packages/runc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!320 runc:allowing libct/cap to work with nil capabilities

Browse Source 
From: @jade_t 
Reviewed-by: @zhong-jiawei-1, @xuxuepeng 
Signed-off-by: @xuxuepeng
This commit is contained in:
openeuler-ci-bot 2025-03-27 01:08:30 +00:00 committed by Gitee
commit 6a9e2cda18
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
4 changed files with 68 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
git-commit
View File

@ -1 +1 @@
f93bc478fbbc54f67e5883f09d3ced9ce5789766 cb487aade572b4cb5aa3d601fb8184b080f1ef83

59
patch/0061-runc-libct-cap-allow-New-nil.patch Normal file
View File

@ -0,0 +1,59 @@
From b55c8fbbb8ecfd407a1d9eeec850b8c4885f4331 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin <kolyshkin@gmail.com>
Date: Wed, 8 Jan 2025 12:25:42 -0800
Subject: [PATCH] libct/cap: allow New(nil)
In runtime-spec, capabilities property is optional, but
libcontainer/capabilities panics when New(nil) is called.
Because of this, there's a kludge in finalizeNamespace to ensure
capabilities.New is not called with nil argument, and there's a
TestProcessEmptyCaps to ensure runc won't panic.
Let's fix this at the source, allowing libct/cap to work with nil
capabilities.
(The caller is fixed by the next commit.)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
---
libcontainer/capabilities/capabilities.go | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/libcontainer/capabilities/capabilities.go b/libcontainer/capabilities/capabilities.go
index d38b8a7c..49b842ca 100644
--- a/libcontainer/capabilities/capabilities.go
+++ b/libcontainer/capabilities/capabilities.go
@@ -54,6 +54,9 @@ func New(capConfig *configs.Capabilities) (*Caps, error) {
err error
c Caps
)
+ if capConfig == nil {
+ return &c, nil
+ }
unknownCaps := make(map[string]struct{})
c.caps = map[capability.CapType][]capability.Cap{
@@ -108,6 +111,9 @@ type Caps struct {
// ApplyBoundingSet sets the capability bounding set to those specified in the whitelist.
func (c *Caps) ApplyBoundingSet() error {
+ if c.pid == nil {
+ return nil
+ }
c.pid.Clear(capability.BOUNDING)
c.pid.Set(capability.BOUNDING, c.caps[capability.BOUNDING]...)
return c.pid.Apply(capability.BOUNDING)
@@ -115,6 +121,9 @@ func (c *Caps) ApplyBoundingSet() error {
// Apply sets all the capabilities for the current process in the config.
func (c *Caps) ApplyCaps() error {
+ if c.pid == nil {
+ return nil
+ }
c.pid.Clear(allCapabilityTypes)
for _, g := range capTypes {
c.pid.Set(g, c.caps[g]...)
--
2.33.0

8
runc.spec
View File

@ -3,7 +3,7 @@
Name: runc Name: runc
Version: 1.1.3 Version: 1.1.3
Release: 32 Release: 33
Summary: runc is a CLI tool for spawning and running containers according to the OCI specification. Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
License: ASL 2.0 License: ASL 2.0
@ -54,6 +54,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
%{_bindir}/runc %{_bindir}/runc
%changelog %changelog
* Wed Mar 26 2025 dongyuzhen <dongyuzhen@h-partners.com> - 1.1.3-33
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:allowing libct/cap to work with nil capabilities
* Mon Jan 06 2025 xulei <xulei@xfusion.com> - 1.1.3-32 * Mon Jan 06 2025 xulei <xulei@xfusion.com> - 1.1.3-32
- Type:bugfix - Type:bugfix
- CVE:NA - CVE:NA

1
series.conf
View File

@ -58,3 +58,4 @@ patch/0057-rootfs-consolidate-mountpoint-creation-logic.patch
patch/0058-rootfs-try-to-scope-MkdirAll-to-stay-inside-the-root.patch patch/0058-rootfs-try-to-scope-MkdirAll-to-stay-inside-the-root.patch
patch/0059-runc-fix-can-t-set-cpuset-cpus-and-cpuset-mems-at-th.patch patch/0059-runc-fix-can-t-set-cpuset-cpus-and-cpuset-mems-at-th.patch
patch/0060-runc-fix-failed-exec-after-systemctl-daemon-reload.patch patch/0060-runc-fix-failed-exec-after-systemctl-daemon-reload.patch
patch/0061-runc-libct-cap-allow-New-nil.patch