--- /dev/null
--- /dev/null
++runc (1.0.0~rc6+dfsg1-3) unstable; urgency=medium
++
++ * Team upload.
++
++ [ Shengjing Zhu ]
++ * Improve patch for CVE-2019-5736 based on upstream commits.
++ Now the patch includes following commits:
++ + 2d4a37b nsenter: cloned_binary: userspace copy fallback if sendfile fails
++ + 16612d7 nsenter: cloned_binary: try to ro-bind /proc/self/exe before
++ copying
++ + af9da0a nsenter: cloned_binary: use the runc statedir for O_TMPFILE
++ + 2429d59 nsenter: cloned_binary: expand and add pre-3.11 fallbacks
++ + 5b775bf nsenter: cloned_binary: detect and handle short copies
++ + bb7d8b1 nsexec (CVE-2019-5736): avoid parsing environ
++ + 0a8e411 nsenter: clone /proc/self/exe to avoid exposing host binary to
++ container
++
++ [ Arnaud Rebillout ]
++ * Add version and gitcommit to the ldflags (Closes: #909644)
++ Note that we fill the git commit with something that is NOT a git commit
++ at all, instead we use it as a placeholder for the debian version. The
++ debian version is a relevant information for the user, and it's nice to
++ be able to show it, some way or another.
++
++ -- Shengjing Zhu <zhsj@debian.org> Sun, 10 Mar 2019 17:51:44 +0800
++
++runc (1.0.0~rc6+dfsg1-2) unstable; urgency=medium
++
++ * Team upload.
++ * Apply upstream patch addressing CVE-2019-5736 (Closes: #922050)
++ Thanks Noah Meyerhans!
++
++ -- Shengjing Zhu <zhsj@debian.org> Tue, 12 Feb 2019 23:45:09 +0800
++
++runc (1.0.0~rc6+dfsg1-1) unstable; urgency=medium
++
++ * Standards-Version: 4.3.0.
++ * New upstream release.
++
++ -- Dmitry Smirnov <onlyjob@debian.org> Fri, 25 Jan 2019 07:55:34 +1100
++
++runc (1.0.0~rc5+dfsg1-4) unstable; urgency=medium
++
++ * New patch to disable Hugetlb tests.
++
++ -- Dmitry Smirnov <onlyjob@debian.org> Thu, 27 Sep 2018 08:16:11 +1000
++
++runc (1.0.0~rc5+dfsg1-3) unstable; urgency=medium
++
++ * TAGS += ambient
++ * New patch to fix FTBFS on mips* architectures.
++
++ -- Dmitry Smirnov <onlyjob@debian.org> Mon, 18 Jun 2018 11:47:25 +1000
++
++runc (1.0.0~rc5+dfsg1-2) unstable; urgency=medium
++
++ * New patch to fix integer overflow on i686.
++ * Build with "selinux" tag (Closes: #865993).
++ Thanks, Laurent Bigonville.
++ * Added myself to uploaders.
++
++ -- Dmitry Smirnov <onlyjob@debian.org> Sat, 16 Jun 2018 22:12:23 +1000
++
++runc (1.0.0~rc5+dfsg1-1) unstable; urgency=medium
++
++ * Team upload.
++
++ [ Arnaud Rebillout ]
++ * Set minimum requirement for golang-gocapability-dev.
++ And drop the alternative name golang-github-syndtr-gocapability-dev,
++ this name never existed in the first place.
++
++ [ Dmitry Smirnov ]
++ * New upstream release
++ * Testsuite: autopkgtest-pkg-go
++ * Standards-Version: 4.1.4; Priority: optional
++ * debhelper to version 11; compat to version 10.
++ * Added "XS-Go-Import-Path".
++ * (Build-)Depends:
++ - golang-github-codegangsta-cli-dev
++ - golang-github-coreos-pkg-dev
++ - golang-golang-x-sys-dev
++ - golang-logrus-dev
++ + golang-github-containerd-console-dev
++ + golang-github-pkg-errors-dev
++ + golang-github-sirupsen-logrus-dev
++ + golang-github-urfave-cli-dev
++
++ -- Dmitry Smirnov <onlyjob@debian.org> Fri, 15 Jun 2018 21:48:18 +1000
++
++runc (1.0.0~rc4+dfsg1-6) unstable; urgency=medium
++
++ [ Michael Stapelberg ]
++ * update debian/gitlab-ci.yml (using salsa.debian.org/go-team/ci/cmd/ci)
++
++ [ Dmitry Smirnov ]
++ * Removed myself from uploaders.
++
++ [ Balint Reczey ]
++ * Team upload
++ * Stop using unix.SIGUNUSED which has been removed from golang.org/x/sys
++ (Closes: #889704)
++
++ -- Balint Reczey <rbalint@ubuntu.com> Tue, 10 Apr 2018 18:40:56 +0200
++
++runc (1.0.0~rc4+dfsg1-5) unstable; urgency=medium
++
++ * Vcs-* urls: pkg-go-team -> go-team.
++
++ -- Alexandre Viau <aviau@debian.org> Mon, 05 Feb 2018 23:05:40 -0500
++
++runc (1.0.0~rc4+dfsg1-4) unstable; urgency=medium
++
++ * Point vcs-* urls to packages subgroup.
++
++ -- Alexandre Viau <aviau@debian.org> Thu, 25 Jan 2018 15:23:12 -0500
++
++runc (1.0.0~rc4+dfsg1-3) unstable; urgency=medium
++
++ * Change my email to @debian.org.
++ * Move to salsa.debian.org.
++
++ -- Alexandre Viau <aviau@debian.org> Fri, 29 Dec 2017 00:34:59 -0500
++
++runc (1.0.0~rc4+dfsg1-2) unstable; urgency=medium
++
++ * Mark runc breaking docker.io (<= 1.13.1~ds1-2) (Closes: #877146)
++
++ -- Balint Reczey <rbalint@ubuntu.com> Sat, 30 Sep 2017 11:50:52 -0400
++
++runc (1.0.0~rc4+dfsg1-1) unstable; urgency=medium
++
++ * Team Upload
++ * Update watch file to match release candidates
++ * Update Files-Excuded and d/control to match dependencies of rc4
++ * New upstream release candidate 1.0.0-rc4
++ * Drop obsoleted patches
++ * Drop outdated README.source
++ * Require at least final 1.0.0 release of
++ golang-github-opencontainers-specs-dev (Closes: #858250)
++ * Fix typo in golang-github-opencontainers-runc-dev package description
++ (Closes: #873760)
++
++ -- Balint Reczey <rbalint@ubuntu.com> Sat, 30 Sep 2017 11:50:50 -0400
++
++runc (1.0.0~rc2+git20170201.133.9df8b30-3) unstable; urgency=medium
++
++ * Replace golang-go with golang-any in Build-Depends
++
++ -- Konstantinos Margaritis <markos@debian.org> Wed, 09 Aug 2017 15:00:55 +0300
++
++runc (1.0.0~rc2+git20170201.133.9df8b30-2) unstable; urgency=medium
++
++ * Patch to make libcontainer ignore cgroup2 hierarchy. Patch pulled from
++ https://github.com/opencontainers/runc/pull/1266.
++
++ -- Vincent Bernat <bernat@debian.org> Fri, 30 Jun 2017 07:10:34 +0200
++
++runc (1.0.0~rc2+git20170201.133.9df8b30-1) unstable; urgency=medium
++
++ * New upstream snapshot for Docker 1.13.1.
++
++ -- Tim Potter <tpot@hpe.com> Wed, 24 May 2017 11:36:40 +1000
++
++runc (1.0.0~rc2+git20161109.131.5137186-2) unstable; urgency=medium
++
++ * Add Breaks line to binary package to avoid messing up previous
++ Docker installs.
++
++ -- Tim Potter <tpot@hpe.com> Fri, 24 Feb 2017 09:49:06 +1100
++
++runc (1.0.0~rc2+git20161109.131.5137186-1) unstable; urgency=medium
++
++ * New upstream snapshot.
++ * Refresh backported patch for CVE-2016-9962.
++
++ -- Tim Potter <tpot@hpe.com> Wed, 15 Feb 2017 09:08:52 +1100
++
++runc (0.1.1+dfsg1-2) unstable; urgency=medium
++
++ * Team upload.
++ * Backport patch for CVE-2016-9962 (Closes: #850951)
++
++ -- Tianon Gravi <tianon@debian.org> Wed, 01 Feb 2017 07:17:54 -0800
++
++runc (0.1.1+dfsg1-1) unstable; urgency=medium
++
++ * New upstream release [June 2016].
++ * testworks: disabled privileged and failing tests.
++ * Build with "apparmor seccomp" tags (Closes: #830818);
++ Build-Depends += "libapparmor-dev".
++
++ -- Dmitry Smirnov <onlyjob@debian.org> Wed, 13 Jul 2016 23:00:43 +1000
++
++runc (0.1.0+dfsg1-1) unstable; urgency=medium
++
++ * Dropped dependency on "golang-docker-dev" in favour of bundled
++ (or build time sub-vendored) "github.com/docker/docker" in order
++ to avoid circular dependency with Docker.
++ * Standards-Version: 3.9.8.
++ * Corrected Vcs-Git URL.
++
++ -- Dmitry Smirnov <onlyjob@debian.org> Sun, 12 Jun 2016 17:56:45 +1000
++
++runc (0.1.0+dfsg-1) unstable; urgency=medium
++
++ [ Tim Potter ]
++ * Team upload
++ * New upstream release [April 2016]
++ = golang-github-opencontainers-specs-dev (>= 0.5.0~)
++ * De-vendor new dependencies; pquerna/ffjson appears unused
++
++ -- Dmitry Smirnov <onlyjob@debian.org> Sat, 23 Apr 2016 07:59:18 +1000
++
++runc (0.0.9+dfsg-1) unstable; urgency=medium
++
++ * New upstream release [March 2016].
++ * (Build-)Depends:
++ = golang-github-opencontainers-specs-dev (>= 0.4.0~)
++ = golang-github-codegangsta-cli-dev (>= 0.0~git20151221~)
++ - help2man
++ + go-md2man
++ * Install upstream man pages.
++ * Install "runc" binary to "/usr/sbin".
++
++ -- Dmitry Smirnov <onlyjob@debian.org> Sat, 16 Apr 2016 17:23:48 +1000
++
++runc (0.0.8+dfsg-2) unstable; urgency=medium
++
++ * (Build-)Depends:
++ + golang-github-docker-go-units-dev
++ + golang-github-seccomp-libseccomp-golang-dev
++
++ -- Dmitry Smirnov <onlyjob@debian.org> Wed, 23 Mar 2016 20:05:01 +1100
++
++runc (0.0.8+dfsg-1) unstable; urgency=medium
++
++ * New upstream release [February 2016].
++ * Build-Depends:
++ + golang-github-vishvananda-netlink-dev
++ * Updated Vcs URLs.
++ * Standards-Version: 3.9.7.
++
++ -- Dmitry Smirnov <onlyjob@debian.org> Fri, 26 Feb 2016 18:19:24 +1100
++
++runc (0.0.4~dfsg-1) unstable; urgency=medium
++
++ * New upstream release (Closes: #802507).
++ * Dropped obsolete lintian-overrides.
++
++ -- Dmitry Smirnov <onlyjob@debian.org> Wed, 21 Oct 2015 09:02:42 +1100
++
++runc (0.0.3~dfsg2-1) unstable; urgency=low
++
++ * Initial release (Closes: #796486).
++ Thanks, Alexandre Viau.
++
++ -- Dmitry Smirnov <onlyjob@debian.org> Sun, 06 Sep 2015 18:06:34 +1000
--- /dev/null
--- /dev/null
++libcontainer/criurpc/criurpc.pb.go
++
++## Remove generated man pages:
++man/man8/*
++
++## Drop hanging test (introduced in 0.0.9).
++## https://github.com/opencontainers/runc/issues/692
++libcontainer/nsenter/nsenter_test.go
++
++## Generated:
++libcontainer/criurpc/criurpc.pb.go
++
++
++## Failing tests:
++
++## Privileged tests:
++### couldn't get cgroup root: mountpoint for cgroup not found
++libcontainer/cgroups/fs/apply_raw_test.go
++
++### FAIL: TestXattr (0.00s)
++### xattr_test.go:26: Success
++### xattr_test.go:30: failed
++libcontainer/xattr/xattr_test.go
--- /dev/null
--- /dev/null
++10
--- /dev/null
--- /dev/null
++Source: runc
++Section: devel
++Priority: optional
++Maintainer: Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>
++Uploaders: Alexandre Viau <aviau@debian.org>, Dmitry Smirnov <onlyjob@debian.org>,
++ Tim Potter <tpot@hpe.com>
++Build-Depends: debhelper (>= 11~),
++ dh-golang,
++ go-md2man,
++ golang-any,
++ golang-dbus-dev,
++ golang-github-containerd-console-dev,
++ golang-github-coreos-go-systemd-dev,
++ golang-github-docker-go-units-dev,
++ golang-github-mrunalp-fileutils-dev,
++ golang-github-opencontainers-selinux-dev,
++ golang-github-opencontainers-specs-dev (>= 1.0.1-5~),
++ golang-github-pkg-errors-dev,
++ golang-github-seccomp-libseccomp-golang-dev,
++ golang-github-sirupsen-logrus-dev (>= 1.0.2~),
++ golang-github-urfave-cli-dev,
++ golang-github-vishvananda-netlink-dev,
++ golang-gocapability-dev (>= 0.0~git20160928~),
++ golang-goprotobuf-dev,
++ libapparmor-dev,
++ protobuf-compiler
++Standards-Version: 4.3.0
++Homepage: https://github.com/opencontainers/runc
++Vcs-Git: https://salsa.debian.org/go-team/packages/runc.git
++Vcs-Browser: https://salsa.debian.org/go-team/packages/runc
++XS-Go-Import-Path: github.com/opencontainers/runc
++Testsuite: autopkgtest-pkg-go
++
++Package: runc
++Architecture: any
++Depends: ${misc:Depends}, ${shlibs:Depends}
++Breaks: docker.io (<= 1.13.1~ds1-2)
++Built-Using: ${misc:Built-Using}
++Description: Open Container Project - runtime
++ "runc" is a command line client for running applications packaged according
++ to the Open Container Format (OCF) and is a compliant implementation of
++ the Open Container Project specification.
++
++Package: golang-github-opencontainers-runc-dev
++Architecture: all
++Depends: ${misc:Depends},
++ golang-dbus-dev,
++ golang-github-coreos-go-systemd-dev,
++ golang-github-docker-go-units-dev,
++ golang-github-opencontainers-selinux-dev,
++ golang-github-opencontainers-specs-dev (>= 1.0.1-5~),
++ golang-github-seccomp-libseccomp-golang-dev,
++ golang-github-sirupsen-logrus-dev (>= 1.0.2~),
++ golang-github-urfave-cli-dev,
++ golang-github-vishvananda-netlink-dev,
++ golang-gocapability-dev (>= 0.0~git20160928~),
++ golang-goprotobuf-dev
++Description: Open Container Project - development files
++ "runc" is a command line client for running applications packaged according
++ to the Open Container Format (OCF) and is a compliant implementation of
++ the Open Container Project specification.
++ .
++ This package provides development files formerly known as
++ "github.com/docker/libcontainer".
--- /dev/null
--- /dev/null
++Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
++Upstream-Name: runc
++Source: https://github.com/opencontainers/runc
++Files-Excluded:
++ vendor/github.com/containerd/console
++ vendor/github.com/coreos/go-systemd
++ vendor/github.com/coreos/pkg
++ ~~vendor/github.com/cyphar/filepath-securejoin
++ vendor/github.com/docker/go-units
++ vendor/github.com/godbus/dbus
++ vendor/github.com/golang/protobuf
++ vendor/github.com/mrunalp/fileutils
++ vendor/github.com/opencontainers/runtime-spec
++ vendor/github.com/opencontainers/selinux
++ vendor/github.com/pkg/errors
++ vendor/github.com/seccomp/libseccomp-golang
++ vendor/github.com/sirupsen/logrus
++ vendor/github.com/syndtr/gocapability
++ vendor/github.com/urfave/cli
++ vendor/github.com/vishvananda/netlink
++ vendor/golang.org/x/sys
++
++Files: *
++Copyright: 2012-2015 Docker, Inc.
++License: Apache-2.0
++
++Files:
++ vendor/github.com/cyphar/filepath-securejoin/*
++Copyright:
++ 2014-2015 Docker Inc & Go Authors. All rights reserved.
++ 2017 SUSE LLC. All rights reserved.
++License: BSD-3-Clause~Google
++
++Files: debian/*
++Copyright:
++ 2015 Alexandre Viau <alexandre@alexandreviau.net>
++ 2015-2019 Dmitry Smirnov <onlyjob@debian.org>
++License: GPL-3+
++
++Files: debian/patches/*
++Copyright: 2015 Dmitry Smirnov <onlyjob@debian.org>
++License: GPL-3+ or Apache-2.0
++Comment: patches can be licensed under the same terms as upstream.
++
++License: Apache-2.0
++ Licensed under the Apache License, Version 2.0 (the "License");
++ you may not use this file except in compliance with the License.
++ You may obtain a copy of the License at
++ .
++ http://www.apache.org/licenses/LICENSE-2.0
++ .
++ Unless required by applicable law or agreed to in writing, software
++ distributed under the License is distributed on an "AS IS" BASIS,
++ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ See the License for the specific language governing permissions and
++ limitations under the License.
++ .
++ The complete text of the Apache version 2.0 license
++ can be found in "/usr/share/common-licenses/Apache-2.0".
++
++License: GPL-3+
++ This program is free software: you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation, either version 3 of the License, or
++ (at your option) any later version.
++ ․
++ This program is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ GNU General Public License for more details.
++ ․
++ The complete text of the GNU General Public License version 3
++ can be found in "/usr/share/common-licenses/GPL-3".
++
++License: BSD-3-Clause~Google
++ Redistribution and use in source and binary forms, with or without
++ modification, are permitted provided that the following conditions are
++ met:
++ .
++ * Redistributions of source code must retain the above copyright
++ notice, this list of conditions and the following disclaimer.
++ * Redistributions in binary form must reproduce the above
++ copyright notice, this list of conditions and the following disclaimer
++ in the documentation and/or other materials provided with the
++ distribution.
++ * Neither the name of Google Inc. nor the names of its
++ contributors may be used to endorse or promote products derived from
++ this software without specific prior written permission.
++ .
++ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
++ "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
++ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
++ A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
++ OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
++ LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
++ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--- /dev/null
--- /dev/null
++[buildpackage]
++overlay = True
++export-dir = ../build-area/
++tarball-dir = ../
++
++[dch]
++id-length = 0
++
++[import-orig]
++pristine-tar = True
++merge = False
--- /dev/null
--- /dev/null
++
++# auto-generated, DO NOT MODIFY.
++# The authoritative copy of this file lives at:
++# https://salsa.debian.org/go-team/ci/blob/master/cmd/ci/gitlabciyml.go
++
++# TODO: publish under debian-go-team/ci
++image: stapelberg/ci2
++
++test_the_archive:
++ artifacts:
++ paths:
++ - before-applying-commit.json
++ - after-applying-commit.json
++ script:
++ # Create an overlay to discard writes to /srv/gopath/src after the build:
++ - "rm -rf /cache/overlay/{upper,work}"
++ - "mkdir -p /cache/overlay/{upper,work}"
++ - "mount -t overlay overlay -o lowerdir=/srv/gopath/src,upperdir=/cache/overlay/upper,workdir=/cache/overlay/work /srv/gopath/src"
++ - "export GOPATH=/srv/gopath"
++ - "export GOCACHE=/cache/go"
++ # Build the world as-is:
++ - "ci-build -exemptions=/var/lib/ci-build/exemptions.json > before-applying-commit.json"
++ # Copy this package into the overlay:
++ - "GBP_CONF_FILES=:debian/gbp.conf gbp buildpackage --git-no-pristine-tar --git-ignore-branch --git-ignore-new --git-export-dir=/tmp/export --git-no-overlay --git-tarball-dir=/nonexistant --git-cleaner=/bin/true --git-builder='dpkg-buildpackage -S -d --no-sign'"
++ - "pgt-gopath -dsc /tmp/export/*.dsc"
++ # Rebuild the world:
++ - "ci-build -exemptions=/var/lib/ci-build/exemptions.json > after-applying-commit.json"
++ - "ci-diff before-applying-commit.json after-applying-commit.json"
--- /dev/null
--- /dev/null
++usr/share/gocode/src
--- /dev/null
--- /dev/null
++From: Shengjing Zhu <zhsj@debian.org>
++Date: Sun, 10 Mar 2019 17:47:46 +0800
++Subject: CVE-2019-5736
++
++Backport upstream patches for CVE-2019-5736
++
++Include commits:
++2d4a37b427167907ef2402586a8e8e2931a22490 nsenter: cloned_binary: userspace copy fallback if sendfile fails
++16612d74de5f84977e50a9c8ead7f0e9e13b8628 nsenter: cloned_binary: try to ro-bind /proc/self/exe before copying
++af9da0a45082783f6005b252488943b5ee2e2138 nsenter: cloned_binary: use the runc statedir for O_TMPFILE
++2429d59352b81f6b9cc79b5ed26780c5fe6ba4ec nsenter: cloned_binary: expand and add pre-3.11 fallbacks
++5b775bf297c47a6bc50e36da89d1ec74a6fa01dc nsenter: cloned_binary: detect and handle short copies
++bb7d8b1f41f7bf0399204d54009d6da57c3cc775 nsexec (CVE-2019-5736): avoid parsing environ
++0a8e4117e7f715d5fbeef398405813ce8e88558b nsenter: clone /proc/self/exe to avoid exposing host binary to container
++
++Debian-Bug: https://bugs.debian.org/922050
++---
++ libcontainer/nsenter/cloned_binary.c | 516 +++++++++++++++++++++++++++++++++++
++ libcontainer/nsenter/nsexec.c | 11 +
++ 2 files changed, 527 insertions(+)
++ create mode 100644 libcontainer/nsenter/cloned_binary.c
++
++diff --git a/libcontainer/nsenter/cloned_binary.c b/libcontainer/nsenter/cloned_binary.c
++new file mode 100644
++index 0000000..b410e29
++--- /dev/null
+++++ b/libcontainer/nsenter/cloned_binary.c
++@@ -0,0 +1,516 @@
+++/*
+++ * Copyright (C) 2019 Aleksa Sarai <cyphar@cyphar.com>
+++ * Copyright (C) 2019 SUSE LLC
+++ *
+++ * Licensed under the Apache License, Version 2.0 (the "License");
+++ * you may not use this file except in compliance with the License.
+++ * You may obtain a copy of the License at
+++ *
+++ * http://www.apache.org/licenses/LICENSE-2.0
+++ *
+++ * Unless required by applicable law or agreed to in writing, software
+++ * distributed under the License is distributed on an "AS IS" BASIS,
+++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+++ * See the License for the specific language governing permissions and
+++ * limitations under the License.
+++ */
+++
+++#define _GNU_SOURCE
+++#include <unistd.h>
+++#include <stdio.h>
+++#include <stdlib.h>
+++#include <stdbool.h>
+++#include <string.h>
+++#include <limits.h>
+++#include <fcntl.h>
+++#include <errno.h>
+++
+++#include <sys/types.h>
+++#include <sys/stat.h>
+++#include <sys/statfs.h>
+++#include <sys/vfs.h>
+++#include <sys/mman.h>
+++#include <sys/mount.h>
+++#include <sys/sendfile.h>
+++#include <sys/syscall.h>
+++
+++/* Use our own wrapper for memfd_create. */
+++#if !defined(SYS_memfd_create) && defined(__NR_memfd_create)
+++# define SYS_memfd_create __NR_memfd_create
+++#endif
+++/* memfd_create(2) flags -- copied from <linux/memfd.h>. */
+++#ifndef MFD_CLOEXEC
+++# define MFD_CLOEXEC 0x0001U
+++# define MFD_ALLOW_SEALING 0x0002U
+++#endif
+++int memfd_create(const char *name, unsigned int flags)
+++{
+++#ifdef SYS_memfd_create
+++ return syscall(SYS_memfd_create, name, flags);
+++#else
+++ errno = ENOSYS;
+++ return -1;
+++#endif
+++}
+++
+++
+++/* This comes directly from <linux/fcntl.h>. */
+++#ifndef F_LINUX_SPECIFIC_BASE
+++# define F_LINUX_SPECIFIC_BASE 1024
+++#endif
+++#ifndef F_ADD_SEALS
+++# define F_ADD_SEALS (F_LINUX_SPECIFIC_BASE + 9)
+++# define F_GET_SEALS (F_LINUX_SPECIFIC_BASE + 10)
+++#endif
+++#ifndef F_SEAL_SEAL
+++# define F_SEAL_SEAL 0x0001 /* prevent further seals from being set */
+++# define F_SEAL_SHRINK 0x0002 /* prevent file from shrinking */
+++# define F_SEAL_GROW 0x0004 /* prevent file from growing */
+++# define F_SEAL_WRITE 0x0008 /* prevent writes */
+++#endif
+++
+++#define CLONED_BINARY_ENV "_LIBCONTAINER_CLONED_BINARY"
+++#define RUNC_MEMFD_COMMENT "runc_cloned:/proc/self/exe"
+++#define RUNC_MEMFD_SEALS \
+++ (F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)
+++
+++static void *must_realloc(void *ptr, size_t size)
+++{
+++ void *old = ptr;
+++ do {
+++ ptr = realloc(old, size);
+++ } while(!ptr);
+++ return ptr;
+++}
+++
+++/*
+++ * Verify whether we are currently in a self-cloned program (namely, is
+++ * /proc/self/exe a memfd). F_GET_SEALS will only succeed for memfds (or rather
+++ * for shmem files), and we want to be sure it's actually sealed.
+++ */
+++static int is_self_cloned(void)
+++{
+++ int fd, ret, is_cloned = 0;
+++ struct stat statbuf = {};
+++ struct statfs fsbuf = {};
+++
+++ fd = open("/proc/self/exe", O_RDONLY|O_CLOEXEC);
+++ if (fd < 0)
+++ return -ENOTRECOVERABLE;
+++
+++ /*
+++ * Is the binary a fully-sealed memfd? We don't need CLONED_BINARY_ENV for
+++ * this, because you cannot write to a sealed memfd no matter what (so
+++ * sharing it isn't a bad thing -- and an admin could bind-mount a sealed
+++ * memfd to /usr/bin/runc to allow re-use).
+++ */
+++ ret = fcntl(fd, F_GET_SEALS);
+++ if (ret >= 0) {
+++ is_cloned = (ret == RUNC_MEMFD_SEALS);
+++ goto out;
+++ }
+++
+++ /*
+++ * All other forms require CLONED_BINARY_ENV, since they are potentially
+++ * writeable (or we can't tell if they're fully safe) and thus we must
+++ * check the environment as an extra layer of defence.
+++ */
+++ if (!getenv(CLONED_BINARY_ENV)) {
+++ is_cloned = false;
+++ goto out;
+++ }
+++
+++ /*
+++ * Is the binary on a read-only filesystem? We can't detect bind-mounts in
+++ * particular (in-kernel they are identical to regular mounts) but we can
+++ * at least be sure that it's read-only. In addition, to make sure that
+++ * it's *our* bind-mount we check CLONED_BINARY_ENV.
+++ */
+++ if (fstatfs(fd, &fsbuf) >= 0)
+++ is_cloned |= (fsbuf.f_flags & MS_RDONLY);
+++
+++ /*
+++ * Okay, we're a tmpfile -- or we're currently running on RHEL <=7.6
+++ * which appears to have a borked backport of F_GET_SEALS. Either way,
+++ * having a file which has no hardlinks indicates that we aren't using
+++ * a host-side "runc" binary and this is something that a container
+++ * cannot fake (because unlinking requires being able to resolve the
+++ * path that you want to unlink).
+++ */
+++ if (fstat(fd, &statbuf) >= 0)
+++ is_cloned |= (statbuf.st_nlink == 0);
+++
+++out:
+++ close(fd);
+++ return is_cloned;
+++}
+++
+++/* Read a given file into a new buffer, and providing the length. */
+++static char *read_file(char *path, size_t *length)
+++{
+++ int fd;
+++ char buf[4096], *copy = NULL;
+++
+++ if (!length)
+++ return NULL;
+++
+++ fd = open(path, O_RDONLY | O_CLOEXEC);
+++ if (fd < 0)
+++ return NULL;
+++
+++ *length = 0;
+++ for (;;) {
+++ ssize_t n;
+++
+++ n = read(fd, buf, sizeof(buf));
+++ if (n < 0)
+++ goto error;
+++ if (!n)
+++ break;
+++
+++ copy = must_realloc(copy, (*length + n) * sizeof(*copy));
+++ memcpy(copy + *length, buf, n);
+++ *length += n;
+++ }
+++ close(fd);
+++ return copy;
+++
+++error:
+++ close(fd);
+++ free(copy);
+++ return NULL;
+++}
+++
+++/*
+++ * A poor-man's version of "xargs -0". Basically parses a given block of
+++ * NUL-delimited data, within the given length and adds a pointer to each entry
+++ * to the array of pointers.
+++ */
+++static int parse_xargs(char *data, int data_length, char ***output)
+++{
+++ int num = 0;
+++ char *cur = data;
+++
+++ if (!data || *output != NULL)
+++ return -1;
+++
+++ while (cur < data + data_length) {
+++ num++;
+++ *output = must_realloc(*output, (num + 1) * sizeof(**output));
+++ (*output)[num - 1] = cur;
+++ cur += strlen(cur) + 1;
+++ }
+++ (*output)[num] = NULL;
+++ return num;
+++}
+++
+++/*
+++ * "Parse" out argv from /proc/self/cmdline.
+++ * This is necessary because we are running in a context where we don't have a
+++ * main() that we can just get the arguments from.
+++ */
+++static int fetchve(char ***argv)
+++{
+++ char *cmdline = NULL;
+++ size_t cmdline_size;
+++
+++ cmdline = read_file("/proc/self/cmdline", &cmdline_size);
+++ if (!cmdline)
+++ goto error;
+++
+++ if (parse_xargs(cmdline, cmdline_size, argv) <= 0)
+++ goto error;
+++
+++ return 0;
+++
+++error:
+++ free(cmdline);
+++ return -EINVAL;
+++}
+++
+++enum {
+++ EFD_NONE = 0,
+++ EFD_MEMFD,
+++ EFD_FILE,
+++};
+++
+++/*
+++ * This comes from <linux/fcntl.h>. We can't hard-code __O_TMPFILE because it
+++ * changes depending on the architecture. If we don't have O_TMPFILE we always
+++ * have the mkostemp(3) fallback.
+++ */
+++#ifndef O_TMPFILE
+++# if defined(__O_TMPFILE) && defined(O_DIRECTORY)
+++# define O_TMPFILE (__O_TMPFILE | O_DIRECTORY)
+++# endif
+++#endif
+++
+++static int make_execfd(int *fdtype)
+++{
+++ int fd = -1;
+++ char template[PATH_MAX] = {0};
+++ char *prefix = secure_getenv("_LIBCONTAINER_STATEDIR");
+++
+++ if (!prefix || *prefix != '/')
+++ prefix = "/tmp";
+++ if (snprintf(template, sizeof(template), "%s/runc.XXXXXX", prefix) < 0)
+++ return -1;
+++
+++ /*
+++ * Now try memfd, it's much nicer than actually creating a file in STATEDIR
+++ * since it's easily detected thanks to sealing and also doesn't require
+++ * assumptions about STATEDIR.
+++ */
+++ *fdtype = EFD_MEMFD;
+++ fd = memfd_create(RUNC_MEMFD_COMMENT, MFD_CLOEXEC | MFD_ALLOW_SEALING);
+++ if (fd >= 0)
+++ return fd;
+++ if (errno != ENOSYS && errno != EINVAL)
+++ goto error;
+++
+++#ifdef O_TMPFILE
+++ /*
+++ * Try O_TMPFILE to avoid races where someone might snatch our file. Note
+++ * that O_EXCL isn't actually a security measure here (since you can just
+++ * fd re-open it and clear O_EXCL).
+++ */
+++ *fdtype = EFD_FILE;
+++ fd = open(prefix, O_TMPFILE | O_EXCL | O_RDWR | O_CLOEXEC, 0700);
+++ if (fd >= 0) {
+++ struct stat statbuf = {};
+++ bool working_otmpfile = false;
+++
+++ /*
+++ * open(2) ignores unknown O_* flags -- yeah, I was surprised when I
+++ * found this out too. As a result we can't check for EINVAL. However,
+++ * if we get nlink != 0 (or EISDIR) then we know that this kernel
+++ * doesn't support O_TMPFILE.
+++ */
+++ if (fstat(fd, &statbuf) >= 0)
+++ working_otmpfile = (statbuf.st_nlink == 0);
+++
+++ if (working_otmpfile)
+++ return fd;
+++
+++ /* Pretend that we got EISDIR since O_TMPFILE failed. */
+++ close(fd);
+++ errno = EISDIR;
+++ }
+++ if (errno != EISDIR)
+++ goto error;
+++#endif /* defined(O_TMPFILE) */
+++
+++ /*
+++ * Our final option is to create a temporary file the old-school way, and
+++ * then unlink it so that nothing else sees it by accident.
+++ */
+++ *fdtype = EFD_FILE;
+++ fd = mkostemp(template, O_CLOEXEC);
+++ if (fd >= 0) {
+++ if (unlink(template) >= 0)
+++ return fd;
+++ close(fd);
+++ }
+++
+++error:
+++ *fdtype = EFD_NONE;
+++ return -1;
+++}
+++
+++static int seal_execfd(int *fd, int fdtype)
+++{
+++ switch (fdtype) {
+++ case EFD_MEMFD:
+++ return fcntl(*fd, F_ADD_SEALS, RUNC_MEMFD_SEALS);
+++ case EFD_FILE: {
+++ /* Need to re-open our pseudo-memfd as an O_PATH to avoid execve(2) giving -ETXTBSY. */
+++ int newfd;
+++ char fdpath[PATH_MAX] = {0};
+++
+++ if (fchmod(*fd, 0100) < 0)
+++ return -1;
+++
+++ if (snprintf(fdpath, sizeof(fdpath), "/proc/self/fd/%d", *fd) < 0)
+++ return -1;
+++
+++ newfd = open(fdpath, O_PATH | O_CLOEXEC);
+++ if (newfd < 0)
+++ return -1;
+++
+++ close(*fd);
+++ *fd = newfd;
+++ return 0;
+++ }
+++ default:
+++ break;
+++ }
+++ return -1;
+++}
+++
+++static int try_bindfd(void)
+++{
+++ int fd, ret = -1;
+++ char template[PATH_MAX] = {0};
+++ char *prefix = secure_getenv("_LIBCONTAINER_STATEDIR");
+++
+++ if (!prefix || *prefix != '/')
+++ prefix = "/tmp";
+++ if (snprintf(template, sizeof(template), "%s/runc.XXXXXX", prefix) < 0)
+++ return ret;
+++
+++ /*
+++ * We need somewhere to mount it, mounting anything over /proc/self is a
+++ * BAD idea on the host -- even if we do it temporarily.
+++ */
+++ fd = mkstemp(template);
+++ if (fd < 0)
+++ return ret;
+++ close(fd);
+++
+++ /*
+++ * For obvious reasons this won't work in rootless mode because we haven't
+++ * created a userns+mntns -- but getting that to work will be a bit
+++ * complicated and it's only worth doing if someone actually needs it.
+++ */
+++ ret = -EPERM;
+++ if (mount("/proc/self/exe", template, "", MS_BIND, "") < 0)
+++ goto out;
+++ if (mount("", template, "", MS_REMOUNT | MS_BIND | MS_RDONLY, "") < 0)
+++ goto out_umount;
+++
+++
+++ /* Get read-only handle that we're sure can't be made read-write. */
+++ ret = open(template, O_PATH | O_CLOEXEC);
+++
+++out_umount:
+++ /*
+++ * Make sure the MNT_DETACH works, otherwise we could get remounted
+++ * read-write and that would be quite bad (the fd would be made read-write
+++ * too, invalidating the protection).
+++ */
+++ if (umount2(template, MNT_DETACH) < 0) {
+++ if (ret >= 0)
+++ close(ret);
+++ ret = -ENOTRECOVERABLE;
+++ }
+++
+++out:
+++ /*
+++ * We don't care about unlink errors, the worst that happens is that
+++ * there's an empty file left around in STATEDIR.
+++ */
+++ unlink(template);
+++ return ret;
+++}
+++
+++static ssize_t fd_to_fd(int outfd, int infd)
+++{
+++ ssize_t total = 0;
+++ char buffer[4096];
+++
+++ for (;;) {
+++ ssize_t nread, nwritten = 0;
+++
+++ nread = read(infd, buffer, sizeof(buffer));
+++ if (nread < 0)
+++ return -1;
+++ if (!nread)
+++ break;
+++
+++ do {
+++ ssize_t n = write(outfd, buffer + nwritten, nread - nwritten);
+++ if (n < 0)
+++ return -1;
+++ nwritten += n;
+++ } while(nwritten < nread);
+++
+++ total += nwritten;
+++ }
+++
+++ return total;
+++}
+++
+++static int clone_binary(void)
+++{
+++ int binfd, execfd;
+++ struct stat statbuf = {};
+++ size_t sent = 0;
+++ int fdtype = EFD_NONE;
+++
+++ /*
+++ * Before we resort to copying, let's try creating an ro-binfd in one shot
+++ * by getting a handle for a read-only bind-mount of the execfd.
+++ */
+++ execfd = try_bindfd();
+++ if (execfd >= 0)
+++ return execfd;
+++
+++ /*
+++ * Dammit, that didn't work -- time to copy the binary to a safe place we
+++ * can seal the contents.
+++ */
+++ execfd = make_execfd(&fdtype);
+++ if (execfd < 0 || fdtype == EFD_NONE)
+++ return -ENOTRECOVERABLE;
+++
+++ binfd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
+++ if (binfd < 0)
+++ goto error;
+++
+++ if (fstat(binfd, &statbuf) < 0)
+++ goto error_binfd;
+++
+++ while (sent < statbuf.st_size) {
+++ int n = sendfile(execfd, binfd, NULL, statbuf.st_size - sent);
+++ if (n < 0) {
+++ /* sendfile can fail so we fallback to a dumb user-space copy. */
+++ n = fd_to_fd(execfd, binfd);
+++ if (n < 0)
+++ goto error_binfd;
+++ }
+++ sent += n;
+++ }
+++ close(binfd);
+++ if (sent != statbuf.st_size)
+++ goto error;
+++
+++ if (seal_execfd(&execfd, fdtype) < 0)
+++ goto error;
+++
+++ return execfd;
+++
+++error_binfd:
+++ close(binfd);
+++error:
+++ close(execfd);
+++ return -EIO;
+++}
+++
+++/* Get cheap access to the environment. */
+++extern char **environ;
+++
+++int ensure_cloned_binary(void)
+++{
+++ int execfd;
+++ char **argv = NULL;
+++
+++ /* Check that we're not self-cloned, and if we are then bail. */
+++ int cloned = is_self_cloned();
+++ if (cloned > 0 || cloned == -ENOTRECOVERABLE)
+++ return cloned;
+++
+++ if (fetchve(&argv) < 0)
+++ return -EINVAL;
+++
+++ execfd = clone_binary();
+++ if (execfd < 0)
+++ return -EIO;
+++
+++ if (putenv(CLONED_BINARY_ENV "=1"))
+++ goto error;
+++
+++ fexecve(execfd, argv, environ);
+++error:
+++ close(execfd);
+++ return -ENOEXEC;
+++}
++diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
++index 28269df..7750af3 100644
++--- a/libcontainer/nsenter/nsexec.c
+++++ b/libcontainer/nsenter/nsexec.c
++@@ -534,6 +534,9 @@ void join_namespaces(char *nslist)
++ free(namespaces);
++ }
++
+++/* Defined in cloned_binary.c. */
+++extern int ensure_cloned_binary(void);
+++
++ void nsexec(void)
++ {
++ int pipenum;
++@@ -549,6 +552,14 @@ void nsexec(void)
++ if (pipenum == -1)
++ return;
++
+++ /*
+++ * We need to re-exec if we are not in a cloned binary. This is necessary
+++ * to ensure that containers won't be able to access the host binary
+++ * through /proc/self/exe. See CVE-2019-5736.
+++ */
+++ if (ensure_cloned_binary() < 0)
+++ bail("could not ensure we are a cloned binary");
+++
++ /* Parse all of the netlink configuration. */
++ nl_parse(pipenum, &config);
++
--- /dev/null
--- /dev/null
++test--fix_TestGetAdditionalGroups.patch
++test--skip-Hugetlb.patch
++test--skip_TestFactoryNewTmpfs.patch
++CVE-2019-5736.patch
--- /dev/null
--- /dev/null
++Last-Update: 2018-06-16
++Forwarded: https://github.com/opencontainers/runc/pull/1821
++Bug-Upstream: https://github.com/opencontainers/runc/issues/941
++Author: Dmitry Smirnov <onlyjob@debian.org>
++Description: fix FTBFS on i686
++ src/github.com/opencontainers/runc/libcontainer/user/user_test.go:448:36: constant 2147483648 overflows int
++
++--- a/libcontainer/user/user_test.go
+++++ b/libcontainer/user/user_test.go
++@@ -444,9 +444,9 @@
++
++ if utils.GetIntSize() > 4 {
++ tests = append(tests, foo{
++ // groups with too large id
++- groups: []string{strconv.Itoa(1 << 31)},
+++ groups: []string{strconv.Itoa( 1<<31 -1 )},
++ expected: nil,
++ hasError: true,
++ })
++ }
++--- a/libcontainer/user/user.go
+++++ b/libcontainer/user/user.go
++@@ -472,9 +472,9 @@
++ if err != nil {
++ return nil, fmt.Errorf("Unable to find group %s", ag)
++ }
++ // Ensure gid is inside gid range.
++- if gid < minId || gid > maxId {
+++ if gid < minId || gid >= maxId {
++ return nil, ErrRange
++ }
++ gidMap[gid] = struct{}{}
++ }
--- /dev/null
--- /dev/null
++Last-Update: 2018-09-27
++Forwarded: not-needed
++Bug-Upstream: https://github.com/opencontainers/runc/issues/1822
++Author: Dmitry Smirnov <onlyjob@debian.org>
++Description: disabled unreliable tests due to random failures on [ppc64el, s390x].
++
++--- a/libcontainer/cgroups/fs/hugetlb_test.go
+++++ b/libcontainer/cgroups/fs/hugetlb_test.go
++@@ -87,8 +87,9 @@
++ }
++ }
++
++ func TestHugetlbStatsNoUsageFile(t *testing.T) {
+++t.Skip("Disabled unreliable test")
++ helper := NewCgroupTestUtil("hugetlb", t)
++ defer helper.cleanup()
++ helper.writeFileContents(map[string]string{
++ maxUsage: hugetlbMaxUsageContents,
++@@ -102,8 +103,9 @@
++ }
++ }
++
++ func TestHugetlbStatsNoMaxUsageFile(t *testing.T) {
+++t.Skip("Disabled unreliable test")
++ helper := NewCgroupTestUtil("hugetlb", t)
++ defer helper.cleanup()
++ for _, pageSize := range HugePageSizes {
++ helper.writeFileContents(map[string]string{
++@@ -119,8 +121,9 @@
++ }
++ }
++
++ func TestHugetlbStatsBadUsageFile(t *testing.T) {
+++t.Skip("Disabled unreliable test")
++ helper := NewCgroupTestUtil("hugetlb", t)
++ defer helper.cleanup()
++ for _, pageSize := range HugePageSizes {
++ helper.writeFileContents(map[string]string{
++@@ -137,8 +140,9 @@
++ }
++ }
++
++ func TestHugetlbStatsBadMaxUsageFile(t *testing.T) {
+++t.Skip("Disabled unreliable test")
++ helper := NewCgroupTestUtil("hugetlb", t)
++ defer helper.cleanup()
++ helper.writeFileContents(map[string]string{
++ usage: hugetlbUsageContents,
--- /dev/null
--- /dev/null
++Last-Update: 2018-06-15
++Forwarded: not-needed
++Author: Dmitry Smirnov <onlyjob@debian.org>
++Description: disable test (requires root)
++
++--- a/libcontainer/factory_linux_test.go
+++++ b/libcontainer/factory_linux_test.go
++@@ -77,8 +77,9 @@
++ }
++ }
++
++ func TestFactoryNewTmpfs(t *testing.T) {
+++t.Skip("DM - skipping privileged test")
++ root, rerr := newTestRoot()
++ if rerr != nil {
++ t.Fatal(rerr)
++ }
--- /dev/null
--- /dev/null
++#!/usr/bin/make -f
++
++# Uncomment this to turn on verbose mode.
++#export DH_VERBOSE=1
++
++export DH_GOPKG := github.com/opencontainers/runc
++export DH_GOLANG_INSTALL_EXTRA := libcontainer/seccomp/fixtures
++
++include /usr/share/dpkg/pkg-info.mk
++
++TAGS=apparmor seccomp selinux ambient
++LDFLAGS := -X main.version=$(DEB_VERSION_UPSTREAM) -X main.gitCommit=$(DEB_VERSION)
++
++%:
++ dh $@ --buildsystem=golang --with=golang --builddirectory=_build
++
++override_dh_clean:
++ dh_clean
++ ## Remove Files-Excluded (when built from checkout or non-DFSG tarball):
++ $(RM) -rv `perl -0nE 'say $$1 if m{^Files\-Excluded\:\s*(.*?)(?:\n\n|Files:|Comment:)}sm;' debian/copyright`
++
++override_dh_auto_configure:
++ $(MAKE) -C libcontainer/criurpc
++ cd man && ./md2man-all.sh
++ dh_auto_configure
++# ## Sub-vendor "github.com/docker/docker/pkg" (system lib takes preference over bundled one):
++# mkdir -p _build/src/$(DH_GOPKG)/vendor/github.com/docker/docker
++# if [ -d "/usr/share/gocode/src/github.com/docker/docker/pkg" ]; then \
++# cp -vr /usr/share/gocode/src/github.com/docker/docker/pkg _build/src/$(DH_GOPKG)/vendor/github.com/docker/docker/ ;\
++# elif [ -d "vendor/github.com/docker/docker/pkg" ]; then \
++# cp -vr vendor/github.com/docker/docker/pkg _build/src/$(DH_GOPKG)/vendor/github.com/docker/docker/ ;\
++# fi
++ ## Remove extra license files:
++ $(RM) -v \
++ _build/src/$(DH_GOPKG)/vendor/github.com/docker/docker/*/*/LICENSE* \
++ ;
++# ln -svrf vendor/github.com/opencontainers/specs _build/src/github.com/opencontainers/
++
++override_dh_auto_build:
++ dh_auto_build -- -tags "$(TAGS)" -ldflags "$(LDFLAGS)"
++
++override_dh_auto_test:
++ DH_GOLANG_EXCLUDES="libcontainer/integration" \
++ dh_auto_test -- -tags "$(TAGS)"
--- /dev/null
--- /dev/null
++README*
++NOTICE
--- /dev/null
--- /dev/null
++usr/bin/* /usr/sbin/
--- /dev/null
--- /dev/null
++runc: spelling-error-in-binary
--- /dev/null
--- /dev/null
++man/man8/*.8
--- /dev/null
--- /dev/null
++3.0 (quilt)
--- /dev/null
--- /dev/null
++# Result of Files-Excluded:
++source-contains-empty-directory vendor/*
--- /dev/null
--- /dev/null
++version=3
++
++opts=\
++repack,\
++repacksuffix=+dfsg1,\
++uversionmangle=s/-rc/~rc/,\
++dversionmangle=s/[~+]dfsg\d*$// \
++ https://github.com/opencontainers/runc/releases \
++ .*archive/v?(\d\.\d\.\d.*)\.tar\.gz
projects / runc.git / commitdiff