
docker-1.9.1-1.2.mga5.src.rpm

Based on this patch which doesn't apply cleanly: 

From 50a19c6ff828c58e5dab13830bd3dacde268afe5 Mon Sep 17 00:00:00 2001
From: Michael Crosby <crosbymichael@gmail.com>
Date: Wed, 7 Dec 2016 15:05:51 -0800
Subject: [PATCH] Set init processes as non-dumpable

This sets the init processes that join and setup the container's
namespaces as non-dumpable before they setns to the container's pid (or
any other ) namespace.

This settings is automatically reset to the default after the Exec in
the container so that it does not change functionality for the
applications that are running inside, just our init processes.

This prevents parent processes, such as the pid 1 of the container, from ptracing
the init process before it drops capabilities and applies the other LSM settings.

This patch also ensures that the stateDirFD being used is still closed
prior to exec, even though it is set as O_CLOEXEC, because of the order
in the kernel.

https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318

The order during the exec syscall is that the process is set back to
dumpable before O_CLOEXEC are processed.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
---

diff -ruN docker-1.9.1.orig/vendor/src/github.com/opencontainers/runc/libcontainer/nsenter/nsexec.c docker-1.9.1/vendor/src/github.com/opencontainers/runc/libcontainer/nsenter/nsexec.c
--- docker-1.9.1.orig/vendor/src/github.com/opencontainers/runc/libcontainer/nsenter/nsexec.c	2015-11-20 13:40:30.000000000 +0100
+++ docker-1.9.1/vendor/src/github.com/opencontainers/runc/libcontainer/nsenter/nsexec.c	2017-06-06 16:11:44.673517875 +0200
@@ -16,6 +16,7 @@
 #include <setjmp.h>
 #include <sched.h>
 #include <signal.h>
+#include <sys/prctl.h>
 
 /* All arguments should be above stack, because it grows down */
 struct clone_arg {
@@ -73,6 +73,12 @@
 	pid_t pid;
 	char *console;
 
+	/*  make the process non-dumpable */
+	if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) {
+		pr_perror("failed to set process as non-dumpable");
+		exit(1);
+	}
+
 	val = getenv("_LIBCONTAINER_INITPID");
 	if (val == NULL)
 		return;
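Review bot: The prctl(PR_SET_DUMPABLE, 0) block is placed before the `_LIBCONTAINER_INITPID` check, which returns early when the variable is unset, so the flag is applied to every process that enters this function rather than only to the container init processes the commit message describes; the body of nsexec begins outside the hunk, so how it is invoked is not visible here. If it runs as a library constructor, the ordinary docker processes would also lose core dumps and become non-attachable to an unprivileged debugger, a behaviour change the patch does not mention. Moving the block to just after `if (val == NULL) return;` confines the hardening to the init path the fix targets. The comment could also say why, e.g. `/* Non-dumpable so the container's pid 1 cannot ptrace us before caps are dropped; the kernel resets this on the final exec. */`.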
diff -ruN docker-1.9.1.orig/vendor/src/github.com/opencontainers/runc/libcontainer/setns_init_linux.go docker-1.9.1/vendor/src/github.com/opencontainers/runc/libcontainer/setns_init_linux.go
--- docker-1.9.1.orig/vendor/src/github.com/opencontainers/runc/libcontainer/setns_init_linux.go	2015-11-20 13:40:30.000000000 +0100
+++ docker-1.9.1/vendor/src/github.com/opencontainers/runc/libcontainer/setns_init_linux.go	2017-06-06 16:14:54.070983646 +0200
@@ -4,6 +4,7 @@
 
 import (
 	"os"
+	"syscall"
 
 	"github.com/opencontainers/runc/libcontainer/apparmor"
 	"github.com/opencontainers/runc/libcontainer/label"
@@ -15,6 +16,7 @@
 // inside an existing container.
 type linuxSetnsInit struct {
 	config *initConfig
+	stateDirFD int
 }
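Review bot: The new `stateDirFD` field is undocumented and nothing in this diff assigns it; the code that constructs linuxSetnsInit is not among the patched files, so unless it is populated elsewhere in the vendored tree the field keeps its zero value and the close in Init acts on fd 0. A one-line comment would make the contract explicit: `// stateDirFD is the fd of the container state directory; Init closes it explicitly before exec.` The hunk is also not gofmt-clean: with the longer name added, gofmt pads the existing field to `config     *initConfig`. The struct is complete within the hunk.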
 
 func (l *linuxSetnsInit) Init() error {
@@ -40,5 +42,8 @@
 			return err
 		}
 	}
+	// close the statedir fd before exec because the kernel resets dumpable in the wrong order
+	// https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
+	syscall.Close(l.stateDirFD)
 	return system.Execv(l.config.Args[0], l.config.Args[0:], os.Environ())
 }
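Review bot: The result of `syscall.Close(l.stateDirFD)` is discarded, while every other failure in Init is returned to the caller (the `return err` a few lines above). A silent EBADF here would hide a never-populated or already-closed field, which is exactly the condition under which the explicit close this comment relies on cannot be trusted. Suggest `if err := syscall.Close(l.stateDirFD); err != nil { return err }` so the exec is not attempted after a failed close. The start of Init is outside the hunk.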
diff -ruN docker-1.9.1.orig/vendor/src/github.com/opencontainers/runc/libcontainer/standard_init_linux.go docker-1.9.1/vendor/src/github.com/opencontainers/runc/libcontainer/standard_init_linux.go
--- docker-1.9.1.orig/vendor/src/github.com/opencontainers/runc/libcontainer/standard_init_linux.go	2015-11-20 13:40:30.000000000 +0100
+++ docker-1.9.1/vendor/src/github.com/opencontainers/runc/libcontainer/standard_init_linux.go	2017-06-06 16:29:17.889409171 +0200
@@ -16,6 +16,7 @@
 type linuxStandardInit struct {
 	parentPid int
 	config    *initConfig
+	stateDirFD int
 }
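Review bot: The field block is no longer gofmt-aligned after `stateDirFD int` is inserted (gofmt would pad `parentPid` and `config` to the new width), and the field itself carries no comment. Suggest `// stateDirFD is the fd of the container state directory, closed explicitly in Init before exec.` No hunk in this diff assigns the field for linuxStandardInit either; if the vendored factory is not updated separately it stays at 0, and the close in Init then targets the process's stdin. The struct is complete within the hunk.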
 
 func (l *linuxStandardInit) Init() error {
@@ -109,5 +110,8 @@
 	if syscall.Getppid() != l.parentPid {
 		return syscall.Kill(syscall.Getpid(), syscall.SIGKILL)
 	}
+	// close the statedir fd before exec because the kernel resets dumpable in the wrong order
+	// https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
+	syscall.Close(l.stateDirFD)
 	return system.Execv(l.config.Args[0], l.config.Args[0:], os.Environ())
 }
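Review bot: `syscall.Close(l.stateDirFD)` runs with whatever value the field holds, and no hunk in this diff sets it for linuxStandardInit; if the vendored code that builds this struct is not patched alongside, the zero value turns this into `Close(0)`, closing the container process's stdin immediately before exec. The close result is also ignored, unlike the other errors Init returns. Suggest `if err := syscall.Close(l.stateDirFD); err != nil { return err }` and confirming that the constructor of linuxStandardInit actually passes the state-directory fd. Init begins outside the hunk.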