Gentoo's Bugzilla – Attachment 542532 Details for
Bug 662780
<app-emulation/lxc-{2.1.1-r1,3.0.1-r1}: lxc-user-nic allows unprivileged users to open arbitrary files (CVE-2018-6556)
[patch]
Security patch for current LXC ebuilds
0001-app-emulation-lxc-fix-CVE-2018-6556.patch (text/plain), 21.58 KB, created by
Virgil Dupras (RETIRED)
on 2018-08-06 11:07:39 UTC
Description:
Security patch for current LXC ebuilds
Filename:
MIME Type:
Creator:
Virgil Dupras (RETIRED)
Created:
2018-08-06 11:07:39 UTC
Size:
21.58 KB
patch
obsolete
>From 69b222d4719c7a20a5eddfef70469a41e63324f1 Mon Sep 17 00:00:00 2001
>From: Virgil Dupras <vdupras@gentoo.org>
>Date: Sun, 5 Aug 2018 11:11:40 -0400
>Subject: [PATCH] app-emulation/lxc: fix CVE-2018-6556
>
>Apply patches from upstream. In the case of the 2.1.1 patch, I had to
>modify it to make the code compile. See ADDENDUM in patch.
>
>Bug: https://bugs.gentoo.org/662780
>Package-Manager: Portage-2.3.44, Repoman-2.3.10
>---
> .../lxc/files/lxc-2.1.1-cve-2018-6556.patch | 118 +++++++++++
> .../lxc/files/lxc-3.0.1-cve-2018-6556.patch | 110 +++++++++++
> app-emulation/lxc/lxc-2.1.1-r1.ebuild | 215 +++++++++++++++++++++
> app-emulation/lxc/lxc-3.0.1-r1.ebuild | 163 ++++++++++++++++
> 4 files changed, 606 insertions(+)
> create mode 100644 app-emulation/lxc/files/lxc-2.1.1-cve-2018-6556.patch
> create mode 100644 app-emulation/lxc/files/lxc-3.0.1-cve-2018-6556.patch
> create mode 100644 app-emulation/lxc/lxc-2.1.1-r1.ebuild
> create mode 100644 app-emulation/lxc/lxc-3.0.1-r1.ebuild
>
>diff --git a/app-emulation/lxc/files/lxc-2.1.1-cve-2018-6556.patch b/app-emulation/lxc/files/lxc-2.1.1-cve-2018-6556.patch
>new file mode 100644
>index 00000000000..bad1e274527
>--- /dev/null
>+++ b/app-emulation/lxc/files/lxc-2.1.1-cve-2018-6556.patch
>@@ -0,0 +1,118 @@
>+From d183654ec1a2cd1149bdb92601ccb7246bddb14e Mon Sep 17 00:00:00 2001
>+From: Christian Brauner <christian.brauner@ubuntu.com>
>+Date: Wed, 25 Jul 2018 19:56:54 +0200
>+Subject: [PATCH] CVE 2018-6556: verify netns fd in lxc-user-nic
>+
>+Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
>+---
>+ src/lxc/lxc_user_nic.c | 35 ++++++++++++++++++++++++++++++++---
>+ src/lxc/utils.c | 12 ++++++++++++
>+ src/lxc/utils.h | 5 +++++
>+ 3 files changed, 49 insertions(+), 3 deletions(-)
>+
>+ADDENDUM from vdupras@gentoo.org: Original patch from Christian didn't
>+include LXC_PROC_PID_FD_LEN define, but referenced it. This resulted in
>+code that doesn't compile. I fetched the definition from the stable-3.0
>+branch and included it to this patch. Also, this diff is regenerated
>+from lxc-2.1.1 tag instead of stable-2.0 branch.
>+
>+diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c
>+index 6f550f0d..09a342ac 100644
>+--- a/src/lxc/lxc_user_nic.c
>++++ b/src/lxc/lxc_user_nic.c
>+@@ -1124,12 +1124,41 @@ int main(int argc, char *argv[])
>+ exit(EXIT_FAILURE);
>+ }
>+ } else if (request == LXC_USERNIC_DELETE) {
>+- netns_fd = open(args.pid, O_RDONLY);
>++ char opath[LXC_PROC_PID_FD_LEN];
>++
>++ /* Open the path with O_PATH which will not trigger an actual
>++ * open(). Don't report an errno to the caller to not leak
>++ * information whether the path exists or not.
>++ * When stracing setuid is stripped so this is not a concern
>++ * either.
>++ */
>++ netns_fd = open(args.pid, O_PATH | O_CLOEXEC);
>+ if (netns_fd < 0) {
>+- usernic_error("Could not open \"%s\": %s\n", args.pid,
>+- strerror(errno));
>++ usernic_error("Failed to open \"%s\"\n", args.pid);
>+ exit(EXIT_FAILURE);
>+ }
>++
>++ if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) {
>++ usernic_error("Path \"%s\" does not refer to a network namespace path\n", args.pid);
>++ close(netns_fd);
>++ exit(EXIT_FAILURE);
>++ }
>++
>++ ret = snprintf(opath, sizeof(opath), "/proc/self/fd/%d", netns_fd);
>++ if (ret < 0 || (size_t)ret >= sizeof(opath)) {
>++ close(netns_fd);
>++ exit(EXIT_FAILURE);
>++ }
>++
>++ /* Now get an fd that we can use in setns() calls. */
>++ ret = open(opath, O_RDONLY | O_CLOEXEC);
>++ if (ret < 0) {
>++ usernic_error("Failed to open \"%s\": %s\n", args.pid, strerror(errno));
>++ close(netns_fd);
>++ exit(EXIT_FAILURE);
>++ }
>++ close(netns_fd);
>++ netns_fd = ret;
>+ }
>+
>+ if (!create_db_dir(LXC_USERNIC_DB)) {
>+diff --git a/src/lxc/utils.c b/src/lxc/utils.c
>+index e6a44a51..c2a08a9d 100644
>+--- a/src/lxc/utils.c
>++++ b/src/lxc/utils.c
>+@@ -2380,6 +2380,18 @@ bool has_fs_type(const char *path, fs_type_magic magic_val)
>+ return has_type;
>+ }
>+
>++bool fhas_fs_type(int fd, fs_type_magic magic_val)
>++{
>++ int ret;
>++ struct statfs sb;
>++
>++ ret = fstatfs(fd, &sb);
>++ if (ret < 0)
>++ return false;
>++
>++ return is_fs_type(&sb, magic_val);
>++}
>++
>+ bool lxc_nic_exists(char *nic)
>+ {
>+ #define __LXC_SYS_CLASS_NET_LEN 15 + IFNAMSIZ + 1
>+diff --git a/src/lxc/utils.h b/src/lxc/utils.h
>+index e83ed49e..06ec74d7 100644
>+--- a/src/lxc/utils.h
>++++ b/src/lxc/utils.h
>+@@ -46,11 +46,16 @@
>+ #define __S_ISTYPE(mode, mask) (((mode)&S_IFMT) == (mask))
>+ #endif
>+
>++#ifndef NSFS_MAGIC
>++#define NSFS_MAGIC 0x6e736673
>++#endif
>++
>+ /* Useful macros */
>+ /* Maximum number for 64 bit integer is a string with 21 digits: 2^64 - 1 = 21 */
>+ #define LXC_NUMSTRLEN64 21
>+ #define LXC_LINELEN 4096
>+ #define LXC_IDMAPLEN 4096
>++#define LXC_PROC_PID_FD_LEN (6 + LXC_NUMSTRLEN64 + 4 + LXC_NUMSTRLEN64 + 1)
>+
>+ /* returns 1 on success, 0 if there were any failures */
>+ extern int lxc_rmdir_onedev(char *path, const char *exclude);
>+@@ -402,6 +407,7 @@ extern void *must_realloc(void *orig, size_t sz);
>+ /* __typeof__ should be safe to use with all compilers. */
>+ typedef __typeof__(((struct statfs *)NULL)->f_type) fs_type_magic;
>+ extern bool has_fs_type(const char *path, fs_type_magic magic_val);
>++extern bool fhas_fs_type(int fd, fs_type_magic magic_val);
>+ extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val);
>+ extern bool lxc_nic_exists(char *nic);
>diff --git a/app-emulation/lxc/files/lxc-3.0.1-cve-2018-6556.patch b/app-emulation/lxc/files/lxc-3.0.1-cve-2018-6556.patch
>new file mode 100644
>index 00000000000..198e835e6c5
>--- /dev/null
>+++ b/app-emulation/lxc/files/lxc-3.0.1-cve-2018-6556.patch
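Review bot: The comment `/* Now get an fd that we can use in setns() calls. */` before the second open() does not say why the nsfs check made on the O_PATH descriptor still holds for the descriptor actually used: opening `/proc/self/fd/%d` follows the magic link to the already-open inode rather than resolving `args.pid` a second time, so the caller cannot swap the path between `fhas_fs_type()` and the real open. Suggest `/* Re-open through the magic link: this yields the inode fstatfs() just verified; re-resolving args.pid here would reintroduce a check/use race. */`. The asymmetry in error reporting is also worth a line — the O_PATH open hides errno on purpose while the re-open prints `strerror(errno)`, which is acceptable only because the target is by then known to be an nsfs inode and not an arbitrary path. The lxc-3.0.1 patch further down carries the identical hunk and would take the same comments; in both, main()'s body continues outside the hunk.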
>@@ -0,0 +1,110 @@
>+From f2314625c5702cfd25974929599fa439bdac8bdf Mon Sep 17 00:00:00 2001
>+From: Christian Brauner <christian.brauner@ubuntu.com>
>+Date: Wed, 25 Jul 2018 19:56:54 +0200
>+Subject: [PATCH] CVE 2018-6556: verify netns fd in lxc-user-nic
>+
>+Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
>+---
>+ src/lxc/cmd/lxc_user_nic.c | 35 ++++++++++++++++++++++++++++++++---
>+ src/lxc/utils.c | 12 ++++++++++++
>+ src/lxc/utils.h | 5 +++++
>+ 3 files changed, 49 insertions(+), 3 deletions(-)
>+
>+diff --git a/src/lxc/cmd/lxc_user_nic.c b/src/lxc/cmd/lxc_user_nic.c
>+index ec9cd97e..c5beb6c8 100644
>+--- a/src/lxc/cmd/lxc_user_nic.c
>++++ b/src/lxc/cmd/lxc_user_nic.c
>+@@ -1179,12 +1179,41 @@ int main(int argc, char *argv[])
>+ exit(EXIT_FAILURE);
>+ }
>+ } else if (request == LXC_USERNIC_DELETE) {
>+- netns_fd = open(args.pid, O_RDONLY);
>++ char opath[LXC_PROC_PID_FD_LEN];
>++
>++ /* Open the path with O_PATH which will not trigger an actual
>++ * open(). Don't report an errno to the caller to not leak
>++ * information whether the path exists or not.
>++ * When stracing setuid is stripped so this is not a concern
>++ * either.
>++ */
>++ netns_fd = open(args.pid, O_PATH | O_CLOEXEC);
>+ if (netns_fd < 0) {
>+- usernic_error("Could not open \"%s\": %s\n", args.pid,
>+- strerror(errno));
>++ usernic_error("Failed to open \"%s\"\n", args.pid);
>++ exit(EXIT_FAILURE);
>++ }
>++
>++ if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) {
>++ usernic_error("Path \"%s\" does not refer to a network namespace path\n", args.pid);
>++ close(netns_fd);
>++ exit(EXIT_FAILURE);
>++ }
>++
>++ ret = snprintf(opath, sizeof(opath), "/proc/self/fd/%d", netns_fd);
>++ if (ret < 0 || (size_t)ret >= sizeof(opath)) {
>++ close(netns_fd);
>++ exit(EXIT_FAILURE);
>++ }
>++
>++ /* Now get an fd that we can use in setns() calls. */
>++ ret = open(opath, O_RDONLY | O_CLOEXEC);
>++ if (ret < 0) {
>++ usernic_error("Failed to open \"%s\": %s\n", args.pid, strerror(errno));
>++ close(netns_fd);
>+ exit(EXIT_FAILURE);
>+ }
>++ close(netns_fd);
>++ netns_fd = ret;
>+ }
>+
>+ if (!create_db_dir(LXC_USERNIC_DB)) {
>+diff --git a/src/lxc/utils.c b/src/lxc/utils.c
>+index 26f1b058..69d362dc 100644
>+--- a/src/lxc/utils.c
>++++ b/src/lxc/utils.c
>+@@ -2548,6 +2548,18 @@ bool has_fs_type(const char *path, fs_type_magic magic_val)
>+ return has_type;
>+ }
>+
>++bool fhas_fs_type(int fd, fs_type_magic magic_val)
>++{
>++ int ret;
>++ struct statfs sb;
>++
>++ ret = fstatfs(fd, &sb);
>++ if (ret < 0)
>++ return false;
>++
>++ return is_fs_type(&sb, magic_val);
>++}
>++
>+ bool lxc_nic_exists(char *nic)
>+ {
>+ #define __LXC_SYS_CLASS_NET_LEN 15 + IFNAMSIZ + 1
>+diff --git a/src/lxc/utils.h b/src/lxc/utils.h
>+index 7d672b77..fedc395b 100644
>+--- a/src/lxc/utils.h
>++++ b/src/lxc/utils.h
>+@@ -95,6 +95,10 @@
>+ #define CGROUP2_SUPER_MAGIC 0x63677270
>+ #endif
>+
>++#ifndef NSFS_MAGIC
>++#define NSFS_MAGIC 0x6e736673
>++#endif
>++
>+ /* Useful macros */
>+ /* Maximum number for 64 bit integer is a string with 21 digits: 2^64 - 1 = 21 */
>+ #define LXC_NUMSTRLEN64 21
>+@@ -581,6 +585,7 @@ extern void *must_realloc(void *orig, size_t sz);
>+ /* __typeof__ should be safe to use with all compilers. */
>+ typedef __typeof__(((struct statfs *)NULL)->f_type) fs_type_magic;
>+ extern bool has_fs_type(const char *path, fs_type_magic magic_val);
>++extern bool fhas_fs_type(int fd, fs_type_magic magic_val);
>+ extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val);
>+ extern bool lxc_nic_exists(char *nic);
>+ extern int lxc_make_tmpfile(char *template, bool rm);
>+--
>+2.17.1
>+
>diff --git a/app-emulation/lxc/lxc-2.1.1-r1.ebuild b/app-emulation/lxc/lxc-2.1.1-r1.ebuild
>new file mode 100644
>index 00000000000..e5915426973
>--- /dev/null
>+++ b/app-emulation/lxc/lxc-2.1.1-r1.ebuild
>@@ -0,0 +1,215 @@
>+# Copyright 1999-2018 Gentoo Foundation
>+# Distributed under the terms of the GNU General Public License v2
>+
>+EAPI=6
>+
>+PYTHON_COMPAT=( python3_{4,5,6} )
>+DISTUTILS_OPTIONAL=1
>+
>+inherit autotools bash-completion-r1 distutils-r1 linux-info versionator flag-o-matic systemd readme.gentoo-r1
>+DESCRIPTION="LinuX Containers userspace utilities"
>+HOMEPAGE="https://linuxcontainers.org/"
>+SRC_URI="https://linuxcontainers.org/downloads/lxc/${P}.tar.gz"
>+
>+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~x86"
>+
>+LICENSE="LGPL-3"
>+SLOT="0"
>+IUSE="cgmanager examples lua python seccomp selinux"
>+
>+RDEPEND="
>+ net-libs/gnutls
>+ sys-libs/libcap
>+ cgmanager? ( app-admin/cgmanager )
>+ lua? ( >=dev-lang/lua-5.1:= )
>+ python? ( ${PYTHON_DEPS} )
>+ seccomp? ( sys-libs/libseccomp )
>+ selinux? ( sys-libs/libselinux )"
>+
>+DEPEND="${RDEPEND}
>+ app-text/docbook-sgml-utils
>+ >=sys-kernel/linux-headers-3.2"
>+
>+RDEPEND="${RDEPEND}
>+ sys-apps/util-linux
>+ app-misc/pax-utils
>+ virtual/awk"
>+
>+CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE
>+ ~CPUSETS ~CGROUP_CPUACCT
>+ ~CGROUP_SCHED
>+
>+ ~NAMESPACES
>+ ~IPC_NS ~USER_NS ~PID_NS
>+
>+ ~NETLINK_DIAG ~PACKET_DIAG
>+ ~INET_UDP_DIAG ~INET_TCP_DIAG
>+ ~UNIX_DIAG ~CHECKPOINT_RESTORE
>+
>+ ~CGROUP_FREEZER
>+ ~UTS_NS ~NET_NS
>+ ~VETH ~MACVLAN
>+
>+ ~POSIX_MQUEUE
>+ ~!NETPRIO_CGROUP
>+
>+ ~!GRKERNSEC_CHROOT_MOUNT
>+ ~!GRKERNSEC_CHROOT_DOUBLE
>+ ~!GRKERNSEC_CHROOT_PIVOT
>+ ~!GRKERNSEC_CHROOT_CHMOD
>+ ~!GRKERNSEC_CHROOT_CAPS
>+ ~!GRKERNSEC_PROC
>+ ~!GRKERNSEC_SYSFS_RESTRICT
>+"
>+
>+ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES: needed for pts inside container"
>+
>+ERROR_CGROUP_FREEZER="CONFIG_CGROUP_FREEZER: needed to freeze containers"
>+
>+ERROR_UTS_NS="CONFIG_UTS_NS: needed to unshare hostnames and uname info"
>+ERROR_NET_NS="CONFIG_NET_NS: needed for unshared network"
>+
>+ERROR_VETH="CONFIG_VETH: needed for internal (host-to-container) networking"
>+ERROR_MACVLAN="CONFIG_MACVLAN: needed for internal (inter-container) networking"
>+
>+ERROR_NETLINK_DIAG="CONFIG_NETLINK_DIAG: needed for lxc-checkpoint"
>+ERROR_PACKET_DIAG="CONFIG_PACKET_DIAG: needed for lxc-checkpoint"
>+ERROR_INET_UDP_DIAG="CONFIG_INET_UDP_DIAG: needed for lxc-checkpoint"
>+ERROR_INET_TCP_DIAG="CONFIG_INET_TCP_DIAG: needed for lxc-checkpoint"
>+ERROR_UNIX_DIAG="CONFIG_UNIX_DIAG: needed for lxc-checkpoint"
>+ERROR_CHECKPOINT_RESTORE="CONFIG_CHECKPOINT_RESTORE: needed for lxc-checkpoint"
>+
>+ERROR_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE: needed for lxc-execute command"
>+
>+ERROR_NETPRIO_CGROUP="CONFIG_NETPRIO_CGROUP: as of kernel 3.3 and lxc 0.8.0_rc1 this causes LXCs to fail booting."
>+
>+ERROR_GRKERNSEC_CHROOT_MOUNT="CONFIG_GRKERNSEC_CHROOT_MOUNT: some GRSEC features make LXC unusable see postinst notes"
>+ERROR_GRKERNSEC_CHROOT_DOUBLE="CONFIG_GRKERNSEC_CHROOT_DOUBLE: some GRSEC features make LXC unusable see postinst notes"
>+ERROR_GRKERNSEC_CHROOT_PIVOT="CONFIG_GRKERNSEC_CHROOT_PIVOT: some GRSEC features make LXC unusable see postinst notes"
>+ERROR_GRKERNSEC_CHROOT_CHMOD="CONFIG_GRKERNSEC_CHROOT_CHMOD: some GRSEC features make LXC unusable see postinst notes"
>+ERROR_GRKERNSEC_CHROOT_CAPS="CONFIG_GRKERNSEC_CHROOT_CAPS: some GRSEC features make LXC unusable see postinst notes"
>+ERROR_GRKERNSEC_PROC="CONFIG_GRKERNSEC_PROC: this GRSEC feature is incompatible with unprivileged containers"
>+ERROR_GRKERNSEC_SYSFS_RESTRICT="CONFIG_GRKERNSEC_SYSFS_RESTRICT: this GRSEC feature is incompatible with unprivileged containers"
>+
>+DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt)
>+
>+REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
>+
>+pkg_setup() {
>+ kernel_is -lt 4 7 && CONFIG_CHECK="${CONFIG_CHECK} ~DEVPTS_MULTIPLE_INSTANCES"
>+ linux-info_pkg_setup
>+}
>+
>+src_prepare() {
>+ eapply "${FILESDIR}"/${PN}-2.0.6-bash-completion.patch
>+ #558854
>+ eapply "${FILESDIR}"/${PN}-2.0.5-omit-sysconfig.patch
>+ eapply "${FILESDIR}"/${PN}-2.1.1-fix-cgroup2-detection.patch
>+ eapply "${FILESDIR}"/${PN}-2.1.1-cgroups-enable-container-without-CAP_SYS_ADMIN.patch
>+ eapply "${FILESDIR}"/${PN}-2.1.1-cve-2018-6556.patch
>+ eapply_user
>+ eautoreconf
>+}
>+
>+src_configure() {
>+ append-flags -fno-strict-aliasing
>+
>+ if use python; then
>+ #541932
>+ python_setup "python3*"
>+ export PKG_CONFIG_PATH="${T}/${EPYTHON}/pkgconfig:${PKG_CONFIG_PATH}"
>+ fi
>+
>+ # I am not sure about the --with-rootfs-path
>+ # /var/lib/lxc is probably more appropriate than
>+ # /usr/lib/lxc.
>+ # Note by holgersson: Why is apparmor disabled?
>+
>+ # --enable-doc is for manpages which is why we don't link it to a "doc"
>+ # USE flag. We always want man pages.
>+ econf \
>+ --localstatedir=/var \
>+ --bindir=/usr/bin \
>+ --sbindir=/usr/bin \
>+ --with-config-path=/var/lib/lxc \
>+ --with-rootfs-path=/var/lib/lxc/rootfs \
>+ --with-distro=gentoo \
>+ --with-runtime-path=/run \
>+ --disable-apparmor \
>+ --disable-werror \
>+ --enable-doc \
>+ $(use_enable cgmanager) \
>+ $(use_enable examples) \
>+ $(use_enable lua) \
>+ $(use_enable python) \
>+ $(use_enable seccomp) \
>+ $(use_enable selinux)
>+}
>+
>+python_compile() {
>+ distutils-r1_python_compile build_ext -I.. -L../lxc/.libs --no-pkg-config
>+}
>+
>+src_compile() {
>+ default
>+
>+ if use python; then
>+ pushd "${S}/src/python-${PN}" > /dev/null
>+ distutils-r1_src_compile
>+ popd > /dev/null
>+ fi
>+}
>+
>+src_install() {
>+ default
>+
>+ mv "${ED}"/usr/share/bash-completion/completions/${PN} "${ED}"/$(get_bashcompdir)/${PN}-start || die
>+ # start-ephemeral is no longer a command but removing it here
>+ # generates QA warnings (still in upstream completion script)
>+ bashcomp_alias ${PN}-start \
>+ ${PN}-{attach,cgroup,copy,console,create,destroy,device,execute,freeze,info,monitor,snapshot,start-ephemeral,stop,unfreeze,wait}
>+
>+ if use python; then
>+ pushd "${S}/src/python-lxc" > /dev/null
>+ # Unset DOCS. This has been handled by the default target
>+ unset DOCS
>+ distutils-r1_src_install
>+ popd > /dev/null
>+ fi
>+
>+ keepdir /etc/lxc /var/lib/lxc/rootfs /var/log/lxc
>+
>+ find "${D}" -name '*.la' -delete
>+
>+ # Gentoo-specific additions!
>+ newinitd "${FILESDIR}/${PN}.initd.7" ${PN}
>+
>+ # Remember to compare our systemd unit file with the upstream one
>+ # config/init/systemd/lxc.service.in
>+ systemd_newunit "${FILESDIR}"/${PN}_at.service.4 "lxc@.service"
>+
>+ DOC_CONTENTS="
>+ Starting from version ${PN}-1.1.0-r3, the default lxc path has been
>+ moved from /etc/lxc to /var/lib/lxc. If you still want to use /etc/lxc
>+ please add the following to your /etc/lxc/lxc.conf
>+
>+ lxc.lxcpath = /etc/lxc
>+
>+ For openrc, there is an init script provided with the package.
>+ You _should_ only need to symlink /etc/init.d/lxc to
>+ /etc/init.d/lxc.configname to start the container defined in
>+ /etc/lxc/configname.conf.
>+
>+ Correspondingly, for systemd a service file lxc@.service is installed.
>+ Enable and start lxc@configname in order to start the container defined
>+ in /etc/lxc/configname.conf.
>+
>+ If you want checkpoint/restore functionality, please install criu
>+ (sys-process/criu)."
>+ DISABLE_AUTOFORMATTING=true
>+ readme.gentoo_create_doc
>+}
>+
>+pkg_postinst() {
>+ readme.gentoo_print_elog
>+}
>diff --git a/app-emulation/lxc/lxc-3.0.1-r1.ebuild b/app-emulation/lxc/lxc-3.0.1-r1.ebuild
>new file mode 100644
>index 00000000000..be0d3a86f25
>--- /dev/null
>+++ b/app-emulation/lxc/lxc-3.0.1-r1.ebuild
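Review bot: `find "${D}" -name '*.la' -delete` in src_install() has no `|| die`, unlike the `mv` line a few lines above it, so a failure there would pass silently; `find "${D}" -name '*.la' -delete || die` matches the rest of the function. The same line appears in lxc-3.0.1-r1.ebuild below.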
>@@ -0,0 +1,163 @@
>+# Copyright 1999-2018 Gentoo Foundation
>+# Distributed under the terms of the GNU General Public License v2
>+
>+EAPI=6
>+
>+inherit autotools bash-completion-r1 linux-info flag-o-matic systemd readme.gentoo-r1 pam
>+
>+DESCRIPTION="LinuX Containers userspace utilities"
>+HOMEPAGE="https://linuxcontainers.org/"
>+SRC_URI="https://linuxcontainers.org/downloads/lxc/${P}.tar.gz"
>+
>+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~x86"
>+
>+LICENSE="LGPL-3"
>+SLOT="0"
>+IUSE="examples pam python seccomp selinux +templates"
>+
>+RDEPEND="
>+ net-libs/gnutls
>+ sys-libs/libcap
>+ pam? ( virtual/pam )
>+ seccomp? ( sys-libs/libseccomp )
>+ selinux? ( sys-libs/libselinux )"
>+
>+DEPEND="${RDEPEND}
>+ >=app-text/docbook-sgml-utils-0.6.14-r2
>+ >=sys-kernel/linux-headers-3.2"
>+
>+RDEPEND="${RDEPEND}
>+ sys-apps/util-linux
>+ app-misc/pax-utils
>+ virtual/awk"
>+
>+PDEPEND="templates? ( app-emulation/lxc-templates )
>+ python? ( dev-python/python3-lxc )"
>+
>+CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE
>+ ~CPUSETS ~CGROUP_CPUACCT
>+ ~CGROUP_SCHED
>+
>+ ~NAMESPACES
>+ ~IPC_NS ~USER_NS ~PID_NS
>+
>+ ~CGROUP_FREEZER
>+ ~UTS_NS ~NET_NS
>+ ~VETH ~MACVLAN
>+
>+ ~POSIX_MQUEUE
>+ ~!NETPRIO_CGROUP
>+
>+ ~!GRKERNSEC_CHROOT_MOUNT
>+ ~!GRKERNSEC_CHROOT_DOUBLE
>+ ~!GRKERNSEC_CHROOT_PIVOT
>+ ~!GRKERNSEC_CHROOT_CHMOD
>+ ~!GRKERNSEC_CHROOT_CAPS
>+ ~!GRKERNSEC_PROC
>+ ~!GRKERNSEC_SYSFS_RESTRICT
>+"
>+
>+ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES: needed for pts inside container"
>+
>+ERROR_CGROUP_FREEZER="CONFIG_CGROUP_FREEZER: needed to freeze containers"
>+
>+ERROR_UTS_NS="CONFIG_UTS_NS: needed to unshare hostnames and uname info"
>+ERROR_NET_NS="CONFIG_NET_NS: needed for unshared network"
>+
>+ERROR_VETH="CONFIG_VETH: needed for internal (host-to-container) networking"
>+ERROR_MACVLAN="CONFIG_MACVLAN: needed for internal (inter-container) networking"
>+
>+ERROR_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE: needed for lxc-execute command"
>+
>+ERROR_NETPRIO_CGROUP="CONFIG_NETPRIO_CGROUP: as of kernel 3.3 and lxc 0.8.0_rc1 this causes LXCs to fail booting."
>+
>+ERROR_GRKERNSEC_CHROOT_MOUNT="CONFIG_GRKERNSEC_CHROOT_MOUNT: some GRSEC features make LXC unusable see postinst notes"
>+ERROR_GRKERNSEC_CHROOT_DOUBLE="CONFIG_GRKERNSEC_CHROOT_DOUBLE: some GRSEC features make LXC unusable see postinst notes"
>+ERROR_GRKERNSEC_CHROOT_PIVOT="CONFIG_GRKERNSEC_CHROOT_PIVOT: some GRSEC features make LXC unusable see postinst notes"
>+ERROR_GRKERNSEC_CHROOT_CHMOD="CONFIG_GRKERNSEC_CHROOT_CHMOD: some GRSEC features make LXC unusable see postinst notes"
>+ERROR_GRKERNSEC_CHROOT_CAPS="CONFIG_GRKERNSEC_CHROOT_CAPS: some GRSEC features make LXC unusable see postinst notes"
>+ERROR_GRKERNSEC_PROC="CONFIG_GRKERNSEC_PROC: this GRSEC feature is incompatible with unprivileged containers"
>+ERROR_GRKERNSEC_SYSFS_RESTRICT="CONFIG_GRKERNSEC_SYSFS_RESTRICT: this GRSEC feature is incompatible with unprivileged containers"
>+
>+DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt)
>+
>+pkg_setup() {
>+ kernel_is -lt 4 7 && CONFIG_CHECK="${CONFIG_CHECK} ~DEVPTS_MULTIPLE_INSTANCES"
>+ linux-info_pkg_setup
>+}
>+
>+src_prepare() {
>+ eapply "${FILESDIR}"/${PN}-3.0.0-bash-completion.patch
>+ #558854
>+ eapply "${FILESDIR}"/${PN}-2.0.5-omit-sysconfig.patch
>+ eapply "${FILESDIR}"/${PN}-3.0.1-cve-2018-6556.patch
>+ eapply_user
>+ eautoreconf
>+}
>+
>+src_configure() {
>+ append-flags -fno-strict-aliasing
>+
>+ # I am not sure about the --with-rootfs-path
>+ # /var/lib/lxc is probably more appropriate than
>+ # /usr/lib/lxc.
>+ # Note by holgersson: Why is apparmor disabled?
>+
>+ # --enable-doc is for manpages which is why we don't link it to a "doc"
>+ # USE flag. We always want man pages.
>+ econf \
>+ --localstatedir=/var \
>+ --bindir=/usr/bin \
>+ --sbindir=/usr/bin \
>+ --with-config-path=/var/lib/lxc \
>+ --with-rootfs-path=/var/lib/lxc/rootfs \
>+ --with-distro=gentoo \
>+ --with-runtime-path=/run \
>+ --disable-apparmor \
>+ --disable-werror \
>+ --enable-doc \
>+ $(use_enable examples) \
>+ $(use_enable pam) \
>+ $(use_with pam pamdir $(getpam_mod_dir)) \
>+ $(use_enable seccomp) \
>+ $(use_enable selinux)
>+}
>+
>+src_install() {
>+ default
>+
>+ mv "${ED}"/usr/share/bash-completion/completions/${PN} "${ED}"/$(get_bashcompdir)/${PN}-start || die
>+ bashcomp_alias ${PN}-start \
>+ ${PN}-{attach,cgroup,copy,console,create,destroy,device,execute,freeze,info,monitor,snapshot,stop,unfreeze,wait}
>+
>+ keepdir /etc/lxc /var/lib/lxc/rootfs /var/log/lxc
>+ rmdir "${D}"/var/cache/lxc "${D}"/var/cache || die "rmdir failed"
>+
>+ find "${D}" -name '*.la' -delete
>+
>+ # Gentoo-specific additions!
>+ newinitd "${FILESDIR}/${PN}.initd.7" ${PN}
>+
>+ # Remember to compare our systemd unit file with the upstream one
>+ # config/init/systemd/lxc.service.in
>+ systemd_newunit "${FILESDIR}"/${PN}_at.service.4 "lxc@.service"
>+
>+ DOC_CONTENTS="
>+ For openrc, there is an init script provided with the package.
>+ You _should_ only need to symlink /etc/init.d/lxc to
>+ /etc/init.d/lxc.configname to start the container defined in
>+ /etc/lxc/configname.conf.
>+
>+ Correspondingly, for systemd a service file lxc@.service is installed.
>+ Enable and start lxc@configname in order to start the container defined
>+ in /etc/lxc/configname.conf.
>+
>+ If you want checkpoint/restore functionality, please install criu
>+ (sys-process/criu)."
>+ DISABLE_AUTOFORMATTING=true
>+ readme.gentoo_create_doc
>+}
>+
>+pkg_postinst() {
>+ readme.gentoo_print_elog
>+}
>--
>2.16.4
>