!281 runc:sync some patches

From: @zhong-jiawei-1 
Reviewed-by: @zhangsong234 
Signed-off-by: @zhangsong234

git-commit

@@ -1 +1 @@
-d40eb8bbaaf0365a8d2468625474125181b65c83
+b41140eddc29b390cf030de10de67c9878d50ae6

patch/0040-add-loongarch64-seccomp-support.patch

@@ -0,0 +1,150 @@
+diff --git a/libcontainer/seccomp/config.go b/libcontainer/seccomp/config.go
+index 2b15576..841f9d9 100644
+--- a/libcontainer/seccomp/config.go
++++ b/libcontainer/seccomp/config.go
+@@ -69,6 +69,7 @@ var archs = map[string]string{
+ 	"SCMP_ARCH_RISCV64":     "riscv64",
+ 	"SCMP_ARCH_S390":        "s390",
+ 	"SCMP_ARCH_S390X":       "s390x",
++	"SCMP_ARCH_LOONGARCH64": "loong64",
+ }
+ 
+ // KnownArchs returns the list of the known archs.
+diff --git a/libcontainer/seccomp/patchbpf/enosys_linux.go b/libcontainer/seccomp/patchbpf/enosys_linux.go
+index 6376512..391c319 100644
+--- a/libcontainer/seccomp/patchbpf/enosys_linux.go
++++ b/libcontainer/seccomp/patchbpf/enosys_linux.go
+@@ -75,6 +75,7 @@ const uint32_t C_AUDIT_ARCH_PPC64LE      = AUDIT_ARCH_PPC64LE;
+ const uint32_t C_AUDIT_ARCH_S390         = AUDIT_ARCH_S390;
+ const uint32_t C_AUDIT_ARCH_S390X        = AUDIT_ARCH_S390X;
+ const uint32_t C_AUDIT_ARCH_RISCV64      = AUDIT_ARCH_RISCV64;
++const uint32_t C_AUDIT_ARCH_LOONGARCH64  = AUDIT_ARCH_LOONGARCH64;
+ */
+ import "C"
+ 
+@@ -212,6 +213,8 @@ func archToNative(arch libseccomp.ScmpArch) (nativeArch, error) {
+ 		return nativeArch(C.C_AUDIT_ARCH_S390X), nil
+ 	case libseccomp.ArchRISCV64:
+ 		return nativeArch(C.C_AUDIT_ARCH_RISCV64), nil
++	case libseccomp.ArchLOONGARCH64:
++		return nativeArch(C.C_AUDIT_ARCH_LOONGARCH64), nil
+ 	default:
+ 		return invalidArch, fmt.Errorf("unknown architecture: %v", arch)
+ 	}
+diff --git a/libcontainer/seccomp/patchbpf/enosys_linux_test.go b/libcontainer/seccomp/patchbpf/enosys_linux_test.go
+index e2d363a..a66fe35 100644
+--- a/libcontainer/seccomp/patchbpf/enosys_linux_test.go
++++ b/libcontainer/seccomp/patchbpf/enosys_linux_test.go
+@@ -105,6 +105,7 @@ var testArches = []string{
+ 	"ppc64le",
+ 	"s390",
+ 	"s390x",
++	"loong64",
+ }
+ 
+ func testEnosysStub(t *testing.T, defaultAction configs.Action, arches []string) {
+diff --git a/libcontainer/system/syscall_linux_64.go b/libcontainer/system/syscall_linux_64.go
+index 97f1ba0..5db345a 100644
+--- a/libcontainer/system/syscall_linux_64.go
++++ b/libcontainer/system/syscall_linux_64.go
+@@ -1,6 +1,6 @@
+ //go:build linux && (arm64 || amd64 || mips || mipsle || mips64 || mips64le || loong64 || ppc || ppc64 || ppc64le || riscv64 || s390x)
+ // +build linux
+-// +build arm64 amd64 mips mipsle mips64 mips64le ppc ppc64 ppc64le riscv64 s390x
++// +build arm64 amd64 mips mipsle mips64 mips64le ppc ppc64 ppc64le riscv64 s390x loong64
+ 
+ package system
+ 
+diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
+index 135f74a..e32af2f 100644
+--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
++++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
+@@ -643,6 +643,7 @@ const (
+ 	ArchPARISC      Arch = "SCMP_ARCH_PARISC"
+ 	ArchPARISC64    Arch = "SCMP_ARCH_PARISC64"
+ 	ArchRISCV64     Arch = "SCMP_ARCH_RISCV64"
++	ArchLOONGARCH64 Arch = "SCMP_ARCH_LOONGARCH64"
+ )
+ 
+ // LinuxSeccompAction taken upon Seccomp rule match
+diff --git a/vendor/github.com/seccomp/libseccomp-golang/seccomp.go b/vendor/github.com/seccomp/libseccomp-golang/seccomp.go
+index 8dad12f..2552394 100644
+--- a/vendor/github.com/seccomp/libseccomp-golang/seccomp.go
++++ b/vendor/github.com/seccomp/libseccomp-golang/seccomp.go
+@@ -174,6 +174,8 @@ const (
+ 	ArchPARISC64
+ 	// ArchRISCV64 represents RISCV64
+ 	ArchRISCV64
++	// ArchLOONGARCH64 represents 64-bit LoongArch System syscalls
++	ArchLOONGARCH64
+ )
+ 
+ const (
+@@ -305,6 +307,8 @@ func GetArchFromString(arch string) (ScmpArch, error) {
+ 		return ArchPARISC64, nil
+ 	case "riscv64":
+ 		return ArchRISCV64, nil
++	case "loongarch64", "loong64":
++		return ArchLOONGARCH64, nil
+ 	default:
+ 		return ArchInvalid, fmt.Errorf("cannot convert unrecognized string %q", arch)
+ 	}
+@@ -351,6 +355,8 @@ func (a ScmpArch) String() string {
+ 		return "parisc64"
+ 	case ArchRISCV64:
+ 		return "riscv64"
++	case ArchLOONGARCH64:
++		return "loong64"
+ 	case ArchNative:
+ 		return "native"
+ 	case ArchInvalid:
+diff --git a/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go b/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go
+index df4dfb7..1997fb3 100644
+--- a/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go
++++ b/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go
+@@ -68,6 +68,10 @@ const uint32_t C_ARCH_BAD = ARCH_BAD;
+ #define SCMP_ARCH_RISCV64 ARCH_BAD
+ #endif
+ 
++#ifndef SCMP_ARCH_LOONGARCH64
++#define SCMP_ARCH_LOONGARCH64 ARCH_BAD
++#endif
++
+ const uint32_t C_ARCH_NATIVE       = SCMP_ARCH_NATIVE;
+ const uint32_t C_ARCH_X86          = SCMP_ARCH_X86;
+ const uint32_t C_ARCH_X86_64       = SCMP_ARCH_X86_64;
+@@ -88,6 +92,7 @@ const uint32_t C_ARCH_S390X        = SCMP_ARCH_S390X;
+ const uint32_t C_ARCH_PARISC       = SCMP_ARCH_PARISC;
+ const uint32_t C_ARCH_PARISC64     = SCMP_ARCH_PARISC64;
+ const uint32_t C_ARCH_RISCV64      = SCMP_ARCH_RISCV64;
++const uint32_t C_ARCH_LOONGARCH64 = SCMP_ARCH_LOONGARCH64;
+ 
+ #ifndef SCMP_ACT_LOG
+ #define SCMP_ACT_LOG 0x7ffc0000U
+@@ -291,7 +296,7 @@ const (
+ 	scmpError C.int = -1
+ 	// Comparison boundaries to check for architecture validity
+ 	archStart ScmpArch = ArchNative
+-	archEnd   ScmpArch = ArchRISCV64
++	archEnd   ScmpArch = ArchLOONGARCH64
+ 	// Comparison boundaries to check for action validity
+ 	actionStart ScmpAction = ActKillThread
+ 	actionEnd   ScmpAction = ActKillProcess
+@@ -551,6 +556,8 @@ func archFromNative(a C.uint32_t) (ScmpArch, error) {
+ 		return ArchPARISC64, nil
+ 	case C.C_ARCH_RISCV64:
+ 		return ArchRISCV64, nil
++	case C.C_ARCH_LOONGARCH64:
++		return ArchLOONGARCH64, nil
+ 	default:
+ 		return 0x0, fmt.Errorf("unrecognized architecture %#x", uint32(a))
+ 	}
+@@ -597,6 +604,8 @@ func (a ScmpArch) toNative() C.uint32_t {
+ 		return C.C_ARCH_PARISC64
+ 	case ArchRISCV64:
+ 		return C.C_ARCH_RISCV64
++	case ArchLOONGARCH64:
++		return C.C_ARCH_LOONGARCH64
+ 	case ArchNative:
+ 		return C.C_ARCH_NATIVE
+ 	default:

patch/0042-runc-fix-a-data-race.patch

@@ -0,0 +1,26 @@
+From d1ef3ab619c7743d389fc882ec65df38d140fc08 Mon Sep 17 00:00:00 2001
+From: zhongjiawei <zhongjiawei1@huawei.com>
+Date: Mon, 17 Jun 2024 23:22:39 +0800
+Subject: [PATCH] libct/config: fix a data race
+
+Reference:https://github.com/opencontainers/runc/commit/c342872276d4a3d5f662684115e282cbb20bf227
+---
+ libcontainer/configs/config.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go
+index f85ade3f..c9ecc3cb 100644
+--- a/libcontainer/configs/config.go
++++ b/libcontainer/configs/config.go
+@@ -455,7 +455,7 @@ func (c Command) Run(s *specs.State) error {
+ 			return err
+ 		case <-timerCh:
+ 			cmd.Process.Kill()
+-			cmd.Wait()
++			<-errC
+ 			return fmt.Errorf("hook ran past specified timeout of %.1fs", c.Timeout.Seconds())
+ 		case <-timeAfter:
+ 			if c.Timeout != nil {
+-- 
+2.33.0
+

patch/0043-runc-do-not-support-set-umask-through-native.umask.patch

@@ -0,0 +1,48 @@
+From 19a4209a82132f930fe55cbb2255eb453b465e56 Mon Sep 17 00:00:00 2001
+From: zhongjiawei <zhongjiawei1@huawei.com>
+Date: Thu, 11 Jul 2024 20:18:01 +0800
+Subject: [PATCH] runc:do not support set umask through native.umask
+
+Signed-off-by: zhongjiawei <zhongjiawei1@huawei.com>
+---
+ libcontainer/rootfs_linux.go     | 6 ------
+ libcontainer/setns_init_linux.go | 6 ------
+ 2 files changed, 12 deletions(-)
+
+diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
+index c42e388..499d753 100644
+--- a/libcontainer/rootfs_linux.go
++++ b/libcontainer/rootfs_linux.go
+@@ -192,12 +192,6 @@ func finalizeRootfs(config *configs.Config) (err error) {
+ 	} else {
+ 		unix.Umask(0o022)
+ 	}
+-	umask := utils.SearchLabels(config.Labels, "native.umask")
+-	if umask == "normal" {
+-		unix.Umask(0o022)
+-	} else {
+-		unix.Umask(0o027)
+-	}
+ 	return nil
+ }
+ 
+diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go
+index f1dcab6..d8cdfdf 100644
+--- a/libcontainer/setns_init_linux.go
++++ b/libcontainer/setns_init_linux.go
+@@ -56,12 +56,6 @@ func (l *linuxSetnsInit) Init() error {
+ 			return err
+ 		}
+ 	}
+-        umask := utils.SearchLabels(l.config.Config.Labels, "native.umask")
+-        if umask == "normal" {
+-                unix.Umask(0o022)
+-        } else {
+-                unix.Umask(0o027)
+-        }
+ 	if l.config.NoNewPrivileges {
+ 		if err := unix.Prctl(unix.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
+ 			return err
+-- 
+2.33.0
+

runc.spec

@@ -3,7 +3,7 @@
 
 Name: runc
 Version: 1.1.8
-Release: 14
+Release: 15
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
 
 License: ASL 2.0
@@ -54,6 +54,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
 %{_bindir}/runc
 
 %changelog
+* Fri Aug 30 2024 zhongjiawei<zhongjiawei1@huawei.com> - 1.1.8-15
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:sync some patches
+
 * Fri May 24 2024 zhongjiawei<zhongjiawei1@huawei.com> - 1.1.8-14
 - Type:CVE
 - CVE:CVE-2024-3154

series.conf

@@ -36,3 +36,6 @@ patch/0036-runc-increase-the-number-of-cgroup-deletion-retries.patch
 patch/0037-runc-fix-CVE-2024-21626.patch
 patch/0038-runc-check-cmd-exist.patch
 patch/0039-runc-fix-CVE-2024-3154.patch
+patch/0040-add-loongarch64-seccomp-support.patch
+patch/0042-runc-fix-a-data-race.patch
+patch/0043-runc-do-not-support-set-umask-through-native.umask.patch