From 79599515788b85b18aa655e7b7f8cc05c1bbddd8 Mon Sep 17 00:00:00 2001 From: V3n3RiX Date: Sat, 16 Feb 2019 12:59:29 +0000 Subject: gentoo resync : 16.02.1018 --- app-emulation/runc/Manifest | 7 +- app-emulation/runc/files/runc-fix-cve.patch | 334 +++++++++++++++++++++ .../runc/runc-1.0.0_rc5_p20180509-r1.ebuild | 62 ++++ app-emulation/runc/runc-1.0.0_rc5_p20180509.ebuild | 54 ---- app-emulation/runc/runc-1.0.0_rc6.ebuild | 61 ---- .../runc/runc-1.0.0_rc6_p20181203-r1.ebuild | 65 ++++ app-emulation/runc/runc-1.0.0_rc6_p20181203.ebuild | 61 ---- 7 files changed, 464 insertions(+), 180 deletions(-) create mode 100644 app-emulation/runc/files/runc-fix-cve.patch create mode 100644 app-emulation/runc/runc-1.0.0_rc5_p20180509-r1.ebuild delete mode 100644 app-emulation/runc/runc-1.0.0_rc5_p20180509.ebuild delete mode 100644 app-emulation/runc/runc-1.0.0_rc6.ebuild create mode 100644 app-emulation/runc/runc-1.0.0_rc6_p20181203-r1.ebuild delete mode 100644 app-emulation/runc/runc-1.0.0_rc6_p20181203.ebuild (limited to 'app-emulation/runc') diff --git a/app-emulation/runc/Manifest b/app-emulation/runc/Manifest index ae566c7280b3..1d3e43b86db6 100644 --- a/app-emulation/runc/Manifest +++ b/app-emulation/runc/Manifest @@ -1,10 +1,9 @@ +AUX runc-fix-cve.patch 8949 BLAKE2B b968b811c139a15d39daf78bbffac35aad583f1ca1cfe4c24ecf150588269d757329cc64643084a869593faae8c1a8e56b998985be7b94c7a4a98679292aab03 SHA512 51c87fc5d3584c86d6a9f92ffd2c9f66c2d9b9f0373370e910069e778f9acd10bfb4ae450b0ec1722f80d601810057402884992d9f8b7608f13e3bf9c007a28a DIST runc-1.0.0_rc5.tar.gz 1183902 BLAKE2B 46d0ffd9aa79a6f74b3194fa9e1932390115a43c903ae553acb7749d6be41220874a1ff9bae9706b5fecb9495dd6686c38ee1e9baf6118a14990f142baf6f64d SHA512 714230887ff9706c29b0656c5cdb253698bde6252a23e7f48aa690747fb57abd7884c2da1c4d0e314f9f301c5962417351557d15d986e45fcc336e98069aeac6 DIST runc-1.0.0_rc5_p20180509.tar.gz 1185576 BLAKE2B b56f9c185c061f51a1fd81c19d378b06c71d06c6eddcbc1c946b234814eb469ea4af37bf42ef3889e4d37bc430e69d0a563281b13055f855f1bc15935531fe28 SHA512 9a55bdb8e39830f46cceff48970b7688139927552e3d268b9ef4a6e640ffc3d95164b99c5b05d07d295bedc2ea22daf6062fd520df1548d78b1d481fd928f1e3 -DIST runc-1.0.0_rc6.tar.gz 1202212 BLAKE2B 2795b6e88a9587fac61a50bfea52a9df8524eb87aae66129d7ea83e8c3ca586efc60a46d24af857f7ba50f8e4d7021cbd2845d322a8c0ad08be3e0f19d80ba3b SHA512 2f7ed5e835f000d9810a116a27300336f424ac2c370dd1c7d158e26a4997d1e8398612387be27cc22cc25fdd52cc4cff7963ef88ce9c41d337321b75d9be2334 DIST runc-1.0.0_rc6_p20181203.tar.gz 1202869 BLAKE2B 5b5808fc65f3725e5cc22794c5ff6c5eba6016110358b0f60dd3378df2e5b64afb5631e5652f45e9721838dd02745b8c5a88abfcd244de202196ac16bfccd5a7 SHA512 ec3d3fec773f2f9df714b0813efb110e21e328634e0b4ae77f323a892d0327aea5d4b6f9ae2a549aa06fda5b27431f4514fd663c7033dc170ca1a03627931f9d EBUILD runc-1.0.0_rc5-r1.ebuild 1296 BLAKE2B 837b2acae2f5b76fea1e49c4a49b8149e9f6fe5ac06555f1ec23720ab947d5586f00d333165a2fc200a22caa7a3616976f856bf45db6769db4b991c7d27ec0f5 SHA512 746a2751e39deebac58542a5a4687fd53523046e2b12f5f543a7ef7d891adc145bd4deaaf2e42535651eb608d2b58e5ee2f9c7db64c8c32bd5805934cc8c4c39 -EBUILD runc-1.0.0_rc5_p20180509.ebuild 1293 BLAKE2B fb959be90dcd20df0504a031ee478235cc3b7da2b2638441af00fd25036472ac9724682d54e6b1e7c66adf92dd40ea341c586cebc00a81860cf5be19b001c3f4 SHA512 f779767205e310998bd58f456c6a31670b6ac36fa859fda489c11f9053995890dca5473a27dbf229ad9c21776cde75a749cb9d787d8476e7207a33b2e601fcf8 -EBUILD runc-1.0.0_rc6.ebuild 1468 BLAKE2B 555c76381e17abcdb4c24d95602817a54bd5cdacb867de12b100842da272e1c076d85db961b2394c9781d05528d59863544a69a000598c928bc0871b0b94096e SHA512 867a0495da8d9c5ec78d9480b9ee053d26d5edd15eb57cf2777812040aa86fd41b3c471e2cd6acf61c1f5fd1c97ae2227995549121773a3b0d7c2ee319a0a410 -EBUILD runc-1.0.0_rc6_p20181203.ebuild 1468 BLAKE2B 28e60cfb54e02204e13eb28af02e7bce670bd6213c7d9a45b90980639391fbbe2b1b96de74ff806d4a19e464641e02317b1cec0330b3775b4251dd56cd2ea6d5 SHA512 2c58e0a87a84de3a524b0abf863f3398f1193fcbbf1da7ea2f6d85f26776055cb39deebbb9b21a7a54ca358b12d5d50f98d4f5cad8b75729079045c1fef33b04 +EBUILD runc-1.0.0_rc5_p20180509-r1.ebuild 1408 BLAKE2B c5dde23793e7966a4d89a58d14b086e2d4a93825ac4385638b58739b583cceacd557cffb053f87de4029c55adf8ae982b1a761f7f1688fe3b49a16e94446bf34 SHA512 0cbe830942bee1b4e8dd229c29ace4a5f41244a6b1c1be1ca9e12d69bbecfb9179d7119f52fb0ec9cfbf74940f58bee57a5ae4ee0cf795fa969f5c925694a869 +EBUILD runc-1.0.0_rc6_p20181203-r1.ebuild 1534 BLAKE2B d907412e7df715865af6a5208f78b83134e2130fc00a29397b5881a74622cc9f4a0a396f7b132245840e2dccb0ffc41ceaa597070a2a8f6b66168fc4e41c2c3b SHA512 bb21bdbb24cf9ccc62c99a378efd6fe15f71587abdc487ee556e155fa33d041e3ea8e3cabca7a8c3af6154884bbc2508d9cf978c1c786bb87661bb266d93cd82 EBUILD runc-9999.ebuild 1080 BLAKE2B 09034744e5842eb2a340b3095ee3098c58b0853d81ee899b2b8e84c15ffe59638bfc6fb89d158edd4271f1e630c97dafdb4cbe7fb9286049dfe2bbf5eef213ed SHA512 b026b5cbfd44e110a2c2cd72125c757c6b957137fe9491b85e1f25014b564226a3e76c23ea463fd4d7ad742228b2b7bc533aa6b2539b43ca5c37aa2dd07218e3 MISC metadata.xml 870 BLAKE2B e7fdbbe8bd178b4781f9a1345cb3473b9b2371db7f824ec3351a117d8c07c4dfa208eb1d1ef946576a6aa972bb055eba03c934f2388538998bee0e742e31151f SHA512 090b4cdf0cf933ad782e9b68df78aec48265222083a17c5f8e387943b9b535fe3d3ba751629f5c3978987572a2f1e821514e54a7f5327164f0ee8f5ce48efcdd diff --git a/app-emulation/runc/files/runc-fix-cve.patch b/app-emulation/runc/files/runc-fix-cve.patch new file mode 100644 index 000000000000..fa85cb0444f3 --- /dev/null +++ b/app-emulation/runc/files/runc-fix-cve.patch @@ -0,0 +1,334 @@ +From 0a8e4117e7f715d5fbeef398405813ce8e88558b Mon Sep 17 00:00:00 2001 +From: Aleksa Sarai +Date: Wed, 9 Jan 2019 13:40:01 +1100 +Subject: [PATCH] nsenter: clone /proc/self/exe to avoid exposing host binary + to container + +There are quite a few circumstances where /proc/self/exe pointing to a +pretty important container binary is a _bad_ thing, so to avoid this we +have to make a copy (preferably doing self-clean-up and not being +writeable). + +We require memfd_create(2) -- though there is an O_TMPFILE fallback -- +but we can always extend this to use a scratch MNT_DETACH overlayfs or +tmpfs. The main downside to this approach is no page-cache sharing for +the runc binary (which overlayfs would give us) but this is far less +complicated. + +This is only done during nsenter so that it happens transparently to the +Go code, and any libcontainer users benefit from it. This also makes +ExtraFiles and --preserve-fds handling trivial (because we don't need to +worry about it). + +Fixes: CVE-2019-5736 +Co-developed-by: Christian Brauner +Signed-off-by: Aleksa Sarai +--- + libcontainer/nsenter/cloned_binary.c | 268 +++++++++++++++++++++++++++ + libcontainer/nsenter/nsexec.c | 11 ++ + 2 files changed, 279 insertions(+) + create mode 100644 libcontainer/nsenter/cloned_binary.c + +diff --git a/libcontainer/nsenter/cloned_binary.c b/libcontainer/nsenter/cloned_binary.c +new file mode 100644 +index 000000000..c8a42c23f +--- /dev/null ++++ b/libcontainer/nsenter/cloned_binary.c +@@ -0,0 +1,268 @@ ++/* ++ * Copyright (C) 2019 Aleksa Sarai ++ * Copyright (C) 2019 SUSE LLC ++ * ++ * Licensed under the Apache License, Version 2.0 (the "License"); ++ * you may not use this file except in compliance with the License. ++ * You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. ++ */ ++ ++#define _GNU_SOURCE ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++/* Use our own wrapper for memfd_create. */ ++#if !defined(SYS_memfd_create) && defined(__NR_memfd_create) ++# define SYS_memfd_create __NR_memfd_create ++#endif ++#ifdef SYS_memfd_create ++# define HAVE_MEMFD_CREATE ++/* memfd_create(2) flags -- copied from . */ ++# ifndef MFD_CLOEXEC ++# define MFD_CLOEXEC 0x0001U ++# define MFD_ALLOW_SEALING 0x0002U ++# endif ++int memfd_create(const char *name, unsigned int flags) ++{ ++ return syscall(SYS_memfd_create, name, flags); ++} ++#endif ++ ++/* This comes directly from . */ ++#ifndef F_LINUX_SPECIFIC_BASE ++# define F_LINUX_SPECIFIC_BASE 1024 ++#endif ++#ifndef F_ADD_SEALS ++# define F_ADD_SEALS (F_LINUX_SPECIFIC_BASE + 9) ++# define F_GET_SEALS (F_LINUX_SPECIFIC_BASE + 10) ++#endif ++#ifndef F_SEAL_SEAL ++# define F_SEAL_SEAL 0x0001 /* prevent further seals from being set */ ++# define F_SEAL_SHRINK 0x0002 /* prevent file from shrinking */ ++# define F_SEAL_GROW 0x0004 /* prevent file from growing */ ++# define F_SEAL_WRITE 0x0008 /* prevent writes */ ++#endif ++ ++#define RUNC_SENDFILE_MAX 0x7FFFF000 /* sendfile(2) is limited to 2GB. */ ++#ifdef HAVE_MEMFD_CREATE ++# define RUNC_MEMFD_COMMENT "runc_cloned:/proc/self/exe" ++# define RUNC_MEMFD_SEALS \ ++ (F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE) ++#endif ++ ++static void *must_realloc(void *ptr, size_t size) ++{ ++ void *old = ptr; ++ do { ++ ptr = realloc(old, size); ++ } while(!ptr); ++ return ptr; ++} ++ ++/* ++ * Verify whether we are currently in a self-cloned program (namely, is ++ * /proc/self/exe a memfd). F_GET_SEALS will only succeed for memfds (or rather ++ * for shmem files), and we want to be sure it's actually sealed. ++ */ ++static int is_self_cloned(void) ++{ ++ int fd, ret, is_cloned = 0; ++ ++ fd = open("/proc/self/exe", O_RDONLY|O_CLOEXEC); ++ if (fd < 0) ++ return -ENOTRECOVERABLE; ++ ++#ifdef HAVE_MEMFD_CREATE ++ ret = fcntl(fd, F_GET_SEALS); ++ is_cloned = (ret == RUNC_MEMFD_SEALS); ++#else ++ struct stat statbuf = {0}; ++ ret = fstat(fd, &statbuf); ++ if (ret >= 0) ++ is_cloned = (statbuf.st_nlink == 0); ++#endif ++ close(fd); ++ return is_cloned; ++} ++ ++/* ++ * Basic wrapper around mmap(2) that gives you the file length so you can ++ * safely treat it as an ordinary buffer. Only gives you read access. ++ */ ++static char *read_file(char *path, size_t *length) ++{ ++ int fd; ++ char buf[4096], *copy = NULL; ++ ++ if (!length) ++ return NULL; ++ ++ fd = open(path, O_RDONLY | O_CLOEXEC); ++ if (fd < 0) ++ return NULL; ++ ++ *length = 0; ++ for (;;) { ++ int n; ++ ++ n = read(fd, buf, sizeof(buf)); ++ if (n < 0) ++ goto error; ++ if (!n) ++ break; ++ ++ copy = must_realloc(copy, (*length + n) * sizeof(*copy)); ++ memcpy(copy + *length, buf, n); ++ *length += n; ++ } ++ close(fd); ++ return copy; ++ ++error: ++ close(fd); ++ free(copy); ++ return NULL; ++} ++ ++/* ++ * A poor-man's version of "xargs -0". Basically parses a given block of ++ * NUL-delimited data, within the given length and adds a pointer to each entry ++ * to the array of pointers. ++ */ ++static int parse_xargs(char *data, int data_length, char ***output) ++{ ++ int num = 0; ++ char *cur = data; ++ ++ if (!data || *output != NULL) ++ return -1; ++ ++ while (cur < data + data_length) { ++ num++; ++ *output = must_realloc(*output, (num + 1) * sizeof(**output)); ++ (*output)[num - 1] = cur; ++ cur += strlen(cur) + 1; ++ } ++ (*output)[num] = NULL; ++ return num; ++} ++ ++/* ++ * "Parse" out argv and envp from /proc/self/cmdline and /proc/self/environ. ++ * This is necessary because we are running in a context where we don't have a ++ * main() that we can just get the arguments from. ++ */ ++static int fetchve(char ***argv, char ***envp) ++{ ++ char *cmdline = NULL, *environ = NULL; ++ size_t cmdline_size, environ_size; ++ ++ cmdline = read_file("/proc/self/cmdline", &cmdline_size); ++ if (!cmdline) ++ goto error; ++ environ = read_file("/proc/self/environ", &environ_size); ++ if (!environ) ++ goto error; ++ ++ if (parse_xargs(cmdline, cmdline_size, argv) <= 0) ++ goto error; ++ if (parse_xargs(environ, environ_size, envp) <= 0) ++ goto error; ++ ++ return 0; ++ ++error: ++ free(environ); ++ free(cmdline); ++ return -EINVAL; ++} ++ ++static int clone_binary(void) ++{ ++ int binfd, memfd; ++ ssize_t sent = 0; ++ ++#ifdef HAVE_MEMFD_CREATE ++ memfd = memfd_create(RUNC_MEMFD_COMMENT, MFD_CLOEXEC | MFD_ALLOW_SEALING); ++#else ++ memfd = open("/tmp", O_TMPFILE | O_EXCL | O_RDWR | O_CLOEXEC, 0711); ++#endif ++ if (memfd < 0) ++ return -ENOTRECOVERABLE; ++ ++ binfd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC); ++ if (binfd < 0) ++ goto error; ++ ++ sent = sendfile(memfd, binfd, NULL, RUNC_SENDFILE_MAX); ++ close(binfd); ++ if (sent < 0) ++ goto error; ++ ++#ifdef HAVE_MEMFD_CREATE ++ int err = fcntl(memfd, F_ADD_SEALS, RUNC_MEMFD_SEALS); ++ if (err < 0) ++ goto error; ++#else ++ /* Need to re-open "memfd" as read-only to avoid execve(2) giving -EXTBUSY. */ ++ int newfd; ++ char *fdpath = NULL; ++ ++ if (asprintf(&fdpath, "/proc/self/fd/%d", memfd) < 0) ++ goto error; ++ newfd = open(fdpath, O_RDONLY | O_CLOEXEC); ++ free(fdpath); ++ if (newfd < 0) ++ goto error; ++ ++ close(memfd); ++ memfd = newfd; ++#endif ++ return memfd; ++ ++error: ++ close(memfd); ++ return -EIO; ++} ++ ++int ensure_cloned_binary(void) ++{ ++ int execfd; ++ char **argv = NULL, **envp = NULL; ++ ++ /* Check that we're not self-cloned, and if we are then bail. */ ++ int cloned = is_self_cloned(); ++ if (cloned > 0 || cloned == -ENOTRECOVERABLE) ++ return cloned; ++ ++ if (fetchve(&argv, &envp) < 0) ++ return -EINVAL; ++ ++ execfd = clone_binary(); ++ if (execfd < 0) ++ return -EIO; ++ ++ fexecve(execfd, argv, envp); ++ return -ENOEXEC; ++} +diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c +index 28269dfc0..7750af35e 100644 +--- a/libcontainer/nsenter/nsexec.c ++++ b/libcontainer/nsenter/nsexec.c +@@ -534,6 +534,9 @@ void join_namespaces(char *nslist) + free(namespaces); + } + ++/* Defined in cloned_binary.c. */ ++extern int ensure_cloned_binary(void); ++ + void nsexec(void) + { + int pipenum; +@@ -549,6 +552,14 @@ void nsexec(void) + if (pipenum == -1) + return; + ++ /* ++ * We need to re-exec if we are not in a cloned binary. This is necessary ++ * to ensure that containers won't be able to access the host binary ++ * through /proc/self/exe. See CVE-2019-5736. ++ */ ++ if (ensure_cloned_binary() < 0) ++ bail("could not ensure we are a cloned binary"); ++ + /* Parse all of the netlink configuration. */ + nl_parse(pipenum, &config); + diff --git a/app-emulation/runc/runc-1.0.0_rc5_p20180509-r1.ebuild b/app-emulation/runc/runc-1.0.0_rc5_p20180509-r1.ebuild new file mode 100644 index 000000000000..992fdf609d60 --- /dev/null +++ b/app-emulation/runc/runc-1.0.0_rc5_p20180509-r1.ebuild @@ -0,0 +1,62 @@ +# Copyright 1999-2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=6 +EGO_PN="github.com/opencontainers/${PN}" + +if [[ ${PV} == *9999 ]]; then + inherit golang-build golang-vcs +else + MY_PV="${PV/_/-}" + EGIT_COMMIT="v${MY_PV}" + RUNC_COMMIT="69663f0bd4b60df09991c08812a60108003fa340" # Change this when you update the ebuild + SRC_URI="https://${EGO_PN}/archive/${RUNC_COMMIT}.tar.gz -> ${P}.tar.gz" + KEYWORDS="amd64 ~arm ~arm64 ~ppc64" + inherit golang-build golang-vcs-snapshot +fi + +DESCRIPTION="runc container cli tools" +HOMEPAGE="http://runc.io" + +LICENSE="Apache-2.0" +SLOT="0" +IUSE="+ambient apparmor hardened +seccomp" + +RDEPEND=" + apparmor? ( sys-libs/libapparmor ) + seccomp? ( sys-libs/libseccomp ) + !app-emulation/docker-runc +" + +PATCHES=( "${FILESDIR}"/runc-fix-cve.patch ) + +src_prepare() { + pushd src/${EGO_PN} || die + default + popd || die +} + +src_compile() { + # Taken from app-emulation/docker-1.7.0-r1 + export CGO_CFLAGS="-I${ROOT}/usr/include" + export CGO_LDFLAGS="$(usex hardened '-fno-PIC ' '') + -L${ROOT}/usr/$(get_libdir)" + + # build up optional flags + local options=( + $(usex ambient 'ambient') + $(usex apparmor 'apparmor') + $(usex seccomp 'seccomp') + ) + + GOPATH="${S}"\ + emake BUILDTAGS="${options[*]}" \ + COMMIT="${RUNC_COMMIT}" -C src/${EGO_PN} +} + +src_install() { + pushd src/${EGO_PN} || die + dobin runc + dodoc README.md PRINCIPLES.md + popd || die +} diff --git a/app-emulation/runc/runc-1.0.0_rc5_p20180509.ebuild b/app-emulation/runc/runc-1.0.0_rc5_p20180509.ebuild deleted file mode 100644 index eb9cce7cf94b..000000000000 --- a/app-emulation/runc/runc-1.0.0_rc5_p20180509.ebuild +++ /dev/null @@ -1,54 +0,0 @@ -# Copyright 1999-2018 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=6 -EGO_PN="github.com/opencontainers/${PN}" - -if [[ ${PV} == *9999 ]]; then - inherit golang-build golang-vcs -else - MY_PV="${PV/_/-}" - EGIT_COMMIT="v${MY_PV}" - RUNC_COMMIT="69663f0bd4b60df09991c08812a60108003fa340" # Change this when you update the ebuild - SRC_URI="https://${EGO_PN}/archive/${RUNC_COMMIT}.tar.gz -> ${P}.tar.gz" - KEYWORDS="amd64 ~arm ~arm64 ~ppc64" - inherit golang-build golang-vcs-snapshot -fi - -DESCRIPTION="runc container cli tools" -HOMEPAGE="http://runc.io" - -LICENSE="Apache-2.0" -SLOT="0" -IUSE="+ambient apparmor hardened +seccomp" - -RDEPEND=" - apparmor? ( sys-libs/libapparmor ) - seccomp? ( sys-libs/libseccomp ) - !app-emulation/docker-runc -" - -src_compile() { - # Taken from app-emulation/docker-1.7.0-r1 - export CGO_CFLAGS="-I${ROOT}/usr/include" - export CGO_LDFLAGS="$(usex hardened '-fno-PIC ' '') - -L${ROOT}/usr/$(get_libdir)" - - # build up optional flags - local options=( - $(usex ambient 'ambient') - $(usex apparmor 'apparmor') - $(usex seccomp 'seccomp') - ) - - GOPATH="${S}"\ - emake BUILDTAGS="${options[*]}" \ - COMMIT="${RUNC_COMMIT}" -C src/${EGO_PN} -} - -src_install() { - pushd src/${EGO_PN} || die - dobin runc - dodoc README.md PRINCIPLES.md - popd || die -} diff --git a/app-emulation/runc/runc-1.0.0_rc6.ebuild b/app-emulation/runc/runc-1.0.0_rc6.ebuild deleted file mode 100644 index cb15bc43aaf8..000000000000 --- a/app-emulation/runc/runc-1.0.0_rc6.ebuild +++ /dev/null @@ -1,61 +0,0 @@ -# Copyright 1999-2018 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=6 -EGO_PN="github.com/opencontainers/${PN}" - -if [[ ${PV} == *9999 ]]; then - inherit golang-build golang-vcs -else - MY_PV="${PV/_/-}" - RUNC_COMMIT="ccb5efd37fb7c86364786e9137e22948751de7ed" # Change this when you update the ebuild - SRC_URI="https://${EGO_PN}/archive/${RUNC_COMMIT}.tar.gz -> ${P}.tar.gz" - KEYWORDS="~amd64 ~arm ~arm64 ~ppc64" - inherit golang-build golang-vcs-snapshot -fi - -DESCRIPTION="runc container cli tools" -HOMEPAGE="http://runc.io" - -LICENSE="Apache-2.0" -SLOT="0" -IUSE="+ambient apparmor hardened +kmem +seccomp" - -RDEPEND=" - apparmor? ( sys-libs/libapparmor ) - seccomp? ( sys-libs/libseccomp ) - !app-emulation/docker-runc -" - -src_prepare() { - default - sed -i -e "/^GIT_BRANCH/d"\ - -e "/^GIT_BRANCH_CLEAN/d"\ - -e "/^COMMIT_NO/d"\ - -e "s/COMMIT :=.*/COMMIT := ${RUNC_COMMIT}/"\ - src/${EGO_PN}/Makefile || die -} - -src_compile() { - # Taken from app-emulation/docker-1.7.0-r1 - export CGO_CFLAGS="-I${ROOT}/usr/include" - export CGO_LDFLAGS="$(usex hardened '-fno-PIC ' '') - -L${ROOT}/usr/$(get_libdir)" - - # build up optional flags - local options=( - $(usex ambient 'ambient' '') - $(usex apparmor 'apparmor' '') - $(usex seccomp 'seccomp' '') - $(usex kmem '' 'nokmem') - ) - - GOPATH="${S}" emake BUILDTAGS="${options[*]}" -C src/${EGO_PN} -} - -src_install() { - pushd src/${EGO_PN} || die - dobin runc - dodoc README.md PRINCIPLES.md - popd || die -} diff --git a/app-emulation/runc/runc-1.0.0_rc6_p20181203-r1.ebuild b/app-emulation/runc/runc-1.0.0_rc6_p20181203-r1.ebuild new file mode 100644 index 000000000000..893c249793a5 --- /dev/null +++ b/app-emulation/runc/runc-1.0.0_rc6_p20181203-r1.ebuild @@ -0,0 +1,65 @@ +# Copyright 1999-2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=6 +EGO_PN="github.com/opencontainers/${PN}" + +if [[ ${PV} == *9999 ]]; then + inherit golang-build golang-vcs +else + MY_PV="${PV/_/-}" + RUNC_COMMIT="96ec2177ae841256168fcf76954f7177af9446eb" # Change this when you update the ebuild + SRC_URI="https://${EGO_PN}/archive/${RUNC_COMMIT}.tar.gz -> ${P}.tar.gz" + KEYWORDS="amd64 ~arm ~arm64 ~ppc64" + inherit golang-build golang-vcs-snapshot +fi + +DESCRIPTION="runc container cli tools" +HOMEPAGE="http://runc.io" + +LICENSE="Apache-2.0" +SLOT="0" +IUSE="+ambient apparmor hardened +kmem +seccomp" + +RDEPEND=" + apparmor? ( sys-libs/libapparmor ) + seccomp? ( sys-libs/libseccomp ) + !app-emulation/docker-runc +" + +PATCHES=( "${FILESDIR}/${PN}-fix-cve.patch" ) + +src_prepare() { + pushd src/${EGO_PN} + default + sed -i -e "/^GIT_BRANCH/d"\ + -e "/^GIT_BRANCH_CLEAN/d"\ + -e "/^COMMIT_NO/d"\ + -e "s/COMMIT :=.*/COMMIT := ${RUNC_COMMIT}/"\ + Makefile || die + popd || die +} + +src_compile() { + # Taken from app-emulation/docker-1.7.0-r1 + export CGO_CFLAGS="-I${ROOT}/usr/include" + export CGO_LDFLAGS="$(usex hardened '-fno-PIC ' '') + -L${ROOT}/usr/$(get_libdir)" + + # build up optional flags + local options=( + $(usex ambient 'ambient' '') + $(usex apparmor 'apparmor' '') + $(usex seccomp 'seccomp' '') + $(usex kmem '' 'nokmem') + ) + + GOPATH="${S}" emake BUILDTAGS="${options[*]}" -C src/${EGO_PN} +} + +src_install() { + pushd src/${EGO_PN} || die + dobin runc + dodoc README.md PRINCIPLES.md + popd || die +} diff --git a/app-emulation/runc/runc-1.0.0_rc6_p20181203.ebuild b/app-emulation/runc/runc-1.0.0_rc6_p20181203.ebuild deleted file mode 100644 index c422609ace86..000000000000 --- a/app-emulation/runc/runc-1.0.0_rc6_p20181203.ebuild +++ /dev/null @@ -1,61 +0,0 @@ -# Copyright 1999-2019 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=6 -EGO_PN="github.com/opencontainers/${PN}" - -if [[ ${PV} == *9999 ]]; then - inherit golang-build golang-vcs -else - MY_PV="${PV/_/-}" - RUNC_COMMIT="96ec2177ae841256168fcf76954f7177af9446eb" # Change this when you update the ebuild - SRC_URI="https://${EGO_PN}/archive/${RUNC_COMMIT}.tar.gz -> ${P}.tar.gz" - KEYWORDS="~amd64 ~arm ~arm64 ~ppc64" - inherit golang-build golang-vcs-snapshot -fi - -DESCRIPTION="runc container cli tools" -HOMEPAGE="http://runc.io" - -LICENSE="Apache-2.0" -SLOT="0" -IUSE="+ambient apparmor hardened +kmem +seccomp" - -RDEPEND=" - apparmor? ( sys-libs/libapparmor ) - seccomp? ( sys-libs/libseccomp ) - !app-emulation/docker-runc -" - -src_prepare() { - default - sed -i -e "/^GIT_BRANCH/d"\ - -e "/^GIT_BRANCH_CLEAN/d"\ - -e "/^COMMIT_NO/d"\ - -e "s/COMMIT :=.*/COMMIT := ${RUNC_COMMIT}/"\ - src/${EGO_PN}/Makefile || die -} - -src_compile() { - # Taken from app-emulation/docker-1.7.0-r1 - export CGO_CFLAGS="-I${ROOT}/usr/include" - export CGO_LDFLAGS="$(usex hardened '-fno-PIC ' '') - -L${ROOT}/usr/$(get_libdir)" - - # build up optional flags - local options=( - $(usex ambient 'ambient' '') - $(usex apparmor 'apparmor' '') - $(usex seccomp 'seccomp' '') - $(usex kmem '' 'nokmem') - ) - - GOPATH="${S}" emake BUILDTAGS="${options[*]}" -C src/${EGO_PN} -} - -src_install() { - pushd src/${EGO_PN} || die - dobin runc - dodoc README.md PRINCIPLES.md - popd || die -} -- cgit v1.2.3