path: root/app-emulation/runc
authorV3n3RiX <venerix@redcorelinux.org>2018-02-17 20:03:52 +0000
committerV3n3RiX <venerix@redcorelinux.org>2018-02-17 20:03:52 +0000
commit4935506e9a5cbfabd37c64093eac5f36c2ff0017 (patch)
treeaf9dd93ea349eacaf28286c7c45c7a083b0b7c31 /app-emulation/runc
parent434d713861b70f6c6563d6ee50a8e64f14c970d9 (diff)
gentoo resync : 17.02.2018
Diffstat (limited to 'app-emulation/runc')
-rw-r--r--app-emulation/runc/Manifest1
-rw-r--r--app-emulation/runc/files/runc-1.0.0_rc2-init-non-dumpable.patch108
2 files changed, 0 insertions, 109 deletions
diff --git a/app-emulation/runc/Manifest b/app-emulation/runc/Manifest
index 5e516c8fcb33..3d7b48d4c9fe 100644
--- a/app-emulation/runc/Manifest
+++ b/app-emulation/runc/Manifest
@@ -1,4 +1,3 @@
-AUX runc-1.0.0_rc2-init-non-dumpable.patch 4016 BLAKE2B 8f39ce2a9862939b797e5b9ca74c990669afa3ff966b5a9b4e0d97d57fc390af715785272100940c73414209012de2cc9720fd97103442fb4477c00fbd8666a4 SHA512 2e10cc4ea85f0a95c53a4de6922b8a20395b6225f06449b9f3a994a79113f476563bb6acf365ba12de7896fc537141130790e14de1c612b97e283eeb82877139
DIST runc-1.0.0_rc4.tar.gz 1090513 BLAKE2B 276303e2085eddd549290e3af1a3af4570d0aef43f66f956267451810b0f0fb77f13ed12fe13b76efcd820fc7e0b46eac370a062f43c8600091a807cb12cf733 SHA512 cc2ae38b96f3f3355d9ba26f7af15c57975276aeaf58dcfe7fe5f0f0411ece8584a7cb51ae7fdd2f4109366f55ac8dfb86f225e26377fe07b685bbc56a2518ed
EBUILD runc-1.0.0_rc4.ebuild 1256 BLAKE2B 7f7b657ae6f25116fbb7945a4c1e4c3690b736965152be821491ea4fdf4cd5ed5e0b3d7dd1a95607f40706e78f1aadab95b2b5d93324adf0ac7ce94c2cb7b463 SHA512 5236b7ffc8c95960f1590d59bb1dccedb4755aea162c9c5c2cce6239fffbf8a2d951bac4c19bcd513335aa9bff24865f1cb0a1ef2909cdea416d8c18684f96ec
EBUILD runc-9999.ebuild 1080 BLAKE2B 09034744e5842eb2a340b3095ee3098c58b0853d81ee899b2b8e84c15ffe59638bfc6fb89d158edd4271f1e630c97dafdb4cbe7fb9286049dfe2bbf5eef213ed SHA512 b026b5cbfd44e110a2c2cd72125c757c6b957137fe9491b85e1f25014b564226a3e76c23ea463fd4d7ad742228b2b7bc533aa6b2539b43ca5c37aa2dd07218e3
diff --git a/app-emulation/runc/files/runc-1.0.0_rc2-init-non-dumpable.patch b/app-emulation/runc/files/runc-1.0.0_rc2-init-non-dumpable.patch
deleted file mode 100644
index 486835ad826c..000000000000
--- a/app-emulation/runc/files/runc-1.0.0_rc2-init-non-dumpable.patch
+++ /dev/null
@@ -1,108 +0,0 @@
-From 50a19c6ff828c58e5dab13830bd3dacde268afe5 Mon Sep 17 00:00:00 2001
-From: Michael Crosby <crosbymichael@gmail.com>
-Date: Wed, 7 Dec 2016 15:05:51 -0800
-Subject: [PATCH] Set init processes as non-dumpable
-
-This sets the init processes that join and setup the container's
-namespaces as non-dumpable before they setns to the container's pid (or
-any other ) namespace.
-
-This settings is automatically reset to the default after the Exec in
-the container so that it does not change functionality for the
-applications that are running inside, just our init processes.
-
-This prevents parent processes, the pid 1 of the container, to ptrace
-the init process before it drops caps and other sets LSMs.
-
-This patch also ensures that the stateDirFD being used is still closed
-prior to exec, even though it is set as O_CLOEXEC, because of the order
-in the kernel.
-
-https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
-
-The order during the exec syscall is that the process is set back to
-dumpable before O_CLOEXEC are processed.
-
-Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
----
- libcontainer/init_linux.go | 3 ++-
- libcontainer/nsenter/nsexec.c | 5 +++++
- libcontainer/setns_init_linux.go | 7 ++++++-
- libcontainer/standard_init_linux.go | 3 +++
- 4 files changed, 16 insertions(+), 2 deletions(-)
-
-diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
-index b1e6762..4043d51 100644
---- a/libcontainer/init_linux.go
-+++ b/libcontainer/init_linux.go
-@@ -77,7 +77,8 @@ func newContainerInit(t initType, pipe *os.File, stateDirFD int) (initer, error)
- switch t {
- case initSetns:
- return &linuxSetnsInit{
-- config: config,
-+ config: config,
-+ stateDirFD: stateDirFD,
- }, nil
- case initStandard:
- return &linuxStandardInit{
-diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
-index b93f827..4b5398b 100644
---- a/libcontainer/nsenter/nsexec.c
-+++ b/libcontainer/nsenter/nsexec.c
-@@ -408,6 +408,11 @@ void nsexec(void)
- if (pipenum == -1)
- return;
-
-+ /* make the process non-dumpable */
-+ if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) {
-+ bail("failed to set process as non-dumpable");
-+ }
-+
- /* Parse all of the netlink configuration. */
- nl_parse(pipenum, &config);
-
-diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go
-index 2a8f345..7f5f182 100644
---- a/libcontainer/setns_init_linux.go
-+++ b/libcontainer/setns_init_linux.go
-@@ -5,6 +5,7 @@ package libcontainer
- import (
- "fmt"
- "os"
-+ "syscall"
-
- "github.com/opencontainers/runc/libcontainer/apparmor"
- "github.com/opencontainers/runc/libcontainer/keys"
-@@ -16,7 +17,8 @@ import (
- // linuxSetnsInit performs the container's initialization for running a new process
- // inside an existing container.
- type linuxSetnsInit struct {
-- config *initConfig
-+ config *initConfig
-+ stateDirFD int
- }
-
- func (l *linuxSetnsInit) getSessionRingName() string {
-@@ -49,5 +51,8 @@ func (l *linuxSetnsInit) Init() error {
- if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil {
- return err
- }
-+ // close the statedir fd before exec because the kernel resets dumpable in the wrong order
-+ // https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
-+ syscall.Close(l.stateDirFD)
- return system.Execv(l.config.Args[0], l.config.Args[0:], os.Environ())
- }
-diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
-index 2104f1a..6a65154 100644
---- a/libcontainer/standard_init_linux.go
-+++ b/libcontainer/standard_init_linux.go
-@@ -171,6 +171,9 @@ func (l *linuxStandardInit) Init() error {
- return newSystemErrorWithCause(err, "init seccomp")
- }
- }
-+ // close the statedir fd before exec because the kernel resets dumpable in the wrong order
-+ // https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
-+ syscall.Close(l.stateDirFD)
- if err := syscall.Exec(name, l.config.Args[0:], os.Environ()); err != nil {
- return newSystemErrorWithCause(err, "exec user process")
- }