| 1 |
commit: 8d9eb3429c0bf701bde2eb67c43d9147c225dfdd |
| 2 |
Author: Virgil Dupras <vdupras <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Sun Oct 7 02:24:34 2018 +0000 |
| 4 |
Commit: Virgil Dupras <vdupras <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Sun Oct 7 02:24:34 2018 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8d9eb342 |
| 7 |
|
| 8 |
app-emulation/lxc: remove old |
| 9 |
|
| 10 |
Signed-off-by: Virgil Dupras <vdupras <AT> gentoo.org> |
| 11 |
Package-Manager: Portage-2.3.50, Repoman-2.3.11 |
| 12 |
|
| 13 |
app-emulation/lxc/Manifest | 1 - |
| 14 |
.../lxc/files/lxc-3.0.1-cve-2018-6556.patch | 110 -------------- |
| 15 |
app-emulation/lxc/lxc-3.0.1-r1.ebuild | 163 --------------------- |
| 16 |
3 files changed, 274 deletions(-) |
| 17 |
|
| 18 |
diff --git a/app-emulation/lxc/Manifest b/app-emulation/lxc/Manifest |
| 19 |
index 8682903f737..06d28c40ad9 100644 |
| 20 |
--- a/app-emulation/lxc/Manifest |
| 21 |
+++ b/app-emulation/lxc/Manifest |
| 22 |
@@ -1,3 +1,2 @@ |
| 23 |
DIST lxc-2.1.1.tar.gz 1378640 BLAKE2B 5fca516540a886729434579ff99acf3baa06977fa0e0b6f24dbf15094626335fc073597d308276e3dd20e27ceabf1477cc8e99d1fd24cf50b9aed2720b887b69 SHA512 2989d57acddfe091adcf8031721c3c9a2f8eff5476bd6155366b76ea7511e0f6120e669276e056e3963863e0f0acf3b095d44c36fa6652e67c197671f28cbdd4 |
| 24 |
-DIST lxc-3.0.1.tar.gz 1239920 BLAKE2B 7be668c11d7211540fe7e2fb6318d38eac0d8d493914f4705d097fca4c004a8d2191609d02bd9e1d9204c3c0b9ea937084d3f9050fc841f6d777768067af3d19 SHA512 f51b0844f61f64d4efc530454eae1fa499f7f1b908bd3b40d7031e7f311a402893a7504bddbc53f2ef9da2b3154d1b047fc4d876b99f0d487d7c79de64eea505 |
| 25 |
DIST lxc-3.0.2.tar.gz 1236975 BLAKE2B 68047f6374b9081fb308586726797ed94fa66b5e94eb3fc12ad1a0aedc15ac1ee518ca5a341db79a715015e34ad38659200ad6aaf21f74639ebb55e7e1360645 SHA512 d7f5e3f91e5c8800e3e092ab209158a4d3e3c2816623249aeaaf2e0950428484ac5d1432d71298787721e1419cd962c0798ba14979e62161299fa15a299efde8 |
| 26 |
|
| 27 |
diff --git a/app-emulation/lxc/files/lxc-3.0.1-cve-2018-6556.patch b/app-emulation/lxc/files/lxc-3.0.1-cve-2018-6556.patch |
| 28 |
deleted file mode 100644 |
| 29 |
index 198e835e6c5..00000000000 |
| 30 |
--- a/app-emulation/lxc/files/lxc-3.0.1-cve-2018-6556.patch |
| 31 |
+++ /dev/null |
| 32 |
@@ -1,110 +0,0 @@ |
| 33 |
-From f2314625c5702cfd25974929599fa439bdac8bdf Mon Sep 17 00:00:00 2001 |
| 34 |
-From: Christian Brauner <christian.brauner@××××××.com> |
| 35 |
-Date: Wed, 25 Jul 2018 19:56:54 +0200 |
| 36 |
-Subject: [PATCH] CVE 2018-6556: verify netns fd in lxc-user-nic |
| 37 |
- |
| 38 |
-Signed-off-by: Christian Brauner <christian.brauner@××××××.com> |
| 39 |
---- |
| 40 |
- src/lxc/cmd/lxc_user_nic.c | 35 ++++++++++++++++++++++++++++++++--- |
| 41 |
- src/lxc/utils.c | 12 ++++++++++++ |
| 42 |
- src/lxc/utils.h | 5 +++++ |
| 43 |
- 3 files changed, 49 insertions(+), 3 deletions(-) |
| 44 |
- |
| 45 |
-diff --git a/src/lxc/cmd/lxc_user_nic.c b/src/lxc/cmd/lxc_user_nic.c |
| 46 |
-index ec9cd97e..c5beb6c8 100644 |
| 47 |
---- a/src/lxc/cmd/lxc_user_nic.c |
| 48 |
-+++ b/src/lxc/cmd/lxc_user_nic.c |
| 49 |
-@@ -1179,12 +1179,41 @@ int main(int argc, char *argv[]) |
| 50 |
- exit(EXIT_FAILURE); |
| 51 |
- } |
| 52 |
- } else if (request == LXC_USERNIC_DELETE) { |
| 53 |
-- netns_fd = open(args.pid, O_RDONLY); |
| 54 |
-+ char opath[LXC_PROC_PID_FD_LEN]; |
| 55 |
-+ |
| 56 |
-+ /* Open the path with O_PATH which will not trigger an actual |
| 57 |
-+ * open(). Don't report an errno to the caller to not leak |
| 58 |
-+ * information whether the path exists or not. |
| 59 |
-+ * When stracing setuid is stripped so this is not a concern |
| 60 |
-+ * either. |
| 61 |
-+ */ |
| 62 |
-+ netns_fd = open(args.pid, O_PATH | O_CLOEXEC); |
| 63 |
- if (netns_fd < 0) { |
| 64 |
-- usernic_error("Could not open \"%s\": %s\n", args.pid, |
| 65 |
-- strerror(errno)); |
| 66 |
-+ usernic_error("Failed to open \"%s\"\n", args.pid); |
| 67 |
-+ exit(EXIT_FAILURE); |
| 68 |
-+ } |
| 69 |
-+ |
| 70 |
-+ if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) { |
| 71 |
-+ usernic_error("Path \"%s\" does not refer to a network namespace path\n", args.pid); |
| 72 |
-+ close(netns_fd); |
| 73 |
-+ exit(EXIT_FAILURE); |
| 74 |
-+ } |
| 75 |
-+ |
| 76 |
-+ ret = snprintf(opath, sizeof(opath), "/proc/self/fd/%d", netns_fd); |
| 77 |
-+ if (ret < 0 || (size_t)ret >= sizeof(opath)) { |
| 78 |
-+ close(netns_fd); |
| 79 |
-+ exit(EXIT_FAILURE); |
| 80 |
-+ } |
| 81 |
-+ |
| 82 |
-+ /* Now get an fd that we can use in setns() calls. */ |
| 83 |
-+ ret = open(opath, O_RDONLY | O_CLOEXEC); |
| 84 |
-+ if (ret < 0) { |
| 85 |
-+ usernic_error("Failed to open \"%s\": %s\n", args.pid, strerror(errno)); |
| 86 |
-+ close(netns_fd); |
| 87 |
- exit(EXIT_FAILURE); |
| 88 |
- } |
| 89 |
-+ close(netns_fd); |
| 90 |
-+ netns_fd = ret; |
| 91 |
- } |
| 92 |
- |
| 93 |
- if (!create_db_dir(LXC_USERNIC_DB)) { |
| 94 |
-diff --git a/src/lxc/utils.c b/src/lxc/utils.c |
| 95 |
-index 26f1b058..69d362dc 100644 |
| 96 |
---- a/src/lxc/utils.c |
| 97 |
-+++ b/src/lxc/utils.c |
| 98 |
-@@ -2548,6 +2548,18 @@ bool has_fs_type(const char *path, fs_type_magic magic_val) |
| 99 |
- return has_type; |
| 100 |
- } |
| 101 |
- |
| 102 |
-+bool fhas_fs_type(int fd, fs_type_magic magic_val) |
| 103 |
-+{ |
| 104 |
-+ int ret; |
| 105 |
-+ struct statfs sb; |
| 106 |
-+ |
| 107 |
-+ ret = fstatfs(fd, &sb); |
| 108 |
-+ if (ret < 0) |
| 109 |
-+ return false; |
| 110 |
-+ |
| 111 |
-+ return is_fs_type(&sb, magic_val); |
| 112 |
-+} |
| 113 |
-+ |
| 114 |
- bool lxc_nic_exists(char *nic) |
| 115 |
- { |
| 116 |
- #define __LXC_SYS_CLASS_NET_LEN 15 + IFNAMSIZ + 1 |
| 117 |
-diff --git a/src/lxc/utils.h b/src/lxc/utils.h |
| 118 |
-index 7d672b77..fedc395b 100644 |
| 119 |
---- a/src/lxc/utils.h |
| 120 |
-+++ b/src/lxc/utils.h |
| 121 |
-@@ -95,6 +95,10 @@ |
| 122 |
- #define CGROUP2_SUPER_MAGIC 0x63677270 |
| 123 |
- #endif |
| 124 |
- |
| 125 |
-+#ifndef NSFS_MAGIC |
| 126 |
-+#define NSFS_MAGIC 0x6e736673 |
| 127 |
-+#endif |
| 128 |
-+ |
| 129 |
- /* Useful macros */ |
| 130 |
- /* Maximum number for 64 bit integer is a string with 21 digits: 2^64 - 1 = 21 */ |
| 131 |
- #define LXC_NUMSTRLEN64 21 |
| 132 |
-@@ -581,6 +585,7 @@ extern void *must_realloc(void *orig, size_t sz); |
| 133 |
- /* __typeof__ should be safe to use with all compilers. */ |
| 134 |
- typedef __typeof__(((struct statfs *)NULL)->f_type) fs_type_magic; |
| 135 |
- extern bool has_fs_type(const char *path, fs_type_magic magic_val); |
| 136 |
-+extern bool fhas_fs_type(int fd, fs_type_magic magic_val); |
| 137 |
- extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val); |
| 138 |
- extern bool lxc_nic_exists(char *nic); |
| 139 |
- extern int lxc_make_tmpfile(char *template, bool rm); |
| 140 |
--- |
| 141 |
-2.17.1 |
| 142 |
- |
| 143 |
|
| 144 |
diff --git a/app-emulation/lxc/lxc-3.0.1-r1.ebuild b/app-emulation/lxc/lxc-3.0.1-r1.ebuild |
| 145 |
deleted file mode 100644 |
| 146 |
index bf2c75e44b8..00000000000 |
| 147 |
--- a/app-emulation/lxc/lxc-3.0.1-r1.ebuild |
| 148 |
+++ /dev/null |
| 149 |
@@ -1,163 +0,0 @@ |
| 150 |
-# Copyright 1999-2018 Gentoo Foundation |
| 151 |
-# Distributed under the terms of the GNU General Public License v2 |
| 152 |
- |
| 153 |
-EAPI=6 |
| 154 |
- |
| 155 |
-inherit autotools bash-completion-r1 linux-info flag-o-matic systemd readme.gentoo-r1 pam |
| 156 |
- |
| 157 |
-DESCRIPTION="LinuX Containers userspace utilities" |
| 158 |
-HOMEPAGE="https://linuxcontainers.org/" |
| 159 |
-SRC_URI="https://linuxcontainers.org/downloads/lxc/${P}.tar.gz" |
| 160 |
- |
| 161 |
-KEYWORDS="amd64 ~arm ~arm64 ~ppc64 x86" |
| 162 |
- |
| 163 |
-LICENSE="LGPL-3" |
| 164 |
-SLOT="0" |
| 165 |
-IUSE="examples pam python seccomp selinux +templates" |
| 166 |
- |
| 167 |
-RDEPEND=" |
| 168 |
- net-libs/gnutls |
| 169 |
- sys-libs/libcap |
| 170 |
- pam? ( virtual/pam ) |
| 171 |
- seccomp? ( sys-libs/libseccomp ) |
| 172 |
- selinux? ( sys-libs/libselinux )" |
| 173 |
- |
| 174 |
-DEPEND="${RDEPEND} |
| 175 |
- >=app-text/docbook-sgml-utils-0.6.14-r2 |
| 176 |
- >=sys-kernel/linux-headers-3.2" |
| 177 |
- |
| 178 |
-RDEPEND="${RDEPEND} |
| 179 |
- sys-apps/util-linux |
| 180 |
- app-misc/pax-utils |
| 181 |
- virtual/awk" |
| 182 |
- |
| 183 |
-PDEPEND="templates? ( app-emulation/lxc-templates ) |
| 184 |
- python? ( dev-python/python3-lxc )" |
| 185 |
- |
| 186 |
-CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE |
| 187 |
- ~CPUSETS ~CGROUP_CPUACCT |
| 188 |
- ~CGROUP_SCHED |
| 189 |
- |
| 190 |
- ~NAMESPACES |
| 191 |
- ~IPC_NS ~USER_NS ~PID_NS |
| 192 |
- |
| 193 |
- ~CGROUP_FREEZER |
| 194 |
- ~UTS_NS ~NET_NS |
| 195 |
- ~VETH ~MACVLAN |
| 196 |
- |
| 197 |
- ~POSIX_MQUEUE |
| 198 |
- ~!NETPRIO_CGROUP |
| 199 |
- |
| 200 |
- ~!GRKERNSEC_CHROOT_MOUNT |
| 201 |
- ~!GRKERNSEC_CHROOT_DOUBLE |
| 202 |
- ~!GRKERNSEC_CHROOT_PIVOT |
| 203 |
- ~!GRKERNSEC_CHROOT_CHMOD |
| 204 |
- ~!GRKERNSEC_CHROOT_CAPS |
| 205 |
- ~!GRKERNSEC_PROC |
| 206 |
- ~!GRKERNSEC_SYSFS_RESTRICT |
| 207 |
-" |
| 208 |
- |
| 209 |
-ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES: needed for pts inside container" |
| 210 |
- |
| 211 |
-ERROR_CGROUP_FREEZER="CONFIG_CGROUP_FREEZER: needed to freeze containers" |
| 212 |
- |
| 213 |
-ERROR_UTS_NS="CONFIG_UTS_NS: needed to unshare hostnames and uname info" |
| 214 |
-ERROR_NET_NS="CONFIG_NET_NS: needed for unshared network" |
| 215 |
- |
| 216 |
-ERROR_VETH="CONFIG_VETH: needed for internal (host-to-container) networking" |
| 217 |
-ERROR_MACVLAN="CONFIG_MACVLAN: needed for internal (inter-container) networking" |
| 218 |
- |
| 219 |
-ERROR_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE: needed for lxc-execute command" |
| 220 |
- |
| 221 |
-ERROR_NETPRIO_CGROUP="CONFIG_NETPRIO_CGROUP: as of kernel 3.3 and lxc 0.8.0_rc1 this causes LXCs to fail booting." |
| 222 |
- |
| 223 |
-ERROR_GRKERNSEC_CHROOT_MOUNT="CONFIG_GRKERNSEC_CHROOT_MOUNT: some GRSEC features make LXC unusable see postinst notes" |
| 224 |
-ERROR_GRKERNSEC_CHROOT_DOUBLE="CONFIG_GRKERNSEC_CHROOT_DOUBLE: some GRSEC features make LXC unusable see postinst notes" |
| 225 |
-ERROR_GRKERNSEC_CHROOT_PIVOT="CONFIG_GRKERNSEC_CHROOT_PIVOT: some GRSEC features make LXC unusable see postinst notes" |
| 226 |
-ERROR_GRKERNSEC_CHROOT_CHMOD="CONFIG_GRKERNSEC_CHROOT_CHMOD: some GRSEC features make LXC unusable see postinst notes" |
| 227 |
-ERROR_GRKERNSEC_CHROOT_CAPS="CONFIG_GRKERNSEC_CHROOT_CAPS: some GRSEC features make LXC unusable see postinst notes" |
| 228 |
-ERROR_GRKERNSEC_PROC="CONFIG_GRKERNSEC_PROC: this GRSEC feature is incompatible with unprivileged containers" |
| 229 |
-ERROR_GRKERNSEC_SYSFS_RESTRICT="CONFIG_GRKERNSEC_SYSFS_RESTRICT: this GRSEC feature is incompatible with unprivileged containers" |
| 230 |
- |
| 231 |
-DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt) |
| 232 |
- |
| 233 |
-pkg_setup() { |
| 234 |
- kernel_is -lt 4 7 && CONFIG_CHECK="${CONFIG_CHECK} ~DEVPTS_MULTIPLE_INSTANCES" |
| 235 |
- linux-info_pkg_setup |
| 236 |
-} |
| 237 |
- |
| 238 |
-src_prepare() { |
| 239 |
- eapply "${FILESDIR}"/${PN}-3.0.0-bash-completion.patch |
| 240 |
- #558854 |
| 241 |
- eapply "${FILESDIR}"/${PN}-2.0.5-omit-sysconfig.patch |
| 242 |
- eapply "${FILESDIR}"/${PN}-3.0.1-cve-2018-6556.patch |
| 243 |
- eapply_user |
| 244 |
- eautoreconf |
| 245 |
-} |
| 246 |
- |
| 247 |
-src_configure() { |
| 248 |
- append-flags -fno-strict-aliasing |
| 249 |
- |
| 250 |
- # I am not sure about the --with-rootfs-path |
| 251 |
- # /var/lib/lxc is probably more appropriate than |
| 252 |
- # /usr/lib/lxc. |
| 253 |
- # Note by holgersson: Why is apparmor disabled? |
| 254 |
- |
| 255 |
- # --enable-doc is for manpages which is why we don't link it to a "doc" |
| 256 |
- # USE flag. We always want man pages. |
| 257 |
- econf \ |
| 258 |
- --localstatedir=/var \ |
| 259 |
- --bindir=/usr/bin \ |
| 260 |
- --sbindir=/usr/bin \ |
| 261 |
- --with-config-path=/var/lib/lxc \ |
| 262 |
- --with-rootfs-path=/var/lib/lxc/rootfs \ |
| 263 |
- --with-distro=gentoo \ |
| 264 |
- --with-runtime-path=/run \ |
| 265 |
- --disable-apparmor \ |
| 266 |
- --disable-werror \ |
| 267 |
- --enable-doc \ |
| 268 |
- $(use_enable examples) \ |
| 269 |
- $(use_enable pam) \ |
| 270 |
- $(use_with pam pamdir $(getpam_mod_dir)) \ |
| 271 |
- $(use_enable seccomp) \ |
| 272 |
- $(use_enable selinux) |
| 273 |
-} |
| 274 |
- |
| 275 |
-src_install() { |
| 276 |
- default |
| 277 |
- |
| 278 |
- mv "${ED}"/usr/share/bash-completion/completions/${PN} "${ED}"/$(get_bashcompdir)/${PN}-start || die |
| 279 |
- bashcomp_alias ${PN}-start \ |
| 280 |
- ${PN}-{attach,cgroup,copy,console,create,destroy,device,execute,freeze,info,monitor,snapshot,stop,unfreeze,wait} |
| 281 |
- |
| 282 |
- keepdir /etc/lxc /var/lib/lxc/rootfs /var/log/lxc |
| 283 |
- rmdir "${D}"/var/cache/lxc "${D}"/var/cache || die "rmdir failed" |
| 284 |
- |
| 285 |
- find "${D}" -name '*.la' -delete |
| 286 |
- |
| 287 |
- # Gentoo-specific additions! |
| 288 |
- newinitd "${FILESDIR}/${PN}.initd.7" ${PN} |
| 289 |
- |
| 290 |
- # Remember to compare our systemd unit file with the upstream one |
| 291 |
- # config/init/systemd/lxc.service.in |
| 292 |
- systemd_newunit "${FILESDIR}"/${PN}_at.service.4 "lxc@.service" |
| 293 |
- |
| 294 |
- DOC_CONTENTS=" |
| 295 |
- For openrc, there is an init script provided with the package. |
| 296 |
- You _should_ only need to symlink /etc/init.d/lxc to |
| 297 |
- /etc/init.d/lxc.configname to start the container defined in |
| 298 |
- /etc/lxc/configname.conf. |
| 299 |
- |
| 300 |
- Correspondingly, for systemd a service file lxc@.service is installed. |
| 301 |
- Enable and start lxc@configname in order to start the container defined |
| 302 |
- in /etc/lxc/configname.conf. |
| 303 |
- |
| 304 |
- If you want checkpoint/restore functionality, please install criu |
| 305 |
- (sys-process/criu)." |
| 306 |
- DISABLE_AUTOFORMATTING=true |
| 307 |
- readme.gentoo_create_doc |
| 308 |
-} |
| 309 |
- |
| 310 |
-pkg_postinst() { |
| 311 |
- readme.gentoo_print_elog |
| 312 |
-} |
Archives