
From: Joonas Niilola <juippis@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: app-emulation/lxc/files/
Date: Fri, 29 May 2020 13:15:22
Message-Id: 1590758109.e6fffc5b9d9ed704179a53f98367aa8ebe6f17f0.juippis@gentoo
1 commit: e6fffc5b9d9ed704179a53f98367aa8ebe6f17f0
2 Author: Joonas Niilola <juippis <AT> gentoo <DOT> org>
3 AuthorDate: Fri May 29 13:13:12 2020 +0000
4 Commit: Joonas Niilola <juippis <AT> gentoo <DOT> org>
5 CommitDate: Fri May 29 13:15:09 2020 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e6fffc5b
7
8 app-emulation/lxc: remove unused patch files
9
10 Signed-off-by: Joonas Niilola <juippis <AT> gentoo.org>
11
12 .../lxc/files/lxc-2.0.6-bash-completion.patch | 27 ----
13 ...ps-enable-container-without-CAP_SYS_ADMIN.patch | 164 ---------------------
14 .../lxc/files/lxc-2.1.1-cve-2018-6556.patch | 118 ---------------
15 .../files/lxc-2.1.1-fix-cgroup2-detection.patch | 26 ----
16 4 files changed, 335 deletions(-)
17
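diff --git a/app-emulation/lxc/files/lxc-2.0.6-bash-completion.patch b/app-emulation/lxc/files/lxc-2.0.6-bash-completion.patch
deleted file mode 100644
index 6033e36c798..00000000000
--- a/app-emulation/lxc/files/lxc-2.0.6-bash-completion.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-diff --git a/config/bash/lxc.in b/config/bash/lxc.in
-index 7dcf302..5927fe2 100644
---- a/config/bash/lxc.in
-+++ b/config/bash/lxc.in
-@@ -1,4 +1,3 @@
--_have lxc-start && {
- _lxc_names() {
- COMPREPLY=( $( compgen -W "$( lxc-ls )" "$cur" ) )
- }
-@@ -100,4 +99,3 @@ _have lxc-start && {
-
- complete -o default -F _lxc_generic_o lxc-copy
- complete -o default -F _lxc_generic_o lxc-start-ephemeral
--}
-diff --git a/configure.ac b/configure.ac
-index 4640c0d..14ccdd3 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -478,7 +478,7 @@ AM_CONDITIONAL([ENABLE_BASH], [test "x$enable_bash" = "xyes"])
- AM_COND_IF([ENABLE_BASH],
- [AC_MSG_CHECKING([bash completion directory])
- PKG_CHECK_VAR(bashcompdir, [bash-completion], [completionsdir], ,
-- bashcompdir="${sysconfdir}/bash_completion.d")
-+ bashcompdir="$datadir/bash-completion/completions")
- AC_MSG_RESULT([$bashcompdir])
- AC_SUBST(bashcompdir)
- ])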
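diff --git a/app-emulation/lxc/files/lxc-2.1.1-cgroups-enable-container-without-CAP_SYS_ADMIN.patch b/app-emulation/lxc/files/lxc-2.1.1-cgroups-enable-container-without-CAP_SYS_ADMIN.patch
deleted file mode 100644
index 8493491d0d6..00000000000
--- a/app-emulation/lxc/files/lxc-2.1.1-cgroups-enable-container-without-CAP_SYS_ADMIN.patch
+++ /dev/null
@@ -1,164 +0,0 @@
-From b635e92d21d2a4d71a553388f18cfa08f44bf1ba Mon Sep 17 00:00:00 2001
-From: Christian Brauner <christian.brauner@××××××.com>
-Date: Mon, 30 Oct 2017 14:16:46 +0100
-Subject: [PATCH] cgroups: enable container without CAP_SYS_ADMIN
-
-In case cgroup namespaces are supported but we do not have CAP_SYS_ADMIN we
-need to mount cgroups for the container. This patch enables both privileged and
-unprivileged containers without CAP_SYS_ADMIN.
-
-Closes #1737.
-
-Signed-off-by: Christian Brauner <christian.brauner@××××××.com>
----
- src/lxc/cgroups/cgfs.c | 3 ++-
- src/lxc/cgroups/cgfsng.c | 52 +++++++++++++++++++++++++++++++++++++++++++++---
- src/lxc/cgroups/cgroup.c | 2 +-
- src/lxc/conf.c | 3 ---
- src/lxc/conf.h | 1 +
- 5 files changed, 53 insertions(+), 8 deletions(-)
-
-diff --git a/src/lxc/cgroups/cgfs.c b/src/lxc/cgroups/cgfs.c
-index bcbd6613..efd627f0 100644
---- a/src/lxc/cgroups/cgfs.c
-+++ b/src/lxc/cgroups/cgfs.c
-@@ -1418,11 +1418,12 @@ static bool cgroupfs_mount_cgroup(void *hdata, const char *root, int type)
- struct cgfs_data *cgfs_d;
- struct cgroup_process_info *info, *base_info;
- int r, saved_errno = 0;
-+ struct lxc_handler *handler = hdata;
-
- if (cgns_supported())
- return true;
-
-- cgfs_d = hdata;
-+ cgfs_d = handler->cgroup_data;
- if (!cgfs_d)
- return false;
- base_info = cgfs_d->info;
-diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
-index e43edd7d..ec6440c1 100644
---- a/src/lxc/cgroups/cgfsng.c
-+++ b/src/lxc/cgroups/cgfsng.c
-@@ -50,6 +50,7 @@
- #include <linux/types.h>
- #include <linux/kdev_t.h>
-
-+#include "caps.h"
- #include "cgroup.h"
- #include "cgroup_utils.h"
- #include "commands.h"
-@@ -1616,17 +1617,49 @@ do_secondstage_mounts_if_needed(int type, struct hierarchy *h,
- return 0;
- }
-
-+static int mount_cgroup_cgns_supported(struct hierarchy *h, const char *controllerpath)
-+{
-+ int ret;
-+ char *controllers = NULL;
-+ char *type = "cgroup2";
-+
-+ if (!h->is_cgroup_v2) {
-+ controllers = lxc_string_join(",", (const char **)h->controllers, false);
-+ if (!controllers)
-+ return -ENOMEM;
-+ type = "cgroup";
-+ }
-+
-+ ret = mount("cgroup", controllerpath, type, MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RELATIME, controllers);
-+ free(controllers);
-+ if (ret < 0) {
-+ SYSERROR("Failed to mount %s with cgroup filesystem type %s", controllerpath, type);
-+ return -1;
-+ }
-+
-+ DEBUG("Mounted %s with cgroup filesystem type %s", controllerpath, type);
-+ return 0;
-+}
-+
- static bool cgfsng_mount(void *hdata, const char *root, int type)
- {
-- struct cgfsng_handler_data *d = hdata;
-+ int i;
- char *tmpfspath = NULL;
- bool retval = false;
-- int i;
-+ struct lxc_handler *handler = hdata;
-+ struct cgfsng_handler_data *d = handler->cgroup_data;
-+ bool has_cgns = false, has_sys_admin = true;
-
- if ((type & LXC_AUTO_CGROUP_MASK) == 0)
- return true;
-
-- if (cgns_supported())
-+ has_cgns = cgns_supported();
-+ if (!lxc_list_empty(&handler->conf->keepcaps))
-+ has_sys_admin = in_caplist(CAP_SYS_ADMIN, &handler->conf->keepcaps);
-+ else
-+ has_sys_admin = !in_caplist(CAP_SYS_ADMIN, &handler->conf->caps);
-+
-+ if (has_cgns && has_sys_admin)
- return true;
-
- tmpfspath = must_make_path(root, "/sys/fs/cgroup", NULL);
-@@ -1662,6 +1695,19 @@ static bool cgfsng_mount(void *hdata, const char *root, int type)
- free(controllerpath);
- goto bad;
- }
-+
-+ if (has_cgns && !has_sys_admin) {
-+ /* If cgroup namespaces are supported but the container
-+ * will not have CAP_SYS_ADMIN after it has started we
-+ * need to mount the cgroups manually.
-+ */
-+ r = mount_cgroup_cgns_supported(h, controllerpath);
-+ free(controllerpath);
-+ if (r < 0)
-+ goto bad;
-+ continue;
-+ }
-+
- if (mount_cgroup_full(type, h, controllerpath, d->container_cgroup) < 0) {
- free(controllerpath);
- goto bad;
-diff --git a/src/lxc/cgroups/cgroup.c b/src/lxc/cgroups/cgroup.c
-index 674e3090..36a665b1 100644
---- a/src/lxc/cgroups/cgroup.c
-+++ b/src/lxc/cgroups/cgroup.c
-@@ -166,7 +166,7 @@ bool cgroup_chown(struct lxc_handler *handler)
- bool cgroup_mount(const char *root, struct lxc_handler *handler, int type)
- {
- if (ops)
-- return ops->mount_cgroup(handler->cgroup_data, root, type);
-+ return ops->mount_cgroup(handler, root, type);
-
- return false;
- }
-diff --git a/src/lxc/conf.c b/src/lxc/conf.c
-index d2fab945..44d97843 100644
---- a/src/lxc/conf.c
-+++ b/src/lxc/conf.c
-@@ -210,9 +210,6 @@ __thread struct lxc_conf *current_config;
- struct lxc_conf *current_config;
- #endif
-
--/* Declare this here, since we don't want to reshuffle the whole file. */
--static int in_caplist(int cap, struct lxc_list *caps);
--
- static struct mount_opt mount_opt[] = {
- { "async", 1, MS_SYNCHRONOUS },
- { "atime", 1, MS_NOATIME },
-diff --git a/src/lxc/conf.h b/src/lxc/conf.h
-index c61f861e..63e71e2d 100644
---- a/src/lxc/conf.h
-+++ b/src/lxc/conf.h
-@@ -402,5 +402,6 @@ extern unsigned long add_required_remount_flags(const char *s, const char *d,
- unsigned long flags);
- extern int run_script(const char *name, const char *section, const char *script,
- ...);
-+extern int in_caplist(int cap, struct lxc_list *caps);
-
- #endif /* __LXC_CONF_H */
---
-2.13.6
-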
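diff --git a/app-emulation/lxc/files/lxc-2.1.1-cve-2018-6556.patch b/app-emulation/lxc/files/lxc-2.1.1-cve-2018-6556.patch
deleted file mode 100644
index bad1e274527..00000000000
--- a/app-emulation/lxc/files/lxc-2.1.1-cve-2018-6556.patch
+++ /dev/null
@@ -1,118 +0,0 @@
-From d183654ec1a2cd1149bdb92601ccb7246bddb14e Mon Sep 17 00:00:00 2001
-From: Christian Brauner <christian.brauner@××××××.com>
-Date: Wed, 25 Jul 2018 19:56:54 +0200
-Subject: [PATCH] CVE 2018-6556: verify netns fd in lxc-user-nic
-
-Signed-off-by: Christian Brauner <christian.brauner@××××××.com>
----
- src/lxc/lxc_user_nic.c | 35 ++++++++++++++++++++++++++++++++---
- src/lxc/utils.c | 12 ++++++++++++
- src/lxc/utils.h | 5 +++++
- 3 files changed, 49 insertions(+), 3 deletions(-)
-
-ADDENDUM from vdupras@g.o: Original patch from Christian didn't
-include LXC_PROC_PID_FD_LEN define, but referenced it. This resulted in
-code that doesn't compile. I fetched the definition from the stable-3.0
-branch and included it to this patch. Also, this diff is regenerated
-from lxc-2.1.1 tag instead of stable-2.0 branch.
-
-diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c
-index 6f550f0d..09a342ac 100644
---- a/src/lxc/lxc_user_nic.c
-+++ b/src/lxc/lxc_user_nic.c
-@@ -1124,12 +1124,41 @@ int main(int argc, char *argv[])
- exit(EXIT_FAILURE);
- }
- } else if (request == LXC_USERNIC_DELETE) {
-- netns_fd = open(args.pid, O_RDONLY);
-+ char opath[LXC_PROC_PID_FD_LEN];
-+
-+ /* Open the path with O_PATH which will not trigger an actual
-+ * open(). Don't report an errno to the caller to not leak
-+ * information whether the path exists or not.
-+ * When stracing setuid is stripped so this is not a concern
-+ * either.
-+ */
-+ netns_fd = open(args.pid, O_PATH | O_CLOEXEC);
- if (netns_fd < 0) {
-- usernic_error("Could not open \"%s\": %s\n", args.pid,
-- strerror(errno));
-+ usernic_error("Failed to open \"%s\"\n", args.pid);
- exit(EXIT_FAILURE);
- }
-+
-+ if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) {
-+ usernic_error("Path \"%s\" does not refer to a network namespace path\n", args.pid);
-+ close(netns_fd);
-+ exit(EXIT_FAILURE);
-+ }
-+
-+ ret = snprintf(opath, sizeof(opath), "/proc/self/fd/%d", netns_fd);
-+ if (ret < 0 || (size_t)ret >= sizeof(opath)) {
-+ close(netns_fd);
-+ exit(EXIT_FAILURE);
-+ }
-+
-+ /* Now get an fd that we can use in setns() calls. */
-+ ret = open(opath, O_RDONLY | O_CLOEXEC);
-+ if (ret < 0) {
-+ usernic_error("Failed to open \"%s\": %s\n", args.pid, strerror(errno));
-+ close(netns_fd);
-+ exit(EXIT_FAILURE);
-+ }
-+ close(netns_fd);
-+ netns_fd = ret;
- }
-
- if (!create_db_dir(LXC_USERNIC_DB)) {
-diff --git a/src/lxc/utils.c b/src/lxc/utils.c
-index e6a44a51..c2a08a9d 100644
---- a/src/lxc/utils.c
-+++ b/src/lxc/utils.c
-@@ -2380,6 +2380,18 @@ bool has_fs_type(const char *path, fs_type_magic magic_val)
- return has_type;
- }
-
-+bool fhas_fs_type(int fd, fs_type_magic magic_val)
-+{
-+ int ret;
-+ struct statfs sb;
-+
-+ ret = fstatfs(fd, &sb);
-+ if (ret < 0)
-+ return false;
-+
-+ return is_fs_type(&sb, magic_val);
-+}
-+
- bool lxc_nic_exists(char *nic)
- {
- #define __LXC_SYS_CLASS_NET_LEN 15 + IFNAMSIZ + 1
-diff --git a/src/lxc/utils.h b/src/lxc/utils.h
-index e83ed49e..06ec74d7 100644
---- a/src/lxc/utils.h
-+++ b/src/lxc/utils.h
-@@ -46,11 +46,16 @@
- #define __S_ISTYPE(mode, mask) (((mode)&S_IFMT) == (mask))
- #endif
-
-+#ifndef NSFS_MAGIC
-+#define NSFS_MAGIC 0x6e736673
-+#endif
-+
- /* Useful macros */
- /* Maximum number for 64 bit integer is a string with 21 digits: 2^64 - 1 = 21 */
- #define LXC_NUMSTRLEN64 21
- #define LXC_LINELEN 4096
- #define LXC_IDMAPLEN 4096
-+#define LXC_PROC_PID_FD_LEN (6 + LXC_NUMSTRLEN64 + 4 + LXC_NUMSTRLEN64 + 1)
-
- /* returns 1 on success, 0 if there were any failures */
- extern int lxc_rmdir_onedev(char *path, const char *exclude);
-@@ -402,6 +407,7 @@ extern void *must_realloc(void *orig, size_t sz);
- /* __typeof__ should be safe to use with all compilers. */
- typedef __typeof__(((struct statfs *)NULL)->f_type) fs_type_magic;
- extern bool has_fs_type(const char *path, fs_type_magic magic_val);
-+extern bool fhas_fs_type(int fd, fs_type_magic magic_val);
- extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val);
- extern bool lxc_nic_exists(char *nic);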
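diff --git a/app-emulation/lxc/files/lxc-2.1.1-fix-cgroup2-detection.patch b/app-emulation/lxc/files/lxc-2.1.1-fix-cgroup2-detection.patch
deleted file mode 100644
index c16d28ac303..00000000000
--- a/app-emulation/lxc/files/lxc-2.1.1-fix-cgroup2-detection.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From cdfe90a49f516b0f1210d181980f14a4765e10da Mon Sep 17 00:00:00 2001
-From: Christian Brauner <christian.brauner@××××××.com>
-Date: Mon, 30 Oct 2017 14:17:20 +0100
-Subject: [PATCH] cgfsng: fix cgroup2 detection
-
-Signed-off-by: Christian Brauner <christian.brauner@××××××.com>
----
- src/lxc/cgroups/cgfsng.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
-index 897336f0..e43edd7d 100644
---- a/src/lxc/cgroups/cgfsng.c
-+++ b/src/lxc/cgroups/cgfsng.c
-@@ -815,7 +815,7 @@ static void add_controller(char **clist, char *mountpoint, char *base_cgroup)
- new->fullcgpath = NULL;
-
- /* record if this is the cgroup v2 hierarchy */
-- if (!strcmp(base_cgroup, "cgroup2"))
-+ if (clist && !strcmp(*clist, "cgroup2"))
- new->is_cgroup_v2 = true;
- else
- new->is_cgroup_v2 = false;
---
-2.13.6
-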