From c718f15d47fd0b381bd1944907761bdf75fe4df5 Mon Sep 17 00:00:00 2001
From: Antonio Murdaca
Date: Mon, 12 Feb 2018 12:55:38 +0100
Subject: [PATCH] vendor: bump runtime-tools to fix caps drop handling

Signed-off-by: Antonio Murdaca
---
 vendor.conf | 2 +-
 .../opencontainers/runtime-tools/README.md | 12 +++++++++++
 .../runtime-tools/generate/generate.go | 20 +------------------
 .../runtime-tools/specerror/runtime.go | 12 +++++------
 .../runtime-tools/validate/validate.go | 20 ++++++++++++++++++-
 5 files changed, 39 insertions(+), 27 deletions(-)

diff --git a/vendor.conf b/vendor.conf
index 320a04be..68ce90d6 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -20,7 +20,7 @@ github.com/containernetworking/cni v0.4.0
 google.golang.org/grpc v1.0.4 https://github.com/grpc/grpc-go
 github.com/opencontainers/selinux b29023b86e4a69d1b46b7e7b4e2b6fda03f0b9cd
 github.com/opencontainers/go-digest v1.0.0-rc0
-github.com/opencontainers/runtime-tools 625e2322645b151a7cbb93a8b42920933e72167f
+github.com/opencontainers/runtime-tools 263fad0457d4a42d08aea3fb2bc4da7d2f8c3af7
 github.com/opencontainers/runc 9f9c96235cc97674e935002fc3d78361b696a69e
 github.com/mrunalp/fileutils master
 github.com/vishvananda/netlink master
diff --git a/vendor/github.com/opencontainers/runtime-tools/README.md b/vendor/github.com/opencontainers/runtime-tools/README.md
index 5f16436b..796d1ac7 100644
--- a/vendor/github.com/opencontainers/runtime-tools/README.md
+++ b/vendor/github.com/opencontainers/runtime-tools/README.md
@@ -37,17 +37,29 @@ If your distribution does not package node-tap, you can install [npm][] (for exa $ npm install tap ``` +Build the validation executables: + ```console $ make runtimetest validation-executables +``` + +Runtime validation currently [only supports](docs/runtime-compliance-testing.md) the [OCI Runtime Command Line Interface](doc/command-line-interface.md). +If we add support for alternative APIs in the future, runtime validation will gain an option to select the desired runtime API. +For the command line interface, the `RUNTIME` option selects the runtime command (`funC` in the [OCI Runtime Command Line Interface](doc/command-line-interface.md)). + +``` +$ sudo make RUNTIME=runc localvalidation RUNTIME=runc tap validation/linux_rootfs_propagation_shared.t validation/create.t validation/default.t validation/linux_readonly_paths.t validation/linux_masked_paths.t validation/mounts.t validation/process.t validation/root_readonly_false.t validation/linux_sysctl.t validation/linux_devices.t validation/linux_gid_mappings.t validation/process_oom_score_adj.t validation/process_capabilities.t validation/process_rlimits.t validation/root_readonly_true.t validation/linux_rootfs_propagation_unbindable.t validation/hostname.t validation/linux_uid_mappings.t validation/linux_rootfs_propagation_shared.t ........ 18/19 not ok rootfs propagation + error: 'rootfs should be shared, but not' validation/create.t ................................... 4/4 validation/default.t ................................ 19/19 validation/linux_readonly_paths.t ................... 19/19 validation/linux_masked_paths.t ..................... 18/19 not ok masked paths + error: /masktest should not be readable validation/mounts.t ................................... 0/1 Skipped: 1 diff --git a/vendor/github.com/opencontainers/runtime-tools/generate/generate.go b/vendor/github.com/opencontainers/runtime-tools/generate/generate.go index d2951b52..05234001 100644 
--- a/vendor/github.com/opencontainers/runtime-tools/generate/generate.go
+++ b/vendor/github.com/opencontainers/runtime-tools/generate/generate.go
@@ -914,12 +914,6 @@ func (g *Generator) ClearPreStartHooks() {
 // AddPreStartHook add a prestart hook into g.spec.Hooks.Prestart.
 func (g *Generator) AddPreStartHook(preStartHook rspec.Hook) error {
 	g.initSpecHooks()
-	for i, hook := range g.spec.Hooks.Prestart {
-		if hook.Path == preStartHook.Path {
-			g.spec.Hooks.Prestart[i] = preStartHook
-			return nil
-		}
-	}
 	g.spec.Hooks.Prestart = append(g.spec.Hooks.Prestart, preStartHook)
 	return nil
 }
@@ -935,12 +929,6 @@ func (g *Generator) ClearPostStopHooks() {
 // AddPostStopHook adds a poststop hook into g.spec.Hooks.Poststop.
 func (g *Generator) AddPostStopHook(postStopHook rspec.Hook) error {
 	g.initSpecHooks()
-	for i, hook := range g.spec.Hooks.Poststop {
-		if hook.Path == postStopHook.Path {
-			g.spec.Hooks.Poststop[i] = postStopHook
-			return nil
-		}
-	}
 	g.spec.Hooks.Poststop = append(g.spec.Hooks.Poststop, postStopHook)
 	return nil
 }
@@ -956,12 +944,6 @@ func (g *Generator) ClearPostStartHooks() {
 // AddPostStartHook adds a poststart hook into g.spec.Hooks.Poststart.
 func (g *Generator) AddPostStartHook(postStartHook rspec.Hook) error {
 	g.initSpecHooks()
-	for i, hook := range g.spec.Hooks.Poststart {
-		if hook.Path == postStartHook.Path {
-			g.spec.Hooks.Poststart[i] = postStartHook
-			return nil
-		}
-	}
 	g.spec.Hooks.Poststart = append(g.spec.Hooks.Poststart, postStartHook)
 	return nil
 }
@@ -1225,7 +1207,7 @@ func (g *Generator) DropProcessCapabilityPermitted(c string) error {
 	cp := strings.ToUpper(c)
 	for i, cap := range g.spec.Process.Capabilities.Permitted {
 		if strings.ToUpper(cap) == cp {
-			g.spec.Process.Capabilities.Ambient = removeFunc(g.spec.Process.Capabilities.Ambient, i)
+			g.spec.Process.Capabilities.Permitted = removeFunc(g.spec.Process.Capabilities.Permitted, i)
 		}
 	}
 
diff --git a/vendor/github.com/opencontainers/runtime-tools/specerror/runtime.go b/vendor/github.com/opencontainers/runtime-tools/specerror/runtime.go
index 0144f669..383aea63 100644
--- a/vendor/github.com/opencontainers/runtime-tools/specerror/runtime.go
+++ b/vendor/github.com/opencontainers/runtime-tools/specerror/runtime.go
@@ -68,10 +68,10 @@ const (
 	PropApplyFailNotCreate
 	// StartWithoutIDGenError represents "`start` operation MUST generate an error if it is not provided the container ID."
 	StartWithoutIDGenError
-	// StartNonCreateHaveNoEffect represents "Attempting to `start` a container that is not `created` MUST have no effect on the container."
-	StartNonCreateHaveNoEffect
-	// StartNonCreateGenError represents "Attempting to `start` a container that is not `created` MUST generate an error."
-	StartNonCreateGenError
+	// StartNotCreatedHaveNoEffect represents "Attempting to `start` a container that is not `created` MUST have no effect on the container."
+	StartNotCreatedHaveNoEffect
+	// StartNotCreatedGenError represents "Attempting to `start` a container that is not `created` MUST generate an error."
+	StartNotCreatedGenError
 	// StartProcImplement represents "`start` operation MUST run the user-specified program as specified by `process`."
 	StartProcImplement
 	// StartWithProcUnsetGenError represents "`start` operation MUST generate an error if `process` was not set."
@@ -163,8 +163,8 @@ func init() {
 	register(PropApplyFailGenError, rfc2119.Must, createRef)
 	register(PropApplyFailNotCreate, rfc2119.Must, createRef)
 	register(StartWithoutIDGenError, rfc2119.Must, startRef)
-	register(StartNonCreateHaveNoEffect, rfc2119.Must, startRef)
-	register(StartNonCreateGenError, rfc2119.Must, startRef)
+	register(StartNotCreatedHaveNoEffect, rfc2119.Must, startRef)
+	register(StartNotCreatedGenError, rfc2119.Must, startRef)
 	register(StartProcImplement, rfc2119.Must, startRef)
 	register(StartWithProcUnsetGenError, rfc2119.Must, startRef)
 	register(KillWithoutIDGenError, rfc2119.Must, killRef)
diff --git a/vendor/github.com/opencontainers/runtime-tools/validate/validate.go b/vendor/github.com/opencontainers/runtime-tools/validate/validate.go
index 1030099d..1f4d96ce 100644
--- a/vendor/github.com/opencontainers/runtime-tools/validate/validate.go
+++ b/vendor/github.com/opencontainers/runtime-tools/validate/validate.go
@@ -142,6 +142,8 @@ func JSONSchemaURL(version string) (url string, err error) {
 // runtime-spec JSON Schema, using the version of the schema that
 // matches the configuration's declared version.
 func (v *Validator) CheckJSONSchema() (errs error) {
+	logrus.Debugf("check JSON schema")
+
 	url, err := JSONSchemaURL(v.spec.Version)
 	if err != nil {
 		errs = multierror.Append(errs, err)
@@ -733,7 +735,7 @@ func (v *Validator) CheckLinux() (errs error) {
 		}
 
 		if _, exists := devTypeList[devID]; exists {
-			logrus.Warnf("type:%s, major:%d and minor:%d for linux devices is duplicated", device.Type, device.Major, device.Minor)
+			logrus.Warnf("%v", specerror.NewError(specerror.DevicesErrorOnDup, fmt.Errorf("type:%s, major:%d and minor:%d for linux devices is duplicated", device.Type, device.Major, device.Minor), rspec.Version))
 		} else {
 			devTypeList[devID] = true
 		}
@@ -817,6 +819,18 @@ func (v *Validator) CheckLinuxResources() (errs error) {
 		}
 	}
 
+	if r.BlockIO != nil && r.BlockIO.WeightDevice != nil {
+		for i, weightDevice := range r.BlockIO.WeightDevice {
+			if weightDevice.Weight == nil && weightDevice.LeafWeight == nil {
+				errs = multierror.Append(errs,
+					specerror.NewError(
+						specerror.BlkIOWeightOrLeafWeightExist,
+						fmt.Errorf("linux.resources.blockIO.weightDevice[%d] specifies neither weight nor leafWeight", i),
+						rspec.Version))
+			}
+		}
+	}
+
 	return
 }
 
@@ -990,5 +1004,9 @@ func checkMandatory(obj interface{}) (errs error) {
 func (v *Validator) CheckMandatoryFields() error {
 	logrus.Debugf("check mandatory fields")
 
+	if v.spec == nil {
+		return fmt.Errorf("Spec can't be nil")
+	}
+
 	return checkMandatory(v.spec)
 }