From 51a618f9c12119c924d83df79c0144eeb0fa8303 Mon Sep 17 00:00:00 2001
From: Antonio Murdaca
Date: Fri, 12 May 2017 19:52:47 +0200
Subject: [PATCH] vendor: bump oci/runtime-tools to fix caps drop

Signed-off-by: Antonio Murdaca
---
 lock.json | 6 ++-
 .../cmd/oci-runtime-tool/generate.go | 5 +++
 .../completions/bash/oci-runtime-tool | 1 +
 .../runtime-tools/generate/generate.go | 8 +---
 .../man/oci-runtime-tool-generate.1.md | 3 ++
 .../runtime-tools/validate/validate.go | 37 +++++-------------
 6 files changed, 24 insertions(+), 36 deletions(-)

diff --git a/lock.json b/lock.json
index 24320778..1cb8fb87 100644
--- a/lock.json
+++ b/lock.json
@@ -1,5 +1,5 @@
 {
-    "memo": "348395ad5cf0e6c04bd9b6bd3265db1c2c3c0d2f42710bf3f0cc64e58f1aa269",
+    "memo": "3487610714d3936576aec97198a3843b7304fd35737e5c10b984698069d64447",
     "projects": [
         {
             "name": "cloud.google.com/go",
@@ -523,6 +523,8 @@
             "revision": "b263a43430ac6996a4302b891688544225197294",
             "packages": [
                 "libcontainer/apparmor",
+                "libcontainer/configs",
+                "libcontainer/devices",
                 "libcontainer/system",
                 "libcontainer/user"
             ]
@@ -538,7 +540,7 @@
         {
             "name": "github.com/opencontainers/runtime-tools",
             "branch": "master",
-            "revision": "18a122b45a71765b09c6a451008a63687040b74a",
+            "revision": "69b94fd47d1fe49ddb416dde90f0507259622a11",
             "packages": [
                 "generate",
                 "generate/seccomp",
diff --git a/vendor/github.com/opencontainers/runtime-tools/cmd/oci-runtime-tool/generate.go b/vendor/github.com/opencontainers/runtime-tools/cmd/oci-runtime-tool/generate.go
index e8aeaec8..2488b903 100644
--- a/vendor/github.com/opencontainers/runtime-tools/cmd/oci-runtime-tool/generate.go
+++ b/vendor/github.com/opencontainers/runtime-tools/cmd/oci-runtime-tool/generate.go
@@ -24,6 +24,7 @@ var generateFlags = []cli.Flag{
 	cli.StringSliceFlag{Name: "bind", Usage: "bind mount directories src:dest[:options...]"},
 	cli.StringSliceFlag{Name: "cap-add", Usage: "add Linux capabilities"},
 	cli.StringSliceFlag{Name: "cap-drop", Usage: "drop Linux capabilities"},
+	cli.BoolFlag{Name: "cap-drop-all", Usage: "drop all Linux capabilities"},
 	cli.StringFlag{Name: "cgroups-path", Usage: "specify the path to the cgroups"},
 	cli.StringFlag{Name: "cwd", Value: "/", Usage: "current working directory for the process"},
 	cli.StringSliceFlag{Name: "device-add", Usage: "add a device which must be made available in the container"},
@@ -279,6 +280,10 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 		}
 	}
 
+	if context.Bool("cap-drop-all") {
+		g.ClearProcessCapabilities()
+	}
+
 	var uidMaps, gidMaps []string
 	if context.IsSet("uidmappings") {
diff --git a/vendor/github.com/opencontainers/runtime-tools/completions/bash/oci-runtime-tool b/vendor/github.com/opencontainers/runtime-tools/completions/bash/oci-runtime-tool
index 08195346..0b0cbca9 100644
--- a/vendor/github.com/opencontainers/runtime-tools/completions/bash/oci-runtime-tool
+++ b/vendor/github.com/opencontainers/runtime-tools/completions/bash/oci-runtime-tool
@@ -368,6 +368,7 @@ _oci-runtime-tool_generate() {
 	"
 
 	local boolean_options="
+		--cap-drop-all
 		--device-remove-all
 		--disable-oom-kill
 		--help -h
diff --git a/vendor/github.com/opencontainers/runtime-tools/generate/generate.go b/vendor/github.com/opencontainers/runtime-tools/generate/generate.go
index 737cd9e0..5ca0e315 100644
--- a/vendor/github.com/opencontainers/runtime-tools/generate/generate.go
+++ b/vendor/github.com/opencontainers/runtime-tools/generate/generate.go
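Review bot: The new `cap-drop-all` block in setupSpec sits after the two closing braces of the preceding loops, so if those loops are the `cap-add`/`cap-drop` handling, `--cap-drop-all --cap-add CAP_X` ends with an empty capability set rather than exactly CAP_X, which is what a drop-all flag is normally expected to yield. Either move `if context.Bool("cap-drop-all") { g.ClearProcessCapabilities() }` ahead of the cap-add processing, or make the precedence explicit in the flag definition, e.g. `Usage: "drop all Linux capabilities (overrides --cap-add)"`. setupSpec starts and ends outside the hunk, so the position of the cap-add loop is inferred from the surrounding braces, not visible here.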
@@ -912,35 +912,30 @@ func (g *Generator) DropProcessCapability(c string) error {
 	for i, cap := range g.spec.Process.Capabilities.Bounding {
 		if strings.ToUpper(cap) == cp {
 			g.spec.Process.Capabilities.Bounding = append(g.spec.Process.Capabilities.Bounding[:i], g.spec.Process.Capabilities.Bounding[i+1:]...)
-			return nil
 		}
 	}
 
 	for i, cap := range g.spec.Process.Capabilities.Effective {
 		if strings.ToUpper(cap) == cp {
 			g.spec.Process.Capabilities.Effective = append(g.spec.Process.Capabilities.Effective[:i], g.spec.Process.Capabilities.Effective[i+1:]...)
-			return nil
 		}
 	}
 
 	for i, cap := range g.spec.Process.Capabilities.Inheritable {
 		if strings.ToUpper(cap) == cp {
 			g.spec.Process.Capabilities.Inheritable = append(g.spec.Process.Capabilities.Inheritable[:i], g.spec.Process.Capabilities.Inheritable[i+1:]...)
-			return nil
 		}
 	}
 
 	for i, cap := range g.spec.Process.Capabilities.Permitted {
 		if strings.ToUpper(cap) == cp {
 			g.spec.Process.Capabilities.Permitted = append(g.spec.Process.Capabilities.Permitted[:i], g.spec.Process.Capabilities.Permitted[i+1:]...)
-			return nil
 		}
 	}
 
 	for i, cap := range g.spec.Process.Capabilities.Ambient {
 		if strings.ToUpper(cap) == cp {
 			g.spec.Process.Capabilities.Ambient = append(g.spec.Process.Capabilities.Ambient[:i], g.spec.Process.Capabilities.Ambient[i+1:]...)
-			return nil
 		}
 	}
 
@@ -1031,7 +1026,7 @@ func (g *Generator) AddDevice(device rspec.LinuxDevice) {
 	g.spec.Linux.Devices = append(g.spec.Linux.Devices, device)
 }
 
-//RemoveDevice remove a device from g.spec.Linux.Devices
+// RemoveDevice remove a device from g.spec.Linux.Devices
 func (g *Generator) RemoveDevice(path string) error {
 	if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Devices == nil {
 		return nil
@@ -1046,6 +1041,7 @@ func (g *Generator) RemoveDevice(path string) error {
 	return nil
 }
 
+// ClearLinuxDevices clears g.spec.Linux.Devices
 func (g *Generator) ClearLinuxDevices() {
 	if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Devices == nil {
 		return
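Review bot: Dropping the `return nil` lines makes each loop in DropProcessCapability keep iterating over a slice it has just shortened with `append(s[:i], s[i+1:]...)`: `range` fixed the length at loop start, so after a match the element that shifted into position i is skipped, and if the set holds the same capability twice the later `s[i+1:]` slice can index past the new length and panic rather than drop the duplicate. Now that the intent is to remove the capability from all five sets, filter each set without mutating it mid-iteration, for example with a small package-level helper applied to Bounding, Effective, Inheritable, Permitted and Ambient in turn, which also removes every duplicate in one pass. The rest of DropProcessCapability, including where `cp` is computed, lies outside the hunk.
```go
// removeCap returns caps with every entry equal to cp (after strings.ToUpper,
// as the original loops compare) removed. It filters into a fresh view of the
// same backing array, so it never indexes a slice that shrinks mid-iteration.
func removeCap(caps []string, cp string) []string {
	kept := caps[:0]
	for _, c := range caps {
		if strings.ToUpper(c) != cp {
			kept = append(kept, c)
		}
	}
	return kept
}

// … in DropProcessCapability, replacing the five for-loops of the hunk …
	g.spec.Process.Capabilities.Bounding = removeCap(g.spec.Process.Capabilities.Bounding, cp)
	g.spec.Process.Capabilities.Effective = removeCap(g.spec.Process.Capabilities.Effective, cp)
	g.spec.Process.Capabilities.Inheritable = removeCap(g.spec.Process.Capabilities.Inheritable, cp)
	g.spec.Process.Capabilities.Permitted = removeCap(g.spec.Process.Capabilities.Permitted, cp)
	g.spec.Process.Capabilities.Ambient = removeCap(g.spec.Process.Capabilities.Ambient, cp)
```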
diff --git a/vendor/github.com/opencontainers/runtime-tools/man/oci-runtime-tool-generate.1.md b/vendor/github.com/opencontainers/runtime-tools/man/oci-runtime-tool-generate.1.md
index 32bdcffa..e497ad4c 100644
--- a/vendor/github.com/opencontainers/runtime-tools/man/oci-runtime-tool-generate.1.md
+++ b/vendor/github.com/opencontainers/runtime-tools/man/oci-runtime-tool-generate.1.md
@@ -45,6 +45,9 @@ read the configuration from `config.json`.
 **--cap-drop**=[]
   Drop Linux capabilities
 
+**--cap-drop-all**true|false
+  Drop all Linux capabilities
+
 **--cgroups-path**=""
   Specifies the path to the cgroups relative to the cgroups mount point.
 
diff --git a/vendor/github.com/opencontainers/runtime-tools/validate/validate.go b/vendor/github.com/opencontainers/runtime-tools/validate/validate.go
index 95172e9a..41eb5e3d 100644
--- a/vendor/github.com/opencontainers/runtime-tools/validate/validate.go
+++ b/vendor/github.com/opencontainers/runtime-tools/validate/validate.go
@@ -40,22 +40,6 @@ var (
 		"RLIMIT_SIGPENDING",
 		"RLIMIT_STACK",
 	}
-	defaultCaps = []string{
-		"CAP_CHOWN",
-		"CAP_DAC_OVERRIDE",
-		"CAP_FSETID",
-		"CAP_FOWNER",
-		"CAP_MKNOD",
-		"CAP_NET_RAW",
-		"CAP_SETGID",
-		"CAP_SETUID",
-		"CAP_SETFCAP",
-		"CAP_SETPCAP",
-		"CAP_NET_BIND_SERVICE",
-		"CAP_SYS_CHROOT",
-		"CAP_KILL",
-		"CAP_AUDIT_WRITE",
-	}
 )
 
 // Validator represents a validator for runtime bundle
@@ -174,7 +158,7 @@ func (v *Validator) CheckPlatform() (msgs []string) {
 		"darwin": {"386", "amd64", "arm", "arm64"},
 		"dragonfly": {"amd64"},
 		"freebsd": {"386", "amd64", "arm"},
-		"linux": {"386", "amd64", "arm", "arm64", "ppc64", "ppc64le", "mips64", "mips64le", "s390x"},
+		"linux": {"386", "amd64", "arm", "arm64", "mips", "mipsle", "mips64", "mips64le", "ppc64", "ppc64le", "s390x"},
 		"netbsd": {"386", "amd64", "arm"},
 		"openbsd": {"386", "amd64", "arm"},
 		"plan9": {"386", "amd64"},
@@ -275,7 +259,7 @@ func (v *Validator) CheckProcess() (msgs []string) {
 		}
 	}
 
-	msgs = append(msgs, v.CheckCapablities()...)
+	msgs = append(msgs, v.CheckCapabilities()...)
 	msgs = append(msgs, v.CheckRlimits()...)
 
 	if v.spec.Platform.OS == "linux" {
@@ -292,7 +276,8 @@ func (v *Validator) CheckProcess() (msgs []string) {
 	return
 }
 
-func (v *Validator) CheckCapablities() (msgs []string) {
+// CheckCapabilities checks v.spec.Process.Capabilities
+func (v *Validator) CheckCapabilities() (msgs []string) {
 	process := v.spec.Process
 	if v.spec.Platform.OS == "linux" {
 		var caps []string
@@ -325,6 +310,7 @@ func (v *Validator) CheckCapablities() (msgs []string) {
 	return
 }
 
+// CheckRlimits checks v.spec.Process.Rlimits
 func (v *Validator) CheckRlimits() (msgs []string) {
 	process := v.spec.Process
 	for index, rlimit := range process.Rlimits {
@@ -525,13 +511,13 @@ func (v *Validator) CheckLinux() (msgs []string) {
 
 	for _, maskedPath := range v.spec.Linux.MaskedPaths {
 		if !strings.HasPrefix(maskedPath, "/") {
-			msgs = append(msgs, "maskedPath %v is not an absolute path", maskedPath)
+			msgs = append(msgs, fmt.Sprintf("maskedPath %v is not an absolute path", maskedPath))
 		}
 	}
 
 	for _, readonlyPath := range v.spec.Linux.ReadonlyPaths {
 		if !strings.HasPrefix(readonlyPath, "/") {
-			msgs = append(msgs, "readonlyPath %v is not an absolute path", readonlyPath)
+			msgs = append(msgs, fmt.Sprintf("readonlyPath %v is not an absolute path", readonlyPath))
 		}
 	}
 
@@ -700,13 +686,8 @@ func namespaceValid(ns rspec.LinuxNamespace) bool {
 
 func deviceValid(d rspec.LinuxDevice) bool {
 	switch d.Type {
-	case "b":
-	case "c":
-	case "u":
-		if d.Major <= 0 {
-			return false
-		}
-		if d.Minor <= 0 {
+	case "b", "c", "u":
+		if d.Major <= 0 || d.Minor <= 0 {
 			return false
 		}
 	case "p":
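Review bot: The merged check in deviceValid now rejects `d.Minor <= 0` for block, character and unbuffered devices, but minor 0 is a legitimate device number (/dev/tty is 5:0, /dev/tty0 is 4:0), so the validator will flag valid bundle configs. Before this change the `b` and `c` cases were empty and Go does not fall through, so those types were never checked; the new condition is therefore a tightening, not a restoration, and it should say what it means to catch. If the aim is to reject uninitialized or negative numbers, `if d.Major < 0 || d.Minor < 0 {` is the safer condition; if 0 is deliberately rejected, a comment above the case should explain why.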