Diffstat (limited to 'app-containers/runc')
-rw-r--r--app-containers/runc/Manifest5
-rw-r--r--app-containers/runc/files/CVE-2021-43784.patch86
-rw-r--r--app-containers/runc/metadata.xml7
-rw-r--r--app-containers/runc/runc-1.1.12.ebuild78
-rw-r--r--app-containers/runc/runc-1.1.7.ebuild (renamed from app-containers/runc/runc-1.0.2-r1.ebuild)12
-rw-r--r--app-containers/runc/runc-1.1.9.ebuild (renamed from app-containers/runc/runc-1.0.3.ebuild)12
6 files changed, 92 insertions, 108 deletions
diff --git a/app-containers/runc/Manifest b/app-containers/runc/Manifest
index e896bdf3b837..acb6c17123e9 100644
--- a/app-containers/runc/Manifest
+++ b/app-containers/runc/Manifest
@@ -1,2 +1,3 @@
-DIST runc-1.0.2.tar.gz 2374156 BLAKE2B 526520adb7127e46e7258de75e66a15a5aac216a2a2fcb91f4d9c5da393892242c4d93c5f5483ab111bf29eed7d8f0c8c138ae83a22809d72802a981dcda0395 SHA512 434abd6d7ad2508c2272b627d8aeeb28ecd8461899bff463e7d2c7abbc0f0cbb2e0bafbfe81fc534fad506b1acb4bda3e05639ecd908bc9d0d2e9356f1e56e26
-DIST runc-1.0.3.tar.gz 2375241 BLAKE2B 0fb9368ab5442462001c15a67a71821133ad90d16cac5aac760e52b2477db69c0a5dd59df42601119b19ede508889796c994a24624f88ec6a1a29dad19e0bf33 SHA512 64a1894c2b4ed5a68b185e88548fc9fbbd01d8a9495feed59fb196aa06763d64cfb71ca6cbc09d1defa26a0d94ad58626296585741f23df2e290147ba6c4c26e
+DIST runc-1.1.12.tar.gz 2522196 BLAKE2B 14fe8d5f82d5b4d7f6b4bb9111c5d258e74f6a44aeb51fc87c69104e95b9bf24a3d503f4cc5dedb40d542fbd4b6e27273f456bda4fcf3bc298eb93ae292d9663 SHA512 92e8ac54a77d7ebcc76b5a9cc08d9a064211f12e9d26f064070cc203a5afb11c3af28d8f556f297513f797a2933d50bf10a8f22e307724041d66aa8c5ca1d9d3
+DIST runc-1.1.7.tar.gz 2511464 BLAKE2B 63f09052659636b62185abbb178f7e104d22125190899e80e71ed2ba35567eb855abf786d3c7fff3dd9a1ab43ee282fcaecb6650cd8a1ce49c05acefd7c12cde SHA512 e3a18f04ac2c3553a815074ca64e04cfd71af54d78edbd4a13819f187476f96d7311c23bb63fb5c311b91865db4540985a6f9daa84819b0bac5f023b3b2a832c
+DIST runc-1.1.9.tar.gz 2512231 BLAKE2B 4e8e2a454231492f83de34bf66ba25a02b8925b6ef0af2206cdf4ab3299173d3452cea4d51fcfeb02026df288dd8ca6c44ecd35fb075f25f56fd7bc07f873af7 SHA512 020986f2df49c45394d0acbfa4da62663353004550d9b4409f6cfe8369972a090fb8020e4a05342754bde5c1fbe9fcf3868faed2dceed5d54460c3373cdd2278
diff --git a/app-containers/runc/files/CVE-2021-43784.patch b/app-containers/runc/files/CVE-2021-43784.patch
deleted file mode 100644
index ab3886ee9ba7..000000000000
--- a/app-containers/runc/files/CVE-2021-43784.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From b8dbe46687c2a96efa9252b69d3fc1ce33bdc416 Mon Sep 17 00:00:00 2001
-From: Aleksa Sarai <cyphar@cyphar.com>
-Date: Thu, 18 Nov 2021 16:12:59 +1100
-Subject: [PATCH] runc init: avoid netlink message length overflows
-
-When writing netlink messages, it is possible to have a byte array
-larger than UINT16_MAX which would result in the length field
-overflowing and allowing user-controlled data to be parsed as control
-characters (such as creating custom mount points, changing which set of
-namespaces to allow, and so on).
-
-Co-authored-by: Kir Kolyshkin <kolyshkin@gmail.com>
-Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
-Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
----
- libcontainer/container_linux.go | 20 +++++++++++++++++++-
- libcontainer/message_linux.go | 9 +++++++++
- 2 files changed, 28 insertions(+), 1 deletion(-)
-
-diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
-index 6ce1854f68..1484703b0c 100644
---- a/libcontainer/container_linux.go
-+++ b/libcontainer/container_linux.go
-@@ -2028,16 +2028,34 @@ func encodeIDMapping(idMap []configs.IDMap) ([]byte, error) {
- return data.Bytes(), nil
- }
-
-+// netlinkError is an error wrapper type for use by custom netlink message
-+// types. Panics with errors are wrapped in netlinkError so that the recover
-+// in bootstrapData can distinguish intentional panics.
-+type netlinkError struct{ error }
-+
- // bootstrapData encodes the necessary data in netlink binary format
- // as a io.Reader.
- // Consumer can write the data to a bootstrap program
- // such as one that uses nsenter package to bootstrap the container's
- // init process correctly, i.e. with correct namespaces, uid/gid
- // mapping etc.
--func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.NamespaceType]string) (io.Reader, error) {
-+func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.NamespaceType]string) (_ io.Reader, Err error) {
- // create the netlink message
- r := nl.NewNetlinkRequest(int(InitMsg), 0)
-
-+ // Our custom messages cannot bubble up an error using returns, instead
-+ // they will panic with the specific error type, netlinkError. In that
-+ // case, recover from the panic and return that as an error.
-+ defer func() {
-+ if r := recover(); r != nil {
-+ if e, ok := r.(netlinkError); ok {
-+ Err = e.error
-+ } else {
-+ panic(r)
-+ }
-+ }
-+ }()
-+
- // write cloneFlags
- r.AddData(&Int32msg{
- Type: CloneFlagsAttr,
-diff --git a/libcontainer/message_linux.go b/libcontainer/message_linux.go
-index 1d4f5033aa..e4107ce39f 100644
---- a/libcontainer/message_linux.go
-+++ b/libcontainer/message_linux.go
-@@ -3,6 +3,9 @@
- package libcontainer
-
- import (
-+ "fmt"
-+ "math"
-+
- "github.com/vishvananda/netlink/nl"
- "golang.org/x/sys/unix"
- )
-@@ -54,6 +57,12 @@ type Bytemsg struct {
-
- func (msg *Bytemsg) Serialize() []byte {
- l := msg.Len()
-+ if l > math.MaxUint16 {
-+ // We cannot return nil nor an error here, so we panic with
-+ // a specific type instead, which is handled via recover in
-+ // bootstrapData.
-+ panic(netlinkError{fmt.Errorf("netlink: cannot serialize bytemsg of length %d (larger than UINT16_MAX)", l)})
-+ }
- buf := make([]byte, (l+unix.NLA_ALIGNTO-1) & ^(unix.NLA_ALIGNTO-1))
- native := nl.NativeEndian()
- native.PutUint16(buf[0:2], uint16(l))
diff --git a/app-containers/runc/metadata.xml b/app-containers/runc/metadata.xml
index d27ad6413b06..09cd07da70ce 100644
--- a/app-containers/runc/metadata.xml
+++ b/app-containers/runc/metadata.xml
@@ -9,14 +9,7 @@
<email>williamh@gentoo.org</email>
<name>William Hubbs</name>
</maintainer>
- <maintainer type="person">
- <email>gyakovlev@gentoo.org</email>
- <name>Georgy Yakovlev</name>
- </maintainer>
<use>
- <flag name="apparmor">
- Enable AppArmor support.
- </flag>
<flag name="kmem">
Enable Kernel Memory Accounting.
</flag>
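Review bot: Dropping the `apparmor` flag description here is only correct if `apparmor` is a globally described USE flag, because all three ebuilds in this change keep `apparmor` in `IUSE` and gate `sys-libs/libapparmor` on it, so the flag still needs a description somewhere. I believe `apparmor` is in the global profiles/use.desc, in which case this is a harmless de-duplication; if not, pkgcheck will report an undescribed local USE flag for runc. The enclosing `<use>` element continues past the hunk.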
diff --git a/app-containers/runc/runc-1.1.12.ebuild b/app-containers/runc/runc-1.1.12.ebuild
new file mode 100644
index 000000000000..c605e6d0a2c3
--- /dev/null
+++ b/app-containers/runc/runc-1.1.12.ebuild
@@ -0,0 +1,78 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+inherit go-module linux-info
+
+# update on bump, look for https://github.com/docker\
+# docker-ce/blob/<docker ver OR branch>/components/engine/hack/dockerfile/install/runc.installer
+RUNC_COMMIT=51d5e94601ceffbbd85688df1c928ecccbfa4685
+CONFIG_CHECK="~USER_NS"
+
+DESCRIPTION="runc container cli tools"
+HOMEPAGE="http://github.com/opencontainers/runc/"
+MY_PV="${PV/_/-}"
+SRC_URI="https://github.com/opencontainers/${PN}/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0 BSD-2 BSD MIT"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
+IUSE="apparmor hardened +kmem +seccomp selinux test"
+
+DEPEND="seccomp? ( sys-libs/libseccomp )"
+
+RDEPEND="
+ ${DEPEND}
+ !app-emulation/docker-runc
+ apparmor? ( sys-libs/libapparmor )
+ selinux? ( sec-policy/selinux-container )
+"
+
+BDEPEND="
+ dev-go/go-md2man
+ test? ( "${RDEPEND}" )
+"
+
+# tests need busybox binary, and portage namespace
+# sandboxing disabled: mount-sandbox pid-sandbox ipc-sandbox
+# majority of tests pass
+RESTRICT+=" test"
+
+S="${WORKDIR}/${PN}-${MY_PV}"
+
+src_compile() {
+ # Taken from app-containers/docker-1.7.0-r1
+ export CGO_CFLAGS="-I${ESYSROOT}/usr/include"
+ export CGO_LDFLAGS="$(usex hardened '-fno-PIC ' '')
+ -L${ESYSROOT}/usr/$(get_libdir)"
+
+ # build up optional flags
+ local options=(
+ $(usev apparmor)
+ $(usev seccomp)
+ $(usex kmem '' 'nokmem')
+ )
+
+ myemakeargs=(
+ BUILDTAGS="${options[*]}"
+ COMMIT="${RUNC_COMMIT}"
+ )
+
+ emake "${myemakeargs[@]}" runc man
+}
+
+src_install() {
+ myemakeargs+=(
+ PREFIX="${ED}/usr"
+ BINDIR="${ED}/usr/bin"
+ MANDIR="${ED}/usr/share/man"
+ )
+ emake "${myemakeargs[@]}" install install-man install-bash
+
+ local DOCS=( README.md PRINCIPLES.md docs/. )
+ einstalldocs
+}
+
+src_test() {
+ emake "${myemakeargs[@]}" localunittest
+}
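Review bot: `KEYWORDS` in this new ebuild is entirely `~arch`, while the sibling 1.1.7 and 1.1.9 ebuilds are stable on amd64, arm64 and ppc64, so stable systems keep running those versions until 1.1.12 is stabilised; if 1.1.12 carries a security fix (check the upstream release notes for the v1.1.12 tag), the stabilisation request belongs with this bump rather than after the usual soak period. `HOMEPAGE` still uses `http://github.com/opencontainers/runc/`; it should be `https://github.com/opencontainers/runc/`. `RUNC_COMMIT` is only passed as `COMMIT=` and stamped into the binary's version string, and nothing here checks it against the tarball the Manifest pins, so a comment such as `# informational only: the tarball is pinned by Manifest; this is just embedded in 'runc --version'` would stop a reader from treating it as a source-integrity check. The `apparmor` build tag and `sys-libs/libapparmor` RDEPEND are carried over from the 1.0.x ebuild; as far as I recall upstream moved AppArmor support to a pure-Go implementation during the 1.0 series, so verify against the 1.1.12 Makefile that the tag and the library dependency still do anything.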
diff --git a/app-containers/runc/runc-1.0.2-r1.ebuild b/app-containers/runc/runc-1.1.7.ebuild
index d31a90d65a0d..01b66cb34800 100644
--- a/app-containers/runc/runc-1.0.2-r1.ebuild
+++ b/app-containers/runc/runc-1.1.7.ebuild
@@ -1,13 +1,12 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
-EAPI=7
-
+EAPI=8
inherit go-module linux-info
# update on bump, look for https://github.com/docker\
# docker-ce/blob/<docker ver OR branch>/components/engine/hack/dockerfile/install/runc.installer
-RUNC_COMMIT=52b36a2dd837e8462de8e01458bf02cf9eea47dd
+RUNC_COMMIT=4ffc61430bbe6d3d405bdf357b766bf303ff3cc5
CONFIG_CHECK="~USER_NS"
DESCRIPTION="runc container cli tools"
@@ -18,7 +17,7 @@ SRC_URI="https://github.com/opencontainers/${PN}/archive/v${MY_PV}.tar.gz -> ${P
LICENSE="Apache-2.0 BSD-2 BSD MIT"
SLOT="0"
KEYWORDS="amd64 ~arm arm64 ppc64 ~riscv ~x86"
-IUSE="apparmor hardened +kmem +seccomp test"
+IUSE="apparmor hardened +kmem +seccomp selinux test"
DEPEND="seccomp? ( sys-libs/libseccomp )"
@@ -26,6 +25,7 @@ RDEPEND="
${DEPEND}
!app-emulation/docker-runc
apparmor? ( sys-libs/libapparmor )
+ selinux? ( sec-policy/selinux-container )
"
BDEPEND="
@@ -33,8 +33,6 @@ BDEPEND="
test? ( "${RDEPEND}" )
"
-PATCHES=( "${FILESDIR}/CVE-2021-43784.patch" )
-
# tests need busybox binary, and portage namespace
# sandboxing disabled: mount-sandbox pid-sandbox ipc-sandbox
# majority of tests pass
diff --git a/app-containers/runc/runc-1.0.3.ebuild b/app-containers/runc/runc-1.1.9.ebuild
index 283dd8ed7811..3d5796186404 100644
--- a/app-containers/runc/runc-1.0.3.ebuild
+++ b/app-containers/runc/runc-1.1.9.ebuild
@@ -1,13 +1,12 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
-EAPI=7
-
+EAPI=8
inherit go-module linux-info
# update on bump, look for https://github.com/docker\
# docker-ce/blob/<docker ver OR branch>/components/engine/hack/dockerfile/install/runc.installer
-RUNC_COMMIT=f46b6ba2c9314cfc8caae24a32ec5fe9ef1059fe
+RUNC_COMMIT=ccaecfcbc907d70a7aa870a6650887b901b25b82
CONFIG_CHECK="~USER_NS"
DESCRIPTION="runc container cli tools"
@@ -17,8 +16,8 @@ SRC_URI="https://github.com/opencontainers/${PN}/archive/v${MY_PV}.tar.gz -> ${P
LICENSE="Apache-2.0 BSD-2 BSD MIT"
SLOT="0"
-KEYWORDS="~amd64 ~arm arm64 ppc64 ~riscv ~x86"
-IUSE="apparmor hardened +kmem +seccomp test"
+KEYWORDS="amd64 ~arm arm64 ppc64 ~riscv ~x86"
+IUSE="apparmor hardened +kmem +seccomp selinux test"
DEPEND="seccomp? ( sys-libs/libseccomp )"
@@ -26,6 +25,7 @@ RDEPEND="
${DEPEND}
!app-emulation/docker-runc
apparmor? ( sys-libs/libapparmor )
+ selinux? ( sec-policy/selinux-container )
"
BDEPEND="