From bb48f38a15e092f39a1016aaf1e69d0721c3d8f7 Mon Sep 17 00:00:00 2001
From: Caleb Brown
Date: Wed, 6 Mar 2024 11:54:09 +1100
Subject: [PATCH] Bump GVisor to the latest release 20240212. (#1027)

This change includes an additional flag to disable a new (2023-03) feature that keeps filesystem changes internal to GVisor, which breaks the start/stop/restart behavior of package analysis.

Signed-off-by: Caleb Brown
---
 cmd/analyze/Dockerfile | 2 +-
 internal/sandbox/sandbox.go | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/cmd/analyze/Dockerfile b/cmd/analyze/Dockerfile
index 5358860c..37dd225d 100644
--- a/cmd/analyze/Dockerfile
+++ b/cmd/analyze/Dockerfile
@@ -28,7 +28,7 @@ RUN apt-get update && apt-get upgrade -y && \
 # Install gVisor.
 RUN mkdir -m 0700 -p /etc/apt/keyrings && \
     curl -fsSL https://gvisor.dev/archive.key -o /etc/apt/keyrings/gvisor.key && \
-    echo "deb [signed-by=/etc/apt/keyrings/gvisor.key] https://storage.googleapis.com/gvisor/releases 20220425 main" > /etc/apt/sources.list.d/gvisor.list && \
+    echo "deb [signed-by=/etc/apt/keyrings/gvisor.key] https://storage.googleapis.com/gvisor/releases 20240212 main" > /etc/apt/sources.list.d/gvisor.list && \
     apt-get update && apt-get install -y runsc
 
 COPY --from=build /src/analyze /usr/local/bin/analyze
diff --git a/internal/sandbox/sandbox.go b/internal/sandbox/sandbox.go
index ac3b2e7a..1b174259 100644
--- a/internal/sandbox/sandbox.go
+++ b/internal/sandbox/sandbox.go
@@ -331,6 +331,7 @@ func (s *podmanSandbox) startContainerCmd(ctx context.Context, logDir string) *e
 	args := []string{
 		"start",
 		"--runtime=" + runtimeBin,
+		"--runtime-flag=overlay2=none",
 		"--runtime-flag=root=" + rootDir,
 		"--runtime-flag=debug-log=" + filepath.Join(logDir, "runsc.log.%COMMAND%"),
 	}
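Review bot: The new `"--runtime-flag=overlay2=none",` line in startContainerCmd carries no explanation in the code; the reason (per the commit description, the rootfs overlay gVisor enables by default since 2023-03 keeps filesystem changes inside the sandbox and breaks the sandbox's start/stop/restart cycle) lives only in the commit message, which a later reader of this function will not see. Add a comment directly above the added line, e.g. `// Disable gVisor's rootfs overlay: keeping container filesystem changes internal to the sandbox breaks start/stop/restart of the analysis container.` It is also worth stating next to the flag that, with the overlay off, writes made by the analysed package now land in the container's own filesystem layer rather than staying sandbox-internal, so any assumption elsewhere that the rootfs is untouched between runs should be re-checked; that consequence is inferred from the description, not visible in this hunk. startContainerCmd begins before and continues after the hunk.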