Bug#924208: marked as done (unblock: runc/1.0.0~rc6+dfsg1-3)

To: Jonathan Wiltshire <jmw@debian.org>
Subject: Bug#924208: marked as done (unblock: runc/1.0.0~rc6+dfsg1-3)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Sat, 23 Mar 2019 16:45:03 +0000
Message-id: <[🔎] handler.924208.D924208.15533592226973.ackdone@bugs.debian.org>
Reply-to: 924208@bugs.debian.org
References: <20190323164017.GA3168@powdarrmonkey.net> <[🔎] 20190310102347.GA26660@debian>

Your message dated Sat, 23 Mar 2019 16:40:17 +0000
with message-id <20190323164017.GA3168@powdarrmonkey.net>
and subject line Re: Bug#924208: unblock: runc/1.0.0~rc6+dfsg1-3
has caused the Debian Bug report #924208,
regarding unblock: runc/1.0.0~rc6+dfsg1-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
924208: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924208
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unblock: runc/1.0.0~rc6+dfsg1-3
From: Shengjing Zhu <zhsj@debian.org>
Date: Sun, 10 Mar 2019 18:23:47 +0800
Message-id: <[🔎] 20190310102347.GA26660@debian>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package runc

-3 will be uploaded to unstable after ack, it

* Improve the patch for CVE-2019-5736. After the CVE published, there are
  more commits in upstream applied, and are nice to have for buster.
* Add version info to build flags, this fixes #909644

debdiff is in attachment, and can be viewed on salsa,
https://salsa.debian.org/go-team/packages/runc/compare/debian%2F1.0.0_rc6+dfsg1-2...master

unblock runc/1.0.0~rc6+dfsg1-3

diff -Nru runc-1.0.0~rc6+dfsg1/debian/changelog runc-1.0.0~rc6+dfsg1/debian/changelog
--- runc-1.0.0~rc6+dfsg1/debian/changelog	2019-02-12 23:45:09.000000000 +0800
+++ runc-1.0.0~rc6+dfsg1/debian/changelog	2019-03-10 17:51:44.000000000 +0800
@@ -1,3 +1,29 @@
+runc (1.0.0~rc6+dfsg1-3) unstable; urgency=medium
+
+  * Team upload.
+
+  [ Shengjing Zhu ]
+  * Improve patch for CVE-2019-5736 based on upstream commits.
+    Now the patch includes following commits:
+    + 2d4a37b nsenter: cloned_binary: userspace copy fallback if sendfile fails
+    + 16612d7 nsenter: cloned_binary: try to ro-bind /proc/self/exe before
+              copying
+    + af9da0a nsenter: cloned_binary: use the runc statedir for O_TMPFILE
+    + 2429d59 nsenter: cloned_binary: expand and add pre-3.11 fallbacks
+    + 5b775bf nsenter: cloned_binary: detect and handle short copies
+    + bb7d8b1 nsexec (CVE-2019-5736): avoid parsing environ
+    + 0a8e411 nsenter: clone /proc/self/exe to avoid exposing host binary to
+              container
+
+  [ Arnaud Rebillout ]
+  * Add version and gitcommit to the ldflags (Closes: #909644)
+    Note that we fill the git commit with something that is NOT a git commit
+    at all, instead we use it as a placeholder for the debian version. The
+    debian version is a relevant information for the user, and it's nice to
+    be able to show it, some way or another.
+
+ -- Shengjing Zhu <zhsj@debian.org>  Sun, 10 Mar 2019 17:51:44 +0800
+
 runc (1.0.0~rc6+dfsg1-2) unstable; urgency=medium
 
   * Team upload.
diff -Nru runc-1.0.0~rc6+dfsg1/debian/patches/CVE-2019-5736.patch runc-1.0.0~rc6+dfsg1/debian/patches/CVE-2019-5736.patch
--- runc-1.0.0~rc6+dfsg1/debian/patches/CVE-2019-5736.patch	2019-02-12 23:45:09.000000000 +0800
+++ runc-1.0.0~rc6+dfsg1/debian/patches/CVE-2019-5736.patch	2019-03-10 17:51:44.000000000 +0800
@@ -1,33 +1,31 @@
-Author: Aleksa Sarai <asarai@suse.de>
-Origin: https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b
-Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922050
-Subject: nsenter: clone /proc/self/exe to avoid exposing host binary to container
-    
-    There are quite a few circumstances where /proc/self/exe pointing to a
-    pretty important container binary is a _bad_ thing, so to avoid this we
-    have to make a copy (preferably doing self-clean-up and not being
-    writeable).
-    
-    We require memfd_create(2) -- though there is an O_TMPFILE fallback --
-    but we can always extend this to use a scratch MNT_DETACH overlayfs or
-    tmpfs. The main downside to this approach is no page-cache sharing for
-    the runc binary (which overlayfs would give us) but this is far less
-    complicated.
-    
-    This is only done during nsenter so that it happens transparently to the
-    Go code, and any libcontainer users benefit from it. This also makes
-    ExtraFiles and --preserve-fds handling trivial (because we don't need to
-    worry about it).
-    
-    Fixes: CVE-2019-5736
-    Co-developed-by: Christian Brauner <christian.brauner@ubuntu.com>
-    Signed-off-by: Aleksa Sarai <asarai@suse.de>
+From: Shengjing Zhu <zhsj@debian.org>
+Date: Sun, 10 Mar 2019 17:47:46 +0800
+Subject: CVE-2019-5736
 
-Index: runc-1.0.0~rc6+dfsg1/libcontainer/nsenter/cloned_binary.c
-===================================================================
+Backport upstream patches for CVE-2019-5736
+
+Include commits:
+2d4a37b427167907ef2402586a8e8e2931a22490 nsenter: cloned_binary: userspace copy fallback if sendfile fails
+16612d74de5f84977e50a9c8ead7f0e9e13b8628 nsenter: cloned_binary: try to ro-bind /proc/self/exe before copying
+af9da0a45082783f6005b252488943b5ee2e2138 nsenter: cloned_binary: use the runc statedir for O_TMPFILE
+2429d59352b81f6b9cc79b5ed26780c5fe6ba4ec nsenter: cloned_binary: expand and add pre-3.11 fallbacks
+5b775bf297c47a6bc50e36da89d1ec74a6fa01dc nsenter: cloned_binary: detect and handle short copies
+bb7d8b1f41f7bf0399204d54009d6da57c3cc775 nsexec (CVE-2019-5736): avoid parsing environ
+0a8e4117e7f715d5fbeef398405813ce8e88558b nsenter: clone /proc/self/exe to avoid exposing host binary to container
+
+Debian-Bug: https://bugs.debian.org/922050
+---
+ libcontainer/nsenter/cloned_binary.c | 516 +++++++++++++++++++++++++++++++++++
+ libcontainer/nsenter/nsexec.c        |  11 +
+ 2 files changed, 527 insertions(+)
+ create mode 100644 libcontainer/nsenter/cloned_binary.c
+
+diff --git a/libcontainer/nsenter/cloned_binary.c b/libcontainer/nsenter/cloned_binary.c
+new file mode 100644
+index 0000000..b410e29
 --- /dev/null
-+++ runc-1.0.0~rc6+dfsg1/libcontainer/nsenter/cloned_binary.c
-@@ -0,0 +1,268 @@
++++ b/libcontainer/nsenter/cloned_binary.c
+@@ -0,0 +1,516 @@
 +/*
 + * Copyright (C) 2019 Aleksa Sarai <cyphar@cyphar.com>
 + * Copyright (C) 2019 SUSE LLC
@@ -57,8 +55,10 @@
 +
 +#include <sys/types.h>
 +#include <sys/stat.h>
++#include <sys/statfs.h>
 +#include <sys/vfs.h>
 +#include <sys/mman.h>
++#include <sys/mount.h>
 +#include <sys/sendfile.h>
 +#include <sys/syscall.h>
 +
@@ -66,18 +66,21 @@
 +#if !defined(SYS_memfd_create) && defined(__NR_memfd_create)
 +#  define SYS_memfd_create __NR_memfd_create
 +#endif
-+#ifdef SYS_memfd_create
-+#  define HAVE_MEMFD_CREATE
 +/* memfd_create(2) flags -- copied from <linux/memfd.h>. */
-+#  ifndef MFD_CLOEXEC
-+#    define MFD_CLOEXEC       0x0001U
-+#    define MFD_ALLOW_SEALING 0x0002U
-+#  endif
++#ifndef MFD_CLOEXEC
++#  define MFD_CLOEXEC       0x0001U
++#  define MFD_ALLOW_SEALING 0x0002U
++#endif
 +int memfd_create(const char *name, unsigned int flags)
 +{
++#ifdef SYS_memfd_create
 +	return syscall(SYS_memfd_create, name, flags);
-+}
++#else
++	errno = ENOSYS;
++	return -1;
 +#endif
++}
++
 +
 +/* This comes directly from <linux/fcntl.h>. */
 +#ifndef F_LINUX_SPECIFIC_BASE
@@ -94,12 +97,10 @@
 +#  define F_SEAL_WRITE  0x0008	/* prevent writes */
 +#endif
 +
-+#define RUNC_SENDFILE_MAX 0x7FFFF000 /* sendfile(2) is limited to 2GB. */
-+#ifdef HAVE_MEMFD_CREATE
-+#  define RUNC_MEMFD_COMMENT "runc_cloned:/proc/self/exe"
-+#  define RUNC_MEMFD_SEALS \
++#define CLONED_BINARY_ENV "_LIBCONTAINER_CLONED_BINARY"
++#define RUNC_MEMFD_COMMENT "runc_cloned:/proc/self/exe"
++#define RUNC_MEMFD_SEALS \
 +	(F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)
-+#endif
 +
 +static void *must_realloc(void *ptr, size_t size)
 +{
@@ -118,28 +119,61 @@
 +static int is_self_cloned(void)
 +{
 +	int fd, ret, is_cloned = 0;
++	struct stat statbuf = {};
++	struct statfs fsbuf = {};
 +
 +	fd = open("/proc/self/exe", O_RDONLY|O_CLOEXEC);
 +	if (fd < 0)
 +		return -ENOTRECOVERABLE;
 +
-+#ifdef HAVE_MEMFD_CREATE
++	/*
++	 * Is the binary a fully-sealed memfd? We don't need CLONED_BINARY_ENV for
++	 * this, because you cannot write to a sealed memfd no matter what (so
++	 * sharing it isn't a bad thing -- and an admin could bind-mount a sealed
++	 * memfd to /usr/bin/runc to allow re-use).
++	 */
 +	ret = fcntl(fd, F_GET_SEALS);
-+	is_cloned = (ret == RUNC_MEMFD_SEALS);
-+#else
-+	struct stat statbuf = {0};
-+	ret = fstat(fd, &statbuf);
-+	if (ret >= 0)
-+		is_cloned = (statbuf.st_nlink == 0);
-+#endif
++	if (ret >= 0) {
++		is_cloned = (ret == RUNC_MEMFD_SEALS);
++		goto out;
++	}
++
++	/*
++	 * All other forms require CLONED_BINARY_ENV, since they are potentially
++	 * writeable (or we can't tell if they're fully safe) and thus we must
++	 * check the environment as an extra layer of defence.
++	 */
++	if (!getenv(CLONED_BINARY_ENV)) {
++		is_cloned = false;
++		goto out;
++	}
++
++	/*
++	 * Is the binary on a read-only filesystem? We can't detect bind-mounts in
++	 * particular (in-kernel they are identical to regular mounts) but we can
++	 * at least be sure that it's read-only. In addition, to make sure that
++	 * it's *our* bind-mount we check CLONED_BINARY_ENV.
++	 */
++	if (fstatfs(fd, &fsbuf) >= 0)
++		is_cloned |= (fsbuf.f_flags & MS_RDONLY);
++
++	/*
++	 * Okay, we're a tmpfile -- or we're currently running on RHEL <=7.6
++	 * which appears to have a borked backport of F_GET_SEALS. Either way,
++	 * having a file which has no hardlinks indicates that we aren't using
++	 * a host-side "runc" binary and this is something that a container
++	 * cannot fake (because unlinking requires being able to resolve the
++	 * path that you want to unlink).
++	 */
++	if (fstat(fd, &statbuf) >= 0)
++		is_cloned |= (statbuf.st_nlink == 0);
++
++out:
 +	close(fd);
 +	return is_cloned;
 +}
 +
-+/*
-+ * Basic wrapper around mmap(2) that gives you the file length so you can
-+ * safely treat it as an ordinary buffer. Only gives you read access.
-+ */
++/* Read a given file into a new buffer, and providing the length. */
 +static char *read_file(char *path, size_t *length)
 +{
 +	int fd;
@@ -154,7 +188,7 @@
 +
 +	*length = 0;
 +	for (;;) {
-+		int n;
++		ssize_t n;
 +
 +		n = read(fd, buf, sizeof(buf));
 +		if (n < 0)
@@ -199,107 +233,319 @@
 +}
 +
 +/*
-+ * "Parse" out argv and envp from /proc/self/cmdline and /proc/self/environ.
++ * "Parse" out argv from /proc/self/cmdline.
 + * This is necessary because we are running in a context where we don't have a
 + * main() that we can just get the arguments from.
 + */
-+static int fetchve(char ***argv, char ***envp)
++static int fetchve(char ***argv)
 +{
-+	char *cmdline = NULL, *environ = NULL;
-+	size_t cmdline_size, environ_size;
++	char *cmdline = NULL;
++	size_t cmdline_size;
 +
 +	cmdline = read_file("/proc/self/cmdline", &cmdline_size);
 +	if (!cmdline)
 +		goto error;
-+	environ = read_file("/proc/self/environ", &environ_size);
-+	if (!environ)
-+		goto error;
 +
 +	if (parse_xargs(cmdline, cmdline_size, argv) <= 0)
 +		goto error;
-+	if (parse_xargs(environ, environ_size, envp) <= 0)
-+		goto error;
 +
 +	return 0;
 +
 +error:
-+	free(environ);
 +	free(cmdline);
 +	return -EINVAL;
 +}
 +
-+static int clone_binary(void)
-+{
-+	int binfd, memfd;
-+	ssize_t sent = 0;
++enum {
++	EFD_NONE = 0,
++	EFD_MEMFD,
++	EFD_FILE,
++};
 +
-+#ifdef HAVE_MEMFD_CREATE
-+	memfd = memfd_create(RUNC_MEMFD_COMMENT, MFD_CLOEXEC | MFD_ALLOW_SEALING);
-+#else
-+	memfd = open("/tmp", O_TMPFILE | O_EXCL | O_RDWR | O_CLOEXEC, 0711);
++/*
++ * This comes from <linux/fcntl.h>. We can't hard-code __O_TMPFILE because it
++ * changes depending on the architecture. If we don't have O_TMPFILE we always
++ * have the mkostemp(3) fallback.
++ */
++#ifndef O_TMPFILE
++#  if defined(__O_TMPFILE) && defined(O_DIRECTORY)
++#    define O_TMPFILE (__O_TMPFILE | O_DIRECTORY)
++#  endif
 +#endif
-+	if (memfd < 0)
++
++static int make_execfd(int *fdtype)
++{
++	int fd = -1;
++	char template[PATH_MAX] = {0};
++	char *prefix = secure_getenv("_LIBCONTAINER_STATEDIR");
++
++	if (!prefix || *prefix != '/')
++		prefix = "/tmp";
++	if (snprintf(template, sizeof(template), "%s/runc.XXXXXX", prefix) < 0)
++		return -1;
++
++	/*
++	 * Now try memfd, it's much nicer than actually creating a file in STATEDIR
++	 * since it's easily detected thanks to sealing and also doesn't require
++	 * assumptions about STATEDIR.
++	 */
++	*fdtype = EFD_MEMFD;
++	fd = memfd_create(RUNC_MEMFD_COMMENT, MFD_CLOEXEC | MFD_ALLOW_SEALING);
++	if (fd >= 0)
++		return fd;
++	if (errno != ENOSYS && errno != EINVAL)
++		goto error;
++
++#ifdef O_TMPFILE
++	/*
++	 * Try O_TMPFILE to avoid races where someone might snatch our file. Note
++	 * that O_EXCL isn't actually a security measure here (since you can just
++	 * fd re-open it and clear O_EXCL).
++	 */
++	*fdtype = EFD_FILE;
++	fd = open(prefix, O_TMPFILE | O_EXCL | O_RDWR | O_CLOEXEC, 0700);
++	if (fd >= 0) {
++		struct stat statbuf = {};
++		bool working_otmpfile = false;
++
++		/*
++		 * open(2) ignores unknown O_* flags -- yeah, I was surprised when I
++		 * found this out too. As a result we can't check for EINVAL. However,
++		 * if we get nlink != 0 (or EISDIR) then we know that this kernel
++		 * doesn't support O_TMPFILE.
++		 */
++		if (fstat(fd, &statbuf) >= 0)
++			working_otmpfile = (statbuf.st_nlink == 0);
++
++		if (working_otmpfile)
++			return fd;
++
++		/* Pretend that we got EISDIR since O_TMPFILE failed. */
++		close(fd);
++		errno = EISDIR;
++	}
++	if (errno != EISDIR)
++		goto error;
++#endif /* defined(O_TMPFILE) */
++
++	/*
++	 * Our final option is to create a temporary file the old-school way, and
++	 * then unlink it so that nothing else sees it by accident.
++	 */
++	*fdtype = EFD_FILE;
++	fd = mkostemp(template, O_CLOEXEC);
++	if (fd >= 0) {
++		if (unlink(template) >= 0)
++			return fd;
++		close(fd);
++	}
++
++error:
++	*fdtype = EFD_NONE;
++	return -1;
++}
++
++static int seal_execfd(int *fd, int fdtype)
++{
++	switch (fdtype) {
++	case EFD_MEMFD:
++		return fcntl(*fd, F_ADD_SEALS, RUNC_MEMFD_SEALS);
++	case EFD_FILE: {
++		/* Need to re-open our pseudo-memfd as an O_PATH to avoid execve(2) giving -ETXTBSY. */
++		int newfd;
++		char fdpath[PATH_MAX] = {0};
++
++		if (fchmod(*fd, 0100) < 0)
++			return -1;
++
++		if (snprintf(fdpath, sizeof(fdpath), "/proc/self/fd/%d", *fd) < 0)
++			return -1;
++
++		newfd = open(fdpath, O_PATH | O_CLOEXEC);
++		if (newfd < 0)
++			return -1;
++
++		close(*fd);
++		*fd = newfd;
++		return 0;
++	}
++	default:
++	   break;
++	}
++	return -1;
++}
++
++static int try_bindfd(void)
++{
++	int fd, ret = -1;
++	char template[PATH_MAX] = {0};
++	char *prefix = secure_getenv("_LIBCONTAINER_STATEDIR");
++
++	if (!prefix || *prefix != '/')
++		prefix = "/tmp";
++	if (snprintf(template, sizeof(template), "%s/runc.XXXXXX", prefix) < 0)
++		return ret;
++
++	/*
++	 * We need somewhere to mount it, mounting anything over /proc/self is a
++	 * BAD idea on the host -- even if we do it temporarily.
++	 */
++	fd = mkstemp(template);
++	if (fd < 0)
++		return ret;
++	close(fd);
++
++	/*
++	 * For obvious reasons this won't work in rootless mode because we haven't
++	 * created a userns+mntns -- but getting that to work will be a bit
++	 * complicated and it's only worth doing if someone actually needs it.
++	 */
++	ret = -EPERM;
++	if (mount("/proc/self/exe", template, "", MS_BIND, "") < 0)
++		goto out;
++	if (mount("", template, "", MS_REMOUNT | MS_BIND | MS_RDONLY, "") < 0)
++		goto out_umount;
++
++
++	/* Get read-only handle that we're sure can't be made read-write. */
++	ret = open(template, O_PATH | O_CLOEXEC);
++
++out_umount:
++	/*
++	 * Make sure the MNT_DETACH works, otherwise we could get remounted
++	 * read-write and that would be quite bad (the fd would be made read-write
++	 * too, invalidating the protection).
++	 */
++	if (umount2(template, MNT_DETACH) < 0) {
++		if (ret >= 0)
++			close(ret);
++		ret = -ENOTRECOVERABLE;
++	}
++
++out:
++	/*
++	 * We don't care about unlink errors, the worst that happens is that
++	 * there's an empty file left around in STATEDIR.
++	 */
++	unlink(template);
++	return ret;
++}
++
++static ssize_t fd_to_fd(int outfd, int infd)
++{
++	ssize_t total = 0;
++	char buffer[4096];
++
++	for (;;) {
++		ssize_t nread, nwritten = 0;
++
++		nread = read(infd, buffer, sizeof(buffer));
++		if (nread < 0)
++			return -1;
++		if (!nread)
++			break;
++
++		do {
++			ssize_t n = write(outfd, buffer + nwritten, nread - nwritten);
++			if (n < 0)
++				return -1;
++			nwritten += n;
++		} while(nwritten < nread);
++
++		total += nwritten;
++	}
++
++	return total;
++}
++
++static int clone_binary(void)
++{
++	int binfd, execfd;
++	struct stat statbuf = {};
++	size_t sent = 0;
++	int fdtype = EFD_NONE;
++
++	/*
++	 * Before we resort to copying, let's try creating an ro-binfd in one shot
++	 * by getting a handle for a read-only bind-mount of the execfd.
++	 */
++	execfd = try_bindfd();
++	if (execfd >= 0)
++		return execfd;
++
++	/*
++	 * Dammit, that didn't work -- time to copy the binary to a safe place we
++	 * can seal the contents.
++	 */
++	execfd = make_execfd(&fdtype);
++	if (execfd < 0 || fdtype == EFD_NONE)
 +		return -ENOTRECOVERABLE;
 +
 +	binfd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
 +	if (binfd < 0)
 +		goto error;
 +
-+	sent = sendfile(memfd, binfd, NULL, RUNC_SENDFILE_MAX);
-+	close(binfd);
-+	if (sent < 0)
-+		goto error;
++	if (fstat(binfd, &statbuf) < 0)
++		goto error_binfd;
 +
-+#ifdef HAVE_MEMFD_CREATE
-+	int err = fcntl(memfd, F_ADD_SEALS, RUNC_MEMFD_SEALS);
-+	if (err < 0)
++	while (sent < statbuf.st_size) {
++		int n = sendfile(execfd, binfd, NULL, statbuf.st_size - sent);
++		if (n < 0) {
++			/* sendfile can fail so we fallback to a dumb user-space copy. */
++			n = fd_to_fd(execfd, binfd);
++			if (n < 0)
++				goto error_binfd;
++		}
++		sent += n;
++	}
++	close(binfd);
++	if (sent != statbuf.st_size)
 +		goto error;
-+#else
-+	/* Need to re-open "memfd" as read-only to avoid execve(2) giving -EXTBUSY. */
-+	int newfd;
-+	char *fdpath = NULL;
 +
-+	if (asprintf(&fdpath, "/proc/self/fd/%d", memfd) < 0)
-+		goto error;
-+	newfd = open(fdpath, O_RDONLY | O_CLOEXEC);
-+	free(fdpath);
-+	if (newfd < 0)
++	if (seal_execfd(&execfd, fdtype) < 0)
 +		goto error;
 +
-+	close(memfd);
-+	memfd = newfd;
-+#endif
-+	return memfd;
++	return execfd;
 +
++error_binfd:
++	close(binfd);
 +error:
-+	close(memfd);
++	close(execfd);
 +	return -EIO;
 +}
 +
++/* Get cheap access to the environment. */
++extern char **environ;
++
 +int ensure_cloned_binary(void)
 +{
 +	int execfd;
-+	char **argv = NULL, **envp = NULL;
++	char **argv = NULL;
 +
 +	/* Check that we're not self-cloned, and if we are then bail. */
 +	int cloned = is_self_cloned();
 +	if (cloned > 0 || cloned == -ENOTRECOVERABLE)
 +		return cloned;
 +
-+	if (fetchve(&argv, &envp) < 0)
++	if (fetchve(&argv) < 0)
 +		return -EINVAL;
 +
 +	execfd = clone_binary();
 +	if (execfd < 0)
 +		return -EIO;
 +
-+	fexecve(execfd, argv, envp);
++	if (putenv(CLONED_BINARY_ENV "=1"))
++		goto error;
++
++	fexecve(execfd, argv, environ);
++error:
++	close(execfd);
 +	return -ENOEXEC;
 +}
-Index: runc-1.0.0~rc6+dfsg1/libcontainer/nsenter/nsexec.c
-===================================================================
---- runc-1.0.0~rc6+dfsg1.orig/libcontainer/nsenter/nsexec.c
-+++ runc-1.0.0~rc6+dfsg1/libcontainer/nsenter/nsexec.c
+diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
+index 28269df..7750af3 100644
+--- a/libcontainer/nsenter/nsexec.c
++++ b/libcontainer/nsenter/nsexec.c
 @@ -534,6 +534,9 @@ void join_namespaces(char *nslist)
  	free(namespaces);
  }
diff -Nru runc-1.0.0~rc6+dfsg1/debian/rules runc-1.0.0~rc6+dfsg1/debian/rules
--- runc-1.0.0~rc6+dfsg1/debian/rules	2019-02-12 23:45:09.000000000 +0800
+++ runc-1.0.0~rc6+dfsg1/debian/rules	2019-03-10 17:51:44.000000000 +0800
@@ -5,7 +5,11 @@
 
 export DH_GOPKG := github.com/opencontainers/runc
 export DH_GOLANG_INSTALL_EXTRA := libcontainer/seccomp/fixtures
+
+include /usr/share/dpkg/pkg-info.mk
+
 TAGS=apparmor seccomp selinux ambient
+LDFLAGS := -X main.version=$(DEB_VERSION_UPSTREAM) -X main.gitCommit=$(DEB_VERSION)
 
 %:
 	dh $@ --buildsystem=golang --with=golang --builddirectory=_build
@@ -33,7 +37,7 @@
 #	ln -svrf vendor/github.com/opencontainers/specs  _build/src/github.com/opencontainers/
 
 override_dh_auto_build:
-	dh_auto_build -- -tags "$(TAGS)"
+	dh_auto_build -- -tags "$(TAGS)" -ldflags "$(LDFLAGS)"
 
 override_dh_auto_test:
 	DH_GOLANG_EXCLUDES="libcontainer/integration" \

Attachment: signature.asc
Description: PGP signature

--- End Message ---

--- Begin Message ---

To: Shengjing Zhu <zhsj@debian.org>, 924208-done@bugs.debian.org

Subject: Re: Bug#924208: unblock: runc/1.0.0~rc6+dfsg1-3

From: Jonathan Wiltshire <jmw@debian.org>

Date: Sat, 23 Mar 2019 16:40:17 +0000

Message-id: <20190323164017.GA3168@powdarrmonkey.net>

In-reply-to: <[🔎] CAFyCLW85NTZaSsa7uQ+hyk_MD4b+ERz3Fj+tg_nvZOpBn1H81A@mail.gmail.com>

References: <[🔎] 20190310102347.GA26660@debian> <[🔎] 20190317171212.GA9924@powdarrmonkey.net> <[🔎] 20190310102347.GA26660@debian> <[🔎] CAFyCLW85NTZaSsa7uQ+hyk_MD4b+ERz3Fj+tg_nvZOpBn1H81A@mail.gmail.com>
On Tue, Mar 19, 2019 at 01:29:09AM +0800, Shengjing Zhu wrote:
> runc/1.0.0~rc6+dfsg1-3 is in unstable now.
> 
> Please unblock runc/1.0.0~rc6+dfsg1-3

Unblocked; thanks.

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
--- End Message ---

Reply to:

References:
- Bug#924208: unblock: runc/1.0.0~rc6+dfsg1-3
  - From: Shengjing Zhu <zhsj@debian.org>

Prev by Date: Processed: Re: Bug#924938: unblock: healpix-java/3.40-1
Next by Date: Bug#924112: marked as done (RM: node-xterm/2.7.0+ds1-1)
Previous by thread: Processed: Re: Bug#924208: unblock: runc/1.0.0~rc6+dfsg1-3
Next by thread: Bug#923323: python-pykmip 0.5.0-4+deb9u1 flagged for acceptance
Index(es):
- Date
- Thread