1 files changed, 0 insertions, 93 deletions

diff --git a/app-emulation/lxc/files/lxc-4.0.9-handle-kernels-with-CAP_SETFCAP.patch b/app-emulation/lxc/files/lxc-4.0.9-handle-kernels-with-CAP_SETFCAP.patch
deleted file mode 100644
index 6fba3c4154a4..000000000000
--- a/app-emulation/lxc/files/lxc-4.0.9-handle-kernels-with-CAP_SETFCAP.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From 91ad9b94bcd964adfbaa8d84d8f39304d39835d0 Mon Sep 17 00:00:00 2001
-From: Christian Brauner <christian.brauner@ubuntu.com>
-Date: Thu, 6 May 2021 18:16:45 +0200
-Subject: [PATCH] conf: handle kernels with CAP_SETFCAP
-
-LXC is being very clever and sometimes maps the caller's uid into the
-child userns. This means that the caller can technically write fscaps
-that are valid in the ancestor userns (which can be a security issue in
-some scenarios) so newer kernels require CAP_SETFCAP to do this. Until
-newuidmap/newgidmap are updated to account for this simply write the
-mapping directly in this case.
-
-Cc: stable-4.0
-Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
----
- src/lxc/conf.c | 25 ++++++++++++++++++++-----
- 1 file changed, 20 insertions(+), 5 deletions(-)
-
-diff --git a/src/lxc/conf.c b/src/lxc/conf.c
-index 72e21b5300..f388946970 100644
---- a/src/lxc/conf.c
-+++ b/src/lxc/conf.c
-@@ -2978,6 +2978,9 @@ static int lxc_map_ids_exec_wrapper(void *args)
- 	return -1;
- }
- 
-+static struct id_map *find_mapped_hostid_entry(const struct lxc_list *idmap,
-+					       unsigned id, enum idtype idtype);
-+
- int lxc_map_ids(struct lxc_list *idmap, pid_t pid)
- {
- 	int fill, left;
-@@ -2991,12 +2994,22 @@ int lxc_map_ids(struct lxc_list *idmap, pid_t pid)
- 	char mapbuf[STRLITERALLEN("new@idmap") + STRLITERALLEN(" ") +
- 		    INTTYPE_TO_STRLEN(pid_t) + STRLITERALLEN(" ") +
- 		    LXC_IDMAPLEN] = {0};
--	bool had_entry = false, use_shadow = false;
-+	bool had_entry = false, maps_host_root = false, use_shadow = false;
- 	int hostuid, hostgid;
- 
- 	hostuid = geteuid();
- 	hostgid = getegid();
- 
-+	/*
-+	 * Check whether caller wants to map host root.
-+	 * Due to a security fix newer kernels require CAP_SETFCAP when mapping
-+	 * host root into the child userns as you would be able to write fscaps
-+	 * that would be valid in the ancestor userns. Mapping host root should
-+	 * rarely be the case but LXC is being clever in a bunch of cases.
-+	 */
-+	if (find_mapped_hostid_entry(idmap, 0, ID_TYPE_UID))
-+		maps_host_root = true;
-+
- 	/* If new{g,u}idmap exists, that is, if shadow is handing out subuid
- 	 * ranges, then insist that root also reserve ranges in subuid. This
- 	 * will protected it by preventing another user from being handed the
-@@ -3014,7 +3027,9 @@ int lxc_map_ids(struct lxc_list *idmap, pid_t pid)
- 	else if (!gidmap)
- 		WARN("newgidmap is lacking necessary privileges");
- 
--	if (uidmap > 0 && gidmap > 0) {
-+	if (maps_host_root) {
-+		INFO("Caller maps host root. Writing mapping directly");
-+	} else if (uidmap > 0 && gidmap > 0) {
- 		DEBUG("Functional newuidmap and newgidmap binary found");
- 		use_shadow = true;
- 	} else {
-@@ -4229,14 +4244,14 @@ static struct id_map *mapped_nsid_add(const struct lxc_conf *conf, unsigned id,
- 	return retmap;
- }
- 
--static struct id_map *find_mapped_hostid_entry(const struct lxc_conf *conf,
-+static struct id_map *find_mapped_hostid_entry(const struct lxc_list *idmap,
- 					       unsigned id, enum idtype idtype)
- {
- 	struct id_map *map;
- 	struct lxc_list *it;
- 	struct id_map *retmap = NULL;
- 
--	lxc_list_for_each (it, &conf->id_map) {
-+	lxc_list_for_each (it, idmap) {
- 		map = it->elem;
- 		if (map->idtype != idtype)
- 			continue;
-@@ -4265,7 +4280,7 @@ static struct id_map *mapped_hostid_add(const struct lxc_conf *conf, uid_t id,
- 		return NULL;
- 
- 	/* Reuse existing mapping. */
--	tmp = find_mapped_hostid_entry(conf, id, type);
-+	tmp = find_mapped_hostid_entry(&conf->id_map, id, type);
- 	if (tmp) {
- 		memcpy(entry, tmp, sizeof(*entry));
- 	} else {