app-emulation/runc: delete runc 1.0.0_rc2

Now that docker 1.12 is gone, we can delete `app-emulation/runc` 1.0.0_rc2, which had dependency on docker 1.12. Note, we do not delete `app-emulation/docker-runc` 1.0.0_rc2, because that one is needed by Docker 17.03.
2025-08-18 10:27:00 +02:00 · 2021-02-03 11:02:26 +01:00 · 2021-02-03 11:02:26 +01:00 · 3305ae7947
commit 3305ae7947
parent 58195cfc50
6 changed files with 0 additions and 506 deletions
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/Manifest
@ -1 +0,0 @@
 DIST runc-1.0.0_rc2_p9.tar.gz 550963 SHA256 374822cc2895ed3899b7a3a03b566413ea782fccec1307231f27894e9c6d5bea SHA512 0176fc0fd69b298b5cb304388544a45b3805154f635c4a7492daac6e33774b16ad76af2b3008205de169306812834f4299106c89a17b1667168f3ad2ddc2e975 WHIRLPOOL 5015352fe7dc9ddedf93d555cf2750b3e9d72adfda534b1e30a69ac8b6b05e73bfbbe0ba72f543be4e3133f1604a5b42acc3363d30187a75861ca42755dfff81
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/files/0001-Makefile-do-not-install-dependencies-of-target.patch
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/files/0001-Makefile-do-not-install-dependencies-of-target.patch
@ -1,27 +0,0 @@
 From 7a09c7817af44c87772c728655b71c6cfc9d1bc9 Mon Sep 17 00:00:00 2001
 From: Nick Owens <mischief@offblast.org>
 Date: Wed, 24 Aug 2016 19:34:42 -0700
 Subject: [PATCH] Makefile: do not install dependencies of target
 in order to install one must have permission to write to GOROOT which is
 not the case in the CoreOS sdk.
 ---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/Makefile b/Makefile
 index 0852c71..283aceb 100644
 --- a/Makefile
 +++ b/Makefile
@@ -23,7 +23,7 @@ MAN_INSTALL_PATH := ${PREFIX}/share/man/man8/
 VERSION := ${shell cat ./VERSION}
 all: $(RUNC_LINK)
 -	go build -i -ldflags "-X main.gitCommit=${COMMIT} -X main.version=${VERSION}" -tags "$(BUILDTAGS)" -o runc .
 +	go build -ldflags "-X main.gitCommit=${COMMIT} -X main.version=${VERSION}" -tags "$(BUILDTAGS)" -o runc .
 static: $(RUNC_LINK)
 	CGO_ENABLED=1 go build -i -tags "$(BUILDTAGS) cgo static_build" -ldflags "-w -extldflags -static -X main.gitCommit=${COMMIT} -X main.version=${VERSION}" -o runc .
 -- 
 2.9.3
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/files/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b_1.12.patch
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/files/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b_1.12.patch
@ -1,290 +0,0 @@
 From 122c65bee886dda4d7bcb0512816b65fc878dacb Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 9 Jan 2019 13:40:01 +1100
 Subject: [PATCH 1/1] nsenter: clone /proc/self/exe to avoid exposing host
 binary to container
 There are quite a few circumstances where /proc/self/exe pointing to a
 pretty important container binary is a _bad_ thing, so to avoid this we
 have to make a copy (preferably doing self-clean-up and not being
 writeable).
 As a hotfix we require memfd_create(2), but we can always extend this to
 use a scratch MNT_DETACH overlayfs or tmpfs. The main downside to this
 approach is no page-cache sharing for the runc binary (which overlayfs
 would give us) but this is far less complicated.
 This is only done during nsenter so that it happens transparently to the
 Go code, and any libcontainer users benefit from it. This also makes
 ExtraFiles and --preserve-fds handling trivial (because we don't need to
 worry about it).
 Fixes: CVE-2019-5736
 Co-developed-by: Christian Brauner <christian.brauner@ubuntu.com>
 Signed-off-by: Aleksa Sarai <asarai@suse.de>
 Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
 ---
 libcontainer/nsenter/cloned_binary.c | 221 +++++++++++++++++++++++++++
 libcontainer/nsenter/nsexec.c        |  11 ++
 2 files changed, 232 insertions(+)
 create mode 100644 libcontainer/nsenter/cloned_binary.c
 diff --git a/libcontainer/nsenter/cloned_binary.c b/libcontainer/nsenter/cloned_binary.c
 new file mode 100644
 index 00000000..d9f6093a
 --- /dev/null
 +++ b/libcontainer/nsenter/cloned_binary.c
@@ -0,0 +1,221 @@
 +#define _GNU_SOURCE
 +#include <unistd.h>
 +#include <stdio.h>
 +#include <stdlib.h>
 +#include <stdbool.h>
 +#include <string.h>
 +#include <limits.h>
 +#include <fcntl.h>
 +#include <errno.h>
 +
 +#include <sys/types.h>
 +#include <sys/stat.h>
 +#include <sys/vfs.h>
 +#include <sys/mman.h>
 +#include <sys/sendfile.h>
 +#include <sys/syscall.h>
 +
 +#include <linux/magic.h>
 +#include <linux/memfd.h>
 +
 +/* Use our own wrapper for memfd_create. */
 +#if !defined(SYS_memfd_create) && defined(__NR_memfd_create)
 +#  define SYS_memfd_create __NR_memfd_create
 +#endif
 +#ifndef SYS_memfd_create
 +#  error "memfd_create(2) syscall not supported by this glibc version"
 +#endif
 +int memfd_create(const char *name, unsigned int flags)
 +{
 +	return syscall(SYS_memfd_create, name, flags);
 +}
 +
 +/* This comes directly from <linux/fcntl.h>. */
 +#ifndef F_LINUX_SPECIFIC_BASE
 +#  define F_LINUX_SPECIFIC_BASE 1024
 +#endif
 +#ifndef F_ADD_SEALS
 +#  define F_ADD_SEALS (F_LINUX_SPECIFIC_BASE + 9)
 +#  define F_GET_SEALS (F_LINUX_SPECIFIC_BASE + 10)
 +#endif
 +#ifndef F_SEAL_SEAL
 +#  define F_SEAL_SEAL   0x0001	/* prevent further seals from being set */
 +#  define F_SEAL_SHRINK 0x0002	/* prevent file from shrinking */
 +#  define F_SEAL_GROW   0x0004	/* prevent file from growing */
 +#  define F_SEAL_WRITE  0x0008	/* prevent writes */
 +#endif
 +
 +
 +#define OUR_MEMFD_COMMENT "runc_cloned:/proc/self/exe"
 +#define OUR_MEMFD_SEALS \
 +	(F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)
 +
 +static void *must_realloc(void *ptr, size_t size)
 +{
 +	void *old = ptr;
 +	do {
 +		ptr = realloc(old, size);
 +	} while(!ptr);
 +	return ptr;
 +}
 +
 +/*
 + * Verify whether we are currently in a self-cloned program (namely, is
 + * /proc/self/exe a memfd). F_GET_SEALS will only succeed for memfds (or rather
 + * for shmem files), and we want to be sure it's actually sealed.
 + */
 +static int is_self_cloned(void)
 +{
 +	int fd, seals;
 +
 +	fd = open("/proc/self/exe", O_RDONLY|O_CLOEXEC);
 +	if (fd < 0)
 +		return -ENOTRECOVERABLE;
 +
 +	seals = fcntl(fd, F_GET_SEALS);
 +	close(fd);
 +	return seals == OUR_MEMFD_SEALS;
 +}
 +
 +/*
 + * Basic wrapper around mmap(2) that gives you the file length so you can
 + * safely treat it as an ordinary buffer. Only gives you read access.
 + */
 +static char *read_file(char *path, size_t *length)
 +{
 +	int fd;
 +	char buf[4096], *copy = NULL;
 +
 +	if (!length)
 +		return NULL;
 +
 +	fd = open(path, O_RDONLY | O_CLOEXEC);
 +	if (fd < 0)
 +		return NULL;
 +
 +	*length = 0;
 +	for (;;) {
 +		int n;
 +
 +		n = read(fd, buf, sizeof(buf));
 +		if (n < 0)
 +			goto error;
 +		if (!n)
 +			break;
 +
 +		copy = must_realloc(copy, (*length + n) * sizeof(*copy));
 +		memcpy(copy + *length, buf, n);
 +		*length += n;
 +	}
 +	close(fd);
 +	return copy;
 +
 +error:
 +	close(fd);
 +	free(copy);
 +	return NULL;
 +}
 +
 +/*
 + * A poor-man's version of "xargs -0". Basically parses a given block of
 + * NUL-delimited data, within the given length and adds a pointer to each entry
 + * to the array of pointers.
 + */
 +static int parse_xargs(char *data, int data_length, char ***output)
 +{
 +	int num = 0;
 +	char *cur = data;
 +
 +	if (!data || *output != NULL)
 +		return -1;
 +
 +	while (cur < data + data_length) {
 +		num++;
 +		*output = must_realloc(*output, (num + 1) * sizeof(**output));
 +		(*output)[num - 1] = cur;
 +		cur += strlen(cur) + 1;
 +	}
 +	(*output)[num] = NULL;
 +	return num;
 +}
 +
 +/*
 + * "Parse" out argv and envp from /proc/self/cmdline and /proc/self/environ.
 + * This is necessary because we are running in a context where we don't have a
 + * main() that we can just get the arguments from.
 + */
 +static int fetchve(char ***argv, char ***envp)
 +{
 +	char *cmdline = NULL, *environ = NULL;
 +	size_t cmdline_size, environ_size;
 +
 +	cmdline = read_file("/proc/self/cmdline", &cmdline_size);
 +	if (!cmdline)
 +		goto error;
 +	environ = read_file("/proc/self/environ", &environ_size);
 +	if (!environ)
 +		goto error;
 +
 +	if (parse_xargs(cmdline, cmdline_size, argv) <= 0)
 +		goto error;
 +	if (parse_xargs(environ, environ_size, envp) <= 0)
 +		goto error;
 +
 +	return 0;
 +
 +error:
 +	free(environ);
 +	free(cmdline);
 +	return -EINVAL;
 +}
 +
 +#define SENDFILE_MAX 0x7FFFF000 /* sendfile(2) is limited to 2GB. */
 +static int clone_binary(void)
 +{
 +	int binfd, memfd, err;
 +	ssize_t sent = 0;
 +
 +	memfd = memfd_create(OUR_MEMFD_COMMENT, MFD_CLOEXEC | MFD_ALLOW_SEALING);
 +	if (memfd < 0)
 +		return -ENOTRECOVERABLE;
 +
 +	binfd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
 +	if (binfd < 0)
 +		goto error;
 +
 +	sent = sendfile(memfd, binfd, NULL, SENDFILE_MAX);
 +	close(binfd);
 +	if (sent < 0)
 +		goto error;
 +
 +	err = fcntl(memfd, F_ADD_SEALS, OUR_MEMFD_SEALS);
 +	if (err < 0)
 +		goto error;
 +
 +	return memfd;
 +
 +error:
 +	close(memfd);
 +	return -EIO;
 +}
 +
 +int ensure_cloned_binary(void)
 +{
 +	int execfd;
 +	char **argv = NULL, **envp = NULL;
 +
 +	/* Check that we're not self-cloned, and if we are then bail. */
 +	int cloned = is_self_cloned();
 +	if (cloned > 0 || cloned == -ENOTRECOVERABLE)
 +		return cloned;
 +
 +	if (fetchve(&argv, &envp) < 0)
 +		return -EINVAL;
 +
 +	execfd = clone_binary();
 +	if (execfd < 0)
 +		return -EIO;
 +
 +	fexecve(execfd, argv, envp);
 +	return -ENOEXEC;
 +}
 diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
 index 30d5d594..0019dd9a 100644
 --- a/libcontainer/nsenter/nsexec.c
 +++ b/libcontainer/nsenter/nsexec.c
@@ -399,6 +399,9 @@ void nl_free(struct nlconfig_t *config)
 	free(config->data);
 }
 +/* Defined in cloned_binary.c. */
 +int ensure_cloned_binary(void);
 +
 void nsexec(void)
 {
 	int pipenum;
@@ -414,6 +417,14 @@ void nsexec(void)
 	if (pipenum == -1)
 		return;
 +	/*
 +	 * We need to re-exec if we are not in a cloned binary. This is necessary
 +	 * to ensure that containers won't be able to access the host binary
 +	 * through /proc/self/exe. See CVE-2019-5736.
 +	 */
 +	if (ensure_cloned_binary() < 0)
 +		bail("could not ensure we are a cloned binary");
 +
 	/* make the process non-dumpable */
 	if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) {
 		bail("failed to set process as non-dumpable");
 -- 
 2.20.1
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/files/0002-1.0.0_rc2_p9-Fix-setting-selinux-label-for-mqueue-under-userns.patch
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/files/0002-1.0.0_rc2_p9-Fix-setting-selinux-label-for-mqueue-under-userns.patch
@ -1,94 +0,0 @@
 From 3ce50afe04f102cf28dbb6425773011707bf3ae0 Mon Sep 17 00:00:00 2001
 From: Mrunal Patel <mrunalp@gmail.com>
 Date: Wed, 12 Oct 2016 16:46:59 -0700
 Subject: [PATCH] Fix setting SELinux label for mqueue when user namespaces are
 enabled
 If one tries to user SELinux with user namespaces, then labeling of /dev/mqueue
 fails because the IPC namespace belongs to the root in init_user_ns. This
 commit fixes that by unsharing IPC namespace after we clone into a new USER
 namespace so the IPC namespace is owned by the root inside the new USER
 namespace as opposed to init_user_ns.
 Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
 ---
 libcontainer/nsenter/nsexec.c | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)
 diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
 index b93f827..1e8d4da 100644
 --- a/libcontainer/nsenter/nsexec.c
 +++ b/libcontainer/nsenter/nsexec.c
@@ -94,14 +94,20 @@ static int child_func(void *arg)
 	longjmp(*ca->env, JUMP_VAL);
 }
 -static int clone_parent(jmp_buf *env, int flags) __attribute__ ((noinline));
 -static int clone_parent(jmp_buf *env, int flags)
 +static int clone_parent(jmp_buf *env, int flags, bool delay_ipc_unshare) __attribute__ ((noinline));
 +static int clone_parent(jmp_buf *env, int flags, bool delay_ipc_unshare)
 {
 	int child;
 	struct clone_arg ca = {
 		.env = env,
 	};
 +	// Don't clone into NEWIPC at the same time as cloning into NEWUSER.
 +	// This way we can ensure that NEWIPC namespace belongs to the root in new user namespace.
 +	if (delay_ipc_unshare) {
 +		flags &= ~CLONE_NEWIPC;
 +	}
 +
 	child = clone(child_func, ca.stack_ptr, CLONE_PARENT | SIGCHLD | flags, &ca);
 	/*
@@ -227,7 +233,7 @@ static void update_gidmap(int pid, char *map, int map_len)
 #define JSON_MAX 4096
 -static void start_child(int pipenum, jmp_buf *env, int syncpipe[2], struct nlconfig_t *config)
 +static void start_child(int pipenum, jmp_buf *env, int syncpipe[2], struct nlconfig_t *config, bool delay_ipc_unshare)
 {
 	int len, childpid;
 	char buf[JSON_MAX];
@@ -239,7 +245,7 @@ static void start_child(int pipenum, jmp_buf *env, int syncpipe[2], struct nlcon
 	 * (the bootstrap process). Also so we don't need to forward the
 	 * child's exit code or resend its death signal.
 	 */
 -	childpid = clone_parent(env, config->cloneflags);
 +	childpid = clone_parent(env, config->cloneflags, delay_ipc_unshare);
 	if (childpid < 0)
 		bail("unable to fork");
@@ -415,6 +421,9 @@ void nsexec(void)
 	if (config.cloneflags == -1)
 		bail("missing clone_flags");
 +	bool delay_ipc_unshare = ((config.cloneflags & CLONE_NEWUSER) == CLONE_NEWUSER)
 +		&& ((config.cloneflags & CLONE_NEWIPC) == CLONE_NEWIPC);
 +
 	/* Pipe so we can tell the child when we've finished setting up. */
 	if (pipe(syncpipe) < 0)
 		bail("failed to setup sync pipe between parent and child");
@@ -447,6 +456,12 @@ void nsexec(void)
 		if (setgroups(0, NULL) < 0)
 			bail("setgroups failed");
 +		if (delay_ipc_unshare) {
 +			if (unshare(CLONE_NEWIPC)) {
 +				bail("unable to unshare IPC namespace");
 +			}
 +		}
 +
 		if (consolefd != -1) {
 			if (ioctl(consolefd, TIOCSCTTY, 0) < 0)
 				bail("ioctl TIOCSCTTY failed");
@@ -466,7 +481,7 @@ void nsexec(void)
 	}
 	/* Run the parent code. */
 -	start_child(pipenum, &env, syncpipe, &config);
 +	start_child(pipenum, &env, syncpipe, &config, delay_ipc_unshare);
 	/* Should never be reached. */
 	bail("should never be reached");
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/metadata.xml
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/metadata.xml
@ -1,31 +0,0 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
 <pkgmetadata>
 	<longdescription lang="en">
 		runc is a CLI tool for spawning and running containers according
 		to the OCF (Open Container Format) specification.
 	</longdescription>
 	<maintainer type="person">
 		<email>cardoe@gentoo.org</email>
 		<name>Doug Goldstein</name>
 	</maintainer>
 	<maintainer type="person">
 		<email>williamh@gentoo.org</email>
 		<name>William Hubbs</name>
 	</maintainer>
 	<maintainer type="person">
 		<email>mrueg@gentoo.org</email>
 		<name>Manuel Rüger</name>
 	</maintainer>
 	<use>
 		<flag name="ambient">
 			Enable support for ambient capabilities set (Requires Linux kernel 4.3 or later).
 		</flag>
 		<flag name="apparmor">
 			Enable AppArmor support.
 		</flag>
 	</use>
 	<upstream>
 		<remote-id type="github">opencontainers/runc</remote-id>
 	</upstream>
 </pkgmetadata>
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/runc-1.0.0_rc2_p9-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/runc-1.0.0_rc2_p9-r1.ebuild
@ -1,63 +0,0 @@
 # Copyright 1999-2016 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 # $Header: $
 EAPI=5
 GITHUB_URI="github.com/opencontainers/runc"
 COREOS_GO_PACKAGE="${GITHUB_URI}"
 COREOS_GO_VERSION="go1.6"
 # the commit of runc that docker uses.
 # see https://github.com/docker/docker/blob/v1.12.6/Dockerfile#L245
 # Note: this commit is only really present in `docker/runc` in the 'docker/1.12.x' branch
 # Update the patch number when this commit is changed (i.e. the _p in the
 # ebuild).
 # The patch version is arbitrarily the number of commits since the tag version
 # spcified in the ebuild name. For example:
 # $ git log v1.0.0-rc2..${COMMIT_ID} --oneline | wc -l
 COMMIT_ID="50a19c6ff828c58e5dab13830bd3dacde268afe5"
 inherit eutils flag-o-matic coreos-go-depend vcs-snapshot
 DESCRIPTION="runc container cli tools"
 HOMEPAGE="http://runc.io"
 SRC_URI="https://${GITHUB_URI}/archive/${COMMIT_ID}.tar.gz -> ${P}.tar.gz"
 KEYWORDS="amd64 arm64"
 LICENSE="Apache-2.0"
 SLOT="0"
 IUSE="apparmor selinux +seccomp"
 DEPEND=""
 RDEPEND="
 	apparmor? ( sys-libs/libapparmor )
 	seccomp? ( sys-libs/libseccomp )
 "
 src_prepare() {
 	epatch "${FILESDIR}/0001-Makefile-do-not-install-dependencies-of-target.patch"
 	epatch "${FILESDIR}/0002-${PV}-Fix-setting-selinux-label-for-mqueue-under-userns.patch"
 	epatch "${FILESDIR}/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b_1.12.patch"
 	# Work around https://github.com/golang/go/issues/14669
 	# Remove after updating to go1.7
 	filter-flags -O*
 	go_export
 }
 src_compile() {
 	# build up optional flags
 	local options=(
 		$(usev apparmor)
 		$(usev seccomp)
 		$(usev selinux)
 	)
 	emake BUILDTAGS="${options[*]}" COMMIT="${COMMIT_ID}"
 }
 src_install() {
 	dobin runc
 }
		`@ -1 +0,0 @@`
			`DIST runc-1.0.0_rc2_p9.tar.gz 550963 SHA256 374822cc2895ed3899b7a3a03b566413ea782fccec1307231f27894e9c6d5bea SHA512 0176fc0fd69b298b5cb304388544a45b3805154f635c4a7492daac6e33774b16ad76af2b3008205de169306812834f4299106c89a17b1667168f3ad2ddc2e975 WHIRLPOOL 5015352fe7dc9ddedf93d555cf2750b3e9d72adfda534b1e30a69ac8b6b05e73bfbbe0ba72f543be4e3133f1604a5b42acc3363d30187a75861ca42755dfff81`