| 1 |
commit: 29dedb39a6a6587a6d71b11444de28f24a98b0bb |
| 2 |
Author: Virgil Dupras <vdupras <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Sun Aug 5 15:11:40 2018 +0000 |
| 4 |
Commit: Virgil Dupras <vdupras <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Mon Aug 6 16:08:11 2018 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=29dedb39 |
| 7 |
|
| 8 |
app-emulation/lxc: fix CVE-2018-6556 |
| 9 |
|
| 10 |
Apply patches from upstream. In the case of the 2.1.1 patch, I had to |
| 11 |
modify it to make the code compile. See ADDENDUM in patch. |
| 12 |
|
| 13 |
Bug: https://bugs.gentoo.org/662780 |
| 14 |
Package-Manager: Portage-2.3.44, Repoman-2.3.10 |
| 15 |
|
| 16 |
.../lxc/files/lxc-2.1.1-cve-2018-6556.patch | 118 +++++++++++ |
| 17 |
.../lxc/files/lxc-3.0.1-cve-2018-6556.patch | 110 +++++++++++ |
| 18 |
app-emulation/lxc/lxc-2.1.1-r1.ebuild | 215 +++++++++++++++++++++ |
| 19 |
app-emulation/lxc/lxc-3.0.1-r1.ebuild | 163 ++++++++++++++++ |
| 20 |
4 files changed, 606 insertions(+) |
| 21 |
|
| 22 |
diff --git a/app-emulation/lxc/files/lxc-2.1.1-cve-2018-6556.patch b/app-emulation/lxc/files/lxc-2.1.1-cve-2018-6556.patch |
| 23 |
new file mode 100644 |
| 24 |
index 00000000000..bad1e274527 |
| 25 |
--- /dev/null |
| 26 |
+++ b/app-emulation/lxc/files/lxc-2.1.1-cve-2018-6556.patch |
| 27 |
@@ -0,0 +1,118 @@ |
| 28 |
+From d183654ec1a2cd1149bdb92601ccb7246bddb14e Mon Sep 17 00:00:00 2001 |
| 29 |
+From: Christian Brauner <christian.brauner@××××××.com> |
| 30 |
+Date: Wed, 25 Jul 2018 19:56:54 +0200 |
| 31 |
+Subject: [PATCH] CVE 2018-6556: verify netns fd in lxc-user-nic |
| 32 |
+ |
| 33 |
+Signed-off-by: Christian Brauner <christian.brauner@××××××.com> |
| 34 |
+--- |
| 35 |
+ src/lxc/lxc_user_nic.c | 35 ++++++++++++++++++++++++++++++++--- |
| 36 |
+ src/lxc/utils.c | 12 ++++++++++++ |
| 37 |
+ src/lxc/utils.h | 5 +++++ |
| 38 |
+ 3 files changed, 49 insertions(+), 3 deletions(-) |
| 39 |
+ |
| 40 |
+ADDENDUM from vdupras@g.o: Original patch from Christian didn't |
| 41 |
+include LXC_PROC_PID_FD_LEN define, but referenced it. This resulted in |
| 42 |
+code that doesn't compile. I fetched the definition from the stable-3.0 |
| 43 |
+branch and included it to this patch. Also, this diff is regenerated |
| 44 |
+from lxc-2.1.1 tag instead of stable-2.0 branch. |
| 45 |
+ |
| 46 |
+diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c |
| 47 |
+index 6f550f0d..09a342ac 100644 |
| 48 |
+--- a/src/lxc/lxc_user_nic.c |
| 49 |
++++ b/src/lxc/lxc_user_nic.c |
| 50 |
+@@ -1124,12 +1124,41 @@ int main(int argc, char *argv[]) |
| 51 |
+ exit(EXIT_FAILURE); |
| 52 |
+ } |
| 53 |
+ } else if (request == LXC_USERNIC_DELETE) { |
| 54 |
+- netns_fd = open(args.pid, O_RDONLY); |
| 55 |
++ char opath[LXC_PROC_PID_FD_LEN]; |
| 56 |
++ |
| 57 |
++ /* Open the path with O_PATH which will not trigger an actual |
| 58 |
++ * open(). Don't report an errno to the caller to not leak |
| 59 |
++ * information whether the path exists or not. |
| 60 |
++ * When stracing setuid is stripped so this is not a concern |
| 61 |
++ * either. |
| 62 |
++ */ |
| 63 |
++ netns_fd = open(args.pid, O_PATH | O_CLOEXEC); |
| 64 |
+ if (netns_fd < 0) { |
| 65 |
+- usernic_error("Could not open \"%s\": %s\n", args.pid, |
| 66 |
+- strerror(errno)); |
| 67 |
++ usernic_error("Failed to open \"%s\"\n", args.pid); |
| 68 |
+ exit(EXIT_FAILURE); |
| 69 |
+ } |
| 70 |
++ |
| 71 |
++ if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) { |
| 72 |
++ usernic_error("Path \"%s\" does not refer to a network namespace path\n", args.pid); |
| 73 |
++ close(netns_fd); |
| 74 |
++ exit(EXIT_FAILURE); |
| 75 |
++ } |
| 76 |
++ |
| 77 |
++ ret = snprintf(opath, sizeof(opath), "/proc/self/fd/%d", netns_fd); |
| 78 |
++ if (ret < 0 || (size_t)ret >= sizeof(opath)) { |
| 79 |
++ close(netns_fd); |
| 80 |
++ exit(EXIT_FAILURE); |
| 81 |
++ } |
| 82 |
++ |
| 83 |
++ /* Now get an fd that we can use in setns() calls. */ |
| 84 |
++ ret = open(opath, O_RDONLY | O_CLOEXEC); |
| 85 |
++ if (ret < 0) { |
| 86 |
++ usernic_error("Failed to open \"%s\": %s\n", args.pid, strerror(errno)); |
| 87 |
++ close(netns_fd); |
| 88 |
++ exit(EXIT_FAILURE); |
| 89 |
++ } |
| 90 |
++ close(netns_fd); |
| 91 |
++ netns_fd = ret; |
| 92 |
+ } |
| 93 |
+ |
| 94 |
+ if (!create_db_dir(LXC_USERNIC_DB)) { |
| 95 |
+diff --git a/src/lxc/utils.c b/src/lxc/utils.c |
| 96 |
+index e6a44a51..c2a08a9d 100644 |
| 97 |
+--- a/src/lxc/utils.c |
| 98 |
++++ b/src/lxc/utils.c |
| 99 |
+@@ -2380,6 +2380,18 @@ bool has_fs_type(const char *path, fs_type_magic magic_val) |
| 100 |
+ return has_type; |
| 101 |
+ } |
| 102 |
+ |
| 103 |
++bool fhas_fs_type(int fd, fs_type_magic magic_val) |
| 104 |
++{ |
| 105 |
++ int ret; |
| 106 |
++ struct statfs sb; |
| 107 |
++ |
| 108 |
++ ret = fstatfs(fd, &sb); |
| 109 |
++ if (ret < 0) |
| 110 |
++ return false; |
| 111 |
++ |
| 112 |
++ return is_fs_type(&sb, magic_val); |
| 113 |
++} |
| 114 |
++ |
| 115 |
+ bool lxc_nic_exists(char *nic) |
| 116 |
+ { |
| 117 |
+ #define __LXC_SYS_CLASS_NET_LEN 15 + IFNAMSIZ + 1 |
| 118 |
+diff --git a/src/lxc/utils.h b/src/lxc/utils.h |
| 119 |
+index e83ed49e..06ec74d7 100644 |
| 120 |
+--- a/src/lxc/utils.h |
| 121 |
++++ b/src/lxc/utils.h |
| 122 |
+@@ -46,11 +46,16 @@ |
| 123 |
+ #define __S_ISTYPE(mode, mask) (((mode)&S_IFMT) == (mask)) |
| 124 |
+ #endif |
| 125 |
+ |
| 126 |
++#ifndef NSFS_MAGIC |
| 127 |
++#define NSFS_MAGIC 0x6e736673 |
| 128 |
++#endif |
| 129 |
++ |
| 130 |
+ /* Useful macros */ |
| 131 |
+ /* Maximum number for 64 bit integer is a string with 21 digits: 2^64 - 1 = 21 */ |
| 132 |
+ #define LXC_NUMSTRLEN64 21 |
| 133 |
+ #define LXC_LINELEN 4096 |
| 134 |
+ #define LXC_IDMAPLEN 4096 |
| 135 |
++#define LXC_PROC_PID_FD_LEN (6 + LXC_NUMSTRLEN64 + 4 + LXC_NUMSTRLEN64 + 1) |
| 136 |
+ |
| 137 |
+ /* returns 1 on success, 0 if there were any failures */ |
| 138 |
+ extern int lxc_rmdir_onedev(char *path, const char *exclude); |
| 139 |
+@@ -402,6 +407,7 @@ extern void *must_realloc(void *orig, size_t sz); |
| 140 |
+ /* __typeof__ should be safe to use with all compilers. */ |
| 141 |
+ typedef __typeof__(((struct statfs *)NULL)->f_type) fs_type_magic; |
| 142 |
+ extern bool has_fs_type(const char *path, fs_type_magic magic_val); |
| 143 |
++extern bool fhas_fs_type(int fd, fs_type_magic magic_val); |
| 144 |
+ extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val); |
| 145 |
+ extern bool lxc_nic_exists(char *nic); |
| 146 |
|
| 147 |
diff --git a/app-emulation/lxc/files/lxc-3.0.1-cve-2018-6556.patch b/app-emulation/lxc/files/lxc-3.0.1-cve-2018-6556.patch |
| 148 |
new file mode 100644 |
| 149 |
index 00000000000..198e835e6c5 |
| 150 |
--- /dev/null |
| 151 |
+++ b/app-emulation/lxc/files/lxc-3.0.1-cve-2018-6556.patch |
| 152 |
@@ -0,0 +1,110 @@ |
| 153 |
+From f2314625c5702cfd25974929599fa439bdac8bdf Mon Sep 17 00:00:00 2001 |
| 154 |
+From: Christian Brauner <christian.brauner@××××××.com> |
| 155 |
+Date: Wed, 25 Jul 2018 19:56:54 +0200 |
| 156 |
+Subject: [PATCH] CVE 2018-6556: verify netns fd in lxc-user-nic |
| 157 |
+ |
| 158 |
+Signed-off-by: Christian Brauner <christian.brauner@××××××.com> |
| 159 |
+--- |
| 160 |
+ src/lxc/cmd/lxc_user_nic.c | 35 ++++++++++++++++++++++++++++++++--- |
| 161 |
+ src/lxc/utils.c | 12 ++++++++++++ |
| 162 |
+ src/lxc/utils.h | 5 +++++ |
| 163 |
+ 3 files changed, 49 insertions(+), 3 deletions(-) |
| 164 |
+ |
| 165 |
+diff --git a/src/lxc/cmd/lxc_user_nic.c b/src/lxc/cmd/lxc_user_nic.c |
| 166 |
+index ec9cd97e..c5beb6c8 100644 |
| 167 |
+--- a/src/lxc/cmd/lxc_user_nic.c |
| 168 |
++++ b/src/lxc/cmd/lxc_user_nic.c |
| 169 |
+@@ -1179,12 +1179,41 @@ int main(int argc, char *argv[]) |
| 170 |
+ exit(EXIT_FAILURE); |
| 171 |
+ } |
| 172 |
+ } else if (request == LXC_USERNIC_DELETE) { |
| 173 |
+- netns_fd = open(args.pid, O_RDONLY); |
| 174 |
++ char opath[LXC_PROC_PID_FD_LEN]; |
| 175 |
++ |
| 176 |
++ /* Open the path with O_PATH which will not trigger an actual |
| 177 |
++ * open(). Don't report an errno to the caller to not leak |
| 178 |
++ * information whether the path exists or not. |
| 179 |
++ * When stracing setuid is stripped so this is not a concern |
| 180 |
++ * either. |
| 181 |
++ */ |
| 182 |
++ netns_fd = open(args.pid, O_PATH | O_CLOEXEC); |
| 183 |
+ if (netns_fd < 0) { |
| 184 |
+- usernic_error("Could not open \"%s\": %s\n", args.pid, |
| 185 |
+- strerror(errno)); |
| 186 |
++ usernic_error("Failed to open \"%s\"\n", args.pid); |
| 187 |
++ exit(EXIT_FAILURE); |
| 188 |
++ } |
| 189 |
++ |
| 190 |
++ if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) { |
| 191 |
++ usernic_error("Path \"%s\" does not refer to a network namespace path\n", args.pid); |
| 192 |
++ close(netns_fd); |
| 193 |
++ exit(EXIT_FAILURE); |
| 194 |
++ } |
| 195 |
++ |
| 196 |
++ ret = snprintf(opath, sizeof(opath), "/proc/self/fd/%d", netns_fd); |
| 197 |
++ if (ret < 0 || (size_t)ret >= sizeof(opath)) { |
| 198 |
++ close(netns_fd); |
| 199 |
++ exit(EXIT_FAILURE); |
| 200 |
++ } |
| 201 |
++ |
| 202 |
++ /* Now get an fd that we can use in setns() calls. */ |
| 203 |
++ ret = open(opath, O_RDONLY | O_CLOEXEC); |
| 204 |
++ if (ret < 0) { |
| 205 |
++ usernic_error("Failed to open \"%s\": %s\n", args.pid, strerror(errno)); |
| 206 |
++ close(netns_fd); |
| 207 |
+ exit(EXIT_FAILURE); |
| 208 |
+ } |
| 209 |
++ close(netns_fd); |
| 210 |
++ netns_fd = ret; |
| 211 |
+ } |
| 212 |
+ |
| 213 |
+ if (!create_db_dir(LXC_USERNIC_DB)) { |
| 214 |
+diff --git a/src/lxc/utils.c b/src/lxc/utils.c |
| 215 |
+index 26f1b058..69d362dc 100644 |
| 216 |
+--- a/src/lxc/utils.c |
| 217 |
++++ b/src/lxc/utils.c |
| 218 |
+@@ -2548,6 +2548,18 @@ bool has_fs_type(const char *path, fs_type_magic magic_val) |
| 219 |
+ return has_type; |
| 220 |
+ } |
| 221 |
+ |
| 222 |
++bool fhas_fs_type(int fd, fs_type_magic magic_val) |
| 223 |
++{ |
| 224 |
++ int ret; |
| 225 |
++ struct statfs sb; |
| 226 |
++ |
| 227 |
++ ret = fstatfs(fd, &sb); |
| 228 |
++ if (ret < 0) |
| 229 |
++ return false; |
| 230 |
++ |
| 231 |
++ return is_fs_type(&sb, magic_val); |
| 232 |
++} |
| 233 |
++ |
| 234 |
+ bool lxc_nic_exists(char *nic) |
| 235 |
+ { |
| 236 |
+ #define __LXC_SYS_CLASS_NET_LEN 15 + IFNAMSIZ + 1 |
| 237 |
+diff --git a/src/lxc/utils.h b/src/lxc/utils.h |
| 238 |
+index 7d672b77..fedc395b 100644 |
| 239 |
+--- a/src/lxc/utils.h |
| 240 |
++++ b/src/lxc/utils.h |
| 241 |
+@@ -95,6 +95,10 @@ |
| 242 |
+ #define CGROUP2_SUPER_MAGIC 0x63677270 |
| 243 |
+ #endif |
| 244 |
+ |
| 245 |
++#ifndef NSFS_MAGIC |
| 246 |
++#define NSFS_MAGIC 0x6e736673 |
| 247 |
++#endif |
| 248 |
++ |
| 249 |
+ /* Useful macros */ |
| 250 |
+ /* Maximum number for 64 bit integer is a string with 21 digits: 2^64 - 1 = 21 */ |
| 251 |
+ #define LXC_NUMSTRLEN64 21 |
| 252 |
+@@ -581,6 +585,7 @@ extern void *must_realloc(void *orig, size_t sz); |
| 253 |
+ /* __typeof__ should be safe to use with all compilers. */ |
| 254 |
+ typedef __typeof__(((struct statfs *)NULL)->f_type) fs_type_magic; |
| 255 |
+ extern bool has_fs_type(const char *path, fs_type_magic magic_val); |
| 256 |
++extern bool fhas_fs_type(int fd, fs_type_magic magic_val); |
| 257 |
+ extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val); |
| 258 |
+ extern bool lxc_nic_exists(char *nic); |
| 259 |
+ extern int lxc_make_tmpfile(char *template, bool rm); |
| 260 |
+-- |
| 261 |
+2.17.1 |
| 262 |
+ |
| 263 |
|
| 264 |
diff --git a/app-emulation/lxc/lxc-2.1.1-r1.ebuild b/app-emulation/lxc/lxc-2.1.1-r1.ebuild |
| 265 |
new file mode 100644 |
| 266 |
index 00000000000..e5915426973 |
| 267 |
--- /dev/null |
| 268 |
+++ b/app-emulation/lxc/lxc-2.1.1-r1.ebuild |
| 269 |
@@ -0,0 +1,215 @@ |
| 270 |
+# Copyright 1999-2018 Gentoo Foundation |
| 271 |
+# Distributed under the terms of the GNU General Public License v2 |
| 272 |
+ |
| 273 |
+EAPI=6 |
| 274 |
+ |
| 275 |
+PYTHON_COMPAT=( python3_{4,5,6} ) |
| 276 |
+DISTUTILS_OPTIONAL=1 |
| 277 |
+ |
| 278 |
+inherit autotools bash-completion-r1 distutils-r1 linux-info versionator flag-o-matic systemd readme.gentoo-r1 |
| 279 |
+DESCRIPTION="LinuX Containers userspace utilities" |
| 280 |
+HOMEPAGE="https://linuxcontainers.org/" |
| 281 |
+SRC_URI="https://linuxcontainers.org/downloads/lxc/${P}.tar.gz" |
| 282 |
+ |
| 283 |
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~x86" |
| 284 |
+ |
| 285 |
+LICENSE="LGPL-3" |
| 286 |
+SLOT="0" |
| 287 |
+IUSE="cgmanager examples lua python seccomp selinux" |
| 288 |
+ |
| 289 |
+RDEPEND=" |
| 290 |
+ net-libs/gnutls |
| 291 |
+ sys-libs/libcap |
| 292 |
+ cgmanager? ( app-admin/cgmanager ) |
| 293 |
+ lua? ( >=dev-lang/lua-5.1:= ) |
| 294 |
+ python? ( ${PYTHON_DEPS} ) |
| 295 |
+ seccomp? ( sys-libs/libseccomp ) |
| 296 |
+ selinux? ( sys-libs/libselinux )" |
| 297 |
+ |
| 298 |
+DEPEND="${RDEPEND} |
| 299 |
+ app-text/docbook-sgml-utils |
| 300 |
+ >=sys-kernel/linux-headers-3.2" |
| 301 |
+ |
| 302 |
+RDEPEND="${RDEPEND} |
| 303 |
+ sys-apps/util-linux |
| 304 |
+ app-misc/pax-utils |
| 305 |
+ virtual/awk" |
| 306 |
+ |
| 307 |
+CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE |
| 308 |
+ ~CPUSETS ~CGROUP_CPUACCT |
| 309 |
+ ~CGROUP_SCHED |
| 310 |
+ |
| 311 |
+ ~NAMESPACES |
| 312 |
+ ~IPC_NS ~USER_NS ~PID_NS |
| 313 |
+ |
| 314 |
+ ~NETLINK_DIAG ~PACKET_DIAG |
| 315 |
+ ~INET_UDP_DIAG ~INET_TCP_DIAG |
| 316 |
+ ~UNIX_DIAG ~CHECKPOINT_RESTORE |
| 317 |
+ |
| 318 |
+ ~CGROUP_FREEZER |
| 319 |
+ ~UTS_NS ~NET_NS |
| 320 |
+ ~VETH ~MACVLAN |
| 321 |
+ |
| 322 |
+ ~POSIX_MQUEUE |
| 323 |
+ ~!NETPRIO_CGROUP |
| 324 |
+ |
| 325 |
+ ~!GRKERNSEC_CHROOT_MOUNT |
| 326 |
+ ~!GRKERNSEC_CHROOT_DOUBLE |
| 327 |
+ ~!GRKERNSEC_CHROOT_PIVOT |
| 328 |
+ ~!GRKERNSEC_CHROOT_CHMOD |
| 329 |
+ ~!GRKERNSEC_CHROOT_CAPS |
| 330 |
+ ~!GRKERNSEC_PROC |
| 331 |
+ ~!GRKERNSEC_SYSFS_RESTRICT |
| 332 |
+" |
| 333 |
+ |
| 334 |
+ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES: needed for pts inside container" |
| 335 |
+ |
| 336 |
+ERROR_CGROUP_FREEZER="CONFIG_CGROUP_FREEZER: needed to freeze containers" |
| 337 |
+ |
| 338 |
+ERROR_UTS_NS="CONFIG_UTS_NS: needed to unshare hostnames and uname info" |
| 339 |
+ERROR_NET_NS="CONFIG_NET_NS: needed for unshared network" |
| 340 |
+ |
| 341 |
+ERROR_VETH="CONFIG_VETH: needed for internal (host-to-container) networking" |
| 342 |
+ERROR_MACVLAN="CONFIG_MACVLAN: needed for internal (inter-container) networking" |
| 343 |
+ |
| 344 |
+ERROR_NETLINK_DIAG="CONFIG_NETLINK_DIAG: needed for lxc-checkpoint" |
| 345 |
+ERROR_PACKET_DIAG="CONFIG_PACKET_DIAG: needed for lxc-checkpoint" |
| 346 |
+ERROR_INET_UDP_DIAG="CONFIG_INET_UDP_DIAG: needed for lxc-checkpoint" |
| 347 |
+ERROR_INET_TCP_DIAG="CONFIG_INET_TCP_DIAG: needed for lxc-checkpoint" |
| 348 |
+ERROR_UNIX_DIAG="CONFIG_UNIX_DIAG: needed for lxc-checkpoint" |
| 349 |
+ERROR_CHECKPOINT_RESTORE="CONFIG_CHECKPOINT_RESTORE: needed for lxc-checkpoint" |
| 350 |
+ |
| 351 |
+ERROR_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE: needed for lxc-execute command" |
| 352 |
+ |
| 353 |
+ERROR_NETPRIO_CGROUP="CONFIG_NETPRIO_CGROUP: as of kernel 3.3 and lxc 0.8.0_rc1 this causes LXCs to fail booting." |
| 354 |
+ |
| 355 |
+ERROR_GRKERNSEC_CHROOT_MOUNT="CONFIG_GRKERNSEC_CHROOT_MOUNT: some GRSEC features make LXC unusable see postinst notes" |
| 356 |
+ERROR_GRKERNSEC_CHROOT_DOUBLE="CONFIG_GRKERNSEC_CHROOT_DOUBLE: some GRSEC features make LXC unusable see postinst notes" |
| 357 |
+ERROR_GRKERNSEC_CHROOT_PIVOT="CONFIG_GRKERNSEC_CHROOT_PIVOT: some GRSEC features make LXC unusable see postinst notes" |
| 358 |
+ERROR_GRKERNSEC_CHROOT_CHMOD="CONFIG_GRKERNSEC_CHROOT_CHMOD: some GRSEC features make LXC unusable see postinst notes" |
| 359 |
+ERROR_GRKERNSEC_CHROOT_CAPS="CONFIG_GRKERNSEC_CHROOT_CAPS: some GRSEC features make LXC unusable see postinst notes" |
| 360 |
+ERROR_GRKERNSEC_PROC="CONFIG_GRKERNSEC_PROC: this GRSEC feature is incompatible with unprivileged containers" |
| 361 |
+ERROR_GRKERNSEC_SYSFS_RESTRICT="CONFIG_GRKERNSEC_SYSFS_RESTRICT: this GRSEC feature is incompatible with unprivileged containers" |
| 362 |
+ |
| 363 |
+DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt) |
| 364 |
+ |
| 365 |
+REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )" |
| 366 |
+ |
| 367 |
+pkg_setup() { |
| 368 |
+ kernel_is -lt 4 7 && CONFIG_CHECK="${CONFIG_CHECK} ~DEVPTS_MULTIPLE_INSTANCES" |
| 369 |
+ linux-info_pkg_setup |
| 370 |
+} |
| 371 |
+ |
| 372 |
+src_prepare() { |
| 373 |
+ eapply "${FILESDIR}"/${PN}-2.0.6-bash-completion.patch |
| 374 |
+ #558854 |
| 375 |
+ eapply "${FILESDIR}"/${PN}-2.0.5-omit-sysconfig.patch |
| 376 |
+ eapply "${FILESDIR}"/${PN}-2.1.1-fix-cgroup2-detection.patch |
| 377 |
+ eapply "${FILESDIR}"/${PN}-2.1.1-cgroups-enable-container-without-CAP_SYS_ADMIN.patch |
| 378 |
+ eapply "${FILESDIR}"/${PN}-2.1.1-cve-2018-6556.patch |
| 379 |
+ eapply_user |
| 380 |
+ eautoreconf |
| 381 |
+} |
| 382 |
+ |
| 383 |
+src_configure() { |
| 384 |
+ append-flags -fno-strict-aliasing |
| 385 |
+ |
| 386 |
+ if use python; then |
| 387 |
+ #541932 |
| 388 |
+ python_setup "python3*" |
| 389 |
+ export PKG_CONFIG_PATH="${T}/${EPYTHON}/pkgconfig:${PKG_CONFIG_PATH}" |
| 390 |
+ fi |
| 391 |
+ |
| 392 |
+ # I am not sure about the --with-rootfs-path |
| 393 |
+ # /var/lib/lxc is probably more appropriate than |
| 394 |
+ # /usr/lib/lxc. |
| 395 |
+ # Note by holgersson: Why is apparmor disabled? |
| 396 |
+ |
| 397 |
+ # --enable-doc is for manpages which is why we don't link it to a "doc" |
| 398 |
+ # USE flag. We always want man pages. |
| 399 |
+ econf \ |
| 400 |
+ --localstatedir=/var \ |
| 401 |
+ --bindir=/usr/bin \ |
| 402 |
+ --sbindir=/usr/bin \ |
| 403 |
+ --with-config-path=/var/lib/lxc \ |
| 404 |
+ --with-rootfs-path=/var/lib/lxc/rootfs \ |
| 405 |
+ --with-distro=gentoo \ |
| 406 |
+ --with-runtime-path=/run \ |
| 407 |
+ --disable-apparmor \ |
| 408 |
+ --disable-werror \ |
| 409 |
+ --enable-doc \ |
| 410 |
+ $(use_enable cgmanager) \ |
| 411 |
+ $(use_enable examples) \ |
| 412 |
+ $(use_enable lua) \ |
| 413 |
+ $(use_enable python) \ |
| 414 |
+ $(use_enable seccomp) \ |
| 415 |
+ $(use_enable selinux) |
| 416 |
+} |
| 417 |
+ |
| 418 |
+python_compile() { |
| 419 |
+ distutils-r1_python_compile build_ext -I.. -L../lxc/.libs --no-pkg-config |
| 420 |
+} |
| 421 |
+ |
| 422 |
+src_compile() { |
| 423 |
+ default |
| 424 |
+ |
| 425 |
+ if use python; then |
| 426 |
+ pushd "${S}/src/python-${PN}" > /dev/null |
| 427 |
+ distutils-r1_src_compile |
| 428 |
+ popd > /dev/null |
| 429 |
+ fi |
| 430 |
+} |
| 431 |
+ |
| 432 |
+src_install() { |
| 433 |
+ default |
| 434 |
+ |
| 435 |
+ mv "${ED}"/usr/share/bash-completion/completions/${PN} "${ED}"/$(get_bashcompdir)/${PN}-start || die |
| 436 |
+ # start-ephemeral is no longer a command but removing it here |
| 437 |
+ # generates QA warnings (still in upstream completion script) |
| 438 |
+ bashcomp_alias ${PN}-start \ |
| 439 |
+ ${PN}-{attach,cgroup,copy,console,create,destroy,device,execute,freeze,info,monitor,snapshot,start-ephemeral,stop,unfreeze,wait} |
| 440 |
+ |
| 441 |
+ if use python; then |
| 442 |
+ pushd "${S}/src/python-lxc" > /dev/null |
| 443 |
+ # Unset DOCS. This has been handled by the default target |
| 444 |
+ unset DOCS |
| 445 |
+ distutils-r1_src_install |
| 446 |
+ popd > /dev/null |
| 447 |
+ fi |
| 448 |
+ |
| 449 |
+ keepdir /etc/lxc /var/lib/lxc/rootfs /var/log/lxc |
| 450 |
+ |
| 451 |
+ find "${D}" -name '*.la' -delete |
| 452 |
+ |
| 453 |
+ # Gentoo-specific additions! |
| 454 |
+ newinitd "${FILESDIR}/${PN}.initd.7" ${PN} |
| 455 |
+ |
| 456 |
+ # Remember to compare our systemd unit file with the upstream one |
| 457 |
+ # config/init/systemd/lxc.service.in |
| 458 |
+ systemd_newunit "${FILESDIR}"/${PN}_at.service.4 "lxc@.service" |
| 459 |
+ |
| 460 |
+ DOC_CONTENTS=" |
| 461 |
+ Starting from version ${PN}-1.1.0-r3, the default lxc path has been |
| 462 |
+ moved from /etc/lxc to /var/lib/lxc. If you still want to use /etc/lxc |
| 463 |
+ please add the following to your /etc/lxc/lxc.conf |
| 464 |
+ |
| 465 |
+ lxc.lxcpath = /etc/lxc |
| 466 |
+ |
| 467 |
+ For openrc, there is an init script provided with the package. |
| 468 |
+ You _should_ only need to symlink /etc/init.d/lxc to |
| 469 |
+ /etc/init.d/lxc.configname to start the container defined in |
| 470 |
+ /etc/lxc/configname.conf. |
| 471 |
+ |
| 472 |
+ Correspondingly, for systemd a service file lxc@.service is installed. |
| 473 |
+ Enable and start lxc@configname in order to start the container defined |
| 474 |
+ in /etc/lxc/configname.conf. |
| 475 |
+ |
| 476 |
+ If you want checkpoint/restore functionality, please install criu |
| 477 |
+ (sys-process/criu)." |
| 478 |
+ DISABLE_AUTOFORMATTING=true |
| 479 |
+ readme.gentoo_create_doc |
| 480 |
+} |
| 481 |
+ |
| 482 |
+pkg_postinst() { |
| 483 |
+ readme.gentoo_print_elog |
| 484 |
+} |
| 485 |
|
| 486 |
diff --git a/app-emulation/lxc/lxc-3.0.1-r1.ebuild b/app-emulation/lxc/lxc-3.0.1-r1.ebuild |
| 487 |
new file mode 100644 |
| 488 |
index 00000000000..be0d3a86f25 |
| 489 |
--- /dev/null |
| 490 |
+++ b/app-emulation/lxc/lxc-3.0.1-r1.ebuild |
| 491 |
@@ -0,0 +1,163 @@ |
| 492 |
+# Copyright 1999-2018 Gentoo Foundation |
| 493 |
+# Distributed under the terms of the GNU General Public License v2 |
| 494 |
+ |
| 495 |
+EAPI=6 |
| 496 |
+ |
| 497 |
+inherit autotools bash-completion-r1 linux-info flag-o-matic systemd readme.gentoo-r1 pam |
| 498 |
+ |
| 499 |
+DESCRIPTION="LinuX Containers userspace utilities" |
| 500 |
+HOMEPAGE="https://linuxcontainers.org/" |
| 501 |
+SRC_URI="https://linuxcontainers.org/downloads/lxc/${P}.tar.gz" |
| 502 |
+ |
| 503 |
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~x86" |
| 504 |
+ |
| 505 |
+LICENSE="LGPL-3" |
| 506 |
+SLOT="0" |
| 507 |
+IUSE="examples pam python seccomp selinux +templates" |
| 508 |
+ |
| 509 |
+RDEPEND=" |
| 510 |
+ net-libs/gnutls |
| 511 |
+ sys-libs/libcap |
| 512 |
+ pam? ( virtual/pam ) |
| 513 |
+ seccomp? ( sys-libs/libseccomp ) |
| 514 |
+ selinux? ( sys-libs/libselinux )" |
| 515 |
+ |
| 516 |
+DEPEND="${RDEPEND} |
| 517 |
+ >=app-text/docbook-sgml-utils-0.6.14-r2 |
| 518 |
+ >=sys-kernel/linux-headers-3.2" |
| 519 |
+ |
| 520 |
+RDEPEND="${RDEPEND} |
| 521 |
+ sys-apps/util-linux |
| 522 |
+ app-misc/pax-utils |
| 523 |
+ virtual/awk" |
| 524 |
+ |
| 525 |
+PDEPEND="templates? ( app-emulation/lxc-templates ) |
| 526 |
+ python? ( dev-python/python3-lxc )" |
| 527 |
+ |
| 528 |
+CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE |
| 529 |
+ ~CPUSETS ~CGROUP_CPUACCT |
| 530 |
+ ~CGROUP_SCHED |
| 531 |
+ |
| 532 |
+ ~NAMESPACES |
| 533 |
+ ~IPC_NS ~USER_NS ~PID_NS |
| 534 |
+ |
| 535 |
+ ~CGROUP_FREEZER |
| 536 |
+ ~UTS_NS ~NET_NS |
| 537 |
+ ~VETH ~MACVLAN |
| 538 |
+ |
| 539 |
+ ~POSIX_MQUEUE |
| 540 |
+ ~!NETPRIO_CGROUP |
| 541 |
+ |
| 542 |
+ ~!GRKERNSEC_CHROOT_MOUNT |
| 543 |
+ ~!GRKERNSEC_CHROOT_DOUBLE |
| 544 |
+ ~!GRKERNSEC_CHROOT_PIVOT |
| 545 |
+ ~!GRKERNSEC_CHROOT_CHMOD |
| 546 |
+ ~!GRKERNSEC_CHROOT_CAPS |
| 547 |
+ ~!GRKERNSEC_PROC |
| 548 |
+ ~!GRKERNSEC_SYSFS_RESTRICT |
| 549 |
+" |
| 550 |
+ |
| 551 |
+ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES: needed for pts inside container" |
| 552 |
+ |
| 553 |
+ERROR_CGROUP_FREEZER="CONFIG_CGROUP_FREEZER: needed to freeze containers" |
| 554 |
+ |
| 555 |
+ERROR_UTS_NS="CONFIG_UTS_NS: needed to unshare hostnames and uname info" |
| 556 |
+ERROR_NET_NS="CONFIG_NET_NS: needed for unshared network" |
| 557 |
+ |
| 558 |
+ERROR_VETH="CONFIG_VETH: needed for internal (host-to-container) networking" |
| 559 |
+ERROR_MACVLAN="CONFIG_MACVLAN: needed for internal (inter-container) networking" |
| 560 |
+ |
| 561 |
+ERROR_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE: needed for lxc-execute command" |
| 562 |
+ |
| 563 |
+ERROR_NETPRIO_CGROUP="CONFIG_NETPRIO_CGROUP: as of kernel 3.3 and lxc 0.8.0_rc1 this causes LXCs to fail booting." |
| 564 |
+ |
| 565 |
+ERROR_GRKERNSEC_CHROOT_MOUNT="CONFIG_GRKERNSEC_CHROOT_MOUNT: some GRSEC features make LXC unusable see postinst notes" |
| 566 |
+ERROR_GRKERNSEC_CHROOT_DOUBLE="CONFIG_GRKERNSEC_CHROOT_DOUBLE: some GRSEC features make LXC unusable see postinst notes" |
| 567 |
+ERROR_GRKERNSEC_CHROOT_PIVOT="CONFIG_GRKERNSEC_CHROOT_PIVOT: some GRSEC features make LXC unusable see postinst notes" |
| 568 |
+ERROR_GRKERNSEC_CHROOT_CHMOD="CONFIG_GRKERNSEC_CHROOT_CHMOD: some GRSEC features make LXC unusable see postinst notes" |
| 569 |
+ERROR_GRKERNSEC_CHROOT_CAPS="CONFIG_GRKERNSEC_CHROOT_CAPS: some GRSEC features make LXC unusable see postinst notes" |
| 570 |
+ERROR_GRKERNSEC_PROC="CONFIG_GRKERNSEC_PROC: this GRSEC feature is incompatible with unprivileged containers" |
| 571 |
+ERROR_GRKERNSEC_SYSFS_RESTRICT="CONFIG_GRKERNSEC_SYSFS_RESTRICT: this GRSEC feature is incompatible with unprivileged containers" |
| 572 |
+ |
| 573 |
+DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt) |
| 574 |
+ |
| 575 |
+pkg_setup() { |
| 576 |
+ kernel_is -lt 4 7 && CONFIG_CHECK="${CONFIG_CHECK} ~DEVPTS_MULTIPLE_INSTANCES" |
| 577 |
+ linux-info_pkg_setup |
| 578 |
+} |
| 579 |
+ |
| 580 |
+src_prepare() { |
| 581 |
+ eapply "${FILESDIR}"/${PN}-3.0.0-bash-completion.patch |
| 582 |
+ #558854 |
| 583 |
+ eapply "${FILESDIR}"/${PN}-2.0.5-omit-sysconfig.patch |
| 584 |
+ eapply "${FILESDIR}"/${PN}-3.0.1-cve-2018-6556.patch |
| 585 |
+ eapply_user |
| 586 |
+ eautoreconf |
| 587 |
+} |
| 588 |
+ |
| 589 |
+src_configure() { |
| 590 |
+ append-flags -fno-strict-aliasing |
| 591 |
+ |
| 592 |
+ # I am not sure about the --with-rootfs-path |
| 593 |
+ # /var/lib/lxc is probably more appropriate than |
| 594 |
+ # /usr/lib/lxc. |
| 595 |
+ # Note by holgersson: Why is apparmor disabled? |
| 596 |
+ |
| 597 |
+ # --enable-doc is for manpages which is why we don't link it to a "doc" |
| 598 |
+ # USE flag. We always want man pages. |
| 599 |
+ econf \ |
| 600 |
+ --localstatedir=/var \ |
| 601 |
+ --bindir=/usr/bin \ |
| 602 |
+ --sbindir=/usr/bin \ |
| 603 |
+ --with-config-path=/var/lib/lxc \ |
| 604 |
+ --with-rootfs-path=/var/lib/lxc/rootfs \ |
| 605 |
+ --with-distro=gentoo \ |
| 606 |
+ --with-runtime-path=/run \ |
| 607 |
+ --disable-apparmor \ |
| 608 |
+ --disable-werror \ |
| 609 |
+ --enable-doc \ |
| 610 |
+ $(use_enable examples) \ |
| 611 |
+ $(use_enable pam) \ |
| 612 |
+ $(use_with pam pamdir $(getpam_mod_dir)) \ |
| 613 |
+ $(use_enable seccomp) \ |
| 614 |
+ $(use_enable selinux) |
| 615 |
+} |
| 616 |
+ |
| 617 |
+src_install() { |
| 618 |
+ default |
| 619 |
+ |
| 620 |
+ mv "${ED}"/usr/share/bash-completion/completions/${PN} "${ED}"/$(get_bashcompdir)/${PN}-start || die |
| 621 |
+ bashcomp_alias ${PN}-start \ |
| 622 |
+ ${PN}-{attach,cgroup,copy,console,create,destroy,device,execute,freeze,info,monitor,snapshot,stop,unfreeze,wait} |
| 623 |
+ |
| 624 |
+ keepdir /etc/lxc /var/lib/lxc/rootfs /var/log/lxc |
| 625 |
+ rmdir "${D}"/var/cache/lxc "${D}"/var/cache || die "rmdir failed" |
| 626 |
+ |
| 627 |
+ find "${D}" -name '*.la' -delete |
| 628 |
+ |
| 629 |
+ # Gentoo-specific additions! |
| 630 |
+ newinitd "${FILESDIR}/${PN}.initd.7" ${PN} |
| 631 |
+ |
| 632 |
+ # Remember to compare our systemd unit file with the upstream one |
| 633 |
+ # config/init/systemd/lxc.service.in |
| 634 |
+ systemd_newunit "${FILESDIR}"/${PN}_at.service.4 "lxc@.service" |
| 635 |
+ |
| 636 |
+ DOC_CONTENTS=" |
| 637 |
+ For openrc, there is an init script provided with the package. |
| 638 |
+ You _should_ only need to symlink /etc/init.d/lxc to |
| 639 |
+ /etc/init.d/lxc.configname to start the container defined in |
| 640 |
+ /etc/lxc/configname.conf. |
| 641 |
+ |
| 642 |
+ Correspondingly, for systemd a service file lxc@.service is installed. |
| 643 |
+ Enable and start lxc@configname in order to start the container defined |
| 644 |
+ in /etc/lxc/configname.conf. |
| 645 |
+ |
| 646 |
+ If you want checkpoint/restore functionality, please install criu |
| 647 |
+ (sys-process/criu)." |
| 648 |
+ DISABLE_AUTOFORMATTING=true |
| 649 |
+ readme.gentoo_create_doc |
| 650 |
+} |
| 651 |
+ |
| 652 |
+pkg_postinst() { |
| 653 |
+ readme.gentoo_print_elog |
| 654 |
+} |
Archives