Diffstat (limited to 'app-emulation')
-rw-r--r-- | app-emulation/lxc/Manifest | 2 | ||||
-rw-r--r-- | app-emulation/lxc/files/lxc-4.0.9-handle-kernels-with-CAP_SETFCAP.patch | 93 | ||||
-rw-r--r-- | app-emulation/lxc/lxc-4.0.9-r1.ebuild | 174 |
3 files changed, 0 insertions, 269 deletions
diff --git a/app-emulation/lxc/Manifest b/app-emulation/lxc/Manifest
index 09e200675c98..4733a92e509a 100644
--- a/app-emulation/lxc/Manifest
+++ b/app-emulation/lxc/Manifest
@@ -1,4 +1,2 @@
 DIST lxc-4.0.10.tar.gz 1515002 BLAKE2B 2a5b94ad767c8a11a5c34d19f12d812bd284337045ad5021c80a5f69be608085ac465edde8c385cc558e45638c9f061793c0c9db616ccbe0614554b4fbf62005 SHA512 ec3ccf344a91b50b30985562c54ad93d2db2d29c24d31da8e3a69e801c8bd23c1560274c1850c39eb7e984940ba86d3ebae75db136320d6bbc5eb03bda4c5318
 DIST lxc-4.0.10.tar.gz.asc 833 BLAKE2B 3dd6e8793d1b725ab9eb73d4fa78ce2767bf830fb70d6cc7052e70d2adbc46e4fcf6d986595322b64cb9c71417b801ef6ee3c7612c46dbeb10acba01a5bd69e0 SHA512 dd2d3ac4e066eca4e0358c9a2c371a227d3a0b5cf6e452fe34fa5c8cff46e25fa0555c9f707511a8603348fa969c1e7abf85ad7d27fdcaff613b733066861608
-DIST lxc-4.0.9.tar.gz 1500310 BLAKE2B 3796d36b6f76ec595dc28207e66ec9f5a7c1a39f5c5ebc851638c519be35f59b4ec06a71b2866cd8fef0a6140f61fd4b70c900f5a8ffd42d7da7a30d3ff59975 SHA512 4ef9d9efdd4118fdffde8b49c6ae71cf5eb060be51daaa4f4ceb804c743fbf3278e6518e6a694faefc720f2834f98ac48d67842d589a2120b8f7ec4c3b61fa84
-DIST lxc-4.0.9.tar.gz.asc 833 BLAKE2B 2d275c968831410d987aa7f8062f4e35ba15043f92f38fd3bdd6bf80964906741d05ccd93789132d421ee1c8778cec6a2e76c4f0eb2165cf0107261495fa6856 SHA512 4c90dfbdba90959ee8df5da8ca8b240f65ab03ab91637833c677e2a73592c09f9c5a55b9a261be6efb0888156c916223ff1aa9003b18d46e667908aaa550c944
diff --git a/app-emulation/lxc/files/lxc-4.0.9-handle-kernels-with-CAP_SETFCAP.patch b/app-emulation/lxc/files/lxc-4.0.9-handle-kernels-with-CAP_SETFCAP.patch
deleted file mode 100644
index 6fba3c4154a4..000000000000
--- a/app-emulation/lxc/files/lxc-4.0.9-handle-kernels-with-CAP_SETFCAP.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From 91ad9b94bcd964adfbaa8d84d8f39304d39835d0 Mon Sep 17 00:00:00 2001
-From: Christian Brauner <christian.brauner@ubuntu.com>
-Date: Thu, 6 May 2021 18:16:45 +0200
-Subject: [PATCH] conf: handle kernels with CAP_SETFCAP
-
-LXC is being very clever and sometimes maps the caller's uid into the
-child userns. This means that the caller can technically write fscaps
-that are valid in the ancestor userns (which can be a security issue in
-some scenarios) so newer kernels require CAP_SETFCAP to do this. Until
-newuidmap/newgidmap are updated to account for this simply write the
-mapping directly in this case.
-
-Cc: stable-4.0
-Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
----
- src/lxc/conf.c | 25 ++++++++++++++++++++-----
- 1 file changed, 20 insertions(+), 5 deletions(-)
-
-diff --git a/src/lxc/conf.c b/src/lxc/conf.c
-index 72e21b5300..f388946970 100644
---- a/src/lxc/conf.c
-+++ b/src/lxc/conf.c
-@@ -2978,6 +2978,9 @@ static int lxc_map_ids_exec_wrapper(void *args)
- return -1;
- }
-
-+static struct id_map *find_mapped_hostid_entry(const struct lxc_list *idmap,
-+ unsigned id, enum idtype idtype);
-+
- int lxc_map_ids(struct lxc_list *idmap, pid_t pid)
- {
- int fill, left;
-@@ -2991,12 +2994,22 @@ int lxc_map_ids(struct lxc_list *idmap, pid_t pid)
- char mapbuf[STRLITERALLEN("new@idmap") + STRLITERALLEN(" ") +
- INTTYPE_TO_STRLEN(pid_t) + STRLITERALLEN(" ") +
- LXC_IDMAPLEN] = {0};
-- bool had_entry = false, use_shadow = false;
-+ bool had_entry = false, maps_host_root = false, use_shadow = false;
- int hostuid, hostgid;
-
- hostuid = geteuid();
- hostgid = getegid();
-
-+ /*
-+ * Check whether caller wants to map host root.
-+ * Due to a security fix newer kernels require CAP_SETFCAP when mapping
-+ * host root into the child userns as you would be able to write fscaps
-+ * that would be valid in the ancestor userns. Mapping host root should
-+ * rarely be the case but LXC is being clever in a bunch of cases.
-+ */
-+ if (find_mapped_hostid_entry(idmap, 0, ID_TYPE_UID))
-+ maps_host_root = true;
-+
- /* If new{g,u}idmap exists, that is, if shadow is handing out subuid
- * ranges, then insist that root also reserve ranges in subuid. This
- * will protected it by preventing another user from being handed the
-@@ -3014,7 +3027,9 @@ int lxc_map_ids(struct lxc_list *idmap, pid_t pid)
- else if (!gidmap)
- WARN("newgidmap is lacking necessary privileges");
-
-- if (uidmap > 0 && gidmap > 0) {
-+ if (maps_host_root) {
-+ INFO("Caller maps host root. Writing mapping directly");
-+ } else if (uidmap > 0 && gidmap > 0) {
- DEBUG("Functional newuidmap and newgidmap binary found");
- use_shadow = true;
- } else {
-@@ -4229,14 +4244,14 @@ static struct id_map *mapped_nsid_add(const struct lxc_conf *conf, unsigned id,
- return retmap;
- }
-
--static struct id_map *find_mapped_hostid_entry(const struct lxc_conf *conf,
-+static struct id_map *find_mapped_hostid_entry(const struct lxc_list *idmap,
- unsigned id, enum idtype idtype)
- {
- struct id_map *map;
- struct lxc_list *it;
- struct id_map *retmap = NULL;
-
-- lxc_list_for_each (it, &conf->id_map) {
-+ lxc_list_for_each (it, idmap) {
- map = it->elem;
- if (map->idtype != idtype)
- continue;
-@@ -4265,7 +4280,7 @@ static struct id_map *mapped_hostid_add(const struct lxc_conf *conf, uid_t id,
- return NULL;
-
- /* Reuse existing mapping. */
-- tmp = find_mapped_hostid_entry(conf, id, type);
-+ tmp = find_mapped_hostid_entry(&conf->id_map, id, type);
- if (tmp) {
- memcpy(entry, tmp, sizeof(*entry));
- } else {
diff --git a/app-emulation/lxc/lxc-4.0.9-r1.ebuild b/app-emulation/lxc/lxc-4.0.9-r1.ebuild
deleted file mode 100644
index 243fd583e982..000000000000
--- a/app-emulation/lxc/lxc-4.0.9-r1.ebuild
+++ /dev/null
@@ -1,174 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit autotools bash-completion-r1 linux-info flag-o-matic optfeature pam readme.gentoo-r1 systemd verify-sig
-
-DESCRIPTION="A userspace interface for the Linux kernel containment features"
-HOMEPAGE="https://linuxcontainers.org/ https://github.com/lxc/lxc"
-SRC_URI="https://linuxcontainers.org/downloads/lxc/${P}.tar.gz
- verify-sig? ( https://linuxcontainers.org/downloads/lxc/${P}.tar.gz.asc )"
-
-KEYWORDS="amd64 ~arm ~arm64 ~ppc64 x86"
-
-LICENSE="LGPL-3"
-SLOT="0"
-IUSE="apparmor +caps doc man pam selinux +ssl +tools verify-sig"
-
-RDEPEND="acct-group/lxc
- acct-user/lxc
- app-misc/pax-utils
- sys-apps/util-linux
- sys-libs/libcap
- sys-libs/libseccomp
- virtual/awk
- caps? ( sys-libs/libcap )
- pam? ( sys-libs/pam )
- selinux? ( sys-libs/libselinux )
- ssl? (
- dev-libs/openssl:0=
- )"
-DEPEND="${RDEPEND}
- >=sys-kernel/linux-headers-4
- apparmor? ( sys-apps/apparmor )"
-BDEPEND="doc? ( app-doc/doxygen )
- man? ( app-text/docbook-sgml-utils )
- verify-sig? ( app-crypt/openpgp-keys-linuxcontainers )"
-
-CONFIG_CHECK="~!NETPRIO_CGROUP
- ~CGROUPS
- ~CGROUP_CPUACCT
- ~CGROUP_DEVICE
- ~CGROUP_FREEZER
-
- ~CGROUP_SCHED
- ~CPUSETS
- ~IPC_NS
- ~MACVLAN
-
- ~MEMCG
- ~NAMESPACES
- ~NET_NS
- ~PID_NS
-
- ~POSIX_MQUEUE
- ~USER_NS
- ~UTS_NS
- ~VETH"
-
-ERROR_CGROUP_FREEZER="CONFIG_CGROUP_FREEZER: needed to freeze containers"
-ERROR_MACVLAN="CONFIG_MACVLAN: needed for internal (inter-container) networking"
-ERROR_MEMCG="CONFIG_MEMCG: needed for memory resource control in containers"
-ERROR_NET_NS="CONFIG_NET_NS: needed for unshared network"
-ERROR_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE: needed for lxc-execute command"
-ERROR_UTS_NS="CONFIG_UTS_NS: needed to unshare hostnames and uname info"
-ERROR_VETH="CONFIG_VETH: needed for internal (host-to-container) networking"
-
-DOCS=( AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt )
-
-pkg_setup() {
- linux-info_pkg_setup
-}
-
-PATCHES=(
- "${FILESDIR}"/lxc-4.0.9-handle-kernels-with-CAP_SETFCAP.patch # bug 789012
- "${FILESDIR}"/${PN}-3.0.0-bash-completion.patch
- "${FILESDIR}"/${PN}-2.0.5-omit-sysconfig.patch # bug 558854
-)
-
-VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/linuxcontainers.asc
-
-src_prepare() {
- default
- eautoreconf
-}
-
-src_configure() {
- append-flags -fno-strict-aliasing
-
- local myeconfargs=(
- --bindir=/usr/bin
- --localstatedir=/var
- --sbindir=/usr/bin
-
- --with-config-path=/var/lib/lxc
- --with-distro=gentoo
- --with-init-script=systemd
- --with-rootfs-path=/var/lib/lxc/rootfs
- --with-runtime-path=/run
- --with-systemdsystemunitdir=$(systemd_get_systemunitdir)
-
- --disable-coverity-build
- --disable-dlog
- --disable-fuzzers
- --disable-mutex-debugging
- --disable-no-undefined
- --disable-rpath
- --disable-sanitizers
- --disable-tests
- --disable-werror
-
- --enable-bash
- --enable-commands
- --enable-memfd-rexec
- --enable-seccomp
- --enable-thread-safety
-
- $(use_enable apparmor)
- $(use_enable caps capabilities)
- $(use_enable doc api-docs)
- $(use_enable doc examples)
- $(use_enable man doc)
- $(use_enable pam)
- $(use_enable selinux)
- $(use_enable ssl openssl)
- $(use_enable tools)
-
- $(use_with pam pamdir $(getpam_mod_dir))
- )
-
- econf "${myeconfargs[@]}"
-}
-
-src_install() {
- default
-
- mv "${ED}"/usr/share/bash-completion/completions/${PN} "${ED}"/$(get_bashcompdir)/${PN}-start || die
- bashcomp_alias ${PN}-start \
- ${PN}-{attach,cgroup,copy,console,create,destroy,device,execute,freeze,info,monitor,snapshot,stop,unfreeze,wait}
-
- keepdir /etc/lxc /var/lib/lxc/rootfs /var/log/lxc
- rmdir "${D}"/var/cache/lxc "${D}"/var/cache || die "rmdir failed"
-
- find "${D}" -name '*.la' -delete -o -name '*.a' -delete || die
-
- # Gentoo-specific additions!
- newinitd "${FILESDIR}/${PN}.initd.8" ${PN}
-
- # Remember to compare our systemd unit file with the upstream one
- # config/init/systemd/lxc.service.in
- systemd_newunit "${FILESDIR}"/${PN}_at.service.4.0.0 "lxc@.service"
-
- DOC_CONTENTS="
- For openrc, there is an init script provided with the package.
- You should only need to symlink /etc/init.d/lxc to
- /etc/init.d/lxc.configname to start the container defined in
- /etc/lxc/configname.conf.
-
- Correspondingly, for systemd a service file lxc@.service is installed.
- Enable and start lxc@configname in order to start the container defined
- in /etc/lxc/configname.conf."
- DISABLE_AUTOFORMATTING=true
- readme.gentoo_create_doc
-}
-
-pkg_postinst() {
- readme.gentoo_print_elog
-
- elog "Please run 'lxc-checkconfig' to see optional kernel features."
- elog
- optfeature "automatic template scripts" app-emulation/lxc-templates
- optfeature "Debian-based distribution container image support" dev-util/debootstrap
- optfeature "snapshot & restore functionality" sys-process/criu
-}
|