do not use memfd if kernel version < 5.5

termux · Feb 25, 2025 · 0101982 · 0101982
1 parent e21dff5
commit 0101982
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 0 deletions.
diff --git a/root-packages/runc/build.sh b/root-packages/runc/build.sh
@@ -3,6 +3,7 @@ TERMUX_PKG_DESCRIPTION="A tool for spawning and running containers according to
 TERMUX_PKG_LICENSE="Apache-2.0"
 TERMUX_PKG_MAINTAINER="@termux"
 TERMUX_PKG_VERSION="1.2.5"
+TERMUX_PKG_REVISION=1
 TERMUX_PKG_SRCURL=https://github.com/opencontainers/runc/archive/v${TERMUX_PKG_VERSION}.tar.gz
 TERMUX_PKG_SHA256=1ae11980477b789732915dfd7ba4246f5babe5ff76a31021d36365007d9713b0
 TERMUX_PKG_AUTO_UPDATE=true

diff --git a/root-packages/runc/memfd.patch b/root-packages/runc/memfd.patch
@@ -0,0 +1,18 @@
+diff --git a/libcontainer/exeseal/cloned_binary_linux.go b/libcontainer/exeseal/cloned_binary_linux.go
+index 0c8231ee..f716451d 100644
+--- a/libcontainer/exeseal/cloned_binary_linux.go
++++ b/libcontainer/exeseal/cloned_binary_linux.go
+@@ -47,8 +47,12 @@ func sealMemfd(f **os.File) error {
+ 	// errors because they are not needed and we want to continue
+ 	// to work on older kernels.
+ 	fd := (*f).Fd()
++	// Prior to kernel Linux 5.5 F_SEAL_FUTURE_WRITE has bug which maps memory as shared
++	// between processes even if it is set as private.
++	// https://github.com/torvalds/linux/commit/05d351102dbe4e103d6bdac18b1122cd3cd04925
++	// https://github.com/opencontainers/runc/pull/4641
+ 	// F_SEAL_FUTURE_WRITE -- Linux 5.1
+-	_, _ = unix.FcntlInt(fd, unix.F_ADD_SEALS, unix.F_SEAL_FUTURE_WRITE)
++	// _, _ = unix.FcntlInt(fd, unix.F_ADD_SEALS, unix.F_SEAL_FUTURE_WRITE)
+ 	// F_SEAL_EXEC -- Linux 6.3
+ 	const F_SEAL_EXEC = 0x20 //nolint:revive // this matches the unix.* name
+ 	_, _ = unix.FcntlInt(fd, unix.F_ADD_SEALS, F_SEAL_EXEC)