forked from pool/docker
91c98f7c10
- remove docker_remove_jornald....patch because we use dyngccgo instead of dynbinary - replace gcc-go-bulid-static-libgo.patch by gcc-go-patches which patches dyngccgo instead of dynbinary - add fix-ppc64le.patch to fix ppc64le build - fix_bnc_958255.patch: fix Docker creates strange apparmor profile (bnc#958255) - use_fs_cgroups_by_default.patch: Use fs cgroups by default:419fd7449f
- fix_cgroup.parent_path_sanitisation.patch: fix cgroup.Parent path sanitisation:bf899fef45
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=51
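diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/apply_raw.go b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/apply_raw.go
index a0a93a4..da31d06 100644
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/apply_raw.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/apply_raw.go
@@ -216,12 +216,39 @@ func (m *Manager) GetPids() ([]int, error) {
 return cgroups.GetPids(dir)
 }
 
+// pathClean makes a path safe for use with filepath.Join. This is done by not
+// only cleaning the path, but also (if the path is relative) adding a leading
+// '/' and cleaning it (then removing the leading '/'). This ensures that a
+// path resulting from prepending another path will always resolve to lexically
+// be a subdirectory of the prefixed path. This is all done lexically, so paths
+// that include symlinks won't be safe as a result of using pathClean.
+func pathClean(path string) string {
+ // Ensure that all paths are cleaned (especially problematic ones like
+ // "/../../../../../" which can cause lots of issues).
+ path = filepath.Clean(path)
+
+ // If the path isn't absolute, we need to do more processing to fix paths
+ // such as "../../../../<etc>/some/path". We also shouldn't convert absolute
+ // paths to relative ones.
+ if !filepath.IsAbs(path) {
+ path = filepath.Clean(string(os.PathSeparator) + path)
+ // This can't fail, as (by definition) all paths are relative to root.
+ path, _ = filepath.Rel(string(os.PathSeparator), path)
+ }
+
+ // Clean the path again for good measure.
+ return filepath.Clean(path)
+}
+
 func getCgroupData(c *configs.Cgroup, pid int) (*data, error) {
 root, err := getCgroupRoot()
 if err != nil {
 return nil, err
 }
 
+ // Clean the parent slice path.
+ c.Parent = pathClean(c.Parent)
+
 cgroup := c.Name
 if c.Parent != "" {
 cgroup = filepath.Join(c.Parent, cgroup)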
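Review bot: Only `c.Parent` is passed through pathClean in getCgroupData; `c.Name` is still handed to `filepath.Join(c.Parent, cgroup)` as-is, so a name containing `..` components can resolve the joined path above the parent that was just sanitised. Unless the name is validated somewhere outside this hunk, it should get the same treatment, e.g. `cgroup := pathClean(c.Name)`. Separately, `pathClean("")` returns `"."` rather than `""`, which makes the following `if c.Parent != ""` test always true and writes `"."` back into the caller's config; an early `if path == "" { return "" }` at the top of pathClean would keep the empty case unchanged. getCgroupData's body continues past the end of the hunk.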
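diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuset.go b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuset.go
index f3ec2c3..0b13115 100644
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuset.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuset.go
@@ -4,6 +4,7 @@ package fs
 
 import (
 "bytes"
+ "fmt"
 "io/ioutil"
 "os"
 "path/filepath"
@@ -92,6 +93,10 @@ func (s *CpusetGroup) ensureParent(current, root string) error {
 if filepath.Clean(parent) == root {
 return nil
 }
+ // Avoid infinite recursion.
+ if parent == current {
+ return fmt.Errorf("cpuset: cgroup parent path outside cgroup root")
+ }
 if err := s.ensureParent(parent, root); err != nil {
 return err
 }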
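Review bot: The comment `// Avoid infinite recursion.` on the new guard in ensureParent does not say why `parent == current` means the path is outside the root, which is the security-relevant part. I would expand it to something like `// parent == current only once the walk has reached the top of the path without meeting root, i.e. root is not an ancestor of the original cgroup path.` It may also be worth noting next to the existing `filepath.Clean(parent) == root` test that it is a plain string comparison and so presumably expects root to be already cleaned, otherwise a legitimate path would fall through to this error. How parent is derived is outside the hunk, and ensureParent starts and ends outside it as well.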