diff --git a/hack/vendor.sh b/hack/vendor.sh index f1c778e6..a5ac78cd 100755 --- a/hack/vendor.sh +++ b/hack/vendor.sh @@ -72,7 +72,7 @@ clone git github.com/golang/protobuf 3c84672111d91bb5ac31719e112f9f7126a0e26e clone git github.com/golang/glog 44145f04b68cf362d9c4df2182967c2275eaefed clone git github.com/gorilla/mux v1.1 clone git github.com/imdario/mergo 6633656539c1639d9d78127b7d47c622b5d7b6dc -clone git github.com/opencontainers/runc cc29e3dded8e27ba8f65738f40d251c885030a28 +clone git github.com/opencontainers/runc 3abefdff18bc201199c5dfd0e91e941cb4c61376 clone git github.com/syndtr/gocapability 2c00daeb6c3b45114c80ac44119e7b8801fdd852 clone git github.com/gogo/protobuf 43a2e0b1c32252bfbbdf81f7faa7a88fb3fa4028 clone git github.com/gorilla/context v1.1 diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/label/label_selinux.go b/vendor/src/github.com/opencontainers/runc/libcontainer/label/label_selinux.go index 4493bda7..41944832 100644 --- a/vendor/src/github.com/opencontainers/runc/libcontainer/label/label_selinux.go +++ b/vendor/src/github.com/opencontainers/runc/libcontainer/label/label_selinux.go @@ -33,15 +33,19 @@ func InitLabels(options []string) (string, string, error) { pcon := selinux.NewContext(processLabel) mcon := selinux.NewContext(mountLabel) for _, opt := range options { - if opt == "disable" { + val := strings.SplitN(opt, "=", 2) + if val[0] != "label" { + continue + } + if len(val) < 2 { + return "", "", fmt.Errorf("bad label option %q, valid options 'disable' or \n'user, role, level, type' followed by ':' and a value", opt) + } + if val[1] == "disable" { return "", "", nil } - if i := strings.Index(opt, ":"); i == -1 { - return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type' followed by ':' and a value", opt) - } - con := strings.SplitN(opt, ":", 2) - if !validOptions[con[0]] { - return "", "", fmt.Errorf("Bad label option %q, valid options 'disable, user, role, level, type'", con[0]) + con := strings.SplitN(val[1], ":", 2) + if len(con) < 2 || !validOptions[con[0]] { + return "", "", fmt.Errorf("bad label option %q, valid options 'disable, user, role, level, type'", con[0]) } pcon[con[0]] = con[1] @@ -129,7 +133,7 @@ func Relabel(path string, fileLabel string, shared bool) error { exclude_paths := map[string]bool{"/": true, "/usr": true, "/etc": true} if exclude_paths[path] { - return fmt.Errorf("Relabeling of %s is not allowed", path) + return fmt.Errorf("SELinux relabeling of %s is not allowed", path) } if shared { @@ -137,7 +141,10 @@ func Relabel(path string, fileLabel string, shared bool) error { c["level"] = "s0" fileLabel = c.Get() } - return selinux.Chcon(path, fileLabel, true) + if err := selinux.Chcon(path, fileLabel, true); err != nil { + return fmt.Errorf("SELinux relabeling of %s is not allowed: %q", path, err) + } + return nil } // GetPidLabel will return the label of the process running with the specified pid diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/system/syscall_linux_386.go b/vendor/src/github.com/opencontainers/runc/libcontainer/system/syscall_linux_386.go index c9900651..bb44d895 100644 --- a/vendor/src/github.com/opencontainers/runc/libcontainer/system/syscall_linux_386.go +++ b/vendor/src/github.com/opencontainers/runc/libcontainer/system/syscall_linux_386.go @@ -8,7 +8,7 @@ import ( // Setuid sets the uid of the calling thread to the specified uid. func Setuid(uid int) (err error) { - _, _, e1 := syscall.RawSyscall(syscall.SYS_SETUID, uintptr(uid), 0, 0) + _, _, e1 := syscall.RawSyscall(syscall.SYS_SETUID32, uintptr(uid), 0, 0) if e1 != 0 { err = e1 } diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/system/sysconfig.go b/vendor/src/github.com/opencontainers/runc/libcontainer/system/sysconfig.go index 4fba6c2b..b3a07cba 100644 --- a/vendor/src/github.com/opencontainers/runc/libcontainer/system/sysconfig.go +++ b/vendor/src/github.com/opencontainers/runc/libcontainer/system/sysconfig.go @@ -4,28 +4,9 @@ package system /* #include -#include - -int GetLongBit() { -#ifdef _SC_LONG_BIT - int longbits; - - longbits = sysconf(_SC_LONG_BIT); - if (longbits < 0) { - longbits = (CHAR_BIT * sizeof(long)); - } - return longbits; -#else - return (CHAR_BIT * sizeof(long)); -#endif -} */ import "C" func GetClockTicks() int { return int(C.sysconf(C._SC_CLK_TCK)) } - -func GetLongBit() int { - return int(C.GetLongBit()) -}