Merge pull request #4494 from kolyshkin/12-4490

[1.2] Post overlay addition and dmz removal nits

libcontainer/process.go

@@ -49,7 +49,7 @@ type Process struct {
 	// ExtraFiles specifies additional open files to be inherited by the container
 	ExtraFiles []*os.File
 
-	// open handles to cloned binaries -- see dmz.ClonedBinary for more details
+	// open handles to cloned binaries -- see dmz.CloneSelfExe for more details
 	clonedExes []*os.File
 
 	// Initial sizings for the console

libcontainer/setns_init_linux.go

@@ -150,11 +150,6 @@ func (l *linuxSetnsInit) Init() error {
 	// (otherwise the (*os.File) finaliser could close the wrong file). See
 	// CVE-2024-21626 for more information as to why this protection is
 	// necessary.
-	//
-	// This is not needed for runc-dmz, because the extra execve(2) step means
-	// that all O_CLOEXEC file descriptors have already been closed and thus
-	// the second execve(2) from runc-dmz cannot access internal file
-	// descriptors from runc.
 	if err := utils.UnsafeCloseFrom(l.config.PassedFilesCount + 3); err != nil {
 		return err
 	}

libcontainer/standard_init_linux.go

@@ -284,11 +284,6 @@ func (l *linuxStandardInit) Init() error {
 	// (otherwise the (*os.File) finaliser could close the wrong file). See
 	// CVE-2024-21626 for more information as to why this protection is
 	// necessary.
-	//
-	// This is not needed for runc-dmz, because the extra execve(2) step means
-	// that all O_CLOEXEC file descriptors have already been closed and thus
-	// the second execve(2) from runc-dmz cannot access internal file
-	// descriptors from runc.
 	if err := utils.UnsafeCloseFrom(l.config.PassedFilesCount + 3); err != nil {
 		return err
 	}

script/check-config.sh

@@ -241,6 +241,9 @@ flags=(
 
 	# required for bind-mounting /dev/mqueue into containers
 	POSIX_MQUEUE
+
+	# Most containers use overlayfs, and now runc itself uses it.
+	OVERLAY_FS
 )
 check_flags "${flags[@]}"