app-containers/runc: Sync with Gentoo

It's from Gentoo commit 98bed121b8fc4f3becbb4b08397b9abce40d5bf4. Signed-off-by: Flatcar Buildbot <buildbot@flatcar-linux.org>
2026-02-14 20:21:19 +01:00 · 2026-02-02 07:24:54 +00:00 · 2026-02-02 07:24:54 +00:00 · 434b63483f
commit 434b63483f
parent 693bc190aa
3 changed files with 239 additions and 3 deletions
--- a/sdk_container/src/third_party/portage-stable/app-containers/runc/Manifest
+++ b/sdk_container/src/third_party/portage-stable/app-containers/runc/Manifest
@ -5,3 +5,4 @@ DIST runc-1.2.8.tar.gz 2834651 BLAKE2B 5f76e40ee8bda4668758dce318625af1dbb13c0d3
 DIST runc-1.3.0.tar.gz 2858199 BLAKE2B c9402a074b816b9452763267a7ffdc69af6c0cd4cf54fbdfdc91ccbd8bbc5daa783259176775e90f6266fa6a02bf0bad7fbb8eb879b5764309f7f9cd2f246086 SHA512 63422501f6189d0d47f6b2f59565de572bc68b138a65c7dbcc8b5ad42dbc37245ee66e2683ab61971a84c076a15f54f484c37fde4a30815ee19edc9a0d97e9f4
 DIST runc-1.3.1.tar.gz 2860795 BLAKE2B 5711881488dc3d52182377dc09690436aff142552d35728b10c221874a1dafc3b1fe78972891ebfc53e232465aec97eacc78318a453b030c052ca2218c61438d SHA512 0a3007d046fe9711541e29ca07fd72515f19b220c8c79b9df9164f7b88a6b9077ba7a11607593b641823b9e99c0f2e96500a57e2a16e11501bbb7c4690870183
 DIST runc-1.3.3.tar.gz 2929410 BLAKE2B 1feddc154836eff606a685a0c0d606c1bbcd5a1a1ec8a288233581a88e0b3b6a95f446125688a8dca5efd5a275bf22931553cb9ab894f6aa0826d5a1274b6f91 SHA512 9ce0af1b79163c44913979c0483322247b154109871a113726163f64c6354141e7cefb5fb6e1225eaa4bb48a1e33ba9a6049cb45cb2af8793134647dad18c8dc
+DIST runc-1.4.0.tar.gz 2958986 BLAKE2B 9a363986a05c2c19646373373b94944642bf9f74a2a9f10d201baff7d76d54e39e273d6ceb9f94449926246ec22c2b863812ca1e4e8910cb166294b7ea7c4068 SHA512 a5b52d8494a4210d9ff4caefd0513b94b80ef9dd16c6eb369761cde2fce30214f765eee01c3cbb2e0cfd933371362fd89b08656b434d76038ffe1f8a59dea215
--- a/sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.3.3.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.3.3.ebuild
@ -1,4 +1,4 @@
-# Copyright 1999-2025 Gentoo Authors
+# Copyright 1999-2026 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2

 EAPI=8
@ -9,8 +9,6 @@ inherit go-module linux-info
 # https://github.com/opencontainers/runc
 RUNC_COMMIT=d842d7719497cc3b774fd71620278ac9e17710e0

-CONFIG_CHECK="~USER_NS"
-
 DESCRIPTION="runc container cli tools"
 HOMEPAGE="https://github.com/opencontainers/runc/"
 MY_PV="${PV/_/-}"
@ -38,6 +36,89 @@ BDEPEND="
 # majority of tests pass
 RESTRICT+=" test"

+# Please refer:
+# https://github.com/opencontainers/runc/blob/main/script/check-config.sh
+pkg_setup() {
+	CONFIG_CHECK="
+		~NAMESPACES
+		~NET_NS
+		~PID_NS
+		~IPC_NS
+		~UTS_NS
+		~CGROUPS
+		~CGROUP_CPUACCT
+		~CGROUP_DEVICE
+		~CGROUP_FREEZER
+		~CGROUP_SCHED
+		~CPUSETS
+		~MEMCG
+		~KEYS
+		~VETH
+		~BRIDGE
+		~BRIDGE_NETFILTER
+		~IP_NF_FILTER
+		~IP_NF_TARGET_MASQUERADE
+		~NETFILTER_XT_MATCH_ADDRTYPE
+		~NETFILTER_XT_MATCH_COMMENT
+		~NETFILTER_XT_MATCH_CONNTRACK
+		~NETFILTER_XT_MATCH_IPVS
+		~IP_NF_NAT
+		~NF_NAT
+		~POSIX_MQUEUE
+		~OVERLAY_FS
+	"
+
+	CONFIG_CHECK+="
+		~USER_NS
+	"
+
+	use seccomp && CONFIG_CHECK+="
+		~SECCOMP
+		~SECCOMP_FILTER
+	"
+	WARNING_SECCOMP="CONFIG_SECCOMP is required as optional feature"
+
+	CONFIG_CHECK+="
+		~CGROUP_PIDS
+	"
+	WARNING_CGROUP_PIDS="CONFIG_CGROUP_PIDS is required as optional feature"
+
+	if kernel_is lt 6 1; then
+		CONFIG_CHECK+="
+			~MEMCG_SWAP
+		"
+	fi
+
+	CONFIG_CHECK+="
+		~BLK_CGROUP
+		~BLK_DEV_THROTTLING
+		~CGROUP_PERF
+		~CGROUP_HUGETLB
+		~NET_CLS_CGROUP
+		~CFS_BANDWIDTH
+		~FAIR_GROUP_SCHED
+		~RT_GROUP_SCHED
+		~IP_NF_TARGET_REDIRECT
+		~IP_VS
+		~IP_VS_NFCT
+		~IP_VS_PROTO_TCP
+		~IP_VS_PROTO_UDP
+		~IP_VS_RR
+		~CHECKPOINT_RESTORE
+		~CGROUP_NET_PRIO
+	"
+
+	use selinux && CONFIG_CHECK+="
+		~SECURITY_SELINUX"
+
+	use apparmor && CONFIG_CHECK+="
+		~SECURITY_APPARMOR"
+
+	if [[ -n ${CONFIG_CHECK} ]]; then
+		linux-info_pkg_setup
+	fi
+}
+
 src_compile() {
 	# build up optional flags
 	local options=(
--- a/sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.4.0-r1.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.4.0-r1.ebuild
@ -0,0 +1,154 @@
+# Copyright 1999-2026 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit go-module linux-info
+
+# update on bump, look for commit ID on release tag.
+# https://github.com/opencontainers/runc
+RUNC_COMMIT=8bd78a9977e604c4d5f67a7415d7b8b8c109cdc4
+
+CONFIG_CHECK="~USER_NS"
+
+DESCRIPTION="runc container cli tools"
+HOMEPAGE="https://github.com/opencontainers/runc/"
+MY_PV="${PV/_/-}"
+SRC_URI="https://github.com/opencontainers/${PN}/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
+S="${WORKDIR}/${PN}-${MY_PV}"
+
+LICENSE="Apache-2.0 BSD-2 BSD MIT"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
+IUSE="apparmor hardened +kmem +seccomp selinux test"
+
+COMMON_DEPEND="
+	apparmor? ( sys-libs/libapparmor )
+	seccomp? ( sys-libs/libseccomp )"
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}
+	!app-emulation/docker-runc
+	selinux? ( sec-policy/selinux-container )"
+BDEPEND="
+	dev-go/go-md2man
+	test? ( "${RDEPEND}" )"
+
+# tests need busybox binary, and portage namespace
+# sandboxing disabled: mount-sandbox pid-sandbox ipc-sandbox
+# majority of tests pass
+RESTRICT+=" test"
+
+# Please refer:
+# https://github.com/opencontainers/runc/blob/main/script/check-config.sh
+pkg_setup() {
+	CONFIG_CHECK="
+		~NAMESPACES
+		~NET_NS
+		~PID_NS
+		~IPC_NS
+		~UTS_NS
+		~CGROUPS
+		~CGROUP_CPUACCT
+		~CGROUP_DEVICE
+		~CGROUP_FREEZER
+		~CGROUP_SCHED
+		~CPUSETS
+		~MEMCG
+		~KEYS
+		~VETH
+		~BRIDGE
+		~BRIDGE_NETFILTER
+		~IP_NF_FILTER
+		~IP_NF_TARGET_MASQUERADE
+		~NETFILTER_XT_MATCH_ADDRTYPE
+		~NETFILTER_XT_MATCH_COMMENT
+		~NETFILTER_XT_MATCH_CONNTRACK
+		~NETFILTER_XT_MATCH_IPVS
+		~IP_NF_NAT
+		~NF_NAT
+		~POSIX_MQUEUE
+		~OVERLAY_FS
+	"
+
+	CONFIG_CHECK+="
+		~USER_NS
+	"
+
+	use seccomp && CONFIG_CHECK+="
+		~SECCOMP
+		~SECCOMP_FILTER
+	"
+	WARNING_SECCOMP="CONFIG_SECCOMP is required as optional feature"
+
+	CONFIG_CHECK+="
+		~CGROUP_PIDS
+	"
+	WARNING_CGROUP_PIDS="CONFIG_CGROUP_PIDS is required as optional feature"
+
+	if kernel_is lt 6 1; then
+		CONFIG_CHECK+="
+			~MEMCG_SWAP
+		"
+	fi
+
+	CONFIG_CHECK+="
+		~BLK_CGROUP
+		~BLK_DEV_THROTTLING
+		~CGROUP_PERF
+		~CGROUP_HUGETLB
+		~NET_CLS_CGROUP
+		~CFS_BANDWIDTH
+		~FAIR_GROUP_SCHED
+		~RT_GROUP_SCHED
+		~IP_NF_TARGET_REDIRECT
+		~IP_VS
+		~IP_VS_NFCT
+		~IP_VS_PROTO_TCP
+		~IP_VS_PROTO_UDP
+		~IP_VS_RR
+		~CHECKPOINT_RESTORE
+		~CGROUP_NET_PRIO
+	"
+
+	use selinux && CONFIG_CHECK+="
+		~SECURITY_SELINUX"
+
+	use apparmor && CONFIG_CHECK+="
+		~SECURITY_APPARMOR"
+
+	if [[ -n ${CONFIG_CHECK} ]]; then
+		linux-info_pkg_setup
+	fi
+}
+
+src_compile() {
+	# build up optional flags
+	local options=(
+		$(usev apparmor)
+		$(usev seccomp)
+		$(usex kmem '' 'nokmem')
+	)
+
+	myemakeargs=(
+		BUILDTAGS="${options[*]}"
+		COMMIT="${RUNC_COMMIT}"
+	)
+
+	emake "${myemakeargs[@]}" runc man
+}
+
+src_install() {
+	myemakeargs+=(
+		PREFIX="${ED}/usr"
+		BINDIR="${ED}/usr/bin"
+		MANDIR="${ED}/usr/share/man"
+	)
+	emake "${myemakeargs[@]}" install install-man install-bash
+
+	local DOCS=( README.md PRINCIPLES.md docs/. )
+	einstalldocs
+}
+
+src_test() {
+	emake "${myemakeargs[@]}" localunittest
+}