Diffstat (limited to 'app-emulation/runc')
-rw-r--r--app-emulation/runc/Manifest11
-rw-r--r--app-emulation/runc/files/runc-1.0.0_rc2-init-non-dumpable.patch108
-rw-r--r--app-emulation/runc/metadata.xml31
-rw-r--r--app-emulation/runc/runc-1.0.0_rc2-r2.ebuild59
-rw-r--r--app-emulation/runc/runc-1.0.0_rc2_p20170222.ebuild57
-rw-r--r--app-emulation/runc/runc-1.0.0_rc3.ebuild55
-rw-r--r--app-emulation/runc/runc-9999.ebuild48
7 files changed, 369 insertions, 0 deletions
diff --git a/app-emulation/runc/Manifest b/app-emulation/runc/Manifest
new file mode 100644
index 000000000000..f2842d9f827c
--- /dev/null
+++ b/app-emulation/runc/Manifest
@@ -0,0 +1,11 @@
+AUX runc-1.0.0_rc2-init-non-dumpable.patch 4016 SHA256 d26ab99d557547312a3c9d069c188392204536bedeb8b22762cc1f2bb2e66159 SHA512 2e10cc4ea85f0a95c53a4de6922b8a20395b6225f06449b9f3a994a79113f476563bb6acf365ba12de7896fc537141130790e14de1c612b97e283eeb82877139 WHIRLPOOL d43754d5ab03a5c56a62cd8128184aa55aa1cc23604cece4ca9810a4051f32f3970f09f4dc73265c4ccc4ed1855e3d7e5bbc74f1affe97384741d91b0e107580
+DIST runc-1.0.0_rc2.tar.gz 550449 SHA256 638742c48426b9a3281aeb619e27513d972de228bdbd43b478baea99c186d491 SHA512 83a3d45efbb86d3d583b96062202b9e60121d250af2c0dd37d07fda574b642aa6f05e29cac6644ad3d624647400db694082e280383e41ca9f31dc0a33b87ed76 WHIRLPOOL 990a45739689db80bbeed43b0fd3a4ce4d0563ea833361b9112e750782313f19e638c4bfbd455f5dd1882d64c724dcf0213701322029c2c9f98f624863c744f3
+DIST runc-1.0.0_rc2_p20170222.tar.gz 576999 SHA256 1ee6491b9c14e0ce9e0546ed92e3eb4bdc60cf4b5e58b6de0455dbe3b03145cb SHA512 fe293057f55eee4f3821004af730ad57f512d610d7cf3693b26e69ffa068c8c28da5426b9f4988627c0803ecd1d46b6e427db8f1703649f5861859d61cd24bbd WHIRLPOOL 561c09ffc7d3e0f1dd73f3711adb85b74d5fea265181cdd1535a83d23a164c1e4cb884053c0b46c968b0b582feeb2ccc9eb99e3e086b1fcbcce0813f4444172c
+DIST runc-1.0.0_rc3.tar.gz 453694 SHA256 77dc6c48704da4005896acf369d0ee306f8af684c54a815f589fd87043221380 SHA512 298a176db119a02c1dbe5c095897f34955d6d0d7ea3cb21496258a23225bae35603a818c13f7adc4be1c1f4e2b3a8a540fb2fc1b2828a59f29a53e3c8b13c354 WHIRLPOOL 649aba93a24eff37042cc08d55cff0d97d6e4fe6b2c35053b36a4a186040e8772b8f63be488f3cb8d75e7daa61193669a79b2ed1f04a13ae47695c98dccb17ec
+EBUILD runc-1.0.0_rc2-r2.ebuild 1365 SHA256 26c208b727a67fbfc7c0b67fbfc7196726d9deb2db2eb52f683c5c5eaa5f4696 SHA512 6e5d05c224d4851c3b92b9da5fa4cc3934093bc74742c1b8cb3b50652014aaef46bdfbd17abd7fab4729b37cb7a8c3c9fa0e98ddd3725ae4c4e3ac5b1ae22c1b WHIRLPOOL 567e8b88ebb376f0d6ef249d3751eb0eb50eefba34d8e6d405d54bdbf7e881e19f781decc5e7d1d8ec0b6b90c3071ef84c3f8595263f467b3e28b3782adf6cfb
+EBUILD runc-1.0.0_rc2_p20170222.ebuild 1340 SHA256 d6502a88b2dd0819346a907bb8869a0b8bf430722d5d6bb4490a465a52f268a1 SHA512 a15a9e312132aca2df78ac1c1e33f013656d2ddf1f4a75dcbf48c62f69444aa2390c91365869127f257eb09cca380e130342991f7c81859bf69a3eae7965ad15 WHIRLPOOL 2a5ddb35c8847bfdf598d861b792b2bce35e66293029e887c0c61ab1b68d05b31ee5bb2a7c0b0ec9b9e5910a42deabb1f7a19a6f17517b12c139f71c6504f6d4
+EBUILD runc-1.0.0_rc3.ebuild 1266 SHA256 2df82c9436c85fb07bde1e4747533ad021b8afd4c0f2f21e05e91945e9e35a1d SHA512 9ef8329dbb95720807c54fb9f4569393dd2b820a3bd9420c4327a68e8fcfd258dc8cb78def5cde66a9d1519fbd20b7baed7b566ed76630b301856901980e2436 WHIRLPOOL 2896faf66f077ce0e6e2832fe6443619ead207a73d5306eb14fc35237229f6eafdc8042f5b60d2da1e0fbd91a5122ee99df1e4e69c9d885ef148372ccac7dbfe
+EBUILD runc-9999.ebuild 1080 SHA256 63705ef8690e9a2ca0775fff05eeaf2ce5689fb00ec49b5b76ee3a9f91cc7d28 SHA512 b026b5cbfd44e110a2c2cd72125c757c6b957137fe9491b85e1f25014b564226a3e76c23ea463fd4d7ad742228b2b7bc533aa6b2539b43ca5c37aa2dd07218e3 WHIRLPOOL 07a121e9e56a48ec91f6151004bc542281fcd286835dbfb1f7ce8bbb66539675dac95ef5a1f12ed9e89ecb23cb1ea2a287bbe95a5133c629abbca6ee6caacd4d
+MISC ChangeLog 4964 SHA256 075febec76fb540580034cddb4ad5b0f728e5161acafef2854ef90feee89f620 SHA512 475232c13b479d2922cf85103be0dc423d1a577224f2a3ffb802f549af0a707155d9f3ca84176faa9b535e7b52ccaa5790333e6a037046331a95a3cefbf35362 WHIRLPOOL 76f2787b04bfe485fbde81470d5f75ccf5c2acb0cd83e4ff2fde77d8cbcfd32963246f90a9432d7e0b08c8bcb089ae6303d8c57943d753198a0319f72e303ed1
+MISC ChangeLog-2015 501 SHA256 ca70c2eb991fe8699aed29b6746b3ef94573e951002974c4d6fcd03efd50c3fa SHA512 ecd3b2e441cfcc1d0a917b3dea36f1a1c8215712ff95338ec3e68f5f4750af512249590337636d2ac44851b245a24ce43637ae5f681ae6d27ca88c3b974514ad WHIRLPOOL c4a0280467e9afe1c664c5d81cf16bce07ff7dacf143b9cbd25bb4515b0fc6da735110333904d5cfa07825655efe24e4962051abba43e14f379a2ff4f240edd5
+MISC metadata.xml 911 SHA256 29df1085f7a190af96af84acedbb9b38b5e0a5c0bcb7ee5f731ce32901c724e0 SHA512 f142b0f774e96873a78da61de3826c967912dcf081ae6849e7a9b9c02ba621ce3637987b53ec54fd51858ba492f34c891e4b1eabcd568eaebcf665937f36701c WHIRLPOOL bb5ea7d2795e915e38ed01fa002f58d01a578489ef344d3fa5c2e7d36642d611b838589e18d53a82d176c302108a6e9aebd6ee70b9629880f9f723e983febb5a
diff --git a/app-emulation/runc/files/runc-1.0.0_rc2-init-non-dumpable.patch b/app-emulation/runc/files/runc-1.0.0_rc2-init-non-dumpable.patch
new file mode 100644
index 000000000000..486835ad826c
--- /dev/null
+++ b/app-emulation/runc/files/runc-1.0.0_rc2-init-non-dumpable.patch
@@ -0,0 +1,108 @@
+From 50a19c6ff828c58e5dab13830bd3dacde268afe5 Mon Sep 17 00:00:00 2001
+From: Michael Crosby <crosbymichael@gmail.com>
+Date: Wed, 7 Dec 2016 15:05:51 -0800
+Subject: [PATCH] Set init processes as non-dumpable
+
+This sets the init processes that join and setup the container's
+namespaces as non-dumpable before they setns to the container's pid (or
+any other ) namespace.
+
+This settings is automatically reset to the default after the Exec in
+the container so that it does not change functionality for the
+applications that are running inside, just our init processes.
+
+This prevents parent processes, the pid 1 of the container, to ptrace
+the init process before it drops caps and other sets LSMs.
+
+This patch also ensures that the stateDirFD being used is still closed
+prior to exec, even though it is set as O_CLOEXEC, because of the order
+in the kernel.
+
+https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
+
+The order during the exec syscall is that the process is set back to
+dumpable before O_CLOEXEC are processed.
+
+Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
+---
+ libcontainer/init_linux.go | 3 ++-
+ libcontainer/nsenter/nsexec.c | 5 +++++
+ libcontainer/setns_init_linux.go | 7 ++++++-
+ libcontainer/standard_init_linux.go | 3 +++
+ 4 files changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
+index b1e6762..4043d51 100644
+--- a/libcontainer/init_linux.go
++++ b/libcontainer/init_linux.go
+@@ -77,7 +77,8 @@ func newContainerInit(t initType, pipe *os.File, stateDirFD int) (initer, error)
+ switch t {
+ case initSetns:
+ return &linuxSetnsInit{
+- config: config,
++ config: config,
++ stateDirFD: stateDirFD,
+ }, nil
+ case initStandard:
+ return &linuxStandardInit{
+diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
+index b93f827..4b5398b 100644
+--- a/libcontainer/nsenter/nsexec.c
++++ b/libcontainer/nsenter/nsexec.c
+@@ -408,6 +408,11 @@ void nsexec(void)
+ if (pipenum == -1)
+ return;
+
++ /* make the process non-dumpable */
++ if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) {
++ bail("failed to set process as non-dumpable");
++ }
++
+ /* Parse all of the netlink configuration. */
+ nl_parse(pipenum, &config);
+
+diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go
+index 2a8f345..7f5f182 100644
+--- a/libcontainer/setns_init_linux.go
++++ b/libcontainer/setns_init_linux.go
+@@ -5,6 +5,7 @@ package libcontainer
+ import (
+ "fmt"
+ "os"
++ "syscall"
+
+ "github.com/opencontainers/runc/libcontainer/apparmor"
+ "github.com/opencontainers/runc/libcontainer/keys"
+@@ -16,7 +17,8 @@ import (
+ // linuxSetnsInit performs the container's initialization for running a new process
+ // inside an existing container.
+ type linuxSetnsInit struct {
+- config *initConfig
++ config *initConfig
++ stateDirFD int
+ }
+
+ func (l *linuxSetnsInit) getSessionRingName() string {
+@@ -49,5 +51,8 @@ func (l *linuxSetnsInit) Init() error {
+ if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil {
+ return err
+ }
++ // close the statedir fd before exec because the kernel resets dumpable in the wrong order
++ // https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
++ syscall.Close(l.stateDirFD)
+ return system.Execv(l.config.Args[0], l.config.Args[0:], os.Environ())
+ }
+diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
+index 2104f1a..6a65154 100644
+--- a/libcontainer/standard_init_linux.go
++++ b/libcontainer/standard_init_linux.go
+@@ -171,6 +171,9 @@ func (l *linuxStandardInit) Init() error {
+ return newSystemErrorWithCause(err, "init seccomp")
+ }
+ }
++ // close the statedir fd before exec because the kernel resets dumpable in the wrong order
++ // https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
++ syscall.Close(l.stateDirFD)
+ if err := syscall.Exec(name, l.config.Args[0:], os.Environ()); err != nil {
+ return newSystemErrorWithCause(err, "exec user process")
+ }
diff --git a/app-emulation/runc/metadata.xml b/app-emulation/runc/metadata.xml
new file mode 100644
index 000000000000..91b38bdea9d1
--- /dev/null
+++ b/app-emulation/runc/metadata.xml
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <longdescription lang="en">
+ runc is a CLI tool for spawning and running containers according
+ to the OCF (Open Container Format) specification.
+ </longdescription>
+ <maintainer type="person">
+ <email>cardoe@gentoo.org</email>
+ <name>Doug Goldstein</name>
+ </maintainer>
+ <maintainer type="person">
+ <email>williamh@gentoo.org</email>
+ <name>William Hubbs</name>
+ </maintainer>
+ <maintainer type="person">
+ <email>mrueg@gentoo.org</email>
+ <name>Manuel RĂ¼ger</name>
+ </maintainer>
+ <use>
+ <flag name="ambient">
+ Enable support for ambient capabilities set (Requires Linux kernel 4.3 or later).
+ </flag>
+ <flag name="apparmor">
+ Enable AppArmor support.
+ </flag>
+ </use>
+ <upstream>
+ <remote-id type="github">opencontainers/runc</remote-id>
+ </upstream>
+</pkgmetadata>
diff --git a/app-emulation/runc/runc-1.0.0_rc2-r2.ebuild b/app-emulation/runc/runc-1.0.0_rc2-r2.ebuild
new file mode 100644
index 000000000000..0ecb0b79d1f7
--- /dev/null
+++ b/app-emulation/runc/runc-1.0.0_rc2-r2.ebuild
@@ -0,0 +1,59 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+EGO_PN="github.com/opencontainers/${PN}"
+
+if [[ ${PV} == *9999 ]]; then
+ inherit golang-vcs
+else
+ MY_PV="${PV/_/-}"
+ EGIT_COMMIT="v${MY_PV}"
+ RUNC_COMMIT="c91b5be" # Change this when you update the ebuild
+ SRC_URI="https://${EGO_PN}/archive/${EGIT_COMMIT}.tar.gz -> ${P}.tar.gz"
+ KEYWORDS="amd64 ~ppc64"
+ inherit golang-vcs-snapshot
+fi
+
+DESCRIPTION="runc container cli tools"
+HOMEPAGE="http://runc.io"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+IUSE="apparmor hardened +seccomp"
+
+RDEPEND="
+ apparmor? ( sys-libs/libapparmor )
+ seccomp? ( sys-libs/libseccomp )
+ !app-emulation/docker-runc
+"
+
+S=${WORKDIR}/${P}/src/${EGO_PN}
+
+PATCHES=( "${FILESDIR}"/${P}-init-non-dumpable.patch )
+
+src_compile() {
+ # Taken from app-emulation/docker-1.7.0-r1
+ export CGO_CFLAGS="-I${ROOT}/usr/include"
+ export CGO_LDFLAGS="$(usex hardened '-fno-PIC ' '')
+ -L${ROOT}/usr/$(get_libdir)"
+
+ # Setup GOPATH so things build
+ rm -rf .gopath
+ mkdir -p .gopath/src/"$(dirname "${GITHUB_URI}")"
+ ln -sf ../../../.. .gopath/src/"${GITHUB_URI}"
+ export GOPATH="${PWD}/.gopath:${PWD}/vendor"
+
+ # build up optional flags
+ local options=(
+ $(usex apparmor 'apparmor')
+ $(usex seccomp 'seccomp')
+ )
+
+ emake BUILDTAGS="${options[*]}" \
+ COMMIT="${RUNC_COMMIT}"
+}
+
+src_install() {
+ dobin runc
+}
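Review bot: src_compile sets up its GOPATH scaffold from `${GITHUB_URI}` (the `mkdir -p` and `ln -sf` lines), but this ebuild never defines GITHUB_URI — it names the repository as `EGO_PN` instead — so the variable expands empty and the directory and symlink are presumably created under a degenerate path. The same leftover appears in runc-1.0.0_rc2_p20170222.ebuild; only runc-9999.ebuild actually defines GITHUB_URI. Either switch the two lines to the variable this ebuild does have, `mkdir -p .gopath/src/"$(dirname "${EGO_PN}")"` and `ln -sf ../../../.. .gopath/src/"${EGO_PN}"`, or drop the scaffold altogether since golang-vcs-snapshot already lays the source out under `${WORKDIR}/${P}/src/${EGO_PN}` as S shows.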
diff --git a/app-emulation/runc/runc-1.0.0_rc2_p20170222.ebuild b/app-emulation/runc/runc-1.0.0_rc2_p20170222.ebuild
new file mode 100644
index 000000000000..50ad9ca1ac32
--- /dev/null
+++ b/app-emulation/runc/runc-1.0.0_rc2_p20170222.ebuild
@@ -0,0 +1,57 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+EGO_PN="github.com/opencontainers/${PN}"
+
+if [[ ${PV} == *9999 ]]; then
+ inherit golang-vcs
+else
+ MY_PV="${PV/_/-}"
+ EGIT_COMMIT="bd2f9c52cd3b766d993924ae6eba72b82998f3bd"
+ RUNC_COMMIT="bd2f9c" # Change this when you update the ebuild
+ SRC_URI="https://${EGO_PN}/archive/${EGIT_COMMIT}.tar.gz -> ${P}.tar.gz"
+ KEYWORDS="~amd64 ~ppc64"
+ inherit golang-vcs-snapshot
+fi
+
+DESCRIPTION="runc container cli tools"
+HOMEPAGE="http://runc.io"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+IUSE="apparmor hardened +seccomp"
+
+RDEPEND="
+ apparmor? ( sys-libs/libapparmor )
+ seccomp? ( sys-libs/libseccomp )
+ !app-emulation/docker-runc
+"
+
+S=${WORKDIR}/${P}/src/${EGO_PN}
+
+src_compile() {
+ # Taken from app-emulation/docker-1.7.0-r1
+ export CGO_CFLAGS="-I${ROOT}/usr/include"
+ export CGO_LDFLAGS="$(usex hardened '-fno-PIC ' '')
+ -L${ROOT}/usr/$(get_libdir)"
+
+ # Setup GOPATH so things build
+ rm -rf .gopath
+ mkdir -p .gopath/src/"$(dirname "${GITHUB_URI}")"
+ ln -sf ../../../.. .gopath/src/"${GITHUB_URI}"
+ export GOPATH="${PWD}/.gopath:${PWD}/vendor"
+
+ # build up optional flags
+ local options=(
+ $(usex apparmor 'apparmor')
+ $(usex seccomp 'seccomp')
+ )
+
+ emake BUILDTAGS="${options[*]}" \
+ COMMIT="${RUNC_COMMIT}"
+}
+
+src_install() {
+ dobin runc
+}
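Review bot: This snapshot ebuild does not apply the runc-1.0.0_rc2-init-non-dumpable.patch that runc-1.0.0_rc2-r2.ebuild carries in PATCHES, and nothing on the page records whether commit bd2f9c52cd3b766d993924ae6eba72b82998f3bd already contains upstream 50a19c6ff828c58e5dab13830bd3dacde268afe5 (the non-dumpable init hardening). If it does, a one-line comment next to EGIT_COMMIT such as `# includes upstream 50a19c6 (init non-dumpable), no local patch needed` would keep the next bump from silently reopening the gap; if it does not, the patch belongs in PATCHES here as well. The same question applies to runc-1.0.0_rc3.ebuild.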
diff --git a/app-emulation/runc/runc-1.0.0_rc3.ebuild b/app-emulation/runc/runc-1.0.0_rc3.ebuild
new file mode 100644
index 000000000000..ed12e14ff1bd
--- /dev/null
+++ b/app-emulation/runc/runc-1.0.0_rc3.ebuild
@@ -0,0 +1,55 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+EGO_PN="github.com/opencontainers/${PN}/..."
+
+if [[ ${PV} == *9999 ]]; then
+ inherit golang-build golang-vcs
+else
+ MY_PV="${PV/_/-}"
+ EGIT_COMMIT="v${MY_PV}"
+ RUNC_COMMIT="75f8da7" # Change this when you update the ebuild
+ SRC_URI="https://${EGO_PN%/*}/archive/${EGIT_COMMIT}.tar.gz -> ${P}.tar.gz"
+ KEYWORDS="~amd64 ~ppc64"
+ inherit golang-build golang-vcs-snapshot
+fi
+
+DESCRIPTION="runc container cli tools"
+HOMEPAGE="http://runc.io"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+IUSE="+ambient apparmor hardened +seccomp"
+
+RDEPEND="
+ apparmor? ( sys-libs/libapparmor )
+ seccomp? ( sys-libs/libseccomp )
+ !app-emulation/docker-runc
+"
+
+src_compile() {
+ # Taken from app-emulation/docker-1.7.0-r1
+ export CGO_CFLAGS="-I${ROOT}/usr/include"
+ export CGO_LDFLAGS="$(usex hardened '-fno-PIC ' '')
+ -L${ROOT}/usr/$(get_libdir)"
+
+ # build up optional flags
+ local options=(
+ $(usex ambient 'ambient')
+ $(usex apparmor 'apparmor')
+ $(usex seccomp 'seccomp')
+ )
+
+ GOPATH="${S}"\
+ emake BUILDTAGS="${options[*]}" \
+ COMMIT="${RUNC_COMMIT}" -C src/${EGO_PN%/*}
+}
+
+src_install() {
+ pushd src/${EGO_PN%/*} || die
+ dobin runc
+ dodoc README.md PRINCIPLES.md
+ popd || die
+
+}
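Review bot: `GOPATH="${S}"\` on the emake invocation has no space before the line-continuation backslash, so the assignment and `emake` are separated only by the indentation of the following line; write `GOPATH="${S}" \` so the per-command prefix does not depend on that whitespace surviving an edit. In the same function `-C src/${EGO_PN%/*}` and the `pushd src/${EGO_PN%/*}` in src_install are unquoted, unlike the other path expansions in these ebuilds, and src_install carries a stray blank line before its closing brace.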
diff --git a/app-emulation/runc/runc-9999.ebuild b/app-emulation/runc/runc-9999.ebuild
new file mode 100644
index 000000000000..8973c7491259
--- /dev/null
+++ b/app-emulation/runc/runc-9999.ebuild
@@ -0,0 +1,48 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit eutils multilib
+
+DESCRIPTION="runc container cli tools"
+HOMEPAGE="http://runc.io"
+
+GITHUB_URI="github.com/opencontainers/runc"
+
+if [[ ${PV} == *9999* ]]; then
+ EGIT_REPO_URI="git://${GITHUB_URI}.git"
+ inherit git-r3
+else
+ SRC_URI="https://${GITHUB_URI}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+ KEYWORDS="~amd64 ~ppc64"
+fi
+
+LICENSE="Apache-2.0"
+SLOT="0"
+IUSE="+seccomp"
+
+DEPEND=">=dev-lang/go-1.4:="
+RDEPEND="seccomp? ( sys-libs/libseccomp )
+ !app-emulation/docker-runc"
+
+src_compile() {
+ # Taken from app-emulation/docker-1.7.0-r1
+ export CGO_CFLAGS="-I${ROOT}/usr/include"
+ export CGO_LDFLAGS="-L${ROOT}/usr/$(get_libdir)"
+
+ # Setup GOPATH so things build
+ rm -rf .gopath
+ mkdir -p .gopath/src/"$(dirname "${GITHUB_URI}")"
+ ln -sf ../../../.. .gopath/src/"${GITHUB_URI}"
+ export GOPATH="${PWD}/.gopath:${PWD}/vendor"
+
+ # build up optional flags
+ local options=( $(usex seccomp "seccomp") )
+
+ emake BUILDTAGS="${options[@]}"
+}
+
+src_install() {
+ dobin runc
+}
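Review bot: EGIT_REPO_URI uses `git://`, which fetches the live source over an unauthenticated, unencrypted transport, so the build trusts whatever the network delivers; change it to `EGIT_REPO_URI="https://${GITHUB_URI}.git"` (the snapshot ebuilds in this commit already fetch their archives over https). Separately, `BUILDTAGS="${options[@]}"` expands to several words if options ever holds more than one tag, whereas the other ebuilds use `${options[*]}`, which is the form intended for a single space-joined value.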