mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-12-07 10:22:12 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #826 from kinvolk/dongsu/delete-docker-1.12

Browse Source 
app-emulation,torcx: delete docker 1.12
This commit is contained in:
Dongsu Park 2021-02-04 17:57:41 +01:00 committed by GitHub
commit ebf5dd95c5
16 changed files with 0 additions and 937 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
sdk_container/src/third_party/coreos-overlay/app-arch/torcx/files/docker-1.12-yes.json vendored
View File

@ -1,11 +0,0 @@
{
"kind": "profile-manifest-v0",
"value": {
"images": [
{
"name": "docker",
"reference": "1.12"
}
]
}
}

1
sdk_container/src/third_party/coreos-overlay/app-arch/torcx/torcx-9999.ebuild vendored
View File

@ -44,7 +44,6 @@ src_install() {
insinto "${vendordir}/profiles"
doins "${FILESDIR}/docker-1.12-no.json"
doins "${FILESDIR}/docker-1.12-yes.json"
doins "${FILESDIR}/vendor.json"
dodir "${vendordir}/store"

1
sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/Manifest vendored
View File

@ -1,3 +1,2 @@
DIST containerd-0.2.5.tar.gz 1003500 BLAKE2B ef08782b068e1d81df34881bdd156e7aa387d2710aee9b9c3b05a3d7cb018b7f78aab0aec77640823d8976636265e18ffc69abc25a4c326180b2c18c00059a4c SHA512 ba1e074bb7556a7c4be4d68dc62aa2fa4b823682c209d1609c1f11518a7b7167139ea159d31e0b21ba190d83115a67e5e45b54b6a4770742d49e9e561309551f
DIST containerd-0.2.6.tar.gz 1020572 BLAKE2B b235acc5badd3c3d87f72910c11e6adfd73e2cb7aa5273ab0ed9e6642aff8980d9b2a74875b4a69db36eaf67350124ef8629b0f460bdbe2d16d1ab834ba1e2cc SHA512 41018bda556a3ddfb1bd3a16e642548ba06f413b13fd1488e731896e277ba6c84a393ebd5de067ecaeccc695297a2b74edf22e5a3fe8f2e3eadf78d080bdeff6
DIST containerd-1.4.3.tar.gz 6178784 BLAKE2B 181ba9139ff9f245d71459baed21a6f2cde2d64f10bb42ae9361167c2686ccf25a90ee213df8f6d430a3c70390d0cd3e6620e42c6c7ec2dfe51289ca2d4add3c SHA512 40501a45c46e4f2f6df1ce9e4142612863b400bb2e804b1e23a0b9f0b1ed3d5c83a6fcce4e70f82a4557ce0f301e2de11cf2935039cb74b8ebec0dc71752406e

39
sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/containerd-0.2.5-r3.ebuild vendored
View File

@ -1,39 +0,0 @@
# Copyright 1999-2016 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Id$
EAPI=5
GITHUB_URI="github.com/docker/${PN}"
COREOS_GO_PACKAGE="${GITHUB_URI}"
COREOS_GO_VERSION="go1.7"
MY_PV="${PV/_/-}"
EGIT_COMMIT="v${MY_PV}"
SRC_URI="https://${GITHUB_URI}/archive/${EGIT_COMMIT}.tar.gz -> ${P}.tar.gz"
KEYWORDS="amd64 arm64"
inherit vcs-snapshot
inherit coreos-go systemd
DESCRIPTION="A daemon to control runC"
HOMEPAGE="https://containerd.tools"
LICENSE="Apache-2.0"
SLOT="0"
IUSE="seccomp"
DEPEND=""
RDEPEND="app-emulation/runc
seccomp? ( sys-libs/libseccomp )"
src_compile() {
local options=( $(usev seccomp) )
LDFLAGS= emake GIT_COMMIT="$EGIT_COMMIT" BUILDTAGS="${options[*]}"
}
src_install() {
dobin bin/containerd* bin/ctr
systemd_dounit "${FILESDIR}/containerd.service"
}

1
sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc2_p136-r1.ebuild vendored
View File

@ -30,7 +30,6 @@ IUSE="apparmor hardened +seccomp selinux"
RDEPEND="
apparmor? ( sys-libs/libapparmor )
seccomp? ( sys-libs/libseccomp )
!app-emulation/runc
"
S=${WORKDIR}/${P}/src/${COREOS_GO_PACKAGE}

1
sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc92.ebuild vendored
View File

@ -29,7 +29,6 @@ IUSE="ambient apparmor hardened +seccomp selinux"
RDEPEND="
apparmor? ( sys-libs/libapparmor )
seccomp? ( sys-libs/libseccomp )
!app-emulation/runc
"
S=${WORKDIR}/${P}/src/${COREOS_GO_PACKAGE}

321
sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.12.6-r8.ebuild vendored
View File

@ -1,321 +0,0 @@
# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Id$
EAPI=5
CROS_WORKON_PROJECT="flatcar-linux/docker"
CROS_WORKON_LOCALNAME="docker"
CROS_WORKON_REPO="git://github.com"
COREOS_GO_VERSION="go1.7"
CROS_WORKON_COMMIT="d9ad3fcd5cfb3f72ea60d08d540a350b17b7b035" # coreos-1.12.6
DOCKER_GITCOMMIT="${CROS_WORKON_COMMIT:0:7}"
KEYWORDS="amd64 arm64"
inherit bash-completion-r1 eutils linux-info multilib systemd udev user cros-workon coreos-go-depend
DESCRIPTION="Docker complements kernel namespacing with a high-level API which operates at the process level"
HOMEPAGE="https://dockerproject.org"
LICENSE="Apache-2.0"
SLOT="0"
IUSE="apparmor aufs +btrfs contrib +device-mapper experimental +overlay seccomp
+selinux vim-syntax zsh-completion +journald"
# https://github.com/docker/docker/blob/master/hack/PACKAGERS.md#build-dependencies
CDEPEND="
>=dev-db/sqlite-3.7.9:3
device-mapper? (
>=sys-fs/lvm2-2.02.89[thin]
)
seccomp? (
>=sys-libs/libseccomp-2.2.1[static-libs]
)
journald? (
>=sys-apps/systemd-225
)
"
DEPEND="
${CDEPEND}
btrfs? (
>=sys-fs/btrfs-progs-3.16.1
)
"
# For CoreOS builds coreos-kernel must be installed because this ebuild
# checks the kernel config. The kernel config is left by the kernel compile
# or an explicit copy when installing binary packages. See coreos-kernel.eclass
DEPEND+="sys-kernel/coreos-kernel"
# https://github.com/docker/docker/blob/master/hack/PACKAGERS.md#runtime-dependencies
# https://github.com/docker/docker/blob/master/hack/PACKAGERS.md#optional-dependencies
RDEPEND="
${CDEPEND}
!app-emulation/docker-bin
>=net-firewall/iptables-1.4
sys-process/procps
>=dev-vcs/git-1.7
>=app-arch/xz-utils-4.9
>=sys-apps/shadow-4.4
~app-emulation/containerd-0.2.5[seccomp?]
~app-emulation/runc-1.0.0_rc2_p9[apparmor?,seccomp?]
"
RESTRICT="installsources strip"
# see "contrib/check-config.sh" from upstream's sources
CONFIG_CHECK="
~NAMESPACES ~NET_NS ~PID_NS ~IPC_NS ~UTS_NS
~CGROUPS ~CGROUP_CPUACCT ~CGROUP_DEVICE ~CGROUP_FREEZER ~CGROUP_SCHED ~CPUSETS ~MEMCG
~KEYS ~MACVLAN ~VETH ~BRIDGE ~BRIDGE_NETFILTER
~NF_NAT_IPV4 ~IP_NF_FILTER ~IP_NF_MANGLE ~IP_NF_TARGET_MASQUERADE
~IP_VS ~IP_VS_RR
~NETFILTER_XT_MATCH_ADDRTYPE ~NETFILTER_XT_MATCH_CONNTRACK
~NETFILTER_XT_MATCH_IPVS
~NETFILTER_XT_MARK ~NETFILTER_XT_TARGET_REDIRECT
~NF_NAT ~NF_NAT_NEEDED
~POSIX_MQUEUE
~MEMCG_SWAP ~MEMCG_SWAP_ENABLED
~BLK_CGROUP ~IOSCHED_CFQ
~CGROUP_PERF
~CGROUP_HUGETLB
~NET_CLS_CGROUP
~CFS_BANDWIDTH ~FAIR_GROUP_SCHED ~RT_GROUP_SCHED
~XFRM_ALGO ~XFRM_USER
"
ERROR_KEYS="CONFIG_KEYS: is mandatory"
ERROR_MEMCG_SWAP="CONFIG_MEMCG_SWAP: is required if you wish to limit swap usage of containers"
ERROR_RESOURCE_COUNTERS="CONFIG_RESOURCE_COUNTERS: is optional for container statistics gathering"
ERROR_BLK_CGROUP="CONFIG_BLK_CGROUP: is optional for container statistics gathering"
ERROR_IOSCHED_CFQ="CONFIG_IOSCHED_CFQ: is optional for container statistics gathering"
ERROR_CGROUP_PERF="CONFIG_CGROUP_PERF: is optional for container statistics gathering"
ERROR_CFS_BANDWIDTH="CONFIG_CFS_BANDWIDTH: is optional for container statistics gathering"
ERROR_XFRM_ALGO="CONFIG_XFRM_ALGO: is optional for secure networks"
ERROR_XFRM_USER="CONFIG_XFRM_USER: is optional for secure networks"
pkg_setup() {
if kernel_is lt 3 10; then
ewarn ""
ewarn "Using Docker with kernels older than 3.10 is unstable and unsupported."
ewarn " - http://docs.docker.com/installation/binaries/#check-kernel-dependencies"
fi
# for where these kernel versions come from, see:
# https://www.google.com/search?q=945b2b2d259d1a4364a2799e80e8ff32f8c6ee6f+site%3Akernel.org%2Fpub%2Flinux%2Fkernel+file%3AChangeLog*
if ! {
kernel_is ge 3 16 \
|| { kernel_is 3 15 && kernel_is ge 3 15 5; } \
|| { kernel_is 3 14 && kernel_is ge 3 14 12; } \
|| { kernel_is 3 12 && kernel_is ge 3 12 25; }
}; then
ewarn ""
ewarn "There is a serious Docker-related kernel panic that has been fixed in 3.16+"
ewarn " (and was backported to 3.15.5+, 3.14.12+, and 3.12.25+)"
ewarn ""
ewarn "See also https://github.com/docker/docker/issues/2960"
fi
if kernel_is le 3 18; then
CONFIG_CHECK+="
~RESOURCE_COUNTERS
"
fi
if kernel_is le 3 13; then
CONFIG_CHECK+="
~NETPRIO_CGROUP
"
else
CONFIG_CHECK+="
~CGROUP_NET_PRIO
"
fi
if kernel_is lt 4 5; then
CONFIG_CHECK+="
~MEMCG_KMEM
"
ERROR_MEMCG_KMEM="CONFIG_MEMCG_KMEM: is optional"
fi
if kernel_is lt 4 7; then
CONFIG_CHECK+="
~DEVPTS_MULTIPLE_INSTANCES
"
fi
if use aufs; then
CONFIG_CHECK+="
~AUFS_FS
~EXT4_FS_POSIX_ACL ~EXT4_FS_SECURITY
"
ERROR_AUFS_FS="CONFIG_AUFS_FS: is required to be set if and only if aufs-sources are used instead of aufs4/aufs3"
fi
if use btrfs; then
CONFIG_CHECK+="
~BTRFS_FS
"
fi
if use device-mapper; then
CONFIG_CHECK+="
~BLK_DEV_DM ~DM_THIN_PROVISIONING ~EXT4_FS ~EXT4_FS_POSIX_ACL ~EXT4_FS_SECURITY
"
fi
if use overlay; then
CONFIG_CHECK+="
~OVERLAY_FS ~EXT4_FS_SECURITY ~EXT4_FS_POSIX_ACL
"
fi
if use seccomp; then
CONFIG_CHECK+="
~SECCOMP
"
fi
linux-info_pkg_setup
# create docker group for the code checking for it in /etc/group
enewgroup docker
}
src_prepare() {
# allow user patches (use sparingly - upstream won't support them)
epatch_user
# remove the .git directory so that hack/make.sh uses DOCKER_GITCOMMIT
# for the commit hash.
rm --recursive --force .git
}
src_compile() {
# if we treat them right, Docker's build scripts will set up a
# reasonable GOPATH for us
export AUTO_GOPATH=1
# if we're building from a zip, we need the GITCOMMIT value
[ "$DOCKER_GITCOMMIT" ] && export DOCKER_GITCOMMIT
if gcc-specs-pie; then
sed -i "s/EXTLDFLAGS_STATIC='/&-fno-PIC /" hack/make.sh || die
grep -q -- '-fno-PIC' hack/make.sh || die 'hardened sed failed'
sed "s/LDFLAGS_STATIC_DOCKER='/&-extldflags -fno-PIC /" \
-i hack/make/dynbinary-client || die
sed "s/LDFLAGS_STATIC_DOCKER='/&-extldflags -fno-PIC /" \
-i hack/make/dynbinary-daemon || die
grep -q -- '-fno-PIC' hack/make/dynbinary-daemon || die 'hardened sed failed'
grep -q -- '-fno-PIC' hack/make/dynbinary-client || die 'hardened sed failed'
fi
# let's set up some optional features :)
export DOCKER_BUILDTAGS=''
for gd in aufs btrfs device-mapper overlay; do
if ! use $gd; then
DOCKER_BUILDTAGS+=" exclude_graphdriver_${gd//-/}"
fi
done
for tag in apparmor seccomp selinux journald; do
if use $tag; then
DOCKER_BUILDTAGS+=" $tag"
fi
done
if has_version '<sys-fs/lvm2-2.02.110' ; then
# Docker uses the host files when testing features, so force
# docker to not use dm_task_deferred_remove to cover cross
# builds.
DOCKER_BUILDTAGS+=' libdm_no_deferred_remove'
fi
# https://github.com/docker/docker/pull/13338
if use experimental; then
export DOCKER_EXPERIMENTAL=1
else
unset DOCKER_EXPERIMENTAL
fi
go_export
# verbose building
export BUILDFLAGS="-x -v"
# time to build!
./hack/make.sh dynbinary || die 'dynbinary failed'
}
src_install() {
VERSION="$(cat VERSION)"
newbin "bundles/$VERSION/dynbinary-client/docker-$VERSION" docker
newbin "bundles/$VERSION/dynbinary-daemon/dockerd-$VERSION" dockerd
newbin "bundles/$VERSION/dynbinary-daemon/docker-proxy-$VERSION" docker-proxy
dosym containerd /usr/bin/docker-containerd
dosym containerd-shim /usr/bin/docker-containerd-shim
dosym runc /usr/bin/docker-runc
newinitd contrib/init/openrc/docker.initd docker
newconfd contrib/init/openrc/docker.confd docker
exeinto /usr/lib/flatcar
# Create /usr/lib/flatcar/dockerd script for backwards compatibility
doexe "${FILESDIR}/dockerd"
systemd_dounit "${FILESDIR}/docker.service"
systemd_dounit "${FILESDIR}/docker.socket"
insinto /usr/lib/systemd/network
doins "${FILESDIR}"/50-docker.network
doins "${FILESDIR}"/90-docker-veth.network
udev_dorules contrib/udev/*.rules
dodoc AUTHORS CONTRIBUTING.md CHANGELOG.md NOTICE README.md
dodoc -r docs/*
dobashcomp contrib/completion/bash/*
if use zsh-completion; then
insinto /usr/share/zsh/site-functions
doins contrib/completion/zsh/*
fi
if use vim-syntax; then
insinto /usr/share/vim/vimfiles
doins -r contrib/syntax/vim/ftdetect
doins -r contrib/syntax/vim/syntax
fi
if use contrib; then
# note: intentionally not using "doins" so that we preserve +x bits
mkdir -p "${D}/usr/share/${PN}/contrib"
cp -R contrib/* "${D}/usr/share/${PN}/contrib"
fi
}
pkg_postinst() {
udev_reload
elog
elog "To use Docker, the Docker daemon must be running as root. To automatically"
elog "start the Docker daemon at boot, add Docker to the default runlevel:"
elog " rc-update add docker default"
elog "Similarly for systemd:"
elog " systemctl enable docker.service"
elog
elog "To use Docker as a non-root user, add yourself to the 'docker' group:"
elog " usermod -aG docker youruser"
elog
}

1
sdk_container/src/third_party/coreos-overlay/app-emulation/runc/Manifest vendored
View File

@ -1 +0,0 @@
DIST runc-1.0.0_rc2_p9.tar.gz 550963 SHA256 374822cc2895ed3899b7a3a03b566413ea782fccec1307231f27894e9c6d5bea SHA512 0176fc0fd69b298b5cb304388544a45b3805154f635c4a7492daac6e33774b16ad76af2b3008205de169306812834f4299106c89a17b1667168f3ad2ddc2e975 WHIRLPOOL 5015352fe7dc9ddedf93d555cf2750b3e9d72adfda534b1e30a69ac8b6b05e73bfbbe0ba72f543be4e3133f1604a5b42acc3363d30187a75861ca42755dfff81

27
sdk_container/src/third_party/coreos-overlay/app-emulation/runc/files/0001-Makefile-do-not-install-dependencies-of-target.patch vendored
View File

@ -1,27 +0,0 @@
From 7a09c7817af44c87772c728655b71c6cfc9d1bc9 Mon Sep 17 00:00:00 2001
From: Nick Owens <mischief@offblast.org>
Date: Wed, 24 Aug 2016 19:34:42 -0700
Subject: [PATCH] Makefile: do not install dependencies of target
in order to install one must have permission to write to GOROOT which is
not the case in the CoreOS sdk.
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 0852c71..283aceb 100644
--- a/Makefile
+++ b/Makefile
@@ -23,7 +23,7 @@ MAN_INSTALL_PATH := ${PREFIX}/share/man/man8/
VERSION := ${shell cat ./VERSION}
all: $(RUNC_LINK)
- go build -i -ldflags "-X main.gitCommit=${COMMIT} -X main.version=${VERSION}" -tags "$(BUILDTAGS)" -o runc .
+ go build -ldflags "-X main.gitCommit=${COMMIT} -X main.version=${VERSION}" -tags "$(BUILDTAGS)" -o runc .
static: $(RUNC_LINK)
CGO_ENABLED=1 go build -i -tags "$(BUILDTAGS) cgo static_build" -ldflags "-w -extldflags -static -X main.gitCommit=${COMMIT} -X main.version=${VERSION}" -o runc .
--
2.9.3

290
sdk_container/src/third_party/coreos-overlay/app-emulation/runc/files/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b_1.12.patch vendored
View File

@ -1,290 +0,0 @@
From 122c65bee886dda4d7bcb0512816b65fc878dacb Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 9 Jan 2019 13:40:01 +1100
Subject: [PATCH 1/1] nsenter: clone /proc/self/exe to avoid exposing host
binary to container
There are quite a few circumstances where /proc/self/exe pointing to a
pretty important container binary is a _bad_ thing, so to avoid this we
have to make a copy (preferably doing self-clean-up and not being
writeable).
As a hotfix we require memfd_create(2), but we can always extend this to
use a scratch MNT_DETACH overlayfs or tmpfs. The main downside to this
approach is no page-cache sharing for the runc binary (which overlayfs
would give us) but this is far less complicated.
This is only done during nsenter so that it happens transparently to the
Go code, and any libcontainer users benefit from it. This also makes
ExtraFiles and --preserve-fds handling trivial (because we don't need to
worry about it).
Fixes: CVE-2019-5736
Co-developed-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de>
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
---
libcontainer/nsenter/cloned_binary.c | 221 +++++++++++++++++++++++++++
libcontainer/nsenter/nsexec.c | 11 ++
2 files changed, 232 insertions(+)
create mode 100644 libcontainer/nsenter/cloned_binary.c
diff --git a/libcontainer/nsenter/cloned_binary.c b/libcontainer/nsenter/cloned_binary.c
new file mode 100644
index 00000000..d9f6093a
--- /dev/null
+++ b/libcontainer/nsenter/cloned_binary.c
@@ -0,0 +1,221 @@
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdbool.h>
+#include <string.h>
+#include <limits.h>
+#include <fcntl.h>
+#include <errno.h>
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/vfs.h>
+#include <sys/mman.h>
+#include <sys/sendfile.h>
+#include <sys/syscall.h>
+
+#include <linux/magic.h>
+#include <linux/memfd.h>
+
+/* Use our own wrapper for memfd_create. */
+#if !defined(SYS_memfd_create) && defined(__NR_memfd_create)
+# define SYS_memfd_create __NR_memfd_create
+#endif
+#ifndef SYS_memfd_create
+# error "memfd_create(2) syscall not supported by this glibc version"
+#endif
+int memfd_create(const char *name, unsigned int flags)
+{
+ return syscall(SYS_memfd_create, name, flags);
+}
+
+/* This comes directly from <linux/fcntl.h>. */
+#ifndef F_LINUX_SPECIFIC_BASE
+# define F_LINUX_SPECIFIC_BASE 1024
+#endif
+#ifndef F_ADD_SEALS
+# define F_ADD_SEALS (F_LINUX_SPECIFIC_BASE + 9)
+# define F_GET_SEALS (F_LINUX_SPECIFIC_BASE + 10)
+#endif
+#ifndef F_SEAL_SEAL
+# define F_SEAL_SEAL 0x0001 /* prevent further seals from being set */
+# define F_SEAL_SHRINK 0x0002 /* prevent file from shrinking */
+# define F_SEAL_GROW 0x0004 /* prevent file from growing */
+# define F_SEAL_WRITE 0x0008 /* prevent writes */
+#endif
+
+
+#define OUR_MEMFD_COMMENT "runc_cloned:/proc/self/exe"
+#define OUR_MEMFD_SEALS \
+ (F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)
+
+static void *must_realloc(void *ptr, size_t size)
+{
+ void *old = ptr;
+ do {
+ ptr = realloc(old, size);
+ } while(!ptr);
+ return ptr;
+}
+
+/*
+ * Verify whether we are currently in a self-cloned program (namely, is
+ * /proc/self/exe a memfd). F_GET_SEALS will only succeed for memfds (or rather
+ * for shmem files), and we want to be sure it's actually sealed.
+ */
+static int is_self_cloned(void)
+{
+ int fd, seals;
+
+ fd = open("/proc/self/exe", O_RDONLY|O_CLOEXEC);
+ if (fd < 0)
+ return -ENOTRECOVERABLE;
+
+ seals = fcntl(fd, F_GET_SEALS);
+ close(fd);
+ return seals == OUR_MEMFD_SEALS;
+}
+
+/*
+ * Basic wrapper around mmap(2) that gives you the file length so you can
+ * safely treat it as an ordinary buffer. Only gives you read access.
+ */
+static char *read_file(char *path, size_t *length)
+{
+ int fd;
+ char buf[4096], *copy = NULL;
+
+ if (!length)
+ return NULL;
+
+ fd = open(path, O_RDONLY | O_CLOEXEC);
+ if (fd < 0)
+ return NULL;
+
+ *length = 0;
+ for (;;) {
+ int n;
+
+ n = read(fd, buf, sizeof(buf));
+ if (n < 0)
+ goto error;
+ if (!n)
+ break;
+
+ copy = must_realloc(copy, (*length + n) * sizeof(*copy));
+ memcpy(copy + *length, buf, n);
+ *length += n;
+ }
+ close(fd);
+ return copy;
+
+error:
+ close(fd);
+ free(copy);
+ return NULL;
+}
+
+/*
+ * A poor-man's version of "xargs -0". Basically parses a given block of
+ * NUL-delimited data, within the given length and adds a pointer to each entry
+ * to the array of pointers.
+ */
+static int parse_xargs(char *data, int data_length, char ***output)
+{
+ int num = 0;
+ char *cur = data;
+
+ if (!data || *output != NULL)
+ return -1;
+
+ while (cur < data + data_length) {
+ num++;
+ *output = must_realloc(*output, (num + 1) * sizeof(**output));
+ (*output)[num - 1] = cur;
+ cur += strlen(cur) + 1;
+ }
+ (*output)[num] = NULL;
+ return num;
+}
+
+/*
+ * "Parse" out argv and envp from /proc/self/cmdline and /proc/self/environ.
+ * This is necessary because we are running in a context where we don't have a
+ * main() that we can just get the arguments from.
+ */
+static int fetchve(char ***argv, char ***envp)
+{
+ char *cmdline = NULL, *environ = NULL;
+ size_t cmdline_size, environ_size;
+
+ cmdline = read_file("/proc/self/cmdline", &cmdline_size);
+ if (!cmdline)
+ goto error;
+ environ = read_file("/proc/self/environ", &environ_size);
+ if (!environ)
+ goto error;
+
+ if (parse_xargs(cmdline, cmdline_size, argv) <= 0)
+ goto error;
+ if (parse_xargs(environ, environ_size, envp) <= 0)
+ goto error;
+
+ return 0;
+
+error:
+ free(environ);
+ free(cmdline);
+ return -EINVAL;
+}
+
+#define SENDFILE_MAX 0x7FFFF000 /* sendfile(2) is limited to 2GB. */
+static int clone_binary(void)
+{
+ int binfd, memfd, err;
+ ssize_t sent = 0;
+
+ memfd = memfd_create(OUR_MEMFD_COMMENT, MFD_CLOEXEC | MFD_ALLOW_SEALING);
+ if (memfd < 0)
+ return -ENOTRECOVERABLE;
+
+ binfd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
+ if (binfd < 0)
+ goto error;
+
+ sent = sendfile(memfd, binfd, NULL, SENDFILE_MAX);
+ close(binfd);
+ if (sent < 0)
+ goto error;
+
+ err = fcntl(memfd, F_ADD_SEALS, OUR_MEMFD_SEALS);
+ if (err < 0)
+ goto error;
+
+ return memfd;
+
+error:
+ close(memfd);
+ return -EIO;
+}
+
+int ensure_cloned_binary(void)
+{
+ int execfd;
+ char **argv = NULL, **envp = NULL;
+
+ /* Check that we're not self-cloned, and if we are then bail. */
+ int cloned = is_self_cloned();
+ if (cloned > 0 || cloned == -ENOTRECOVERABLE)
+ return cloned;
+
+ if (fetchve(&argv, &envp) < 0)
+ return -EINVAL;
+
+ execfd = clone_binary();
+ if (execfd < 0)
+ return -EIO;
+
+ fexecve(execfd, argv, envp);
+ return -ENOEXEC;
+}
diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
index 30d5d594..0019dd9a 100644
--- a/libcontainer/nsenter/nsexec.c
+++ b/libcontainer/nsenter/nsexec.c
@@ -399,6 +399,9 @@ void nl_free(struct nlconfig_t *config)
free(config->data);
}
+/* Defined in cloned_binary.c. */
+int ensure_cloned_binary(void);
+
void nsexec(void)
{
int pipenum;
@@ -414,6 +417,14 @@ void nsexec(void)
if (pipenum == -1)
return;
+ /*
+ * We need to re-exec if we are not in a cloned binary. This is necessary
+ * to ensure that containers won't be able to access the host binary
+ * through /proc/self/exe. See CVE-2019-5736.
+ */
+ if (ensure_cloned_binary() < 0)
+ bail("could not ensure we are a cloned binary");
+
/* make the process non-dumpable */
if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) {
bail("failed to set process as non-dumpable");
--
2.20.1

94
sdk_container/src/third_party/coreos-overlay/app-emulation/runc/files/0002-1.0.0_rc2_p9-Fix-setting-selinux-label-for-mqueue-under-userns.patch vendored
View File

@ -1,94 +0,0 @@
From 3ce50afe04f102cf28dbb6425773011707bf3ae0 Mon Sep 17 00:00:00 2001
From: Mrunal Patel <mrunalp@gmail.com>
Date: Wed, 12 Oct 2016 16:46:59 -0700
Subject: [PATCH] Fix setting SELinux label for mqueue when user namespaces are
enabled
If one tries to user SELinux with user namespaces, then labeling of /dev/mqueue
fails because the IPC namespace belongs to the root in init_user_ns. This
commit fixes that by unsharing IPC namespace after we clone into a new USER
namespace so the IPC namespace is owned by the root inside the new USER
namespace as opposed to init_user_ns.
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
---
libcontainer/nsenter/nsexec.c | 25 ++++++++++++++++++++-----
1 file changed, 20 insertions(+), 5 deletions(-)
diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
index b93f827..1e8d4da 100644
--- a/libcontainer/nsenter/nsexec.c
+++ b/libcontainer/nsenter/nsexec.c
@@ -94,14 +94,20 @@ static int child_func(void *arg)
longjmp(*ca->env, JUMP_VAL);
}
-static int clone_parent(jmp_buf *env, int flags) __attribute__ ((noinline));
-static int clone_parent(jmp_buf *env, int flags)
+static int clone_parent(jmp_buf *env, int flags, bool delay_ipc_unshare) __attribute__ ((noinline));
+static int clone_parent(jmp_buf *env, int flags, bool delay_ipc_unshare)
{
int child;
struct clone_arg ca = {
.env = env,
};
+ // Don't clone into NEWIPC at the same time as cloning into NEWUSER.
+ // This way we can ensure that NEWIPC namespace belongs to the root in new user namespace.
+ if (delay_ipc_unshare) {
+ flags &= ~CLONE_NEWIPC;
+ }
+
child = clone(child_func, ca.stack_ptr, CLONE_PARENT | SIGCHLD | flags, &ca);
/*
@@ -227,7 +233,7 @@ static void update_gidmap(int pid, char *map, int map_len)
#define JSON_MAX 4096
-static void start_child(int pipenum, jmp_buf *env, int syncpipe[2], struct nlconfig_t *config)
+static void start_child(int pipenum, jmp_buf *env, int syncpipe[2], struct nlconfig_t *config, bool delay_ipc_unshare)
{
int len, childpid;
char buf[JSON_MAX];
@@ -239,7 +245,7 @@ static void start_child(int pipenum, jmp_buf *env, int syncpipe[2], struct nlcon
* (the bootstrap process). Also so we don't need to forward the
* child's exit code or resend its death signal.
*/
- childpid = clone_parent(env, config->cloneflags);
+ childpid = clone_parent(env, config->cloneflags, delay_ipc_unshare);
if (childpid < 0)
bail("unable to fork");
@@ -415,6 +421,9 @@ void nsexec(void)
if (config.cloneflags == -1)
bail("missing clone_flags");
+ bool delay_ipc_unshare = ((config.cloneflags & CLONE_NEWUSER) == CLONE_NEWUSER)
+ && ((config.cloneflags & CLONE_NEWIPC) == CLONE_NEWIPC);
+
/* Pipe so we can tell the child when we've finished setting up. */
if (pipe(syncpipe) < 0)
bail("failed to setup sync pipe between parent and child");
@@ -447,6 +456,12 @@ void nsexec(void)
if (setgroups(0, NULL) < 0)
bail("setgroups failed");
+ if (delay_ipc_unshare) {
+ if (unshare(CLONE_NEWIPC)) {
+ bail("unable to unshare IPC namespace");
+ }
+ }
+
if (consolefd != -1) {
if (ioctl(consolefd, TIOCSCTTY, 0) < 0)
bail("ioctl TIOCSCTTY failed");
@@ -466,7 +481,7 @@ void nsexec(void)
}
/* Run the parent code. */
- start_child(pipenum, &env, syncpipe, &config);
+ start_child(pipenum, &env, syncpipe, &config, delay_ipc_unshare);
/* Should never be reached. */
bail("should never be reached");

31
sdk_container/src/third_party/coreos-overlay/app-emulation/runc/metadata.xml vendored
View File

@ -1,31 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<longdescription lang="en">
runc is a CLI tool for spawning and running containers according
to the OCF (Open Container Format) specification.
</longdescription>
<maintainer type="person">
<email>cardoe@gentoo.org</email>
<name>Doug Goldstein</name>
</maintainer>
<maintainer type="person">
<email>williamh@gentoo.org</email>
<name>William Hubbs</name>
</maintainer>
<maintainer type="person">
<email>mrueg@gentoo.org</email>
<name>Manuel Rüger</name>
</maintainer>
<use>
<flag name="ambient">
Enable support for ambient capabilities set (Requires Linux kernel 4.3 or later).
</flag>
<flag name="apparmor">
Enable AppArmor support.
</flag>
</use>
<upstream>
<remote-id type="github">opencontainers/runc</remote-id>
</upstream>
</pkgmetadata>

63
sdk_container/src/third_party/coreos-overlay/app-emulation/runc/runc-1.0.0_rc2_p9-r1.ebuild vendored
View File

@ -1,63 +0,0 @@
# Copyright 1999-2016 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: $
EAPI=5
GITHUB_URI="github.com/opencontainers/runc"
COREOS_GO_PACKAGE="${GITHUB_URI}"
COREOS_GO_VERSION="go1.6"
# the commit of runc that docker uses.
# see https://github.com/docker/docker/blob/v1.12.6/Dockerfile#L245
# Note: this commit is only really present in `docker/runc` in the 'docker/1.12.x' branch
# Update the patch number when this commit is changed (i.e. the _p in the
# ebuild).
# The patch version is arbitrarily the number of commits since the tag version
# spcified in the ebuild name. For example:
# $ git log v1.0.0-rc2..${COMMIT_ID} --oneline | wc -l
COMMIT_ID="50a19c6ff828c58e5dab13830bd3dacde268afe5"
inherit eutils flag-o-matic coreos-go-depend vcs-snapshot
DESCRIPTION="runc container cli tools"
HOMEPAGE="http://runc.io"
SRC_URI="https://${GITHUB_URI}/archive/${COMMIT_ID}.tar.gz -> ${P}.tar.gz"
KEYWORDS="amd64 arm64"
LICENSE="Apache-2.0"
SLOT="0"
IUSE="apparmor selinux +seccomp"
DEPEND=""
RDEPEND="
apparmor? ( sys-libs/libapparmor )
seccomp? ( sys-libs/libseccomp )
"
src_prepare() {
epatch "${FILESDIR}/0001-Makefile-do-not-install-dependencies-of-target.patch"
epatch "${FILESDIR}/0002-${PV}-Fix-setting-selinux-label-for-mqueue-under-userns.patch"
epatch "${FILESDIR}/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b_1.12.patch"
# Work around https://github.com/golang/go/issues/14669
# Remove after updating to go1.7
filter-flags -O*
go_export
}
src_compile() {
# build up optional flags
local options=(
$(usev apparmor)
$(usev seccomp)
$(usev selinux)
)
emake BUILDTAGS="${options[*]}" COMMIT="${COMMIT_ID}"
}
src_install() {
dobin runc
}

26
sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-1.12.ebuild vendored
View File

@ -1,26 +0,0 @@
# Copyright (c) 2017 CoreOS, Inc.. All rights reserved.
# Distributed under the terms of the GNU General Public License v2
EAPI=2
DESCRIPTION="Packages to be installed in a torcx image for Docker"
LICENSE="GPL-2"
SLOT="0"
KEYWORDS="amd64 arm64"
# Explicitly list all packages that will be built into the image.
RDEPEND="
~app-emulation/docker-1.12.6
~app-emulation/containerd-0.2.5
~app-emulation/runc-1.0.0_rc2_p9
"
src_install() {
insinto /.torcx
newins "${FILESDIR}/${P}-manifest.json" manifest.json
# Enable the Docker socket by default.
local unitdir=/usr/lib/systemd/system
dosym ../docker.socket "${unitdir}/sockets.target.wants/docker.socket"
}

27
sdk_container/src/third_party/coreos-overlay/app-torcx/docker/files/docker-1.12-manifest.json vendored
View File

@ -1,27 +0,0 @@
{
"kind": "image-manifest-v0",
"value": {
"bin": [
"/bin/containerd",
"/bin/containerd-shim",
"/bin/ctr",
"/bin/docker",
"/bin/docker-containerd",
"/bin/docker-containerd-shim",
"/bin/docker-proxy",
"/bin/docker-runc",
"/bin/dockerd",
"/bin/runc"
],
"network": [
"/lib/systemd/network/50-docker.network",
"/lib/systemd/network/90-docker-veth.network"
],
"units": [
"/lib/systemd/system/containerd.service",
"/lib/systemd/system/docker.service",
"/lib/systemd/system/docker.socket",
"/lib/systemd/system/sockets.target.wants"
]
}
}

3
sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/package.use vendored
View File

@ -6,9 +6,6 @@ sys-apps/systemd selinux
# Enable SELinux for coreutils
sys-apps/coreutils selinux
# Enable SELinux for runc
app-emulation/runc selinux
# Enable SELinux for tar
app-arch/tar selinux