From d989e708fffe34dedb517ef61464dad873c9f017 Mon Sep 17 00:00:00 2001 From: Georgy Yakovlev Date: Sun, 19 Dec 2021 23:38:59 -0800 Subject: Move {app-emulation -> app-containers}/runc 
Signed-off-by: Georgy Yakovlev --- app-containers/containerd/containerd-1.4.11.ebuild | 2 +- app-containers/containerd/containerd-1.4.12.ebuild | 2 +- app-containers/containerd/containerd-1.5.7.ebuild | 2 +- app-containers/cri-o/cri-o-1.21.0.ebuild | 2 +- app-containers/cri-o/cri-o-1.21.4.ebuild | 2 +- app-containers/cri-o/cri-o-1.22.1.ebuild | 2 +- app-containers/img/img-0.5.11.ebuild | 2 +- app-containers/podman/podman-3.3.1.ebuild | 2 +- app-containers/podman/podman-3.4.0.ebuild | 2 +- app-containers/podman/podman-3.4.1.ebuild | 2 +- app-containers/podman/podman-3.4.2.ebuild | 2 +- app-containers/podman/podman-3.4.3.ebuild | 2 +- app-containers/podman/podman-3.4.4.ebuild | 2 +- app-containers/runc/Manifest | 2 + app-containers/runc/files/CVE-2021-43784.patch | 86 ++++++++++++++++++++++ app-containers/runc/metadata.xml | 28 +++++++ app-containers/runc/runc-1.0.2-r1.ebuild | 80 ++++++++++++++++++++ app-containers/runc/runc-1.0.3.ebuild | 78 ++++++++++++++++++++ app-emulation/runc/Manifest | 2 - app-emulation/runc/files/CVE-2021-43784.patch | 86 ---------------------- app-emulation/runc/metadata.xml | 28 ------- app-emulation/runc/runc-1.0.2-r1.ebuild | 80 -------------------- app-emulation/runc/runc-1.0.3.ebuild | 78 -------------------- profiles/updates/4Q-2021 | 1 + 24 files changed, 288 insertions(+), 287 deletions(-) create mode 100644 app-containers/runc/Manifest create mode 100644 app-containers/runc/files/CVE-2021-43784.patch create mode 100644 app-containers/runc/metadata.xml create mode 100644 app-containers/runc/runc-1.0.2-r1.ebuild create mode 100644 app-containers/runc/runc-1.0.3.ebuild delete mode 100644 app-emulation/runc/Manifest delete mode 100644 app-emulation/runc/files/CVE-2021-43784.patch delete mode 100644 app-emulation/runc/metadata.xml delete mode 100644 app-emulation/runc/runc-1.0.2-r1.ebuild delete mode 100644 app-emulation/runc/runc-1.0.3.ebuild 
diff --git a/app-containers/containerd/containerd-1.4.11.ebuild b/app-containers/containerd/containerd-1.4.11.ebuild
index d2038dd4a85c..44e419c33326 100644
--- a/app-containers/containerd/containerd-1.4.11.ebuild
+++ b/app-containers/containerd/containerd-1.4.11.ebuild
@@ -24,7 +24,7 @@ DEPEND="
 # recommended version of runc is found in script/setup/runc-version
 RDEPEND="
 ${DEPEND}
- ~app-emulation/runc-1.0.2
+ ~app-containers/runc-1.0.2
 "
 
 BDEPEND="
diff --git a/app-containers/containerd/containerd-1.4.12.ebuild b/app-containers/containerd/containerd-1.4.12.ebuild
index 10c53e0472be..a738accf70b9 100644
--- a/app-containers/containerd/containerd-1.4.12.ebuild
+++ b/app-containers/containerd/containerd-1.4.12.ebuild
@@ -24,7 +24,7 @@ DEPEND="
 # recommended version of runc is found in script/setup/runc-version
 RDEPEND="
 ${DEPEND}
- ~app-emulation/runc-1.0.2
+ ~app-containers/runc-1.0.2
 "
 
 BDEPEND="
diff --git a/app-containers/containerd/containerd-1.5.7.ebuild b/app-containers/containerd/containerd-1.5.7.ebuild
index 03b79d4159d6..de23ad71b908 100644
--- a/app-containers/containerd/containerd-1.5.7.ebuild
+++ b/app-containers/containerd/containerd-1.5.7.ebuild
@@ -22,7 +22,7 @@ DEPEND="
 # recommended version of runc is found in script/setup/runc-version
 RDEPEND="
 ${DEPEND}
- ~app-emulation/runc-1.0.2
+ ~app-containers/runc-1.0.2
 "
 
 BDEPEND="
diff --git a/app-containers/cri-o/cri-o-1.21.0.ebuild b/app-containers/cri-o/cri-o-1.21.0.ebuild
index 51699a1ed417..bd5def52cce5 100644
--- a/app-containers/cri-o/cri-o-1.21.0.ebuild
+++ b/app-containers/cri-o/cri-o-1.21.0.ebuild
@@ -1915,7 +1915,7 @@ IUSE="btrfs +device-mapper selinux systemd"
 COMMON_DEPEND="
 app-crypt/gpgme:=
 app-containers/conmon
- app-emulation/runc
+ app-containers/runc
 dev-libs/glib:=
 dev-libs/libassuan:=
 dev-libs/libgpg-error:=
diff --git a/app-containers/cri-o/cri-o-1.21.4.ebuild b/app-containers/cri-o/cri-o-1.21.4.ebuild
index a7724cecf4ef..68c28e6f0190 100644
--- a/app-containers/cri-o/cri-o-1.21.4.ebuild
+++ b/app-containers/cri-o/cri-o-1.21.4.ebuild
@@ -1959,7 +1959,7 @@ IUSE="btrfs +device-mapper selinux systemd"
 COMMON_DEPEND="
 app-crypt/gpgme:=
 app-containers/conmon
- app-emulation/runc
+ app-containers/runc
 dev-libs/glib:=
 dev-libs/libassuan:=
 dev-libs/libgpg-error:=
diff --git a/app-containers/cri-o/cri-o-1.22.1.ebuild b/app-containers/cri-o/cri-o-1.22.1.ebuild
index b7d6765090d4..4d339e8f124f 100644
--- a/app-containers/cri-o/cri-o-1.22.1.ebuild
+++ b/app-containers/cri-o/cri-o-1.22.1.ebuild
@@ -1997,7 +1997,7 @@ IUSE="btrfs +device-mapper selinux systemd"
 COMMON_DEPEND="
 app-crypt/gpgme:=
 app-containers/conmon
- app-emulation/runc
+ app-containers/runc
 dev-libs/glib:=
 dev-libs/libassuan:=
 dev-libs/libgpg-error:=
diff --git a/app-containers/img/img-0.5.11.ebuild b/app-containers/img/img-0.5.11.ebuild
index cd92124e2d1f..a01cea3b2268 100644
--- a/app-containers/img/img-0.5.11.ebuild
+++ b/app-containers/img/img-0.5.11.ebuild
@@ -533,7 +533,7 @@ IUSE="seccomp"
 
 DEPEND="seccomp? ( sys-libs/libseccomp )"
 RDEPEND="${DEPEND}
- app-emulation/runc"
+ app-containers/runc"
 
 src_compile() {
 IMG_DISABLE_EMBEDDED_RUNC=1 \
diff --git a/app-containers/podman/podman-3.3.1.ebuild b/app-containers/podman/podman-3.3.1.ebuild
index ac44c72cf14e..0d45638721e4 100644
--- a/app-containers/podman/podman-3.3.1.ebuild
+++ b/app-containers/podman/podman-3.3.1.ebuild
@@ -21,7 +21,7 @@ RESTRICT="test"
 COMMON_DEPEND="
 app-crypt/gpgme:=
 >=app-containers/conmon-2.0.0
- || ( >=app-emulation/runc-1.0.0_rc6 app-containers/crun )
+ || ( >=app-containers/runc-1.0.0_rc6 app-containers/crun )
 dev-libs/libassuan:=
 dev-libs/libgpg-error:=
 >=net-misc/cni-plugins-0.8.6
diff --git a/app-containers/podman/podman-3.4.0.ebuild b/app-containers/podman/podman-3.4.0.ebuild
index d58eb39fe82d..cbad65d0e440 100644
--- a/app-containers/podman/podman-3.4.0.ebuild
+++ b/app-containers/podman/podman-3.4.0.ebuild
@@ -21,7 +21,7 @@ RESTRICT+=" test"
 COMMON_DEPEND="
 app-crypt/gpgme:=
 >=app-containers/conmon-2.0.0
- || ( >=app-emulation/runc-1.0.0_rc6 app-containers/crun )
+ || ( >=app-containers/runc-1.0.0_rc6 app-containers/crun )
 dev-libs/libassuan:=
 dev-libs/libgpg-error:=
 >=net-misc/cni-plugins-0.8.6
diff --git a/app-containers/podman/podman-3.4.1.ebuild b/app-containers/podman/podman-3.4.1.ebuild
index 4097b7d5adb1..44cbb7034662 100644
--- a/app-containers/podman/podman-3.4.1.ebuild
+++ b/app-containers/podman/podman-3.4.1.ebuild
@@ -21,7 +21,7 @@ RESTRICT+=" test"
 COMMON_DEPEND="
 app-crypt/gpgme:=
 >=app-containers/conmon-2.0.0
- || ( >=app-emulation/runc-1.0.0_rc6 app-containers/crun )
+ || ( >=app-containers/runc-1.0.0_rc6 app-containers/crun )
 dev-libs/libassuan:=
 dev-libs/libgpg-error:=
 >=net-misc/cni-plugins-0.8.6
diff --git a/app-containers/podman/podman-3.4.2.ebuild b/app-containers/podman/podman-3.4.2.ebuild
index 9ce7f02cfc06..f27fd5123313 100644
--- a/app-containers/podman/podman-3.4.2.ebuild
+++ b/app-containers/podman/podman-3.4.2.ebuild
@@ -21,7 +21,7 @@ RESTRICT+=" test"
 COMMON_DEPEND="
 app-crypt/gpgme:=
 >=app-containers/conmon-2.0.0
- || ( >=app-emulation/runc-1.0.0_rc6 app-containers/crun )
+ || ( >=app-containers/runc-1.0.0_rc6 app-containers/crun )
 dev-libs/libassuan:=
 dev-libs/libgpg-error:=
 >=net-misc/cni-plugins-0.8.6
diff --git a/app-containers/podman/podman-3.4.3.ebuild b/app-containers/podman/podman-3.4.3.ebuild
index bdd678320e5f..419c47b5d16f 100644
--- a/app-containers/podman/podman-3.4.3.ebuild
+++ b/app-containers/podman/podman-3.4.3.ebuild
@@ -21,7 +21,7 @@ RESTRICT+=" test"
 COMMON_DEPEND="
 app-crypt/gpgme:=
 >=app-containers/conmon-2.0.0
- || ( >=app-emulation/runc-1.0.0_rc6 app-containers/crun )
+ || ( >=app-containers/runc-1.0.0_rc6 app-containers/crun )
 dev-libs/libassuan:=
 dev-libs/libgpg-error:=
 >=net-misc/cni-plugins-0.8.6
diff --git a/app-containers/podman/podman-3.4.4.ebuild b/app-containers/podman/podman-3.4.4.ebuild
index bdd678320e5f..419c47b5d16f 100644
--- a/app-containers/podman/podman-3.4.4.ebuild
+++ b/app-containers/podman/podman-3.4.4.ebuild
@@ -21,7 +21,7 @@ RESTRICT+=" test"
 COMMON_DEPEND="
 app-crypt/gpgme:=
 >=app-containers/conmon-2.0.0
- || ( >=app-emulation/runc-1.0.0_rc6 app-containers/crun )
+ || ( >=app-containers/runc-1.0.0_rc6 app-containers/crun )
 dev-libs/libassuan:=
 dev-libs/libgpg-error:=
 >=net-misc/cni-plugins-0.8.6
diff --git a/app-containers/runc/Manifest b/app-containers/runc/Manifest
new file mode 100644
index 000000000000..e896bdf3b837
--- /dev/null
+++ b/app-containers/runc/Manifest
@@ -0,0 +1,2 @@
+DIST runc-1.0.2.tar.gz 2374156 BLAKE2B 526520adb7127e46e7258de75e66a15a5aac216a2a2fcb91f4d9c5da393892242c4d93c5f5483ab111bf29eed7d8f0c8c138ae83a22809d72802a981dcda0395 SHA512 434abd6d7ad2508c2272b627d8aeeb28ecd8461899bff463e7d2c7abbc0f0cbb2e0bafbfe81fc534fad506b1acb4bda3e05639ecd908bc9d0d2e9356f1e56e26
+DIST runc-1.0.3.tar.gz 2375241 BLAKE2B 0fb9368ab5442462001c15a67a71821133ad90d16cac5aac760e52b2477db69c0a5dd59df42601119b19ede508889796c994a24624f88ec6a1a29dad19e0bf33 SHA512 64a1894c2b4ed5a68b185e88548fc9fbbd01d8a9495feed59fb196aa06763d64cfb71ca6cbc09d1defa26a0d94ad58626296585741f23df2e290147ba6c4c26e
diff --git a/app-containers/runc/files/CVE-2021-43784.patch b/app-containers/runc/files/CVE-2021-43784.patch
new file mode 100644
index 000000000000..ab3886ee9ba7
--- /dev/null
+++ b/app-containers/runc/files/CVE-2021-43784.patch
@@ -0,0 +1,86 @@ +From b8dbe46687c2a96efa9252b69d3fc1ce33bdc416 Mon Sep 17 00:00:00 2001 +From: Aleksa Sarai +Date: Thu, 18 Nov 2021 16:12:59 +1100 +Subject: [PATCH] runc init: avoid netlink message length overflows + +When writing netlink messages, it is possible to have a byte array +larger than UINT16_MAX which would result in the length field +overflowing and allowing user-controlled data to be parsed as control +characters (such as creating custom mount points, changing which set of +namespaces to allow, and so on). + +Co-authored-by: Kir Kolyshkin +Signed-off-by: Kir Kolyshkin +Signed-off-by: Aleksa Sarai +--- + libcontainer/container_linux.go | 20 +++++++++++++++++++- + libcontainer/message_linux.go | 9 +++++++++ + 2 files changed, 28 insertions(+), 1 deletion(-) + +diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go +index 6ce1854f68..1484703b0c 100644 +--- a/libcontainer/container_linux.go ++++ b/libcontainer/container_linux.go +@@ -2028,16 +2028,34 @@ func encodeIDMapping(idMap []configs.IDMap) ([]byte, error) { + return data.Bytes(), nil + } + ++// netlinkError is an error wrapper type for use by custom netlink message ++// types. Panics with errors are wrapped in netlinkError so that the recover ++// in bootstrapData can distinguish intentional panics. ++type netlinkError struct{ error } ++ + // bootstrapData encodes the necessary data in netlink binary format + // as a io.Reader. + // Consumer can write the data to a bootstrap program + // such as one that uses nsenter package to bootstrap the container's + // init process correctly, i.e. with correct namespaces, uid/gid + // mapping etc. 
+-func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.NamespaceType]string) (io.Reader, error) { ++func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.NamespaceType]string) (_ io.Reader, Err error) { + // create the netlink message + r := nl.NewNetlinkRequest(int(InitMsg), 0) + ++ // Our custom messages cannot bubble up an error using returns, instead ++ // they will panic with the specific error type, netlinkError. In that ++ // case, recover from the panic and return that as an error. ++ defer func() { ++ if r := recover(); r != nil { ++ if e, ok := r.(netlinkError); ok { ++ Err = e.error ++ } else { ++ panic(r) ++ } ++ } ++ }() ++ + // write cloneFlags + r.AddData(&Int32msg{ + Type: CloneFlagsAttr, +diff --git a/libcontainer/message_linux.go b/libcontainer/message_linux.go +index 1d4f5033aa..e4107ce39f 100644 +--- a/libcontainer/message_linux.go ++++ b/libcontainer/message_linux.go +@@ -3,6 +3,9 @@ + package libcontainer + + import ( ++ "fmt" ++ "math" ++ + "github.com/vishvananda/netlink/nl" + "golang.org/x/sys/unix" + ) +@@ -54,6 +57,12 @@ type Bytemsg struct { + + func (msg *Bytemsg) Serialize() []byte { + l := msg.Len() ++ if l > math.MaxUint16 { ++ // We cannot return nil nor an error here, so we panic with ++ // a specific type instead, which is handled via recover in ++ // bootstrapData. ++ panic(netlinkError{fmt.Errorf("netlink: cannot serialize bytemsg of length %d (larger than UINT16_MAX)", l)}) ++ } + buf := make([]byte, (l+unix.NLA_ALIGNTO-1) & ^(unix.NLA_ALIGNTO-1)) + native := nl.NativeEndian() + native.PutUint16(buf[0:2], uint16(l)) diff --git a/app-containers/runc/metadata.xml b/app-containers/runc/metadata.xml new file mode 100644 index 000000000000..d27ad6413b06 --- /dev/null +++ b/app-containers/runc/metadata.xml 
@@ -0,0 +1,28 @@ + + + + + runc is a CLI tool for spawning and running containers according + to the OCF (Open Container Format) specification. + + + williamh@gentoo.org + William Hubbs + + + gyakovlev@gentoo.org + Georgy Yakovlev + + + + Enable AppArmor support. + + + Enable Kernel Memory Accounting. + + + + opencontainers/runc + cpe:/a:linuxfoundation:runc + + diff --git a/app-containers/runc/runc-1.0.2-r1.ebuild b/app-containers/runc/runc-1.0.2-r1.ebuild new file mode 100644 index 000000000000..38b6da62493d --- /dev/null +++ b/app-containers/runc/runc-1.0.2-r1.ebuild 
@@ -0,0 +1,80 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit go-module linux-info
+
+# update on bump, look for https://github.com/docker\
+# docker-ce/blob//components/engine/hack/dockerfile/install/runc.installer
+RUNC_COMMIT=52b36a2dd837e8462de8e01458bf02cf9eea47dd
+CONFIG_CHECK="~USER_NS"
+
+DESCRIPTION="runc container cli tools"
+HOMEPAGE="http://github.com/opencontainers/runc/"
+MY_PV="${PV/_/-}"
+SRC_URI="https://github.com/opencontainers/${PN}/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0 BSD-2 BSD MIT"
+SLOT="0"
+KEYWORDS="amd64 ~arm arm64 ppc64 ~riscv ~x86"
+IUSE="apparmor hardened +kmem +seccomp test"
+
+DEPEND="seccomp? ( sys-libs/libseccomp )"
+
+RDEPEND="
+ ${DEPEND}
+ !app-emulation/docker-runc
+ apparmor? ( sys-libs/libapparmor )
+"
+
+BDEPEND="
+ dev-go/go-md2man
+ test? ( "${RDEPEND}" )
+"
+
+PATCHES=( "${FILESDIR}/CVE-2021-43784.patch" )
+
+# tests need busybox binary, and portage namespace
+# sandboxing disabled: mount-sandbox pid-sandbox ipc-sandbox
+# majority of tests pass
+RESTRICT+=" test"
+
+S="${WORKDIR}/${PN}-${MY_PV}"
+
+src_compile() {
+ # Taken from app-emulation/docker-1.7.0-r1
+ export CGO_CFLAGS="-I${ESYSROOT}/usr/include"
+ export CGO_LDFLAGS="$(usex hardened '-fno-PIC ' '')
+ -L${ESYSROOT}/usr/$(get_libdir)"
+
+ # build up optional flags
+ local options=(
+ $(usev apparmor)
+ $(usev seccomp)
+ $(usex kmem '' 'nokmem')
+ )
+
+ myemakeargs=(
+ BUILDTAGS="${options[*]}"
+ COMMIT="${RUNC_COMMIT}"
+ )
+
+ emake "${myemakeargs[@]}" runc man
+}
+
+src_install() {
+ myemakeargs+=(
+ PREFIX="${ED}/usr"
+ BINDIR="${ED}/usr/bin"
+ MANDIR="${ED}/usr/share/man"
+ )
+ emake "${myemakeargs[@]}" install install-man install-bash
+
+ local DOCS=( README.md PRINCIPLES.md docs/. )
+ einstalldocs
+}
+
+src_test() {
+ emake "${myemakeargs[@]}" localunittest
+}
diff --git a/app-containers/runc/runc-1.0.3.ebuild b/app-containers/runc/runc-1.0.3.ebuild
new file mode 100644
index 000000000000..db1d0c6af602
--- /dev/null
+++ b/app-containers/runc/runc-1.0.3.ebuild
@@ -0,0 +1,78 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit go-module linux-info
+
+# update on bump, look for https://github.com/docker\
+# docker-ce/blob//components/engine/hack/dockerfile/install/runc.installer
+RUNC_COMMIT=f46b6ba2c9314cfc8caae24a32ec5fe9ef1059fe
+CONFIG_CHECK="~USER_NS"
+
+DESCRIPTION="runc container cli tools"
+HOMEPAGE="http://github.com/opencontainers/runc/"
+MY_PV="${PV/_/-}"
+SRC_URI="https://github.com/opencontainers/${PN}/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0 BSD-2 BSD MIT"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
+IUSE="apparmor hardened +kmem +seccomp test"
+
+DEPEND="seccomp? ( sys-libs/libseccomp )"
+
+RDEPEND="
+ ${DEPEND}
+ !app-emulation/docker-runc
+ apparmor? ( sys-libs/libapparmor )
+"
+
+BDEPEND="
+ dev-go/go-md2man
+ test? ( "${RDEPEND}" )
+"
+
+# tests need busybox binary, and portage namespace
+# sandboxing disabled: mount-sandbox pid-sandbox ipc-sandbox
+# majority of tests pass
+RESTRICT+=" test"
+
+S="${WORKDIR}/${PN}-${MY_PV}"
+
+src_compile() {
+ # Taken from app-emulation/docker-1.7.0-r1
+ export CGO_CFLAGS="-I${ESYSROOT}/usr/include"
+ export CGO_LDFLAGS="$(usex hardened '-fno-PIC ' '')
+ -L${ESYSROOT}/usr/$(get_libdir)"
+
+ # build up optional flags
+ local options=(
+ $(usev apparmor)
+ $(usev seccomp)
+ $(usex kmem '' 'nokmem')
+ )
+
+ myemakeargs=(
+ BUILDTAGS="${options[*]}"
+ COMMIT="${RUNC_COMMIT}"
+ )
+
+ emake "${myemakeargs[@]}" runc man
+}
+
+src_install() {
+ myemakeargs+=(
+ PREFIX="${ED}/usr"
+ BINDIR="${ED}/usr/bin"
+ MANDIR="${ED}/usr/share/man"
+ )
+ emake "${myemakeargs[@]}" install install-man install-bash
+
+ local DOCS=( README.md PRINCIPLES.md docs/. )
+ einstalldocs
+}
+
+src_test() {
+ emake "${myemakeargs[@]}" localunittest
+}
diff --git a/app-emulation/runc/Manifest b/app-emulation/runc/Manifest
deleted file mode 100644
index e896bdf3b837..000000000000
--- a/app-emulation/runc/Manifest
+++ /dev/null
@@ -1,2 +0,0 @@
-DIST runc-1.0.2.tar.gz 2374156 BLAKE2B 526520adb7127e46e7258de75e66a15a5aac216a2a2fcb91f4d9c5da393892242c4d93c5f5483ab111bf29eed7d8f0c8c138ae83a22809d72802a981dcda0395 SHA512 434abd6d7ad2508c2272b627d8aeeb28ecd8461899bff463e7d2c7abbc0f0cbb2e0bafbfe81fc534fad506b1acb4bda3e05639ecd908bc9d0d2e9356f1e56e26
-DIST runc-1.0.3.tar.gz 2375241 BLAKE2B 0fb9368ab5442462001c15a67a71821133ad90d16cac5aac760e52b2477db69c0a5dd59df42601119b19ede508889796c994a24624f88ec6a1a29dad19e0bf33 SHA512 64a1894c2b4ed5a68b185e88548fc9fbbd01d8a9495feed59fb196aa06763d64cfb71ca6cbc09d1defa26a0d94ad58626296585741f23df2e290147ba6c4c26e
diff --git a/app-emulation/runc/files/CVE-2021-43784.patch b/app-emulation/runc/files/CVE-2021-43784.patch
deleted file mode 100644
index ab3886ee9ba7..000000000000
--- a/app-emulation/runc/files/CVE-2021-43784.patch
+++ /dev/null
@@ -1,86 +0,0 @@ -From b8dbe46687c2a96efa9252b69d3fc1ce33bdc416 Mon Sep 17 00:00:00 2001 -From: Aleksa Sarai -Date: Thu, 18 Nov 2021 16:12:59 +1100 -Subject: [PATCH] runc init: avoid netlink message length overflows - -When writing netlink messages, it is possible to have a byte array -larger than UINT16_MAX which would result in the length field -overflowing and allowing user-controlled data to be parsed as control -characters (such as creating custom mount points, changing which set of -namespaces to allow, and so on). - -Co-authored-by: Kir Kolyshkin -Signed-off-by: Kir Kolyshkin -Signed-off-by: Aleksa Sarai ---- - libcontainer/container_linux.go | 20 +++++++++++++++++++- - libcontainer/message_linux.go | 9 +++++++++ - 2 files changed, 28 insertions(+), 1 deletion(-) - -diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go -index 6ce1854f68..1484703b0c 100644 ---- a/libcontainer/container_linux.go -+++ b/libcontainer/container_linux.go -@@ -2028,16 +2028,34 @@ func encodeIDMapping(idMap []configs.IDMap) ([]byte, error) { - return data.Bytes(), nil - } - -+// netlinkError is an error wrapper type for use by custom netlink message -+// types. Panics with errors are wrapped in netlinkError so that the recover -+// in bootstrapData can distinguish intentional panics. -+type netlinkError struct{ error } -+ - // bootstrapData encodes the necessary data in netlink binary format - // as a io.Reader. - // Consumer can write the data to a bootstrap program - // such as one that uses nsenter package to bootstrap the container's - // init process correctly, i.e. with correct namespaces, uid/gid - // mapping etc. 
--func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.NamespaceType]string) (io.Reader, error) { -+func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.NamespaceType]string) (_ io.Reader, Err error) { - // create the netlink message - r := nl.NewNetlinkRequest(int(InitMsg), 0) - -+ // Our custom messages cannot bubble up an error using returns, instead -+ // they will panic with the specific error type, netlinkError. In that -+ // case, recover from the panic and return that as an error. -+ defer func() { -+ if r := recover(); r != nil { -+ if e, ok := r.(netlinkError); ok { -+ Err = e.error -+ } else { -+ panic(r) -+ } -+ } -+ }() -+ - // write cloneFlags - r.AddData(&Int32msg{ - Type: CloneFlagsAttr, -diff --git a/libcontainer/message_linux.go b/libcontainer/message_linux.go -index 1d4f5033aa..e4107ce39f 100644 ---- a/libcontainer/message_linux.go -+++ b/libcontainer/message_linux.go -@@ -3,6 +3,9 @@ - package libcontainer - - import ( -+ "fmt" -+ "math" -+ - "github.com/vishvananda/netlink/nl" - "golang.org/x/sys/unix" - ) -@@ -54,6 +57,12 @@ type Bytemsg struct { - - func (msg *Bytemsg) Serialize() []byte { - l := msg.Len() -+ if l > math.MaxUint16 { -+ // We cannot return nil nor an error here, so we panic with -+ // a specific type instead, which is handled via recover in -+ // bootstrapData. -+ panic(netlinkError{fmt.Errorf("netlink: cannot serialize bytemsg of length %d (larger than UINT16_MAX)", l)}) -+ } - buf := make([]byte, (l+unix.NLA_ALIGNTO-1) & ^(unix.NLA_ALIGNTO-1)) - native := nl.NativeEndian() - native.PutUint16(buf[0:2], uint16(l)) diff --git a/app-emulation/runc/metadata.xml b/app-emulation/runc/metadata.xml deleted file mode 100644 index d27ad6413b06..000000000000 --- a/app-emulation/runc/metadata.xml +++ /dev/null 
@@ -1,28 +0,0 @@ - - - - - runc is a CLI tool for spawning and running containers according - to the OCF (Open Container Format) specification. - - - williamh@gentoo.org - William Hubbs - - - gyakovlev@gentoo.org - Georgy Yakovlev - - - - Enable AppArmor support. - - - Enable Kernel Memory Accounting. - - - - opencontainers/runc - cpe:/a:linuxfoundation:runc - - diff --git a/app-emulation/runc/runc-1.0.2-r1.ebuild b/app-emulation/runc/runc-1.0.2-r1.ebuild deleted file mode 100644 index 38b6da62493d..000000000000 --- a/app-emulation/runc/runc-1.0.2-r1.ebuild +++ /dev/null 
@@ -1,80 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit go-module linux-info
-
-# update on bump, look for https://github.com/docker\
-# docker-ce/blob//components/engine/hack/dockerfile/install/runc.installer
-RUNC_COMMIT=52b36a2dd837e8462de8e01458bf02cf9eea47dd
-CONFIG_CHECK="~USER_NS"
-
-DESCRIPTION="runc container cli tools"
-HOMEPAGE="http://github.com/opencontainers/runc/"
-MY_PV="${PV/_/-}"
-SRC_URI="https://github.com/opencontainers/${PN}/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
-
-LICENSE="Apache-2.0 BSD-2 BSD MIT"
-SLOT="0"
-KEYWORDS="amd64 ~arm arm64 ppc64 ~riscv ~x86"
-IUSE="apparmor hardened +kmem +seccomp test"
-
-DEPEND="seccomp? ( sys-libs/libseccomp )"
-
-RDEPEND="
- ${DEPEND}
- !app-emulation/docker-runc
- apparmor? ( sys-libs/libapparmor )
-"
-
-BDEPEND="
- dev-go/go-md2man
- test? ( "${RDEPEND}" )
-"
-
-PATCHES=( "${FILESDIR}/CVE-2021-43784.patch" )
-
-# tests need busybox binary, and portage namespace
-# sandboxing disabled: mount-sandbox pid-sandbox ipc-sandbox
-# majority of tests pass
-RESTRICT+=" test"
-
-S="${WORKDIR}/${PN}-${MY_PV}"
-
-src_compile() {
- # Taken from app-emulation/docker-1.7.0-r1
- export CGO_CFLAGS="-I${ESYSROOT}/usr/include"
- export CGO_LDFLAGS="$(usex hardened '-fno-PIC ' '')
- -L${ESYSROOT}/usr/$(get_libdir)"
-
- # build up optional flags
- local options=(
- $(usev apparmor)
- $(usev seccomp)
- $(usex kmem '' 'nokmem')
- )
-
- myemakeargs=(
- BUILDTAGS="${options[*]}"
- COMMIT="${RUNC_COMMIT}"
- )
-
- emake "${myemakeargs[@]}" runc man
-}
-
-src_install() {
- myemakeargs+=(
- PREFIX="${ED}/usr"
- BINDIR="${ED}/usr/bin"
- MANDIR="${ED}/usr/share/man"
- )
- emake "${myemakeargs[@]}" install install-man install-bash
-
- local DOCS=( README.md PRINCIPLES.md docs/. )
- einstalldocs
-}
-
-src_test() {
- emake "${myemakeargs[@]}" localunittest
-}
diff --git a/app-emulation/runc/runc-1.0.3.ebuild b/app-emulation/runc/runc-1.0.3.ebuild
deleted file mode 100644
index db1d0c6af602..000000000000
--- a/app-emulation/runc/runc-1.0.3.ebuild
+++ /dev/null
@@ -1,78 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit go-module linux-info
-
-# update on bump, look for https://github.com/docker\
-# docker-ce/blob//components/engine/hack/dockerfile/install/runc.installer
-RUNC_COMMIT=f46b6ba2c9314cfc8caae24a32ec5fe9ef1059fe
-CONFIG_CHECK="~USER_NS"
-
-DESCRIPTION="runc container cli tools"
-HOMEPAGE="http://github.com/opencontainers/runc/"
-MY_PV="${PV/_/-}"
-SRC_URI="https://github.com/opencontainers/${PN}/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
-
-LICENSE="Apache-2.0 BSD-2 BSD MIT"
-SLOT="0"
-KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
-IUSE="apparmor hardened +kmem +seccomp test"
-
-DEPEND="seccomp? ( sys-libs/libseccomp )"
-
-RDEPEND="
- ${DEPEND}
- !app-emulation/docker-runc
- apparmor? ( sys-libs/libapparmor )
-"
-
-BDEPEND="
- dev-go/go-md2man
- test? ( "${RDEPEND}" )
-"
-
-# tests need busybox binary, and portage namespace
-# sandboxing disabled: mount-sandbox pid-sandbox ipc-sandbox
-# majority of tests pass
-RESTRICT+=" test"
-
-S="${WORKDIR}/${PN}-${MY_PV}"
-
-src_compile() {
- # Taken from app-emulation/docker-1.7.0-r1
- export CGO_CFLAGS="-I${ESYSROOT}/usr/include"
- export CGO_LDFLAGS="$(usex hardened '-fno-PIC ' '')
- -L${ESYSROOT}/usr/$(get_libdir)"
-
- # build up optional flags
- local options=(
- $(usev apparmor)
- $(usev seccomp)
- $(usex kmem '' 'nokmem')
- )
-
- myemakeargs=(
- BUILDTAGS="${options[*]}"
- COMMIT="${RUNC_COMMIT}"
- )
-
- emake "${myemakeargs[@]}" runc man
-}
-
-src_install() {
- myemakeargs+=(
- PREFIX="${ED}/usr"
- BINDIR="${ED}/usr/bin"
- MANDIR="${ED}/usr/share/man"
- )
- emake "${myemakeargs[@]}" install install-man install-bash
-
- local DOCS=( README.md PRINCIPLES.md docs/. )
- einstalldocs
-}
-
-src_test() {
- emake "${myemakeargs[@]}" localunittest
-}
diff --git a/profiles/updates/4Q-2021 b/profiles/updates/4Q-2021
index eb17c7df98b0..ba26a6e5ea22 100644
--- a/profiles/updates/4Q-2021
+++ b/profiles/updates/4Q-2021
@@ -55,3 +55,4 @@ move app-emulation/skopeo app-containers/skopeo
 move app-emulation/sen app-containers/sen
 move app-emulation/img app-containers/img
 move app-emulation/kompose app-containers/kompose
+move app-emulation/runc app-containers/runc
-- cgit v1.2.3-65-gdbad