vendor: bump runc to f000fe11
This commit is contained in:
Seth Jennings
22
vendor/github.com/opencontainers/runc/libcontainer/setns_init_linux.go
generated
vendored
22
vendor/github.com/opencontainers/runc/libcontainer/setns_init_linux.go
generated
vendored
@@ -5,12 +5,14 @@ package libcontainer
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
"runtime"
|
||||
|
||||
"github.com/opencontainers/runc/libcontainer/apparmor"
|
||||
"github.com/opencontainers/runc/libcontainer/keys"
|
||||
"github.com/opencontainers/runc/libcontainer/seccomp"
|
||||
"github.com/opencontainers/runc/libcontainer/system"
|
||||
"github.com/opencontainers/selinux/go-selinux/label"
|
||||
"github.com/pkg/errors"
|
||||
|
||||
"golang.org/x/sys/unix"
|
||||
)
|
||||
@@ -28,10 +30,19 @@ func (l *linuxSetnsInit) getSessionRingName() string {
|
||||
}
|
||||
|
||||
func (l *linuxSetnsInit) Init() error {
|
||||
runtime.LockOSThread()
|
||||
defer runtime.UnlockOSThread()
|
||||
|
||||
if !l.config.Config.NoNewKeyring {
|
||||
// do not inherit the parent's session keyring
|
||||
// Do not inherit the parent's session keyring.
|
||||
if _, err := keys.JoinSessionKeyring(l.getSessionRingName()); err != nil {
|
||||
return err
|
||||
// Same justification as in standart_init_linux.go as to why we
|
||||
// don't bail on ENOSYS.
|
||||
//
|
||||
// TODO(cyphar): And we should have logging here too.
|
||||
if errors.Cause(err) != unix.ENOSYS {
|
||||
return errors.Wrap(err, "join session keyring")
|
||||
}
|
||||
}
|
||||
}
|
||||
if l.config.CreateConsole {
|
||||
@@ -47,6 +58,10 @@ func (l *linuxSetnsInit) Init() error {
|
||||
return err
|
||||
}
|
||||
}
|
||||
if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil {
|
||||
return err
|
||||
}
|
||||
defer label.SetProcessLabel("")
|
||||
// Without NoNewPrivileges seccomp is a privileged operation, so we need to
|
||||
// do this before dropping capabilities; otherwise do it as late as possible
|
||||
// just before execve so as few syscalls take place after it as possible.
|
||||
@@ -61,9 +76,6 @@ func (l *linuxSetnsInit) Init() error {
|
||||
if err := apparmor.ApplyProfile(l.config.AppArmorProfile); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil {
|
||||
return err
|
||||
}
|
||||
// Set seccomp as close to execve as possible, so as few syscalls take
|
||||
// place afterward (reducing the amount of syscalls that users need to
|
||||
// enable in their seccomp profiles).
|
||||
|
||||
Reference in New Issue
Block a user