From 08289ce2b74865fc31b1ff32cb5c766d068343d3 Mon Sep 17 00:00:00 2001
From: Akihiro Suda
Date: Fri, 8 May 2020 20:45:12 +0900
Subject: [PATCH 1/2] dockerd-rootless.sh: bump up slirp4netns requirement to v0.4.0

slirp4netns v0.3.X turned out not to work with RootlessKit >= v0.7.1:
https://github.com/rootless-containers/rootlesskit/issues/143
As slirp4netns v0.3.X reached EOL on Mar 31, 2020, RootlessKit is not going to fix support for slirp4netns v0.3.X.

Signed-off-by: Akihiro Suda
(cherry picked from commit c86abee1a49b482935ae805c8fb724086b732141)
Signed-off-by: Akihiro Suda
Upstream-commit: 9057ddf37c19c9d0eb7bc4a99677033b9e24bf17
Component: engine
---
 components/engine/contrib/dockerd-rootless.sh | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/components/engine/contrib/dockerd-rootless.sh b/components/engine/contrib/dockerd-rootless.sh
index 410013d9be5..b042808cb28 100755
--- a/components/engine/contrib/dockerd-rootless.sh
+++ b/components/engine/contrib/dockerd-rootless.sh
@@ -7,7 +7,7 @@
 # External dependencies:
 # * newuidmap and newgidmap needs to be installed.
 # * /etc/subuid and /etc/subgid needs to be configured for the current user.
-# * Either one of slirp4netns (v0.3+), VPNKit, lxc-user-nic needs to be installed.
+# * Either one of slirp4netns (>= v0.4.0), VPNKit, lxc-user-nic needs to be installed.
 # slirp4netns is used by default if installed. Otherwise fallsback to VPNKit.
 # The default value can be overridden with $DOCKERD_ROOTLESS_ROOTLESSKIT_NET=(slirp4netns|vpnkit|lxc-user-nic)
 # 
@@ -37,27 +37,27 @@ fi
 : "${DOCKERD_ROOTLESS_ROOTLESSKIT_NET:=}"
 : "${DOCKERD_ROOTLESS_ROOTLESSKIT_MTU:=}"
-# if slirp4netns v0.4.0+ is installed, slirp4netns is hardened using sandbox (mount namespace) and seccomp
 : "${DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SANDBOX:=auto}"
 : "${DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SECCOMP:=auto}"
 net=$DOCKERD_ROOTLESS_ROOTLESSKIT_NET
 mtu=$DOCKERD_ROOTLESS_ROOTLESSKIT_MTU
 if [ -z $net ]; then
 if which slirp4netns >/dev/null 2>&1; then
- if slirp4netns --help | grep -- --disable-host-loopback; then
+ # If --netns-type is present in --help, slirp4netns is >= v0.4.0.
+ if slirp4netns --help | grep -qw -- --netns-type; then
 net=slirp4netns
 if [ -z $mtu ]; then
 mtu=65520
 fi
 else
- echo "slirp4netns does not support --disable-host-loopback. Falling back to VPNKit."
+ echo "slirp4netns found but seems older than v0.4.0. Falling back to VPNKit."
 fi
 fi
 if [ -z $net ]; then
 if which vpnkit >/dev/null 2>&1; then
 net=vpnkit
 else
- echo "Either slirp4netns (v0.3+) or vpnkit needs to be installed"
+ echo "Either slirp4netns (>= v0.4.0) or vpnkit needs to be installed"
 exit 1
 fi
 fi

From a36b2dcf99e421705af735195ea9a82520c87092 Mon Sep 17 00:00:00 2001
From: Akihiro Suda
Date: Tue, 12 May 2020 13:21:48 +0900
Subject: [PATCH 2/2] pkg/archive: escape ":" symbol in overlay lowerdir

lowerdir needs escaping:
https://github.com/torvalds/linux/blob/v5.4/fs/overlayfs/super.c#L835-L853

Fix #40939

Signed-off-by: Akihiro Suda
(cherry picked from commit 6a5e3547fbe0d17eb99762cf2c24fae485308473)
Signed-off-by: Akihiro Suda
Upstream-commit: 0a3b2bda3495e259208c49b08f5bd208078f9371
Component: engine
---
 components/engine/pkg/archive/archive_linux.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/components/engine/pkg/archive/archive_linux.go b/components/engine/pkg/archive/archive_linux.go
index 0601f7b0d1f..c0f81ac3d68 100644
--- a/components/engine/pkg/archive/archive_linux.go
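Review bot: The removed comment above the `_SLIRP4NETNS_SANDBOX`/`_SLIRP4NETNS_SECCOMP` defaults was the only text explaining what those two variables control, and nothing in the hunk replaces it. Now that v0.4.0 is the minimum the version qualifier is obsolete but the rationale is not; keeping `# slirp4netns is hardened using sandbox (mount namespace) and seccomp; controlled by the two _SLIRP4NETNS_ variables above` would preserve it. The new `grep -qw -- --netns-type` probe only shows the flag is advertised in `--help`, which the new comment already states honestly, so that is fine as is. On the two new `echo` lines the fallback and error messages go to stdout; `>&2` would keep them out of anything capturing the script's output.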
+++ b/components/engine/pkg/archive/archive_linux.go
@@ -151,7 +151,9 @@ func mknodChar0Overlay(cleansedOriginalPath string) error {
 if err := ioutil.WriteFile(lowerDummy, []byte{}, 0600); err != nil {
 return errors.Wrapf(err, "failed to create a dummy lower file %s", lowerDummy)
 }
- mOpts := fmt.Sprintf("lowerdir=%s,upperdir=%s,workdir=%s", lower, upper, work)
+ // lowerdir needs ":" to be escaped: https://github.com/moby/moby/issues/40939#issuecomment-627098286
+ lowerEscaped := strings.ReplaceAll(lower, ":", "\\:")
+ mOpts := fmt.Sprintf("lowerdir=%s,upperdir=%s,workdir=%s", lowerEscaped, upper, work)
 // docker/pkg/mount.Mount() requires procfs to be mounted. So we use syscall.Mount() directly instead.
 if err := syscall.Mount("overlay", merged, "overlay", uintptr(0), mOpts); err != nil {
 return errors.Wrapf(err, "failed to mount overlay (%s) on %s", mOpts, merged)
@@ -236,7 +238,9 @@ func createDirWithOverlayOpaque(tmp string) (string, error) {
 if err := os.MkdirAll(lowerDummy, 0700); err != nil {
 return "", errors.Wrapf(err, "failed to create a dummy lower directory %s", lowerDummy)
 }
- mOpts := fmt.Sprintf("lowerdir=%s,upperdir=%s,workdir=%s", lower, upper, work)
+ // lowerdir needs ":" to be escaped: https://github.com/moby/moby/issues/40939#issuecomment-627098286
+ lowerEscaped := strings.ReplaceAll(lower, ":", "\\:")
+ mOpts := fmt.Sprintf("lowerdir=%s,upperdir=%s,workdir=%s", lowerEscaped, upper, work)
 // docker/pkg/mount.Mount() requires procfs to be mounted. So we use syscall.Mount() directly instead.
 if err := syscall.Mount("overlay", merged, "overlay", uintptr(0), mOpts); err != nil {
 return "", errors.Wrapf(err, "failed to mount overlay (%s) on %s", mOpts, merged)
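Review bot: The new `strings.ReplaceAll(lower, ":", "\\:")` covers the lowerdir separator but not the other characters the same kernel option parser treats specially: `,` terminates an option and `\` is the escape character, so a comma or backslash in `lower` still produces a malformed or mis-parsed `mOpts`, and as far as I can tell the kernel unescapes `upperdir`/`workdir` the same way while this hunk passes them through raw. The identical line is duplicated in the `createDirWithOverlayOpaque` hunk at -236; a single helper used at both call sites closes the gap once rather than twice. The hunk also relies on `strings` already being imported, which the diff does not show. Both enclosing functions begin before their hunks.
```go
// escapeOverlayMountPath escapes the characters the kernel overlayfs option
// parser treats specially: "\" (escape), "," (option separator) and ":"
// (lowerdir separator). strings.Replacer does not rescan its own output, so
// the backslash rule cannot double-escape.
func escapeOverlayMountPath(p string) string {
	return strings.NewReplacer(`\`, `\\`, `,`, `\,`, `:`, `\:`).Replace(p)
}

// … unchanged: mknodChar0Overlay up to the lowerDummy write …
	mOpts := fmt.Sprintf("lowerdir=%s,upperdir=%s,workdir=%s",
		escapeOverlayMountPath(lower), escapeOverlayMountPath(upper), escapeOverlayMountPath(work))
// … unchanged: syscall.Mount call and error handling (same change in createDirWithOverlayOpaque) …
```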