commit:     29dedb39a6a6587a6d71b11444de28f24a98b0bb
Author:     Virgil Dupras <vdupras <AT> gentoo <DOT> org>
AuthorDate: Sun Aug  5 15:11:40 2018 +0000
Commit:     Virgil Dupras <vdupras <AT> gentoo <DOT> org>
CommitDate: Mon Aug  6 16:08:11 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=29dedb39

app-emulation/lxc: fix CVE-2018-6556

Apply patches from upstream. In the case of the 2.1.1 patch, I had to
modify it to make the code compile. See ADDENDUM in patch.

Bug: https://bugs.gentoo.org/662780
Package-Manager: Portage-2.3.44, Repoman-2.3.10

 .../lxc/files/lxc-2.1.1-cve-2018-6556.patch        | 118 +++++++++++
 .../lxc/files/lxc-3.0.1-cve-2018-6556.patch        | 110 +++++++++++
 app-emulation/lxc/lxc-2.1.1-r1.ebuild              | 215 +++++++++++++++++++++
 app-emulation/lxc/lxc-3.0.1-r1.ebuild              | 163 ++++++++++++++++
 4 files changed, 606 insertions(+)

diff --git a/app-emulation/lxc/files/lxc-2.1.1-cve-2018-6556.patch 
b/app-emulation/lxc/files/lxc-2.1.1-cve-2018-6556.patch
new file mode 100644
index 00000000000..bad1e274527
--- /dev/null
+++ b/app-emulation/lxc/files/lxc-2.1.1-cve-2018-6556.patch
@@ -0,0 +1,118 @@
+From d183654ec1a2cd1149bdb92601ccb7246bddb14e Mon Sep 17 00:00:00 2001
+From: Christian Brauner <[email protected]>
+Date: Wed, 25 Jul 2018 19:56:54 +0200
+Subject: [PATCH] CVE 2018-6556: verify netns fd in lxc-user-nic
+
+Signed-off-by: Christian Brauner <[email protected]>
+---
+ src/lxc/lxc_user_nic.c | 35 ++++++++++++++++++++++++++++++++---
+ src/lxc/utils.c        | 12 ++++++++++++
+ src/lxc/utils.h        |  5 +++++
+ 3 files changed, 49 insertions(+), 3 deletions(-)
+
+ADDENDUM from [email protected]: Original patch from Christian didn't
+include LXC_PROC_PID_FD_LEN define, but referenced it. This resulted in
+code that doesn't compile. I fetched the definition from the stable-3.0
+branch and included it to this patch. Also, this diff is regenerated
+from lxc-2.1.1 tag instead of stable-2.0 branch.
+
+diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c
+index 6f550f0d..09a342ac 100644
+--- a/src/lxc/lxc_user_nic.c
++++ b/src/lxc/lxc_user_nic.c
+@@ -1124,12 +1124,41 @@ int main(int argc, char *argv[])
+                       exit(EXIT_FAILURE);
+               }
+       } else if (request == LXC_USERNIC_DELETE) {
+-              netns_fd = open(args.pid, O_RDONLY);
++              char opath[LXC_PROC_PID_FD_LEN];
++
++              /* Open the path with O_PATH which will not trigger an actual
++               * open(). Don't report an errno to the caller to not leak
++               * information whether the path exists or not.
++               * When stracing setuid is stripped so this is not a concern
++               * either.
++               */
++              netns_fd = open(args.pid, O_PATH | O_CLOEXEC);
+               if (netns_fd < 0) {
+-                      usernic_error("Could not open \"%s\": %s\n", args.pid,
+-                                    strerror(errno));
++                      usernic_error("Failed to open \"%s\"\n", args.pid);
+                       exit(EXIT_FAILURE);
+               }
++
++              if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) {
++                      usernic_error("Path \"%s\" does not refer to a network 
namespace path\n", args.pid);
++                      close(netns_fd);
++                      exit(EXIT_FAILURE);
++              }
++
++              ret = snprintf(opath, sizeof(opath), "/proc/self/fd/%d", 
netns_fd);
++              if (ret < 0 || (size_t)ret >= sizeof(opath)) {
++                      close(netns_fd);
++                      exit(EXIT_FAILURE);
++              }
++
++              /* Now get an fd that we can use in setns() calls. */
++              ret = open(opath, O_RDONLY | O_CLOEXEC);
++              if (ret < 0) {
++                      usernic_error("Failed to open \"%s\": %s\n", args.pid, 
strerror(errno));
++                      close(netns_fd);
++                      exit(EXIT_FAILURE);
++              }
++              close(netns_fd);
++              netns_fd = ret;
+       }
+ 
+       if (!create_db_dir(LXC_USERNIC_DB)) {
+diff --git a/src/lxc/utils.c b/src/lxc/utils.c
+index e6a44a51..c2a08a9d 100644
+--- a/src/lxc/utils.c
++++ b/src/lxc/utils.c
+@@ -2380,6 +2380,18 @@ bool has_fs_type(const char *path, fs_type_magic 
magic_val)
+       return has_type;
+ }
+ 
++bool fhas_fs_type(int fd, fs_type_magic magic_val)
++{
++      int ret;
++      struct statfs sb;
++
++      ret = fstatfs(fd, &sb);
++      if (ret < 0)
++              return false;
++
++      return is_fs_type(&sb, magic_val);
++}
++
+ bool lxc_nic_exists(char *nic)
+ {
+ #define __LXC_SYS_CLASS_NET_LEN 15 + IFNAMSIZ + 1
+diff --git a/src/lxc/utils.h b/src/lxc/utils.h
+index e83ed49e..06ec74d7 100644
+--- a/src/lxc/utils.h
++++ b/src/lxc/utils.h
+@@ -46,11 +46,16 @@
+ #define __S_ISTYPE(mode, mask) (((mode)&S_IFMT) == (mask))
+ #endif
+ 
++#ifndef NSFS_MAGIC
++#define NSFS_MAGIC 0x6e736673
++#endif
++
+ /* Useful macros */
+ /* Maximum number for 64 bit integer is a string with 21 digits: 2^64 - 1 = 
21 */
+ #define LXC_NUMSTRLEN64 21
+ #define LXC_LINELEN 4096
+ #define LXC_IDMAPLEN 4096
++#define LXC_PROC_PID_FD_LEN (6 + LXC_NUMSTRLEN64 + 4 + LXC_NUMSTRLEN64 + 1)
+ 
+ /* returns 1 on success, 0 if there were any failures */
+ extern int lxc_rmdir_onedev(char *path, const char *exclude);
+@@ -402,6 +407,7 @@ extern void *must_realloc(void *orig, size_t sz);
+ /* __typeof__ should be safe to use with all compilers. */
+ typedef __typeof__(((struct statfs *)NULL)->f_type) fs_type_magic;
+ extern bool has_fs_type(const char *path, fs_type_magic magic_val);
++extern bool fhas_fs_type(int fd, fs_type_magic magic_val);
+ extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val);
+ extern bool lxc_nic_exists(char *nic);
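Review bot: The `fhas_fs_type(netns_fd, NSFS_MAGIC)` check in the `LXC_USERNIC_DELETE` branch proves only that the caller's path is some nsfs inode (user, pid, mnt, uts, … namespace files all share that magic), yet the error text says "does not refer to a network namespace path" and the comment above the later `open()` implies the fd is now known to be a netns. Presumably the `setns()` call that consumes `netns_fd` (outside this hunk; the enclosing `main()` starts and ends outside it) is what actually rejects a non-network namespace, so the helper's security argument rests on that call passing `CLONE_NEWNET` rather than on this check. I would make that explicit next to the check, e.g. `/* NSFS_MAGIC only proves this is a namespace file, not a *network* namespace; the setns(CLONE_NEWNET) that consumes netns_fd must still reject other namespace types. */`, and reword the message to `"Path \"%s\" does not refer to a namespace file\n"`. The identical check and message appear in the lxc-3.0.1-cve-2018-6556.patch hunk below; the O_PATH-then-reopen-via-`/proc/self/fd` sequence itself looks sound, since the second open resolves the already-verified inode rather than re-walking the caller's path.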

diff --git a/app-emulation/lxc/files/lxc-3.0.1-cve-2018-6556.patch 
b/app-emulation/lxc/files/lxc-3.0.1-cve-2018-6556.patch
new file mode 100644
index 00000000000..198e835e6c5
--- /dev/null
+++ b/app-emulation/lxc/files/lxc-3.0.1-cve-2018-6556.patch
@@ -0,0 +1,110 @@
+From f2314625c5702cfd25974929599fa439bdac8bdf Mon Sep 17 00:00:00 2001
+From: Christian Brauner <[email protected]>
+Date: Wed, 25 Jul 2018 19:56:54 +0200
+Subject: [PATCH] CVE 2018-6556: verify netns fd in lxc-user-nic
+
+Signed-off-by: Christian Brauner <[email protected]>
+---
+ src/lxc/cmd/lxc_user_nic.c | 35 ++++++++++++++++++++++++++++++++---
+ src/lxc/utils.c            | 12 ++++++++++++
+ src/lxc/utils.h            |  5 +++++
+ 3 files changed, 49 insertions(+), 3 deletions(-)
+
+diff --git a/src/lxc/cmd/lxc_user_nic.c b/src/lxc/cmd/lxc_user_nic.c
+index ec9cd97e..c5beb6c8 100644
+--- a/src/lxc/cmd/lxc_user_nic.c
++++ b/src/lxc/cmd/lxc_user_nic.c
+@@ -1179,12 +1179,41 @@ int main(int argc, char *argv[])
+                       exit(EXIT_FAILURE);
+               }
+       } else if (request == LXC_USERNIC_DELETE) {
+-              netns_fd = open(args.pid, O_RDONLY);
++              char opath[LXC_PROC_PID_FD_LEN];
++
++              /* Open the path with O_PATH which will not trigger an actual
++               * open(). Don't report an errno to the caller to not leak
++               * information whether the path exists or not.
++               * When stracing setuid is stripped so this is not a concern
++               * either.
++               */
++              netns_fd = open(args.pid, O_PATH | O_CLOEXEC);
+               if (netns_fd < 0) {
+-                      usernic_error("Could not open \"%s\": %s\n", args.pid,
+-                                    strerror(errno));
++                      usernic_error("Failed to open \"%s\"\n", args.pid);
++                      exit(EXIT_FAILURE);
++              }
++
++              if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) {
++                      usernic_error("Path \"%s\" does not refer to a network 
namespace path\n", args.pid);
++                      close(netns_fd);
++                      exit(EXIT_FAILURE);
++              }
++
++              ret = snprintf(opath, sizeof(opath), "/proc/self/fd/%d", 
netns_fd);
++              if (ret < 0 || (size_t)ret >= sizeof(opath)) {
++                      close(netns_fd);
++                      exit(EXIT_FAILURE);
++              }
++
++              /* Now get an fd that we can use in setns() calls. */
++              ret = open(opath, O_RDONLY | O_CLOEXEC);
++              if (ret < 0) {
++                      usernic_error("Failed to open \"%s\": %s\n", args.pid, 
strerror(errno));
++                      close(netns_fd);
+                       exit(EXIT_FAILURE);
+               }
++              close(netns_fd);
++              netns_fd = ret;
+       }
+ 
+       if (!create_db_dir(LXC_USERNIC_DB)) {
+diff --git a/src/lxc/utils.c b/src/lxc/utils.c
+index 26f1b058..69d362dc 100644
+--- a/src/lxc/utils.c
++++ b/src/lxc/utils.c
+@@ -2548,6 +2548,18 @@ bool has_fs_type(const char *path, fs_type_magic 
magic_val)
+       return has_type;
+ }
+ 
++bool fhas_fs_type(int fd, fs_type_magic magic_val)
++{
++      int ret;
++      struct statfs sb;
++
++      ret = fstatfs(fd, &sb);
++      if (ret < 0)
++              return false;
++
++      return is_fs_type(&sb, magic_val);
++}
++
+ bool lxc_nic_exists(char *nic)
+ {
+ #define __LXC_SYS_CLASS_NET_LEN 15 + IFNAMSIZ + 1
+diff --git a/src/lxc/utils.h b/src/lxc/utils.h
+index 7d672b77..fedc395b 100644
+--- a/src/lxc/utils.h
++++ b/src/lxc/utils.h
+@@ -95,6 +95,10 @@
+ #define CGROUP2_SUPER_MAGIC 0x63677270
+ #endif
+ 
++#ifndef NSFS_MAGIC
++#define NSFS_MAGIC 0x6e736673
++#endif
++
+ /* Useful macros */
+ /* Maximum number for 64 bit integer is a string with 21 digits: 2^64 - 1 = 
21 */
+ #define LXC_NUMSTRLEN64 21
+@@ -581,6 +585,7 @@ extern void *must_realloc(void *orig, size_t sz);
+ /* __typeof__ should be safe to use with all compilers. */
+ typedef __typeof__(((struct statfs *)NULL)->f_type) fs_type_magic;
+ extern bool has_fs_type(const char *path, fs_type_magic magic_val);
++extern bool fhas_fs_type(int fd, fs_type_magic magic_val);
+ extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val);
+ extern bool lxc_nic_exists(char *nic);
+ extern int lxc_make_tmpfile(char *template, bool rm);
+-- 
+2.17.1
+

diff --git a/app-emulation/lxc/lxc-2.1.1-r1.ebuild 
b/app-emulation/lxc/lxc-2.1.1-r1.ebuild
new file mode 100644
index 00000000000..e5915426973
--- /dev/null
+++ b/app-emulation/lxc/lxc-2.1.1-r1.ebuild
@@ -0,0 +1,215 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+PYTHON_COMPAT=( python3_{4,5,6} )
+DISTUTILS_OPTIONAL=1
+
+inherit autotools bash-completion-r1 distutils-r1 linux-info versionator 
flag-o-matic systemd readme.gentoo-r1
+DESCRIPTION="LinuX Containers userspace utilities"
+HOMEPAGE="https://linuxcontainers.org/";
+SRC_URI="https://linuxcontainers.org/downloads/lxc/${P}.tar.gz";
+
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~x86"
+
+LICENSE="LGPL-3"
+SLOT="0"
+IUSE="cgmanager examples lua python seccomp selinux"
+
+RDEPEND="
+       net-libs/gnutls
+       sys-libs/libcap
+       cgmanager? ( app-admin/cgmanager )
+       lua? ( >=dev-lang/lua-5.1:= )
+       python? ( ${PYTHON_DEPS} )
+       seccomp? ( sys-libs/libseccomp )
+       selinux? ( sys-libs/libselinux )"
+
+DEPEND="${RDEPEND}
+       app-text/docbook-sgml-utils
+       >=sys-kernel/linux-headers-3.2"
+
+RDEPEND="${RDEPEND}
+       sys-apps/util-linux
+       app-misc/pax-utils
+       virtual/awk"
+
+CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE
+       ~CPUSETS ~CGROUP_CPUACCT
+       ~CGROUP_SCHED
+
+       ~NAMESPACES
+       ~IPC_NS ~USER_NS ~PID_NS
+
+       ~NETLINK_DIAG ~PACKET_DIAG
+       ~INET_UDP_DIAG ~INET_TCP_DIAG
+       ~UNIX_DIAG ~CHECKPOINT_RESTORE
+
+       ~CGROUP_FREEZER
+       ~UTS_NS ~NET_NS
+       ~VETH ~MACVLAN
+
+       ~POSIX_MQUEUE
+       ~!NETPRIO_CGROUP
+
+       ~!GRKERNSEC_CHROOT_MOUNT
+       ~!GRKERNSEC_CHROOT_DOUBLE
+       ~!GRKERNSEC_CHROOT_PIVOT
+       ~!GRKERNSEC_CHROOT_CHMOD
+       ~!GRKERNSEC_CHROOT_CAPS
+       ~!GRKERNSEC_PROC
+       ~!GRKERNSEC_SYSFS_RESTRICT
+"
+
+ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES:  needed for 
pts inside container"
+
+ERROR_CGROUP_FREEZER="CONFIG_CGROUP_FREEZER:  needed to freeze containers"
+
+ERROR_UTS_NS="CONFIG_UTS_NS:  needed to unshare hostnames and uname info"
+ERROR_NET_NS="CONFIG_NET_NS:  needed for unshared network"
+
+ERROR_VETH="CONFIG_VETH:  needed for internal (host-to-container) networking"
+ERROR_MACVLAN="CONFIG_MACVLAN:  needed for internal (inter-container) 
networking"
+
+ERROR_NETLINK_DIAG="CONFIG_NETLINK_DIAG:  needed for lxc-checkpoint"
+ERROR_PACKET_DIAG="CONFIG_PACKET_DIAG:  needed for lxc-checkpoint"
+ERROR_INET_UDP_DIAG="CONFIG_INET_UDP_DIAG:  needed for lxc-checkpoint"
+ERROR_INET_TCP_DIAG="CONFIG_INET_TCP_DIAG:  needed for lxc-checkpoint"
+ERROR_UNIX_DIAG="CONFIG_UNIX_DIAG:  needed for lxc-checkpoint"
+ERROR_CHECKPOINT_RESTORE="CONFIG_CHECKPOINT_RESTORE:  needed for 
lxc-checkpoint"
+
+ERROR_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE:  needed for lxc-execute command"
+
+ERROR_NETPRIO_CGROUP="CONFIG_NETPRIO_CGROUP:  as of kernel 3.3 and lxc 
0.8.0_rc1 this causes LXCs to fail booting."
+
+ERROR_GRKERNSEC_CHROOT_MOUNT="CONFIG_GRKERNSEC_CHROOT_MOUNT:  some GRSEC 
features make LXC unusable see postinst notes"
+ERROR_GRKERNSEC_CHROOT_DOUBLE="CONFIG_GRKERNSEC_CHROOT_DOUBLE:  some GRSEC 
features make LXC unusable see postinst notes"
+ERROR_GRKERNSEC_CHROOT_PIVOT="CONFIG_GRKERNSEC_CHROOT_PIVOT:  some GRSEC 
features make LXC unusable see postinst notes"
+ERROR_GRKERNSEC_CHROOT_CHMOD="CONFIG_GRKERNSEC_CHROOT_CHMOD:  some GRSEC 
features make LXC unusable see postinst notes"
+ERROR_GRKERNSEC_CHROOT_CAPS="CONFIG_GRKERNSEC_CHROOT_CAPS:  some GRSEC 
features make LXC unusable see postinst notes"
+ERROR_GRKERNSEC_PROC="CONFIG_GRKERNSEC_PROC:  this GRSEC feature is 
incompatible with unprivileged containers"
+ERROR_GRKERNSEC_SYSFS_RESTRICT="CONFIG_GRKERNSEC_SYSFS_RESTRICT:  this GRSEC 
feature is incompatible with unprivileged containers"
+
+DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt)
+
+REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
+
+pkg_setup() {
+       kernel_is -lt 4 7 && CONFIG_CHECK="${CONFIG_CHECK} 
~DEVPTS_MULTIPLE_INSTANCES"
+       linux-info_pkg_setup
+}
+
+src_prepare() {
+       eapply "${FILESDIR}"/${PN}-2.0.6-bash-completion.patch
+       #558854
+       eapply "${FILESDIR}"/${PN}-2.0.5-omit-sysconfig.patch
+       eapply "${FILESDIR}"/${PN}-2.1.1-fix-cgroup2-detection.patch
+       eapply 
"${FILESDIR}"/${PN}-2.1.1-cgroups-enable-container-without-CAP_SYS_ADMIN.patch
+       eapply "${FILESDIR}"/${PN}-2.1.1-cve-2018-6556.patch
+       eapply_user
+       eautoreconf
+}
+
+src_configure() {
+       append-flags -fno-strict-aliasing
+
+       if use python; then
+               #541932
+               python_setup "python3*"
+               export 
PKG_CONFIG_PATH="${T}/${EPYTHON}/pkgconfig:${PKG_CONFIG_PATH}"
+       fi
+
+       # I am not sure about the --with-rootfs-path
+       # /var/lib/lxc is probably more appropriate than
+       # /usr/lib/lxc.
+       # Note by holgersson: Why is apparmor disabled?
+
+       # --enable-doc is for manpages which is why we don't link it to a "doc"
+       # USE flag. We always want man pages.
+       econf \
+               --localstatedir=/var \
+               --bindir=/usr/bin \
+               --sbindir=/usr/bin \
+               --with-config-path=/var/lib/lxc \
+               --with-rootfs-path=/var/lib/lxc/rootfs \
+               --with-distro=gentoo \
+               --with-runtime-path=/run \
+               --disable-apparmor \
+               --disable-werror \
+               --enable-doc \
+               $(use_enable cgmanager) \
+               $(use_enable examples) \
+               $(use_enable lua) \
+               $(use_enable python) \
+               $(use_enable seccomp) \
+               $(use_enable selinux)
+}
+
+python_compile() {
+       distutils-r1_python_compile build_ext -I.. -L../lxc/.libs 
--no-pkg-config
+}
+
+src_compile() {
+       default
+
+       if use python; then
+               pushd "${S}/src/python-${PN}" > /dev/null
+               distutils-r1_src_compile
+               popd > /dev/null
+       fi
+}
+
+src_install() {
+       default
+
+       mv "${ED}"/usr/share/bash-completion/completions/${PN} 
"${ED}"/$(get_bashcompdir)/${PN}-start || die
+       # start-ephemeral is no longer a command but removing it here
+       # generates QA warnings (still in upstream completion script)
+       bashcomp_alias ${PN}-start \
+               
${PN}-{attach,cgroup,copy,console,create,destroy,device,execute,freeze,info,monitor,snapshot,start-ephemeral,stop,unfreeze,wait}
+
+       if use python; then
+               pushd "${S}/src/python-lxc" > /dev/null
+               # Unset DOCS. This has been handled by the default target
+               unset DOCS
+               distutils-r1_src_install
+               popd > /dev/null
+       fi
+
+       keepdir /etc/lxc /var/lib/lxc/rootfs /var/log/lxc
+
+       find "${D}" -name '*.la' -delete
+
+       # Gentoo-specific additions!
+       newinitd "${FILESDIR}/${PN}.initd.7" ${PN}
+
+       # Remember to compare our systemd unit file with the upstream one
+       # config/init/systemd/lxc.service.in
+       systemd_newunit "${FILESDIR}"/${PN}_at.service.4 "[email protected]"
+
+       DOC_CONTENTS="
+       Starting from version ${PN}-1.1.0-r3, the default lxc path has been
+       moved from /etc/lxc to /var/lib/lxc. If you still want to use /etc/lxc
+       please add the following to your /etc/lxc/lxc.conf
+
+         lxc.lxcpath = /etc/lxc
+
+       For openrc, there is an init script provided with the package.
+       You _should_ only need to symlink /etc/init.d/lxc to
+       /etc/init.d/lxc.configname to start the container defined in
+       /etc/lxc/configname.conf.
+
+       Correspondingly, for systemd a service file [email protected] is installed.
+       Enable and start lxc@configname in order to start the container defined
+       in /etc/lxc/configname.conf.
+
+       If you want checkpoint/restore functionality, please install criu
+       (sys-process/criu)."
+       DISABLE_AUTOFORMATTING=true
+       readme.gentoo_create_doc
+}
+
+pkg_postinst() {
+       readme.gentoo_print_elog
+}
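Review bot: `pushd "${S}/src/python-${PN}" > /dev/null` and the matching `popd` in `src_compile` and `src_install`, and `find "${D}" -name '*.la' -delete`, are not followed by `|| die`, so under EAPI=6 a failure there (a moved or missing python subdirectory, an unwritable image tree) is silently ignored and the python bindings or the `.la` cleanup are skipped without the build failing. The usual form is `pushd "${S}/src/python-${PN}" > /dev/null || die` / `popd > /dev/null || die` and `find "${D}" -name '*.la' -delete || die`; the `find` line in lxc-3.0.1-r1.ebuild below has the same gap. The `;` trailing `HOMEPAGE="https://linuxcontainers.org/"` and `SRC_URI=...` in both ebuilds looks like an artifact of the mail rendering rather than the committed text, but is worth confirming against the repository copy.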

diff --git a/app-emulation/lxc/lxc-3.0.1-r1.ebuild 
b/app-emulation/lxc/lxc-3.0.1-r1.ebuild
new file mode 100644
index 00000000000..be0d3a86f25
--- /dev/null
+++ b/app-emulation/lxc/lxc-3.0.1-r1.ebuild
@@ -0,0 +1,163 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit autotools bash-completion-r1 linux-info flag-o-matic systemd 
readme.gentoo-r1 pam
+
+DESCRIPTION="LinuX Containers userspace utilities"
+HOMEPAGE="https://linuxcontainers.org/";
+SRC_URI="https://linuxcontainers.org/downloads/lxc/${P}.tar.gz";
+
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~x86"
+
+LICENSE="LGPL-3"
+SLOT="0"
+IUSE="examples pam python seccomp selinux +templates"
+
+RDEPEND="
+       net-libs/gnutls
+       sys-libs/libcap
+       pam? ( virtual/pam )
+       seccomp? ( sys-libs/libseccomp )
+       selinux? ( sys-libs/libselinux )"
+
+DEPEND="${RDEPEND}
+       >=app-text/docbook-sgml-utils-0.6.14-r2
+       >=sys-kernel/linux-headers-3.2"
+
+RDEPEND="${RDEPEND}
+       sys-apps/util-linux
+       app-misc/pax-utils
+       virtual/awk"
+
+PDEPEND="templates? ( app-emulation/lxc-templates )
+       python? ( dev-python/python3-lxc )"
+
+CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE
+       ~CPUSETS ~CGROUP_CPUACCT
+       ~CGROUP_SCHED
+
+       ~NAMESPACES
+       ~IPC_NS ~USER_NS ~PID_NS
+
+       ~CGROUP_FREEZER
+       ~UTS_NS ~NET_NS
+       ~VETH ~MACVLAN
+
+       ~POSIX_MQUEUE
+       ~!NETPRIO_CGROUP
+
+       ~!GRKERNSEC_CHROOT_MOUNT
+       ~!GRKERNSEC_CHROOT_DOUBLE
+       ~!GRKERNSEC_CHROOT_PIVOT
+       ~!GRKERNSEC_CHROOT_CHMOD
+       ~!GRKERNSEC_CHROOT_CAPS
+       ~!GRKERNSEC_PROC
+       ~!GRKERNSEC_SYSFS_RESTRICT
+"
+
+ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES:  needed for 
pts inside container"
+
+ERROR_CGROUP_FREEZER="CONFIG_CGROUP_FREEZER:  needed to freeze containers"
+
+ERROR_UTS_NS="CONFIG_UTS_NS:  needed to unshare hostnames and uname info"
+ERROR_NET_NS="CONFIG_NET_NS:  needed for unshared network"
+
+ERROR_VETH="CONFIG_VETH:  needed for internal (host-to-container) networking"
+ERROR_MACVLAN="CONFIG_MACVLAN:  needed for internal (inter-container) 
networking"
+
+ERROR_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE:  needed for lxc-execute command"
+
+ERROR_NETPRIO_CGROUP="CONFIG_NETPRIO_CGROUP:  as of kernel 3.3 and lxc 
0.8.0_rc1 this causes LXCs to fail booting."
+
+ERROR_GRKERNSEC_CHROOT_MOUNT="CONFIG_GRKERNSEC_CHROOT_MOUNT:  some GRSEC 
features make LXC unusable see postinst notes"
+ERROR_GRKERNSEC_CHROOT_DOUBLE="CONFIG_GRKERNSEC_CHROOT_DOUBLE:  some GRSEC 
features make LXC unusable see postinst notes"
+ERROR_GRKERNSEC_CHROOT_PIVOT="CONFIG_GRKERNSEC_CHROOT_PIVOT:  some GRSEC 
features make LXC unusable see postinst notes"
+ERROR_GRKERNSEC_CHROOT_CHMOD="CONFIG_GRKERNSEC_CHROOT_CHMOD:  some GRSEC 
features make LXC unusable see postinst notes"
+ERROR_GRKERNSEC_CHROOT_CAPS="CONFIG_GRKERNSEC_CHROOT_CAPS:  some GRSEC 
features make LXC unusable see postinst notes"
+ERROR_GRKERNSEC_PROC="CONFIG_GRKERNSEC_PROC:  this GRSEC feature is 
incompatible with unprivileged containers"
+ERROR_GRKERNSEC_SYSFS_RESTRICT="CONFIG_GRKERNSEC_SYSFS_RESTRICT:  this GRSEC 
feature is incompatible with unprivileged containers"
+
+DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt)
+
+pkg_setup() {
+       kernel_is -lt 4 7 && CONFIG_CHECK="${CONFIG_CHECK} 
~DEVPTS_MULTIPLE_INSTANCES"
+       linux-info_pkg_setup
+}
+
+src_prepare() {
+       eapply "${FILESDIR}"/${PN}-3.0.0-bash-completion.patch
+       #558854
+       eapply "${FILESDIR}"/${PN}-2.0.5-omit-sysconfig.patch
+       eapply "${FILESDIR}"/${PN}-3.0.1-cve-2018-6556.patch
+       eapply_user
+       eautoreconf
+}
+
+src_configure() {
+       append-flags -fno-strict-aliasing
+
+       # I am not sure about the --with-rootfs-path
+       # /var/lib/lxc is probably more appropriate than
+       # /usr/lib/lxc.
+       # Note by holgersson: Why is apparmor disabled?
+
+       # --enable-doc is for manpages which is why we don't link it to a "doc"
+       # USE flag. We always want man pages.
+       econf \
+               --localstatedir=/var \
+               --bindir=/usr/bin \
+               --sbindir=/usr/bin \
+               --with-config-path=/var/lib/lxc \
+               --with-rootfs-path=/var/lib/lxc/rootfs \
+               --with-distro=gentoo \
+               --with-runtime-path=/run \
+               --disable-apparmor \
+               --disable-werror \
+               --enable-doc \
+               $(use_enable examples) \
+               $(use_enable pam) \
+               $(use_with pam pamdir $(getpam_mod_dir)) \
+               $(use_enable seccomp) \
+               $(use_enable selinux)
+}
+
+src_install() {
+       default
+
+       mv "${ED}"/usr/share/bash-completion/completions/${PN} 
"${ED}"/$(get_bashcompdir)/${PN}-start || die
+       bashcomp_alias ${PN}-start \
+               
${PN}-{attach,cgroup,copy,console,create,destroy,device,execute,freeze,info,monitor,snapshot,stop,unfreeze,wait}
+
+       keepdir /etc/lxc /var/lib/lxc/rootfs /var/log/lxc
+       rmdir "${D}"/var/cache/lxc "${D}"/var/cache || die "rmdir failed"
+
+       find "${D}" -name '*.la' -delete
+
+       # Gentoo-specific additions!
+       newinitd "${FILESDIR}/${PN}.initd.7" ${PN}
+
+       # Remember to compare our systemd unit file with the upstream one
+       # config/init/systemd/lxc.service.in
+       systemd_newunit "${FILESDIR}"/${PN}_at.service.4 "[email protected]"
+
+       DOC_CONTENTS="
+       For openrc, there is an init script provided with the package.
+       You _should_ only need to symlink /etc/init.d/lxc to
+       /etc/init.d/lxc.configname to start the container defined in
+       /etc/lxc/configname.conf.
+
+       Correspondingly, for systemd a service file [email protected] is installed.
+       Enable and start lxc@configname in order to start the container defined
+       in /etc/lxc/configname.conf.
+
+       If you want checkpoint/restore functionality, please install criu
+       (sys-process/criu)."
+       DISABLE_AUTOFORMATTING=true
+       readme.gentoo_create_doc
+}
+
+pkg_postinst() {
+       readme.gentoo_print_elog
+}
