test: Bump up runc to 9f9c96235cc97674e935002fc3d78361b696a69e

This brings in a fix for a cgroups setup race condition that we hit sometimes in the tests. Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2018-01-19 13:37:10 -08:00 · 2018-01-19 13:37:10 -08:00 · 970b8d61a7
commit 970b8d61a7
parent 77561e95cf
89 changed files with 3197 additions and 970 deletions
--- a/vendor/github.com/opencontainers/runc/libcontainer/setns_init_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/setns_init_linux.go
@ -47,7 +47,10 @@ func (l *linuxSetnsInit) Init() error {
 			return err
 		}
 	}
-	if l.config.Config.Seccomp != nil {
+	// Without NoNewPrivileges seccomp is a privileged operation, so we need to
+	// do this before dropping capabilities; otherwise do it as late as possible
+	// just before execve so as few syscalls take place after it as possible.
+	if l.config.Config.Seccomp != nil && !l.config.NoNewPrivileges {
 		if err := seccomp.InitSeccomp(l.config.Config.Seccomp); err != nil {
 			return err
 		}
@ -61,5 +64,13 @@ func (l *linuxSetnsInit) Init() error {
 	if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil {
 		return err
 	}
+	// Set seccomp as close to execve as possible, so as few syscalls take
+	// place afterward (reducing the amount of syscalls that users need to
+	// enable in their seccomp profiles).
+	if l.config.Config.Seccomp != nil && l.config.NoNewPrivileges {
+		if err := seccomp.InitSeccomp(l.config.Config.Seccomp); err != nil {
+			return newSystemErrorWithCause(err, "init seccomp")
+		}
+	}
 	return system.Execv(l.config.Args[0], l.config.Args[0:], os.Environ())
 }