commit: 8d9eb3429c0bf701bde2eb67c43d9147c225dfdd |
Author: Virgil Dupras <vdupras <AT> gentoo <DOT> org> |
AuthorDate: Sun Oct 7 02:24:34 2018 +0000 |
Commit: Virgil Dupras <vdupras <AT> gentoo <DOT> org> |
CommitDate: Sun Oct 7 02:24:34 2018 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8d9eb342 |
|
app-emulation/lxc: remove old |
|
Signed-off-by: Virgil Dupras <vdupras <AT> gentoo.org> |
Package-Manager: Portage-2.3.50, Repoman-2.3.11 |
|
app-emulation/lxc/Manifest | 1 - |
.../lxc/files/lxc-3.0.1-cve-2018-6556.patch | 110 -------------- |
app-emulation/lxc/lxc-3.0.1-r1.ebuild | 163 --------------------- |
3 files changed, 274 deletions(-) |
|
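--- a/app-emulation/lxc/Manifest
+++ b/app-emulation/lxc/Manifest
@@ -1,3 +1,2 @@
 DIST lxc-2.1.1.tar.gz 1378640 BLAKE2B 5fca516540a886729434579ff99acf3baa06977fa0e0b6f24dbf15094626335fc073597d308276e3dd20e27ceabf1477cc8e99d1fd24cf50b9aed2720b887b69 SHA512 2989d57acddfe091adcf8031721c3c9a2f8eff5476bd6155366b76ea7511e0f6120e669276e056e3963863e0f0acf3b095d44c36fa6652e67c197671f28cbdd4
-DIST lxc-3.0.1.tar.gz 1239920 BLAKE2B 7be668c11d7211540fe7e2fb6318d38eac0d8d493914f4705d097fca4c004a8d2191609d02bd9e1d9204c3c0b9ea937084d3f9050fc841f6d777768067af3d19 SHA512 f51b0844f61f64d4efc530454eae1fa499f7f1b908bd3b40d7031e7f311a402893a7504bddbc53f2ef9da2b3154d1b047fc4d876b99f0d487d7c79de64eea505
 DIST lxc-3.0.2.tar.gz 1236975 BLAKE2B 68047f6374b9081fb308586726797ed94fa66b5e94eb3fc12ad1a0aedc15ac1ee518ca5a341db79a715015e34ad38659200ad6aaf21f74639ebb55e7e1360645 SHA512 d7f5e3f91e5c8800e3e092ab209158a4d3e3c2816623249aeaaf2e0950428484ac5d1432d71298787721e1419cd962c0798ba14979e62161299fa15a299efde8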
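--- a/app-emulation/lxc/files/lxc-3.0.1-cve-2018-6556.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-From f2314625c5702cfd25974929599fa439bdac8bdf Mon Sep 17 00:00:00 2001
-From: Christian Brauner <christian.brauner@××××××.com>
-Date: Wed, 25 Jul 2018 19:56:54 +0200
-Subject: [PATCH] CVE 2018-6556: verify netns fd in lxc-user-nic
-
-Signed-off-by: Christian Brauner <christian.brauner@××××××.com>
----
- src/lxc/cmd/lxc_user_nic.c | 35 ++++++++++++++++++++++++++++++++---
- src/lxc/utils.c | 12 ++++++++++++
- src/lxc/utils.h | 5 +++++
- 3 files changed, 49 insertions(+), 3 deletions(-)
-
-diff --git a/src/lxc/cmd/lxc_user_nic.c b/src/lxc/cmd/lxc_user_nic.c
-index ec9cd97e..c5beb6c8 100644
---- a/src/lxc/cmd/lxc_user_nic.c
-+++ b/src/lxc/cmd/lxc_user_nic.c
-@@ -1179,12 +1179,41 @@ int main(int argc, char *argv[])
- exit(EXIT_FAILURE);
- }
- } else if (request == LXC_USERNIC_DELETE) {
-- netns_fd = open(args.pid, O_RDONLY);
-+ char opath[LXC_PROC_PID_FD_LEN];
-+
-+ /* Open the path with O_PATH which will not trigger an actual
-+ * open(). Don't report an errno to the caller to not leak
-+ * information whether the path exists or not.
-+ * When stracing setuid is stripped so this is not a concern
-+ * either.
-+ */
-+ netns_fd = open(args.pid, O_PATH | O_CLOEXEC);
- if (netns_fd < 0) {
-- usernic_error("Could not open \"%s\": %s\n", args.pid,
-- strerror(errno));
-+ usernic_error("Failed to open \"%s\"\n", args.pid);
-+ exit(EXIT_FAILURE);
-+ }
-+
-+ if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) {
-+ usernic_error("Path \"%s\" does not refer to a network namespace path\n", args.pid);
-+ close(netns_fd);
-+ exit(EXIT_FAILURE);
-+ }
-+
-+ ret = snprintf(opath, sizeof(opath), "/proc/self/fd/%d", netns_fd);
-+ if (ret < 0 || (size_t)ret >= sizeof(opath)) {
-+ close(netns_fd);
-+ exit(EXIT_FAILURE);
-+ }
-+
-+ /* Now get an fd that we can use in setns() calls. */
-+ ret = open(opath, O_RDONLY | O_CLOEXEC);
-+ if (ret < 0) {
-+ usernic_error("Failed to open \"%s\": %s\n", args.pid, strerror(errno));
-+ close(netns_fd);
- exit(EXIT_FAILURE);
- }
-+ close(netns_fd);
-+ netns_fd = ret;
- }
-
- if (!create_db_dir(LXC_USERNIC_DB)) {
-diff --git a/src/lxc/utils.c b/src/lxc/utils.c
-index 26f1b058..69d362dc 100644
---- a/src/lxc/utils.c
-+++ b/src/lxc/utils.c
-@@ -2548,6 +2548,18 @@ bool has_fs_type(const char *path, fs_type_magic magic_val)
- return has_type;
- }
-
-+bool fhas_fs_type(int fd, fs_type_magic magic_val)
-+{
-+ int ret;
-+ struct statfs sb;
-+
-+ ret = fstatfs(fd, &sb);
-+ if (ret < 0)
-+ return false;
-+
-+ return is_fs_type(&sb, magic_val);
-+}
-+
- bool lxc_nic_exists(char *nic)
- {
- #define __LXC_SYS_CLASS_NET_LEN 15 + IFNAMSIZ + 1
-diff --git a/src/lxc/utils.h b/src/lxc/utils.h
-index 7d672b77..fedc395b 100644
---- a/src/lxc/utils.h
-+++ b/src/lxc/utils.h
-@@ -95,6 +95,10 @@
- #define CGROUP2_SUPER_MAGIC 0x63677270
- #endif
-
-+#ifndef NSFS_MAGIC
-+#define NSFS_MAGIC 0x6e736673
-+#endif
-+
- /* Useful macros */
- /* Maximum number for 64 bit integer is a string with 21 digits: 2^64 - 1 = 21 */
- #define LXC_NUMSTRLEN64 21
-@@ -581,6 +585,7 @@ extern void *must_realloc(void *orig, size_t sz);
- /* __typeof__ should be safe to use with all compilers. */
- typedef __typeof__(((struct statfs *)NULL)->f_type) fs_type_magic;
- extern bool has_fs_type(const char *path, fs_type_magic magic_val);
-+extern bool fhas_fs_type(int fd, fs_type_magic magic_val);
- extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val);
- extern bool lxc_nic_exists(char *nic);
- extern int lxc_make_tmpfile(char *template, bool rm);
---
-2.17.1
-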
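--- a/app-emulation/lxc/lxc-3.0.1-r1.ebuild
+++ /dev/null
@@ -1,163 +0,0 @@
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-inherit autotools bash-completion-r1 linux-info flag-o-matic systemd readme.gentoo-r1 pam
-
-DESCRIPTION="LinuX Containers userspace utilities"
-HOMEPAGE="https://linuxcontainers.org/"
-SRC_URI="https://linuxcontainers.org/downloads/lxc/${P}.tar.gz"
-
-KEYWORDS="amd64 ~arm ~arm64 ~ppc64 x86"
-
-LICENSE="LGPL-3"
-SLOT="0"
-IUSE="examples pam python seccomp selinux +templates"
-
-RDEPEND="
- net-libs/gnutls
- sys-libs/libcap
- pam? ( virtual/pam )
- seccomp? ( sys-libs/libseccomp )
- selinux? ( sys-libs/libselinux )"
-
-DEPEND="${RDEPEND}
- >=app-text/docbook-sgml-utils-0.6.14-r2
- >=sys-kernel/linux-headers-3.2"
-
-RDEPEND="${RDEPEND}
- sys-apps/util-linux
- app-misc/pax-utils
- virtual/awk"
-
-PDEPEND="templates? ( app-emulation/lxc-templates )
- python? ( dev-python/python3-lxc )"
-
-CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE
- ~CPUSETS ~CGROUP_CPUACCT
- ~CGROUP_SCHED
-
- ~NAMESPACES
- ~IPC_NS ~USER_NS ~PID_NS
-
- ~CGROUP_FREEZER
- ~UTS_NS ~NET_NS
- ~VETH ~MACVLAN
-
- ~POSIX_MQUEUE
- ~!NETPRIO_CGROUP
-
- ~!GRKERNSEC_CHROOT_MOUNT
- ~!GRKERNSEC_CHROOT_DOUBLE
- ~!GRKERNSEC_CHROOT_PIVOT
- ~!GRKERNSEC_CHROOT_CHMOD
- ~!GRKERNSEC_CHROOT_CAPS
- ~!GRKERNSEC_PROC
- ~!GRKERNSEC_SYSFS_RESTRICT
-"
-
-ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES: needed for pts inside container"
-
-ERROR_CGROUP_FREEZER="CONFIG_CGROUP_FREEZER: needed to freeze containers"
-
-ERROR_UTS_NS="CONFIG_UTS_NS: needed to unshare hostnames and uname info"
-ERROR_NET_NS="CONFIG_NET_NS: needed for unshared network"
-
-ERROR_VETH="CONFIG_VETH: needed for internal (host-to-container) networking"
-ERROR_MACVLAN="CONFIG_MACVLAN: needed for internal (inter-container) networking"
-
-ERROR_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE: needed for lxc-execute command"
-
-ERROR_NETPRIO_CGROUP="CONFIG_NETPRIO_CGROUP: as of kernel 3.3 and lxc 0.8.0_rc1 this causes LXCs to fail booting."
-
-ERROR_GRKERNSEC_CHROOT_MOUNT="CONFIG_GRKERNSEC_CHROOT_MOUNT: some GRSEC features make LXC unusable see postinst notes"
-ERROR_GRKERNSEC_CHROOT_DOUBLE="CONFIG_GRKERNSEC_CHROOT_DOUBLE: some GRSEC features make LXC unusable see postinst notes"
-ERROR_GRKERNSEC_CHROOT_PIVOT="CONFIG_GRKERNSEC_CHROOT_PIVOT: some GRSEC features make LXC unusable see postinst notes"
-ERROR_GRKERNSEC_CHROOT_CHMOD="CONFIG_GRKERNSEC_CHROOT_CHMOD: some GRSEC features make LXC unusable see postinst notes"
-ERROR_GRKERNSEC_CHROOT_CAPS="CONFIG_GRKERNSEC_CHROOT_CAPS: some GRSEC features make LXC unusable see postinst notes"
-ERROR_GRKERNSEC_PROC="CONFIG_GRKERNSEC_PROC: this GRSEC feature is incompatible with unprivileged containers"
-ERROR_GRKERNSEC_SYSFS_RESTRICT="CONFIG_GRKERNSEC_SYSFS_RESTRICT: this GRSEC feature is incompatible with unprivileged containers"
-
-DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt)
-
-pkg_setup() {
- kernel_is -lt 4 7 && CONFIG_CHECK="${CONFIG_CHECK} ~DEVPTS_MULTIPLE_INSTANCES"
- linux-info_pkg_setup
-}
-
-src_prepare() {
- eapply "${FILESDIR}"/${PN}-3.0.0-bash-completion.patch
- #558854
- eapply "${FILESDIR}"/${PN}-2.0.5-omit-sysconfig.patch
- eapply "${FILESDIR}"/${PN}-3.0.1-cve-2018-6556.patch
- eapply_user
- eautoreconf
-}
-
-src_configure() {
- append-flags -fno-strict-aliasing
-
- # I am not sure about the --with-rootfs-path
- # /var/lib/lxc is probably more appropriate than
- # /usr/lib/lxc.
- # Note by holgersson: Why is apparmor disabled?
-
- # --enable-doc is for manpages which is why we don't link it to a "doc"
- # USE flag. We always want man pages.
- econf \
- --localstatedir=/var \
- --bindir=/usr/bin \
- --sbindir=/usr/bin \
- --with-config-path=/var/lib/lxc \
- --with-rootfs-path=/var/lib/lxc/rootfs \
- --with-distro=gentoo \
- --with-runtime-path=/run \
- --disable-apparmor \
- --disable-werror \
- --enable-doc \
- $(use_enable examples) \
- $(use_enable pam) \
- $(use_with pam pamdir $(getpam_mod_dir)) \
- $(use_enable seccomp) \
- $(use_enable selinux)
-}
-
-src_install() {
- default
-
- mv "${ED}"/usr/share/bash-completion/completions/${PN} "${ED}"/$(get_bashcompdir)/${PN}-start || die
- bashcomp_alias ${PN}-start \
- ${PN}-{attach,cgroup,copy,console,create,destroy,device,execute,freeze,info,monitor,snapshot,stop,unfreeze,wait}
-
- keepdir /etc/lxc /var/lib/lxc/rootfs /var/log/lxc
- rmdir "${D}"/var/cache/lxc "${D}"/var/cache || die "rmdir failed"
-
- find "${D}" -name '*.la' -delete
-
- # Gentoo-specific additions!
- newinitd "${FILESDIR}/${PN}.initd.7" ${PN}
-
- # Remember to compare our systemd unit file with the upstream one
- # config/init/systemd/lxc.service.in
- systemd_newunit "${FILESDIR}"/${PN}_at.service.4 "lxc@.service"
-
- DOC_CONTENTS="
- For openrc, there is an init script provided with the package.
- You _should_ only need to symlink /etc/init.d/lxc to
- /etc/init.d/lxc.configname to start the container defined in
- /etc/lxc/configname.conf.
-
- Correspondingly, for systemd a service file lxc@.service is installed.
- Enable and start lxc@configname in order to start the container defined
- in /etc/lxc/configname.conf.
-
- If you want checkpoint/restore functionality, please install criu
- (sys-process/criu)."
- DISABLE_AUTOFORMATTING=true
- readme.gentoo_create_doc
-}
-
-pkg_postinst() {
- readme.gentoo_print_elog
-}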