Merge pull request #1649 from flatcar/krnowak/runc-lts

runc 1.1.12 for lts 2023
Krzesimir Nowak 2024-02-12 15:32:48 +01:00 committed by GitHub
commit 89636a5638
GPG Key ID: B5690EEEBB952194
8 changed files with 24 additions and 22 deletions


@ -0,0 +1 @@
- runc ([CVE-2024-21626](https://nvd.nist.gov/vuln/detail/CVE-2024-21626))


@ -0,0 +1 @@
- runc ([1.1.12](https://github.com/opencontainers/runc/releases/tag/v1.1.12))


@ -29,7 +29,7 @@ SLOT="0"
IUSE="+btrfs hardened"
DEPEND="btrfs? ( sys-fs/btrfs-progs )"
RDEPEND="~app-emulation/docker-runc-1.1.4
RDEPEND="~app-emulation/docker-runc-1.1.12
sys-libs/libseccomp"
S=${WORKDIR}/${P}/src/${COREOS_GO_PACKAGE}


@ -1 +1 @@
DIST docker-runc-1.1.4.tar.gz 2337285 BLAKE2B b82beac54eb07cf0a657af910201fcff05579d7311bef9d07df1fc8b60fac2b9560b250366193f0f84319ced66bc3f1a1af1bb8a57233187e7ef77a7799b55e7 SHA512 c6665265369af843550181fe44217d0e4f5c3b019c47359bfe9db94dcbd1866c05756b09adea905437bbff8bcfd2b6b02185ca4e7f1d62ed3bf177118308e41a
DIST docker-runc-1.1.12.tar.gz 2525814 BLAKE2B 55965eda3f145a8f17e483e5f7d73cc8b6e17df5c501d9b9fd6796d6154acb069d30893f7d040da6c190811affe92e257790a270fc331662c0d2735872362141 SHA512 12da3fb0a26a1f6e5dca233614a544fae9d73a01751a9bf5f5c0a8247832c7159395213d613a3f680aa6462f661e890b507e26e36949117200c39446878bbaa1


@ -8,7 +8,7 @@ COREOS_GO_PACKAGE="${GITHUB_URI}"
COREOS_GO_VERSION="go1.18"
# the commit of runc that docker uses.
# see https://github.com/docker/docker-ce/blob/v19.03.15/components/engine/hack/dockerfile/install/runc.installer#L4
COMMIT_ID="81a44cf162f4409cc6ff656e2433b87321bf8a7a"
COMMIT_ID="51d5e94601ceffbbd85688df1c928ecccbfa4685"
inherit eutils flag-o-matic coreos-go vcs-snapshot
@ -55,7 +55,7 @@ src_compile() {
)
GOPATH="${WORKDIR}/${P}" emake BUILDTAGS="${options[*]}" \
VERSION=1.1.4+dev.docker-20.10 \
VERSION=1.1.12+dev.docker-20.10 \
COMMIT="${COMMIT_ID}"
}
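Review bot: The comment above the new `COMMIT_ID` still describes the hash as "the commit of runc that docker uses" and links docker-ce v19.03.15's runc.installer, a docker-ce 19.03 tag that predates runc 1.1.12 and so cannot be where `51d5e94601ceffbbd85688df1c928ecccbfa4685` was taken from; the `VERSION=1.1.12+dev.docker-20.10` line in the second hunk names yet another docker series. A pinned commit is only auditable when its provenance is stated, so the comment should name the actual source of this hash, e.g. `# commit of runc v1.1.12 pinned for this bump; see <RUNC_TAG_OR_INSTALLER_URL placeholder>`, or the stale link should be removed rather than left pointing at a 19.03 installer. The mismatch between the comment and the `VERSION` string appears to have survived several bumps, so fixing it here avoids the next reviewer having to re-derive it.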


@ -1,4 +1,4 @@
From ab3a3b89d712bb1c6ca2e09ffc375f4b837e9401 Mon Sep 17 00:00:00 2001
From 2b89252c4605acb2376c004d3b7096d362eeaa7c Mon Sep 17 00:00:00 2001
From: Mrunal Patel <mrunalp@gmail.com>
Date: Thu, 2 Feb 2017 11:23:26 -0800
Subject: [PATCH] Delay unshare of CLONE_NEWIPC for SELinux
@ -10,37 +10,37 @@ to mqueue.
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
---
libcontainer/nsenter/nsexec.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
libcontainer/nsenter/nsexec.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
index 0ad68834..5100698a 100644
index 2d224bab..800cb0dc 100644
--- a/libcontainer/nsenter/nsexec.c
+++ b/libcontainer/nsenter/nsexec.c
@@ -719,7 +719,12 @@ void nsexec(void)
@@ -1241,7 +1241,11 @@ void nsexec(void)
* some old kernel versions where clone(CLONE_PARENT | CLONE_NEWPID)
* was broken, so we'll just do it the long way anyway.
*/
write_log(DEBUG, "unshare remaining namespace (except cgroupns)");
- if (unshare(config.cloneflags & ~CLONE_NEWCGROUP) < 0)
- try_unshare(config.cloneflags & ~CLONE_NEWCGROUP, "remaining namespaces (except cgroupns)");
+ uint32_t apply_cloneflags = config.cloneflags;
+ if ((config.cloneflags & CLONE_NEWUSER) && (config.cloneflags & CLONE_NEWIPC)) {
+ apply_cloneflags &= ~CLONE_NEWIPC;
+ }
+
+ if (unshare(apply_cloneflags & ~CLONE_NEWCGROUP) < 0)
bail("failed to unshare remaining namespaces (except cgroupns)");
+ try_unshare(apply_cloneflags & ~CLONE_NEWCGROUP, "remaining namespaces (except cgroupns)");
/*
@@ -841,6 +846,11 @@ void nsexec(void)
/* Ask our parent to send the mount sources fds. */
if (config.mountsources) {
@@ -1358,6 +1362,10 @@ void nsexec(void)
bail("setgroups failed");
}
+ if ((config.cloneflags & CLONE_NEWUSER) && (config.cloneflags & CLONE_NEWIPC)) {
+ if (unshare(CLONE_NEWIPC) < 0)
+ bail("unshare ipc failed");
+ try_unshare(CLONE_NEWIPC, "ipc namespace");
+ }
+
/*
* Wait until our topmost parent has finished cgroup setup in
* p.manager.Apply().
if (config.cloneflags & CLONE_NEWCGROUP) {
try_unshare(CLONE_NEWCGROUP, "cgroup namespace");
}
--
2.34.1
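Review bot: The predicate `(config.cloneflags & CLONE_NEWUSER) && (config.cloneflags & CLONE_NEWIPC)` now appears verbatim at both new sites, the `apply_cloneflags` mask in the first hunk and the delayed `try_unshare(CLONE_NEWIPC, "ipc namespace");` in the second, so a later rebase that touches one can silently leave the other behind and the container ends up with IPC unshared twice or not at all. If both sites sit in the same scope of nsexec(), which starts and ends outside this patch and cannot be confirmed here, a single `bool delay_ipc = (config.cloneflags & CLONE_NEWUSER) && (config.cloneflags & CLONE_NEWIPC);` computed next to `apply_cloneflags` and reused in the second hunk would keep them in step. The added block also carries no comment, and the only rationale is the 2017 subject line; a line such as `/* IPC is deliberately unshared later (see the second hunk) for SELinux; keep both sites in sync. */` above `apply_cloneflags` would tell the next rebaser why the mask is split. Swapping the `unshare()`/`bail()` pair for `try_unshare` follows the surrounding 1.1.12 code, but the delayed IPC unshare now relies on `try_unshare` aborting on failure rather than on an explicit `bail`, which is worth a one-line check against its definition when this is applied.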


@ -15,7 +15,7 @@ RDEPEND="
~app-emulation/docker-cli-20.10.23
~app-emulation/containerd-1.6.16
~app-emulation/docker-proxy-0.8.0_p20210525
~app-emulation/docker-runc-1.1.4
~app-emulation/docker-runc-1.1.12
=dev-libs/libltdl-2.4.7
~sys-process/tini-0.19.0
"