@@ -6,6 +6,10 @@ WORKDIR /usr/src/

 RUN gcc -g -Wall -static userns.c -o /usr/bin/userns-test \

 	&& gcc -g -Wall -static ns.c -o /usr/bin/ns-test \

-	&& gcc -g -Wall -static acct.c -o /usr/bin/acct-test

+	&& gcc -g -Wall -static acct.c -o /usr/bin/acct-test \

+	&& gcc -g -Wall -static setuid.c -o /usr/bin/setuid-test \

+	&& gcc -g -Wall -static setgid.c -o /usr/bin/setgid-test \

+	&& gcc -g -Wall -static socket.c -o /usr/bin/socket-test \

+	&& gcc -g -Wall -static raw.c -o /usr/bin/raw-test

 RUN [ "$(uname -m)" = "x86_64" ] && gcc -s -m32 -nostdlib exit32.s -o /usr/bin/exit32-test || true

new file mode 100644

@@ -0,0 +1,14 @@

+#include <stdio.h>

+#include <unistd.h>

+#include <sys/socket.h>

+#include <netinet/ip.h>

+#include <netinet/udp.h>

+

+int main() {

+	if (socket(PF_INET, SOCK_RAW, IPPROTO_UDP) == -1) {

+		perror("socket");

+		return 1;

+	}

+

+	return 0;

+}

new file mode 100644

@@ -0,0 +1,11 @@

+#include <sys/types.h>

+#include <unistd.h>

+#include <stdio.h>

+

+int main() {

+	if (setgid(1) == -1) {

+		perror("setgid");

+		return 1;

+	}

+	return 0;

+}

new file mode 100644

@@ -0,0 +1,11 @@

+#include <sys/types.h>

+#include <unistd.h>

+#include <stdio.h>

+

+int main() {

+	if (setuid(1) == -1) {

+		perror("setuid");

+		return 1;

+	}

+	return 0;

+}

new file mode 100644

@@ -0,0 +1,30 @@

+#include <stdio.h>

+#include <unistd.h>

+#include <sys/types.h>

+#include <sys/socket.h>

+#include <netinet/in.h>

+#include <arpa/inet.h>

+

+int main() {

+	int s;

+	struct sockaddr_in sin;

+

+	s = socket(AF_INET, SOCK_STREAM, 0);

+	if (s == -1) {

+		perror("socket");

+		return 1;

+	}

+

+	sin.sin_family = AF_INET;

+	sin.sin_addr.s_addr = INADDR_ANY;

+	sin.sin_port = htons(80);

+

+	if (bind(s, (struct sockaddr *)&sin, sizeof(sin)) == -1) {

+		perror("bind");

+		return 1;

+	}

+

+	close(s);

+

+	return 0;

+}

@@ -3,7 +3,7 @@ set -e

 set -x

 TOMLV_COMMIT=9baf8a8a9f2ed20a8e54160840c492f937eeaf9a

-RUNC_COMMIT=02f8fa7863dd3f82909a73e2061897828460d52f

+RUNC_COMMIT=ac031b5bf1cc92239461125f4c1ffb760522bbf2

 CONTAINERD_COMMIT=52ef1ceb4b660c42cf4ea9013180a5663968d4c7

 GRIMES_COMMIT=fe069a03affd2547fdb05e5b8b07202d2e41735b

 LIBNETWORK_COMMIT=0f534354b813003a754606689722fe253101bc4e

@@ -20,11 +20,12 @@ else

 	export GOPATH="$TMP_GOPATH"

 fi

+# Do not build with ambient capabilities support

 RUNC_BUILDTAGS="${RUNC_BUILDTAGS:-"seccomp apparmor selinux"}"

 install_runc() {

 	echo "Install runc version $RUNC_COMMIT"

-	git clone https://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc"

+	git clone https://github.com/docker/runc.git "$GOPATH/src/github.com/opencontainers/runc"

 	cd "$GOPATH/src/github.com/opencontainers/runc"

 	git checkout -q "$RUNC_COMMIT"

 	make BUILDTAGS="$RUNC_BUILDTAGS" $1

@@ -1155,24 +1155,185 @@ func (s *DockerSuite) TestRunNoNewPrivSetuid(c *check.C) {

 	}

 }

-func (s *DockerSuite) TestRunAmbientCapabilities(c *check.C) {

-	testRequires(c, DaemonIsLinux, ambientCapabilities)

+func (s *DockerSuite) TestUserNoEffectiveCapabilitiesChown(c *check.C) {

+	testRequires(c, DaemonIsLinux)

+	ensureSyscallTest(c)

+

+	// test that a root user has default capability CAP_CHOWN

+	runCmd := exec.Command(dockerBinary, "run", "busybox", "chown", "100", "/tmp")

+	_, _, err := runCommandWithOutput(runCmd)

+	c.Assert(err, check.IsNil)

+	// test that non root user does not have default capability CAP_CHOWN

+	runCmd = exec.Command(dockerBinary, "run", "--user", "1000:1000", "busybox", "chown", "100", "/tmp")

+	out, _, err := runCommandWithOutput(runCmd)

+	c.Assert(err, checker.NotNil, check.Commentf(out))

+	c.Assert(out, checker.Contains, "Operation not permitted")

+	// test that root user can drop default capability CAP_CHOWN

+	runCmd = exec.Command(dockerBinary, "run", "--cap-drop", "chown", "busybox", "chown", "100", "/tmp")

+	out, _, err = runCommandWithOutput(runCmd)

+	c.Assert(err, checker.NotNil, check.Commentf(out))

+	c.Assert(out, checker.Contains, "Operation not permitted")

+}

+

+func (s *DockerSuite) TestUserNoEffectiveCapabilitiesDacOverride(c *check.C) {

+	testRequires(c, DaemonIsLinux)

+	ensureSyscallTest(c)

+

+	// test that a root user has default capability CAP_DAC_OVERRIDE

+	runCmd := exec.Command(dockerBinary, "run", "busybox", "sh", "-c", "echo test > /etc/passwd")

+	_, _, err := runCommandWithOutput(runCmd)

+	c.Assert(err, check.IsNil)

+	// test that non root user does not have default capability CAP_DAC_OVERRIDE

+	runCmd = exec.Command(dockerBinary, "run", "--user", "1000:1000", "busybox", "sh", "-c", "echo test > /etc/passwd")

+	out, _, err := runCommandWithOutput(runCmd)

+	c.Assert(err, checker.NotNil, check.Commentf(out))

+	c.Assert(out, checker.Contains, "Permission denied")

+	// TODO test that root user can drop default capability CAP_DAC_OVERRIDE

+}

+

+func (s *DockerSuite) TestUserNoEffectiveCapabilitiesFowner(c *check.C) {

+	testRequires(c, DaemonIsLinux)

+	ensureSyscallTest(c)

+

+	// test that a root user has default capability CAP_FOWNER

+	runCmd := exec.Command(dockerBinary, "run", "busybox", "chmod", "777", "/etc/passwd")

+	_, _, err := runCommandWithOutput(runCmd)

+	c.Assert(err, check.IsNil)

+	// test that non root user does not have default capability CAP_FOWNER

+	runCmd = exec.Command(dockerBinary, "run", "--user", "1000:1000", "busybox", "chmod", "777", "/etc/passwd")

+	out, _, err := runCommandWithOutput(runCmd)

+	c.Assert(err, checker.NotNil, check.Commentf(out))

+	c.Assert(out, checker.Contains, "Operation not permitted")

+	// TODO test that root user can drop default capability CAP_FOWNER

+}

+

+// TODO CAP_KILL

+

+func (s *DockerSuite) TestUserNoEffectiveCapabilitiesSetuid(c *check.C) {

+	testRequires(c, DaemonIsLinux)

+	ensureSyscallTest(c)

+

+	// test that a root user has default capability CAP_SETUID

+	runCmd := exec.Command(dockerBinary, "run", "syscall-test", "setuid-test")

+	_, _, err := runCommandWithOutput(runCmd)

+	c.Assert(err, check.IsNil)

+	// test that non root user does not have default capability CAP_SETUID

+	runCmd = exec.Command(dockerBinary, "run", "--user", "1000:1000", "syscall-test", "setuid-test")

+	out, _, err := runCommandWithOutput(runCmd)

+	c.Assert(err, checker.NotNil, check.Commentf(out))

+	c.Assert(out, checker.Contains, "Operation not permitted")

+	// test that root user can drop default capability CAP_SETUID

+	runCmd = exec.Command(dockerBinary, "run", "--cap-drop", "setuid", "syscall-test", "setuid-test")

+	out, _, err = runCommandWithOutput(runCmd)

+	c.Assert(err, checker.NotNil, check.Commentf(out))

+	c.Assert(out, checker.Contains, "Operation not permitted")

+}

+

+func (s *DockerSuite) TestUserNoEffectiveCapabilitiesSetgid(c *check.C) {

+	testRequires(c, DaemonIsLinux)

+	ensureSyscallTest(c)

+

+	// test that a root user has default capability CAP_SETGID

+	runCmd := exec.Command(dockerBinary, "run", "syscall-test", "setgid-test")

+	_, _, err := runCommandWithOutput(runCmd)

+	c.Assert(err, check.IsNil)

+	// test that non root user does not have default capability CAP_SETGID

+	runCmd = exec.Command(dockerBinary, "run", "--user", "1000:1000", "syscall-test", "setgid-test")

+	out, _, err := runCommandWithOutput(runCmd)

+	c.Assert(err, checker.NotNil, check.Commentf(out))

+	c.Assert(out, checker.Contains, "Operation not permitted")

+	// test that root user can drop default capability CAP_SETGID

+	runCmd = exec.Command(dockerBinary, "run", "--cap-drop", "setgid", "syscall-test", "setgid-test")

+	out, _, err = runCommandWithOutput(runCmd)

+	c.Assert(err, checker.NotNil, check.Commentf(out))

+	c.Assert(out, checker.Contains, "Operation not permitted")

+}

+

+// TODO CAP_SETPCAP

+

+func (s *DockerSuite) TestUserNoEffectiveCapabilitiesNetBindService(c *check.C) {

+	testRequires(c, DaemonIsLinux)

+	ensureSyscallTest(c)

+

+	// test that a root user has default capability CAP_NET_BIND_SERVICE

+	runCmd := exec.Command(dockerBinary, "run", "syscall-test", "socket-test")

+	_, _, err := runCommandWithOutput(runCmd)

+	c.Assert(err, check.IsNil)

+	// test that non root user does not have default capability CAP_NET_BIND_SERVICE

+	runCmd = exec.Command(dockerBinary, "run", "--user", "1000:1000", "syscall-test", "socket-test")

+	out, _, err := runCommandWithOutput(runCmd)

+	c.Assert(err, checker.NotNil, check.Commentf(out))

+	c.Assert(out, checker.Contains, "Permission denied")

+	// test that root user can drop default capability CAP_NET_BIND_SERVICE

+	runCmd = exec.Command(dockerBinary, "run", "--cap-drop", "net_bind_service", "syscall-test", "socket-test")

+	out, _, err = runCommandWithOutput(runCmd)

+	c.Assert(err, checker.NotNil, check.Commentf(out))

+	c.Assert(out, checker.Contains, "Permission denied")

+}

+

+func (s *DockerSuite) TestUserNoEffectiveCapabilitiesNetRaw(c *check.C) {

+	testRequires(c, DaemonIsLinux)

+	ensureSyscallTest(c)

+

+	// test that a root user has default capability CAP_NET_RAW

+	runCmd := exec.Command(dockerBinary, "run", "syscall-test", "raw-test")

+	_, _, err := runCommandWithOutput(runCmd)

+	c.Assert(err, check.IsNil)

+	// test that non root user does not have default capability CAP_NET_RAW

+	runCmd = exec.Command(dockerBinary, "run", "--user", "1000:1000", "syscall-test", "raw-test")

+	out, _, err := runCommandWithOutput(runCmd)

+	c.Assert(err, checker.NotNil, check.Commentf(out))

+	c.Assert(out, checker.Contains, "Operation not permitted")

+	// test that root user can drop default capability CAP_NET_RAW

+	runCmd = exec.Command(dockerBinary, "run", "--cap-drop", "net_raw", "syscall-test", "raw-test")

+	out, _, err = runCommandWithOutput(runCmd)

+	c.Assert(err, checker.NotNil, check.Commentf(out))

+	c.Assert(out, checker.Contains, "Operation not permitted")

+}

-	// test that a non root user can gain capabilities

-	runCmd := exec.Command(dockerBinary, "run", "--user", "1000", "--cap-add", "chown", "busybox", "chown", "100", "/tmp")

+func (s *DockerSuite) TestUserNoEffectiveCapabilitiesChroot(c *check.C) {

+	testRequires(c, DaemonIsLinux)

+	ensureSyscallTest(c)

+

+	// test that a root user has default capability CAP_SYS_CHROOT

+	runCmd := exec.Command(dockerBinary, "run", "busybox", "chroot", "/", "/bin/true")

 	_, _, err := runCommandWithOutput(runCmd)

 	c.Assert(err, check.IsNil)

-	// test that non root user has default capabilities

-	runCmd = exec.Command(dockerBinary, "run", "--user", "1000", "busybox", "chown", "100", "/tmp")

-	_, _, err = runCommandWithOutput(runCmd)

+	// test that non root user does not have default capability CAP_SYS_CHROOT

+	runCmd = exec.Command(dockerBinary, "run", "--user", "1000:1000", "busybox", "chroot", "/", "/bin/true")

+	out, _, err := runCommandWithOutput(runCmd)

+	c.Assert(err, checker.NotNil, check.Commentf(out))

+	c.Assert(out, checker.Contains, "Operation not permitted")

+	// test that root user can drop default capability CAP_SYS_CHROOT

+	runCmd = exec.Command(dockerBinary, "run", "--cap-drop", "sys_chroot", "busybox", "chroot", "/", "/bin/true")

+	out, _, err = runCommandWithOutput(runCmd)

+	c.Assert(err, checker.NotNil, check.Commentf(out))

+	c.Assert(out, checker.Contains, "Operation not permitted")

+}

+

+func (s *DockerSuite) TestUserNoEffectiveCapabilitiesMknod(c *check.C) {

+	testRequires(c, DaemonIsLinux)

+	ensureSyscallTest(c)

+

+	// test that a root user has default capability CAP_MKNOD

+	runCmd := exec.Command(dockerBinary, "run", "busybox", "mknod", "/tmp/node", "b", "1", "2")

+	_, _, err := runCommandWithOutput(runCmd)

 	c.Assert(err, check.IsNil)

-	// test this fails without cap_chown

-	runCmd = exec.Command(dockerBinary, "run", "--user", "1000", "--cap-drop", "chown", "busybox", "chown", "100", "/tmp")

+	// test that non root user does not have default capability CAP_MKNOD

+	runCmd = exec.Command(dockerBinary, "run", "--user", "1000:1000", "busybox", "mknod", "/tmp/node", "b", "1", "2")

 	out, _, err := runCommandWithOutput(runCmd)

 	c.Assert(err, checker.NotNil, check.Commentf(out))

-	c.Assert(strings.TrimSpace(out), checker.Equals, "chown: /tmp: Operation not permitted")

+	c.Assert(out, checker.Contains, "Operation not permitted")

+	// test that root user can drop default capability CAP_MKNOD

+	runCmd = exec.Command(dockerBinary, "run", "--cap-drop", "mknod", "busybox", "mknod", "/tmp/node", "b", "1", "2")

+	out, _, err = runCommandWithOutput(runCmd)

+	c.Assert(err, checker.NotNil, check.Commentf(out))

+	c.Assert(out, checker.Contains, "Operation not permitted")

 }

+// TODO CAP_AUDIT_WRITE

+// TODO CAP_SETFCAP

+

 func (s *DockerSuite) TestRunApparmorProcDirectory(c *check.C) {

 	testRequires(c, SameHostDaemon, Apparmor)

@@ -1,6 +1,7 @@

 package main

 import (

+	"fmt"

 	"io/ioutil"

 	"os"

 	"os/exec"

@@ -53,15 +54,14 @@ func ensureSyscallTest(c *check.C) {

 	gcc, err := exec.LookPath("gcc")

 	c.Assert(err, checker.IsNil, check.Commentf("could not find gcc"))

-	out, err := exec.Command(gcc, "-g", "-Wall", "-static", "../contrib/syscall-test/userns.c", "-o", tmp+"/"+"userns-test").CombinedOutput()

-	c.Assert(err, checker.IsNil, check.Commentf(string(out)))

-	out, err = exec.Command(gcc, "-g", "-Wall", "-static", "../contrib/syscall-test/ns.c", "-o", tmp+"/"+"ns-test").CombinedOutput()

-	c.Assert(err, checker.IsNil, check.Commentf(string(out)))

-	out, err = exec.Command(gcc, "-g", "-Wall", "-static", "../contrib/syscall-test/acct.c", "-o", tmp+"/"+"acct-test").CombinedOutput()

-	c.Assert(err, checker.IsNil, check.Commentf(string(out)))

+	tests := []string{"userns", "ns", "acct", "setuid", "setgid", "socket", "raw"}

+	for _, test := range tests {

+		out, err := exec.Command(gcc, "-g", "-Wall", "-static", fmt.Sprintf("../contrib/syscall-test/%s.c", test), "-o", fmt.Sprintf("%s/%s-test", tmp, test)).CombinedOutput()

+		c.Assert(err, checker.IsNil, check.Commentf(string(out)))

+	}

 	if runtime.GOOS == "linux" && runtime.GOARCH == "amd64" {

-		out, err = exec.Command(gcc, "-s", "-m32", "-nostdlib", "../contrib/syscall-test/exit32.s", "-o", tmp+"/"+"exit32-test").CombinedOutput()

+		out, err := exec.Command(gcc, "-s", "-m32", "-nostdlib", "../contrib/syscall-test/exit32.s", "-o", tmp+"/"+"exit32-test").CombinedOutput()

 		c.Assert(err, checker.IsNil, check.Commentf(string(out)))

 	}

@@ -59,7 +59,7 @@ github.com/miekg/pkcs11 df8ae6ca730422dba20c768ff38ef7d79077a59f

 github.com/docker/go v1.5.1-1-1-gbaf439e

 github.com/agl/ed25519 d2b94fd789ea21d12fac1a4443dd3a3f79cda72c

-github.com/opencontainers/runc 02f8fa7863dd3f82909a73e2061897828460d52f # libcontainer

+github.com/opencontainers/runc ac031b5bf1cc92239461125f4c1ffb760522bbf2 # libcontainer

 github.com/opencontainers/runtime-spec 1c7c27d043c2a5e513a44084d2b10d77d1402b8c # specs

 github.com/seccomp/libseccomp-golang 32f571b70023028bd57d9288c20efbcb237f3ce0

 # libcontainer deps (see src/github.com/opencontainers/runc/Godeps/Godeps.json)

@@ -22,7 +22,7 @@ type Cgroup struct {

 	// The path is assumed to be relative to the host system cgroup mountpoint.

 	Path string `json:"path"`

-	// ScopePrefix decribes prefix for the scope name

+	// ScopePrefix describes prefix for the scope name

 	ScopePrefix string `json:"scope_prefix"`

 	// Paths represent the absolute cgroups paths to join.

@@ -95,7 +95,7 @@ type Resources struct {

 	// IO read rate limit per cgroup per device, bytes per second.

 	BlkioThrottleReadBpsDevice []*ThrottleDevice `json:"blkio_throttle_read_bps_device"`

-	// IO write rate limit per cgroup per divice, bytes per second.

+	// IO write rate limit per cgroup per device, bytes per second.

 	BlkioThrottleWriteBpsDevice []*ThrottleDevice `json:"blkio_throttle_write_bps_device"`

 	// IO read rate limit per cgroup per device, IO per second.

@@ -85,11 +85,6 @@ type Config struct {

 	// that the parent process dies.

 	ParentDeathSignal int `json:"parent_death_signal"`

-	// PivotDir allows a custom directory inside the container's root filesystem to be used as pivot, when NoPivotRoot is not set.

-	// When a custom PivotDir not set, a temporary dir inside the root filesystem will be used. The pivot dir needs to be writeable.

-	// This is required when using read only root filesystems. In these cases, a read/writeable path can be (bind) mounted somewhere inside the root filesystem to act as pivot.

-	PivotDir string `json:"pivot_dir"`

-

 	// Path to a directory containing the container's root filesystem.

 	Rootfs string `json:"rootfs"`

@@ -1,5 +1,11 @@

 package configs

+const (

+	// EXT_COPYUP is a directive to copy up the contents of a directory when

+	// a tmpfs is mounted over it.

+	EXT_COPYUP = 1 << iota

+)

+

 type Mount struct {

 	// Source path for the mount.

 	Source string `json:"source"`

@@ -22,6 +28,9 @@ type Mount struct {

 	// Relabel source if set, "z" indicates shared, "Z" indicates unshared.

 	Relabel string `json:"relabel"`

+	// Extensions are additional flags that are specific to runc.

+	Extensions int `json:"extensions"`

+

 	// Optional Command to be run before Source is mounted.

 	PremountCmds []Command `json:"premount_cmds"`

@@ -22,8 +22,8 @@ var (

 	supportedNamespaces = make(map[NamespaceType]bool)

 )

-// nsToFile converts the namespace type to its filename

-func nsToFile(ns NamespaceType) string {

+// NsName converts the namespace type to its filename

+func NsName(ns NamespaceType) string {

 	switch ns {

 	case NEWNET:

 		return "net"

@@ -50,7 +50,7 @@ func IsNamespaceSupported(ns NamespaceType) bool {

 	if ok {

 		return supported

 	}

-	nsFile := nsToFile(ns)

+	nsFile := NsName(ns)

 	// if the namespace type is unknown, just return false

 	if nsFile == "" {

 		return false

@@ -84,7 +84,7 @@ func (n *Namespace) GetPath(pid int) string {

 	if n.Path != "" {

 		return n.Path

 	}

-	return fmt.Sprintf("/proc/%d/ns/%s", pid, nsToFile(n.Type))

+	return fmt.Sprintf("/proc/%d/ns/%s", pid, NsName(n.Type))

 }

 func (n *Namespaces) Remove(t NamespaceType) bool {

@@ -9,6 +9,10 @@ func InitLabels(options []string) (string, string, error) {

 	return "", "", nil

 }

+func GetROMountLabel() string {

+	return ""

+}

+

 func GenLabels(options string) (string, string, error) {

 	return "", "", nil

 }

@@ -33,15 +33,19 @@ func InitLabels(options []string) (string, string, error) {

 		pcon := selinux.NewContext(processLabel)

 		mcon := selinux.NewContext(mountLabel)

 		for _, opt := range options {

-			if opt == "disable" {

-				return "", "", nil

+			val := strings.SplitN(opt, "=", 2)

+			if val[0] != "label" {

+				continue

+			}

+			if len(val) < 2 {

+				return "", "", fmt.Errorf("bad label option %q, valid options 'disable' or \n'user, role, level, type' followed by ':' and a value", opt)

 			}

-			if i := strings.Index(opt, ":"); i == -1 {

-				return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type' followed by ':' and a value", opt)

+			if val[1] == "disable" {

+				return "", "", nil

 			}

-			con := strings.SplitN(opt, ":", 2)

-			if !validOptions[con[0]] {

-				return "", "", fmt.Errorf("Bad label option %q, valid options 'disable, user, role, level, type'", con[0])

+			con := strings.SplitN(val[1], ":", 2)

+			if len(con) < 2 || !validOptions[con[0]] {

+				return "", "", fmt.Errorf("bad label option %q, valid options 'disable, user, role, level, type'", con[0])

 			}

 			pcon[con[0]] = con[1]

@@ -55,6 +59,10 @@ func InitLabels(options []string) (string, string, error) {

 	return processLabel, mountLabel, nil

 }

+func GetROMountLabel() string {

+	return selinux.GetROFileLabel()

+}

+

 // DEPRECATED: The GenLabels function is only to be used during the transition to the official API.

 func GenLabels(options string) (string, string, error) {

 	return InitLabels(strings.Fields(options))

new file mode 100644

@@ -0,0 +1,32 @@

+#ifndef NSENTER_NAMESPACE_H

+#define NSENTER_NAMESPACE_H

+

+#ifndef _GNU_SOURCE

+#	define _GNU_SOURCE

+#endif

+#include <sched.h>

+

+/* All of these are taken from include/uapi/linux/sched.h */

+#ifndef CLONE_NEWNS

+#	define CLONE_NEWNS 0x00020000 /* New mount namespace group */

+#endif

+#ifndef CLONE_NEWCGROUP

+#	define CLONE_NEWCGROUP 0x02000000 /* New cgroup namespace */

+#endif

+#ifndef CLONE_NEWUTS

+#	define CLONE_NEWUTS 0x04000000 /* New utsname namespace */

+#endif

+#ifndef CLONE_NEWIPC

+#	define CLONE_NEWIPC 0x08000000 /* New ipc namespace */

+#endif

+#ifndef CLONE_NEWUSER

+#	define CLONE_NEWUSER 0x10000000 /* New user namespace */

+#endif

+#ifndef CLONE_NEWPID

+#	define CLONE_NEWPID 0x20000000 /* New pid namespace */

+#endif

+#ifndef CLONE_NEWNET

+#	define CLONE_NEWNET 0x40000000 /* New network namespace */

+#endif

+

+#endif /* NSENTER_NAMESPACE_H */

new file mode 100644

@@ -0,0 +1,12 @@

+// +build linux,!gccgo

+

+package nsenter

+

+/*

+#cgo CFLAGS: -Wall

+extern void nsexec();

+void __attribute__((constructor)) init(void) {

+	nsexec();

+}

+*/

+import "C"

new file mode 100644

@@ -0,0 +1,25 @@

+// +build linux,gccgo

+

+package nsenter

+

+/*

+#cgo CFLAGS: -Wall

+extern void nsexec();

+void __attribute__((constructor)) init(void) {

+	nsexec();

+}

+*/

+import "C"

+

+// AlwaysFalse is here to stay false

+// (and be exported so the compiler doesn't optimize out its reference)

+var AlwaysFalse bool

+

+func init() {

+	if AlwaysFalse {

+		// by referencing this C init() in a noop test, it will ensure the compiler

+		// links in the C function.

+		// https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65134

+		C.init()

+	}

+}

new file mode 100644

@@ -0,0 +1,5 @@

+// +build !linux !cgo

+

+package nsenter

+

+import "C"

new file mode 100644

@@ -0,0 +1,753 @@

+#define _GNU_SOURCE

+#include <endian.h>

+#include <errno.h>

+#include <fcntl.h>

+#include <grp.h>

+#include <sched.h>

+#include <setjmp.h>

+#include <signal.h>

+#include <stdarg.h>

+#include <stdbool.h>

+#include <stdint.h>

+#include <stdio.h>

+#include <stdlib.h>

+#include <stdbool.h>

+#include <string.h>

+#include <unistd.h>

+

+#include <sys/ioctl.h>

+#include <sys/prctl.h>

+#include <sys/socket.h>

+#include <sys/types.h>

+

+#include <linux/limits.h>

+#include <linux/netlink.h>

+#include <linux/types.h>

+

+/* Get all of the CLONE_NEW* flags. */

+#include "namespace.h"

+

+/* Synchronisation values. */

+enum sync_t {

+	SYNC_USERMAP_PLS = 0x40, /* Request parent to map our users. */

+	SYNC_USERMAP_ACK = 0x41, /* Mapping finished by the parent. */

+	SYNC_RECVPID_PLS = 0x42, /* Tell parent we're sending the PID. */

+	SYNC_RECVPID_ACK = 0x43, /* PID was correctly received by parent. */

+

+	/* XXX: This doesn't help with segfaults and other such issues. */

+	SYNC_ERR = 0xFF, /* Fatal error, no turning back. The error code follows. */

+};

+

+/* longjmp() arguments. */

+#define JUMP_PARENT 0x00

+#define JUMP_CHILD  0xA0

+#define JUMP_INIT   0xA1

+

+/* JSON buffer. */

+#define JSON_MAX 4096

+

+/* Assume the stack grows down, so arguments should be above it. */

+struct clone_t {

+	/*

+	 * Reserve some space for clone() to locate arguments

+	 * and retcode in this place

+	 */

+	char stack[4096] __attribute__ ((aligned(16)));

+	char stack_ptr[0];

+

+	/* There's two children. This is used to execute the different code. */

+	jmp_buf *env;

+	int jmpval;

+};

+

+struct nlconfig_t {

+	char *data;

+	uint32_t cloneflags;

+	char *uidmap;

+	size_t uidmap_len;

+	char *gidmap;

+	size_t gidmap_len;

+	char *namespaces;

+	size_t namespaces_len;

+	uint8_t is_setgroup;

+	int consolefd;

+};

+

+/*

+ * List of netlink message types sent to us as part of bootstrapping the init.

+ * These constants are defined in libcontainer/message_linux.go.

+ */

+#define INIT_MSG		62000

+#define CLONE_FLAGS_ATTR	27281

+#define CONSOLE_PATH_ATTR	27282

+#define NS_PATHS_ATTR		27283

+#define UIDMAP_ATTR		27284

+#define GIDMAP_ATTR		27285

+#define SETGROUP_ATTR		27286

+

+/*

+ * Use the raw syscall for versions of glibc which don't include a function for

+ * it, namely (glibc 2.12).

+ */

+#if __GLIBC__ == 2 && __GLIBC_MINOR__ < 14

+#	define _GNU_SOURCE

+#	include "syscall.h"

+#	if !defined(SYS_setns) && defined(__NR_setns)

+#		define SYS_setns __NR_setns

+#	endif

+

+#ifndef SYS_setns

+#	error "setns(2) syscall not supported by glibc version"

+#endif

+

+int setns(int fd, int nstype)

+{

+	return syscall(SYS_setns, fd, nstype);

+}

+#endif

+

+/* XXX: This is ugly. */

+static int syncfd = -1;

+

+/* TODO(cyphar): Fix this so it correctly deals with syncT. */

+#define bail(fmt, ...)								\

+	do {									\

+		int ret = __COUNTER__ + 1;					\

+		fprintf(stderr, "nsenter: " fmt ": %m\n", ##__VA_ARGS__);	\

+		if (syncfd >= 0) {						\

+			enum sync_t s = SYNC_ERR;				\

+			if (write(syncfd, &s, sizeof(s)) != sizeof(s))		\

+				fprintf(stderr, "nsenter: failed: write(s)");	\

+			if (write(syncfd, &ret, sizeof(ret)) != sizeof(ret))	\

+				fprintf(stderr, "nsenter: failed: write(ret)");	\

+		}								\

+		exit(ret);							\

+	} while(0)

+

+static int write_file(char *data, size_t data_len, char *pathfmt, ...)

+{

+	int fd, len, ret = 0;

+	char path[PATH_MAX];

+

+	va_list ap;

+	va_start(ap, pathfmt);

+	len = vsnprintf(path, PATH_MAX, pathfmt, ap);

+	va_end(ap);

+	if (len < 0)

+		return -1;

+

+	fd = open(path, O_RDWR);

+	if (fd < 0) {

+		ret = -1;

+		goto out;

+	}

+

+	len = write(fd, data, data_len);

+	if (len != data_len) {

+		ret = -1;

+		goto out;

+	}

+

+out:

+	close(fd);

+	return ret;

+}

+

+enum policy_t {

+	SETGROUPS_DEFAULT = 0,

+	SETGROUPS_ALLOW,

+	SETGROUPS_DENY,

+};

+

+/* This *must* be called before we touch gid_map. */

+static void update_setgroups(int pid, enum policy_t setgroup)

+{

+	char *policy;

+

+	switch (setgroup) {

+		case SETGROUPS_ALLOW:

+			policy = "allow";

+			break;

+		case SETGROUPS_DENY:

+			policy = "deny";

+			break;

+		case SETGROUPS_DEFAULT:

+			/* Nothing to do. */

+			return;

+	}

+

+	if (write_file(policy, strlen(policy), "/proc/%d/setgroups", pid) < 0) {

+		/*

+		 * If the kernel is too old to support /proc/pid/setgroups,

+		 * open(2) or write(2) will return ENOENT. This is fine.

+		 */

+		if (errno != ENOENT)

+			bail("failed to write '%s' to /proc/%d/setgroups", policy, pid);

+	}

+}

+

+static void update_uidmap(int pid, char *map, int map_len)

+{

+	if (map == NULL || map_len <= 0)

+		return;

+

+	if (write_file(map, map_len, "/proc/%d/uid_map", pid) < 0)

+		bail("failed to update /proc/%d/uid_map", pid);

+}

+

+static void update_gidmap(int pid, char *map, int map_len)

+{

+	if (map == NULL || map_len <= 0)

+		return;

+

+	if (write_file(map, map_len, "/proc/%d/gid_map", pid) < 0)

+		bail("failed to update /proc/%d/gid_map", pid);

+}

+

+/* A dummy function that just jumps to the given jumpval. */

+static int child_func(void *arg) __attribute__ ((noinline));

+static int child_func(void *arg)

+{

+	struct clone_t *ca = (struct clone_t *)arg;

+	longjmp(*ca->env, ca->jmpval);

+}

+

+static int clone_parent(jmp_buf *env, int jmpval) __attribute__ ((noinline));

+static int clone_parent(jmp_buf *env, int jmpval)

+{

+	struct clone_t ca = {

+		.env    = env,

+		.jmpval = jmpval,

+	};

+

+	return clone(child_func, ca.stack_ptr, CLONE_PARENT | SIGCHLD, &ca);

+}

+

+/*

+ * Gets the init pipe fd from the environment, which is used to read the

+ * bootstrap data and tell the parent what the new pid is after we finish

+ * setting up the environment.

+ */

+static int initpipe(void)

+{

+	int pipenum;

+	char *initpipe, *endptr;

+

+	initpipe = getenv("_LIBCONTAINER_INITPIPE");

+	if (initpipe == NULL || *initpipe == '\0')

+		return -1;

+

+	pipenum = strtol(initpipe, &endptr, 10);

+	if (*endptr != '\0')

+		bail("unable to parse _LIBCONTAINER_INITPIPE");

+

+	return pipenum;

+}

+

+/* Returns the clone(2) flag for a namespace, given the name of a namespace. */

+static int nsflag(char *name)

+{

+	if (!strcmp(name, "cgroup"))

+		return CLONE_NEWCGROUP;

+	else if (!strcmp(name, "ipc"))

+		return CLONE_NEWIPC;

+	else if (!strcmp(name, "mnt"))

+		return CLONE_NEWNS;

+	else if (!strcmp(name, "net"))

+		return CLONE_NEWNET;

+	else if (!strcmp(name, "pid"))

+		return CLONE_NEWPID;

+	else if (!strcmp(name, "user"))

+		return CLONE_NEWUSER;

+	else if (!strcmp(name, "uts"))

+		return CLONE_NEWUTS;

+

+	/* If we don't recognise a name, fallback to 0. */

+	return 0;

+}

+

+static uint32_t readint32(char *buf)

+{

+	return *(uint32_t *) buf;

+}

+

+static uint8_t readint8(char *buf)

+{

+	return *(uint8_t *) buf;

+}

+

+static void nl_parse(int fd, struct nlconfig_t *config)

+{

+	size_t len, size;

+	struct nlmsghdr hdr;

+	char *data, *current;

+

+	/* Retrieve the netlink header. */

+	len = read(fd, &hdr, NLMSG_HDRLEN);

+	if (len != NLMSG_HDRLEN)

+		bail("invalid netlink header length %lu", len);

+

+	if (hdr.nlmsg_type == NLMSG_ERROR)

+		bail("failed to read netlink message");

+

+	if (hdr.nlmsg_type != INIT_MSG)

+		bail("unexpected msg type %d", hdr.nlmsg_type);

+

+	/* Retrieve data. */

+	size = NLMSG_PAYLOAD(&hdr, 0);