vendor opencontainers/runc 3abefdff18bc201199c5dfd0e91e941cb4c61376

Signed-off-by: Antonio Murdaca <runcom@redhat.com>

hack/vendor.sh

@@ -72,7 +72,7 @@ clone git github.com/golang/protobuf 3c84672111d91bb5ac31719e112f9f7126a0e26e
 clone git github.com/golang/glog 44145f04b68cf362d9c4df2182967c2275eaefed
 clone git github.com/gorilla/mux v1.1
 clone git github.com/imdario/mergo 6633656539c1639d9d78127b7d47c622b5d7b6dc
-clone git github.com/opencontainers/runc cc29e3dded8e27ba8f65738f40d251c885030a28
+clone git github.com/opencontainers/runc 3abefdff18bc201199c5dfd0e91e941cb4c61376
 clone git github.com/syndtr/gocapability 2c00daeb6c3b45114c80ac44119e7b8801fdd852
 clone git github.com/gogo/protobuf 43a2e0b1c32252bfbbdf81f7faa7a88fb3fa4028
 clone git github.com/gorilla/context v1.1

vendor/src/github.com/opencontainers/runc/libcontainer/label/label_selinux.go

@@ -33,15 +33,19 @@ func InitLabels(options []string) (string, string, error) {
 		pcon := selinux.NewContext(processLabel)
 		mcon := selinux.NewContext(mountLabel)
 		for _, opt := range options {
-			if opt == "disable" {
+			val := strings.SplitN(opt, "=", 2)
+			if val[0] != "label" {
+				continue
+			}
+			if len(val) < 2 {
+				return "", "", fmt.Errorf("bad label option %q, valid options 'disable' or \n'user, role, level, type' followed by ':' and a value", opt)
+			}
+			if val[1] == "disable" {
 				return "", "", nil
 			}
-			if i := strings.Index(opt, ":"); i == -1 {
+			con := strings.SplitN(val[1], ":", 2)
-				return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type' followed by ':' and a value", opt)
+			if len(con) < 2 || !validOptions[con[0]] {
-			}
+				return "", "", fmt.Errorf("bad label option %q, valid options 'disable, user, role, level, type'", con[0])
-			con := strings.SplitN(opt, ":", 2)
-			if !validOptions[con[0]] {
-				return "", "", fmt.Errorf("Bad label option %q, valid options 'disable, user, role, level, type'", con[0])
 
 			}
 			pcon[con[0]] = con[1]
@@ -129,7 +133,7 @@ func Relabel(path string, fileLabel string, shared bool) error {
 
 	exclude_paths := map[string]bool{"/": true, "/usr": true, "/etc": true}
 	if exclude_paths[path] {
-		return fmt.Errorf("Relabeling of %s is not allowed", path)
+		return fmt.Errorf("SELinux relabeling of %s is not allowed", path)
 	}
 
 	if shared {
@@ -137,7 +141,10 @@ func Relabel(path string, fileLabel string, shared bool) error {
 		c["level"] = "s0"
 		fileLabel = c.Get()
 	}
-	return selinux.Chcon(path, fileLabel, true)
+	if err := selinux.Chcon(path, fileLabel, true); err != nil {
+		return fmt.Errorf("SELinux relabeling of %s is not allowed: %q", path, err)
+	}
+	return nil
 }
 
 // GetPidLabel will return the label of the process running with the specified pid

vendor/src/github.com/opencontainers/runc/libcontainer/system/syscall_linux_386.go

@@ -8,7 +8,7 @@ import (
 
 // Setuid sets the uid of the calling thread to the specified uid.
 func Setuid(uid int) (err error) {
-	_, _, e1 := syscall.RawSyscall(syscall.SYS_SETUID, uintptr(uid), 0, 0)
+	_, _, e1 := syscall.RawSyscall(syscall.SYS_SETUID32, uintptr(uid), 0, 0)
 	if e1 != 0 {
 		err = e1
 	}

vendor/src/github.com/opencontainers/runc/libcontainer/system/sysconfig.go

@@ -4,28 +4,9 @@ package system
 
 /*
 #include <unistd.h>
-#include <limits.h>
-
-int GetLongBit() {
-#ifdef _SC_LONG_BIT
-    int longbits;
-
-    longbits = sysconf(_SC_LONG_BIT);
-    if (longbits <  0) {
-        longbits = (CHAR_BIT * sizeof(long));
-    }
-    return longbits;
-#else
-    return (CHAR_BIT * sizeof(long));
-#endif
-}
 */
 import "C"
 
 func GetClockTicks() int {
 	return int(C.sysconf(C._SC_CLK_TCK))
 }
-
-func GetLongBit() int {
-	return int(C.GetLongBit())
-}