authorV3n3RiX <venerix@redcorelinux.org>2020-05-30 11:44:06 +0100
committerV3n3RiX <venerix@redcorelinux.org>2020-05-30 11:44:06 +0100
commitf516638b7fe9592837389826a6152a7e1b251c54 (patch)
tree8bfecb640b7b6403d7a3d662d923eed630033da7 /app-emulation/lxc
parent1a61119f9f7b057830e2ce0563f913ec86f282ad (diff)
gentoo resync : 30.05.2020
Diffstat (limited to 'app-emulation/lxc')
-rw-r--r--app-emulation/lxc/Manifest13
-rw-r--r--app-emulation/lxc/files/lxc-2.0.6-bash-completion.patch27
-rw-r--r--app-emulation/lxc/files/lxc-2.1.1-cgroups-enable-container-without-CAP_SYS_ADMIN.patch164
-rw-r--r--app-emulation/lxc/files/lxc-2.1.1-cve-2018-6556.patch118
-rw-r--r--app-emulation/lxc/files/lxc-2.1.1-fix-cgroup2-detection.patch26
-rw-r--r--app-emulation/lxc/files/lxc_at.service.4.0.015
-rw-r--r--app-emulation/lxc/lxc-2.1.1-r1.ebuild215
-rw-r--r--app-emulation/lxc/lxc-4.0.2-r2.ebuild (renamed from app-emulation/lxc/lxc-3.1.0-r1.ebuild)93
-rw-r--r--app-emulation/lxc/metadata.xml2
9 files changed, 66 insertions, 607 deletions
diff --git a/app-emulation/lxc/Manifest b/app-emulation/lxc/Manifest
index 308f1276049a..42351bc40f05 100644
--- a/app-emulation/lxc/Manifest
+++ b/app-emulation/lxc/Manifest
@@ -1,16 +1,11 @@
AUX lxc-2.0.5-omit-sysconfig.patch 259 BLAKE2B 977e151fbb8c9d98e89aaa5ee0426e64ab4286b4440af1582086a0ced8c6568efb470ccf68786da6ea52c82d1f4e81feac45bec411febc04fc31d108f05ccde2 SHA512 0aed9aca687accc6df79e97f48ab333043256e8ae68c8643f2b2452cc8013191238867d64ec71f7d399c59a43d3ba698b35d965090c5cb149b4f41302432e6e7
-AUX lxc-2.0.6-bash-completion.patch 919 BLAKE2B a364398ad6fe44213ba1097e961813d4cbc71efbaf25f90a44201dc95151b7676dbe1c086b3a34fb38ffb9ef2a5ebb25f9885e809c11ec1b1e9a6516f48a3ae1 SHA512 caa90c8bad2a79b4e42b781f00d6f2a7be37fc5c5301592b026c88db2652c90871be940c86a9156f03bc186f76cf2068a2d3084e9abc7a5896ea081885085d41
-AUX lxc-2.1.1-cgroups-enable-container-without-CAP_SYS_ADMIN.patch 5145 BLAKE2B 5e4c73811b6f912cc721606603ba69b225655c343eb51ecec7110e8bc477ddd08704aa4b892203cfe539c441cc7437959606e0a196ec26e313859253d088c007 SHA512 49494eb1a7d21c3755a5301cc3bec75832588ba9bd598f0d40be90b84426332567c6b525ca089b77a92629b953b89f42a2e4ed2834e5a125e6079a35e1a17a04
-AUX lxc-2.1.1-cve-2018-6556.patch 3994 BLAKE2B 791b80852408df5f325465a6ceea5bf7986641da4c988db1f61bebabe656554aa5032186f4e5409093c14b9c9fb3ee3d7bf06e338c5f4c19cb4e2eb9d8d1db36 SHA512 fcce5387cc1d67fcb035073a5295e15570b114d202f4b077363a5059813a28b7165b5ea3e32beb4b1be8d45613bc5d7d8223ed2ebff45d5e95b5fd1e87dbd490
-AUX lxc-2.1.1-fix-cgroup2-detection.patch 856 BLAKE2B e877e8a968d059c2034a2b5c23946241a6b45172f893e313bff30a7f798e3b1440e5a1e8ee277816308fb509901b52584a44021a156a91671e299964dd69b1bd SHA512 eb0fc8dee5a59d1641e8b3024bf79be2273aa15131fd7eaee98d80585c39ddb93d8d9cfe98c7f866ab2461fe8c6c7e3c038ec1a1263a6f9b02ed323a267b87f2
AUX lxc-3.0.0-bash-completion.patch 915 BLAKE2B 8bb879e391cec349d211b47d321c64ea091c8475ac9a8c4adfb45918c044f6c49d9b9bce546082907d696f697baf0870893c4427abeafa496db89f99190cd091 SHA512 2f3728fcf5e88eecc1ae05bf038ef83baa375194c5bef0d0ef68feaf4d8092cdd8efef6b3c27207c4abd28b085f087af517242c65747b47d0a8fa840f6b9d279
AUX lxc.initd.7 3468 BLAKE2B 37b0d044594f1c66631f991315e49c4ceea4640bf6c459e6bba713fb76ef9a8ee1fcbc49da68bd0f1e2929cf9904e0113a3b321166f7c3d360fcebeab6665e5a SHA512 c5841cff7d8b58d4283a26719e8a5db1be2c4add0f31065393b863b6626460180d91632106bc50cde4d3e74ae46a57d581fa1f01140dfa95522aba12277f9eaa
AUX lxc.initd.8 3669 BLAKE2B 50d41e0923ba26b9653ca3b5b559dd0905e61ec81969e709650fe7f1b26a4dcdc17158b7e449d666e2103047d9f196e53df8beca15fffd529fa8e743de97bd82 SHA512 1182b53a65399746f6d6bced0df5c1fde09c1ede4a28bfe95b5ed0bbd969d6f6423f63021d4b6f1dc62c7b2703f6963c03d881291650bdf21cfcf8432586c1b4
AUX lxc_at.service.4 265 BLAKE2B 4454528e69a5c986c23c0c4ccc10ebe03a0650e47cd30208355d2f4a70a4cb46392473eccddd736988f1b72954948876601aaf99977d8e6014a7c774a416160f SHA512 d61e7103e90e6ffb3202533e7d7555d8c02b943f06ec6c0d673713c1c0ede58641312c65d6dd6a15907c1171522e6148c2313d7b11acbd85d59fe65758cd52b3
-DIST lxc-2.1.1.tar.gz 1378640 BLAKE2B 5fca516540a886729434579ff99acf3baa06977fa0e0b6f24dbf15094626335fc073597d308276e3dd20e27ceabf1477cc8e99d1fd24cf50b9aed2720b887b69 SHA512 2989d57acddfe091adcf8031721c3c9a2f8eff5476bd6155366b76ea7511e0f6120e669276e056e3963863e0f0acf3b095d44c36fa6652e67c197671f28cbdd4
+AUX lxc_at.service.4.0.0 284 BLAKE2B 1adc76b9861f2499b7b703f7076782a258f9b21a3d1e32b69334f753faca9ecd8c6fb2a03baf04698e765f079e73ee683434d8c7c6d3b3082427a6af74ab33b1 SHA512 4c2f9846ca60bb78df7e652309900c0e788b45d569f268a9e5b98842518542b35fce253e2aedeb0eded3d37274390988ef887b01d1d37859ccddf6225286b4bb
DIST lxc-3.0.3.tar.gz 1263371 BLAKE2B 77d0f593119654f570ae748d305e86c27117fd4e9ec7bdab1110f5356afb4a00d81c105ae9757d9da5827f6883a4a5d8ddc43b5b6e56a2927ed990e757f7c7b6 SHA512 cdc411364153d7ed494bab604260f5cbdfd5bd7734a59af970b3198c7b3cb340b6736856a2189d5989e169945a817ac8b531bc3ab62217a4285dd63a851f9c8a
-DIST lxc-3.1.0.tar.gz 1277877 BLAKE2B e114855659c8199378d14bc23f667ce1927bb32c55d336fa9c222a60198da51e7ded6aeb6d1c89cbeb1e9edc101e424a847be1e4a2330d2a0bceda52d0df5e30 SHA512 706cee9bc8ac57300574b59d728437e41baa4eb16c68f8548142e53b4e13679ef6698df30a4fbf8617e4f07338f898464e9f818e80d32648fe9717370dcbbb20
-EBUILD lxc-2.1.1-r1.ebuild 6809 BLAKE2B 1f0f75321095e99d4002f06659c1d2fe172995e32b3c3a9b402dabb147f29c37fbb67b871ccb6313dfa297a6af11a84cc00f3bcaa73a1871257e108108eaa00d SHA512 8e9305aee26956f2944f3bc66e36e7cae33450fae0dd8e2f5e2e7c4833a39172faf11f97ef9634912296a9d13c24c7faacb5591f84b0e74ce50106eda4bce36f
+DIST lxc-4.0.2.tar.gz 1352667 BLAKE2B 2ecc076bacb9bb1c2a808422f7b2e0cbfc74bf3bec6ca89ea58eb6ef4a414353c2e58163bff17b3304beb39f4980d10f54365f739645c1581bfca9f6079bf57c SHA512 0de6c1f9649d161579b45fc28a735f703c4498eff9c588462b838220aeab73f91921db628f77bc461eff38c7583cac10a38951263181956e2d33412a406f3ef3
EBUILD lxc-3.0.3.ebuild 5047 BLAKE2B a648bfd8160f61c1798a6540350ad2b45ae38b5ac8587a5b1a7db7a4f750756b2d65f798c022500c7ea1bfef312aa083f403e8cb61dc116f6ebc91ae5510b077 SHA512 273ff2df6188f58bdc55efb702bd6c92f276bee3baa2cfe0ec550f7ee9707ce6dc2db0bd0ec60276fcfb137c5963dfc7840a6b750a3036a65378bb108d17f47e
-EBUILD lxc-3.1.0-r1.ebuild 4927 BLAKE2B 8787be6be89d6400da0150fca03eb50ac383b89691484c0baae71a4f0f81e3126050753c23791c88d74fe39b00d5465619020a5101ab3111217efd3b1ed9c4b1 SHA512 7d4989b49c96ff2a5df1ac7ba3807ab168955daacb8214651bd169f2077f1dbf2175196a6e1535622a97679440ae510c027bcd9774483e0738bf9e328916772a
-MISC metadata.xml 644 BLAKE2B a8bb7f99e51e8380244f625feac1752536bbca7fe07a40afc47698e4a831f4d44ece2820c5e73e04a978cea7abcb5789df3d5898d55df0298d6787af1260ea96 SHA512 aa11f327c8ac4f98f7f5ac6357b7fc2eac18521507b27df531db5ae09d7608ae526917430afe00f110889f391a12d1bac110c7c7377bad6e9c07ff22020d97d9
+EBUILD lxc-4.0.2-r2.ebuild 4415 BLAKE2B 13a6aec708e20cc54dfd3d48e34183ed760367fa18f9c3f7ac36e9491f166350fc91f66fc1c3656e1fcbf89bf0f1120e9675561caf1c523d4214daf2be51c578 SHA512 4420cb4a4856408d66f49b15348e6cafde2efc68300b188c89ce752f337bab1bb9dd368146fdb38ef0cfc9c9a0e448667d806199401ec0d4f8acdfb7239b383a
+MISC metadata.xml 614 BLAKE2B 8c637599d38ecb5fd975fbb4385998886e450cd01d71c342a212258acf6fa0de3a377189544ab744da55b1d85ad5dd8fd2bbbb2daef7389ce61dd7d17bab7f00 SHA512 a14166b818647f0c5c6bb8402f82b333ce52591645c7ec86c8fff953889d61d00db0bcf46faca630a2f472c2918484a230b7b3fcc06099fbdbe4e31ec6bb9270
diff --git a/app-emulation/lxc/files/lxc-2.0.6-bash-completion.patch b/app-emulation/lxc/files/lxc-2.0.6-bash-completion.patch
deleted file mode 100644
index 6033e36c7985..000000000000
--- a/app-emulation/lxc/files/lxc-2.0.6-bash-completion.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-diff --git a/config/bash/lxc.in b/config/bash/lxc.in
-index 7dcf302..5927fe2 100644
---- a/config/bash/lxc.in
-+++ b/config/bash/lxc.in
-@@ -1,4 +1,3 @@
--_have lxc-start && {
- _lxc_names() {
- COMPREPLY=( $( compgen -W "$( lxc-ls )" "$cur" ) )
- }
-@@ -100,4 +99,3 @@ _have lxc-start && {
-
- complete -o default -F _lxc_generic_o lxc-copy
- complete -o default -F _lxc_generic_o lxc-start-ephemeral
--}
-diff --git a/configure.ac b/configure.ac
-index 4640c0d..14ccdd3 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -478,7 +478,7 @@ AM_CONDITIONAL([ENABLE_BASH], [test "x$enable_bash" = "xyes"])
- AM_COND_IF([ENABLE_BASH],
- [AC_MSG_CHECKING([bash completion directory])
- PKG_CHECK_VAR(bashcompdir, [bash-completion], [completionsdir], ,
-- bashcompdir="${sysconfdir}/bash_completion.d")
-+ bashcompdir="$datadir/bash-completion/completions")
- AC_MSG_RESULT([$bashcompdir])
- AC_SUBST(bashcompdir)
- ])
diff --git a/app-emulation/lxc/files/lxc-2.1.1-cgroups-enable-container-without-CAP_SYS_ADMIN.patch b/app-emulation/lxc/files/lxc-2.1.1-cgroups-enable-container-without-CAP_SYS_ADMIN.patch
deleted file mode 100644
index 8493491d0d65..000000000000
--- a/app-emulation/lxc/files/lxc-2.1.1-cgroups-enable-container-without-CAP_SYS_ADMIN.patch
+++ /dev/null
@@ -1,164 +0,0 @@
-From b635e92d21d2a4d71a553388f18cfa08f44bf1ba Mon Sep 17 00:00:00 2001
-From: Christian Brauner <christian.brauner@ubuntu.com>
-Date: Mon, 30 Oct 2017 14:16:46 +0100
-Subject: [PATCH] cgroups: enable container without CAP_SYS_ADMIN
-
-In case cgroup namespaces are supported but we do not have CAP_SYS_ADMIN we
-need to mount cgroups for the container. This patch enables both privileged and
-unprivileged containers without CAP_SYS_ADMIN.
-
-Closes #1737.
-
-Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
----
- src/lxc/cgroups/cgfs.c | 3 ++-
- src/lxc/cgroups/cgfsng.c | 52 +++++++++++++++++++++++++++++++++++++++++++++---
- src/lxc/cgroups/cgroup.c | 2 +-
- src/lxc/conf.c | 3 ---
- src/lxc/conf.h | 1 +
- 5 files changed, 53 insertions(+), 8 deletions(-)
-
-diff --git a/src/lxc/cgroups/cgfs.c b/src/lxc/cgroups/cgfs.c
-index bcbd6613..efd627f0 100644
---- a/src/lxc/cgroups/cgfs.c
-+++ b/src/lxc/cgroups/cgfs.c
-@@ -1418,11 +1418,12 @@ static bool cgroupfs_mount_cgroup(void *hdata, const char *root, int type)
- struct cgfs_data *cgfs_d;
- struct cgroup_process_info *info, *base_info;
- int r, saved_errno = 0;
-+ struct lxc_handler *handler = hdata;
-
- if (cgns_supported())
- return true;
-
-- cgfs_d = hdata;
-+ cgfs_d = handler->cgroup_data;
- if (!cgfs_d)
- return false;
- base_info = cgfs_d->info;
-diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
-index e43edd7d..ec6440c1 100644
---- a/src/lxc/cgroups/cgfsng.c
-+++ b/src/lxc/cgroups/cgfsng.c
-@@ -50,6 +50,7 @@
- #include <linux/types.h>
- #include <linux/kdev_t.h>
-
-+#include "caps.h"
- #include "cgroup.h"
- #include "cgroup_utils.h"
- #include "commands.h"
-@@ -1616,17 +1617,49 @@ do_secondstage_mounts_if_needed(int type, struct hierarchy *h,
- return 0;
- }
-
-+static int mount_cgroup_cgns_supported(struct hierarchy *h, const char *controllerpath)
-+{
-+ int ret;
-+ char *controllers = NULL;
-+ char *type = "cgroup2";
-+
-+ if (!h->is_cgroup_v2) {
-+ controllers = lxc_string_join(",", (const char **)h->controllers, false);
-+ if (!controllers)
-+ return -ENOMEM;
-+ type = "cgroup";
-+ }
-+
-+ ret = mount("cgroup", controllerpath, type, MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RELATIME, controllers);
-+ free(controllers);
-+ if (ret < 0) {
-+ SYSERROR("Failed to mount %s with cgroup filesystem type %s", controllerpath, type);
-+ return -1;
-+ }
-+
-+ DEBUG("Mounted %s with cgroup filesystem type %s", controllerpath, type);
-+ return 0;
-+}
-+
- static bool cgfsng_mount(void *hdata, const char *root, int type)
- {
-- struct cgfsng_handler_data *d = hdata;
-+ int i;
- char *tmpfspath = NULL;
- bool retval = false;
-- int i;
-+ struct lxc_handler *handler = hdata;
-+ struct cgfsng_handler_data *d = handler->cgroup_data;
-+ bool has_cgns = false, has_sys_admin = true;
-
- if ((type & LXC_AUTO_CGROUP_MASK) == 0)
- return true;
-
-- if (cgns_supported())
-+ has_cgns = cgns_supported();
-+ if (!lxc_list_empty(&handler->conf->keepcaps))
-+ has_sys_admin = in_caplist(CAP_SYS_ADMIN, &handler->conf->keepcaps);
-+ else
-+ has_sys_admin = !in_caplist(CAP_SYS_ADMIN, &handler->conf->caps);
-+
-+ if (has_cgns && has_sys_admin)
- return true;
-
- tmpfspath = must_make_path(root, "/sys/fs/cgroup", NULL);
-@@ -1662,6 +1695,19 @@ static bool cgfsng_mount(void *hdata, const char *root, int type)
- free(controllerpath);
- goto bad;
- }
-+
-+ if (has_cgns && !has_sys_admin) {
-+ /* If cgroup namespaces are supported but the container
-+ * will not have CAP_SYS_ADMIN after it has started we
-+ * need to mount the cgroups manually.
-+ */
-+ r = mount_cgroup_cgns_supported(h, controllerpath);
-+ free(controllerpath);
-+ if (r < 0)
-+ goto bad;
-+ continue;
-+ }
-+
- if (mount_cgroup_full(type, h, controllerpath, d->container_cgroup) < 0) {
- free(controllerpath);
- goto bad;
-diff --git a/src/lxc/cgroups/cgroup.c b/src/lxc/cgroups/cgroup.c
-index 674e3090..36a665b1 100644
---- a/src/lxc/cgroups/cgroup.c
-+++ b/src/lxc/cgroups/cgroup.c
-@@ -166,7 +166,7 @@ bool cgroup_chown(struct lxc_handler *handler)
- bool cgroup_mount(const char *root, struct lxc_handler *handler, int type)
- {
- if (ops)
-- return ops->mount_cgroup(handler->cgroup_data, root, type);
-+ return ops->mount_cgroup(handler, root, type);
-
- return false;
- }
-diff --git a/src/lxc/conf.c b/src/lxc/conf.c
-index d2fab945..44d97843 100644
---- a/src/lxc/conf.c
-+++ b/src/lxc/conf.c
-@@ -210,9 +210,6 @@ __thread struct lxc_conf *current_config;
- struct lxc_conf *current_config;
- #endif
-
--/* Declare this here, since we don't want to reshuffle the whole file. */
--static int in_caplist(int cap, struct lxc_list *caps);
--
- static struct mount_opt mount_opt[] = {
- { "async", 1, MS_SYNCHRONOUS },
- { "atime", 1, MS_NOATIME },
-diff --git a/src/lxc/conf.h b/src/lxc/conf.h
-index c61f861e..63e71e2d 100644
---- a/src/lxc/conf.h
-+++ b/src/lxc/conf.h
-@@ -402,5 +402,6 @@ extern unsigned long add_required_remount_flags(const char *s, const char *d,
- unsigned long flags);
- extern int run_script(const char *name, const char *section, const char *script,
- ...);
-+extern int in_caplist(int cap, struct lxc_list *caps);
-
- #endif /* __LXC_CONF_H */
---
-2.13.6
-
diff --git a/app-emulation/lxc/files/lxc-2.1.1-cve-2018-6556.patch b/app-emulation/lxc/files/lxc-2.1.1-cve-2018-6556.patch
deleted file mode 100644
index bad1e274527e..000000000000
--- a/app-emulation/lxc/files/lxc-2.1.1-cve-2018-6556.patch
+++ /dev/null
@@ -1,118 +0,0 @@
-From d183654ec1a2cd1149bdb92601ccb7246bddb14e Mon Sep 17 00:00:00 2001
-From: Christian Brauner <christian.brauner@ubuntu.com>
-Date: Wed, 25 Jul 2018 19:56:54 +0200
-Subject: [PATCH] CVE 2018-6556: verify netns fd in lxc-user-nic
-
-Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
----
- src/lxc/lxc_user_nic.c | 35 ++++++++++++++++++++++++++++++++---
- src/lxc/utils.c | 12 ++++++++++++
- src/lxc/utils.h | 5 +++++
- 3 files changed, 49 insertions(+), 3 deletions(-)
-
-ADDENDUM from vdupras@gentoo.org: Original patch from Christian didn't
-include LXC_PROC_PID_FD_LEN define, but referenced it. This resulted in
-code that doesn't compile. I fetched the definition from the stable-3.0
-branch and included it to this patch. Also, this diff is regenerated
-from lxc-2.1.1 tag instead of stable-2.0 branch.
-
-diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c
-index 6f550f0d..09a342ac 100644
---- a/src/lxc/lxc_user_nic.c
-+++ b/src/lxc/lxc_user_nic.c
-@@ -1124,12 +1124,41 @@ int main(int argc, char *argv[])
- exit(EXIT_FAILURE);
- }
- } else if (request == LXC_USERNIC_DELETE) {
-- netns_fd = open(args.pid, O_RDONLY);
-+ char opath[LXC_PROC_PID_FD_LEN];
-+
-+ /* Open the path with O_PATH which will not trigger an actual
-+ * open(). Don't report an errno to the caller to not leak
-+ * information whether the path exists or not.
-+ * When stracing setuid is stripped so this is not a concern
-+ * either.
-+ */
-+ netns_fd = open(args.pid, O_PATH | O_CLOEXEC);
- if (netns_fd < 0) {
-- usernic_error("Could not open \"%s\": %s\n", args.pid,
-- strerror(errno));
-+ usernic_error("Failed to open \"%s\"\n", args.pid);
- exit(EXIT_FAILURE);
- }
-+
-+ if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) {
-+ usernic_error("Path \"%s\" does not refer to a network namespace path\n", args.pid);
-+ close(netns_fd);
-+ exit(EXIT_FAILURE);
-+ }
-+
-+ ret = snprintf(opath, sizeof(opath), "/proc/self/fd/%d", netns_fd);
-+ if (ret < 0 || (size_t)ret >= sizeof(opath)) {
-+ close(netns_fd);
-+ exit(EXIT_FAILURE);
-+ }
-+
-+ /* Now get an fd that we can use in setns() calls. */
-+ ret = open(opath, O_RDONLY | O_CLOEXEC);
-+ if (ret < 0) {
-+ usernic_error("Failed to open \"%s\": %s\n", args.pid, strerror(errno));
-+ close(netns_fd);
-+ exit(EXIT_FAILURE);
-+ }
-+ close(netns_fd);
-+ netns_fd = ret;
- }
-
- if (!create_db_dir(LXC_USERNIC_DB)) {
-diff --git a/src/lxc/utils.c b/src/lxc/utils.c
-index e6a44a51..c2a08a9d 100644
---- a/src/lxc/utils.c
-+++ b/src/lxc/utils.c
-@@ -2380,6 +2380,18 @@ bool has_fs_type(const char *path, fs_type_magic magic_val)
- return has_type;
- }
-
-+bool fhas_fs_type(int fd, fs_type_magic magic_val)
-+{
-+ int ret;
-+ struct statfs sb;
-+
-+ ret = fstatfs(fd, &sb);
-+ if (ret < 0)
-+ return false;
-+
-+ return is_fs_type(&sb, magic_val);
-+}
-+
- bool lxc_nic_exists(char *nic)
- {
- #define __LXC_SYS_CLASS_NET_LEN 15 + IFNAMSIZ + 1
-diff --git a/src/lxc/utils.h b/src/lxc/utils.h
-index e83ed49e..06ec74d7 100644
---- a/src/lxc/utils.h
-+++ b/src/lxc/utils.h
-@@ -46,11 +46,16 @@
- #define __S_ISTYPE(mode, mask) (((mode)&S_IFMT) == (mask))
- #endif
-
-+#ifndef NSFS_MAGIC
-+#define NSFS_MAGIC 0x6e736673
-+#endif
-+
- /* Useful macros */
- /* Maximum number for 64 bit integer is a string with 21 digits: 2^64 - 1 = 21 */
- #define LXC_NUMSTRLEN64 21
- #define LXC_LINELEN 4096
- #define LXC_IDMAPLEN 4096
-+#define LXC_PROC_PID_FD_LEN (6 + LXC_NUMSTRLEN64 + 4 + LXC_NUMSTRLEN64 + 1)
-
- /* returns 1 on success, 0 if there were any failures */
- extern int lxc_rmdir_onedev(char *path, const char *exclude);
-@@ -402,6 +407,7 @@ extern void *must_realloc(void *orig, size_t sz);
- /* __typeof__ should be safe to use with all compilers. */
- typedef __typeof__(((struct statfs *)NULL)->f_type) fs_type_magic;
- extern bool has_fs_type(const char *path, fs_type_magic magic_val);
-+extern bool fhas_fs_type(int fd, fs_type_magic magic_val);
- extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val);
- extern bool lxc_nic_exists(char *nic);
diff --git a/app-emulation/lxc/files/lxc-2.1.1-fix-cgroup2-detection.patch b/app-emulation/lxc/files/lxc-2.1.1-fix-cgroup2-detection.patch
deleted file mode 100644
index c16d28ac3033..000000000000
--- a/app-emulation/lxc/files/lxc-2.1.1-fix-cgroup2-detection.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From cdfe90a49f516b0f1210d181980f14a4765e10da Mon Sep 17 00:00:00 2001
-From: Christian Brauner <christian.brauner@ubuntu.com>
-Date: Mon, 30 Oct 2017 14:17:20 +0100
-Subject: [PATCH] cgfsng: fix cgroup2 detection
-
-Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
----
- src/lxc/cgroups/cgfsng.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
-index 897336f0..e43edd7d 100644
---- a/src/lxc/cgroups/cgfsng.c
-+++ b/src/lxc/cgroups/cgfsng.c
-@@ -815,7 +815,7 @@ static void add_controller(char **clist, char *mountpoint, char *base_cgroup)
- new->fullcgpath = NULL;
-
- /* record if this is the cgroup v2 hierarchy */
-- if (!strcmp(base_cgroup, "cgroup2"))
-+ if (clist && !strcmp(*clist, "cgroup2"))
- new->is_cgroup_v2 = true;
- else
- new->is_cgroup_v2 = false;
---
-2.13.6
-
diff --git a/app-emulation/lxc/files/lxc_at.service.4.0.0 b/app-emulation/lxc/files/lxc_at.service.4.0.0
new file mode 100644
index 000000000000..b354bc53e080
--- /dev/null
+++ b/app-emulation/lxc/files/lxc_at.service.4.0.0
@@ -0,0 +1,15 @@
+[Unit]
+Description=Linux Container %i
+After=network.target
+Wants=lxcfs.service
+
+[Service]
+Type=forking
+ExecStart=/usr/bin/lxc-start -d -n %i -p /run/lxc-%i.pid
+PIDFile=/run/lxc-%i.pid
+ExecStop=/usr/bin/lxc-stop -n %i
+Delegate=true
+TasksMax=32768
+
+[Install]
+WantedBy=multi-user.target
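Review bot: The unit pulls in lxcfs with `Wants=lxcfs.service` but never orders itself after it, so systemd may start `lxc-start` concurrently with lxcfs; only `After=network.target` is declared. If the container is expected to see lxcfs mounts at start-up, the ordering should be explicit, e.g. `After=network.target lxcfs.service`. Whether a container actually depends on lxcfs being up is not visible here, so worth confirming against the intended use before changing it.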
diff --git a/app-emulation/lxc/lxc-2.1.1-r1.ebuild b/app-emulation/lxc/lxc-2.1.1-r1.ebuild
deleted file mode 100644
index 57389b97c896..000000000000
--- a/app-emulation/lxc/lxc-2.1.1-r1.ebuild
+++ /dev/null
@@ -1,215 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-PYTHON_COMPAT=( python3_6 )
-DISTUTILS_OPTIONAL=1
-
-inherit autotools bash-completion-r1 distutils-r1 linux-info versionator flag-o-matic systemd readme.gentoo-r1
-DESCRIPTION="LinuX Containers userspace utilities"
-HOMEPAGE="https://linuxcontainers.org/"
-SRC_URI="https://linuxcontainers.org/downloads/lxc/${P}.tar.gz"
-
-KEYWORDS="amd64 ~arm ~arm64 ~ppc64 x86"
-
-LICENSE="LGPL-3"
-SLOT="0"
-IUSE="cgmanager examples lua python seccomp selinux"
-
-RDEPEND="
- net-libs/gnutls
- sys-libs/libcap
- cgmanager? ( app-admin/cgmanager )
- lua? ( >=dev-lang/lua-5.1:= )
- python? ( ${PYTHON_DEPS} )
- seccomp? ( sys-libs/libseccomp )
- selinux? ( sys-libs/libselinux )"
-
-DEPEND="${RDEPEND}
- app-text/docbook-sgml-utils
- >=sys-kernel/linux-headers-3.2"
-
-RDEPEND="${RDEPEND}
- sys-apps/util-linux
- app-misc/pax-utils
- virtual/awk"
-
-CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE
- ~CPUSETS ~CGROUP_CPUACCT
- ~CGROUP_SCHED
-
- ~NAMESPACES
- ~IPC_NS ~USER_NS ~PID_NS
-
- ~NETLINK_DIAG ~PACKET_DIAG
- ~INET_UDP_DIAG ~INET_TCP_DIAG
- ~UNIX_DIAG ~CHECKPOINT_RESTORE
-
- ~CGROUP_FREEZER
- ~UTS_NS ~NET_NS
- ~VETH ~MACVLAN
-
- ~POSIX_MQUEUE
- ~!NETPRIO_CGROUP
-
- ~!GRKERNSEC_CHROOT_MOUNT
- ~!GRKERNSEC_CHROOT_DOUBLE
- ~!GRKERNSEC_CHROOT_PIVOT
- ~!GRKERNSEC_CHROOT_CHMOD
- ~!GRKERNSEC_CHROOT_CAPS
- ~!GRKERNSEC_PROC
- ~!GRKERNSEC_SYSFS_RESTRICT
-"
-
-ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES: needed for pts inside container"
-
-ERROR_CGROUP_FREEZER="CONFIG_CGROUP_FREEZER: needed to freeze containers"
-
-ERROR_UTS_NS="CONFIG_UTS_NS: needed to unshare hostnames and uname info"
-ERROR_NET_NS="CONFIG_NET_NS: needed for unshared network"
-
-ERROR_VETH="CONFIG_VETH: needed for internal (host-to-container) networking"
-ERROR_MACVLAN="CONFIG_MACVLAN: needed for internal (inter-container) networking"
-
-ERROR_NETLINK_DIAG="CONFIG_NETLINK_DIAG: needed for lxc-checkpoint"
-ERROR_PACKET_DIAG="CONFIG_PACKET_DIAG: needed for lxc-checkpoint"
-ERROR_INET_UDP_DIAG="CONFIG_INET_UDP_DIAG: needed for lxc-checkpoint"
-ERROR_INET_TCP_DIAG="CONFIG_INET_TCP_DIAG: needed for lxc-checkpoint"
-ERROR_UNIX_DIAG="CONFIG_UNIX_DIAG: needed for lxc-checkpoint"
-ERROR_CHECKPOINT_RESTORE="CONFIG_CHECKPOINT_RESTORE: needed for lxc-checkpoint"
-
-ERROR_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE: needed for lxc-execute command"
-
-ERROR_NETPRIO_CGROUP="CONFIG_NETPRIO_CGROUP: as of kernel 3.3 and lxc 0.8.0_rc1 this causes LXCs to fail booting."
-
-ERROR_GRKERNSEC_CHROOT_MOUNT="CONFIG_GRKERNSEC_CHROOT_MOUNT: some GRSEC features make LXC unusable see postinst notes"
-ERROR_GRKERNSEC_CHROOT_DOUBLE="CONFIG_GRKERNSEC_CHROOT_DOUBLE: some GRSEC features make LXC unusable see postinst notes"
-ERROR_GRKERNSEC_CHROOT_PIVOT="CONFIG_GRKERNSEC_CHROOT_PIVOT: some GRSEC features make LXC unusable see postinst notes"
-ERROR_GRKERNSEC_CHROOT_CHMOD="CONFIG_GRKERNSEC_CHROOT_CHMOD: some GRSEC features make LXC unusable see postinst notes"
-ERROR_GRKERNSEC_CHROOT_CAPS="CONFIG_GRKERNSEC_CHROOT_CAPS: some GRSEC features make LXC unusable see postinst notes"
-ERROR_GRKERNSEC_PROC="CONFIG_GRKERNSEC_PROC: this GRSEC feature is incompatible with unprivileged containers"
-ERROR_GRKERNSEC_SYSFS_RESTRICT="CONFIG_GRKERNSEC_SYSFS_RESTRICT: this GRSEC feature is incompatible with unprivileged containers"
-
-DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt)
-
-REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
-
-pkg_setup() {
- kernel_is -lt 4 7 && CONFIG_CHECK="${CONFIG_CHECK} ~DEVPTS_MULTIPLE_INSTANCES"
- linux-info_pkg_setup
-}
-
-src_prepare() {
- eapply "${FILESDIR}"/${PN}-2.0.6-bash-completion.patch
- #558854
- eapply "${FILESDIR}"/${PN}-2.0.5-omit-sysconfig.patch
- eapply "${FILESDIR}"/${PN}-2.1.1-fix-cgroup2-detection.patch
- eapply "${FILESDIR}"/${PN}-2.1.1-cgroups-enable-container-without-CAP_SYS_ADMIN.patch
- eapply "${FILESDIR}"/${PN}-2.1.1-cve-2018-6556.patch
- eapply_user
- eautoreconf
-}
-
-src_configure() {
- append-flags -fno-strict-aliasing
-
- if use python; then
- #541932
- python_setup "python3*"
- export PKG_CONFIG_PATH="${T}/${EPYTHON}/pkgconfig:${PKG_CONFIG_PATH}"
- fi
-
- # I am not sure about the --with-rootfs-path
- # /var/lib/lxc is probably more appropriate than
- # /usr/lib/lxc.
- # Note by holgersson: Why is apparmor disabled?
-
- # --enable-doc is for manpages which is why we don't link it to a "doc"
- # USE flag. We always want man pages.
- econf \
- --localstatedir=/var \
- --bindir=/usr/bin \
- --sbindir=/usr/bin \
- --with-config-path=/var/lib/lxc \
- --with-rootfs-path=/var/lib/lxc/rootfs \
- --with-distro=gentoo \
- --with-runtime-path=/run \
- --disable-apparmor \
- --disable-werror \
- --enable-doc \
- $(use_enable cgmanager) \
- $(use_enable examples) \
- $(use_enable lua) \
- $(use_enable python) \
- $(use_enable seccomp) \
- $(use_enable selinux)
-}
-
-python_compile() {
- distutils-r1_python_compile build_ext -I.. -L../lxc/.libs --no-pkg-config
-}
-
-src_compile() {
- default
-
- if use python; then
- pushd "${S}/src/python-${PN}" > /dev/null
- distutils-r1_src_compile
- popd > /dev/null
- fi
-}
-
-src_install() {
- default
-
- mv "${ED}"/usr/share/bash-completion/completions/${PN} "${ED}"/$(get_bashcompdir)/${PN}-start || die
- # start-ephemeral is no longer a command but removing it here
- # generates QA warnings (still in upstream completion script)
- bashcomp_alias ${PN}-start \
- ${PN}-{attach,cgroup,copy,console,create,destroy,device,execute,freeze,info,monitor,snapshot,start-ephemeral,stop,unfreeze,wait}
-
- if use python; then
- pushd "${S}/src/python-lxc" > /dev/null
- # Unset DOCS. This has been handled by the default target
- unset DOCS
- distutils-r1_src_install
- popd > /dev/null
- fi
-
- keepdir /etc/lxc /var/lib/lxc/rootfs /var/log/lxc
-
- find "${D}" -name '*.la' -delete
-
- # Gentoo-specific additions!
- newinitd "${FILESDIR}/${PN}.initd.7" ${PN}
-
- # Remember to compare our systemd unit file with the upstream one
- # config/init/systemd/lxc.service.in
- systemd_newunit "${FILESDIR}"/${PN}_at.service.4 "lxc@.service"
-
- DOC_CONTENTS="
- Starting from version ${PN}-1.1.0-r3, the default lxc path has been
- moved from /etc/lxc to /var/lib/lxc. If you still want to use /etc/lxc
- please add the following to your /etc/lxc/lxc.conf
-
- lxc.lxcpath = /etc/lxc
-
- For openrc, there is an init script provided with the package.
- You _should_ only need to symlink /etc/init.d/lxc to
- /etc/init.d/lxc.configname to start the container defined in
- /etc/lxc/configname.conf.
-
- Correspondingly, for systemd a service file lxc@.service is installed.
- Enable and start lxc@configname in order to start the container defined
- in /etc/lxc/configname.conf.
-
- If you want checkpoint/restore functionality, please install criu
- (sys-process/criu)."
- DISABLE_AUTOFORMATTING=true
- readme.gentoo_create_doc
-}
-
-pkg_postinst() {
- readme.gentoo_print_elog
-}
diff --git a/app-emulation/lxc/lxc-3.1.0-r1.ebuild b/app-emulation/lxc/lxc-4.0.2-r2.ebuild
index 138938369b9d..9f71458a5e7e 100644
--- a/app-emulation/lxc/lxc-3.1.0-r1.ebuild
+++ b/app-emulation/lxc/lxc-4.0.2-r2.ebuild
@@ -1,36 +1,37 @@
-# Copyright 1999-2019 Gentoo Authors
+# Copyright 1999-2020 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
-inherit autotools bash-completion-r1 linux-info flag-o-matic systemd readme.gentoo-r1 pam
+inherit autotools bash-completion-r1 linux-info flag-o-matic pam readme.gentoo-r1 systemd
DESCRIPTION="LinuX Containers userspace utilities"
-HOMEPAGE="https://linuxcontainers.org/"
+HOMEPAGE="https://linuxcontainers.org/ https://github.com/lxc/lxc"
SRC_URI="https://linuxcontainers.org/downloads/lxc/${P}.tar.gz"
KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~x86"
LICENSE="LGPL-3"
SLOT="0"
-IUSE="apparmor examples pam seccomp selinux +templates"
+IUSE="apparmor +caps doc examples libressl pam seccomp selinux +ssl +templates +tools"
-RDEPEND="
- net-libs/gnutls
+RDEPEND="app-misc/pax-utils
+ sys-apps/util-linux
sys-libs/libcap
+ virtual/awk
+ caps? ( sys-libs/libcap )
pam? ( sys-libs/pam )
seccomp? ( sys-libs/libseccomp )
- selinux? ( sys-libs/libselinux )"
-
+ selinux? ( sys-libs/libselinux )
+ ssl? (
+ !libressl? ( dev-libs/openssl:0= )
+ libressl? ( dev-libs/libressl:0= )
+ )"
DEPEND="${RDEPEND}
>=app-text/docbook-sgml-utils-0.6.14-r2
- >=sys-kernel/linux-headers-3.2"
-
-RDEPEND="${RDEPEND}
- sys-apps/util-linux
- app-misc/pax-utils
- virtual/awk"
-
+ >=sys-kernel/linux-headers-3.2
+ apparmor? ( sys-apps/apparmor )"
+BDEPEND="doc? ( app-doc/doxygen )"
PDEPEND="templates? ( app-emulation/lxc-templates )"
CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE
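Review bot: RDEPEND now lists `sys-libs/libcap` twice — once unconditionally (the unchanged context line) and again under the new `caps? ( sys-libs/libcap )` — so USE=-caps still pulls libcap in even though the configure hunk below passes `$(use_enable caps capabilities)`; one of the two entries should go, depending on whether lxc links libcap regardless of the flag. Under EAPI=7, `>=app-text/docbook-sgml-utils-0.6.14-r2` is a host build tool and arguably belongs in the new `BDEPEND` alongside `app-doc/doxygen` rather than in DEPEND. The same applies to the `apparmor? ( sys-apps/apparmor )` entry if it is only needed to build.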
@@ -45,41 +46,17 @@ CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE
~VETH ~MACVLAN
~POSIX_MQUEUE
- ~!NETPRIO_CGROUP
-
- ~!GRKERNSEC_CHROOT_MOUNT
- ~!GRKERNSEC_CHROOT_DOUBLE
- ~!GRKERNSEC_CHROOT_PIVOT
- ~!GRKERNSEC_CHROOT_CHMOD
- ~!GRKERNSEC_CHROOT_CAPS
- ~!GRKERNSEC_PROC
- ~!GRKERNSEC_SYSFS_RESTRICT
- ~!GRKERNSEC_CHROOT_FINDTASK
-"
-
-ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES: needed for pts inside container"
+ ~!NETPRIO_CGROUP"
ERROR_CGROUP_FREEZER="CONFIG_CGROUP_FREEZER: needed to freeze containers"
-
ERROR_UTS_NS="CONFIG_UTS_NS: needed to unshare hostnames and uname info"
ERROR_NET_NS="CONFIG_NET_NS: needed for unshared network"
-
ERROR_VETH="CONFIG_VETH: needed for internal (host-to-container) networking"
ERROR_MACVLAN="CONFIG_MACVLAN: needed for internal (inter-container) networking"
-
ERROR_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE: needed for lxc-execute command"
-
ERROR_NETPRIO_CGROUP="CONFIG_NETPRIO_CGROUP: as of kernel 3.3 and lxc 0.8.0_rc1 this causes LXCs to fail booting."
-ERROR_GRKERNSEC_CHROOT_MOUNT="CONFIG_GRKERNSEC_CHROOT_MOUNT: some GRSEC features make LXC unusable see postinst notes"
-ERROR_GRKERNSEC_CHROOT_DOUBLE="CONFIG_GRKERNSEC_CHROOT_DOUBLE: some GRSEC features make LXC unusable see postinst notes"
-ERROR_GRKERNSEC_CHROOT_PIVOT="CONFIG_GRKERNSEC_CHROOT_PIVOT: some GRSEC features make LXC unusable see postinst notes"
-ERROR_GRKERNSEC_CHROOT_CHMOD="CONFIG_GRKERNSEC_CHROOT_CHMOD: some GRSEC features make LXC unusable see postinst notes"
-ERROR_GRKERNSEC_CHROOT_CAPS="CONFIG_GRKERNSEC_CHROOT_CAPS: some GRSEC features make LXC unusable see postinst notes"
-ERROR_GRKERNSEC_PROC="CONFIG_GRKERNSEC_PROC: this GRSEC feature is incompatible with unprivileged containers"
-ERROR_GRKERNSEC_SYSFS_RESTRICT="CONFIG_GRKERNSEC_SYSFS_RESTRICT: this GRSEC feature is incompatible with unprivileged containers"
-
-DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt)
+DOCS=( AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt )
pkg_setup() {
linux-info_pkg_setup
@@ -101,23 +78,45 @@ src_configure() {
# --enable-doc is for manpages which is why we don't link it to a "doc"
# USE flag. We always want man pages.
local myeconfargs=(
- --localstatedir=/var
--bindir=/usr/bin
+ --localstatedir=/var
--sbindir=/usr/bin
+
--with-config-path=/var/lib/lxc
- --with-rootfs-path=/var/lib/lxc/rootfs
--with-distro=gentoo
+ --with-init-script=systemd
+ --with-rootfs-path=/var/lib/lxc/rootfs
--with-runtime-path=/run
- --disable-apparmor
+ --with-systemdsystemunitdir=$(systemd_get_systemunitdir)
+
+ --disable-asan
+ --disable-coverity-build
+ --disable-dlog
+ --disable-mutex-debugging
+ --disable-rpath
+ --disable-tests
+ --disable-ubsan
--disable-werror
+
+ --enable-bash
+ --enable-commands
--enable-doc
+ --enable-memfd-rexec
+ --enable-thread-safety
+
$(use_enable apparmor)
+ $(use_enable caps capabilities)
+ $(use_enable doc api-docs)
$(use_enable examples)
$(use_enable pam)
- $(use_with pam pamdir $(getpam_mod_dir))
$(use_enable seccomp)
$(use_enable selinux)
+ $(use_enable ssl openssl)
+ $(use_enable tools)
+
+ $(use_with pam pamdir $(getpam_mod_dir))
)
+
econf "${myeconfargs[@]}"
}
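Review bot: `--with-init-script=systemd` together with `--with-systemdsystemunitdir=$(systemd_get_systemunitdir)` presumably makes upstream install its own unit files into the same directory that src_install later writes Gentoo's `lxc@.service` into via `systemd_newunit` (next hunk); it is worth confirming which `lxc@.service` ends up on disk and whether the remaining upstream units are wanted or should be pruned. A one-line comment above `--with-init-script=systemd` stating the intended outcome, e.g. `# upstream units are installed too; lxc@.service is replaced below in src_install`, would document the decision. The enclosing src_configure() begins before this hunk.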
@@ -131,14 +130,14 @@ src_install() {
keepdir /etc/lxc /var/lib/lxc/rootfs /var/log/lxc
rmdir "${D}"/var/cache/lxc "${D}"/var/cache || die "rmdir failed"
- find "${D}" -name '*.la' -delete
+ find "${D}" -name '*.la' -delete -o -name '*.a' -delete || die
# Gentoo-specific additions!
newinitd "${FILESDIR}/${PN}.initd.8" ${PN}
# Remember to compare our systemd unit file with the upstream one
# config/init/systemd/lxc.service.in
- systemd_newunit "${FILESDIR}"/${PN}_at.service.4 "lxc@.service"
+ systemd_newunit "${FILESDIR}"/${PN}_at.service.4.0.0 "lxc@.service"
DOC_CONTENTS="
For openrc, there is an init script provided with the package.
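Review bot: The new `find "${D}" -name '*.la' -delete -o -name '*.a' -delete || die` works only because `-delete` evaluates true and short-circuits the `-o`; the intent reads more clearly as one grouped test, `find "${D}" \( -name '*.la' -o -name '*.a' \) -delete || die`. Deleting every static archive under `${D}` is a broader change than the `.la` cleanup it replaces, so a short comment naming why `*.a` files are dropped would help the next maintainer. src_install() starts before this hunk and the `DOC_CONTENTS` string continues past it.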
diff --git a/app-emulation/lxc/metadata.xml b/app-emulation/lxc/metadata.xml
index c5f8986b9117..ca4eb37df6c9 100644
--- a/app-emulation/lxc/metadata.xml
+++ b/app-emulation/lxc/metadata.xml
@@ -7,8 +7,8 @@
</maintainer>
<use>
<flag name="apparmor">Enable AppArmor support</flag>
- <flag name="cgmanager">Enable support for cgroup management using <pkg>app-admin/cgmanager</pkg></flag>
<flag name="templates">Install old style templates through <pkg>app-emulation/lxc-templates</pkg></flag>
+ <flag name="tools">Build and install additional command line tools</flag>
</use>
<upstream>
<remote-id type="github">lxc/lxc</remote-id>