Gentoo Archives: gentoo-commits

From: Virgil Dupras <vdupras@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: app-emulation/lxc/, app-emulation/lxc/files/
Date: Sun, 07 Oct 2018 02:24:52
Message-Id: 1538879074.8d9eb3429c0bf701bde2eb67c43d9147c225dfdd.vdupras@gentoo
1 commit: 8d9eb3429c0bf701bde2eb67c43d9147c225dfdd
2 Author: Virgil Dupras <vdupras <AT> gentoo <DOT> org>
3 AuthorDate: Sun Oct 7 02:24:34 2018 +0000
4 Commit: Virgil Dupras <vdupras <AT> gentoo <DOT> org>
5 CommitDate: Sun Oct 7 02:24:34 2018 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8d9eb342
7
8 app-emulation/lxc: remove old
9
10 Signed-off-by: Virgil Dupras <vdupras <AT> gentoo.org>
11 Package-Manager: Portage-2.3.50, Repoman-2.3.11
12
13 app-emulation/lxc/Manifest | 1 -
14 .../lxc/files/lxc-3.0.1-cve-2018-6556.patch | 110 --------------
15 app-emulation/lxc/lxc-3.0.1-r1.ebuild | 163 ---------------------
16 3 files changed, 274 deletions(-)
17
18 diff --git a/app-emulation/lxc/Manifest b/app-emulation/lxc/Manifest
19 index 8682903f737..06d28c40ad9 100644
20 --- a/app-emulation/lxc/Manifest
21 +++ b/app-emulation/lxc/Manifest
22 @@ -1,3 +1,2 @@
23 DIST lxc-2.1.1.tar.gz 1378640 BLAKE2B 5fca516540a886729434579ff99acf3baa06977fa0e0b6f24dbf15094626335fc073597d308276e3dd20e27ceabf1477cc8e99d1fd24cf50b9aed2720b887b69 SHA512 2989d57acddfe091adcf8031721c3c9a2f8eff5476bd6155366b76ea7511e0f6120e669276e056e3963863e0f0acf3b095d44c36fa6652e67c197671f28cbdd4
24 -DIST lxc-3.0.1.tar.gz 1239920 BLAKE2B 7be668c11d7211540fe7e2fb6318d38eac0d8d493914f4705d097fca4c004a8d2191609d02bd9e1d9204c3c0b9ea937084d3f9050fc841f6d777768067af3d19 SHA512 f51b0844f61f64d4efc530454eae1fa499f7f1b908bd3b40d7031e7f311a402893a7504bddbc53f2ef9da2b3154d1b047fc4d876b99f0d487d7c79de64eea505
25 DIST lxc-3.0.2.tar.gz 1236975 BLAKE2B 68047f6374b9081fb308586726797ed94fa66b5e94eb3fc12ad1a0aedc15ac1ee518ca5a341db79a715015e34ad38659200ad6aaf21f74639ebb55e7e1360645 SHA512 d7f5e3f91e5c8800e3e092ab209158a4d3e3c2816623249aeaaf2e0950428484ac5d1432d71298787721e1419cd962c0798ba14979e62161299fa15a299efde8
26
27 diff --git a/app-emulation/lxc/files/lxc-3.0.1-cve-2018-6556.patch b/app-emulation/lxc/files/lxc-3.0.1-cve-2018-6556.patch
28 deleted file mode 100644
29 index 198e835e6c5..00000000000
30 --- a/app-emulation/lxc/files/lxc-3.0.1-cve-2018-6556.patch
31 +++ /dev/null
32 @@ -1,110 +0,0 @@
33 -From f2314625c5702cfd25974929599fa439bdac8bdf Mon Sep 17 00:00:00 2001
34 -From: Christian Brauner <christian.brauner@××××××.com>
35 -Date: Wed, 25 Jul 2018 19:56:54 +0200
36 -Subject: [PATCH] CVE 2018-6556: verify netns fd in lxc-user-nic
37 -
38 -Signed-off-by: Christian Brauner <christian.brauner@××××××.com>
39 ----
40 - src/lxc/cmd/lxc_user_nic.c | 35 ++++++++++++++++++++++++++++++++---
41 - src/lxc/utils.c | 12 ++++++++++++
42 - src/lxc/utils.h | 5 +++++
43 - 3 files changed, 49 insertions(+), 3 deletions(-)
44 -
45 -diff --git a/src/lxc/cmd/lxc_user_nic.c b/src/lxc/cmd/lxc_user_nic.c
46 -index ec9cd97e..c5beb6c8 100644
47 ---- a/src/lxc/cmd/lxc_user_nic.c
48 -+++ b/src/lxc/cmd/lxc_user_nic.c
49 -@@ -1179,12 +1179,41 @@ int main(int argc, char *argv[])
50 - exit(EXIT_FAILURE);
51 - }
52 - } else if (request == LXC_USERNIC_DELETE) {
53 -- netns_fd = open(args.pid, O_RDONLY);
54 -+ char opath[LXC_PROC_PID_FD_LEN];
55 -+
56 -+ /* Open the path with O_PATH which will not trigger an actual
57 -+ * open(). Don't report an errno to the caller to not leak
58 -+ * information whether the path exists or not.
59 -+ * When stracing setuid is stripped so this is not a concern
60 -+ * either.
61 -+ */
62 -+ netns_fd = open(args.pid, O_PATH | O_CLOEXEC);
63 - if (netns_fd < 0) {
64 -- usernic_error("Could not open \"%s\": %s\n", args.pid,
65 -- strerror(errno));
66 -+ usernic_error("Failed to open \"%s\"\n", args.pid);
67 -+ exit(EXIT_FAILURE);
68 -+ }
69 -+
70 -+ if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) {
71 -+ usernic_error("Path \"%s\" does not refer to a network namespace path\n", args.pid);
72 -+ close(netns_fd);
73 -+ exit(EXIT_FAILURE);
74 -+ }
75 -+
76 -+ ret = snprintf(opath, sizeof(opath), "/proc/self/fd/%d", netns_fd);
77 -+ if (ret < 0 || (size_t)ret >= sizeof(opath)) {
78 -+ close(netns_fd);
79 -+ exit(EXIT_FAILURE);
80 -+ }
81 -+
82 -+ /* Now get an fd that we can use in setns() calls. */
83 -+ ret = open(opath, O_RDONLY | O_CLOEXEC);
84 -+ if (ret < 0) {
85 -+ usernic_error("Failed to open \"%s\": %s\n", args.pid, strerror(errno));
86 -+ close(netns_fd);
87 - exit(EXIT_FAILURE);
88 - }
89 -+ close(netns_fd);
90 -+ netns_fd = ret;
91 - }
92 -
93 - if (!create_db_dir(LXC_USERNIC_DB)) {
94 -diff --git a/src/lxc/utils.c b/src/lxc/utils.c
95 -index 26f1b058..69d362dc 100644
96 ---- a/src/lxc/utils.c
97 -+++ b/src/lxc/utils.c
98 -@@ -2548,6 +2548,18 @@ bool has_fs_type(const char *path, fs_type_magic magic_val)
99 - return has_type;
100 - }
101 -
102 -+bool fhas_fs_type(int fd, fs_type_magic magic_val)
103 -+{
104 -+ int ret;
105 -+ struct statfs sb;
106 -+
107 -+ ret = fstatfs(fd, &sb);
108 -+ if (ret < 0)
109 -+ return false;
110 -+
111 -+ return is_fs_type(&sb, magic_val);
112 -+}
113 -+
114 - bool lxc_nic_exists(char *nic)
115 - {
116 - #define __LXC_SYS_CLASS_NET_LEN 15 + IFNAMSIZ + 1
117 -diff --git a/src/lxc/utils.h b/src/lxc/utils.h
118 -index 7d672b77..fedc395b 100644
119 ---- a/src/lxc/utils.h
120 -+++ b/src/lxc/utils.h
121 -@@ -95,6 +95,10 @@
122 - #define CGROUP2_SUPER_MAGIC 0x63677270
123 - #endif
124 -
125 -+#ifndef NSFS_MAGIC
126 -+#define NSFS_MAGIC 0x6e736673
127 -+#endif
128 -+
129 - /* Useful macros */
130 - /* Maximum number for 64 bit integer is a string with 21 digits: 2^64 - 1 = 21 */
131 - #define LXC_NUMSTRLEN64 21
132 -@@ -581,6 +585,7 @@ extern void *must_realloc(void *orig, size_t sz);
133 - /* __typeof__ should be safe to use with all compilers. */
134 - typedef __typeof__(((struct statfs *)NULL)->f_type) fs_type_magic;
135 - extern bool has_fs_type(const char *path, fs_type_magic magic_val);
136 -+extern bool fhas_fs_type(int fd, fs_type_magic magic_val);
137 - extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val);
138 - extern bool lxc_nic_exists(char *nic);
139 - extern int lxc_make_tmpfile(char *template, bool rm);
140 ---
141 -2.17.1
142 -
143
144 diff --git a/app-emulation/lxc/lxc-3.0.1-r1.ebuild b/app-emulation/lxc/lxc-3.0.1-r1.ebuild
145 deleted file mode 100644
146 index bf2c75e44b8..00000000000
147 --- a/app-emulation/lxc/lxc-3.0.1-r1.ebuild
148 +++ /dev/null
149 @@ -1,163 +0,0 @@
150 -# Copyright 1999-2018 Gentoo Foundation
151 -# Distributed under the terms of the GNU General Public License v2
152 -
153 -EAPI=6
154 -
155 -inherit autotools bash-completion-r1 linux-info flag-o-matic systemd readme.gentoo-r1 pam
156 -
157 -DESCRIPTION="LinuX Containers userspace utilities"
158 -HOMEPAGE="https://linuxcontainers.org/"
159 -SRC_URI="https://linuxcontainers.org/downloads/lxc/${P}.tar.gz"
160 -
161 -KEYWORDS="amd64 ~arm ~arm64 ~ppc64 x86"
162 -
163 -LICENSE="LGPL-3"
164 -SLOT="0"
165 -IUSE="examples pam python seccomp selinux +templates"
166 -
167 -RDEPEND="
168 - net-libs/gnutls
169 - sys-libs/libcap
170 - pam? ( virtual/pam )
171 - seccomp? ( sys-libs/libseccomp )
172 - selinux? ( sys-libs/libselinux )"
173 -
174 -DEPEND="${RDEPEND}
175 - >=app-text/docbook-sgml-utils-0.6.14-r2
176 - >=sys-kernel/linux-headers-3.2"
177 -
178 -RDEPEND="${RDEPEND}
179 - sys-apps/util-linux
180 - app-misc/pax-utils
181 - virtual/awk"
182 -
183 -PDEPEND="templates? ( app-emulation/lxc-templates )
184 - python? ( dev-python/python3-lxc )"
185 -
186 -CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE
187 - ~CPUSETS ~CGROUP_CPUACCT
188 - ~CGROUP_SCHED
189 -
190 - ~NAMESPACES
191 - ~IPC_NS ~USER_NS ~PID_NS
192 -
193 - ~CGROUP_FREEZER
194 - ~UTS_NS ~NET_NS
195 - ~VETH ~MACVLAN
196 -
197 - ~POSIX_MQUEUE
198 - ~!NETPRIO_CGROUP
199 -
200 - ~!GRKERNSEC_CHROOT_MOUNT
201 - ~!GRKERNSEC_CHROOT_DOUBLE
202 - ~!GRKERNSEC_CHROOT_PIVOT
203 - ~!GRKERNSEC_CHROOT_CHMOD
204 - ~!GRKERNSEC_CHROOT_CAPS
205 - ~!GRKERNSEC_PROC
206 - ~!GRKERNSEC_SYSFS_RESTRICT
207 -"
208 -
209 -ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES: needed for pts inside container"
210 -
211 -ERROR_CGROUP_FREEZER="CONFIG_CGROUP_FREEZER: needed to freeze containers"
212 -
213 -ERROR_UTS_NS="CONFIG_UTS_NS: needed to unshare hostnames and uname info"
214 -ERROR_NET_NS="CONFIG_NET_NS: needed for unshared network"
215 -
216 -ERROR_VETH="CONFIG_VETH: needed for internal (host-to-container) networking"
217 -ERROR_MACVLAN="CONFIG_MACVLAN: needed for internal (inter-container) networking"
218 -
219 -ERROR_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE: needed for lxc-execute command"
220 -
221 -ERROR_NETPRIO_CGROUP="CONFIG_NETPRIO_CGROUP: as of kernel 3.3 and lxc 0.8.0_rc1 this causes LXCs to fail booting."
222 -
223 -ERROR_GRKERNSEC_CHROOT_MOUNT="CONFIG_GRKERNSEC_CHROOT_MOUNT: some GRSEC features make LXC unusable see postinst notes"
224 -ERROR_GRKERNSEC_CHROOT_DOUBLE="CONFIG_GRKERNSEC_CHROOT_DOUBLE: some GRSEC features make LXC unusable see postinst notes"
225 -ERROR_GRKERNSEC_CHROOT_PIVOT="CONFIG_GRKERNSEC_CHROOT_PIVOT: some GRSEC features make LXC unusable see postinst notes"
226 -ERROR_GRKERNSEC_CHROOT_CHMOD="CONFIG_GRKERNSEC_CHROOT_CHMOD: some GRSEC features make LXC unusable see postinst notes"
227 -ERROR_GRKERNSEC_CHROOT_CAPS="CONFIG_GRKERNSEC_CHROOT_CAPS: some GRSEC features make LXC unusable see postinst notes"
228 -ERROR_GRKERNSEC_PROC="CONFIG_GRKERNSEC_PROC: this GRSEC feature is incompatible with unprivileged containers"
229 -ERROR_GRKERNSEC_SYSFS_RESTRICT="CONFIG_GRKERNSEC_SYSFS_RESTRICT: this GRSEC feature is incompatible with unprivileged containers"
230 -
231 -DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt)
232 -
233 -pkg_setup() {
234 - kernel_is -lt 4 7 && CONFIG_CHECK="${CONFIG_CHECK} ~DEVPTS_MULTIPLE_INSTANCES"
235 - linux-info_pkg_setup
236 -}
237 -
238 -src_prepare() {
239 - eapply "${FILESDIR}"/${PN}-3.0.0-bash-completion.patch
240 - #558854
241 - eapply "${FILESDIR}"/${PN}-2.0.5-omit-sysconfig.patch
242 - eapply "${FILESDIR}"/${PN}-3.0.1-cve-2018-6556.patch
243 - eapply_user
244 - eautoreconf
245 -}
246 -
247 -src_configure() {
248 - append-flags -fno-strict-aliasing
249 -
250 - # I am not sure about the --with-rootfs-path
251 - # /var/lib/lxc is probably more appropriate than
252 - # /usr/lib/lxc.
253 - # Note by holgersson: Why is apparmor disabled?
254 -
255 - # --enable-doc is for manpages which is why we don't link it to a "doc"
256 - # USE flag. We always want man pages.
257 - econf \
258 - --localstatedir=/var \
259 - --bindir=/usr/bin \
260 - --sbindir=/usr/bin \
261 - --with-config-path=/var/lib/lxc \
262 - --with-rootfs-path=/var/lib/lxc/rootfs \
263 - --with-distro=gentoo \
264 - --with-runtime-path=/run \
265 - --disable-apparmor \
266 - --disable-werror \
267 - --enable-doc \
268 - $(use_enable examples) \
269 - $(use_enable pam) \
270 - $(use_with pam pamdir $(getpam_mod_dir)) \
271 - $(use_enable seccomp) \
272 - $(use_enable selinux)
273 -}
274 -
275 -src_install() {
276 - default
277 -
278 - mv "${ED}"/usr/share/bash-completion/completions/${PN} "${ED}"/$(get_bashcompdir)/${PN}-start || die
279 - bashcomp_alias ${PN}-start \
280 - ${PN}-{attach,cgroup,copy,console,create,destroy,device,execute,freeze,info,monitor,snapshot,stop,unfreeze,wait}
281 -
282 - keepdir /etc/lxc /var/lib/lxc/rootfs /var/log/lxc
283 - rmdir "${D}"/var/cache/lxc "${D}"/var/cache || die "rmdir failed"
284 -
285 - find "${D}" -name '*.la' -delete
286 -
287 - # Gentoo-specific additions!
288 - newinitd "${FILESDIR}/${PN}.initd.7" ${PN}
289 -
290 - # Remember to compare our systemd unit file with the upstream one
291 - # config/init/systemd/lxc.service.in
292 - systemd_newunit "${FILESDIR}"/${PN}_at.service.4 "lxc@.service"
293 -
294 - DOC_CONTENTS="
295 - For openrc, there is an init script provided with the package.
296 - You _should_ only need to symlink /etc/init.d/lxc to
297 - /etc/init.d/lxc.configname to start the container defined in
298 - /etc/lxc/configname.conf.
299 -
300 - Correspondingly, for systemd a service file lxc@.service is installed.
301 - Enable and start lxc@configname in order to start the container defined
302 - in /etc/lxc/configname.conf.
303 -
304 - If you want checkpoint/restore functionality, please install criu
305 - (sys-process/criu)."
306 - DISABLE_AUTOFORMATTING=true
307 - readme.gentoo_create_doc
308 -}
309 -
310 -pkg_postinst() {
311 - readme.gentoo_print_elog
312 -}