diff --git a/sdk_container/src/third_party/coreos-overlay/app-arch/torcx/files/docker-1.12-yes.json b/sdk_container/src/third_party/coreos-overlay/app-arch/torcx/files/docker-1.12-yes.json deleted file mode 100644 index 8c9c97fb51..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-arch/torcx/files/docker-1.12-yes.json +++ /dev/null @@ -1,11 +0,0 @@ -{ - "kind": "profile-manifest-v0", - "value": { - "images": [ - { - "name": "docker", - "reference": "1.12" - } - ] - } -} diff --git a/sdk_container/src/third_party/coreos-overlay/app-arch/torcx/torcx-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/app-arch/torcx/torcx-9999.ebuild index 7d527d8187..6e8b602b11 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-arch/torcx/torcx-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-arch/torcx/torcx-9999.ebuild @@ -44,7 +44,6 @@ src_install() { insinto "${vendordir}/profiles" doins "${FILESDIR}/docker-1.12-no.json" - doins "${FILESDIR}/docker-1.12-yes.json" doins "${FILESDIR}/vendor.json" dodir "${vendordir}/store" diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/Manifest b/sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/Manifest index 4b4021b7c2..04f2a4d5a1 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/Manifest 
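Review bot: The torcx vendor profile `docker-1.12-yes.json` stops being installed here, but neither the hunk nor the commit record says what a host whose torcx profile selection still names `docker-1.12-yes` will see after this update; if that name is resolved against `${vendordir}/profiles` at boot, it now resolves to nothing (inferred from the install path, not visible on this page). A sentence in the commit description naming the replacement profile, or a transitional profile file under the old name, would make the removal safe to roll out. The retained `docker-1.12-no.json` and `vendor.json` lines are unaffected. `src_install` continues beyond the hunk.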
@@ -1,3 +1,2 @@ -DIST containerd-0.2.5.tar.gz 1003500 BLAKE2B ef08782b068e1d81df34881bdd156e7aa387d2710aee9b9c3b05a3d7cb018b7f78aab0aec77640823d8976636265e18ffc69abc25a4c326180b2c18c00059a4c SHA512 ba1e074bb7556a7c4be4d68dc62aa2fa4b823682c209d1609c1f11518a7b7167139ea159d31e0b21ba190d83115a67e5e45b54b6a4770742d49e9e561309551f DIST containerd-0.2.6.tar.gz 1020572 BLAKE2B b235acc5badd3c3d87f72910c11e6adfd73e2cb7aa5273ab0ed9e6642aff8980d9b2a74875b4a69db36eaf67350124ef8629b0f460bdbe2d16d1ab834ba1e2cc SHA512 41018bda556a3ddfb1bd3a16e642548ba06f413b13fd1488e731896e277ba6c84a393ebd5de067ecaeccc695297a2b74edf22e5a3fe8f2e3eadf78d080bdeff6 DIST containerd-1.4.3.tar.gz 6178784 BLAKE2B 181ba9139ff9f245d71459baed21a6f2cde2d64f10bb42ae9361167c2686ccf25a90ee213df8f6d430a3c70390d0cd3e6620e42c6c7ec2dfe51289ca2d4add3c SHA512 40501a45c46e4f2f6df1ce9e4142612863b400bb2e804b1e23a0b9f0b1ed3d5c83a6fcce4e70f82a4557ce0f301e2de11cf2935039cb74b8ebec0dc71752406e diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/containerd-0.2.5-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/containerd-0.2.5-r3.ebuild deleted file mode 100644 index 91708ac150..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/containerd-0.2.5-r3.ebuild +++ /dev/null 
@@ -1,39 +0,0 @@ -# Copyright 1999-2016 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 -# $Id$ - -EAPI=5 - -GITHUB_URI="github.com/docker/${PN}" -COREOS_GO_PACKAGE="${GITHUB_URI}" -COREOS_GO_VERSION="go1.7" - -MY_PV="${PV/_/-}" -EGIT_COMMIT="v${MY_PV}" -SRC_URI="https://${GITHUB_URI}/archive/${EGIT_COMMIT}.tar.gz -> ${P}.tar.gz" -KEYWORDS="amd64 arm64" -inherit vcs-snapshot - -inherit coreos-go systemd - -DESCRIPTION="A daemon to control runC" -HOMEPAGE="https://containerd.tools" - -LICENSE="Apache-2.0" -SLOT="0" -IUSE="seccomp" - -DEPEND="" -RDEPEND="app-emulation/runc - seccomp? ( sys-libs/libseccomp )" - -src_compile() { - local options=( $(usev seccomp) ) - LDFLAGS= emake GIT_COMMIT="$EGIT_COMMIT" BUILDTAGS="${options[*]}" -} - -src_install() { - dobin bin/containerd* bin/ctr - - systemd_dounit "${FILESDIR}/containerd.service" -} diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc2_p136-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc2_p136-r1.ebuild index eb66b23a6b..1910170a79 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc2_p136-r1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc2_p136-r1.ebuild @@ -30,7 +30,6 @@ IUSE="apparmor hardened +seccomp selinux" RDEPEND=" apparmor? ( sys-libs/libapparmor ) seccomp? ( sys-libs/libseccomp ) - !app-emulation/runc " S=${WORKDIR}/${P}/src/${COREOS_GO_PACKAGE} diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc92.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc92.ebuild index 7b08b31855..ae5daf34c8 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc92.ebuild 
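Review bot: The CVE-2019-5736 nsenter patch that this commit deletes (`0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b_1.12.patch`) lived only under app-emulation/runc/files, yet docker-runc-1.0.0_rc2_p136-r1, whose `RDEPEND` is edited in this hunk, is likewise an rc2-based build that stays in the overlay; whether that ebuild carries an equivalent fix from its own files or its upstream snapshot is not visible on this page and should be confirmed before the patch copy is dropped. Removing the `!app-emulation/runc` blocker here, and identically in the docker-runc-1.0.0_rc92 hunk on the next line, is consistent with deleting the app-emulation/runc package, but nothing records why the blocker is now unnecessary; a one-line comment above `RDEPEND`, such as `# no blocker on app-emulation/runc: that package was removed from this overlay`, or a sentence in the commit description would do. The `RDEPEND` assignment is shown in full within the hunk.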
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc92.ebuild @@ -29,7 +29,6 @@ IUSE="ambient apparmor hardened +seccomp selinux" RDEPEND=" apparmor? ( sys-libs/libapparmor ) seccomp? ( sys-libs/libseccomp ) - !app-emulation/runc " S=${WORKDIR}/${P}/src/${COREOS_GO_PACKAGE} diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.12.6-r8.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.12.6-r8.ebuild deleted file mode 100644 index c462afcfd1..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.12.6-r8.ebuild +++ /dev/null 
@@ -1,321 +0,0 @@ -# Copyright 1999-2015 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 -# $Id$ - -EAPI=5 - -CROS_WORKON_PROJECT="flatcar-linux/docker" -CROS_WORKON_LOCALNAME="docker" -CROS_WORKON_REPO="git://github.com" -COREOS_GO_VERSION="go1.7" - -CROS_WORKON_COMMIT="d9ad3fcd5cfb3f72ea60d08d540a350b17b7b035" # coreos-1.12.6 -DOCKER_GITCOMMIT="${CROS_WORKON_COMMIT:0:7}" -KEYWORDS="amd64 arm64" - -inherit bash-completion-r1 eutils linux-info multilib systemd udev user cros-workon coreos-go-depend - -DESCRIPTION="Docker complements kernel namespacing with a high-level API which operates at the process level" -HOMEPAGE="https://dockerproject.org" -LICENSE="Apache-2.0" -SLOT="0" -IUSE="apparmor aufs +btrfs contrib +device-mapper experimental +overlay seccomp - +selinux vim-syntax zsh-completion +journald" - -# https://github.com/docker/docker/blob/master/hack/PACKAGERS.md#build-dependencies -CDEPEND=" - >=dev-db/sqlite-3.7.9:3 - device-mapper? ( - >=sys-fs/lvm2-2.02.89[thin] - ) - seccomp? ( - >=sys-libs/libseccomp-2.2.1[static-libs] - ) - journald? ( - >=sys-apps/systemd-225 - ) -" - -DEPEND=" - ${CDEPEND} - - btrfs? ( - >=sys-fs/btrfs-progs-3.16.1 - ) -" - -# For CoreOS builds coreos-kernel must be installed because this ebuild -# checks the kernel config. The kernel config is left by the kernel compile -# or an explicit copy when installing binary packages. See coreos-kernel.eclass -DEPEND+="sys-kernel/coreos-kernel" - -# https://github.com/docker/docker/blob/master/hack/PACKAGERS.md#runtime-dependencies -# https://github.com/docker/docker/blob/master/hack/PACKAGERS.md#optional-dependencies -RDEPEND=" - ${CDEPEND} - - !app-emulation/docker-bin - >=net-firewall/iptables-1.4 - sys-process/procps - >=dev-vcs/git-1.7 - >=app-arch/xz-utils-4.9 - >=sys-apps/shadow-4.4 - - ~app-emulation/containerd-0.2.5[seccomp?] - ~app-emulation/runc-1.0.0_rc2_p9[apparmor?,seccomp?] 
-" - -RESTRICT="installsources strip" - -# see "contrib/check-config.sh" from upstream's sources -CONFIG_CHECK=" - ~NAMESPACES ~NET_NS ~PID_NS ~IPC_NS ~UTS_NS - ~CGROUPS ~CGROUP_CPUACCT ~CGROUP_DEVICE ~CGROUP_FREEZER ~CGROUP_SCHED ~CPUSETS ~MEMCG - ~KEYS ~MACVLAN ~VETH ~BRIDGE ~BRIDGE_NETFILTER - ~NF_NAT_IPV4 ~IP_NF_FILTER ~IP_NF_MANGLE ~IP_NF_TARGET_MASQUERADE - ~IP_VS ~IP_VS_RR - ~NETFILTER_XT_MATCH_ADDRTYPE ~NETFILTER_XT_MATCH_CONNTRACK - ~NETFILTER_XT_MATCH_IPVS - ~NETFILTER_XT_MARK ~NETFILTER_XT_TARGET_REDIRECT - ~NF_NAT ~NF_NAT_NEEDED - - ~POSIX_MQUEUE - - ~MEMCG_SWAP ~MEMCG_SWAP_ENABLED - - ~BLK_CGROUP ~IOSCHED_CFQ - ~CGROUP_PERF - ~CGROUP_HUGETLB - ~NET_CLS_CGROUP - ~CFS_BANDWIDTH ~FAIR_GROUP_SCHED ~RT_GROUP_SCHED - ~XFRM_ALGO ~XFRM_USER -" - -ERROR_KEYS="CONFIG_KEYS: is mandatory" -ERROR_MEMCG_SWAP="CONFIG_MEMCG_SWAP: is required if you wish to limit swap usage of containers" -ERROR_RESOURCE_COUNTERS="CONFIG_RESOURCE_COUNTERS: is optional for container statistics gathering" - -ERROR_BLK_CGROUP="CONFIG_BLK_CGROUP: is optional for container statistics gathering" -ERROR_IOSCHED_CFQ="CONFIG_IOSCHED_CFQ: is optional for container statistics gathering" -ERROR_CGROUP_PERF="CONFIG_CGROUP_PERF: is optional for container statistics gathering" -ERROR_CFS_BANDWIDTH="CONFIG_CFS_BANDWIDTH: is optional for container statistics gathering" -ERROR_XFRM_ALGO="CONFIG_XFRM_ALGO: is optional for secure networks" -ERROR_XFRM_USER="CONFIG_XFRM_USER: is optional for secure networks" - -pkg_setup() { - if kernel_is lt 3 10; then - ewarn "" - ewarn "Using Docker with kernels older than 3.10 is unstable and unsupported." - ewarn " - http://docs.docker.com/installation/binaries/#check-kernel-dependencies" - fi - - # for where these kernel versions come from, see: - # https://www.google.com/search?q=945b2b2d259d1a4364a2799e80e8ff32f8c6ee6f+site%3Akernel.org%2Fpub%2Flinux%2Fkernel+file%3AChangeLog* - if ! 
{ - kernel_is ge 3 16 \ - || { kernel_is 3 15 && kernel_is ge 3 15 5; } \ - || { kernel_is 3 14 && kernel_is ge 3 14 12; } \ - || { kernel_is 3 12 && kernel_is ge 3 12 25; } - }; then - ewarn "" - ewarn "There is a serious Docker-related kernel panic that has been fixed in 3.16+" - ewarn " (and was backported to 3.15.5+, 3.14.12+, and 3.12.25+)" - ewarn "" - ewarn "See also https://github.com/docker/docker/issues/2960" - fi - - if kernel_is le 3 18; then - CONFIG_CHECK+=" - ~RESOURCE_COUNTERS - " - fi - - if kernel_is le 3 13; then - CONFIG_CHECK+=" - ~NETPRIO_CGROUP - " - else - CONFIG_CHECK+=" - ~CGROUP_NET_PRIO - " - fi - - if kernel_is lt 4 5; then - CONFIG_CHECK+=" - ~MEMCG_KMEM - " - ERROR_MEMCG_KMEM="CONFIG_MEMCG_KMEM: is optional" - fi - - if kernel_is lt 4 7; then - CONFIG_CHECK+=" - ~DEVPTS_MULTIPLE_INSTANCES - " - fi - - if use aufs; then - CONFIG_CHECK+=" - ~AUFS_FS - ~EXT4_FS_POSIX_ACL ~EXT4_FS_SECURITY - " - ERROR_AUFS_FS="CONFIG_AUFS_FS: is required to be set if and only if aufs-sources are used instead of aufs4/aufs3" - fi - - if use btrfs; then - CONFIG_CHECK+=" - ~BTRFS_FS - " - fi - - if use device-mapper; then - CONFIG_CHECK+=" - ~BLK_DEV_DM ~DM_THIN_PROVISIONING ~EXT4_FS ~EXT4_FS_POSIX_ACL ~EXT4_FS_SECURITY - " - fi - - if use overlay; then - CONFIG_CHECK+=" - ~OVERLAY_FS ~EXT4_FS_SECURITY ~EXT4_FS_POSIX_ACL - " - fi - - if use seccomp; then - CONFIG_CHECK+=" - ~SECCOMP - " - fi - - linux-info_pkg_setup - - # create docker group for the code checking for it in /etc/group - enewgroup docker -} - -src_prepare() { - # allow user patches (use sparingly - upstream won't support them) - epatch_user - - # remove the .git directory so that hack/make.sh uses DOCKER_GITCOMMIT - # for the commit hash. 
- rm --recursive --force .git -} - -src_compile() { - # if we treat them right, Docker's build scripts will set up a - # reasonable GOPATH for us - export AUTO_GOPATH=1 - - # if we're building from a zip, we need the GITCOMMIT value - [ "$DOCKER_GITCOMMIT" ] && export DOCKER_GITCOMMIT - - if gcc-specs-pie; then - sed -i "s/EXTLDFLAGS_STATIC='/&-fno-PIC /" hack/make.sh || die - grep -q -- '-fno-PIC' hack/make.sh || die 'hardened sed failed' - - sed "s/LDFLAGS_STATIC_DOCKER='/&-extldflags -fno-PIC /" \ - -i hack/make/dynbinary-client || die - sed "s/LDFLAGS_STATIC_DOCKER='/&-extldflags -fno-PIC /" \ - -i hack/make/dynbinary-daemon || die - grep -q -- '-fno-PIC' hack/make/dynbinary-daemon || die 'hardened sed failed' - grep -q -- '-fno-PIC' hack/make/dynbinary-client || die 'hardened sed failed' - fi - - # let's set up some optional features :) - export DOCKER_BUILDTAGS='' - for gd in aufs btrfs device-mapper overlay; do - if ! use $gd; then - DOCKER_BUILDTAGS+=" exclude_graphdriver_${gd//-/}" - fi - done - - for tag in apparmor seccomp selinux journald; do - if use $tag; then - DOCKER_BUILDTAGS+=" $tag" - fi - done - - if has_version ' -Date: Wed, 24 Aug 2016 19:34:42 -0700 -Subject: [PATCH] Makefile: do not install dependencies of target - -in order to install one must have permission to write to GOROOT which is -not the case in the CoreOS sdk. ---- - Makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/Makefile b/Makefile -index 0852c71..283aceb 100644 ---- a/Makefile -+++ b/Makefile -@@ -23,7 +23,7 @@ MAN_INSTALL_PATH := ${PREFIX}/share/man/man8/ - VERSION := ${shell cat ./VERSION} - - all: $(RUNC_LINK) -- go build -i -ldflags "-X main.gitCommit=${COMMIT} -X main.version=${VERSION}" -tags "$(BUILDTAGS)" -o runc . -+ go build -ldflags "-X main.gitCommit=${COMMIT} -X main.version=${VERSION}" -tags "$(BUILDTAGS)" -o runc . 
- - static: $(RUNC_LINK) - CGO_ENABLED=1 go build -i -tags "$(BUILDTAGS) cgo static_build" -ldflags "-w -extldflags -static -X main.gitCommit=${COMMIT} -X main.version=${VERSION}" -o runc . --- -2.9.3 - diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/files/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b_1.12.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/files/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b_1.12.patch deleted file mode 100644 index 6d85b3dcca..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/files/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b_1.12.patch +++ /dev/null 
@@ -1,290 +0,0 @@ -From 122c65bee886dda4d7bcb0512816b65fc878dacb Mon Sep 17 00:00:00 2001 -From: Aleksa Sarai -Date: Wed, 9 Jan 2019 13:40:01 +1100 -Subject: [PATCH 1/1] nsenter: clone /proc/self/exe to avoid exposing host - binary to container - -There are quite a few circumstances where /proc/self/exe pointing to a -pretty important container binary is a _bad_ thing, so to avoid this we -have to make a copy (preferably doing self-clean-up and not being -writeable). - -As a hotfix we require memfd_create(2), but we can always extend this to -use a scratch MNT_DETACH overlayfs or tmpfs. The main downside to this -approach is no page-cache sharing for the runc binary (which overlayfs -would give us) but this is far less complicated. - -This is only done during nsenter so that it happens transparently to the -Go code, and any libcontainer users benefit from it. This also makes -ExtraFiles and --preserve-fds handling trivial (because we don't need to -worry about it). - -Fixes: CVE-2019-5736 -Co-developed-by: Christian Brauner -Signed-off-by: Aleksa Sarai -Signed-off-by: Mrunal Patel ---- - libcontainer/nsenter/cloned_binary.c | 221 +++++++++++++++++++++++++++ - libcontainer/nsenter/nsexec.c | 11 ++ - 2 files changed, 232 insertions(+) - create mode 100644 libcontainer/nsenter/cloned_binary.c - -diff --git a/libcontainer/nsenter/cloned_binary.c b/libcontainer/nsenter/cloned_binary.c -new file mode 100644 -index 00000000..d9f6093a ---- /dev/null -+++ b/libcontainer/nsenter/cloned_binary.c -@@ -0,0 +1,221 @@ -+#define _GNU_SOURCE -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include -+#include -+ -+/* Use our own wrapper for memfd_create. 
*/ -+#if !defined(SYS_memfd_create) && defined(__NR_memfd_create) -+# define SYS_memfd_create __NR_memfd_create -+#endif -+#ifndef SYS_memfd_create -+# error "memfd_create(2) syscall not supported by this glibc version" -+#endif -+int memfd_create(const char *name, unsigned int flags) -+{ -+ return syscall(SYS_memfd_create, name, flags); -+} -+ -+/* This comes directly from . */ -+#ifndef F_LINUX_SPECIFIC_BASE -+# define F_LINUX_SPECIFIC_BASE 1024 -+#endif -+#ifndef F_ADD_SEALS -+# define F_ADD_SEALS (F_LINUX_SPECIFIC_BASE + 9) -+# define F_GET_SEALS (F_LINUX_SPECIFIC_BASE + 10) -+#endif -+#ifndef F_SEAL_SEAL -+# define F_SEAL_SEAL 0x0001 /* prevent further seals from being set */ -+# define F_SEAL_SHRINK 0x0002 /* prevent file from shrinking */ -+# define F_SEAL_GROW 0x0004 /* prevent file from growing */ -+# define F_SEAL_WRITE 0x0008 /* prevent writes */ -+#endif -+ -+ -+#define OUR_MEMFD_COMMENT "runc_cloned:/proc/self/exe" -+#define OUR_MEMFD_SEALS \ -+ (F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE) -+ -+static void *must_realloc(void *ptr, size_t size) -+{ -+ void *old = ptr; -+ do { -+ ptr = realloc(old, size); -+ } while(!ptr); -+ return ptr; -+} -+ -+/* -+ * Verify whether we are currently in a self-cloned program (namely, is -+ * /proc/self/exe a memfd). F_GET_SEALS will only succeed for memfds (or rather -+ * for shmem files), and we want to be sure it's actually sealed. -+ */ -+static int is_self_cloned(void) -+{ -+ int fd, seals; -+ -+ fd = open("/proc/self/exe", O_RDONLY|O_CLOEXEC); -+ if (fd < 0) -+ return -ENOTRECOVERABLE; -+ -+ seals = fcntl(fd, F_GET_SEALS); -+ close(fd); -+ return seals == OUR_MEMFD_SEALS; -+} -+ -+/* -+ * Basic wrapper around mmap(2) that gives you the file length so you can -+ * safely treat it as an ordinary buffer. Only gives you read access. 
-+ */ -+static char *read_file(char *path, size_t *length) -+{ -+ int fd; -+ char buf[4096], *copy = NULL; -+ -+ if (!length) -+ return NULL; -+ -+ fd = open(path, O_RDONLY | O_CLOEXEC); -+ if (fd < 0) -+ return NULL; -+ -+ *length = 0; -+ for (;;) { -+ int n; -+ -+ n = read(fd, buf, sizeof(buf)); -+ if (n < 0) -+ goto error; -+ if (!n) -+ break; -+ -+ copy = must_realloc(copy, (*length + n) * sizeof(*copy)); -+ memcpy(copy + *length, buf, n); -+ *length += n; -+ } -+ close(fd); -+ return copy; -+ -+error: -+ close(fd); -+ free(copy); -+ return NULL; -+} -+ -+/* -+ * A poor-man's version of "xargs -0". Basically parses a given block of -+ * NUL-delimited data, within the given length and adds a pointer to each entry -+ * to the array of pointers. -+ */ -+static int parse_xargs(char *data, int data_length, char ***output) -+{ -+ int num = 0; -+ char *cur = data; -+ -+ if (!data || *output != NULL) -+ return -1; -+ -+ while (cur < data + data_length) { -+ num++; -+ *output = must_realloc(*output, (num + 1) * sizeof(**output)); -+ (*output)[num - 1] = cur; -+ cur += strlen(cur) + 1; -+ } -+ (*output)[num] = NULL; -+ return num; -+} -+ -+/* -+ * "Parse" out argv and envp from /proc/self/cmdline and /proc/self/environ. -+ * This is necessary because we are running in a context where we don't have a -+ * main() that we can just get the arguments from. -+ */ -+static int fetchve(char ***argv, char ***envp) -+{ -+ char *cmdline = NULL, *environ = NULL; -+ size_t cmdline_size, environ_size; -+ -+ cmdline = read_file("/proc/self/cmdline", &cmdline_size); -+ if (!cmdline) -+ goto error; -+ environ = read_file("/proc/self/environ", &environ_size); -+ if (!environ) -+ goto error; -+ -+ if (parse_xargs(cmdline, cmdline_size, argv) <= 0) -+ goto error; -+ if (parse_xargs(environ, environ_size, envp) <= 0) -+ goto error; -+ -+ return 0; -+ -+error: -+ free(environ); -+ free(cmdline); -+ return -EINVAL; -+} -+ -+#define SENDFILE_MAX 0x7FFFF000 /* sendfile(2) is limited to 2GB. 
*/ -+static int clone_binary(void) -+{ -+ int binfd, memfd, err; -+ ssize_t sent = 0; -+ -+ memfd = memfd_create(OUR_MEMFD_COMMENT, MFD_CLOEXEC | MFD_ALLOW_SEALING); -+ if (memfd < 0) -+ return -ENOTRECOVERABLE; -+ -+ binfd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC); -+ if (binfd < 0) -+ goto error; -+ -+ sent = sendfile(memfd, binfd, NULL, SENDFILE_MAX); -+ close(binfd); -+ if (sent < 0) -+ goto error; -+ -+ err = fcntl(memfd, F_ADD_SEALS, OUR_MEMFD_SEALS); -+ if (err < 0) -+ goto error; -+ -+ return memfd; -+ -+error: -+ close(memfd); -+ return -EIO; -+} -+ -+int ensure_cloned_binary(void) -+{ -+ int execfd; -+ char **argv = NULL, **envp = NULL; -+ -+ /* Check that we're not self-cloned, and if we are then bail. */ -+ int cloned = is_self_cloned(); -+ if (cloned > 0 || cloned == -ENOTRECOVERABLE) -+ return cloned; -+ -+ if (fetchve(&argv, &envp) < 0) -+ return -EINVAL; -+ -+ execfd = clone_binary(); -+ if (execfd < 0) -+ return -EIO; -+ -+ fexecve(execfd, argv, envp); -+ return -ENOEXEC; -+} -diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c -index 30d5d594..0019dd9a 100644 ---- a/libcontainer/nsenter/nsexec.c -+++ b/libcontainer/nsenter/nsexec.c -@@ -399,6 +399,9 @@ void nl_free(struct nlconfig_t *config) - free(config->data); - } - -+/* Defined in cloned_binary.c. */ -+int ensure_cloned_binary(void); -+ - void nsexec(void) - { - int pipenum; -@@ -414,6 +417,14 @@ void nsexec(void) - if (pipenum == -1) - return; - -+ /* -+ * We need to re-exec if we are not in a cloned binary. This is necessary -+ * to ensure that containers won't be able to access the host binary -+ * through /proc/self/exe. See CVE-2019-5736. -+ */ -+ if (ensure_cloned_binary() < 0) -+ bail("could not ensure we are a cloned binary"); -+ - /* make the process non-dumpable */ - if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) { - bail("failed to set process as non-dumpable"); --- -2.20.1 - 
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/files/0002-1.0.0_rc2_p9-Fix-setting-selinux-label-for-mqueue-under-userns.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/files/0002-1.0.0_rc2_p9-Fix-setting-selinux-label-for-mqueue-under-userns.patch deleted file mode 100644 index 8653745603..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/files/0002-1.0.0_rc2_p9-Fix-setting-selinux-label-for-mqueue-under-userns.patch +++ /dev/null 
@@ -1,94 +0,0 @@ -From 3ce50afe04f102cf28dbb6425773011707bf3ae0 Mon Sep 17 00:00:00 2001 -From: Mrunal Patel -Date: Wed, 12 Oct 2016 16:46:59 -0700 -Subject: [PATCH] Fix setting SELinux label for mqueue when user namespaces are - enabled - -If one tries to user SELinux with user namespaces, then labeling of /dev/mqueue -fails because the IPC namespace belongs to the root in init_user_ns. This -commit fixes that by unsharing IPC namespace after we clone into a new USER -namespace so the IPC namespace is owned by the root inside the new USER -namespace as opposed to init_user_ns. - -Signed-off-by: Mrunal Patel ---- - libcontainer/nsenter/nsexec.c | 25 ++++++++++++++++++++----- - 1 file changed, 20 insertions(+), 5 deletions(-) - -diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c -index b93f827..1e8d4da 100644 ---- a/libcontainer/nsenter/nsexec.c -+++ b/libcontainer/nsenter/nsexec.c -@@ -94,14 +94,20 @@ static int child_func(void *arg) - longjmp(*ca->env, JUMP_VAL); - } - --static int clone_parent(jmp_buf *env, int flags) __attribute__ ((noinline)); --static int clone_parent(jmp_buf *env, int flags) -+static int clone_parent(jmp_buf *env, int flags, bool delay_ipc_unshare) __attribute__ ((noinline)); -+static int clone_parent(jmp_buf *env, int flags, bool delay_ipc_unshare) - { - int child; - struct clone_arg ca = { - .env = env, - }; - -+ // Don't clone into NEWIPC at the same time as cloning into NEWUSER. -+ // This way we can ensure that NEWIPC namespace belongs to the root in new user namespace. 
-+ if (delay_ipc_unshare) { -+ flags &= ~CLONE_NEWIPC; -+ } -+ - child = clone(child_func, ca.stack_ptr, CLONE_PARENT | SIGCHLD | flags, &ca); - - /* -@@ -227,7 +233,7 @@ static void update_gidmap(int pid, char *map, int map_len) - - #define JSON_MAX 4096 - --static void start_child(int pipenum, jmp_buf *env, int syncpipe[2], struct nlconfig_t *config) -+static void start_child(int pipenum, jmp_buf *env, int syncpipe[2], struct nlconfig_t *config, bool delay_ipc_unshare) - { - int len, childpid; - char buf[JSON_MAX]; -@@ -239,7 +245,7 @@ static void start_child(int pipenum, jmp_buf *env, int syncpipe[2], struct nlcon - * (the bootstrap process). Also so we don't need to forward the - * child's exit code or resend its death signal. - */ -- childpid = clone_parent(env, config->cloneflags); -+ childpid = clone_parent(env, config->cloneflags, delay_ipc_unshare); - if (childpid < 0) - bail("unable to fork"); - -@@ -415,6 +421,9 @@ void nsexec(void) - if (config.cloneflags == -1) - bail("missing clone_flags"); - -+ bool delay_ipc_unshare = ((config.cloneflags & CLONE_NEWUSER) == CLONE_NEWUSER) -+ && ((config.cloneflags & CLONE_NEWIPC) == CLONE_NEWIPC); -+ - /* Pipe so we can tell the child when we've finished setting up. */ - if (pipe(syncpipe) < 0) - bail("failed to setup sync pipe between parent and child"); -@@ -447,6 +456,12 @@ void nsexec(void) - if (setgroups(0, NULL) < 0) - bail("setgroups failed"); - -+ if (delay_ipc_unshare) { -+ if (unshare(CLONE_NEWIPC)) { -+ bail("unable to unshare IPC namespace"); -+ } -+ } -+ - if (consolefd != -1) { - if (ioctl(consolefd, TIOCSCTTY, 0) < 0) - bail("ioctl TIOCSCTTY failed"); -@@ -466,7 +481,7 @@ void nsexec(void) - } - - /* Run the parent code. */ -- start_child(pipenum, &env, syncpipe, &config); -+ start_child(pipenum, &env, syncpipe, &config, delay_ipc_unshare); - - /* Should never be reached. */ - bail("should never be reached"); 
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/metadata.xml b/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/metadata.xml deleted file mode 100644 index 91b38bdea9..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/metadata.xml +++ /dev/null @@ -1,31 +0,0 @@ - - - - - runc is a CLI tool for spawning and running containers according - to the OCF (Open Container Format) specification. - - - cardoe@gentoo.org - Doug Goldstein - - - williamh@gentoo.org - William Hubbs - - - mrueg@gentoo.org - Manuel RĂ¼ger - - - - Enable support for ambient capabilities set (Requires Linux kernel 4.3 or later). - - - Enable AppArmor support. - - - - opencontainers/runc - - diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/runc-1.0.0_rc2_p9-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/runc-1.0.0_rc2_p9-r1.ebuild deleted file mode 100644 index 6b0c2c5c6c..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/runc-1.0.0_rc2_p9-r1.ebuild +++ /dev/null 
@@ -1,63 +0,0 @@ -# Copyright 1999-2016 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 -# $Header: $ - -EAPI=5 - -GITHUB_URI="github.com/opencontainers/runc" -COREOS_GO_PACKAGE="${GITHUB_URI}" -COREOS_GO_VERSION="go1.6" -# the commit of runc that docker uses. -# see https://github.com/docker/docker/blob/v1.12.6/Dockerfile#L245 -# Note: this commit is only really present in `docker/runc` in the 'docker/1.12.x' branch -# Update the patch number when this commit is changed (i.e. the _p in the -# ebuild). -# The patch version is arbitrarily the number of commits since the tag version -# spcified in the ebuild name. For example: -# $ git log v1.0.0-rc2..${COMMIT_ID} --oneline | wc -l -COMMIT_ID="50a19c6ff828c58e5dab13830bd3dacde268afe5" - -inherit eutils flag-o-matic coreos-go-depend vcs-snapshot - -DESCRIPTION="runc container cli tools" -HOMEPAGE="http://runc.io" - -SRC_URI="https://${GITHUB_URI}/archive/${COMMIT_ID}.tar.gz -> ${P}.tar.gz" -KEYWORDS="amd64 arm64" - -LICENSE="Apache-2.0" -SLOT="0" -IUSE="apparmor selinux +seccomp" - -DEPEND="" -RDEPEND=" - apparmor? ( sys-libs/libapparmor ) - seccomp? ( sys-libs/libseccomp ) -" - -src_prepare() { - epatch "${FILESDIR}/0001-Makefile-do-not-install-dependencies-of-target.patch" - epatch "${FILESDIR}/0002-${PV}-Fix-setting-selinux-label-for-mqueue-under-userns.patch" - epatch "${FILESDIR}/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b_1.12.patch" - - # Work around https://github.com/golang/go/issues/14669 - # Remove after updating to go1.7 - filter-flags -O* - - go_export -} - -src_compile() { - # build up optional flags - local options=( - $(usev apparmor) - $(usev seccomp) - $(usev selinux) - ) - - emake BUILDTAGS="${options[*]}" COMMIT="${COMMIT_ID}" -} - -src_install() { - dobin runc -} 
diff --git a/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-1.12.ebuild b/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-1.12.ebuild deleted file mode 100644 index fdc2701eda..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-1.12.ebuild +++ /dev/null @@ -1,26 +0,0 @@ -# Copyright (c) 2017 CoreOS, Inc.. All rights reserved. -# Distributed under the terms of the GNU General Public License v2 - -EAPI=2 - -DESCRIPTION="Packages to be installed in a torcx image for Docker" - -LICENSE="GPL-2" -SLOT="0" -KEYWORDS="amd64 arm64" - -# Explicitly list all packages that will be built into the image. -RDEPEND=" - ~app-emulation/docker-1.12.6 - ~app-emulation/containerd-0.2.5 - ~app-emulation/runc-1.0.0_rc2_p9 -" - -src_install() { - insinto /.torcx - newins "${FILESDIR}/${P}-manifest.json" manifest.json - - # Enable the Docker socket by default. - local unitdir=/usr/lib/systemd/system - dosym ../docker.socket "${unitdir}/sockets.target.wants/docker.socket" -} diff --git a/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/files/docker-1.12-manifest.json b/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/files/docker-1.12-manifest.json deleted file mode 100644 index b8bdf18da4..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/files/docker-1.12-manifest.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "kind": "image-manifest-v0", - "value": { - "bin": [ - "/bin/containerd", - "/bin/containerd-shim", - "/bin/ctr", - "/bin/docker", - "/bin/docker-containerd", - "/bin/docker-containerd-shim", - "/bin/docker-proxy", - "/bin/docker-runc", - "/bin/dockerd", - "/bin/runc" - ], - "network": [ - "/lib/systemd/network/50-docker.network", - "/lib/systemd/network/90-docker-veth.network" - ], - "units": [ - "/lib/systemd/system/containerd.service", - "/lib/systemd/system/docker.service", - "/lib/systemd/system/docker.socket", - "/lib/systemd/system/sockets.target.wants" - ] - } -} diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/package.use index f39aadd998..8ef3c98ded 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/package.use +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/package.use @@ -6,9 +6,6 @@ sys-apps/systemd selinux # Enable SELinux for coreutils sys-apps/coreutils selinux -# Enable SELinux for runc -app-emulation/runc selinux - # Enable SELinux for tar app-arch/tar selinux