Diffstat (limited to 'app-containers/runc')
-rw-r--r-- | app-containers/runc/Manifest | 6 | ||||
-rw-r--r-- | app-containers/runc/files/CVE-2021-43784.patch | 86 | ||||
-rw-r--r-- | app-containers/runc/metadata.xml | 28 | ||||
-rw-r--r-- | app-containers/runc/runc-1.0.2-r1.ebuild | 80 | ||||
-rw-r--r-- | app-containers/runc/runc-1.0.3.ebuild | 78 |
5 files changed, 278 insertions, 0 deletions
diff --git a/app-containers/runc/Manifest b/app-containers/runc/Manifest
new file mode 100644
index 000000000000..6f30e4b4766c
--- /dev/null
+++ b/app-containers/runc/Manifest
@@ -0,0 +1,6 @@
+AUX CVE-2021-43784.patch 3305 BLAKE2B c6e16dd2793d99c2513c3bc047c9ccbd9870c15908078895e9e436b437dac55854105ccb0edf48588294125958fc9285637f839b6804cce9a7269fb5f85f4360 SHA512 584bc4e5e88275fa2c300965882697ca6afb6e0987bc1a888d96febbc47e56b17f346c595fe6e3933a29c143c000d574a64475de8779e4f7ef2d724d7be43589
+DIST runc-1.0.2.tar.gz 2374156 BLAKE2B 526520adb7127e46e7258de75e66a15a5aac216a2a2fcb91f4d9c5da393892242c4d93c5f5483ab111bf29eed7d8f0c8c138ae83a22809d72802a981dcda0395 SHA512 434abd6d7ad2508c2272b627d8aeeb28ecd8461899bff463e7d2c7abbc0f0cbb2e0bafbfe81fc534fad506b1acb4bda3e05639ecd908bc9d0d2e9356f1e56e26
+DIST runc-1.0.3.tar.gz 2375241 BLAKE2B 0fb9368ab5442462001c15a67a71821133ad90d16cac5aac760e52b2477db69c0a5dd59df42601119b19ede508889796c994a24624f88ec6a1a29dad19e0bf33 SHA512 64a1894c2b4ed5a68b185e88548fc9fbbd01d8a9495feed59fb196aa06763d64cfb71ca6cbc09d1defa26a0d94ad58626296585741f23df2e290147ba6c4c26e
+EBUILD runc-1.0.2-r1.ebuild 1841 BLAKE2B 8a4aa33bfe3ae59ee8681af70ef35eb0aaf87b12ce37e6d73dcb01561a911680b692afb5b89a9ed1618f9c2c5dd2388423d4f6e79fe14f4cd54b57a6264d5898 SHA512 8a0a701449cac7fa48dbb02af920a500e2a6f6595a2023ab80dbc5ac6c9effc01d78ea3c3a4b45cd82316e1e285c5b04dfcffd7f8b356e3ef687384dce985176
+EBUILD runc-1.0.3.ebuild 1796 BLAKE2B 7e38d0d0a17654824af699c71f409e439402950be4117ce7ecfd05d8a0309232ac0686c22e47057b7a0f01b799a1a4f03a69b609c176edcd500ea124f8343e90 SHA512 b99b64ac65c3a947c205b215c1dbfe6ae1d38599fe38d63670f5adf7b152fda001720f63512e52e37637bdaf2f52d6606ecdb45abc12575207ff1614237cc1f9
+MISC metadata.xml 822 BLAKE2B 2029743d60c9a6197e3db4ca27c3ee48bc86f624a50d7caa9bfb7f958383a1736d8817f2f977ac0e673229bd61f341a00f266dbce35dcd9633ecc27b182478d5 SHA512 f80b366f7fc8f4ff5bd46245aa80871748800a557440af3aa45bd1a508732cf634b6f21a3445135450eefbac91ab16f7b344c3f557af8ef69fdd8120ca6cf4e5
diff --git a/app-containers/runc/files/CVE-2021-43784.patch b/app-containers/runc/files/CVE-2021-43784.patch
new file mode 100644
index 000000000000..ab3886ee9ba7
--- /dev/null
+++ b/app-containers/runc/files/CVE-2021-43784.patch
@@ -0,0 +1,86 @@
+From b8dbe46687c2a96efa9252b69d3fc1ce33bdc416 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <cyphar@cyphar.com>
+Date: Thu, 18 Nov 2021 16:12:59 +1100
+Subject: [PATCH] runc init: avoid netlink message length overflows
+
+When writing netlink messages, it is possible to have a byte array
+larger than UINT16_MAX which would result in the length field
+overflowing and allowing user-controlled data to be parsed as control
+characters (such as creating custom mount points, changing which set of
+namespaces to allow, and so on).
+
+Co-authored-by: Kir Kolyshkin <kolyshkin@gmail.com>
+Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
+Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
+---
+ libcontainer/container_linux.go | 20 +++++++++++++++++++-
+ libcontainer/message_linux.go | 9 +++++++++
+ 2 files changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
+index 6ce1854f68..1484703b0c 100644
+--- a/libcontainer/container_linux.go
++++ b/libcontainer/container_linux.go
+@@ -2028,16 +2028,34 @@ func encodeIDMapping(idMap []configs.IDMap) ([]byte, error) {
+ return data.Bytes(), nil
+ }
+
++// netlinkError is an error wrapper type for use by custom netlink message
++// types. Panics with errors are wrapped in netlinkError so that the recover
++// in bootstrapData can distinguish intentional panics.
++type netlinkError struct{ error }
++
+ // bootstrapData encodes the necessary data in netlink binary format
+ // as a io.Reader.
+ // Consumer can write the data to a bootstrap program
+ // such as one that uses nsenter package to bootstrap the container's
+ // init process correctly, i.e. with correct namespaces, uid/gid
+ // mapping etc.
+-func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.NamespaceType]string) (io.Reader, error) {
++func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.NamespaceType]string) (_ io.Reader, Err error) {
+ // create the netlink message
+ r := nl.NewNetlinkRequest(int(InitMsg), 0)
+
++ // Our custom messages cannot bubble up an error using returns, instead
++ // they will panic with the specific error type, netlinkError. In that
++ // case, recover from the panic and return that as an error.
++ defer func() {
++ if r := recover(); r != nil {
++ if e, ok := r.(netlinkError); ok {
++ Err = e.error
++ } else {
++ panic(r)
++ }
++ }
++ }()
++
+ // write cloneFlags
+ r.AddData(&Int32msg{
+ Type: CloneFlagsAttr,
+diff --git a/libcontainer/message_linux.go b/libcontainer/message_linux.go
+index 1d4f5033aa..e4107ce39f 100644
+--- a/libcontainer/message_linux.go
++++ b/libcontainer/message_linux.go
+@@ -3,6 +3,9 @@
+ package libcontainer
+
+ import (
++ "fmt"
++ "math"
++
+ "github.com/vishvananda/netlink/nl"
+ "golang.org/x/sys/unix"
+ )
+@@ -54,6 +57,12 @@ type Bytemsg struct {
+
+ func (msg *Bytemsg) Serialize() []byte {
+ l := msg.Len()
++ if l > math.MaxUint16 {
++ // We cannot return nil nor an error here, so we panic with
++ // a specific type instead, which is handled via recover in
++ // bootstrapData.
++ panic(netlinkError{fmt.Errorf("netlink: cannot serialize bytemsg of length %d (larger than UINT16_MAX)", l)})
++ }
+ buf := make([]byte, (l+unix.NLA_ALIGNTO-1) & ^(unix.NLA_ALIGNTO-1))
+ native := nl.NativeEndian()
+ native.PutUint16(buf[0:2], uint16(l))
diff --git a/app-containers/runc/metadata.xml b/app-containers/runc/metadata.xml
new file mode 100644
index 000000000000..d27ad6413b06
--- /dev/null
+++ b/app-containers/runc/metadata.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <longdescription lang="en">
+ runc is a CLI tool for spawning and running containers according
+ to the OCF (Open Container Format) specification.
+ </longdescription>
+ <maintainer type="person">
+ <email>williamh@gentoo.org</email>
+ <name>William Hubbs</name>
+ </maintainer>
+ <maintainer type="person">
+ <email>gyakovlev@gentoo.org</email>
+ <name>Georgy Yakovlev</name>
+ </maintainer>
+ <use>
+ <flag name="apparmor">
+ Enable AppArmor support.
+ </flag>
+ <flag name="kmem">
+ Enable Kernel Memory Accounting.
+ </flag>
+ </use>
+ <upstream>
+ <remote-id type="github">opencontainers/runc</remote-id>
+ <remote-id type="cpe">cpe:/a:linuxfoundation:runc</remote-id>
+ </upstream>
+</pkgmetadata>
diff --git a/app-containers/runc/runc-1.0.2-r1.ebuild b/app-containers/runc/runc-1.0.2-r1.ebuild
new file mode 100644
index 000000000000..d31a90d65a0d
--- /dev/null
+++ b/app-containers/runc/runc-1.0.2-r1.ebuild
@@ -0,0 +1,80 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit go-module linux-info
+
+# update on bump, look for https://github.com/docker\
+# docker-ce/blob/<docker ver OR branch>/components/engine/hack/dockerfile/install/runc.installer
+RUNC_COMMIT=52b36a2dd837e8462de8e01458bf02cf9eea47dd
+CONFIG_CHECK="~USER_NS"
+
+DESCRIPTION="runc container cli tools"
+HOMEPAGE="http://github.com/opencontainers/runc/"
+MY_PV="${PV/_/-}"
+SRC_URI="https://github.com/opencontainers/${PN}/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0 BSD-2 BSD MIT"
+SLOT="0"
+KEYWORDS="amd64 ~arm arm64 ppc64 ~riscv ~x86"
+IUSE="apparmor hardened +kmem +seccomp test"
+
+DEPEND="seccomp? ( sys-libs/libseccomp )"
+
+RDEPEND="
+ ${DEPEND}
+ !app-emulation/docker-runc
+ apparmor? ( sys-libs/libapparmor )
+"
+
+BDEPEND="
+ dev-go/go-md2man
+ test? ( "${RDEPEND}" )
+"
+
+PATCHES=( "${FILESDIR}/CVE-2021-43784.patch" )
+
+# tests need busybox binary, and portage namespace
+# sandboxing disabled: mount-sandbox pid-sandbox ipc-sandbox
+# majority of tests pass
+RESTRICT+=" test"
+
+S="${WORKDIR}/${PN}-${MY_PV}"
+
+src_compile() {
+ # Taken from app-containers/docker-1.7.0-r1
+ export CGO_CFLAGS="-I${ESYSROOT}/usr/include"
+ export CGO_LDFLAGS="$(usex hardened '-fno-PIC ' '')
+ -L${ESYSROOT}/usr/$(get_libdir)"
+
+ # build up optional flags
+ local options=(
+ $(usev apparmor)
+ $(usev seccomp)
+ $(usex kmem '' 'nokmem')
+ )
+
+ myemakeargs=(
+ BUILDTAGS="${options[*]}"
+ COMMIT="${RUNC_COMMIT}"
+ )
+
+ emake "${myemakeargs[@]}" runc man
+}
+
+src_install() {
+ myemakeargs+=(
+ PREFIX="${ED}/usr"
+ BINDIR="${ED}/usr/bin"
+ MANDIR="${ED}/usr/share/man"
+ )
+ emake "${myemakeargs[@]}" install install-man install-bash
+
+ local DOCS=( README.md PRINCIPLES.md docs/. )
+ einstalldocs
+}
+
+src_test() {
+ emake "${myemakeargs[@]}" localunittest
+}
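Review bot: `PATCHES=( "${FILESDIR}/CVE-2021-43784.patch" )` carries no comment saying what the backport fixes or when it can be dropped, so the next bump has to open the patch to learn that it is the runc init netlink message-length overflow fix; the 1.0.3 ebuild in this same commit omits the line, which suggests the 1.0.3 tarball already contains it. Add above it `# Backport of the upstream fix for CVE-2021-43784 (netlink message length overflow); not needed for >=1.0.3, drop on bump`. Separately, `test? ( "${RDEPEND}" )` in BDEPEND nests double quotes inside an already quoted string in both this ebuild and runc-1.0.3.ebuild; bash closes and reopens the string there, so the resulting value is unchanged, but it reads as if literal quotes were intended and `test? ( ${RDEPEND} )` is the usual form.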
diff --git a/app-containers/runc/runc-1.0.3.ebuild b/app-containers/runc/runc-1.0.3.ebuild
new file mode 100644
index 000000000000..b4281cd2aad2
--- /dev/null
+++ b/app-containers/runc/runc-1.0.3.ebuild
@@ -0,0 +1,78 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit go-module linux-info
+
+# update on bump, look for https://github.com/docker\
+# docker-ce/blob/<docker ver OR branch>/components/engine/hack/dockerfile/install/runc.installer
+RUNC_COMMIT=f46b6ba2c9314cfc8caae24a32ec5fe9ef1059fe
+CONFIG_CHECK="~USER_NS"
+
+DESCRIPTION="runc container cli tools"
+HOMEPAGE="http://github.com/opencontainers/runc/"
+MY_PV="${PV/_/-}"
+SRC_URI="https://github.com/opencontainers/${PN}/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0 BSD-2 BSD MIT"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
+IUSE="apparmor hardened +kmem +seccomp test"
+
+DEPEND="seccomp? ( sys-libs/libseccomp )"
+
+RDEPEND="
+ ${DEPEND}
+ !app-emulation/docker-runc
+ apparmor? ( sys-libs/libapparmor )
+"
+
+BDEPEND="
+ dev-go/go-md2man
+ test? ( "${RDEPEND}" )
+"
+
+# tests need busybox binary, and portage namespace
+# sandboxing disabled: mount-sandbox pid-sandbox ipc-sandbox
+# majority of tests pass
+RESTRICT+=" test"
+
+S="${WORKDIR}/${PN}-${MY_PV}"
+
+src_compile() {
+ # Taken from app-containers/docker-1.7.0-r1
+ export CGO_CFLAGS="-I${ESYSROOT}/usr/include"
+ export CGO_LDFLAGS="$(usex hardened '-fno-PIC ' '')
+ -L${ESYSROOT}/usr/$(get_libdir)"
+
+ # build up optional flags
+ local options=(
+ $(usev apparmor)
+ $(usev seccomp)
+ $(usex kmem '' 'nokmem')
+ )
+
+ myemakeargs=(
+ BUILDTAGS="${options[*]}"
+ COMMIT="${RUNC_COMMIT}"
+ )
+
+ emake "${myemakeargs[@]}" runc man
+}
+
+src_install() {
+ myemakeargs+=(
+ PREFIX="${ED}/usr"
+ BINDIR="${ED}/usr/bin"
+ MANDIR="${ED}/usr/share/man"
+ )
+ emake "${myemakeargs[@]}" install install-man install-bash
+
+ local DOCS=( README.md PRINCIPLES.md docs/. )
+ einstalldocs
+}
+
+src_test() {
+ emake "${myemakeargs[@]}" localunittest
+} |