@@ -3,7 +3,7 @@

 TOMLV_COMMIT=9baf8a8a9f2ed20a8e54160840c492f937eeaf9a

 # When updating RUNC_COMMIT, also update runc in vendor.conf accordingly

-RUNC_COMMIT=b2567b37d7b75eb4cf325b77297b140ea686ce8f

+RUNC_COMMIT=7f24b40cc5423969b4554ef04ba0b00e2b4ba010

 # containerd is also pinned in vendor.conf. When updating the binary

 # version you may also need to update the vendor version to pick up bug

@@ -66,7 +66,7 @@ github.com/pborman/uuid v1.0

 google.golang.org/grpc v1.3.0

 # When updating, also update RUNC_COMMIT in hack/dockerfile/binaries-commits accordingly

-github.com/opencontainers/runc b2567b37d7b75eb4cf325b77297b140ea686ce8f

+github.com/opencontainers/runc 7f24b40cc5423969b4554ef04ba0b00e2b4ba010

 github.com/opencontainers/runtime-spec v1.0.1

 github.com/opencontainers/image-spec v1.0.1

 github.com/seccomp/libseccomp-golang 32f571b70023028bd57d9288c20efbcb237f3ce0

@@ -56,7 +56,7 @@ make BUILDTAGS='seccomp apparmor'

 |-----------|------------------------------------|-------------|

 | seccomp   | Syscall filtering                  | libseccomp  |

 | selinux   | selinux process and mount labeling | <none>      |

-| apparmor  | apparmor profile support           | libapparmor |

+| apparmor  | apparmor profile support           | <none>      |

 | ambient   | ambient capability support         | kernel 4.3  |

@@ -2,15 +2,10 @@

 package apparmor

-// #cgo LDFLAGS: -lapparmor

-// #include <sys/apparmor.h>

-// #include <stdlib.h>

-import "C"

 import (

 	"fmt"

 	"io/ioutil"

 	"os"

-	"unsafe"

 )

 // IsEnabled returns true if apparmor is enabled for the host.

@@ -24,16 +19,36 @@ func IsEnabled() bool {

 	return false

 }

+func setprocattr(attr, value string) error {

+	// Under AppArmor you can only change your own attr, so use /proc/self/

+	// instead of /proc/<tid>/ like libapparmor does

+	path := fmt.Sprintf("/proc/self/attr/%s", attr)

+

+	f, err := os.OpenFile(path, os.O_WRONLY, 0)

+	if err != nil {

+		return err

+	}

+	defer f.Close()

+

+	_, err = fmt.Fprintf(f, "%s", value)

+	return err

+}

+

+// changeOnExec reimplements aa_change_onexec from libapparmor in Go

+func changeOnExec(name string) error {

+	value := "exec " + name

+	if err := setprocattr("exec", value); err != nil {

+		return fmt.Errorf("apparmor failed to apply profile: %s", err)

+	}

+	return nil

+}

+

 // ApplyProfile will apply the profile with the specified name to the process after

 // the next exec.

 func ApplyProfile(name string) error {

 	if name == "" {

 		return nil

 	}

-	cName := C.CString(name)

-	defer C.free(unsafe.Pointer(cName))

-	if _, err := C.aa_change_onexec(cName); err != nil {

-		return fmt.Errorf("apparmor failed to apply profile: %s", err)

-	}

-	return nil

+

+	return changeOnExec(name)

 }

deleted file mode 100644

@@ -1,6 +0,0 @@

-// +build !windows,!linux,!freebsd

-

-package configs

-

-type Cgroup struct {

-}

@@ -1,4 +1,4 @@

-// +build linux freebsd

+// +build linux

 package configs

new file mode 100644

@@ -0,0 +1,104 @@

+package devices

+

+import (

+	"errors"

+	"io/ioutil"

+	"os"

+	"path/filepath"

+

+	"github.com/opencontainers/runc/libcontainer/configs"

+

+	"golang.org/x/sys/unix"

+)

+

+var (

+	ErrNotADevice = errors.New("not a device node")

+)

+

+// Testing dependencies

+var (

+	unixLstat     = unix.Lstat

+	ioutilReadDir = ioutil.ReadDir

+)

+

+// Given the path to a device and its cgroup_permissions(which cannot be easily queried) look up the information about a linux device and return that information as a Device struct.

+func DeviceFromPath(path, permissions string) (*configs.Device, error) {

+	var stat unix.Stat_t

+	err := unixLstat(path, &stat)

+	if err != nil {

+		return nil, err

+	}

+

+	var (

+		devNumber = stat.Rdev

+		major     = unix.Major(devNumber)

+	)

+	if major == 0 {

+		return nil, ErrNotADevice

+	}

+

+	var (

+		devType rune

+		mode    = stat.Mode

+	)

+	switch {

+	case mode&unix.S_IFBLK == unix.S_IFBLK:

+		devType = 'b'

+	case mode&unix.S_IFCHR == unix.S_IFCHR:

+		devType = 'c'

+	}

+	return &configs.Device{

+		Type:        devType,

+		Path:        path,

+		Major:       int64(major),

+		Minor:       int64(unix.Minor(devNumber)),

+		Permissions: permissions,

+		FileMode:    os.FileMode(mode),

+		Uid:         stat.Uid,

+		Gid:         stat.Gid,

+	}, nil

+}

+

+func HostDevices() ([]*configs.Device, error) {

+	return getDevices("/dev")

+}

+

+func getDevices(path string) ([]*configs.Device, error) {

+	files, err := ioutilReadDir(path)

+	if err != nil {

+		return nil, err

+	}

+	out := []*configs.Device{}

+	for _, f := range files {

+		switch {

+		case f.IsDir():

+			switch f.Name() {

+			// ".lxc" & ".lxd-mounts" added to address https://github.com/lxc/lxd/issues/2825

+			case "pts", "shm", "fd", "mqueue", ".lxc", ".lxd-mounts":

+				continue

+			default:

+				sub, err := getDevices(filepath.Join(path, f.Name()))

+				if err != nil {

+					return nil, err

+				}

+

+				out = append(out, sub...)

+				continue

+			}

+		case f.Name() == "console":

+			continue

+		}

+		device, err := DeviceFromPath(filepath.Join(path, f.Name()), "rwm")

+		if err != nil {

+			if err == ErrNotADevice {

+				continue

+			}

+			if os.IsNotExist(err) {

+				continue

+			}

+			return nil, err

+		}

+		out = append(out, device)

+	}

+	return out, nil

+}

deleted file mode 100644

@@ -1,104 +0,0 @@

-package devices

-

-import (

-	"errors"

-	"io/ioutil"

-	"os"

-	"path/filepath"

-

-	"github.com/opencontainers/runc/libcontainer/configs"

-

-	"golang.org/x/sys/unix"

-)

-

-var (

-	ErrNotADevice = errors.New("not a device node")

-)

-

-// Testing dependencies

-var (

-	unixLstat     = unix.Lstat

-	ioutilReadDir = ioutil.ReadDir

-)

-

-// Given the path to a device and its cgroup_permissions(which cannot be easily queried) look up the information about a linux device and return that information as a Device struct.

-func DeviceFromPath(path, permissions string) (*configs.Device, error) {

-	var stat unix.Stat_t

-	err := unixLstat(path, &stat)

-	if err != nil {

-		return nil, err

-	}

-

-	var (

-		devNumber = stat.Rdev

-		major     = unix.Major(devNumber)

-	)

-	if major == 0 {

-		return nil, ErrNotADevice

-	}

-

-	var (

-		devType rune

-		mode    = stat.Mode

-	)

-	switch {

-	case mode&unix.S_IFBLK == unix.S_IFBLK:

-		devType = 'b'

-	case mode&unix.S_IFCHR == unix.S_IFCHR:

-		devType = 'c'

-	}

-	return &configs.Device{

-		Type:        devType,

-		Path:        path,

-		Major:       int64(major),

-		Minor:       int64(unix.Minor(devNumber)),

-		Permissions: permissions,

-		FileMode:    os.FileMode(mode),

-		Uid:         stat.Uid,

-		Gid:         stat.Gid,

-	}, nil

-}

-

-func HostDevices() ([]*configs.Device, error) {

-	return getDevices("/dev")

-}

-

-func getDevices(path string) ([]*configs.Device, error) {

-	files, err := ioutilReadDir(path)

-	if err != nil {

-		return nil, err

-	}

-	out := []*configs.Device{}

-	for _, f := range files {

-		switch {

-		case f.IsDir():

-			switch f.Name() {

-			// ".lxc" & ".lxd-mounts" added to address https://github.com/lxc/lxd/issues/2825

-			case "pts", "shm", "fd", "mqueue", ".lxc", ".lxd-mounts":

-				continue

-			default:

-				sub, err := getDevices(filepath.Join(path, f.Name()))

-				if err != nil {

-					return nil, err

-				}

-

-				out = append(out, sub...)

-				continue

-			}

-		case f.Name() == "console":

-			continue

-		}

-		device, err := DeviceFromPath(filepath.Join(path, f.Name()), "rwm")

-		if err != nil {

-			if err == ErrNotADevice {

-				continue

-			}

-			if os.IsNotExist(err) {

-				continue

-			}

-			return nil, err

-		}

-		out = append(out, device)

-	}

-	return out, nil

-}

deleted file mode 100644

@@ -1,3 +0,0 @@

-// +build !linux

-

-package devices

@@ -1,4 +1,4 @@

-// +build cgo,linux cgo,freebsd

+// +build cgo,linux

 package system

deleted file mode 100644

@@ -1,38 +0,0 @@

-// +build !darwin,!dragonfly,!freebsd,!linux,!netbsd,!openbsd,!solaris

-

-package user

-

-import (

-	"io"

-	"syscall"

-)

-

-func GetPasswdPath() (string, error) {

-	return "", ErrUnsupported

-}

-

-func GetPasswd() (io.ReadCloser, error) {

-	return nil, ErrUnsupported

-}

-

-func GetGroupPath() (string, error) {

-	return "", ErrUnsupported

-}

-

-func GetGroup() (io.ReadCloser, error) {

-	return nil, ErrUnsupported

-}

-

-// CurrentUser looks up the current user by their user id in /etc/passwd. If the

-// user cannot be found (or there is no /etc/passwd file on the filesystem),

-// then CurrentUser returns an error.

-func CurrentUser() (User, error) {

-	return LookupUid(syscall.Getuid())

-}

-

-// CurrentGroup looks up the current user's group by their primary group id's

-// entry in /etc/passwd. If the group cannot be found (or there is no

-// /etc/group file on the filesystem), then CurrentGroup returns an error.

-func CurrentGroup() (Group, error) {

-	return LookupGid(syscall.Getgid())

-}