project-lakitu: Update runc to v1.0.0_rc95
This patch updates runc to v1.0.0_rc95 and bumps the dependent
ebuilds accordingly. This addresses CVE-2021-30465.
BUG=b/189884213
TEST=Tested local build.
RELEASE_NOTE=Updated runc to v1.0.0_rc95 to take care of CVE-2021-30465.
Change-Id: I1a160293ef47bfc1035cf33250be985602a19902
Reviewed-on: https://cos-review.googlesource.com/c/cos/overlays/board-overlays/+/17490
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Reviewed-by: Robert Kolchmeyer <rkolchmeyer@google.com>
diff --git a/project-lakitu/app-emulation/containerd/containerd-1.4.4-r1.ebuild b/project-lakitu/app-emulation/containerd/containerd-1.4.4-r2.ebuild
similarity index 100%
rename from project-lakitu/app-emulation/containerd/containerd-1.4.4-r1.ebuild
rename to project-lakitu/app-emulation/containerd/containerd-1.4.4-r2.ebuild
diff --git a/project-lakitu/app-emulation/containerd/containerd-1.4.4.ebuild b/project-lakitu/app-emulation/containerd/containerd-1.4.4.ebuild
index da2ce52..9aa3476 100644
--- a/project-lakitu/app-emulation/containerd/containerd-1.4.4.ebuild
+++ b/project-lakitu/app-emulation/containerd/containerd-1.4.4.ebuild
@@ -27,7 +27,7 @@
# containerd.service.
RDEPEND="
${DEPEND}
- ~app-emulation/runc-1.0.0_rc92
+ ~app-emulation/runc-1.0.0_rc95
sys-apps/systemd
"
diff --git a/project-lakitu/app-emulation/docker/docker-20.10.6-r2.ebuild b/project-lakitu/app-emulation/docker/docker-20.10.6-r3.ebuild
similarity index 100%
rename from project-lakitu/app-emulation/docker/docker-20.10.6-r2.ebuild
rename to project-lakitu/app-emulation/docker/docker-20.10.6-r3.ebuild
diff --git a/project-lakitu/app-emulation/docker/docker-20.10.6.ebuild b/project-lakitu/app-emulation/docker/docker-20.10.6.ebuild
index 4908a90..de7c136 100644
--- a/project-lakitu/app-emulation/docker/docker-20.10.6.ebuild
+++ b/project-lakitu/app-emulation/docker/docker-20.10.6.ebuild
@@ -41,7 +41,7 @@
>=app-arch/xz-utils-4.9
dev-libs/libltdl
>=app-emulation/containerd-1.4.3[apparmor?,btrfs?,device-mapper?,seccomp?]
- ~app-emulation/runc-1.0.0_rc92[apparmor?,seccomp?]
+ ~app-emulation/runc-1.0.0_rc95[apparmor?,seccomp?]
~app-emulation/docker-proxy-0.8.0_p20201215
cli? ( app-emulation/docker-cli )
container-init? ( >=sys-process/tini-0.19.0[static] )
diff --git a/project-lakitu/app-emulation/runc/Manifest b/project-lakitu/app-emulation/runc/Manifest
index dd7e4c0..cf7cc93 100644
--- a/project-lakitu/app-emulation/runc/Manifest
+++ b/project-lakitu/app-emulation/runc/Manifest
@@ -1 +1 @@
-DIST runc-1.0.0_rc92.tar.gz 2061469 BLAKE2B 06444eaf7602fe9ddaf7728c7f55bd718d1fe8f5f0ce6b21abc49a1d84eaa2fc3550d0d275ba5548ee9ebb6948a8ed415de8562a990d6085d1da8fb37e46afb9 SHA512 770a31736f5ab4ba359d91bd236750511f90b29af0af2bad5c238b611f465d7302e78b57ce8a702068440fda2d74588b92fd4d24c6d34e6fc1bd649ea3d8ee40
+DIST runc-1.0.0_rc95.tar.gz 2309875 BLAKE2B 8038a2d5311463f1e83665d513ac8b6336ccaa88fab64a3218b261aa03b2750d342f95bdae965c593d4fa89fc89b1e1a6371498c205160d9d09a5c4920ffa841 SHA512 c802a6e5f16cc0321642fc7adffe33819867c1779420f76b2cabd532edb5ac8c852beadcbcf6a3e895fe274f111c5623be5dcc822fef96e7e5259bf532174ba1
diff --git a/project-lakitu/app-emulation/runc/files/1.0.0_rc8-Do-not-clone-proc-self-exe-in-case-of-lakitu.patch b/project-lakitu/app-emulation/runc/files/1.0.0_rc8-Do-not-clone-proc-self-exe-in-case-of-lakitu.patch
index 4c566cd..d84a080 100644
--- a/project-lakitu/app-emulation/runc/files/1.0.0_rc8-Do-not-clone-proc-self-exe-in-case-of-lakitu.patch
+++ b/project-lakitu/app-emulation/runc/files/1.0.0_rc8-Do-not-clone-proc-self-exe-in-case-of-lakitu.patch
@@ -24,9 +24,9 @@
index ad10f140..48d9faa4 100644
--- a/libcontainer/nsenter/cloned_binary.c
+++ b/libcontainer/nsenter/cloned_binary.c
-@@ -94,6 +94,17 @@ static int is_self_cloned(void)
- struct stat statbuf = {};
- struct statfs fsbuf = {};
+@@ -141,6 +141,17 @@ static int is_self_cloned(void)
+ struct stat statbuf = { };
+ struct statfs fsbuf = { };
+ /* lakitu uses a readonly rootfs and therefore,
+ * a malicious container cannot overwrite the
@@ -39,9 +39,6 @@
+ * message events.*/
+ putenv(CLONED_BINARY_ENV "=1");
+
- fd = open("/proc/self/exe", O_RDONLY|O_CLOEXEC);
- if (fd < 0)
- return -ENOTRECOVERABLE;
---
-2.23.0.700.g56cf767bdb-goog
-
+ fd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
+ if (fd < 0) {
+ fprintf(stderr, "you have no read access to runc binary file\n");
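Review bot: The rebased patch still short-circuits runc's self-clone of /proc/self/exe by exporting `putenv(CLONED_BINARY_ENV "=1")` on the premise stated in its own comment that a read-only rootfs keeps a malicious container from overwriting the runc binary, yet this commit only re-aligns the hunk context against rc95 (`@@ -94` → `@@ -141`, brace spacing) and TEST= records nothing beyond a local build. Before carrying the bypass forward, confirm that rc95's is_self_cloned() still reaches this early exit and that the binary the runc ebuild installs under `${ED}/usr/bin` lands on the read-only mount; if either premise has shifted, the protection the clone exists for is silently disabled. The file is also still named `1.0.0_rc8-Do-not-clone-proc-self-exe-in-case-of-lakitu.patch` and carries the rc8-era `index ad10f140..48d9faa4` header while now targeting rc95, so renaming it to `1.0.0_rc95-...` and refreshing that header would keep its provenance honest. is_self_cloned() starts and ends outside the visible hunk.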
diff --git a/project-lakitu/app-emulation/runc/runc-1.0.0_rc92-r1.ebuild b/project-lakitu/app-emulation/runc/runc-1.0.0_rc92-r1.ebuild
deleted file mode 120000
index 73e8223..0000000
--- a/project-lakitu/app-emulation/runc/runc-1.0.0_rc92-r1.ebuild
+++ /dev/null
@@ -1 +0,0 @@
-runc-1.0.0_rc92.ebuild
\ No newline at end of file
diff --git a/project-lakitu/app-emulation/runc/runc-1.0.0_rc95-r1.ebuild b/project-lakitu/app-emulation/runc/runc-1.0.0_rc95-r1.ebuild
new file mode 120000
index 0000000..df1e80c
--- /dev/null
+++ b/project-lakitu/app-emulation/runc/runc-1.0.0_rc95-r1.ebuild
@@ -0,0 +1 @@
+runc-1.0.0_rc95.ebuild
\ No newline at end of file
diff --git a/project-lakitu/app-emulation/runc/runc-1.0.0_rc92.ebuild b/project-lakitu/app-emulation/runc/runc-1.0.0_rc95.ebuild
similarity index 87%
rename from project-lakitu/app-emulation/runc/runc-1.0.0_rc92.ebuild
rename to project-lakitu/app-emulation/runc/runc-1.0.0_rc95.ebuild
index f03d4af..4a3b89e 100644
--- a/project-lakitu/app-emulation/runc/runc-1.0.0_rc92.ebuild
+++ b/project-lakitu/app-emulation/runc/runc-1.0.0_rc95.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2020 Gentoo Authors
+# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
@@ -18,7 +18,7 @@
LICENSE="Apache-2.0 BSD-2 BSD MIT"
SLOT="0"
KEYWORDS="*"
-IUSE="apparmor +ambient hardened +kmem +seccomp selinux test"
+IUSE="apparmor hardened +kmem +seccomp test"
DEPEND="seccomp? ( sys-libs/libseccomp )"
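Review bot: The new IUSE drops `ambient` and `selinux` but keeps `apparmor`, which src_compile still turns into a build tag via `$(usev apparmor)`; if rc95 retired the apparmor build tag together with the selinux one (recent runc releases have done so — confirm against rc95's Makefile and libcontainer/apparmor), the flag no longer changes what is compiled and USE=-apparmor would give a false impression of having excluded that code. Either document this beside IUSE, e.g. `# apparmor: kept to satisfy docker's runc[apparmor?] USE-dep; rc95 may compile AppArmor support unconditionally — verify`, or drop the build tag once it is confirmed a no-op. The flag itself must stay, since docker-20.10.6.ebuild in this same change requires `~app-emulation/runc-1.0.0_rc95[apparmor?,seccomp?]`.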
@@ -46,25 +46,20 @@
src_compile() {
# Taken from app-emulation/docker-1.7.0-r1
- export CGO_CFLAGS="-I${ROOT}/usr/include"
+ export CGO_CFLAGS="-I${ESYSROOT}/usr/include"
export CGO_LDFLAGS="$(usex hardened '-fno-PIC ' '')
- -L${ROOT}/usr/$(get_libdir)"
+ -L${ESYSROOT}/usr/$(get_libdir)"
# build up optional flags
local options=(
- $(usev ambient)
$(usev apparmor)
$(usev seccomp)
- $(usev selinux)
$(usex kmem '' 'nokmem')
)
myemakeargs=(
- BINDIR="${ED}/usr/bin"
BUILDTAGS="${options[*]}"
- COMMIT=${RUNC_COMMIT}
- DESTDIR="${ED}"
- PREFIX="${ED}/usr"
+ COMMIT="${RUNC_COMMIT}"
# lakitu: use the Go cross-compiler
GO="$(tc-getGO)"
)
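Review bot: `COMMIT="${RUNC_COMMIT}"` is still handed to the build, but no hunk in this rename touches the `RUNC_COMMIT` definition earlier in the ebuild (it lies outside the visible hunks), so if that variable is pinned to the rc92 commit hash the rc95 binary will report a stale commit from `runc --version` — the very field an operator would check to confirm the CVE-2021-30465 fix is deployed. Please verify the value matches the v1.0.0-rc95 tag and, if not already present, add `# Change this when you update the ebuild` next to it. The move from `${ROOT}` to `${ESYSROOT}` for the CGO include and library paths looks right for an EAPI 7 cross build.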
@@ -76,6 +71,11 @@
}
src_install() {
+ myemakeargs+=(
+ PREFIX="${ED}/usr"
+ BINDIR="${ED}/usr/bin"
+ MANDIR="${ED}/usr/share/man"
+ )
emake "${myemakeargs[@]}" install install-man install-bash
local DOCS=( README.md PRINCIPLES.md docs/. )