From fa66579725fdf5d231e0ec85e8eb4cf850b91741 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Tue, 17 Dec 2019 21:59:06 +0100
Subject: [PATCH 1/4] libocispec: sync from upstream

Signed-off-by: Giuseppe Scrivano
---
 libocispec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libocispec b/libocispec
index 75d182cdc1..450147a59c 160000
--- a/libocispec
+++ b/libocispec
@@ -1 +1 @@
-Subproject commit 75d182cdc1414ba8e8edf6b38f86df031a125d8a
+Subproject commit 450147a59c83ddc0e31adc5031c260c08010daba

From da34b3251792e8a9738f2b95fc0e11c54bb21222 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Tue, 17 Dec 2019 21:59:15 +0100
Subject: [PATCH 2/4] container: honor umask

Signed-off-by: Giuseppe Scrivano
---
 src/libcrun/container.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/libcrun/container.c b/src/libcrun/container.c
index 991b9ca9b4..c1048cfedf 100644
--- a/src/libcrun/container.c
+++ b/src/libcrun/container.c
@@ -728,6 +728,9 @@ container_init (void *args, const char *notify_socket, int sync_socket,
   if (UNLIKELY (exec_path == NULL))
     return crun_make_error (err, errno, "executable path not specified");
 
+  if (def->process->user)
+    umask (def->process->user->umask);
+
   execv (exec_path, def->process->args);
 
   if (errno == ENOENT)
@@ -2159,6 +2162,9 @@ libcrun_container_exec (libcrun_context_t *context, const char *id, oci_containe
       return ret;
     }
 
+  if (process->user)
+    umask (process->user->umask);
+
   TEMP_FAILURE_RETRY (write (pipefd1, "0", 1));
   close (pipefd1);
   pipefd1 = -1;

From afc183b85518a14828d264fb983392f1a65009e0 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Thu, 19 Dec 2019 16:19:54 +0100
Subject: [PATCH 3/4] linux: add support for personality

Signed-off-by: Giuseppe Scrivano
---
 src/libcrun/container.c | 14 ++++++++++++++
 src/libcrun/linux.c | 21 +++++++++++++++++++++
 src/libcrun/linux.h | 1 +
 3 files changed, 36 insertions(+)

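Review bot: `umask (def->process->user->umask)` runs whenever `process.user` is present, not only when the config actually set `umask`; libocispec zero-initializes an unset integer field, so a config that omits the optional `umask` would now switch the container process to umask 000 instead of keeping the inherited mask, and files it creates could come out group- and world-writable. The `libcrun_container_exec` hunk below has the same gap. Gate both calls on the presence flag the generated struct carries for optional scalars, which I believe libocispec names `umask_present` (confirm against the generated header): `if (def->process->user && def->process->user->umask_present)`. container_init and libcrun_container_exec both start outside their hunks.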
diff --git a/src/libcrun/container.c b/src/libcrun/container.c
index c1048cfedf..73e5534e05 100644
--- a/src/libcrun/container.c
+++ b/src/libcrun/container.c
@@ -610,6 +610,13 @@ container_init_setup (void *args, const char *notify_socket,
   if (UNLIKELY (ret < 0))
     return ret;
 
+  if (container->container_def->linux && container->container_def->linux->personality)
+    {
+      ret = libcrun_set_personality (container->container_def->linux->personality, err);
+      if (UNLIKELY (ret < 0))
+        return ret;
+    }
+
   if (def->process && !def->process->no_new_privileges)
     {
       char **seccomp_flags = NULL;
@@ -2123,6 +2130,13 @@ libcrun_container_exec (libcrun_context_t *context, const char *id, oci_containe
       libcrun_fail_with_error ((*err)->status, "%s", (*err)->msg);
     }
 
+  if (container->container_def->linux && container->container_def->linux->personality)
+    {
+      ret = libcrun_set_personality (container->container_def->linux->personality, err);
+      if (UNLIKELY (ret < 0))
+        return ret;
+    }
+
   if (!process->no_new_privileges)
     {
       ret = libcrun_apply_seccomp (seccomp_fd, seccomp_flags, seccomp_flags_len, err);
diff --git a/src/libcrun/linux.c b/src/libcrun/linux.c
index 109587eeb4..dc821e2c26 100644
--- a/src/libcrun/linux.c
+++ b/src/libcrun/linux.c
@@ -45,6 +45,7 @@
 #include
 #include
 #include
+#include
 
 #ifndef RLIMIT_RTTIME
 # define RLIMIT_RTTIME 15
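Review bot: The new condition in container_init_setup spells `container->container_def->linux` three times while the context line right below it reaches the same config as `def->process`, so `def` is already in scope and `if (def->linux && def->linux->personality)` together with `libcrun_set_personality (def->linux->personality, err)` would read consistently with its surroundings. The same seven-line block is pasted verbatim into libcrun_container_exec in the next hunk; a small static helper called from both places would keep the two copies from drifting apart. Placing the call ahead of the `no_new_privileges`/seccomp block that follows is presumably deliberate, since a seccomp profile may deny `personality(2)` — a one-line comment such as `/* Set before the seccomp filter is applied: a profile may deny personality(2). */` would protect that ordering from a future reorder. Both enclosing functions start outside their hunks.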
@@ -2546,6 +2547,26 @@ libcrun_container_unpause_linux (libcrun_container_status_t *status, libcrun_err
   return libcrun_container_pause_unpause_linux (status, false, err);
 }
 
+int
+libcrun_set_personality (oci_container_linux_personality *p, libcrun_error_t *err)
+{
+  unsigned long persona = 0;
+  int ret;
+
+  if (strcmp (p->domain, "LINUX") == 0)
+    persona = PER_LINUX;
+  else if (strcmp (p->domain, "LINUX32") == 0)
+    persona = PER_LINUX32;
+  else
+    return crun_make_error (err, 0, "unknown persona specified '%s'", p->domain);
+
+  ret = personality (persona);
+  if (UNLIKELY (ret < 0))
+    return crun_make_error (err, 0, "set personality to '%s'", p->domain);
+
+  return 0;
+}
+
 /* Protection for attacks like CVE-2019-5736. */
 int ensure_cloned_binary ();
 __attribute__((constructor)) static void libcrun_rexec(void)
diff --git a/src/libcrun/linux.h b/src/libcrun/linux.h
index e3aa7d3a56..c886a02ce6 100644
--- a/src/libcrun/linux.h
+++ b/src/libcrun/linux.h
@@ -55,5 +55,6 @@ int libcrun_create_keyring (const char *name, libcrun_error_t *err);
 int libcrun_container_pause_linux (libcrun_container_status_t *status, libcrun_error_t *err);
 int libcrun_container_unpause_linux (libcrun_container_status_t *status, libcrun_error_t *err);
 int libcrun_container_enter_cgroup_ns (libcrun_container_t *container, libcrun_error_t *err);
+int libcrun_set_personality (oci_container_linux_personality *p, libcrun_error_t *err);
 
 #endif

From edb216fac510e65669b572b91a493e0037cbae5d Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Thu, 19 Dec 2019 17:29:18 +0100
Subject: [PATCH 4/4] tests: upgrade Podman

Signed-off-by: Giuseppe Scrivano
---
 tests/podman/Dockerfile | 2 +-
 tests/podman/run-tests.sh | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/tests/podman/Dockerfile b/tests/podman/Dockerfile
index 033d9ffbe2..f322455f69 100644
--- a/tests/podman/Dockerfile
+++ b/tests/podman/Dockerfile
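Review bot: `crun_make_error (err, 0, "set personality to '%s'", p->domain)` discards errno, so a failed `personality (persona)` is reported without its cause (EPERM and EINVAL are both plausible and worth distinguishing); pass `errno` as the second argument, as the `crun_make_error (err, errno, ...)` call in container.c on this page does. `strcmp (p->domain, "LINUX")` also dereferences `p->domain` unchecked; as far as I recall libocispec leaves an absent string field NULL, so a config with a `personality` object but no `domain` would crash instead of failing cleanly — guard it first with `if (p->domain == NULL) return crun_make_error (err, 0, "personality domain not specified");`. The OCI personality object additionally carries a `flags` list that this function never looks at; since the spec defines no flag values yet, explicitly rejecting a non-empty list (if the generated struct exposes it as `flags`/`flags_len`, following the `seccomp_flags_len` convention visible in container.c) is safer than silently ignoring part of the config, and a short comment stating that raw `personality(2)` flag bits are deliberately not mapped to persona values would make that design choice visible to the next maintainer.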
@@ -12,7 +12,7 @@ RUN yum install -y golang python git gcc automake autoconf libcap-devel \
     mkdir -p /root/go/src/github.com/containers && \
     chmod 755 /root && \
     (cd /root/go/src/github.com/containers && git clone https://github.com/containers/libpod && \
-    cd libpod && git reset --hard v1.6.4 && \
+    cd libpod && \
     make install.catatonit && \
     make)
 
diff --git a/tests/podman/run-tests.sh b/tests/podman/run-tests.sh
index d9d62df767..dfcf9d4cc2 100755
--- a/tests/podman/run-tests.sh
+++ b/tests/podman/run-tests.sh
@@ -13,6 +13,8 @@ export OCI_RUNTIME=/crun/crun
 export CGROUP_MANAGER=cgroupfs
 export STORAGE_OPTIONS="--storage-driver=vfs"
 
+export GO111MODULE=off
+
 ulimit -u unlimited
 
 export TMPDIR=/var/tmp
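Review bot: Dropping `git reset --hard v1.6.4` leaves the test image building whatever `containers/libpod` master happens to be when the image is built, so CI results stop being reproducible and the test container now consumes an unpinned upstream tree rather than a reviewed revision. If the intent is to move to a newer Podman, pin to that revision instead, e.g. `cd libpod && git reset --hard <NEW_TAG_OR_COMMIT> && \` (placeholder); if tracking master is deliberate, a comment in the Dockerfile saying so would keep the next reader from re-pinning it by reflex. The `GO111MODULE=off` export added to run-tests.sh below appears tied to how that libpod tree builds, so the same comment is a good place to record why it is needed.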