
Commit 7364f7a

committed
Update
1 parent b5deec4 commit 7364f7a


2 files changed

+27
-16
lines changed


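--- a/docker/docker/PKGBUILD
+++ b/docker/docker/PKGBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Morten Linderud <foxboron@archlinux.org>
 
 pkgname=docker
-pkgver=20.10.12
+pkgver=20.10.17
 pkgrel=1
 epoch=1
 pkgdesc='Pack, ship and run any application as a lightweight container'
@@ -17,9 +17,9 @@ optdepends=('btrfs-progs: btrfs backend support'
 'docker-scan: vulnerability scanner')
 # https://github.com/moby/moby/tree/v20.10.0/hack/dockerfile/install
 _TINI_COMMIT=de40ad007797e0dcd8b7126f27bb87401d224240
-_LIBNETWORK_COMMIT=64b7a4574d1426139437d20e81c0b6d391130ec8
+_LIBNETWORK_COMMIT=f6ccccb1c082a432c2a5814aaedaca56af33d9ea
 # TODO: Split into `docker-buildx` and make it a dependency
-_BUILDX_COMMIT=05846896d149da05f3d6fd1e7770da187b52a247
+_BUILDX_COMMIT=6224def4dd2c3d347eee19db595348c50d7cb491
 source=("git+https://github.com/docker/cli.git#tag=v$pkgver"
 "git+https://github.com/moby/moby.git#tag=v$pkgver"
 "git+https://github.com/docker/libnetwork.git#commit=$_LIBNETWORK_COMMIT"
@@ -66,7 +66,8 @@ build() {
 done
 local _commit _pkgbuild _dockerfile
 err=0
-for _commit in LIBNETWORK TINI; do
+# FIXME: Do not check TINI anymore, use tag instead of commit
+for _commit in LIBNETWORK; do
 _pkgbuild=_${_commit}_COMMIT
 _dockerfile=${_commit}_COMMIT
 if [[ ${!_pkgbuild} != ${!_dockerfile} ]]; then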
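Review bot: Removing TINI from the loop in the third hunk leaves `_TINI_COMMIT` (line 19 in the second hunk) pinned but no longer compared against the `TINI_COMMIT` value the loop reads, presumably sourced from moby's hack/dockerfile/install as the comment above the pins suggests, so the pin can silently drift from what upstream builds with. The FIXME names an intended fix but does not say why the check was dropped or what the tag-based comparison should look like, which is what a maintainer doing the next bump needs; something like `# FIXME: TINI check skipped: upstream pins tini by tag, not commit; compare _TINI_COMMIT against that tag once the source entry is tag-based` would record the trade-off (assuming the tag change is the reason). The build() function this hunk belongs to starts and ends outside the hunk.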

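--- a/docker/docker/capabilities.patch
+++ b/docker/docker/capabilities.patch
@@ -1,17 +1,27 @@
 diff --git a/oci/oci.go b/oci/oci.go
-index 6c84ba3488..d931f92d27 100644
+index 60227c2680..2727ed38ce 100644
 --- a/oci/oci.go
 +++ b/oci/oci.go
-@@ -18,12 +18,6 @@ func SetCapabilities(s *specs.Spec, caplist []string) error {
-s.Process.Capabilities.Bounding = caplist
-s.Process.Capabilities.Permitted = caplist
-s.Process.Capabilities.Inheritable = caplist
-- // setUser has already been executed here
-- // if non root drop capabilities in the way execve does
-- if s.Process.User.UID != 0 {
-- s.Process.Capabilities.Effective = []string{}
-- s.Process.Capabilities.Permitted = []string{}
-- }
+@@ -20,18 +20,10 @@ var deviceCgroupRuleRegex = regexp.MustCompile("^([acb]) ([0-9]+|\\*):([0-9]+|\\
+// All capabilities are added if privileged is true.
+func SetCapabilities(s *specs.Spec, caplist []string) error {
+// setUser has already been executed here
+- if s.Process.User.UID == 0 {
+- s.Process.Capabilities = &specs.LinuxCapabilities{
+- Effective: caplist,
+- Bounding: caplist,
+- Permitted: caplist,
+- }
+- } else {
+- // Do not set Effective and Permitted capabilities for non-root users,
+- // to match what execve does.
+- s.Process.Capabilities = &specs.LinuxCapabilities{
+- Bounding: caplist,
+- }
++ s.Process.Capabilities = &specs.LinuxCapabilities{
++ Effective: caplist,
++ Bounding: caplist,
++ Permitted: caplist,
+}
 return nil
 }
-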
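Review bot: The rewritten oci.go hunk in this patch replaces upstream's UID-conditional branch with an unconditional assignment, so a container process started as a non-root user now gets Effective and Permitted sets equal to caplist rather than only Bounding, and the upstream comment `// Do not set Effective and Permitted capabilities for non-root users, to match what execve does.` is removed without any statement of why the package wants the opposite behaviour. The patch has no preamble and nothing in the visible PKGBUILD hunks mentions it, so the next version bump re-carries a privilege-relevant divergence from upstream with no record of its intent; a short comment block above the `diff --git` line naming the upstream change being reverted and the reason would fix that. The retained line `// setUser has already been executed here` now introduces code that no longer inspects the user at all, so it should either be dropped or reworded to say what the unconditional assignment relies on. If the patch is listed further down in the PKGBUILD's `source=` array (outside the visible hunks), a one-line comment there pointing at the rationale would help as well.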