authorV3n3RiX <venerix@redcorelinux.org>2021-05-11 19:55:43 +0100
committerV3n3RiX <venerix@redcorelinux.org>2021-05-11 19:55:43 +0100
commit185fa19bbf68a4d4dca534d2b46729207a177f16 (patch)
treea8a537b82fda83a0799c2ca9887f212558363aa7 /app-emulation/lxc
parentc8fd0d84af0bfd1949542adc2cbb735b1d28f9ed (diff)
gentoo resync : 11.05.2021
Diffstat (limited to 'app-emulation/lxc')
-rw-r--r--app-emulation/lxc/Manifest3
-rw-r--r--app-emulation/lxc/files/lxc-4.0.9-handle-kernels-with-CAP_SETFCAP.patch93
-rw-r--r--app-emulation/lxc/lxc-4.0.9-r1.ebuild (renamed from app-emulation/lxc/lxc-4.0.9.ebuild)1
3 files changed, 96 insertions, 1 deletions
diff --git a/app-emulation/lxc/Manifest b/app-emulation/lxc/Manifest
index 9e6e6e86fc6c..c9f2d5195797 100644
--- a/app-emulation/lxc/Manifest
+++ b/app-emulation/lxc/Manifest
@@ -1,5 +1,6 @@
AUX lxc-2.0.5-omit-sysconfig.patch 259 BLAKE2B 977e151fbb8c9d98e89aaa5ee0426e64ab4286b4440af1582086a0ced8c6568efb470ccf68786da6ea52c82d1f4e81feac45bec411febc04fc31d108f05ccde2 SHA512 0aed9aca687accc6df79e97f48ab333043256e8ae68c8643f2b2452cc8013191238867d64ec71f7d399c59a43d3ba698b35d965090c5cb149b4f41302432e6e7
AUX lxc-3.0.0-bash-completion.patch 915 BLAKE2B 8bb879e391cec349d211b47d321c64ea091c8475ac9a8c4adfb45918c044f6c49d9b9bce546082907d696f697baf0870893c4427abeafa496db89f99190cd091 SHA512 2f3728fcf5e88eecc1ae05bf038ef83baa375194c5bef0d0ef68feaf4d8092cdd8efef6b3c27207c4abd28b085f087af517242c65747b47d0a8fa840f6b9d279
+AUX lxc-4.0.9-handle-kernels-with-CAP_SETFCAP.patch 3529 BLAKE2B 6a9ac29e1c38643383df135981a3893e8bea631af85271499f687614a3c779d5a2adfee7d20ca3eca5358ac8b123ee1c969af9d41b1d5bc85749a91937f1845d SHA512 62640563ec638b9a2c9e66c533a604585d8289b7f71362b70fb1110ec2e840b68758cc217b1953d181cd34e1b8881bb24ff7fca6d2c3145ac2b973d157d1a979
AUX lxc.initd.8 3669 BLAKE2B 50d41e0923ba26b9653ca3b5b559dd0905e61ec81969e709650fe7f1b26a4dcdc17158b7e449d666e2103047d9f196e53df8beca15fffd529fa8e743de97bd82 SHA512 1182b53a65399746f6d6bced0df5c1fde09c1ede4a28bfe95b5ed0bbd969d6f6423f63021d4b6f1dc62c7b2703f6963c03d881291650bdf21cfcf8432586c1b4
AUX lxc_at.service.4.0.0 284 BLAKE2B 1adc76b9861f2499b7b703f7076782a258f9b21a3d1e32b69334f753faca9ecd8c6fb2a03baf04698e765f079e73ee683434d8c7c6d3b3082427a6af74ab33b1 SHA512 4c2f9846ca60bb78df7e652309900c0e788b45d569f268a9e5b98842518542b35fce253e2aedeb0eded3d37274390988ef887b01d1d37859ccddf6225286b4bb
DIST lxc-4.0.6.tar.gz 1363162 BLAKE2B e2d9d281cf521575aeecefbcba0c7b7f336ab73193be94e760b37eb6f3423ec3520f194549def6f64c1662f22b7df5a03dfc6b4e6dac1bf229c5f726f51b4d43 SHA512 98514796ef2091a291516ed7fde737df07ccfe374a0f8b4314e0ee992837e98ed02aa9f7809f8808a2f5ee1c7ae2dcea163531cdaedbb577211eeb9beff90c15
@@ -7,5 +8,5 @@ DIST lxc-4.0.6.tar.gz.asc 833 BLAKE2B 04b6bda0ed52a6ab8eebde4d3d5f1f6cb19eea017a
DIST lxc-4.0.9.tar.gz 1500310 BLAKE2B 3796d36b6f76ec595dc28207e66ec9f5a7c1a39f5c5ebc851638c519be35f59b4ec06a71b2866cd8fef0a6140f61fd4b70c900f5a8ffd42d7da7a30d3ff59975 SHA512 4ef9d9efdd4118fdffde8b49c6ae71cf5eb060be51daaa4f4ceb804c743fbf3278e6518e6a694faefc720f2834f98ac48d67842d589a2120b8f7ec4c3b61fa84
DIST lxc-4.0.9.tar.gz.asc 833 BLAKE2B 2d275c968831410d987aa7f8062f4e35ba15043f92f38fd3bdd6bf80964906741d05ccd93789132d421ee1c8778cec6a2e76c4f0eb2165cf0107261495fa6856 SHA512 4c90dfbdba90959ee8df5da8ca8b240f65ab03ab91637833c677e2a73592c09f9c5a55b9a261be6efb0888156c916223ff1aa9003b18d46e667908aaa550c944
EBUILD lxc-4.0.6.ebuild 4641 BLAKE2B 7344c4c288841bf83d9e55cf80487927fe5faa329d9eddbf6ca9009fe16aaf26957d7e5fb5dd61735b20bc1b93a81cfc3a06b52d53ecff51c869a280add09ca0 SHA512 9882e81775f6c5b3fa0075ce3c0b143419b4b11e838f16160d2466e19c82c5bd20fee58a25a64d72f613e08719339cdf47a15ff5e801d260e5cbd664f841ffd8
-EBUILD lxc-4.0.9.ebuild 4671 BLAKE2B 445b62d24e7b11fe9aff915ff52edc5fce05076e4c725b69ff8c2de2f694669ddbb70fbe58980bb9935d619015569482eafd1ed7a7c8f60a5f3f43abb0ec7b30 SHA512 7f2b725301619dc29b8376976dfa34e8d8ac1a728be2080717991b054e4e8f9b824db067f44d4dbe94400f5f12ba8c3a5ad2b1c7abd55330678575057327ddc6
+EBUILD lxc-4.0.9-r1.ebuild 4747 BLAKE2B c2dc493c2b7130884f76af358e12d8a84faeecdcd15c86fec6cbe7a1d5326406d2a6117588d85eebf0e0d8a1f24c51d0f691086e1a3405f5a2adf2702aa5b804 SHA512 6a3a7764a35493d99bc1d8ae9e00f27f3c4e316b39cec79256cb7d8e4ceb36c4eb5097c3744c27aba2feaef4529d38aac63e238117df675d354ff6aebd563f2b
MISC metadata.xml 620 BLAKE2B 459aa85a0e432faff7d0a2a1e61d536bde2e07e057ce8da642e07582219605643740f1241f83d19335a96de568841234bc2505273570bafbd187bb51da64a674 SHA512 303ca453f18cdbeef118e6a452b1a0e56d2466cba47fec8d021c1b8e4a9998ba743a729fdadc71e27e98f1fe12f43d17d76820986aeb93f286e74565c1a852f6
diff --git a/app-emulation/lxc/files/lxc-4.0.9-handle-kernels-with-CAP_SETFCAP.patch b/app-emulation/lxc/files/lxc-4.0.9-handle-kernels-with-CAP_SETFCAP.patch
new file mode 100644
index 000000000000..6fba3c4154a4
--- /dev/null
+++ b/app-emulation/lxc/files/lxc-4.0.9-handle-kernels-with-CAP_SETFCAP.patch
@@ -0,0 +1,93 @@
+From 91ad9b94bcd964adfbaa8d84d8f39304d39835d0 Mon Sep 17 00:00:00 2001
+From: Christian Brauner <christian.brauner@ubuntu.com>
+Date: Thu, 6 May 2021 18:16:45 +0200
+Subject: [PATCH] conf: handle kernels with CAP_SETFCAP
+
+LXC is being very clever and sometimes maps the caller's uid into the
+child userns. This means that the caller can technically write fscaps
+that are valid in the ancestor userns (which can be a security issue in
+some scenarios) so newer kernels require CAP_SETFCAP to do this. Until
+newuidmap/newgidmap are updated to account for this simply write the
+mapping directly in this case.
+
+Cc: stable-4.0
+Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
+---
+ src/lxc/conf.c | 25 ++++++++++++++++++++-----
+ 1 file changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/src/lxc/conf.c b/src/lxc/conf.c
+index 72e21b5300..f388946970 100644
+--- a/src/lxc/conf.c
++++ b/src/lxc/conf.c
+@@ -2978,6 +2978,9 @@ static int lxc_map_ids_exec_wrapper(void *args)
+ return -1;
+ }
+
++static struct id_map *find_mapped_hostid_entry(const struct lxc_list *idmap,
++ unsigned id, enum idtype idtype);
++
+ int lxc_map_ids(struct lxc_list *idmap, pid_t pid)
+ {
+ int fill, left;
+@@ -2991,12 +2994,22 @@ int lxc_map_ids(struct lxc_list *idmap, pid_t pid)
+ char mapbuf[STRLITERALLEN("new@idmap") + STRLITERALLEN(" ") +
+ INTTYPE_TO_STRLEN(pid_t) + STRLITERALLEN(" ") +
+ LXC_IDMAPLEN] = {0};
+- bool had_entry = false, use_shadow = false;
++ bool had_entry = false, maps_host_root = false, use_shadow = false;
+ int hostuid, hostgid;
+
+ hostuid = geteuid();
+ hostgid = getegid();
+
++ /*
++ * Check whether caller wants to map host root.
++ * Due to a security fix newer kernels require CAP_SETFCAP when mapping
++ * host root into the child userns as you would be able to write fscaps
++ * that would be valid in the ancestor userns. Mapping host root should
++ * rarely be the case but LXC is being clever in a bunch of cases.
++ */
++ if (find_mapped_hostid_entry(idmap, 0, ID_TYPE_UID))
++ maps_host_root = true;
++
+ /* If new{g,u}idmap exists, that is, if shadow is handing out subuid
+ * ranges, then insist that root also reserve ranges in subuid. This
+ * will protected it by preventing another user from being handed the
+@@ -3014,7 +3027,9 @@ int lxc_map_ids(struct lxc_list *idmap, pid_t pid)
+ else if (!gidmap)
+ WARN("newgidmap is lacking necessary privileges");
+
+- if (uidmap > 0 && gidmap > 0) {
++ if (maps_host_root) {
++ INFO("Caller maps host root. Writing mapping directly");
++ } else if (uidmap > 0 && gidmap > 0) {
+ DEBUG("Functional newuidmap and newgidmap binary found");
+ use_shadow = true;
+ } else {
+@@ -4229,14 +4244,14 @@ static struct id_map *mapped_nsid_add(const struct lxc_conf *conf, unsigned id,
+ return retmap;
+ }
+
+-static struct id_map *find_mapped_hostid_entry(const struct lxc_conf *conf,
++static struct id_map *find_mapped_hostid_entry(const struct lxc_list *idmap,
+ unsigned id, enum idtype idtype)
+ {
+ struct id_map *map;
+ struct lxc_list *it;
+ struct id_map *retmap = NULL;
+
+- lxc_list_for_each (it, &conf->id_map) {
++ lxc_list_for_each (it, idmap) {
+ map = it->elem;
+ if (map->idtype != idtype)
+ continue;
+@@ -4265,7 +4280,7 @@ static struct id_map *mapped_hostid_add(const struct lxc_conf *conf, uid_t id,
+ return NULL;
+
+ /* Reuse existing mapping. */
+- tmp = find_mapped_hostid_entry(conf, id, type);
++ tmp = find_mapped_hostid_entry(&conf->id_map, id, type);
+ if (tmp) {
+ memcpy(entry, tmp, sizeof(*entry));
+ } else {
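Review bot: The new branch `if (maps_host_root) { INFO("Caller maps host root. Writing mapping directly"); }` leaves `use_shadow` false for the gid map as well, even though the trigger `find_mapped_hostid_entry(idmap, 0, ID_TYPE_UID)` only looks at host uid 0 and the comment above it explains the kernel's CAP_SETFCAP rule for the uid map only; assuming the rest of lxc_map_ids keys both writes on `use_shadow`, the gid map is silently taken off the newgidmap/subgid path too. A one-line comment on the branch would make that intent reviewable, e.g. `/* Host root mapped: write uid_map and gid_map ourselves; newgidmap is bypassed too. */`. The newuidmap/newgidmap privilege probes and `WARN("newgidmap is lacking necessary privileges");` still run before this branch, so they can log for a path that is then not taken; guarding the probes with `!maps_host_root` would avoid the misleading warning. lxc_map_ids starts and ends outside this hunk, and since this is a vendored upstream patch the change belongs upstream rather than in the files/ copy.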
diff --git a/app-emulation/lxc/lxc-4.0.9.ebuild b/app-emulation/lxc/lxc-4.0.9-r1.ebuild
index 89a0b2e2b2df..8fbfeda5aca7 100644
--- a/app-emulation/lxc/lxc-4.0.9.ebuild
+++ b/app-emulation/lxc/lxc-4.0.9-r1.ebuild
@@ -72,6 +72,7 @@ pkg_setup() {
}
PATCHES=(
+ "${FILESDIR}"/lxc-4.0.9-handle-kernels-with-CAP_SETFCAP.patch # bug 789012
"${FILESDIR}"/${PN}-3.0.0-bash-completion.patch
"${FILESDIR}"/${PN}-2.0.5-omit-sysconfig.patch # bug 558854
)