commit: e6fffc5b9d9ed704179a53f98367aa8ebe6f17f0 |
Author: Joonas Niilola <juippis <AT> gentoo <DOT> org> |
AuthorDate: Fri May 29 13:13:12 2020 +0000 |
Commit: Joonas Niilola <juippis <AT> gentoo <DOT> org> |
CommitDate: Fri May 29 13:15:09 2020 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e6fffc5b |
|
app-emulation/lxc: remove unused patch files |
|
Signed-off-by: Joonas Niilola <juippis <AT> gentoo.org> |
|
.../lxc/files/lxc-2.0.6-bash-completion.patch | 27 ---- |
...ps-enable-container-without-CAP_SYS_ADMIN.patch | 164 --------------------- |
.../lxc/files/lxc-2.1.1-cve-2018-6556.patch | 118 --------------- |
.../files/lxc-2.1.1-fix-cgroup2-detection.patch | 26 ---- |
4 files changed, 335 deletions(-) |
|
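diff --git a/app-emulation/lxc/files/lxc-2.0.6-bash-completion.patch b/app-emulation/lxc/files/lxc-2.0.6-bash-completion.patch
deleted file mode 100644
index 6033e36c798..00000000000
--- a/app-emulation/lxc/files/lxc-2.0.6-bash-completion.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-diff --git a/config/bash/lxc.in b/config/bash/lxc.in
-index 7dcf302..5927fe2 100644
---- a/config/bash/lxc.in
-+++ b/config/bash/lxc.in
-@@ -1,4 +1,3 @@
--_have lxc-start && {
- _lxc_names() {
- COMPREPLY=( $( compgen -W "$( lxc-ls )" "$cur" ) )
- }
-@@ -100,4 +99,3 @@ _have lxc-start && {
-
- complete -o default -F _lxc_generic_o lxc-copy
- complete -o default -F _lxc_generic_o lxc-start-ephemeral
--}
-diff --git a/configure.ac b/configure.ac
-index 4640c0d..14ccdd3 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -478,7 +478,7 @@ AM_CONDITIONAL([ENABLE_BASH], [test "x$enable_bash" = "xyes"])
- AM_COND_IF([ENABLE_BASH],
- [AC_MSG_CHECKING([bash completion directory])
- PKG_CHECK_VAR(bashcompdir, [bash-completion], [completionsdir], ,
-- bashcompdir="${sysconfdir}/bash_completion.d")
-+ bashcompdir="$datadir/bash-completion/completions")
- AC_MSG_RESULT([$bashcompdir])
- AC_SUBST(bashcompdir)
- ])
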
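diff --git a/app-emulation/lxc/files/lxc-2.1.1-cgroups-enable-container-without-CAP_SYS_ADMIN.patch b/app-emulation/lxc/files/lxc-2.1.1-cgroups-enable-container-without-CAP_SYS_ADMIN.patch
deleted file mode 100644
index 8493491d0d6..00000000000
--- a/app-emulation/lxc/files/lxc-2.1.1-cgroups-enable-container-without-CAP_SYS_ADMIN.patch
+++ /dev/null
@@ -1,164 +0,0 @@
-From b635e92d21d2a4d71a553388f18cfa08f44bf1ba Mon Sep 17 00:00:00 2001
-From: Christian Brauner <christian.brauner@××××××.com>
-Date: Mon, 30 Oct 2017 14:16:46 +0100
-Subject: [PATCH] cgroups: enable container without CAP_SYS_ADMIN
-
-In case cgroup namespaces are supported but we do not have CAP_SYS_ADMIN we
-need to mount cgroups for the container. This patch enables both privileged and
-unprivileged containers without CAP_SYS_ADMIN.
-
-Closes #1737.
-
-Signed-off-by: Christian Brauner <christian.brauner@××××××.com>
----
- src/lxc/cgroups/cgfs.c | 3 ++-
- src/lxc/cgroups/cgfsng.c | 52 +++++++++++++++++++++++++++++++++++++++++++++---
- src/lxc/cgroups/cgroup.c | 2 +-
- src/lxc/conf.c | 3 ---
- src/lxc/conf.h | 1 +
- 5 files changed, 53 insertions(+), 8 deletions(-)
-
-diff --git a/src/lxc/cgroups/cgfs.c b/src/lxc/cgroups/cgfs.c
-index bcbd6613..efd627f0 100644
---- a/src/lxc/cgroups/cgfs.c
-+++ b/src/lxc/cgroups/cgfs.c
-@@ -1418,11 +1418,12 @@ static bool cgroupfs_mount_cgroup(void *hdata, const char *root, int type)
- struct cgfs_data *cgfs_d;
- struct cgroup_process_info *info, *base_info;
- int r, saved_errno = 0;
-+ struct lxc_handler *handler = hdata;
-
- if (cgns_supported())
- return true;
-
-- cgfs_d = hdata;
-+ cgfs_d = handler->cgroup_data;
- if (!cgfs_d)
- return false;
- base_info = cgfs_d->info;
-diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
-index e43edd7d..ec6440c1 100644
---- a/src/lxc/cgroups/cgfsng.c
-+++ b/src/lxc/cgroups/cgfsng.c
-@@ -50,6 +50,7 @@
- #include <linux/types.h>
- #include <linux/kdev_t.h>
-
-+#include "caps.h"
- #include "cgroup.h"
- #include "cgroup_utils.h"
- #include "commands.h"
-@@ -1616,17 +1617,49 @@ do_secondstage_mounts_if_needed(int type, struct hierarchy *h,
- return 0;
- }
-
-+static int mount_cgroup_cgns_supported(struct hierarchy *h, const char *controllerpath)
-+{
-+ int ret;
-+ char *controllers = NULL;
-+ char *type = "cgroup2";
-+
-+ if (!h->is_cgroup_v2) {
-+ controllers = lxc_string_join(",", (const char **)h->controllers, false);
-+ if (!controllers)
-+ return -ENOMEM;
-+ type = "cgroup";
-+ }
-+
-+ ret = mount("cgroup", controllerpath, type, MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RELATIME, controllers);
-+ free(controllers);
-+ if (ret < 0) {
-+ SYSERROR("Failed to mount %s with cgroup filesystem type %s", controllerpath, type);
-+ return -1;
-+ }
-+
-+ DEBUG("Mounted %s with cgroup filesystem type %s", controllerpath, type);
-+ return 0;
-+}
-+
- static bool cgfsng_mount(void *hdata, const char *root, int type)
- {
-- struct cgfsng_handler_data *d = hdata;
-+ int i;
- char *tmpfspath = NULL;
- bool retval = false;
-- int i;
-+ struct lxc_handler *handler = hdata;
-+ struct cgfsng_handler_data *d = handler->cgroup_data;
-+ bool has_cgns = false, has_sys_admin = true;
-
- if ((type & LXC_AUTO_CGROUP_MASK) == 0)
- return true;
-
-- if (cgns_supported())
-+ has_cgns = cgns_supported();
-+ if (!lxc_list_empty(&handler->conf->keepcaps))
-+ has_sys_admin = in_caplist(CAP_SYS_ADMIN, &handler->conf->keepcaps);
-+ else
-+ has_sys_admin = !in_caplist(CAP_SYS_ADMIN, &handler->conf->caps);
-+
-+ if (has_cgns && has_sys_admin)
- return true;
-
- tmpfspath = must_make_path(root, "/sys/fs/cgroup", NULL);
-@@ -1662,6 +1695,19 @@ static bool cgfsng_mount(void *hdata, const char *root, int type)
- free(controllerpath);
- goto bad;
- }
-+
-+ if (has_cgns && !has_sys_admin) {
-+ /* If cgroup namespaces are supported but the container
-+ * will not have CAP_SYS_ADMIN after it has started we
-+ * need to mount the cgroups manually.
-+ */
-+ r = mount_cgroup_cgns_supported(h, controllerpath);
-+ free(controllerpath);
-+ if (r < 0)
-+ goto bad;
-+ continue;
-+ }
-+
- if (mount_cgroup_full(type, h, controllerpath, d->container_cgroup) < 0) {
- free(controllerpath);
- goto bad;
-diff --git a/src/lxc/cgroups/cgroup.c b/src/lxc/cgroups/cgroup.c
-index 674e3090..36a665b1 100644
---- a/src/lxc/cgroups/cgroup.c
-+++ b/src/lxc/cgroups/cgroup.c
-@@ -166,7 +166,7 @@ bool cgroup_chown(struct lxc_handler *handler)
- bool cgroup_mount(const char *root, struct lxc_handler *handler, int type)
- {
- if (ops)
-- return ops->mount_cgroup(handler->cgroup_data, root, type);
-+ return ops->mount_cgroup(handler, root, type);
-
- return false;
- }
-diff --git a/src/lxc/conf.c b/src/lxc/conf.c
-index d2fab945..44d97843 100644
---- a/src/lxc/conf.c
-+++ b/src/lxc/conf.c
-@@ -210,9 +210,6 @@ __thread struct lxc_conf *current_config;
- struct lxc_conf *current_config;
- #endif
-
--/* Declare this here, since we don't want to reshuffle the whole file. */
--static int in_caplist(int cap, struct lxc_list *caps);
--
- static struct mount_opt mount_opt[] = {
- { "async", 1, MS_SYNCHRONOUS },
- { "atime", 1, MS_NOATIME },
-diff --git a/src/lxc/conf.h b/src/lxc/conf.h
-index c61f861e..63e71e2d 100644
---- a/src/lxc/conf.h
-+++ b/src/lxc/conf.h
-@@ -402,5 +402,6 @@ extern unsigned long add_required_remount_flags(const char *s, const char *d,
- unsigned long flags);
- extern int run_script(const char *name, const char *section, const char *script,
- ...);
-+extern int in_caplist(int cap, struct lxc_list *caps);
-
- #endif /* __LXC_CONF_H */
---
-2.13.6
-
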
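diff --git a/app-emulation/lxc/files/lxc-2.1.1-cve-2018-6556.patch b/app-emulation/lxc/files/lxc-2.1.1-cve-2018-6556.patch
deleted file mode 100644
index bad1e274527..00000000000
--- a/app-emulation/lxc/files/lxc-2.1.1-cve-2018-6556.patch
+++ /dev/null
@@ -1,118 +0,0 @@
-From d183654ec1a2cd1149bdb92601ccb7246bddb14e Mon Sep 17 00:00:00 2001
-From: Christian Brauner <christian.brauner@××××××.com>
-Date: Wed, 25 Jul 2018 19:56:54 +0200
-Subject: [PATCH] CVE 2018-6556: verify netns fd in lxc-user-nic
-
-Signed-off-by: Christian Brauner <christian.brauner@××××××.com>
----
- src/lxc/lxc_user_nic.c | 35 ++++++++++++++++++++++++++++++++---
- src/lxc/utils.c | 12 ++++++++++++
- src/lxc/utils.h | 5 +++++
- 3 files changed, 49 insertions(+), 3 deletions(-)
-
-ADDENDUM from vdupras@g.o: Original patch from Christian didn't
-include LXC_PROC_PID_FD_LEN define, but referenced it. This resulted in
-code that doesn't compile. I fetched the definition from the stable-3.0
-branch and included it to this patch. Also, this diff is regenerated
-from lxc-2.1.1 tag instead of stable-2.0 branch.
-
-diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c
-index 6f550f0d..09a342ac 100644
---- a/src/lxc/lxc_user_nic.c
-+++ b/src/lxc/lxc_user_nic.c
-@@ -1124,12 +1124,41 @@ int main(int argc, char *argv[])
- exit(EXIT_FAILURE);
- }
- } else if (request == LXC_USERNIC_DELETE) {
-- netns_fd = open(args.pid, O_RDONLY);
-+ char opath[LXC_PROC_PID_FD_LEN];
-+
-+ /* Open the path with O_PATH which will not trigger an actual
-+ * open(). Don't report an errno to the caller to not leak
-+ * information whether the path exists or not.
-+ * When stracing setuid is stripped so this is not a concern
-+ * either.
-+ */
-+ netns_fd = open(args.pid, O_PATH | O_CLOEXEC);
- if (netns_fd < 0) {
-- usernic_error("Could not open \"%s\": %s\n", args.pid,
-- strerror(errno));
-+ usernic_error("Failed to open \"%s\"\n", args.pid);
- exit(EXIT_FAILURE);
- }
-+
-+ if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) {
-+ usernic_error("Path \"%s\" does not refer to a network namespace path\n", args.pid);
-+ close(netns_fd);
-+ exit(EXIT_FAILURE);
-+ }
-+
-+ ret = snprintf(opath, sizeof(opath), "/proc/self/fd/%d", netns_fd);
-+ if (ret < 0 || (size_t)ret >= sizeof(opath)) {
-+ close(netns_fd);
-+ exit(EXIT_FAILURE);
-+ }
-+
-+ /* Now get an fd that we can use in setns() calls. */
-+ ret = open(opath, O_RDONLY | O_CLOEXEC);
-+ if (ret < 0) {
-+ usernic_error("Failed to open \"%s\": %s\n", args.pid, strerror(errno));
-+ close(netns_fd);
-+ exit(EXIT_FAILURE);
-+ }
-+ close(netns_fd);
-+ netns_fd = ret;
- }
-
- if (!create_db_dir(LXC_USERNIC_DB)) {
-diff --git a/src/lxc/utils.c b/src/lxc/utils.c
-index e6a44a51..c2a08a9d 100644
---- a/src/lxc/utils.c
-+++ b/src/lxc/utils.c
-@@ -2380,6 +2380,18 @@ bool has_fs_type(const char *path, fs_type_magic magic_val)
- return has_type;
- }
-
-+bool fhas_fs_type(int fd, fs_type_magic magic_val)
-+{
-+ int ret;
-+ struct statfs sb;
-+
-+ ret = fstatfs(fd, &sb);
-+ if (ret < 0)
-+ return false;
-+
-+ return is_fs_type(&sb, magic_val);
-+}
-+
- bool lxc_nic_exists(char *nic)
- {
- #define __LXC_SYS_CLASS_NET_LEN 15 + IFNAMSIZ + 1
-diff --git a/src/lxc/utils.h b/src/lxc/utils.h
-index e83ed49e..06ec74d7 100644
---- a/src/lxc/utils.h
-+++ b/src/lxc/utils.h
-@@ -46,11 +46,16 @@
- #define __S_ISTYPE(mode, mask) (((mode)&S_IFMT) == (mask))
- #endif
-
-+#ifndef NSFS_MAGIC
-+#define NSFS_MAGIC 0x6e736673
-+#endif
-+
- /* Useful macros */
- /* Maximum number for 64 bit integer is a string with 21 digits: 2^64 - 1 = 21 */
- #define LXC_NUMSTRLEN64 21
- #define LXC_LINELEN 4096
- #define LXC_IDMAPLEN 4096
-+#define LXC_PROC_PID_FD_LEN (6 + LXC_NUMSTRLEN64 + 4 + LXC_NUMSTRLEN64 + 1)
-
- /* returns 1 on success, 0 if there were any failures */
- extern int lxc_rmdir_onedev(char *path, const char *exclude);
-@@ -402,6 +407,7 @@ extern void *must_realloc(void *orig, size_t sz);
- /* __typeof__ should be safe to use with all compilers. */
- typedef __typeof__(((struct statfs *)NULL)->f_type) fs_type_magic;
- extern bool has_fs_type(const char *path, fs_type_magic magic_val);
-+extern bool fhas_fs_type(int fd, fs_type_magic magic_val);
- extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val);
- extern bool lxc_nic_exists(char *nic);
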
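diff --git a/app-emulation/lxc/files/lxc-2.1.1-fix-cgroup2-detection.patch b/app-emulation/lxc/files/lxc-2.1.1-fix-cgroup2-detection.patch
deleted file mode 100644
index c16d28ac303..00000000000
--- a/app-emulation/lxc/files/lxc-2.1.1-fix-cgroup2-detection.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From cdfe90a49f516b0f1210d181980f14a4765e10da Mon Sep 17 00:00:00 2001
-From: Christian Brauner <christian.brauner@××××××.com>
-Date: Mon, 30 Oct 2017 14:17:20 +0100
-Subject: [PATCH] cgfsng: fix cgroup2 detection
-
-Signed-off-by: Christian Brauner <christian.brauner@××××××.com>
----
- src/lxc/cgroups/cgfsng.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
-index 897336f0..e43edd7d 100644
---- a/src/lxc/cgroups/cgfsng.c
-+++ b/src/lxc/cgroups/cgfsng.c
-@@ -815,7 +815,7 @@ static void add_controller(char **clist, char *mountpoint, char *base_cgroup)
- new->fullcgpath = NULL;
-
- /* record if this is the cgroup v2 hierarchy */
-- if (!strcmp(base_cgroup, "cgroup2"))
-+ if (clist && !strcmp(*clist, "cgroup2"))
- new->is_cgroup_v2 = true;
- else
- new->is_cgroup_v2 = false;
---
-2.13.6
-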