!253 [sync] PR-251: runc：backport some patches

From: @openeuler-sync-bot 
Reviewed-by: @zhangsong234 
Signed-off-by: @zhangsong234

patch/0150-runc-Fix-File-to-Close.patch

@@ -0,0 +1,27 @@
+From 329422245586df752a020d3887cb0ee83cab7f59 Mon Sep 17 00:00:00 2001
+From: "hang.jiang" <hang.jiang@daocloud.io>
+Date: Fri, 1 Sep 2023 16:17:13 +0800
+Subject: [PATCH 1/4] Fix File to Close
+ 
+Reference:https://github.com/opencontainers/runc/commit/937ca107c3d22da77eb8e8030f2342253b980980
+ 
+Signed-off-by: hang.jiang <hang.jiang@daocloud.io>
+---
+ update.go | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/update.go b/update.go
+index 226a18af..46f79748 100644
+--- a/update.go
++++ b/update.go
+@@ -162,6 +162,7 @@ other options are ignored.
+ 				if err != nil {
+ 					return err
+ 				}
++				defer f.Close()
+ 			}
+ 			err = json.NewDecoder(f).Decode(&r)
+ 			if err != nil {
+-- 
+2.33.0
+

patch/0151-runc-Fix-tmpfs-mode-opts-when-dir-already-exis.patch

@@ -0,0 +1,59 @@
+From 6594fe86b84fa69fd44172694d9495b37e5c653a Mon Sep 17 00:00:00 2001
+From: Brian Goff <cpuguy83@gmail.com>
+Date: Thu, 22 Jun 2023 21:35:19 +0000
+Subject: [PATCH 2/4] Fix tmpfs mode opts when dir already exists
+ 
+When a directory already exists (or after a container is restarted) the
+perms of the directory being mounted to were being used even when a
+different permission is set on the tmpfs mount options.
+ 
+This prepends the original directory perms to the mount options.
+If the perms were already set in the mount opts then those perms will
+win.
+This eliminates the need to perform a chmod after mount entirely.
+ 
+Reference:https://github.com/opencontainers/runc/commit/9fa8b9de3e74c306db186494187fb789f0fdab4d
+ 
+Signed-off-by: Brian Goff <cpuguy83@gmail.com>
+---
+ libcontainer/rootfs_linux.go | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
+index f5d9214a..7d52b622 100644
+--- a/libcontainer/rootfs_linux.go
++++ b/libcontainer/rootfs_linux.go
+@@ -231,11 +231,16 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string) error {
+ 			return err
+ 		}
+ 		m.Destination = dest
+-		stat, err := os.Stat(dest)
+-		if err != nil {
++		if stat, err := os.Stat(dest); err != nil {
+ 			if err := os.MkdirAll(dest, 0755); err != nil {
+ 				return err
+ 			}
++		} else {
++			dt := fmt.Sprintf("mode=%04o", stat.Mode())
++			if m.Data != "" {
++				dt = dt + "," + m.Data
++			}
++			m.Data = dt
+ 		}
+ 		if copyUp {
+ 			tmpDir, err = ioutil.TempDir("/tmp", "runctmpdir")
+@@ -264,11 +269,6 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string) error {
+ 				return errMsg
+ 			}
+ 		}
+-		if stat != nil {
+-			if err = os.Chmod(dest, stat.Mode()); err != nil {
+-				return err
+-			}
+-		}
+ 		return nil
+ 	case "bind":
+ 		stat, err := os.Stat(m.Source)
+-- 
+2.33.0
+

runc.spec

@@ -2,7 +2,7 @@
 
 Name: docker-runc
 Version: 1.0.0.rc3
-Release: 224
+Release: 225
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
 
 License: ASL 2.0
@@ -41,6 +41,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
 %{_bindir}/runc
 
 %changelog
+* Mon Mar 04 2024 zhongjiawei<zhongjiawei1@huawei.com> - 1.0.0.rc3-225
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:backport some patches
+
 * Mon Feb 5 2024 zhongjiawei<zhongjiawei1@huawei.com> - 1.0.0.rc3-224
 - Type:bugfix
 - CVE:NA

series.conf

@@ -141,3 +141,5 @@
 0147-runc-libct-Destroy-don-t-proceed-in-case-of-errors.patch
 0148-runc-fix-CVE-2024-21626.patch
 0149-runc-check-cmd-exist.patch
+0150-runc-Fix-File-to-Close.patch
+0151-runc-Fix-tmpfs-mode-opts-when-dir-already-exis.patch