authorDiego Elio Pettenò <flameeyes@gentoo.org>2012-04-28 00:17:01 +0000
committerDiego Elio Pettenò <flameeyes@gentoo.org>2012-04-28 00:17:01 +0000
commit1a26ef9cd4f8310dbf68ea4bfb8ab1a129c253c6 (patch)
tree36474ad1b586c12075bb0d86fb57f6e7993106fd /app-emulation
parentInitial commit (diff)
Add a patch to fix handling of mount points for block devices; also add some warnings related to grsecurity and LXC.
Package-Manager: portage-2.2.0_alpha101/cvs/Linux x86_64
Diffstat (limited to 'app-emulation')
-rw-r--r--app-emulation/lxc/ChangeLog10
-rw-r--r--app-emulation/lxc/Manifest17
-rw-r--r--app-emulation/lxc/files/lxc-0.8.0_rc1-blockmount.patch148
-rw-r--r--app-emulation/lxc/lxc-0.8.0_rc1-r2.ebuild (renamed from app-emulation/lxc/lxc-0.8.0_rc1-r1.ebuild)26
4 files changed, 191 insertions, 10 deletions
diff --git a/app-emulation/lxc/ChangeLog b/app-emulation/lxc/ChangeLog
index 9c49d1e82484..c1eda5d20dcc 100644
--- a/app-emulation/lxc/ChangeLog
+++ b/app-emulation/lxc/ChangeLog
@@ -1,6 +1,14 @@
# ChangeLog for app-emulation/lxc
# Copyright 1999-2012 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/lxc/ChangeLog,v 1.32 2012/03/27 19:01:25 flameeyes Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/lxc/ChangeLog,v 1.33 2012/04/28 00:17:01 flameeyes Exp $
+
+*lxc-0.8.0_rc1-r2 (28 Apr 2012)
+
+ 28 Apr 2012; Diego E. Pettenò <flameeyes@gentoo.org>
+ +files/lxc-0.8.0_rc1-blockmount.patch, +lxc-0.8.0_rc1-r2.ebuild,
+ -lxc-0.8.0_rc1-r1.ebuild:
+ Add a patch to fix handling of mount points for block devices; also add some
+ warnings related to grsecurity and LXC.
27 Mar 2012; Diego E. Pettenò <flameeyes@gentoo.org> -lxc-0.8.0_rc1.ebuild,
lxc-0.7.5-r3.ebuild, lxc-0.8.0_rc1-r1.ebuild:
diff --git a/app-emulation/lxc/Manifest b/app-emulation/lxc/Manifest
index 1655c387435e..fbc384831d92 100644
--- a/app-emulation/lxc/Manifest
+++ b/app-emulation/lxc/Manifest
@@ -1,19 +1,24 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
+AUX lxc-0.8.0_rc1-blockmount.patch 4374 RMD160 c7efd284d002b821f55d58276b7c266cc1db4e7e SHA1 e71498ac6b44c9cd882d03bccc9f223a4b5e883b SHA256 83736b28e843273ab3287004946c7eb66ff04b87ac100b6481b68d116b039b70
AUX lxc-0.8.0_rc1-libtoolize.patch 2510 RMD160 56e9a053fcd1b22d7e4424af990e4a28e85631f0 SHA1 086a5548271bad011af5f8b0bcde99a42ca51625 SHA256 44ec4271300785fa7a03384140833db48bf158253fbeec167ccf3dfe0bf8dffa
AUX lxc.initd 3746 RMD160 3a8749586c3ed6dedce7fc18d908903dfb8bf5a0 SHA1 7308443ab4c99de8604c31d2e3ef9c55a197ee05 SHA256 7c805f22792fd1b26b2ef102b4345479401c9b2f1e6f32622d66717354fb4328
AUX lxc.initd.2 3298 RMD160 c231a4d3cb3f1aee180f29bb1327c8f212bf7c2d SHA1 d403f21e89e5a5af36d72d9d6619b4c7998efc38 SHA256 da2bdca3ec5d57e40ec06effc68e01628e3dbf44357d6e841fdcdcd21cad7499
DIST lxc-0.7.5.tar.gz 265562 RMD160 93407be1ebf31bdcfa617e60672d9f86ba2940d1 SHA1 9712dccdcd2c10a522134fa17384a5b9e38fce0e SHA256 019ec63f250c874bf7625b1f1bf555b1a6e3a947937a4fca73100abddf829b1c
DIST lxc-0.8.0-rc1.tar.gz 301029 RMD160 3480209a82f361f11a1476d5e92d747bcf751e8b SHA1 6e9a641b3ca06ad034712ecf437588c4585ff40e SHA256 32bf83902c07387646c55de440d6d12cf61bd54c97417109c2d1ac47d17cb911
EBUILD lxc-0.7.5-r3.ebuild 3207 RMD160 698fe796dc5a18d388beada7bc347146ac4569dc SHA1 c852f323f51bf38b724d21e2a94d46ebb1e75822 SHA256 8d0da2a85c47c849d54dc264336c96f386b95a08697387d39c0c8cae0f4db519
-EBUILD lxc-0.8.0_rc1-r1.ebuild 3577 RMD160 332780d5c6d776c1c5ef3a61a68aa27a55f9c784 SHA1 6a42112e5474bccc3ffc1f5575395b1a1d91490a SHA256 94b9efa6f3287aac92c63edbd777a82a4b8067118eb2d40eea2e8678c9ca9816
-MISC ChangeLog 7617 RMD160 d471250e0218b33274ad5aaa2070a35efaa927b4 SHA1 a4f3d35ce8b4a2aa3124f233a9c5a7413e727ed9 SHA256 0e1498ad040fdfcf3c8a639adc78b164b60b168545a43dd5e0b80d6ed9e5d11b
+EBUILD lxc-0.8.0_rc1-r2.ebuild 4658 RMD160 ebe0e679b6868a0ae1ef43a708dc762f2b5f53ca SHA1 ecc50839693db3934b5aaaed8ae653145746247a SHA256 c06d57bb9da55d52295a1d6d24ff16b468e18b8922189169a9752273bf0fdcf2
+MISC ChangeLog 7923 RMD160 076a7c30ed2916a5b36ec2ad690bd7451cff88df SHA1 5757070f4472fa615d5f1e4c45a292b0c1d00bf9 SHA256 afd87cdeeaf49970b267beaa807c2b36ca9c908cf8cd7e41f5da9399ba75e37e
MISC metadata.xml 653 RMD160 d6139a7ce3a5dab18f33c7f111f2e7827c290723 SHA1 47ba631625b4f2b20e491a964e65c78dd236f6f2 SHA256 35f64761067f47ff7abd0e3f3cb57f4bab888a2546bf3267d59987505101a190
-----BEGIN PGP SIGNATURE-----
-Version: GnuPG v2.0.18 (GNU/Linux)
+Version: GnuPG v2.0.19 (GNU/Linux)
-iEYEARECAAYFAk9yDoEACgkQAiZjviIA2Xhy2QCg8Axll6G15x6btFVphgvXkuJ5
-lsIAoNh8Xf3gnsPB+dK8Uc0yLkecAXLi
-=x5vb
+iQEcBAEBAgAGBQJPmzcFAAoJEBqCrVe7WSRDCgQH/1hOtON0XQxZOh/Zd4LO0AKD
+XjmiD4+Dxmt/zvFFd2TshA7OiolApFm86Zl5FH9qfVLrtmlkJ2y/gUk4+GZAA4KH
+H/1tdfVeCJOtV8vhaFt572Nk0qZnGuCc+mQsAkLIfT9ObERkh6pY18qGa+H5vqEM
+iqYltkDvM3+wHJQV3cCsXFzbvxzxShUo6ue4aCDx8eavDJsqIAO2VXBsjanP8zaY
+0BymFbYlN9wk86lXiqndGqJry+R7GNAQW2/X1pWxvtze94ciFzhMIHpA6tQxGpiH
+0ufgyNf48uFBmBvpNptF8Bts0nMUY7W1LGhtXyGwub83+T2DdScAHs3FpLQkD5A=
+=RWbf
-----END PGP SIGNATURE-----
diff --git a/app-emulation/lxc/files/lxc-0.8.0_rc1-blockmount.patch b/app-emulation/lxc/files/lxc-0.8.0_rc1-blockmount.patch
new file mode 100644
index 000000000000..f7e6d250ef3d
--- /dev/null
+++ b/app-emulation/lxc/files/lxc-0.8.0_rc1-blockmount.patch
@@ -0,0 +1,148 @@
+From f895fe1ad3aca8fed492df12adcd8710bca8ca32 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Diego=20Elio=20Petten=C3=B2?= <flameeyes@flameeyes.eu>
+Date: Fri, 27 Apr 2012 17:01:33 -0700
+Subject: [PATCH] Workaround requirement to use the realname of the block
+ device.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Instead of checking always the source path, check the source path if
+mounting a directory, and the mount path if mounting a block device or
+file.
+
+Signed-off-by: Diego Elio Pettenò <flameeyes@flameeyes.eu>
+---
+ src/lxc/conf.c | 34 +++++++++++++++++++---------------
+ src/lxc/conf.h | 1 +
+ 2 files changed, 20 insertions(+), 15 deletions(-)
+
+diff --git a/src/lxc/conf.c b/src/lxc/conf.c
+index e8088bb..593871a 100644
+--- a/src/lxc/conf.c
++++ b/src/lxc/conf.c
+@@ -350,9 +350,9 @@ static int mount_unknow_fs(const char *rootfs, const char *target, int mntopt)
+ return -1;
+ }
+
+-static int mount_rootfs_dir(const char *rootfs, const char *target)
++static int mount_rootfs_dir(struct lxc_rootfs *rootfs)
+ {
+- return mount(rootfs, target, "none", MS_BIND | MS_REC, NULL);
++ return mount(rootfs->path, rootfs->mount, "none", MS_BIND | MS_REC, NULL);
+ }
+
+ static int setup_lodev(const char *rootfs, int fd, struct loop_info64 *loinfo)
+@@ -387,7 +387,7 @@ out:
+ return ret;
+ }
+
+-static int mount_rootfs_file(const char *rootfs, const char *target)
++static int mount_rootfs_file(struct lxc_rootfs *rootfs)
+ {
+ struct dirent dirent, *direntp;
+ struct loop_info64 loinfo;
+@@ -433,9 +433,9 @@ static int mount_rootfs_file(const char *rootfs, const char *target)
+
+ DEBUG("found '%s' free lodev", path);
+
+- ret = setup_lodev(rootfs, fd, &loinfo);
++ ret = setup_lodev(rootfs->path, fd, &loinfo);
+ if (!ret)
+- ret = mount_unknow_fs(path, target, 0);
++ ret = mount_unknow_fs(path, rootfs->mount, 0);
+ close(fd);
+
+ break;
+@@ -444,21 +444,23 @@ static int mount_rootfs_file(const char *rootfs, const char *target)
+ if (closedir(dir))
+ WARN("failed to close directory");
+
++ rootfs->isblock = 1;
+ return ret;
+ }
+
+-static int mount_rootfs_block(const char *rootfs, const char *target)
++static int mount_rootfs_block(struct lxc_rootfs *rootfs)
+ {
+- return mount_unknow_fs(rootfs, target, 0);
++ rootfs->isblock = 1;
++ return mount_unknow_fs(rootfs->path, rootfs->mount, 0);
+ }
+
+-static int mount_rootfs(const char *rootfs, const char *target)
++static int mount_rootfs(struct lxc_rootfs *rootfs)
+ {
+ char absrootfs[MAXPATHLEN];
+ struct stat s;
+ int i;
+
+- typedef int (*rootfs_cb)(const char *, const char *);
++ typedef int (*rootfs_cb)(struct lxc_rootfs *rootfs);
+
+ struct rootfs_type {
+ int type;
+@@ -469,8 +471,8 @@ static int mount_rootfs(const char *rootfs, const char *target)
+ { S_IFREG, mount_rootfs_file },
+ };
+
+- if (!realpath(rootfs, absrootfs)) {
+- SYSERROR("failed to get real path for '%s'", rootfs);
++ if (!realpath(rootfs->path, absrootfs)) {
++ SYSERROR("failed to get real path for '%s'", rootfs->path);
+ return -1;
+ }
+
+@@ -489,7 +491,7 @@ static int mount_rootfs(const char *rootfs, const char *target)
+ if (!__S_ISTYPE(s.st_mode, rtfs_type[i].type))
+ continue;
+
+- return rtfs_type[i].cb(absrootfs, target);
++ return rtfs_type[i].cb(rootfs);
+ }
+
+ ERROR("unsupported rootfs type for '%s'", absrootfs);
+@@ -756,7 +758,7 @@ static int setup_rootfs_pivot_root(const char *rootfs, const char *pivotdir)
+ return 0;
+ }
+
+-static int setup_rootfs(const struct lxc_rootfs *rootfs)
++static int setup_rootfs(struct lxc_rootfs *rootfs)
+ {
+ if (!rootfs->path)
+ return 0;
+@@ -767,7 +769,7 @@ static int setup_rootfs(const struct lxc_rootfs *rootfs)
+ return -1;
+ }
+
+- if (mount_rootfs(rootfs->path, rootfs->mount)) {
++ if (mount_rootfs(rootfs)) {
+ ERROR("failed to mount rootfs");
+ return -1;
+ }
+@@ -1110,7 +1112,9 @@ static int mount_entry_on_absolute_rootfs(struct mntent *mntent,
+ return -1;
+ }
+
+- aux = strstr(mntent->mnt_dir, rootfs->path);
++ aux = rootfs->isblock ? rootfs->mount : rootfs->path;
++
++ aux = strstr(mntent->mnt_dir, aux);
+ if (!aux) {
+ WARN("ignoring mount point '%s'", mntent->mnt_dir);
+ goto out;
+diff --git a/src/lxc/conf.h b/src/lxc/conf.h
+index 09f55cb..b70e637 100644
+--- a/src/lxc/conf.h
++++ b/src/lxc/conf.h
+@@ -181,6 +181,7 @@ struct lxc_rootfs {
+ char *path;
+ char *mount;
+ char *pivot;
++ int isblock;
+ };
+
+ /*
+--
+1.7.8.6
+
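Review bot: The new `isblock` flag consulted at `aux = rootfs->isblock ? rootfs->mount : rootfs->path;` is only ever set to 1 (in mount_rootfs_file and mount_rootfs_block); nothing in the patch clears it for the directory case, so unless `struct lxc_conf` is zero-filled at allocation (not visible here) a bind-mounted directory rootfs may read an indeterminate value and search for the wrong path. Mirror the other two callbacks with `rootfs->isblock = 0;` in mount_rootfs_dir, and consider setting the flag in mount_rootfs_file only when a loop device was actually found rather than unconditionally after the loop. mount_entry_on_absolute_rootfs continues past the hunk: whatever consumes `aux` there (if it still skips `strlen(rootfs->path)` bytes) must now advance by the length of the same needle, and since `strstr` accepts the needle anywhere in `mnt_dir`, a prefix test such as `strncmp(mntent->mnt_dir, aux, strlen(aux)) == 0` would be the stricter check for a path that is meant to be under the rootfs.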
diff --git a/app-emulation/lxc/lxc-0.8.0_rc1-r1.ebuild b/app-emulation/lxc/lxc-0.8.0_rc1-r2.ebuild
index 390a5f33572d..36705aeddce3 100644
--- a/app-emulation/lxc/lxc-0.8.0_rc1-r1.ebuild
+++ b/app-emulation/lxc/lxc-0.8.0_rc1-r2.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2012 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/lxc/lxc-0.8.0_rc1-r1.ebuild,v 1.2 2012/03/27 19:01:25 flameeyes Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/lxc/lxc-0.8.0_rc1-r2.ebuild,v 1.1 2012/04/28 00:17:01 flameeyes Exp $
EAPI="4"
@@ -23,7 +23,8 @@ RDEPEND="sys-libs/libcap"
DEPEND="${RDEPEND}
app-text/docbook-sgml-utils
- >=sys-kernel/linux-headers-2.6.29"
+ >=sys-kernel/linux-headers-2.6.29
+ virtual/linux-sources"
# For init script, so protect with vanilla, they are not strictly
# needed.
@@ -48,7 +49,14 @@ CONFIG_CHECK="~CGROUPS
~VETH ~MACVLAN
~POSIX_MQUEUE
- ~!NETPRIO_CGROUP"
+ ~!NETPRIO_CGROUP
+
+ ~!GRKERNSEC_CHROOT_MOUNT
+ ~!GRKERNSEC_CHROOT_DOUBLE
+ ~!GRKERNSEC_CHROOT_PIVOT
+ ~!GRKERNSEC_CHROOT_CHMOD
+ ~!GRKERNSEC_CHROOT_CAPS
+"
ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES: needed for pts inside container"
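Review bot: The five new `~!GRKERNSEC_CHROOT_*` entries carry no comment saying why a security hardening option is being flagged, which a maintainer will need when deciding whether to drop or extend the list. Add above the block `# grsecurity chroot restrictions that make LXC unusable (see pkg_postinst); warn-only (~) because disabling them relaxes hardening for every chroot on the host, not just for LXC` — the mechanism (presumably they reject the mount/pivot_root sequence LXC performs inside the new root) is not established here, so keep the comment to what the commit states. Stylistically, the blank line inside the quoted string and the closing `"` on its own line differ from the existing `~!NETPRIO_CGROUP"` form on the line just removed; `~!GRKERNSEC_CHROOT_CAPS"` would match the file.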
@@ -64,11 +72,18 @@ ERROR_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE: needed for lxc-execute command"
ERROR_NETPRIO_CGROUP="CONFIG_NETPRIO_CGROUP: as of kernel 3.3 and lxc 0.8.0_rc1 this causes LXCs to fail booting."
+ERROR_GRKERNSEC_CHROOT_MOUNT=":CONFIG_GRKERNSEC_CHROOT_MOUNT some GRSEC features make LXC unusable see postinst notes"
+ERROR_GRKERNSEC_CHROOT_DOUBLE=":CONFIG_GRKERNSEC_CHROOT_DOUBLE some GRSEC features make LXC unusable see postinst notes"
+ERROR_GRKERNSEC_CHROOT_PIVOT=":CONFIG_GRKERNSEC_CHROOT_PIVOT some GRSEC features make LXC unusable see postinst notes"
+ERROR_GRKERNSEC_CHROOT_CHMOD=":CONFIG_GRKERNSEC_CHROOT_CHMOD some GRSEC features make LXC unusable see postinst notes"
+ERROR_GRKERNSEC_CHROOT_CAPS=":CONFIG_GRKERNSEC_CHROOT_CAPS some GRSEC features make LXC unusable see postinst notes"
+
DOCS=(AUTHORS CONTRIBUTING MAINTAINERS TODO README doc/FAQ.txt)
src_prepare() {
if ! use vanilla; then
epatch "${FILESDIR}/${P}-libtoolize.patch"
+ epatch "${FILESDIR}/${P}-blockmount.patch"
eautoreconf
fi
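Review bot: The five ERROR_GRKERNSEC_* strings put the colon before the option name (`":CONFIG_GRKERNSEC_CHROOT_MOUNT some GRSEC features make LXC unusable see postinst notes"`), unlike every other ERROR_ message in the file such as `ERROR_NETPRIO_CGROUP="CONFIG_NETPRIO_CGROUP: as of kernel 3.3 ..."` directly above, so the rendered warning begins with a stray colon and runs two clauses together. Move the colon after the option name and punctuate: `ERROR_GRKERNSEC_CHROOT_MOUNT="CONFIG_GRKERNSEC_CHROOT_MOUNT: this grsecurity chroot restriction makes LXC unusable; see the postinst notes"`, and likewise for DOUBLE, PIVOT, CHMOD and CAPS. The `if ! use vanilla` block that gains the `epatch` line is otherwise unchanged and its enclosing src_prepare starts in the hunk but the function body before it is not shown.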
@@ -124,4 +139,9 @@ pkg_postinst() {
ewarn ""
ewarn "To use the Fedora, Debian and (various) Ubuntu auto-configuration scripts, you"
ewarn "will need sys-apps/yum or dev-util/debootstrap."
+ ewarn ""
+ ewarn "Some GrSecurity settings in relation to chroot security will cause LXC not to"
+ ewarn "work, while others will actually make it much more secure. Please refer to"
+ ewarn "Diego Elio Pettenò's weblog at http://blog.flameeyes.eu/tag/lxc for further"
+ ewarn "details."
}
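Review bot: The new ewarn tells the user that "some GrSecurity settings" break LXC and others make it more secure, but never names them, so a user who has just seen the CONFIG_CHECK warnings scroll by has no in-tree list of what to flip and no hint of the cost. Name the five options the check already flags and state the trade-off, e.g. `ewarn "In particular CONFIG_GRKERNSEC_CHROOT_{MOUNT,DOUBLE,PIVOT,CHMOD,CAPS} make LXC unusable;"` followed by `ewarn "disabling them also relaxes chroot hardening for every other chroot on this host."` before the pointer to the weblog. An external blog URL is a fragile sole reference for a kernel-hardening decision; keeping the substantive guidance in the ebuild text and treating the link as supplementary is more robust. pkg_postinst starts outside the hunk.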