Add runc patch for CVE-2016-8867

tianon · Feb 28, 2017 · 4f5bd8a · 4f5bd8a
1 parent 8f6440c
commit 4f5bd8a
Show file tree

Hide file tree

Showing 3 changed files with 91 additions and 1 deletion.
diff --git a/app-emulation/runc/Manifest b/app-emulation/runc/Manifest
@@ -1,7 +1,8 @@
+AUX 1172-ambient-tag.patch 2971 SHA256 79c7abd6461de961ea36b413fc7854fc5f717b8a6244a908eddbeb32ace76351 SHA512 b1078f413e43c81b495479300656d4ef1e1d8bd2d11a495df4f4ecb8498323c4ce24ba8da3ee76e41737f9ffd8ca4f9b5b85a96cd276e5b60cebcf405df92ee7 WHIRLPOOL e2696b1abc740c75170190c0a7ad10635fbb1879a72d9e914818e6e0afa2a4bcb9e0a88f0268778b1df80cb739470c1c13461f2a1af87962c9f07083d23fedd3
 DIST runc-0.1.1.tar.gz 496416 SHA256 f9955daed1e73e842b2f28a258fba51f4e72a6b4b64cc3fc06415481d55ce000 SHA512 074482636fd2342c490c450d7a379cd14cd6c7b1ec6109cf729c4b451cc8cfb0e6b286d0df8e0cc0dba7b24d63d12bd5978013e08301a785db5e4280c595fdaa WHIRLPOOL f605e70d2bea88b5ba10f6375543824167509630cc3ed839575d5e0d3b05bb07edcac8fcee168aa3ae89adaf0ccf5ab816a201b27022ddcf31fd0218bd59c357
 DIST runc-1.0.0_rc1.tar.gz 532162 SHA256 77f9d4df1657fecc939be0261fcccccd34d5b22c02b8a49abad23fac33b4059a SHA512 88210bd7c2114f08f24bdf71e2d1b449b422edc7f6be069079d5e25bae909b3c3de069159185bb543181575bfe281b08d2430d2470430d84fb8f7e832b0f0a6e WHIRLPOOL 0b027a7b1d52c8d2d399252ecf3ec931e51c5e42fed9d20e846c61c240de4554f9fcd2d0fb7e132a561ff9fab63b66b24bede0d2d000d1ec08cddecba267902d
 DIST runc-1.0.0_rc2.tar.gz 550449 SHA256 638742c48426b9a3281aeb619e27513d972de228bdbd43b478baea99c186d491 SHA512 83a3d45efbb86d3d583b96062202b9e60121d250af2c0dd37d07fda574b642aa6f05e29cac6644ad3d624647400db694082e280383e41ca9f31dc0a33b87ed76 WHIRLPOOL 990a45739689db80bbeed43b0fd3a4ce4d0563ea833361b9112e750782313f19e638c4bfbd455f5dd1882d64c724dcf0213701322029c2c9f98f624863c744f3
 EBUILD runc-0.1.1.ebuild 1504 SHA256 ad4f7c3934103c5e122e9aeb30478fd33aa0b12a177b8d4e0cf71b2caaaa5430 SHA512 e6b1fdd9e4f7668694687f78c37956fed73fed8f6870beb5b6a91848e7ab116914f3ce36a2491524101f03c5cded8e9f78e610c37933878252d6f6399c639355 WHIRLPOOL fe430351f83613812bac6ab84cc8b4563c4ebdb593f3fc3dba08e65b3ea5ff8962b55f1e12d13d75f538efa7a006ab103776d2f8bf7ac3d308276a758c0017c0
 EBUILD runc-1.0.0_rc1.ebuild 1506 SHA256 a75f1cf2cb2f52ab08023f5b9cabd3acd7fdc9356ed54af5cb55306cfe397f9c SHA512 e767a2884892fdffab1a5acc462d255af76d307872d4b08c535f1c96a04a02c9812a31cf51d3086b6b27b09b95776be300baba1e5dcebbf27af20b0a7fe6305a WHIRLPOOL 171bc7017394728527ca34d2189a9ff8bcc2e015042a1723d7ce0d895d370f7979cbc128f45018f7f584f360189a4cd656eecbedc729f00c94e358c66c7ca2e8
-EBUILD runc-1.0.0_rc2.ebuild 1368 SHA256 5233d28ec382486e45d3782fe7cbaba936104a4232fd1e9980aeaa80455b714d SHA512 05588e1ede9f7d06d213c1acf77f854862865405f9a30de70dbc3f9aabe70fcdbd1710d5fc1132e72b61c595314e91bb3d6bc413784f1fd7757c1387bd3fa6e4 WHIRLPOOL 165ef927b393caf0df44f4e3c34918b1bd063165214a9bd76d634964dba5f02c3da7693d1a9d5a5da5d2fd56250ed0976ccc748a75bf5eca2c26162c09e0e226
+EBUILD runc-1.0.0_rc2.ebuild 1526 SHA256 2124b9ecedde64a68cddc6dbbec6ab363d99419c69fded85481c0f2f999672cd SHA512 d310021b7e9844ed88cfa39ff6755873997f8b888165ba221227c29bd6c0d24df59eb1fc02dc5a68345650ab683d8c621666ebb7f709c9fbc111866759bc7f7f WHIRLPOOL 53286b69cae53271a1ea5736ed6745ceeb415daa7c036521ef5d135775489c63c354418e5058c61b27f8ffb379035fbe91a0b12f3596b4da8ac81da320cb41cd
 EBUILD runc-9999.ebuild 1361 SHA256 a8e8b40b8f119acd4a3ea4dd9d03a5d23da9c2b8a5e11bce88a4865155421bb3 SHA512 7b8f3b4be4ce7d5f784e48fca3d92a9d634212171fc74cc44d5f05ac8b73712bb6cbd8157e0dcbc0a4fd606db06c1e142c98e5da6e6e8102b997b534796d80d3 WHIRLPOOL 8ff68d0edd62ec6a975b9acbc22844a6a2a6065591e297690522d2efa146118981b66137239c70ff1f59f9903f2cf743df235e9d1b2c34bdcd87ad020dacd84b
diff --git a/app-emulation/runc/files/1172-ambient-tag.patch b/app-emulation/runc/files/1172-ambient-tag.patch
@@ -0,0 +1,83 @@
+From 603c151e6c2a4a37c7fae887960d9cf46a105266 Mon Sep 17 00:00:00 2001
+From: Michael Crosby <crosbymichael@gmail.com>
+Date: Wed, 2 Nov 2016 10:47:22 -0700
+Subject: [PATCH] Move ambient capabilties behind build tag
+
+This moves the ambient capability support behind an `ambient` build tag
+so that it is only compiled upon request.
+
+Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
+---
+ Makefile                               | 2 +-
+ README.md                              | 1 +
+ libcontainer/capabilities_ambient.go   | 7 +++++++
+ libcontainer/capabilities_linux.go     | 2 --
+ libcontainer/capabilities_noambient.go | 7 +++++++
+ 5 files changed, 16 insertions(+), 3 deletions(-)
+ create mode 100644 libcontainer/capabilities_ambient.go
+ create mode 100644 libcontainer/capabilities_noambient.go
+
+diff --git a/Makefile b/Makefile
+index 9b72ed6..779be92 100644
+--- a/Makefile
++++ b/Makefile
+@@ -33,7 +33,7 @@ static: $(RUNC_LINK)
+ 	CGO_ENABLED=1 go build -i -tags "$(BUILDTAGS) cgo static_build" -ldflags "-w -extldflags -static -X main.gitCommit=${COMMIT} -X main.version=${VERSION}" -o runc .
+
+ release: $(RUNC_LINK)
+-	@flag_list=(seccomp selinux apparmor static); \
++	@flag_list=(seccomp selinux apparmor static ambient); \
+ 	unset expression; \
+ 	for flag in "$${flag_list[@]}"; do \
+ 		expression+="' '{'',$${flag}}"; \
+diff --git a/README.md b/README.md
+index b8ed43f..6c6d1d4 100644
+--- a/README.md
++++ b/README.md
+@@ -48,6 +48,7 @@ make BUILDTAGS='seccomp apparmor'
+ | seccomp   | Syscall filtering                  | libseccomp  |
+ | selinux   | selinux process and mount labeling | <none>      |
+ | apparmor  | apparmor profile support           | libapparmor |
++| ambient   | ambient capability support         | kernel 4.3  |
+
+
+ ### Running the test suite
+diff --git a/libcontainer/capabilities_ambient.go b/libcontainer/capabilities_ambient.go
+new file mode 100644
+index 0000000..50da283
+--- /dev/null
++++ b/libcontainer/capabilities_ambient.go
+@@ -0,0 +1,7 @@
++// +build linux,ambient
++
++package libcontainer
++
++import "github.com/syndtr/gocapability/capability"
++
++const allCapabilityTypes = capability.CAPS | capability.BOUNDS | capability.AMBS
+diff --git a/libcontainer/capabilities_linux.go b/libcontainer/capabilities_linux.go
+index 48338a1..31fd0dc 100644
+--- a/libcontainer/capabilities_linux.go
++++ b/libcontainer/capabilities_linux.go
+@@ -10,8 +10,6 @@ import (
+ 	"github.com/syndtr/gocapability/capability"
+ )
+
+-const allCapabilityTypes = capability.CAPS | capability.BOUNDS | capability.AMBS
+-
+ var capabilityMap map[string]capability.Cap
+
+ func init() {
+diff --git a/libcontainer/capabilities_noambient.go b/libcontainer/capabilities_noambient.go
+new file mode 100644
+index 0000000..752c4e5
+--- /dev/null
++++ b/libcontainer/capabilities_noambient.go
+@@ -0,0 +1,7 @@
++// +build !ambient,linux
++
++package libcontainer
++
++import "github.com/syndtr/gocapability/capability"
++
++const allCapabilityTypes = capability.CAPS | capability.BOUNDS
diff --git a/app-emulation/runc/runc-1.0.0_rc2.ebuild b/app-emulation/runc/runc-1.0.0_rc2.ebuild
@@ -16,6 +16,7 @@ else
 	KEYWORDS="~amd64 ~ppc64"
 	inherit golang-vcs-snapshot
 fi
+inherit eutils
 
 DESCRIPTION="runc container cli tools"
 HOMEPAGE="http://runc.io"
@@ -31,6 +32,11 @@ RDEPEND="
 
 S=${WORKDIR}/${P}/src/${EGO_PN}
 
+src_prepare() {
+	epatch "${FILESDIR}/1172-ambient-tag.patch" # CVE-2016-8867, see https://github.com/opencontainers/runc/pull/1172
+	default
+}
+
 src_compile() {
 	# Taken from app-emulation/docker-1.7.0-r1
 	export CGO_CFLAGS="-I${ROOT}/usr/include"