From 185fa19bbf68a4d4dca534d2b46729207a177f16 Mon Sep 17 00:00:00 2001
From: V3n3RiX
Date: Tue, 11 May 2021 19:55:43 +0100
Subject: gentoo resync : 11.05.2021
---
 app-emulation/lxc/Manifest | 3 +-
 ...lxc-4.0.9-handle-kernels-with-CAP_SETFCAP.patch | 93 +++++++++++
 app-emulation/lxc/lxc-4.0.9-r1.ebuild | 174 +++++++++++++++++++++
 app-emulation/lxc/lxc-4.0.9.ebuild | 173 --------------------
 4 files changed, 269 insertions(+), 174 deletions(-)
 create mode 100644 app-emulation/lxc/files/lxc-4.0.9-handle-kernels-with-CAP_SETFCAP.patch
 create mode 100644 app-emulation/lxc/lxc-4.0.9-r1.ebuild
 delete mode 100644 app-emulation/lxc/lxc-4.0.9.ebuild
(limited to 'app-emulation/lxc')
diff --git a/app-emulation/lxc/Manifest b/app-emulation/lxc/Manifest
index 9e6e6e86fc6c..c9f2d5195797 100644
--- a/app-emulation/lxc/Manifest
+++ b/app-emulation/lxc/Manifest
@@ -1,5 +1,6 @@
 AUX lxc-2.0.5-omit-sysconfig.patch 259 BLAKE2B 977e151fbb8c9d98e89aaa5ee0426e64ab4286b4440af1582086a0ced8c6568efb470ccf68786da6ea52c82d1f4e81feac45bec411febc04fc31d108f05ccde2 SHA512 0aed9aca687accc6df79e97f48ab333043256e8ae68c8643f2b2452cc8013191238867d64ec71f7d399c59a43d3ba698b35d965090c5cb149b4f41302432e6e7
 AUX lxc-3.0.0-bash-completion.patch 915 BLAKE2B 8bb879e391cec349d211b47d321c64ea091c8475ac9a8c4adfb45918c044f6c49d9b9bce546082907d696f697baf0870893c4427abeafa496db89f99190cd091 SHA512 2f3728fcf5e88eecc1ae05bf038ef83baa375194c5bef0d0ef68feaf4d8092cdd8efef6b3c27207c4abd28b085f087af517242c65747b47d0a8fa840f6b9d279
+AUX lxc-4.0.9-handle-kernels-with-CAP_SETFCAP.patch 3529 BLAKE2B 6a9ac29e1c38643383df135981a3893e8bea631af85271499f687614a3c779d5a2adfee7d20ca3eca5358ac8b123ee1c969af9d41b1d5bc85749a91937f1845d SHA512 62640563ec638b9a2c9e66c533a604585d8289b7f71362b70fb1110ec2e840b68758cc217b1953d181cd34e1b8881bb24ff7fca6d2c3145ac2b973d157d1a979
 AUX lxc.initd.8 3669 BLAKE2B 50d41e0923ba26b9653ca3b5b559dd0905e61ec81969e709650fe7f1b26a4dcdc17158b7e449d666e2103047d9f196e53df8beca15fffd529fa8e743de97bd82 SHA512 1182b53a65399746f6d6bced0df5c1fde09c1ede4a28bfe95b5ed0bbd969d6f6423f63021d4b6f1dc62c7b2703f6963c03d881291650bdf21cfcf8432586c1b4
 AUX lxc_at.service.4.0.0 284 BLAKE2B 1adc76b9861f2499b7b703f7076782a258f9b21a3d1e32b69334f753faca9ecd8c6fb2a03baf04698e765f079e73ee683434d8c7c6d3b3082427a6af74ab33b1 SHA512 4c2f9846ca60bb78df7e652309900c0e788b45d569f268a9e5b98842518542b35fce253e2aedeb0eded3d37274390988ef887b01d1d37859ccddf6225286b4bb
 DIST lxc-4.0.6.tar.gz 1363162 BLAKE2B e2d9d281cf521575aeecefbcba0c7b7f336ab73193be94e760b37eb6f3423ec3520f194549def6f64c1662f22b7df5a03dfc6b4e6dac1bf229c5f726f51b4d43 SHA512 98514796ef2091a291516ed7fde737df07ccfe374a0f8b4314e0ee992837e98ed02aa9f7809f8808a2f5ee1c7ae2dcea163531cdaedbb577211eeb9beff90c15
@@ -7,5 +8,5 @@ DIST lxc-4.0.6.tar.gz.asc 833 BLAKE2B 04b6bda0ed52a6ab8eebde4d3d5f1f6cb19eea017a
 DIST lxc-4.0.9.tar.gz 1500310 BLAKE2B 3796d36b6f76ec595dc28207e66ec9f5a7c1a39f5c5ebc851638c519be35f59b4ec06a71b2866cd8fef0a6140f61fd4b70c900f5a8ffd42d7da7a30d3ff59975 SHA512 4ef9d9efdd4118fdffde8b49c6ae71cf5eb060be51daaa4f4ceb804c743fbf3278e6518e6a694faefc720f2834f98ac48d67842d589a2120b8f7ec4c3b61fa84
 DIST lxc-4.0.9.tar.gz.asc 833 BLAKE2B 2d275c968831410d987aa7f8062f4e35ba15043f92f38fd3bdd6bf80964906741d05ccd93789132d421ee1c8778cec6a2e76c4f0eb2165cf0107261495fa6856 SHA512 4c90dfbdba90959ee8df5da8ca8b240f65ab03ab91637833c677e2a73592c09f9c5a55b9a261be6efb0888156c916223ff1aa9003b18d46e667908aaa550c944
 EBUILD lxc-4.0.6.ebuild 4641 BLAKE2B 7344c4c288841bf83d9e55cf80487927fe5faa329d9eddbf6ca9009fe16aaf26957d7e5fb5dd61735b20bc1b93a81cfc3a06b52d53ecff51c869a280add09ca0 SHA512 9882e81775f6c5b3fa0075ce3c0b143419b4b11e838f16160d2466e19c82c5bd20fee58a25a64d72f613e08719339cdf47a15ff5e801d260e5cbd664f841ffd8
-EBUILD lxc-4.0.9.ebuild 4671 BLAKE2B 445b62d24e7b11fe9aff915ff52edc5fce05076e4c725b69ff8c2de2f694669ddbb70fbe58980bb9935d619015569482eafd1ed7a7c8f60a5f3f43abb0ec7b30 SHA512 7f2b725301619dc29b8376976dfa34e8d8ac1a728be2080717991b054e4e8f9b824db067f44d4dbe94400f5f12ba8c3a5ad2b1c7abd55330678575057327ddc6
+EBUILD lxc-4.0.9-r1.ebuild 4747 BLAKE2B c2dc493c2b7130884f76af358e12d8a84faeecdcd15c86fec6cbe7a1d5326406d2a6117588d85eebf0e0d8a1f24c51d0f691086e1a3405f5a2adf2702aa5b804 SHA512 6a3a7764a35493d99bc1d8ae9e00f27f3c4e316b39cec79256cb7d8e4ceb36c4eb5097c3744c27aba2feaef4529d38aac63e238117df675d354ff6aebd563f2b
 MISC metadata.xml 620 BLAKE2B 459aa85a0e432faff7d0a2a1e61d536bde2e07e057ce8da642e07582219605643740f1241f83d19335a96de568841234bc2505273570bafbd187bb51da64a674 SHA512 303ca453f18cdbeef118e6a452b1a0e56d2466cba47fec8d021c1b8e4a9998ba743a729fdadc71e27e98f1fe12f43d17d76820986aeb93f286e74565c1a852f6
diff --git a/app-emulation/lxc/files/lxc-4.0.9-handle-kernels-with-CAP_SETFCAP.patch b/app-emulation/lxc/files/lxc-4.0.9-handle-kernels-with-CAP_SETFCAP.patch
new file mode 100644
index 000000000000..6fba3c4154a4
--- /dev/null
+++ b/app-emulation/lxc/files/lxc-4.0.9-handle-kernels-with-CAP_SETFCAP.patch
@@ -0,0 +1,93 @@
+From 91ad9b94bcd964adfbaa8d84d8f39304d39835d0 Mon Sep 17 00:00:00 2001
+From: Christian Brauner
+Date: Thu, 6 May 2021 18:16:45 +0200
+Subject: [PATCH] conf: handle kernels with CAP_SETFCAP
+
+LXC is being very clever and sometimes maps the caller's uid into the
+child userns. This means that the caller can technically write fscaps
+that are valid in the ancestor userns (which can be a security issue in
+some scenarios) so newer kernels require CAP_SETFCAP to do this. Until
+newuidmap/newgidmap are updated to account for this simply write the
+mapping directly in this case.
+
+Cc: stable-4.0
+Signed-off-by: Christian Brauner
+---
+ src/lxc/conf.c | 25 ++++++++++++++++++++-----
+ 1 file changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/src/lxc/conf.c b/src/lxc/conf.c
+index 72e21b5300..f388946970 100644
+--- a/src/lxc/conf.c
++++ b/src/lxc/conf.c
+@@ -2978,6 +2978,9 @@ static int lxc_map_ids_exec_wrapper(void *args)
+ return -1;
+ }
+ 
++static struct id_map *find_mapped_hostid_entry(const struct lxc_list *idmap,
++ unsigned id, enum idtype idtype);
++
+ int lxc_map_ids(struct lxc_list *idmap, pid_t pid)
+ {
+ int fill, left;
+@@ -2991,12 +2994,22 @@ int lxc_map_ids(struct lxc_list *idmap, pid_t pid)
+ char mapbuf[STRLITERALLEN("new@idmap") + STRLITERALLEN(" ") +
+ INTTYPE_TO_STRLEN(pid_t) + STRLITERALLEN(" ") +
+ LXC_IDMAPLEN] = {0};
+- bool had_entry = false, use_shadow = false;
++ bool had_entry = false, maps_host_root = false, use_shadow = false;
+ int hostuid, hostgid;
+ 
+ hostuid = geteuid();
+ hostgid = getegid();
+ 
++ /*
++ * Check whether caller wants to map host root.
++ * Due to a security fix newer kernels require CAP_SETFCAP when mapping
++ * host root into the child userns as you would be able to write fscaps
++ * that would be valid in the ancestor userns. Mapping host root should
++ * rarely be the case but LXC is being clever in a bunch of cases.
++ */
++ if (find_mapped_hostid_entry(idmap, 0, ID_TYPE_UID))
++ maps_host_root = true;
++
+ /* If new{g,u}idmap exists, that is, if shadow is handing out subuid
+ * ranges, then insist that root also reserve ranges in subuid. This
+ * will protected it by preventing another user from being handed the
+@@ -3014,7 +3027,9 @@ int lxc_map_ids(struct lxc_list *idmap, pid_t pid)
+ else if (!gidmap)
+ WARN("newgidmap is lacking necessary privileges");
+ 
+- if (uidmap > 0 && gidmap > 0) {
++ if (maps_host_root) {
++ INFO("Caller maps host root. Writing mapping directly");
++ } else if (uidmap > 0 && gidmap > 0) {
+ DEBUG("Functional newuidmap and newgidmap binary found");
+ use_shadow = true;
+ } else {
+@@ -4229,14 +4244,14 @@ static struct id_map *mapped_nsid_add(const struct lxc_conf *conf, unsigned id,
+ return retmap;
+ }
+ 
+-static struct id_map *find_mapped_hostid_entry(const struct lxc_conf *conf,
++static struct id_map *find_mapped_hostid_entry(const struct lxc_list *idmap,
+ unsigned id, enum idtype idtype)
+ {
+ struct id_map *map;
+ struct lxc_list *it;
+ struct id_map *retmap = NULL;
+ 
+- lxc_list_for_each (it, &conf->id_map) {
++ lxc_list_for_each (it, idmap) {
+ map = it->elem;
+ if (map->idtype != idtype)
+ continue;
+@@ -4265,7 +4280,7 @@ static struct id_map *mapped_hostid_add(const struct lxc_conf *conf, uid_t id,
+ return NULL;
+ 
+ /* Reuse existing mapping. */
+- tmp = find_mapped_hostid_entry(conf, id, type);
++ tmp = find_mapped_hostid_entry(&conf->id_map, id, type);
+ if (tmp) {
+ memcpy(entry, tmp, sizeof(*entry));
+ } else {
diff --git a/app-emulation/lxc/lxc-4.0.9-r1.ebuild b/app-emulation/lxc/lxc-4.0.9-r1.ebuild
new file mode 100644
index 000000000000..8fbfeda5aca7
--- /dev/null
+++ b/app-emulation/lxc/lxc-4.0.9-r1.ebuild
@@ -0,0 +1,174 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit autotools bash-completion-r1 linux-info flag-o-matic optfeature pam readme.gentoo-r1 systemd verify-sig
+
+DESCRIPTION="A userspace interface for the Linux kernel containment features"
+HOMEPAGE="https://linuxcontainers.org/ https://github.com/lxc/lxc"
+SRC_URI="https://linuxcontainers.org/downloads/lxc/${P}.tar.gz
+ verify-sig? ( https://linuxcontainers.org/downloads/lxc/${P}.tar.gz.asc )"
+
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~x86"
+
+LICENSE="LGPL-3"
+SLOT="0"
+IUSE="apparmor +caps doc man pam selinux +ssl +tools verify-sig"
+
+RDEPEND="acct-group/lxc
+ acct-user/lxc
+ app-misc/pax-utils
+ sys-apps/util-linux
+ sys-libs/libcap
+ sys-libs/libseccomp
+ virtual/awk
+ caps? ( sys-libs/libcap )
+ pam? ( sys-libs/pam )
+ selinux? ( sys-libs/libselinux )
+ ssl? (
+ dev-libs/openssl:0=
+ )"
+DEPEND="${RDEPEND}
+ >=sys-kernel/linux-headers-4
+ apparmor? ( sys-apps/apparmor )"
+BDEPEND="doc? ( app-doc/doxygen )
+ man? ( app-text/docbook-sgml-utils )
+ verify-sig? ( app-crypt/openpgp-keys-linuxcontainers )"
+
+CONFIG_CHECK="~!NETPRIO_CGROUP
+ ~CGROUPS
+ ~CGROUP_CPUACCT
+ ~CGROUP_DEVICE
+ ~CGROUP_FREEZER
+
+ ~CGROUP_SCHED
+ ~CPUSETS
+ ~IPC_NS
+ ~MACVLAN
+
+ ~MEMCG
+ ~NAMESPACES
+ ~NET_NS
+ ~PID_NS
+
+ ~POSIX_MQUEUE
+ ~USER_NS
+ ~UTS_NS
+ ~VETH"
+
+ERROR_CGROUP_FREEZER="CONFIG_CGROUP_FREEZER: needed to freeze containers"
+ERROR_MACVLAN="CONFIG_MACVLAN: needed for internal (inter-container) networking"
+ERROR_MEMCG="CONFIG_MEMCG: needed for memory resource control in containers"
+ERROR_NET_NS="CONFIG_NET_NS: needed for unshared network"
+ERROR_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE: needed for lxc-execute command"
+ERROR_UTS_NS="CONFIG_UTS_NS: needed to unshare hostnames and uname info"
+ERROR_VETH="CONFIG_VETH: needed for internal (host-to-container) networking"
+
+DOCS=( AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt )
+
+pkg_setup() {
+ linux-info_pkg_setup
+}
+
+PATCHES=(
+ "${FILESDIR}"/lxc-4.0.9-handle-kernels-with-CAP_SETFCAP.patch # bug 789012
+ "${FILESDIR}"/${PN}-3.0.0-bash-completion.patch
+ "${FILESDIR}"/${PN}-2.0.5-omit-sysconfig.patch # bug 558854
+)
+
+VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/linuxcontainers.asc
+
+src_prepare() {
+ default
+ eautoreconf
+}
+
+src_configure() {
+ append-flags -fno-strict-aliasing
+
+ local myeconfargs=(
+ --bindir=/usr/bin
+ --localstatedir=/var
+ --sbindir=/usr/bin
+
+ --with-config-path=/var/lib/lxc
+ --with-distro=gentoo
+ --with-init-script=systemd
+ --with-rootfs-path=/var/lib/lxc/rootfs
+ --with-runtime-path=/run
+ --with-systemdsystemunitdir=$(systemd_get_systemunitdir)
+
+ --disable-coverity-build
+ --disable-dlog
+ --disable-fuzzers
+ --disable-mutex-debugging
+ --disable-no-undefined
+ --disable-rpath
+ --disable-sanitizers
+ --disable-tests
+ --disable-werror
+
+ --enable-bash
+ --enable-commands
+ --enable-memfd-rexec
+ --enable-seccomp
+ --enable-thread-safety
+
+ $(use_enable apparmor)
+ $(use_enable caps capabilities)
+ $(use_enable doc api-docs)
+ $(use_enable doc examples)
+ $(use_enable man doc)
+ $(use_enable pam)
+ $(use_enable selinux)
+ $(use_enable ssl openssl)
+ $(use_enable tools)
+
+ $(use_with pam pamdir $(getpam_mod_dir))
+ )
+
+ econf "${myeconfargs[@]}"
+}
+
+src_install() {
+ default
+
+ mv "${ED}"/usr/share/bash-completion/completions/${PN} "${ED}"/$(get_bashcompdir)/${PN}-start || die
+ bashcomp_alias ${PN}-start \
+ ${PN}-{attach,cgroup,copy,console,create,destroy,device,execute,freeze,info,monitor,snapshot,stop,unfreeze,wait}
+
+ keepdir /etc/lxc /var/lib/lxc/rootfs /var/log/lxc
+ rmdir "${D}"/var/cache/lxc "${D}"/var/cache || die "rmdir failed"
+
+ find "${D}" -name '*.la' -delete -o -name '*.a' -delete || die
+
+ # Gentoo-specific additions!
+ newinitd "${FILESDIR}/${PN}.initd.8" ${PN}
+
+ # Remember to compare our systemd unit file with the upstream one
+ # config/init/systemd/lxc.service.in
+ systemd_newunit "${FILESDIR}"/${PN}_at.service.4.0.0 "lxc@.service"
+
+ DOC_CONTENTS="
+ For openrc, there is an init script provided with the package.
+ You should only need to symlink /etc/init.d/lxc to
+ /etc/init.d/lxc.configname to start the container defined in
+ /etc/lxc/configname.conf.
+
+ Correspondingly, for systemd a service file lxc@.service is installed.
+ Enable and start lxc@configname in order to start the container defined
+ in /etc/lxc/configname.conf."
+ DISABLE_AUTOFORMATTING=true
+ readme.gentoo_create_doc
+}
+
+pkg_postinst() {
+ readme.gentoo_print_elog
+
+ elog "Please run 'lxc-checkconfig' to see optional kernel features."
+ elog
+ optfeature "automatic template scripts" app-emulation/lxc-templates
+ optfeature "Debian-based distribution container image support" dev-util/debootstrap
+ optfeature "snapshot & restore functionality" sys-process/criu
+}
diff --git a/app-emulation/lxc/lxc-4.0.9.ebuild b/app-emulation/lxc/lxc-4.0.9.ebuild
deleted file mode 100644
index 89a0b2e2b2df..000000000000
--- a/app-emulation/lxc/lxc-4.0.9.ebuild
+++ /dev/null
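Review bot: The new PATCHES entry `"${FILESDIR}"/lxc-4.0.9-handle-kernels-with-CAP_SETFCAP.patch # bug 789012` spells the package name out while the two entries right below it use `${PN}`; for consistency write `"${FILESDIR}"/${PN}-4.0.9-handle-kernels-with-CAP_SETFCAP.patch # bug 789012`. Separately, RDEPEND lists `sys-libs/libcap` unconditionally and again under `caps? ( sys-libs/libcap )`, so the USE-conditional entry appears redundant; if the unconditional dependency is intended the `caps?` group can be dropped, otherwise the unconditional line should go. Both points apply to the whole new file, which this hunk covers in full.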
@@ -1,173 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit autotools bash-completion-r1 linux-info flag-o-matic optfeature pam readme.gentoo-r1 systemd verify-sig
-
-DESCRIPTION="A userspace interface for the Linux kernel containment features"
-HOMEPAGE="https://linuxcontainers.org/ https://github.com/lxc/lxc"
-SRC_URI="https://linuxcontainers.org/downloads/lxc/${P}.tar.gz
- verify-sig? ( https://linuxcontainers.org/downloads/lxc/${P}.tar.gz.asc )"
-
-KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~x86"
-
-LICENSE="LGPL-3"
-SLOT="0"
-IUSE="apparmor +caps doc man pam selinux +ssl +tools verify-sig"
-
-RDEPEND="acct-group/lxc
- acct-user/lxc
- app-misc/pax-utils
- sys-apps/util-linux
- sys-libs/libcap
- sys-libs/libseccomp
- virtual/awk
- caps? ( sys-libs/libcap )
- pam? ( sys-libs/pam )
- selinux? ( sys-libs/libselinux )
- ssl? (
- dev-libs/openssl:0=
- )"
-DEPEND="${RDEPEND}
- >=sys-kernel/linux-headers-4
- apparmor? ( sys-apps/apparmor )"
-BDEPEND="doc? ( app-doc/doxygen )
- man? ( app-text/docbook-sgml-utils )
- verify-sig? ( app-crypt/openpgp-keys-linuxcontainers )"
-
-CONFIG_CHECK="~!NETPRIO_CGROUP
- ~CGROUPS
- ~CGROUP_CPUACCT
- ~CGROUP_DEVICE
- ~CGROUP_FREEZER
-
- ~CGROUP_SCHED
- ~CPUSETS
- ~IPC_NS
- ~MACVLAN
-
- ~MEMCG
- ~NAMESPACES
- ~NET_NS
- ~PID_NS
-
- ~POSIX_MQUEUE
- ~USER_NS
- ~UTS_NS
- ~VETH"
-
-ERROR_CGROUP_FREEZER="CONFIG_CGROUP_FREEZER: needed to freeze containers"
-ERROR_MACVLAN="CONFIG_MACVLAN: needed for internal (inter-container) networking"
-ERROR_MEMCG="CONFIG_MEMCG: needed for memory resource control in containers"
-ERROR_NET_NS="CONFIG_NET_NS: needed for unshared network"
-ERROR_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE: needed for lxc-execute command"
-ERROR_UTS_NS="CONFIG_UTS_NS: needed to unshare hostnames and uname info"
-ERROR_VETH="CONFIG_VETH: needed for internal (host-to-container) networking"
-
-DOCS=( AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt )
-
-pkg_setup() {
- linux-info_pkg_setup
-}
-
-PATCHES=(
- "${FILESDIR}"/${PN}-3.0.0-bash-completion.patch
- "${FILESDIR}"/${PN}-2.0.5-omit-sysconfig.patch # bug 558854
-)
-
-VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/linuxcontainers.asc
-
-src_prepare() {
- default
- eautoreconf
-}
-
-src_configure() {
- append-flags -fno-strict-aliasing
-
- local myeconfargs=(
- --bindir=/usr/bin
- --localstatedir=/var
- --sbindir=/usr/bin
-
- --with-config-path=/var/lib/lxc
- --with-distro=gentoo
- --with-init-script=systemd
- --with-rootfs-path=/var/lib/lxc/rootfs
- --with-runtime-path=/run
- --with-systemdsystemunitdir=$(systemd_get_systemunitdir)
-
- --disable-coverity-build
- --disable-dlog
- --disable-fuzzers
- --disable-mutex-debugging
- --disable-no-undefined
- --disable-rpath
- --disable-sanitizers
- --disable-tests
- --disable-werror
-
- --enable-bash
- --enable-commands
- --enable-memfd-rexec
- --enable-seccomp
- --enable-thread-safety
-
- $(use_enable apparmor)
- $(use_enable caps capabilities)
- $(use_enable doc api-docs)
- $(use_enable doc examples)
- $(use_enable man doc)
- $(use_enable pam)
- $(use_enable selinux)
- $(use_enable ssl openssl)
- $(use_enable tools)
-
- $(use_with pam pamdir $(getpam_mod_dir))
- )
-
- econf "${myeconfargs[@]}"
-}
-
-src_install() {
- default
-
- mv "${ED}"/usr/share/bash-completion/completions/${PN} "${ED}"/$(get_bashcompdir)/${PN}-start || die
- bashcomp_alias ${PN}-start \
- ${PN}-{attach,cgroup,copy,console,create,destroy,device,execute,freeze,info,monitor,snapshot,stop,unfreeze,wait}
-
- keepdir /etc/lxc /var/lib/lxc/rootfs /var/log/lxc
- rmdir "${D}"/var/cache/lxc "${D}"/var/cache || die "rmdir failed"
-
- find "${D}" -name '*.la' -delete -o -name '*.a' -delete || die
-
- # Gentoo-specific additions!
- newinitd "${FILESDIR}/${PN}.initd.8" ${PN}
-
- # Remember to compare our systemd unit file with the upstream one
- # config/init/systemd/lxc.service.in
- systemd_newunit "${FILESDIR}"/${PN}_at.service.4.0.0 "lxc@.service"
-
- DOC_CONTENTS="
- For openrc, there is an init script provided with the package.
- You should only need to symlink /etc/init.d/lxc to
- /etc/init.d/lxc.configname to start the container defined in
- /etc/lxc/configname.conf.
-
- Correspondingly, for systemd a service file lxc@.service is installed.
- Enable and start lxc@configname in order to start the container defined
- in /etc/lxc/configname.conf."
- DISABLE_AUTOFORMATTING=true
- readme.gentoo_create_doc
-}
-
-pkg_postinst() {
- readme.gentoo_print_elog
-
- elog "Please run 'lxc-checkconfig' to see optional kernel features."
- elog
- optfeature "automatic template scripts" app-emulation/lxc-templates
- optfeature "Debian-based distribution container image support" dev-util/debootstrap
- optfeature "snapshot & restore functionality" sys-process/criu
-}
-- cgit v1.2.3