052-runc-reduce-max-number-of-retries-to-10.patch
+patch/0052-runc-reduce-max-number-of-retries-to-10.patch
-0053-runc-print-error-message-during-start-into-co.patch
+patch/0053-runc-print-error-message-during-start-into-co.patch
-0054-runc-ignore-exec.fifo-removing-not-exist-erro.patch
+patch/0054-runc-ignore-exec.fifo-removing-not-exist-erro.patch
-0055-Add-file-fds-limit.patch
+patch/0055-Add-file-fds-limit.patch
-0056-runc-Modify-max-files.limit-to-max-because-of.patch
+patch/0056-runc-Modify-max-files.limit-to-max-because-of.patch
-0057-runc-change-read-value-of-cgroup-files.limit-.patch
+patch/0057-runc-change-read-value-of-cgroup-files.limit-.patch
-0058-runc-fix-panic-when-Linux-is-nil.patch
+patch/0058-runc-fix-panic-when-Linux-is-nil.patch
-0059-Fix-setup-cgroup-before-prestart-hook.patch
+patch/0059-Fix-setup-cgroup-before-prestart-hook.patch
-0060-runc-runc-logs-forwarding-to-syslog.patch
+patch/0060-runc-runc-logs-forwarding-to-syslog.patch
-0061-runc-17-change-golang-build-version-to-make-o.patch
+patch/0061-runc-17-change-golang-build-version-to-make-o.patch
-0062-runc-Check-the-hook-timeout-in-case-overflow.patch
+patch/0062-runc-Check-the-hook-timeout-in-case-overflow.patch
-0063-docker-close-openchan-immediately-to-avoid-er.patch
+patch/0063-docker-close-openchan-immediately-to-avoid-er.patch
-0064-runc-bump-to-v1.0.0.rc3.4-after-normalization.patch
+patch/0064-runc-bump-to-v1.0.0.rc3.4-after-normalization.patch
-0065-runc-support-namespaced-kernel-params-can-be-.patch
+patch/0065-runc-support-namespaced-kernel-params-can-be-.patch
-0066-runc-bump-to-v1.0.0.rc3.6.patch
+patch/0066-runc-bump-to-v1.0.0.rc3.6.patch
-0067-runc-make-the-runc-log-more-useful.patch
+patch/0067-runc-make-the-runc-log-more-useful.patch
-0068-runc-reduced-the-same-log-when-the-hook-exect.patch
+patch/0068-runc-reduced-the-same-log-when-the-hook-exect.patch
-0069-runc-Change-Files-to-LinuxFiles-for-file-limi.patch
+patch/0069-runc-Change-Files-to-LinuxFiles-for-file-limi.patch
-0070-runc-not-print-no-such-file-when-cli-err.patch
+patch/0070-runc-not-print-no-such-file-when-cli-err.patch
-0071-runc-revert-Change-Files-to-LinuxFiles-for-fi.patch
+patch/0071-runc-revert-Change-Files-to-LinuxFiles-for-fi.patch
-0072-Revert-runc-not-print-no-such-file-when-cli-e.patch
+patch/0072-Revert-runc-not-print-no-such-file-when-cli-e.patch
-0073-runc-fix-state.json-no-such-file-or-directory.patch
+patch/0073-runc-fix-state.json-no-such-file-or-directory.patch
-0074-runc-fix-check-sysctl-in-host-network-mode.patch
+patch/0074-runc-fix-check-sysctl-in-host-network-mode.patch
-0075-runc-Fix-systemd-journald-service-dependency.patch
+patch/0075-runc-Fix-systemd-journald-service-dependency.patch
-0076-runc-Fix-syslog-hook-bug.patch
+patch/0076-runc-Fix-syslog-hook-bug.patch
-0077-runc-Require-libseccomp-static-lib-for-upgrade-f.patch
+patch/0077-runc-Require-libseccomp-static-lib-for-upgrade-f.patch
-0078-runc-Fix-race-in-runc-exec.patch
+patch/0078-runc-Fix-race-in-runc-exec.patch
-0079-runc-modify-spec-file-for-upgrade.patch
+patch/0079-runc-modify-spec-file-for-upgrade.patch
-0080-runc-support-specify-umask.patch
+patch/0080-runc-support-specify-umask.patch
-0081-runc-fix-oom-killer-disable-unhandled-due-t.patch
+patch/0081-runc-fix-oom-killer-disable-unhandled-due-t.patch
-0082-runc-make-runc-spec-and-docker-18.9-compati.patch
+patch/0082-runc-make-runc-spec-and-docker-18.9-compati.patch
-0083-log-fix-runc-log-decode-failed.patch
+patch/0083-log-fix-runc-log-decode-failed.patch
-0084-oci-fix-runc-panic-and-support-oom-score.patch
+patch/0084-oci-fix-runc-panic-and-support-oom-score.patch
-0085-runc-do-not-setup-sysctl-in-runc-when-userns-.patch
+patch/0085-runc-do-not-setup-sysctl-in-runc-when-userns-.patch
-0086-runc-support-set-seccomp-priority.patch
+patch/0086-runc-support-set-seccomp-priority.patch
-0087-runc-fix-spec-LinuxSyscall-struct.patch
+patch/0087-runc-fix-spec-LinuxSyscall-struct.patch
-0088-nsenter-clone-proc-self-exe-to-avoid-exposi.patch
+patch/0088-nsenter-clone-proc-self-exe-to-avoid-exposi.patch
-0089-Revert-nsenter-clone-proc-self-exe-to-avoid.patch
+patch/0089-Revert-nsenter-clone-proc-self-exe-to-avoid.patch
-0090-nsenter-clone-proc-self-exe-to-avoid-exposi.patch
+patch/0090-nsenter-clone-proc-self-exe-to-avoid-exposi.patch
-0091-runc-cve-2019-5736-workaround-if-memfd_create.patch
+patch/0091-runc-cve-2019-5736-workaround-if-memfd_create.patch
-0092-runc-cve-2019-5736-fix-build-failure.patch
+patch/0092-runc-cve-2019-5736-fix-build-failure.patch
-0093-runc-fix-error-when-check-the-init-process.patch
+patch/0093-runc-fix-error-when-check-the-init-process.patch
-0094-runc-If-tmp-is-mounted-by-option-noexec-docke.patch
+patch/0094-runc-If-tmp-is-mounted-by-option-noexec-docke.patch
-0095-runc-just-warning-when-poststart-and-poststop.patch
+patch/0095-runc-just-warning-when-poststart-and-poststop.patch
-0096-runc-do-not-kill-container-if-poststart-hooks.patch
+patch/0096-runc-do-not-kill-container-if-poststart-hooks.patch
-0097-runc-Fix-mountpoint-leak-and-pivot_root-error.patch
+patch/0097-runc-Fix-mountpoint-leak-and-pivot_root-error.patch
-0098-runc-fix-read-only-containers-under-userns-.patch
+patch/0098-runc-fix-read-only-containers-under-userns-.patch
-0099-runc-enable-bep-ldflags.patch
+patch/0099-runc-enable-bep-ldflags.patch
-0100-runc-set-makefile-buildid.patch
+patch/0100-runc-set-makefile-buildid.patch
-0101-runc-print-memory-info-when-syscall.Exec-fail.patch
+patch/0101-runc-print-memory-info-when-syscall.Exec-fail.patch
-0102-runc-add-sysctl-kernel.pid_max-to-whitelist.patch
+patch/0102-runc-add-sysctl-kernel.pid_max-to-whitelist.patch
-0104-runc-Retry-adding-pids-to-cgroups-when-EINV.patch
+patch/0104-runc-Retry-adding-pids-to-cgroups-when-EINV.patch
-0105-runc-disable-core-dump-during-pipe-io.patch
+patch/0105-runc-disable-core-dump-during-pipe-io.patch
-0106-runc-do-not-override-devices.allow-file-when-.patch
+patch/0106-runc-do-not-override-devices.allow-file-when-.patch
-0107-runc-fix-exec-problem-caused-by-libseccomp-up.patch
+patch/0107-runc-fix-exec-problem-caused-by-libseccomp-up.patch
-0108-runc-print-files-limit-and-usage-when-exec-fa.patch
+patch/0108-runc-print-files-limit-and-usage-when-exec-fa.patch
-0109-runc-add-copyright.patch
+patch/0109-runc-add-copyright.patch
-0110-runc-add-lisence.patch
+patch/0110-runc-add-lisence.patch
-0111-runc-add-log-message-for-cgroup-file-check.patch
+patch/0111-runc-add-log-message-for-cgroup-file-check.patch
-0112-runc-add-log-message-for-cgroup-file-check.patch
+patch/0112-runc-add-log-message-for-cgroup-file-check.patch
-0113-runc-modify-files-cgroup-info-reading-path.patch
+patch/0113-runc-modify-files-cgroup-info-reading-path.patch
-0112-runc-Fixes-1585-config.Namespaces-is-empty-.patch
+patch/0112-runc-Fixes-1585-config.Namespaces-is-empty-.patch
-0113-runc-Write-freezer-state-after-every-state-.patch
+patch/0113-runc-Write-freezer-state-after-every-state-.patch
-0114-runc-may-kill-other-process-when-container-.patch
+patch/0114-runc-may-kill-other-process-when-container-.patch
-0115-runc-Fix-cgroup-hugetlb-size-prefix-for-kB.patch
+patch/0115-runc-Fix-cgroup-hugetlb-size-prefix-for-kB.patch
-0116-runc-check-nil-pointers-in-cgroup-manager.patch
+patch/0116-runc-check-nil-pointers-in-cgroup-manager.patch
-0117-runc-Pass-back-the-pid-of-runc-1-CHILD-so-w.patch
+patch/0117-runc-Pass-back-the-pid-of-runc-1-CHILD-so-w.patch
-0118-runc-don-t-deny-all-devices-when-update-cgroup-resou.patch
+patch/0118-runc-don-t-deny-all-devices-when-update-cgroup-resou.patch
-0118-runc-rootfs-do-not-permit-proc-mounts-to-no.patch
+patch/0118-runc-rootfs-do-not-permit-proc-mounts-to-no.patch
-0119-runc-use-git-commit-to-store-commit-ID.patch
+patch/0119-runc-use-git-commit-to-store-commit-ID.patch
-0120-runc-fix-permission-denied.patch
+patch/0120-runc-fix-permission-denied.patch
-0121-runc-add-sys-symbol-to-support-riscv.patch
+patch/0121-runc-add-sys-symbol-to-support-riscv.patch
-0122-runc-add-riscv-on-existing-files.patch
+patch/0122-runc-add-riscv-on-existing-files.patch
-0121-runc-add-cpu-and-memory-info-when-print-cgroup-info.patch
+patch/0121-runc-add-cpu-and-memory-info-when-print-cgroup-info.patch
-0124-runc-fix-freezing-race.patch
+patch/0124-runc-fix-freezing-race.patch
-0125-runc-compile-option-compliance.patch
+patch/0125-runc-compile-option-compliance.patch
+patch/0126-runc-add-check-in-spec.patch
+patch/0127-runc-add-mount-destination-validation-fix-CVE-2021.patch
+patch/0128-runc-optimize-nsexec-logging.patch
+patch/0129-runc-improve-log-for-debugging.patch
+patch/0130-runc-fix-cgroup-info-print-error.patch
 #end

test_unit.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# Copyright (c) Huawei Technologies Co., Ltd. 2021. All rights reserved.
+# Description: This shell script is used to do unit test.
+# Author: xiadanni1@huawei.com
+# Create: 2021-12-20                                                     
+
+test_log=${PWD}/unit_test_log
+rm -rf "${test_log}"
+touch "${test_log}"
+while IPF= read -r line
+do
+    echo "Start to test: ${line}"
+    go test -timeout 300s -v "${line}" >> "${test_log}"
+    cat "${test_log}" | grep -E -- "--- FAIL:|^FAIL"
+    if [ $? -eq 0 ]; then
+        echo "Testing failed... Please check ${test_log}"
+        exit 1
+    fi
+    tail -n 1 "${test_log}"
+done < "unit_test_list"

unit_test_list

@@ -0,0 +1,12 @@
+github.com/opencontainers/runc/libcontainer
+github.com/opencontainers/runc/libcontainer/specconv
+github.com/opencontainers/runc/libcontainer/devices
+github.com/opencontainers/runc/libcontainer/stacktrace
+github.com/opencontainers/runc/libcontainer/xattr
+github.com/opencontainers/runc/libcontainer/seccomp
+github.com/opencontainers/runc/libcontainer/cgroups
+github.com/opencontainers/runc/libcontainer/cgroups/fs
+github.com/opencontainers/runc/libcontainer/configs/validate
+github.com/opencontainers/runc/libcontainer/system
+github.com/opencontainers/runc/libcontainer/nsenter
+github.com/opencontainers/runc/libcontainer/user