Accepting request 1165425 from home:cyphar:docker

- Update to runc v1.2.0~rc1. Upstream changelog is available from <https://github.com/opencontainers/runc/releases/tag/v1.2.0-rc.1>. - Remove upstreamed patches. - 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch - 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch - 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch OBS-URL: https://build.opensuse.org/request/show/1165425 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=158
2024-04-05 06:50:38 +00:00 · 2024-04-05 06:50:38 +00:00 · 2d98556bab
commit 2d98556bab
parent 904cbe4ac7
9 changed files with 40 additions and 526 deletions
--- a/0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch
+++ b/0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch
@ -1,44 +0,0 @@
 From 0c224086deacb981d7ea0fcbdab39ddf7bc3f24e Mon Sep 17 00:00:00 2001
 From: Kir Kolyshkin <kolyshkin@gmail.com>
 Date: Fri, 14 Oct 2022 18:37:00 -0700
 Subject: [PATCH 1/3] bsc1221050: libct/seccomp/patchbpf: rm duplicated code
 (This is a cherry-pick of 2cd05e44b662fb79c46d5ebfd6c71e9ebc98d40c.)
 In findLastSyscalls, we convert libseccomp.ArchNative to the real
 libseccomp architecture, but archToNative already does that, so
 this code is redundant.
 Remove the redundant code, and move its comment to archToNative.
 Fixes: 7a8d7162f
 Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
 Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
 ---
 libcontainer/seccomp/patchbpf/enosys_linux.go | 10 ----------
 1 file changed, 10 deletions(-)
 diff --git a/libcontainer/seccomp/patchbpf/enosys_linux.go b/libcontainer/seccomp/patchbpf/enosys_linux.go
 index efe6dca58b21..c9c1d4ccb685 100644
 --- a/libcontainer/seccomp/patchbpf/enosys_linux.go
 +++ b/libcontainer/seccomp/patchbpf/enosys_linux.go
@@ -233,16 +233,6 @@ func findLastSyscalls(config *configs.Seccomp) (lastSyscallMap, error) {
 			return nil, fmt.Errorf("unable to validate seccomp architecture: %w", err)
 		}
 -		// Map native architecture to a real architecture value to avoid
 -		// doubling-up the lastSyscall mapping.
 -		if arch == libseccomp.ArchNative {
 -			nativeArch, err := libseccomp.GetNativeArch()
 -			if err != nil {
 -				return nil, fmt.Errorf("unable to get native architecture: %w", err)
 -			}
 -			arch = nativeArch
 -		}
 -
 		// Figure out native architecture representation of the architecture.
 		nativeArch, err := archToNative(arch)
 		if err != nil {
 -- 
 2.44.0
--- a/0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch
+++ b/0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch
@ -1,289 +0,0 @@
 From de510c0c092bae47cdc1b54da25544c3e101e6ec Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <cyphar@cyphar.com>
 Date: Wed, 13 Mar 2024 13:40:16 +1100
 Subject: [PATCH 2/3] bsc1221050: seccomp: patchbpf: rename nativeArch ->
 linuxAuditArch
 (This is a backport of 6167f5ffc3e3fd53e6a41a2effa592a4873ad046.)
 Calling the Linux AUDIT_* architecture constants "native" leads to
 confusing code when we are getting the actual native architecture of the
 running system.
 Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
 ---
 libcontainer/seccomp/patchbpf/enosys_linux.go | 81 ++++++++++---------
 .../seccomp/patchbpf/enosys_linux_test.go     | 16 ++--
 2 files changed, 49 insertions(+), 48 deletions(-)
 diff --git a/libcontainer/seccomp/patchbpf/enosys_linux.go b/libcontainer/seccomp/patchbpf/enosys_linux.go
 index c9c1d4ccb685..1b67fda85c64 100644
 --- a/libcontainer/seccomp/patchbpf/enosys_linux.go
 +++ b/libcontainer/seccomp/patchbpf/enosys_linux.go
@@ -164,11 +164,11 @@ func disassembleFilter(filter *libseccomp.ScmpFilter) ([]bpf.Instruction, error)
 	return program, nil
 }
 -type nativeArch uint32
 +type linuxAuditArch uint32
 -const invalidArch nativeArch = 0
 +const invalidArch linuxAuditArch = 0
 -func archToNative(arch libseccomp.ScmpArch) (nativeArch, error) {
 +func scmpArchToAuditArch(arch libseccomp.ScmpArch) (linuxAuditArch, error) {
 	switch arch {
 	case libseccomp.ArchNative:
 		// Convert to actual native architecture.
@@ -176,48 +176,48 @@ func archToNative(arch libseccomp.ScmpArch) (nativeArch, error) {
 		if err != nil {
 			return invalidArch, fmt.Errorf("unable to get native arch: %w", err)
 		}
 -		return archToNative(arch)
 +		return scmpArchToAuditArch(arch)
 	case libseccomp.ArchX86:
 -		return nativeArch(C.C_AUDIT_ARCH_I386), nil
 +		return linuxAuditArch(C.C_AUDIT_ARCH_I386), nil
 	case libseccomp.ArchAMD64, libseccomp.ArchX32:
 		// NOTE: x32 is treated like x86_64 except all x32 syscalls have the
 		//       30th bit of the syscall number set to indicate that it's not a
 		//       normal x86_64 syscall.
 -		return nativeArch(C.C_AUDIT_ARCH_X86_64), nil
 +		return linuxAuditArch(C.C_AUDIT_ARCH_X86_64), nil
 	case libseccomp.ArchARM:
 -		return nativeArch(C.C_AUDIT_ARCH_ARM), nil
 +		return linuxAuditArch(C.C_AUDIT_ARCH_ARM), nil
 	case libseccomp.ArchARM64:
 -		return nativeArch(C.C_AUDIT_ARCH_AARCH64), nil
 +		return linuxAuditArch(C.C_AUDIT_ARCH_AARCH64), nil
 	case libseccomp.ArchMIPS:
 -		return nativeArch(C.C_AUDIT_ARCH_MIPS), nil
 +		return linuxAuditArch(C.C_AUDIT_ARCH_MIPS), nil
 	case libseccomp.ArchMIPS64:
 -		return nativeArch(C.C_AUDIT_ARCH_MIPS64), nil
 +		return linuxAuditArch(C.C_AUDIT_ARCH_MIPS64), nil
 	case libseccomp.ArchMIPS64N32:
 -		return nativeArch(C.C_AUDIT_ARCH_MIPS64N32), nil
 +		return linuxAuditArch(C.C_AUDIT_ARCH_MIPS64N32), nil
 	case libseccomp.ArchMIPSEL:
 -		return nativeArch(C.C_AUDIT_ARCH_MIPSEL), nil
 +		return linuxAuditArch(C.C_AUDIT_ARCH_MIPSEL), nil
 	case libseccomp.ArchMIPSEL64:
 -		return nativeArch(C.C_AUDIT_ARCH_MIPSEL64), nil
 +		return linuxAuditArch(C.C_AUDIT_ARCH_MIPSEL64), nil
 	case libseccomp.ArchMIPSEL64N32:
 -		return nativeArch(C.C_AUDIT_ARCH_MIPSEL64N32), nil
 +		return linuxAuditArch(C.C_AUDIT_ARCH_MIPSEL64N32), nil
 	case libseccomp.ArchPPC:
 -		return nativeArch(C.C_AUDIT_ARCH_PPC), nil
 +		return linuxAuditArch(C.C_AUDIT_ARCH_PPC), nil
 	case libseccomp.ArchPPC64:
 -		return nativeArch(C.C_AUDIT_ARCH_PPC64), nil
 +		return linuxAuditArch(C.C_AUDIT_ARCH_PPC64), nil
 	case libseccomp.ArchPPC64LE:
 -		return nativeArch(C.C_AUDIT_ARCH_PPC64LE), nil
 +		return linuxAuditArch(C.C_AUDIT_ARCH_PPC64LE), nil
 	case libseccomp.ArchS390:
 -		return nativeArch(C.C_AUDIT_ARCH_S390), nil
 +		return linuxAuditArch(C.C_AUDIT_ARCH_S390), nil
 	case libseccomp.ArchS390X:
 -		return nativeArch(C.C_AUDIT_ARCH_S390X), nil
 +		return linuxAuditArch(C.C_AUDIT_ARCH_S390X), nil
 	case libseccomp.ArchRISCV64:
 -		return nativeArch(C.C_AUDIT_ARCH_RISCV64), nil
 +		return linuxAuditArch(C.C_AUDIT_ARCH_RISCV64), nil
 	default:
 		return invalidArch, fmt.Errorf("unknown architecture: %v", arch)
 	}
 }
 -type lastSyscallMap map[nativeArch]map[libseccomp.ScmpArch]libseccomp.ScmpSyscall
 +type lastSyscallMap map[linuxAuditArch]map[libseccomp.ScmpArch]libseccomp.ScmpSyscall
 // Figure out largest syscall number referenced in the filter for each
 // architecture. We will be generating code based on the native architecture
@@ -234,17 +234,17 @@ func findLastSyscalls(config *configs.Seccomp) (lastSyscallMap, error) {
 		}
 		// Figure out native architecture representation of the architecture.
 -		nativeArch, err := archToNative(arch)
 +		auditArch, err := scmpArchToAuditArch(arch)
 		if err != nil {
 			return nil, fmt.Errorf("cannot map architecture %v to AUDIT_ARCH_ constant: %w", arch, err)
 		}
 -		if _, ok := lastSyscalls[nativeArch]; !ok {
 -			lastSyscalls[nativeArch] = map[libseccomp.ScmpArch]libseccomp.ScmpSyscall{}
 +		if _, ok := lastSyscalls[auditArch]; !ok {
 +			lastSyscalls[auditArch] = map[libseccomp.ScmpArch]libseccomp.ScmpSyscall{}
 		}
 -		if _, ok := lastSyscalls[nativeArch][arch]; ok {
 +		if _, ok := lastSyscalls[auditArch][arch]; ok {
 			// Because of ArchNative we may hit the same entry multiple times.
 -			// Just skip it if we've seen this (nativeArch, ScmpArch)
 +			// Just skip it if we've seen this (linuxAuditArch, ScmpArch)
 			// combination before.
 			continue
 		}
@@ -262,10 +262,11 @@ func findLastSyscalls(config *configs.Seccomp) (lastSyscallMap, error) {
 			}
 		}
 		if largestSyscall != 0 {
 -			lastSyscalls[nativeArch][arch] = largestSyscall
 +			logrus.Debugf("seccomp: largest syscall number for arch %v is %v", arch, largestSyscall)
 +			lastSyscalls[auditArch][arch] = largestSyscall
 		} else {
 -			logrus.Warnf("could not find any syscalls for arch %s", ociArch)
 -			delete(lastSyscalls[nativeArch], arch)
 +			logrus.Warnf("could not find any syscalls for arch %v", arch)
 +			delete(lastSyscalls[auditArch], arch)
 		}
 	}
 	return lastSyscalls, nil
@@ -283,10 +284,10 @@ func findLastSyscalls(config *configs.Seccomp) (lastSyscallMap, error) {
 // close_range(2) which were added out-of-order in the syscall table between
 // kernel releases.
 func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error) {
 -	// A jump-table for each nativeArch used to generate the initial
 +	// A jump-table for each linuxAuditArch used to generate the initial
 	// conditional jumps -- measured from the *END* of the program so they
 	// remain valid after prepending to the tail.
 -	archJumpTable := map[nativeArch]uint32{}
 +	archJumpTable := map[linuxAuditArch]uint32{}
 	// Generate our own -ENOSYS rules for each architecture. They have to be
 	// generated in reverse (prepended to the tail of the program) because the
@@ -299,7 +300,7 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error)
 	}
 	// Generate the syscall -ENOSYS rules.
 -	for nativeArch, maxSyscalls := range lastSyscalls {
 +	for auditArch, maxSyscalls := range lastSyscalls {
 		// The number of instructions from the tail of this section which need
 		// to be jumped in order to reach the -ENOSYS return. If the section
 		// does not jump, it will fall through to the actual filter.
@@ -380,7 +381,7 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error)
 			// If we're on x86 we need to add a check for x32 and if we're in
 			// the wrong mode we jump over the section.
 -			if uint32(nativeArch) == uint32(C.C_AUDIT_ARCH_X86_64) {
 +			if uint32(auditArch) == uint32(C.C_AUDIT_ARCH_X86_64) {
 				// Generate a prefix to check the mode.
 				switch scmpArch {
 				case libseccomp.ArchAMD64:
@@ -409,8 +410,8 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error)
 			section = append(section, sectionTail...)
 		case 2:
 			// x32 and x86_64 are a unique case, we can't handle any others.
 -			if uint32(nativeArch) != uint32(C.C_AUDIT_ARCH_X86_64) {
 -				return nil, fmt.Errorf("unknown architecture overlap on native arch %#x", nativeArch)
 +			if uint32(auditArch) != uint32(C.C_AUDIT_ARCH_X86_64) {
 +				return nil, fmt.Errorf("unknown architecture overlap on native arch %#x", auditArch)
 			}
 			x32sysno, ok := maxSyscalls[libseccomp.ArchX32]
@@ -487,7 +488,7 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error)
 		programTail = append(section, programTail...)
 		// Update jump table.
 -		archJumpTable[nativeArch] = uint32(len(programTail))
 +		archJumpTable[auditArch] = uint32(len(programTail))
 	}
 	// Add a dummy "jump to filter" for any architecture we might miss below.
@@ -507,9 +508,9 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error)
 	//       architectures based on how large the jumps are going to be, or
 	//       re-sort the candidate architectures each time to make sure that we
 	//       pick the largest jump which is going to be smaller than 255.
 -	for nativeArch := range lastSyscalls {
 +	for auditArch := range lastSyscalls {
 		// We jump forwards but the jump table is calculated from the *END*.
 -		jump := uint32(len(programTail)) - archJumpTable[nativeArch]
 +		jump := uint32(len(programTail)) - archJumpTable[auditArch]
 		// Same routine as above -- this is a basic jeq check, complicated
 		// slightly if it turns out that we need to do a long jump.
@@ -518,7 +519,7 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error)
 				// jeq [arch],[jump]
 				bpf.JumpIf{
 					Cond:     bpf.JumpEqual,
 -					Val:      uint32(nativeArch),
 +					Val:      uint32(auditArch),
 					SkipTrue: uint8(jump),
 				},
 			}, programTail...)
@@ -527,7 +528,7 @@ func generateEnosysStub(lastSyscalls lastSyscallMap) ([]bpf.Instruction, error)
 				// jne [arch],1
 				bpf.JumpIf{
 					Cond:     bpf.JumpNotEqual,
 -					Val:      uint32(nativeArch),
 +					Val:      uint32(auditArch),
 					SkipTrue: 1,
 				},
 				// ja [jump]
 diff --git a/libcontainer/seccomp/patchbpf/enosys_linux_test.go b/libcontainer/seccomp/patchbpf/enosys_linux_test.go
 index e2d363a43bd3..bdfeff68adb3 100644
 --- a/libcontainer/seccomp/patchbpf/enosys_linux_test.go
 +++ b/libcontainer/seccomp/patchbpf/enosys_linux_test.go
@@ -23,7 +23,7 @@ type seccompData struct {
 }
 // mockSyscallPayload creates a fake seccomp_data struct with the given data.
 -func mockSyscallPayload(t *testing.T, sysno libseccomp.ScmpSyscall, arch nativeArch, args ...uint64) []byte {
 +func mockSyscallPayload(t *testing.T, sysno libseccomp.ScmpSyscall, arch linuxAuditArch, args ...uint64) []byte {
 	var buf bytes.Buffer
 	data := seccompData{
@@ -150,8 +150,8 @@ func testEnosysStub(t *testing.T, defaultAction configs.Action, arches []string)
 		for _, arch := range testArches {
 			type syscallTest struct {
 -				syscall  string
 				sysno    libseccomp.ScmpSyscall
 +				syscall  string
 				expected uint32
 			}
@@ -160,7 +160,7 @@ func testEnosysStub(t *testing.T, defaultAction configs.Action, arches []string)
 				t.Fatalf("unknown libseccomp architecture %q: %v", arch, err)
 			}
 -			nativeArch, err := archToNative(scmpArch)
 +			auditArch, err := scmpArchToAuditArch(scmpArch)
 			if err != nil {
 				t.Fatalf("unknown audit architecture %q: %v", arch, err)
 			}
@@ -179,9 +179,9 @@ func testEnosysStub(t *testing.T, defaultAction configs.Action, arches []string)
 					t.Fatalf("unknown syscall %q on arch %q: %v", syscall, arch, err)
 				}
 				syscallTests = append(syscallTests, syscallTest{
 -					syscall,
 -					sysno,
 -					expected,
 +					sysno:    sysno,
 +					syscall:  syscall,
 +					expected: expected,
 				})
 			}
@@ -233,7 +233,7 @@ func testEnosysStub(t *testing.T, defaultAction configs.Action, arches []string)
 					test.expected = retFallthrough
 				}
 -				payload := mockSyscallPayload(t, test.sysno, nativeArch, 0x1337, 0xF00BA5)
 +				payload := mockSyscallPayload(t, test.sysno, auditArch, 0x1337, 0xF00BA5)
 				// NOTE: golang.org/x/net/bpf returns int here rather
 				// than uint32.
 				rawRet, err := filter.Run(payload)
@@ -247,7 +247,7 @@ func testEnosysStub(t *testing.T, defaultAction configs.Action, arches []string)
 						t.Logf("  [%4.1d] %s", idx, insn)
 					}
 					t.Logf("payload: %#v", payload)
 -					t.Errorf("filter %s(%d) %q(%d): got %#x, want %#x", arch, nativeArch, test.syscall, test.sysno, ret, test.expected)
 +					t.Errorf("filter %s(%d) %q(%d): got %#x, want %#x", arch, auditArch, test.syscall, test.sysno, ret, test.expected)
 				}
 			}
 		}
 -- 
 2.44.0
--- a/0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch
+++ b/0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch
@ -1,162 +0,0 @@
 From d8014991cb2555c17a8828d664a4b7b3924b1e9b Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <cyphar@cyphar.com>
 Date: Wed, 13 Mar 2024 16:12:51 +1100
 Subject: [PATCH 3/3] bsc1221050: seccomp: patchbpf: always include native
 architecture in stub
 (This is a backport of 376417ba7646f05ddb1efa8fe30e2a3b53cf673b.)
 It turns out that on ppc64le (at least), Docker doesn't include any
 architectures in the list of allowed architectures. libseccomp
 interprets this as "just include the default architecture" but patchbpf
 would return a no-op ENOSYS stub, which would lead to the exact issues
 that commit 7a8d7162f9d7 ("seccomp: prepend -ENOSYS stub to all
 filters") fixed for other architectures.
 So, just always include the running architecture in the list. There's
 no real downside.
 SUSE-Bugs: 1192051 1221050
 Ref: https://bugzilla.suse.com/show_bug.cgi?id=1192051#c6
 Reported-by: Fabian Vogt <fvogt@suse.com>
 Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
 ---
 libcontainer/seccomp/patchbpf/enosys_linux.go | 22 +++++++--
 .../seccomp/patchbpf/enosys_linux_test.go     | 47 +++++++++++++++++--
 2 files changed, 61 insertions(+), 8 deletions(-)
 diff --git a/libcontainer/seccomp/patchbpf/enosys_linux.go b/libcontainer/seccomp/patchbpf/enosys_linux.go
 index 1b67fda85c64..d459ba8792ca 100644
 --- a/libcontainer/seccomp/patchbpf/enosys_linux.go
 +++ b/libcontainer/seccomp/patchbpf/enosys_linux.go
@@ -224,16 +224,30 @@ type lastSyscallMap map[linuxAuditArch]map[libseccomp.ScmpArch]libseccomp.ScmpSy
 // representation, but SCMP_ARCH_X32 means we have to track cases where the
 // same architecture has different largest syscalls based on the mode.
 func findLastSyscalls(config *configs.Seccomp) (lastSyscallMap, error) {
 -	lastSyscalls := make(lastSyscallMap)
 -	// Only loop over architectures which are present in the filter. Any other
 -	// architectures will get the libseccomp bad architecture action anyway.
 +	scmpArchs := make(map[libseccomp.ScmpArch]struct{})
 	for _, ociArch := range config.Architectures {
 		arch, err := libseccomp.GetArchFromString(ociArch)
 		if err != nil {
 			return nil, fmt.Errorf("unable to validate seccomp architecture: %w", err)
 		}
 +		scmpArchs[arch] = struct{}{}
 +	}
 +	// On architectures like ppc64le, Docker inexplicably doesn't include the
 +	// native architecture in the architecture list which results in no
 +	// architectures being present in the list at all (rendering the ENOSYS
 +	// stub a no-op). So, always include the native architecture.
 +	if nativeScmpArch, err := libseccomp.GetNativeArch(); err != nil {
 +		return nil, fmt.Errorf("unable to get native arch: %w", err)
 +	} else if _, ok := scmpArchs[nativeScmpArch]; !ok {
 +		logrus.Debugf("seccomp: adding implied native architecture %v to config set", nativeScmpArch)
 +		scmpArchs[nativeScmpArch] = struct{}{}
 +	}
 +	logrus.Debugf("seccomp: configured architecture set: %s", scmpArchs)
 -		// Figure out native architecture representation of the architecture.
 +	// Only loop over architectures which are present in the filter. Any other
 +	// architectures will get the libseccomp bad architecture action anyway.
 +	lastSyscalls := make(lastSyscallMap)
 +	for arch := range scmpArchs {
 		auditArch, err := scmpArchToAuditArch(arch)
 		if err != nil {
 			return nil, fmt.Errorf("cannot map architecture %v to AUDIT_ARCH_ constant: %w", arch, err)
 diff --git a/libcontainer/seccomp/patchbpf/enosys_linux_test.go b/libcontainer/seccomp/patchbpf/enosys_linux_test.go
 index bdfeff68adb3..3d442e1daa66 100644
 --- a/libcontainer/seccomp/patchbpf/enosys_linux_test.go
 +++ b/libcontainer/seccomp/patchbpf/enosys_linux_test.go
@@ -12,6 +12,7 @@ import (
 	"github.com/opencontainers/runc/libcontainer/configs"
 	libseccomp "github.com/seccomp/libseccomp-golang"
 +	"github.com/sirupsen/logrus"
 	"golang.org/x/net/bpf"
 )
@@ -105,6 +106,18 @@ var testArches = []string{
 	"ppc64le",
 	"s390",
 	"s390x",
 +	// Dummy value to indicate a configuration with no architecture specified.
 +	"native",
 +}
 +
 +var nativeArch string
 +
 +func init() {
 +	scmpNativeArch, err := libseccomp.GetNativeArch()
 +	if err != nil {
 +		logrus.Panicf("get native arch: %v", err)
 +	}
 +	nativeArch = scmpNativeArch.String()
 }
 func testEnosysStub(t *testing.T, defaultAction configs.Action, arches []string) {
@@ -155,6 +168,9 @@ func testEnosysStub(t *testing.T, defaultAction configs.Action, arches []string)
 				expected uint32
 			}
 +			if arch == "native" {
 +				arch = nativeArch
 +			}
 			scmpArch, err := libseccomp.GetArchFromString(arch)
 			if err != nil {
 				t.Fatalf("unknown libseccomp architecture %q: %v", arch, err)
@@ -228,8 +244,15 @@ func testEnosysStub(t *testing.T, defaultAction configs.Action, arches []string)
 			// Test syscalls in the explicit list.
 			for _, test := range syscallTests {
 -				// Override the expected value in the two special cases.
 -				if !archSet[arch] || isAllowAction(defaultAction) {
 +				// Override the expected value in the two special cases:
 +				//  1. If the default action is allow, the filter won't have
 +				//     the stub prepended so we expect a fallthrough.
 +				//  2. If the executing architecture is not in the architecture
 +				//     set, then the architecture is not handled by the stub --
 +				//     *except* in the case of the native architecture (which
 +				//     is always included in the stub).
 +				if isAllowAction(defaultAction) ||
 +					(!archSet[arch] && arch != nativeArch) {
 					test.expected = retFallthrough
 				}
@@ -263,7 +286,14 @@ var testActions = map[string]configs.Action{
 func TestEnosysStub_SingleArch(t *testing.T) {
 	for _, arch := range testArches {
 -		arches := []string{arch}
 +		var arches []string
 +		// "native" indicates a blank architecture field for seccomp, to test
 +		// the case where the running architecture was not included in the
 +		// architecture. Docker doesn't always set the architecture for some
 +		// reason (namely for ppc64le).
 +		if arch != "native" {
 +			arches = append(arches, arch)
 +		}
 		t.Run("arch="+arch, func(t *testing.T) {
 			for name, action := range testActions {
 				t.Run("action="+name, func(t *testing.T) {
@@ -277,7 +307,16 @@ func TestEnosysStub_SingleArch(t *testing.T) {
 func TestEnosysStub_MultiArch(t *testing.T) {
 	for end := 0; end < len(testArches); end++ {
 		for start := 0; start < end; start++ {
 -			arches := testArches[start:end]
 +			var arches []string
 +			for _, arch := range testArches[start:end] {
 +				// "native" indicates a blank architecture field for seccomp, to test
 +				// the case where the running architecture was not included in the
 +				// architecture. Docker doesn't always set the architecture for some
 +				// reason (namely for ppc64le).
 +				if arch != "native" {
 +					arches = append(arches, arch)
 +				}
 +			}
 			if len(arches) <= 1 {
 				continue
 			}
 -- 
 2.44.0
--- a/runc-1.1.12.tar.xz
+++ b/runc-1.1.12.tar.xz
--- a/runc-1.1.12.tar.xz.asc
+++ b/runc-1.1.12.tar.xz.asc
@ -1,17 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQJEBAABCAAuFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAmWvvCcQHGFzYXJhaUBz
 dXNlLmNvbQAKCRCeGKomfduNtG2oD/9yLwYdfbx4GU31kCuvTS3odH8XyplL4QLl
 TszoLO/50z/Y9r0QBNuLsDDvAWtsJAYTsRIwEwDgUuziHnbkbHCnE2C+6P7OWUKp
 7VS1mqWzWeVibt0hYBWcooJb8inA/ctwfppZlH8EnTdoyqp0bAuQKtj2muA+LTvN
 n/19qZ0/zAvErya5ugZCfnpJngOM0W//F5OSE/DKI3ct6o3AilxlzlhZuwkiYQud
 nwS5j4CvQp7GkJeuwDluUHGmsT8AW6P3McptS/BcT4wUKWhxcntJG1cdiZOFTW84
 3CLdwMPGQR0SVK5yPMbKogRtglODEW82Ytp4S8BB9sG5PS5rBsvnApSQxFluRMQT
 oaQsEKwPS+VSUwf44QR42iF3fB8dxmmmcautr5yaUiSx4DdFGj9jjrbMa9YCk2da
 J/5ExwJv5nP5R+uwOiH3ziZuFuuH1afbGLrT2ouv61/SMGiYiLEAyiegF94Zg2nu
 5RvMUz33LpEckLrlNN5u9q+/jbfJmZAUtdVafKQQTBRFKPCyHjOroKM11PzoHX6l
 3dsyEPbEfowZ+uM2z9wCfub529fNF8t9k9sUAIQsma5p7+l7xJMbOua2kd1kGiQU
 ec19+KD6ka4NHyDRwxe0iM6/AuFlKKUUTVGZjg2bD+ap0qgDjZ3R5lTmI1pJ8Win
 wfoEKZCm+A==
 =Sl8m
 -----END PGP SIGNATURE-----
--- a/runc-1.2.0-rc.1.tar.xz
+++ b/runc-1.2.0-rc.1.tar.xz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:3f6fed97bf5db1d4eac43b622a62379e07f3f73dd1c3e5ee5c0f82a1c960e1f7
 size 1603252
--- a/runc-1.2.0-rc.1.tar.xz.asc
+++ b/runc-1.2.0-rc.1.tar.xz.asc
@ -0,0 +1,17 @@
 -----BEGIN PGP SIGNATURE-----
 iQJEBAABCAAuFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAmYNM/MQHGFzYXJhaUBz
 dXNlLmNvbQAKCRCeGKomfduNtLTvEACihuWRg3CBLJuZFnV5YMkgYO1nhNfcY0TX
 BJWqrjleSkyhrWWNeGPmCLGvCLzQtk+pQzC8T2lN3/y4VNIsdSUrGrMP6uSh3uKu
 TF/IMBL5HJmowv+6RYcKb0kq9ta1lFR8LL63o7hn45xu5ZsnQGwEz+nI4IbrYRjr
 zPyYD5GQgkjFzBeHUb5BcbGNgZ62XTyyhZgUH8D/2+X9B/xqK6RKZ+dEVD4rU/nj
 rQafX4GHg+20OsmUj5AoE+nXkP98YyM33Nh9RQKNdDwS/OZ8lh24BtN4635VRINA
 EsCLKZKAb9Eu0Wqs/b0k8RsWblNEg/fDPvTg8bBJI6tIldVa8K4mqk6tOYL1zZzD
 33F5lhpNdstajFZuehXDHDqhDAQmJ0GAHDFeGZo7Am7wTmxSNNZ0gpo1zcWl9Y/D
 xW12H/oYtMwaj3MrtmlN+Os3V4pm16FgFM6LuPAR79FrXpu1l30D1wkVvQsp5pkD
 XaUxLw6kYzt5Z/PB13L7QccxojRDJtFCDf2n4DLHJWI/qFe57qYCwD0TP/gIDkOA
 HE4t7UU6lygPwIbc+0Zc5S7zOI3/CBgq1IWoMiZamAEs3FzPwt4jC3Czq9zemHPU
 7gyjR5rTVTJu9OOCVhyegxqD2fOxMOEKITAHrKIN+qnQkXAQ5gXeY4mHWr02tkkW
 7rsh+eQR2A==
 =io9I
 -----END PGP SIGNATURE-----
--- a/runc.changes
+++ b/runc.changes
@ -1,3 +1,13 @@
 -------------------------------------------------------------------
 Fri Apr  4 05:04:27 UTC 2024 - Aleksa Sarai <asarai@suse.com>
 - Update to runc v1.2.0~rc1. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.2.0-rc.1>.
 - Remove upstreamed patches.
  - 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch
  - 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch
  - 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch
 -------------------------------------------------------------------
 Thu Mar 21 03:46:48 UTC 2024 - Aleksa Sarai <asarai@suse.com>
--- a/runc.spec
+++ b/runc.spec
@ -18,25 +18,24 @@
 # MANUAL: Make sure you update this each time you update runc.
-%define git_version 51d5e94601ceffbbd85688df1c928ecccbfa4685
+%define git_version 275e6d85f78a9d0a90d9a714ba5f667561a4b0b9
-%define git_short   51d5e94601ce
+%define git_short   275e6d85f78a
 %define project github.com/opencontainers/runc
 Name:           runc
-Version:        1.1.12
+# RPM doesn't handle semver rc releases nicely, so for rc releases we need to
 # do something different.
 %define upstream_version 1.2.0-rc.1
 Version:        1.2.0~rc1
 Release:        0
 Summary:        Tool for spawning and running OCI containers
 License:        Apache-2.0
 Group:          System/Management
 URL:            https://github.com/opencontainers/runc
-Source0:        https://github.com/opencontainers/runc/releases/download/v%{version}/runc.tar.xz#/runc-%{version}.tar.xz
+Source0:        https://github.com/opencontainers/runc/releases/download/v%{upstream_version}/runc.tar.xz#/runc-%{upstream_version}.tar.xz
-Source1:        https://github.com/opencontainers/runc/releases/download/v%{version}/runc.tar.xz.asc#/runc-%{version}.tar.xz.asc
+Source1:        https://github.com/opencontainers/runc/releases/download/v%{upstream_version}/runc.tar.xz.asc#/runc-%{upstream_version}.tar.xz.asc
 Source2:        runc.keyring
 # SUSE-FIX-UPSTREAM: Backport of <https://github.com/opencontainers/runc/pull/4219>. bsc#1221050
 Patch10:        0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch
 Patch11:        0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch
 Patch12:        0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch
 BuildRequires:  diffutils
 BuildRequires:  fdupes
 BuildRequires:  go
@ -58,7 +57,7 @@ Obsoletes:      docker-runc_50a19c6
 ExcludeArch:    s390
 # Construct "git describe --dirty --long --always".
-%define git_describe v%{version}-0-g%{git_short}
+%define git_describe v%{upstream_version}-0-g%{git_short}
 %description
 runc is a CLI tool for spawning and running containers according to the OCI
@ -67,7 +66,7 @@ of Docker. It was originally designed to be a replacement for LXC within Docker,
 and has grown to become a separate project entirely.
 %prep
-%setup -q -n %{name}-%{version}
+%setup -q -n %{name}-%{upstream_version}
 %autopatch -p1
 %build