From 872961ff359118eced8fc8e1fdc5d96cc0e526b6 Mon Sep 17 00:00:00 2001 From: Euan Kemp Date: Tue, 21 Feb 2017 10:48:50 -0800 Subject: [PATCH] app-emulation/runc: update to use intended version This updates the ebuild to include a patch number indicating changes since the referenced version number. This is because docker uses untagged versions of runc, and so we need additional version information. Prior to this change, the runc ebuild inadvertently used the upstream distfile cache of runc's distfile, regardless of the commit referenced and the -r bumps. This also re-fixes CVE-2016-9962. The patch for that vulnerability was dropped once we thought the commit contained the fix, but since the commit was being ignored and the fix never made it into any tagged release, we accidentally regressed. Finally, this updates the SELinux patch. This was sourced from projectatomic/runc on the docker-1.13.1 branch. --- .../app-emulation/runc/Manifest | 2 +- ...-unshare-of-clone-newipc-for-selinux.patch | 45 +++++++++ ...nt-set-label-for-mqueue-under-userns.patch | 94 ------------------- ...2-r6.ebuild => runc-1.0.0_rc2_p133.ebuild} | 7 +- 4 files changed, 52 insertions(+), 96 deletions(-) create mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/runc/files/0002-Delay-unshare-of-clone-newipc-for-selinux.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/runc/files/0002-Dont-set-label-for-mqueue-under-userns.patch rename sdk_container/src/third_party/coreos-overlay/app-emulation/runc/{runc-1.0.0_rc2-r6.ebuild => runc-1.0.0_rc2_p133.ebuild} (79%) diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/Manifest b/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/Manifest index 9c9a5c0937..f005a91786 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/Manifest
@@ -1 +1 @@
-DIST runc-1.0.0_rc2.tar.gz 550449 SHA256 638742c48426b9a3281aeb619e27513d972de228bdbd43b478baea99c186d491 SHA512 83a3d45efbb86d3d583b96062202b9e60121d250af2c0dd37d07fda574b642aa6f05e29cac6644ad3d624647400db694082e280383e41ca9f31dc0a33b87ed76 WHIRLPOOL 990a45739689db80bbeed43b0fd3a4ce4d0563ea833361b9112e750782313f19e638c4bfbd455f5dd1882d64c724dcf0213701322029c2c9f98f624863c744f3
+DIST runc-1.0.0_rc2_p133.tar.gz 560793 SHA256 11f69923a786efb82b65d9f1eec0ac665a985e631a67f3f4d466dac720efacdd SHA512 8c19a02a55108cef36cbd1ff739a3c8e2962d188c426517fce91483ec525546d39c14072f0a0f2471b6b70a05cf6c1f0e99cfeb5e87203fcbae955bd5f5bd16b WHIRLPOOL 8a1f44234c668aca5c53e401ce80e2c297ad9c7ed0b10d782494e93020f824e6d5e3a00be221f1ff5d039df998c43556228503788181a45256d91278dd005721
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/files/0002-Delay-unshare-of-clone-newipc-for-selinux.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/files/0002-Delay-unshare-of-clone-newipc-for-selinux.patch
new file mode 100644
index 0000000000..23290395a3
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/files/0002-Delay-unshare-of-clone-newipc-for-selinux.patch
@@ -0,0 +1,45 @@
+From 4a4021f597aa37f69a73f0f98e320abf9df1a814 Mon Sep 17 00:00:00 2001
+From: Mrunal Patel
+Date: Thu, 2 Feb 2017 11:23:26 -0800
+Subject: [PATCH] Delay unshare of CLONE_NEWIPC for SELinux
+
+We ensure that mqueue is owned by user namespace root
+by unsharing CLONE_NEWIPC after we become user namespace
+root. This allows us to apply the container SELinux label
+to mqueue.
+
+Signed-off-by: Mrunal Patel
+---
+ libcontainer/nsenter/nsexec.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
+index 5b680d0..0a10f80 100644
+--- a/libcontainer/nsenter/nsexec.c
++++ b/libcontainer/nsenter/nsexec.c
+@@ -639,7 +639,12 @@ void nsexec(void)
+ * some old kernel versions where clone(CLONE_PARENT | CLONE_NEWPID)
+ * was broken, so we'll just do it the long way anyway.
+ */
+- if (unshare(config.cloneflags) < 0)
++ uint32_t apply_cloneflags = config.cloneflags;
++ if ((config.cloneflags & CLONE_NEWUSER) && (config.cloneflags & CLONE_NEWIPC)) {
++ apply_cloneflags &= ~CLONE_NEWIPC;
++ }
++
++ if (unshare(apply_cloneflags) < 0)
+ bail("failed to unshare namespaces");
+ 
+ /*
+@@ -735,6 +740,11 @@ void nsexec(void)
+ if (setgroups(0, NULL) < 0)
+ bail("setgroups failed");
+ 
++ if ((config.cloneflags & CLONE_NEWUSER) && (config.cloneflags & CLONE_NEWIPC)) {
++ if (unshare(CLONE_NEWIPC) < 0)
++ bail("unshare ipc failed");
++ }
++
+ if (consolefd != -1) {
+ if (ioctl(consolefd, TIOCSCTTY, 0) < 0)
+ bail("ioctl TIOCSCTTY failed");
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/files/0002-Dont-set-label-for-mqueue-under-userns.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/files/0002-Dont-set-label-for-mqueue-under-userns.patch
deleted file mode 100644
index 8653745603..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/files/0002-Dont-set-label-for-mqueue-under-userns.patch
+++ /dev/null
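Review bot: The delay condition `(config.cloneflags & CLONE_NEWUSER) && (config.cloneflags & CLONE_NEWIPC)` is evaluated independently at the two sites in nsexec(), roughly a hundred lines apart; if one copy ever drifts from the other, CLONE_NEWIPC is either dropped from the first unshare() and never re-applied — the container then silently shares the host IPC namespace and nothing fails — or requested twice. Compute it once near where cloneflags is read, `bool delay_ipc_unshare = (config.cloneflags & CLONE_NEWUSER) && (config.cloneflags & CLONE_NEWIPC);`, then use `if (delay_ipc_unshare) apply_cloneflags &= ~CLONE_NEWIPC;` at the first site and `if (delay_ipc_unshare && unshare(CLONE_NEWIPC) < 0) bail("failed to unshare IPC namespace");` at the second, which also brings the message in line with the neighbouring `bail("failed to unshare namespaces")`. `uint32_t apply_cloneflags` should carry whatever type config.cloneflags is declared with; the struct is not in this patch, so that needs checking. nsexec() begins and ends outside both hunks, so the mapping and setuid/setgid steps between the two unshare() calls are not visible here; the placement after setgroups() presumably relies on the uid/gid map being in place so the new IPC namespace is owned by the mapped root — worth confirming against the surrounding code.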
@@ -1,94 +0,0 @@ -From 3ce50afe04f102cf28dbb6425773011707bf3ae0 Mon Sep 17 00:00:00 2001 -From: Mrunal Patel -Date: Wed, 12 Oct 2016 16:46:59 -0700 -Subject: [PATCH] Fix setting SELinux label for mqueue when user namespaces are - enabled - -If one tries to user SELinux with user namespaces, then labeling of /dev/mqueue -fails because the IPC namespace belongs to the root in init_user_ns. This -commit fixes that by unsharing IPC namespace after we clone into a new USER -namespace so the IPC namespace is owned by the root inside the new USER -namespace as opposed to init_user_ns. - -Signed-off-by: Mrunal Patel ---- - libcontainer/nsenter/nsexec.c | 25 ++++++++++++++++++++----- - 1 file changed, 20 insertions(+), 5 deletions(-) - -diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c -index b93f827..1e8d4da 100644 ---- a/libcontainer/nsenter/nsexec.c -+++ b/libcontainer/nsenter/nsexec.c -@@ -94,14 +94,20 @@ static int child_func(void *arg) - longjmp(*ca->env, JUMP_VAL); - } - --static int clone_parent(jmp_buf *env, int flags) __attribute__ ((noinline)); --static int clone_parent(jmp_buf *env, int flags) -+static int clone_parent(jmp_buf *env, int flags, bool delay_ipc_unshare) __attribute__ ((noinline)); -+static int clone_parent(jmp_buf *env, int flags, bool delay_ipc_unshare) - { - int child; - struct clone_arg ca = { - .env = env, - }; - -+ // Don't clone into NEWIPC at the same time as cloning into NEWUSER. -+ // This way we can ensure that NEWIPC namespace belongs to the root in new user namespace. 
-+ if (delay_ipc_unshare) { -+ flags &= ~CLONE_NEWIPC; -+ } -+ - child = clone(child_func, ca.stack_ptr, CLONE_PARENT | SIGCHLD | flags, &ca); - - /* -@@ -227,7 +233,7 @@ static void update_gidmap(int pid, char *map, int map_len) - - #define JSON_MAX 4096 - --static void start_child(int pipenum, jmp_buf *env, int syncpipe[2], struct nlconfig_t *config) -+static void start_child(int pipenum, jmp_buf *env, int syncpipe[2], struct nlconfig_t *config, bool delay_ipc_unshare) - { - int len, childpid; - char buf[JSON_MAX]; -@@ -239,7 +245,7 @@ static void start_child(int pipenum, jmp_buf *env, int syncpipe[2], struct nlcon - * (the bootstrap process). Also so we don't need to forward the - * child's exit code or resend its death signal. - */ -- childpid = clone_parent(env, config->cloneflags); -+ childpid = clone_parent(env, config->cloneflags, delay_ipc_unshare); - if (childpid < 0) - bail("unable to fork"); - -@@ -415,6 +421,9 @@ void nsexec(void) - if (config.cloneflags == -1) - bail("missing clone_flags"); - -+ bool delay_ipc_unshare = ((config.cloneflags & CLONE_NEWUSER) == CLONE_NEWUSER) -+ && ((config.cloneflags & CLONE_NEWIPC) == CLONE_NEWIPC); -+ - /* Pipe so we can tell the child when we've finished setting up. */ - if (pipe(syncpipe) < 0) - bail("failed to setup sync pipe between parent and child"); -@@ -447,6 +456,12 @@ void nsexec(void) - if (setgroups(0, NULL) < 0) - bail("setgroups failed"); - -+ if (delay_ipc_unshare) { -+ if (unshare(CLONE_NEWIPC)) { -+ bail("unable to unshare IPC namespace"); -+ } -+ } -+ - if (consolefd != -1) { - if (ioctl(consolefd, TIOCSCTTY, 0) < 0) - bail("ioctl TIOCSCTTY failed"); -@@ -466,7 +481,7 @@ void nsexec(void) - } - - /* Run the parent code. */ -- start_child(pipenum, &env, syncpipe, &config); -+ start_child(pipenum, &env, syncpipe, &config, delay_ipc_unshare); - - /* Should never be reached. */ - bail("should never be reached"); 
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/runc-1.0.0_rc2-r6.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/runc-1.0.0_rc2_p133.ebuild similarity index 79% rename from sdk_container/src/third_party/coreos-overlay/app-emulation/runc/runc-1.0.0_rc2-r6.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-emulation/runc/runc-1.0.0_rc2_p133.ebuild index a28103802a..7357ac37bb 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/runc-1.0.0_rc2-r6.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/runc-1.0.0_rc2_p133.ebuild @@ -10,6 +10,11 @@ COREOS_GO_VERSION="go1.6" # the commit of runc that docker uses. # see https://github.com/docker/docker/blob/v1.13.1/hack/dockerfile/binaries-commits#L6 # Note: this commit is only really present in `docker/runc` in the 'docker/1.13.x' branch +# Update the patch number when this commit is changed (i.e. the _p in the +# ebuild). +# The patch version is arbitrarily the number of commits since the tag version +# spcified in the ebuild name. For example: +# $ git log v1.0.0-rc2..${COMMIT_ID} --oneline | wc -l COMMIT_ID="9df8b306d01f59d3a8029be411de015b7304dd8f" inherit eutils flag-o-matic coreos-go-depend vcs-snapshot @@ -32,7 +37,7 @@ RDEPEND=" src_prepare() { epatch "${FILESDIR}/0001-Makefile-do-not-install-dependencies-of-target.patch" - epatch "${FILESDIR}/0002-Dont-set-label-for-mqueue-under-userns.patch" + epatch "${FILESDIR}/0002-Delay-unshare-of-clone-newipc-for-selinux.patch" # Work around https://github.com/golang/go/issues/14669 # Remove after updating to go1.7
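Review bot: The new comment misspells `spcified` and does not say where the `git log` count must be run: the context line just above states the commit only exists on the `docker/1.13.x` branch of `docker/runc`, so `git log v1.0.0-rc2..${COMMIT_ID} --oneline | wc -l` yields the intended number only in a checkout of that fork that carries the tag, and a different repository or branch gives a different _p. Per the commit message, a stale _p means the previously cached distfile and its Manifest entry are reused without any error, which is the mechanism that re-exposed CVE-2016-9962, so the comment should spell out that consequence rather than only the formula. Suggest replacing the two explanatory lines with `# The patch number is arbitrarily the number of commits since the tag version`, `# specified in the ebuild name, counted in the docker/runc checkout (branch docker/1.13.x)`, `# that carries COMMIT_ID; a stale _p silently reuses the old distfile and Manifest entry.`. The second hunk (src_prepare) runs past the end of this excerpt.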