commit: 4dc7966809327f076560b08c54b9823c05a53472 |
Author: Joonas Niilola <juippis <AT> gentoo <DOT> org> |
AuthorDate: Mon Oct 4 05:35:35 2021 +0000 |
Commit: Joonas Niilola <juippis <AT> gentoo <DOT> org> |
CommitDate: Mon Oct 4 05:40:20 2021 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4dc79668 |
|
app-emulation/lxc: drop 4.0.9-r1 |
|
Signed-off-by: Joonas Niilola <juippis <AT> gentoo.org> |
|
app-emulation/lxc/Manifest | 2 - |
...lxc-4.0.9-handle-kernels-with-CAP_SETFCAP.patch | 93 ----------- |
app-emulation/lxc/lxc-4.0.9-r1.ebuild | 174 --------------------- |
3 files changed, 269 deletions(-) |
|
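diff --git a/app-emulation/lxc/Manifest b/app-emulation/lxc/Manifest
index 09e200675c9..4733a92e509 100644
--- a/app-emulation/lxc/Manifest
+++ b/app-emulation/lxc/Manifest
@@ -1,4 +1,2 @@
 DIST lxc-4.0.10.tar.gz 1515002 BLAKE2B 2a5b94ad767c8a11a5c34d19f12d812bd284337045ad5021c80a5f69be608085ac465edde8c385cc558e45638c9f061793c0c9db616ccbe0614554b4fbf62005 SHA512 ec3ccf344a91b50b30985562c54ad93d2db2d29c24d31da8e3a69e801c8bd23c1560274c1850c39eb7e984940ba86d3ebae75db136320d6bbc5eb03bda4c5318
 DIST lxc-4.0.10.tar.gz.asc 833 BLAKE2B 3dd6e8793d1b725ab9eb73d4fa78ce2767bf830fb70d6cc7052e70d2adbc46e4fcf6d986595322b64cb9c71417b801ef6ee3c7612c46dbeb10acba01a5bd69e0 SHA512 dd2d3ac4e066eca4e0358c9a2c371a227d3a0b5cf6e452fe34fa5c8cff46e25fa0555c9f707511a8603348fa969c1e7abf85ad7d27fdcaff613b733066861608
-DIST lxc-4.0.9.tar.gz 1500310 BLAKE2B 3796d36b6f76ec595dc28207e66ec9f5a7c1a39f5c5ebc851638c519be35f59b4ec06a71b2866cd8fef0a6140f61fd4b70c900f5a8ffd42d7da7a30d3ff59975 SHA512 4ef9d9efdd4118fdffde8b49c6ae71cf5eb060be51daaa4f4ceb804c743fbf3278e6518e6a694faefc720f2834f98ac48d67842d589a2120b8f7ec4c3b61fa84
-DIST lxc-4.0.9.tar.gz.asc 833 BLAKE2B 2d275c968831410d987aa7f8062f4e35ba15043f92f38fd3bdd6bf80964906741d05ccd93789132d421ee1c8778cec6a2e76c4f0eb2165cf0107261495fa6856 SHA512 4c90dfbdba90959ee8df5da8ca8b240f65ab03ab91637833c677e2a73592c09f9c5a55b9a261be6efb0888156c916223ff1aa9003b18d46e667908aaa550c944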
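diff --git a/app-emulation/lxc/files/lxc-4.0.9-handle-kernels-with-CAP_SETFCAP.patch b/app-emulation/lxc/files/lxc-4.0.9-handle-kernels-with-CAP_SETFCAP.patch
deleted file mode 100644
index 6fba3c4154a..00000000000
--- a/app-emulation/lxc/files/lxc-4.0.9-handle-kernels-with-CAP_SETFCAP.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From 91ad9b94bcd964adfbaa8d84d8f39304d39835d0 Mon Sep 17 00:00:00 2001
-From: Christian Brauner <christian.brauner@××××××.com>
-Date: Thu, 6 May 2021 18:16:45 +0200
-Subject: [PATCH] conf: handle kernels with CAP_SETFCAP
-
-LXC is being very clever and sometimes maps the caller's uid into the
-child userns. This means that the caller can technically write fscaps
-that are valid in the ancestor userns (which can be a security issue in
-some scenarios) so newer kernels require CAP_SETFCAP to do this. Until
-newuidmap/newgidmap are updated to account for this simply write the
-mapping directly in this case.
-
-Cc: stable-4.0
-Signed-off-by: Christian Brauner <christian.brauner@××××××.com>
----
- src/lxc/conf.c | 25 ++++++++++++++++++++-----
- 1 file changed, 20 insertions(+), 5 deletions(-)
-
-diff --git a/src/lxc/conf.c b/src/lxc/conf.c
-index 72e21b5300..f388946970 100644
---- a/src/lxc/conf.c
-+++ b/src/lxc/conf.c
-@@ -2978,6 +2978,9 @@ static int lxc_map_ids_exec_wrapper(void *args)
- return -1;
- }
-
-+static struct id_map *find_mapped_hostid_entry(const struct lxc_list *idmap,
-+ unsigned id, enum idtype idtype);
-+
- int lxc_map_ids(struct lxc_list *idmap, pid_t pid)
- {
- int fill, left;
-@@ -2991,12 +2994,22 @@ int lxc_map_ids(struct lxc_list *idmap, pid_t pid)
- char mapbuf[STRLITERALLEN("new@idmap") + STRLITERALLEN(" ") +
- INTTYPE_TO_STRLEN(pid_t) + STRLITERALLEN(" ") +
- LXC_IDMAPLEN] = {0};
-- bool had_entry = false, use_shadow = false;
-+ bool had_entry = false, maps_host_root = false, use_shadow = false;
- int hostuid, hostgid;
-
- hostuid = geteuid();
- hostgid = getegid();
-
-+ /*
-+ * Check whether caller wants to map host root.
-+ * Due to a security fix newer kernels require CAP_SETFCAP when mapping
-+ * host root into the child userns as you would be able to write fscaps
-+ * that would be valid in the ancestor userns. Mapping host root should
-+ * rarely be the case but LXC is being clever in a bunch of cases.
-+ */
-+ if (find_mapped_hostid_entry(idmap, 0, ID_TYPE_UID))
-+ maps_host_root = true;
-+
- /* If new{g,u}idmap exists, that is, if shadow is handing out subuid
- * ranges, then insist that root also reserve ranges in subuid. This
- * will protected it by preventing another user from being handed the
-@@ -3014,7 +3027,9 @@ int lxc_map_ids(struct lxc_list *idmap, pid_t pid)
- else if (!gidmap)
- WARN("newgidmap is lacking necessary privileges");
-
-- if (uidmap > 0 && gidmap > 0) {
-+ if (maps_host_root) {
-+ INFO("Caller maps host root. Writing mapping directly");
-+ } else if (uidmap > 0 && gidmap > 0) {
- DEBUG("Functional newuidmap and newgidmap binary found");
- use_shadow = true;
- } else {
-@@ -4229,14 +4244,14 @@ static struct id_map *mapped_nsid_add(const struct lxc_conf *conf, unsigned id,
- return retmap;
- }
-
--static struct id_map *find_mapped_hostid_entry(const struct lxc_conf *conf,
-+static struct id_map *find_mapped_hostid_entry(const struct lxc_list *idmap,
- unsigned id, enum idtype idtype)
- {
- struct id_map *map;
- struct lxc_list *it;
- struct id_map *retmap = NULL;
-
-- lxc_list_for_each (it, &conf->id_map) {
-+ lxc_list_for_each (it, idmap) {
- map = it->elem;
- if (map->idtype != idtype)
- continue;
-@@ -4265,7 +4280,7 @@ static struct id_map *mapped_hostid_add(const struct lxc_conf *conf, uid_t id,
- return NULL;
-
- /* Reuse existing mapping. */
-- tmp = find_mapped_hostid_entry(conf, id, type);
-+ tmp = find_mapped_hostid_entry(&conf->id_map, id, type);
- if (tmp) {
- memcpy(entry, tmp, sizeof(*entry));
- } else {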
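diff --git a/app-emulation/lxc/lxc-4.0.9-r1.ebuild b/app-emulation/lxc/lxc-4.0.9-r1.ebuild
deleted file mode 100644
index 243fd583e98..00000000000
--- a/app-emulation/lxc/lxc-4.0.9-r1.ebuild
+++ /dev/null
@@ -1,174 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit autotools bash-completion-r1 linux-info flag-o-matic optfeature pam readme.gentoo-r1 systemd verify-sig
-
-DESCRIPTION="A userspace interface for the Linux kernel containment features"
-HOMEPAGE="https://linuxcontainers.org/ https://github.com/lxc/lxc"
-SRC_URI="https://linuxcontainers.org/downloads/lxc/${P}.tar.gz
- verify-sig? ( https://linuxcontainers.org/downloads/lxc/${P}.tar.gz.asc )"
-
-KEYWORDS="amd64 ~arm ~arm64 ~ppc64 x86"
-
-LICENSE="LGPL-3"
-SLOT="0"
-IUSE="apparmor +caps doc man pam selinux +ssl +tools verify-sig"
-
-RDEPEND="acct-group/lxc
- acct-user/lxc
- app-misc/pax-utils
- sys-apps/util-linux
- sys-libs/libcap
- sys-libs/libseccomp
- virtual/awk
- caps? ( sys-libs/libcap )
- pam? ( sys-libs/pam )
- selinux? ( sys-libs/libselinux )
- ssl? (
- dev-libs/openssl:0=
- )"
-DEPEND="${RDEPEND}
- >=sys-kernel/linux-headers-4
- apparmor? ( sys-apps/apparmor )"
-BDEPEND="doc? ( app-doc/doxygen )
- man? ( app-text/docbook-sgml-utils )
- verify-sig? ( app-crypt/openpgp-keys-linuxcontainers )"
-
-CONFIG_CHECK="~!NETPRIO_CGROUP
- ~CGROUPS
- ~CGROUP_CPUACCT
- ~CGROUP_DEVICE
- ~CGROUP_FREEZER
-
- ~CGROUP_SCHED
- ~CPUSETS
- ~IPC_NS
- ~MACVLAN
-
- ~MEMCG
- ~NAMESPACES
- ~NET_NS
- ~PID_NS
-
- ~POSIX_MQUEUE
- ~USER_NS
- ~UTS_NS
- ~VETH"
-
-ERROR_CGROUP_FREEZER="CONFIG_CGROUP_FREEZER: needed to freeze containers"
-ERROR_MACVLAN="CONFIG_MACVLAN: needed for internal (inter-container) networking"
-ERROR_MEMCG="CONFIG_MEMCG: needed for memory resource control in containers"
-ERROR_NET_NS="CONFIG_NET_NS: needed for unshared network"
-ERROR_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE: needed for lxc-execute command"
-ERROR_UTS_NS="CONFIG_UTS_NS: needed to unshare hostnames and uname info"
-ERROR_VETH="CONFIG_VETH: needed for internal (host-to-container) networking"
-
-DOCS=( AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt )
-
-pkg_setup() {
- linux-info_pkg_setup
-}
-
-PATCHES=(
- "${FILESDIR}"/lxc-4.0.9-handle-kernels-with-CAP_SETFCAP.patch # bug 789012
- "${FILESDIR}"/${PN}-3.0.0-bash-completion.patch
- "${FILESDIR}"/${PN}-2.0.5-omit-sysconfig.patch # bug 558854
-)
-
-VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/linuxcontainers.asc
-
-src_prepare() {
- default
- eautoreconf
-}
-
-src_configure() {
- append-flags -fno-strict-aliasing
-
- local myeconfargs=(
- --bindir=/usr/bin
- --localstatedir=/var
- --sbindir=/usr/bin
-
- --with-config-path=/var/lib/lxc
- --with-distro=gentoo
- --with-init-script=systemd
- --with-rootfs-path=/var/lib/lxc/rootfs
- --with-runtime-path=/run
- --with-systemdsystemunitdir=$(systemd_get_systemunitdir)
-
- --disable-coverity-build
- --disable-dlog
- --disable-fuzzers
- --disable-mutex-debugging
- --disable-no-undefined
- --disable-rpath
- --disable-sanitizers
- --disable-tests
- --disable-werror
-
- --enable-bash
- --enable-commands
- --enable-memfd-rexec
- --enable-seccomp
- --enable-thread-safety
-
- $(use_enable apparmor)
- $(use_enable caps capabilities)
- $(use_enable doc api-docs)
- $(use_enable doc examples)
- $(use_enable man doc)
- $(use_enable pam)
- $(use_enable selinux)
- $(use_enable ssl openssl)
- $(use_enable tools)
-
- $(use_with pam pamdir $(getpam_mod_dir))
- )
-
- econf "${myeconfargs[@]}"
-}
-
-src_install() {
- default
-
- mv "${ED}"/usr/share/bash-completion/completions/${PN} "${ED}"/$(get_bashcompdir)/${PN}-start || die
- bashcomp_alias ${PN}-start \
- ${PN}-{attach,cgroup,copy,console,create,destroy,device,execute,freeze,info,monitor,snapshot,stop,unfreeze,wait}
-
- keepdir /etc/lxc /var/lib/lxc/rootfs /var/log/lxc
- rmdir "${D}"/var/cache/lxc "${D}"/var/cache || die "rmdir failed"
-
- find "${D}" -name '*.la' -delete -o -name '*.a' -delete || die
-
- # Gentoo-specific additions!
- newinitd "${FILESDIR}/${PN}.initd.8" ${PN}
-
- # Remember to compare our systemd unit file with the upstream one
- # config/init/systemd/lxc.service.in
- systemd_newunit "${FILESDIR}"/${PN}_at.service.4.0.0 "lxc@.service"
-
- DOC_CONTENTS="
- For openrc, there is an init script provided with the package.
- You should only need to symlink /etc/init.d/lxc to
- /etc/init.d/lxc.configname to start the container defined in
- /etc/lxc/configname.conf.
-
- Correspondingly, for systemd a service file lxc@.service is installed.
- Enable and start lxc@configname in order to start the container defined
- in /etc/lxc/configname.conf."
- DISABLE_AUTOFORMATTING=true
- readme.gentoo_create_doc
-}
-
-pkg_postinst() {
- readme.gentoo_print_elog
-
- elog "Please run 'lxc-checkconfig' to see optional kernel features."
- elog
- optfeature "automatic template scripts" app-emulation/lxc-templates
- optfeature "Debian-based distribution container image support" dev-util/debootstrap
- optfeature "snapshot & restore functionality" sys-process/criu
-}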