From 4a341841c58e236167b227f6758ccdcc89ed2dca Mon Sep 17 00:00:00 2001
From: Michael Crosby
Date: Wed, 4 May 2016 11:36:07 -0700
Subject: [PATCH] Update runc to 89c3c97a8482f3a57cd4bb683df1a7b2c61405d8

Fixes #211

Signed-off-by: Michael Crosby
---
 hack/vendor.sh | 2 +-
 .../opencontainers/runc/libcontainer/cgroups/utils.go | 2 +-
 .../opencontainers/runc/libcontainer/rootfs_linux.go | 3 +++
 .../runc/libcontainer/selinux/selinux.go | 10 +++++-----
 .../runc/libcontainer/standard_init_linux.go | 10 +++++++++-
 5 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/hack/vendor.sh b/hack/vendor.sh
index bb074e1..08932a8 100755
--- a/hack/vendor.sh
+++ b/hack/vendor.sh
@@ -14,7 +14,7 @@ clone git github.com/docker/go-units 5d2041e26a699eaca682e2ea41c8f891e1060444
 clone git github.com/godbus/dbus e2cf28118e66a6a63db46cf6088a35d2054d3bb0
 clone git github.com/golang/glog 23def4e6c14b4da8ac2ed8007337bc5eb5007998
 clone git github.com/golang/protobuf 8d92cf5fc15a4382f8964b08e1f42a75c0591aa3
-clone git github.com/opencontainers/runc 9c89737e6e117a8be5a4980bc9795fe1a2b1028e
+clone git github.com/opencontainers/runc 89c3c97a8482f3a57cd4bb683df1a7b2c61405d8
 clone git github.com/opencontainers/runtime-spec f955d90e70a98ddfb886bd930ffd076da9b67998
 clone git github.com/rcrowley/go-metrics eeba7bd0dd01ace6e690fa833b3f22aaec29af43
 clone git github.com/satori/go.uuid f9ab0dce87d815821e221626b772e3475a0d2749
diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/utils.go b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/utils.go
index 7c3dba0..491faf2 100644
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/utils.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/utils.go
@@ -18,7 +18,7 @@ import (
 const cgroupNamePrefix = "name="
-// https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt
+// https://www.kernel.org/doc/Documentation/cgroup-v1/cgroups.txt
 func FindCgroupMountpoint(subsystem string) (string, error) {
 	// We are not using mount.GetMounts() because it's super-inefficient,
 	// parsing it directly sped up x10 times because of not using Sscanf.
diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/rootfs_linux.go b/vendor/src/github.com/opencontainers/runc/libcontainer/rootfs_linux.go
index fe1db75..4ff01c0 100644
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/rootfs_linux.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/rootfs_linux.go
@@ -69,6 +69,9 @@ func setupRootfs(config *configs.Config, console *linuxConsole, pipe io.ReadWrit
 		if err := setupDevSymlinks(config.Rootfs); err != nil {
 			return newSystemErrorWithCause(err, "setting up /dev symlinks")
 		}
+		if err := label.Relabel(filepath.Join(config.Rootfs, "dev"), config.MountLabel, false); err != nil {
+			return err
+		}
 	}
 	// Signal the parent to run the pre-start hooks.
 	// The hooks are run after the mounts are setup, but before we switch to the new
diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/selinux/selinux.go b/vendor/src/github.com/opencontainers/runc/libcontainer/selinux/selinux.go
index a6cf7f2..2a18e2a 100644
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/selinux/selinux.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/selinux/selinux.go
@@ -486,14 +486,14 @@ func DupSecOpt(src string) []string {
 		con["level"] == "" {
 		return nil
 	}
-	return []string{"label:user:" + con["user"],
-		"label:role:" + con["role"],
-		"label:type:" + con["type"],
-		"label:level:" + con["level"]}
+	return []string{"label=user:" + con["user"],
+		"label=role:" + con["role"],
+		"label=type:" + con["type"],
+		"label=level:" + con["level"]}
 }
 
 // DisableSecOpt returns a security opt that can be used to disabling SELinux
 // labeling support for future container processes
 func DisableSecOpt() []string {
-	return []string{"label:disable"}
+	return []string{"label=disable"}
 }
diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/standard_init_linux.go b/vendor/src/github.com/opencontainers/runc/libcontainer/standard_init_linux.go
index 59bd370..5809b4d 100644
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/standard_init_linux.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/standard_init_linux.go
@@ -123,7 +123,10 @@ func (l *linuxStandardInit) Init() error {
 	if err := syncParentReady(l.pipe); err != nil {
 		return err
 	}
-	if l.config.Config.Seccomp != nil {
+	// Without NoNewPrivileges seccomp is a privileged operation, so we need to
+	// do this before dropping capabilities; otherwise do it as late as possible
+	// just before execve so as few syscalls take place after it as possible.
+	if l.config.Config.Seccomp != nil && !l.config.NoNewPrivileges {
 		if err := seccomp.InitSeccomp(l.config.Config.Seccomp); err != nil {
 			return err
 		}
@@ -142,6 +145,11 @@ func (l *linuxStandardInit) Init() error {
 	if syscall.Getppid() != l.parentPid {
 		return syscall.Kill(syscall.Getpid(), syscall.SIGKILL)
 	}
+	if l.config.Config.Seccomp != nil && l.config.NoNewPrivileges {
+		if err := seccomp.InitSeccomp(l.config.Config.Seccomp); err != nil {
+			return err
+		}
+	}
 	return system.Execv(l.config.Args[0], l.config.Args[0:], os.Environ())
 }