From ed88bb6a036a3e35dc335dd6814df3911a1ade15 Mon Sep 17 00:00:00 2001
From: xiadanni
Date: Sat, 11 Sep 2021 05:20:04 +0800
Subject: [PATCH] runc: honor seccomp errnoRet to fix curl failed

If clone3 returns EPERM, glibc will return error, which causes curl failed in kernel 5.10. So seccomp adds new rule to change clone3 return code to NOSYS, as glibc will try to call clone then when clone3 returns NOSYS.

Signed-off-by: xiadanni
---
 git-commit | 2 +-
 ...-seccomp-errnoRet-to-fix-curl-failed.patch | 133 ++++++++++++++++++
 runc-openeuler.spec | 6 +
 series.conf | 1 +
 4 files changed, 141 insertions(+), 1 deletion(-)
 create mode 100644 patch/0126-runc-honor-seccomp-errnoRet-to-fix-curl-failed.patch

diff --git a/git-commit b/git-commit
index ed10351..20fc417 100644
--- a/git-commit
+++ b/git-commit
@@ -1 +1 @@
-115f07e6a16508a63b98f4f375e285607822b8a8
+086f61a1fa54aaf82d0903a577bafd90067173fa
diff --git a/patch/0126-runc-honor-seccomp-errnoRet-to-fix-curl-failed.patch b/patch/0126-runc-honor-seccomp-errnoRet-to-fix-curl-failed.patch
new file mode 100644
index 0000000..16b6725
--- /dev/null
+++ b/patch/0126-runc-honor-seccomp-errnoRet-to-fix-curl-failed.patch
@@ -0,0 +1,133 @@
+From 1f186f2162aa1e6814fe8fcef94e5823840af9f0 Mon Sep 17 00:00:00 2001
+From: xiadanni
+Date: Sat, 11 Sep 2021 05:14:11 +0800
+Subject: [PATCH] runc: honor seccomp errnoRet to fix curl failed
+
+If clone3 returns EPERM, glibc will return error, which causes curl
+failed in kernel 5.10. So seccomp adds new rule to change clone3 return
+code to NOSYS, as glibc will try to call clone then when clone3 returns
+NOSYS.
+
+upstream:https://github.com/opencontainers/runc/commit/41aa19662b6aa05b8ec70962f0c74f6f77098835
+
+Signed-off-by: xiadanni
+---
+ libcontainer/configs/config.go | 6 ++++--
+ libcontainer/seccomp/seccomp_linux.go | 12 +++++++++---
+ libcontainer/specconv/spec_linux.go | 1 +
+ .../opencontainers/runtime-spec/specs-go/config.go | 8 +++++---
+ 4 files changed, 19 insertions(+), 8 deletions(-)
+
+diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go
+index 9074c86..3d8490a 100644
+--- a/libcontainer/configs/config.go
++++ b/libcontainer/configs/config.go
+@@ -4,11 +4,12 @@ import (
+ "bytes"
+ "encoding/json"
+ "fmt"
+- "github.com/Sirupsen/logrus"
+- "github.com/opencontainers/runtime-spec/specs-go"
+ "os/exec"
+ "strings"
+ "time"
++
++ "github.com/Sirupsen/logrus"
++ "github.com/opencontainers/runtime-spec/specs-go"
+ )
+ 
+ const (
+@@ -79,6 +80,7 @@ type Syscall struct {
+ Name string `json:"name"`
+ Action Action `json:"action"`
+ Priority uint8 `json:"priority,omitempty"`
++ ErrnoRet *uint `json:"errnoRet"`
+ Args []*Arg `json:"args"`
+ }
+ 
+diff --git a/libcontainer/seccomp/seccomp_linux.go b/libcontainer/seccomp/seccomp_linux.go
+index 0c97da6..26cec43 100644
+--- a/libcontainer/seccomp/seccomp_linux.go
++++ b/libcontainer/seccomp/seccomp_linux.go
+@@ -36,7 +36,7 @@ func InitSeccomp(config *configs.Seccomp) error {
+ return fmt.Errorf("cannot initialize Seccomp - nil config passed")
+ }
+ 
+- defaultAction, err := getAction(config.DefaultAction)
++ defaultAction, err := getAction(config.DefaultAction, nil)
+ if err != nil {
+ return fmt.Errorf("error initializing seccomp - invalid default action")
+ }
+@@ -100,17 +100,23 @@ func IsEnabled() bool {
+ }
+ 
+ // Convert Libcontainer Action to Libseccomp ScmpAction
+-func getAction(act configs.Action) (libseccomp.ScmpAction, error) {
++func getAction(act configs.Action, errnoRet *uint) (libseccomp.ScmpAction, error) {
+ switch act {
+ case configs.Kill:
+ return actKill, nil
+ case configs.Errno:
++ if errnoRet != nil {
++ return libseccomp.ActErrno.SetReturnCode(int16(*errnoRet)), nil
++ }
+ return actErrno, nil
+ case configs.Trap:
+ return actTrap, nil
+ case configs.Allow:
+ return actAllow, nil
+ case configs.Trace:
++ if errnoRet != nil {
++ return libseccomp.ActTrace.SetReturnCode(int16(*errnoRet)), nil
++ }
+ return actTrace, nil
+ default:
+ return libseccomp.ActInvalid, fmt.Errorf("invalid action, cannot use in rule")
+@@ -173,7 +179,7 @@ func matchCall(filter *libseccomp.ScmpFilter, call *configs.Syscall) error {
+ }
+ 
+ // Convert the call's action to the libseccomp equivalent
+- callAct, err := getAction(call.Action)
++ callAct, err := getAction(call.Action, call.ErrnoRet)
+ if err != nil {
+ return err
+ }
+diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
+index 0cbc66f..d275967 100644
+--- a/libcontainer/specconv/spec_linux.go
++++ b/libcontainer/specconv/spec_linux.go
+@@ -759,6 +759,7 @@ func setupSeccomp(config *specs.LinuxSeccomp) (*configs.Seccomp, error) {
+ Name: name,
+ Action: newAction,
+ Priority: call.Priority,
++ ErrnoRet: call.ErrnoRet,
+ Args: []*configs.Arg{},
+ }
+ // Loop through all the arguments of the syscall and convert them
+diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
+index 8439744..4b52684 100644
+--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
++++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
+@@ -487,9 +487,10 @@ type WindowsNetworkResources struct {
+ 
+ // LinuxSeccomp represents syscall restrictions
+ type LinuxSeccomp struct {
+- DefaultAction LinuxSeccompAction `json:"defaultAction"`
+- Architectures []Arch `json:"architectures,omitempty"`
+- Syscalls []LinuxSyscall `json:"syscalls"`
++ DefaultAction LinuxSeccompAction `json:"defaultAction"`
++ DefaultErrnoRet *uint `json:"defaultErrnoRet,omitempty"`
++ Architectures []Arch `json:"architectures,omitempty"`
++ Syscalls []LinuxSyscall `json:"syscalls"`
+ }
+ 
+ // Arch used for additional architectures
+@@ -559,4 +560,5 @@ type LinuxSyscall struct {
+ Priority uint8 `json:"priority,omitempty"`
+ Args []LinuxSeccompArg `json:"args"`
+ Comment string `json:"comment"`
++ ErrnoRet *uint `json:"errnoRet,omitempty"`
+ }
+--
+2.27.0
+
diff --git a/runc-openeuler.spec b/runc-openeuler.spec
index 4241e43..e8207d8 100644
--- a/runc-openeuler.spec
+++ b/runc-openeuler.spec
@@ -52,6 +52,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
 %{_bindir}/runc
 
 %changelog
+* Sat Sep 11 2021 xiadanni - 18.09.0-118
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:honor seccomp errnoRet to fix curl failed
+
 * Thu Mar 18 2021 xiadanni - 1.0.0.rc3-113
 - Type:bugfix
 - CVE:NA
diff --git a/series.conf b/series.conf
index 7c53b83..88a2fb9 100644
--- a/series.conf
+++ b/series.conf
@@ -123,4 +123,5 @@
 0121-runc-add-cpu-and-memory-info-when-print-cgroup-info.patch
 0124-runc-fix-freezing-race.patch
 0125-runc-compile-option-compliance.patch
+0126-runc-honor-seccomp-errnoRet-to-fix-curl-failed.patch
 #end
--
Gitee
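Review bot: `int16(*errnoRet)` in the new Errno and Trace branches of getAction (seccomp_linux.go hunk inside the added patch file) narrows a `*uint` with no range check, so an errnoRet above 32767 in a profile wraps to a negative return code and the installed filter returns something other than what the profile asked for. I would reject it once before the switch rather than in each branch: `if errnoRet != nil && *errnoRet > math.MaxInt16 { return libseccomp.ActInvalid, fmt.Errorf("errnoRet %d out of range", *errnoRet) }` (needs a `math` import if the file lacks one; its import block is outside the hunk). Separately, the vendored spec gains `DefaultErrnoRet`, but InitSeccomp still calls `getAction(config.DefaultAction, nil)` and nothing else in this patch consumes the field, so as far as the patch shows a profile's defaultErrnoRet is decoded and then silently ignored — either thread it through configs.Seccomp to that call or note in the changelog that only the per-syscall errnoRet is honored. Both getAction and InitSeccomp extend beyond their hunks.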