Package: runc / 1.0.0~rc6+dfsg1-2
Metadata
| Package | Version | Patches format |
|---|---|---|
| runc | 1.0.0~rc6+dfsg1-2 | 3.0 (quilt) |
Patch series
| Patch | File delta | Description |
|---|---|---|
| test fix_TestGetAdditionalGroups.patch | libcontainer/user/user.go: 2 lines (1 +, 1 -, 0 !) | fix ftbfs on i686 src/github.com/opencontainers/runc/libcontainer/user/user_test.go:448:36: constant 2147483648 overflows int |
| test skip Hugetlb.patch | libcontainer/cgroups/fs/hugetlb_test.go: 4 lines (4 +, 0 -, 0 !) | disabled unreliable tests due to random failures on [ppc64el, s390x]. |
| test skip_TestFactoryNewTmpfs.patch | libcontainer/factory_linux_test.go: 1 line (1 +, 0 -, 0 !) | disable test (requires root) |
| CVE 2019 5736.patch | libcontainer/nsenter/cloned_binary.c: 268 lines (268 +, 0 -, 0 !) | nsenter: clone /proc/self/exe to avoid exposing host binary to container (full patch description below) |

Description of CVE 2019 5736.patch:

nsenter: clone /proc/self/exe to avoid exposing host binary to container

There are quite a few circumstances where /proc/self/exe pointing to a
pretty important container binary is a _bad_ thing, so to avoid this we
have to make a copy (preferably doing self-clean-up and not being
writeable).

We require memfd_create(2) -- though there is an O_TMPFILE fallback --
but we can always extend this to use a scratch MNT_DETACH overlayfs or
tmpfs. The main downside to this approach is no page-cache sharing for
the runc binary (which overlayfs would give us) but this is far less
complicated.

This is only done during nsenter so that it happens transparently to the
Go code, and any libcontainer users benefit from it. This also makes
ExtraFiles and --preserve-fds handling trivial (because we don't need to
worry about it).

Fixes: CVE-2019-5736
Co-developed-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de>