authorGeorgy Yakovlev <gyakovlev@gentoo.org>2021-12-19 23:38:59 -0800
committerGeorgy Yakovlev <gyakovlev@gentoo.org>2021-12-20 00:51:45 -0800
commitd989e708fffe34dedb517ef61464dad873c9f017 (patch)
treeb5387eaf80a7125bc27984fbcc53e5d09d4f04d7 /app-containers
parentMove {app-emulation -> app-containers}/kompose (diff)
Move {app-emulation -> app-containers}/runc
Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>
Diffstat (limited to 'app-containers')
-rw-r--r--app-containers/containerd/containerd-1.4.11.ebuild2
-rw-r--r--app-containers/containerd/containerd-1.4.12.ebuild2
-rw-r--r--app-containers/containerd/containerd-1.5.7.ebuild2
-rw-r--r--app-containers/cri-o/cri-o-1.21.0.ebuild2
-rw-r--r--app-containers/cri-o/cri-o-1.21.4.ebuild2
-rw-r--r--app-containers/cri-o/cri-o-1.22.1.ebuild2
-rw-r--r--app-containers/img/img-0.5.11.ebuild2
-rw-r--r--app-containers/podman/podman-3.3.1.ebuild2
-rw-r--r--app-containers/podman/podman-3.4.0.ebuild2
-rw-r--r--app-containers/podman/podman-3.4.1.ebuild2
-rw-r--r--app-containers/podman/podman-3.4.2.ebuild2
-rw-r--r--app-containers/podman/podman-3.4.3.ebuild2
-rw-r--r--app-containers/podman/podman-3.4.4.ebuild2
-rw-r--r--app-containers/runc/Manifest2
-rw-r--r--app-containers/runc/files/CVE-2021-43784.patch86
-rw-r--r--app-containers/runc/metadata.xml28
-rw-r--r--app-containers/runc/runc-1.0.2-r1.ebuild80
-rw-r--r--app-containers/runc/runc-1.0.3.ebuild78
18 files changed, 287 insertions, 13 deletions
diff --git a/app-containers/containerd/containerd-1.4.11.ebuild b/app-containers/containerd/containerd-1.4.11.ebuild
index d2038dd4a85c..44e419c33326 100644
--- a/app-containers/containerd/containerd-1.4.11.ebuild
+++ b/app-containers/containerd/containerd-1.4.11.ebuild
@@ -24,7 +24,7 @@ DEPEND="
# recommended version of runc is found in script/setup/runc-version
RDEPEND="
${DEPEND}
- ~app-emulation/runc-1.0.2
+ ~app-containers/runc-1.0.2
"
BDEPEND="
diff --git a/app-containers/containerd/containerd-1.4.12.ebuild b/app-containers/containerd/containerd-1.4.12.ebuild
index 10c53e0472be..a738accf70b9 100644
--- a/app-containers/containerd/containerd-1.4.12.ebuild
+++ b/app-containers/containerd/containerd-1.4.12.ebuild
@@ -24,7 +24,7 @@ DEPEND="
# recommended version of runc is found in script/setup/runc-version
RDEPEND="
${DEPEND}
- ~app-emulation/runc-1.0.2
+ ~app-containers/runc-1.0.2
"
BDEPEND="
diff --git a/app-containers/containerd/containerd-1.5.7.ebuild b/app-containers/containerd/containerd-1.5.7.ebuild
index 03b79d4159d6..de23ad71b908 100644
--- a/app-containers/containerd/containerd-1.5.7.ebuild
+++ b/app-containers/containerd/containerd-1.5.7.ebuild
@@ -22,7 +22,7 @@ DEPEND="
# recommended version of runc is found in script/setup/runc-version
RDEPEND="
${DEPEND}
- ~app-emulation/runc-1.0.2
+ ~app-containers/runc-1.0.2
"
BDEPEND="
diff --git a/app-containers/cri-o/cri-o-1.21.0.ebuild b/app-containers/cri-o/cri-o-1.21.0.ebuild
index 51699a1ed417..bd5def52cce5 100644
--- a/app-containers/cri-o/cri-o-1.21.0.ebuild
+++ b/app-containers/cri-o/cri-o-1.21.0.ebuild
@@ -1915,7 +1915,7 @@ IUSE="btrfs +device-mapper selinux systemd"
COMMON_DEPEND="
app-crypt/gpgme:=
app-containers/conmon
- app-emulation/runc
+ app-containers/runc
dev-libs/glib:=
dev-libs/libassuan:=
dev-libs/libgpg-error:=
diff --git a/app-containers/cri-o/cri-o-1.21.4.ebuild b/app-containers/cri-o/cri-o-1.21.4.ebuild
index a7724cecf4ef..68c28e6f0190 100644
--- a/app-containers/cri-o/cri-o-1.21.4.ebuild
+++ b/app-containers/cri-o/cri-o-1.21.4.ebuild
@@ -1959,7 +1959,7 @@ IUSE="btrfs +device-mapper selinux systemd"
COMMON_DEPEND="
app-crypt/gpgme:=
app-containers/conmon
- app-emulation/runc
+ app-containers/runc
dev-libs/glib:=
dev-libs/libassuan:=
dev-libs/libgpg-error:=
diff --git a/app-containers/cri-o/cri-o-1.22.1.ebuild b/app-containers/cri-o/cri-o-1.22.1.ebuild
index b7d6765090d4..4d339e8f124f 100644
--- a/app-containers/cri-o/cri-o-1.22.1.ebuild
+++ b/app-containers/cri-o/cri-o-1.22.1.ebuild
@@ -1997,7 +1997,7 @@ IUSE="btrfs +device-mapper selinux systemd"
COMMON_DEPEND="
app-crypt/gpgme:=
app-containers/conmon
- app-emulation/runc
+ app-containers/runc
dev-libs/glib:=
dev-libs/libassuan:=
dev-libs/libgpg-error:=
diff --git a/app-containers/img/img-0.5.11.ebuild b/app-containers/img/img-0.5.11.ebuild
index cd92124e2d1f..a01cea3b2268 100644
--- a/app-containers/img/img-0.5.11.ebuild
+++ b/app-containers/img/img-0.5.11.ebuild
@@ -533,7 +533,7 @@ IUSE="seccomp"
DEPEND="seccomp? ( sys-libs/libseccomp )"
RDEPEND="${DEPEND}
- app-emulation/runc"
+ app-containers/runc"
src_compile() {
IMG_DISABLE_EMBEDDED_RUNC=1 \
diff --git a/app-containers/podman/podman-3.3.1.ebuild b/app-containers/podman/podman-3.3.1.ebuild
index ac44c72cf14e..0d45638721e4 100644
--- a/app-containers/podman/podman-3.3.1.ebuild
+++ b/app-containers/podman/podman-3.3.1.ebuild
@@ -21,7 +21,7 @@ RESTRICT="test"
COMMON_DEPEND="
app-crypt/gpgme:=
>=app-containers/conmon-2.0.0
- || ( >=app-emulation/runc-1.0.0_rc6 app-containers/crun )
+ || ( >=app-containers/runc-1.0.0_rc6 app-containers/crun )
dev-libs/libassuan:=
dev-libs/libgpg-error:=
>=net-misc/cni-plugins-0.8.6
diff --git a/app-containers/podman/podman-3.4.0.ebuild b/app-containers/podman/podman-3.4.0.ebuild
index d58eb39fe82d..cbad65d0e440 100644
--- a/app-containers/podman/podman-3.4.0.ebuild
+++ b/app-containers/podman/podman-3.4.0.ebuild
@@ -21,7 +21,7 @@ RESTRICT+=" test"
COMMON_DEPEND="
app-crypt/gpgme:=
>=app-containers/conmon-2.0.0
- || ( >=app-emulation/runc-1.0.0_rc6 app-containers/crun )
+ || ( >=app-containers/runc-1.0.0_rc6 app-containers/crun )
dev-libs/libassuan:=
dev-libs/libgpg-error:=
>=net-misc/cni-plugins-0.8.6
diff --git a/app-containers/podman/podman-3.4.1.ebuild b/app-containers/podman/podman-3.4.1.ebuild
index 4097b7d5adb1..44cbb7034662 100644
--- a/app-containers/podman/podman-3.4.1.ebuild
+++ b/app-containers/podman/podman-3.4.1.ebuild
@@ -21,7 +21,7 @@ RESTRICT+=" test"
COMMON_DEPEND="
app-crypt/gpgme:=
>=app-containers/conmon-2.0.0
- || ( >=app-emulation/runc-1.0.0_rc6 app-containers/crun )
+ || ( >=app-containers/runc-1.0.0_rc6 app-containers/crun )
dev-libs/libassuan:=
dev-libs/libgpg-error:=
>=net-misc/cni-plugins-0.8.6
diff --git a/app-containers/podman/podman-3.4.2.ebuild b/app-containers/podman/podman-3.4.2.ebuild
index 9ce7f02cfc06..f27fd5123313 100644
--- a/app-containers/podman/podman-3.4.2.ebuild
+++ b/app-containers/podman/podman-3.4.2.ebuild
@@ -21,7 +21,7 @@ RESTRICT+=" test"
COMMON_DEPEND="
app-crypt/gpgme:=
>=app-containers/conmon-2.0.0
- || ( >=app-emulation/runc-1.0.0_rc6 app-containers/crun )
+ || ( >=app-containers/runc-1.0.0_rc6 app-containers/crun )
dev-libs/libassuan:=
dev-libs/libgpg-error:=
>=net-misc/cni-plugins-0.8.6
diff --git a/app-containers/podman/podman-3.4.3.ebuild b/app-containers/podman/podman-3.4.3.ebuild
index bdd678320e5f..419c47b5d16f 100644
--- a/app-containers/podman/podman-3.4.3.ebuild
+++ b/app-containers/podman/podman-3.4.3.ebuild
@@ -21,7 +21,7 @@ RESTRICT+=" test"
COMMON_DEPEND="
app-crypt/gpgme:=
>=app-containers/conmon-2.0.0
- || ( >=app-emulation/runc-1.0.0_rc6 app-containers/crun )
+ || ( >=app-containers/runc-1.0.0_rc6 app-containers/crun )
dev-libs/libassuan:=
dev-libs/libgpg-error:=
>=net-misc/cni-plugins-0.8.6
diff --git a/app-containers/podman/podman-3.4.4.ebuild b/app-containers/podman/podman-3.4.4.ebuild
index bdd678320e5f..419c47b5d16f 100644
--- a/app-containers/podman/podman-3.4.4.ebuild
+++ b/app-containers/podman/podman-3.4.4.ebuild
@@ -21,7 +21,7 @@ RESTRICT+=" test"
COMMON_DEPEND="
app-crypt/gpgme:=
>=app-containers/conmon-2.0.0
- || ( >=app-emulation/runc-1.0.0_rc6 app-containers/crun )
+ || ( >=app-containers/runc-1.0.0_rc6 app-containers/crun )
dev-libs/libassuan:=
dev-libs/libgpg-error:=
>=net-misc/cni-plugins-0.8.6
diff --git a/app-containers/runc/Manifest b/app-containers/runc/Manifest
new file mode 100644
index 000000000000..e896bdf3b837
--- /dev/null
+++ b/app-containers/runc/Manifest
@@ -0,0 +1,2 @@
+DIST runc-1.0.2.tar.gz 2374156 BLAKE2B 526520adb7127e46e7258de75e66a15a5aac216a2a2fcb91f4d9c5da393892242c4d93c5f5483ab111bf29eed7d8f0c8c138ae83a22809d72802a981dcda0395 SHA512 434abd6d7ad2508c2272b627d8aeeb28ecd8461899bff463e7d2c7abbc0f0cbb2e0bafbfe81fc534fad506b1acb4bda3e05639ecd908bc9d0d2e9356f1e56e26
+DIST runc-1.0.3.tar.gz 2375241 BLAKE2B 0fb9368ab5442462001c15a67a71821133ad90d16cac5aac760e52b2477db69c0a5dd59df42601119b19ede508889796c994a24624f88ec6a1a29dad19e0bf33 SHA512 64a1894c2b4ed5a68b185e88548fc9fbbd01d8a9495feed59fb196aa06763d64cfb71ca6cbc09d1defa26a0d94ad58626296585741f23df2e290147ba6c4c26e
diff --git a/app-containers/runc/files/CVE-2021-43784.patch b/app-containers/runc/files/CVE-2021-43784.patch
new file mode 100644
index 000000000000..ab3886ee9ba7
--- /dev/null
+++ b/app-containers/runc/files/CVE-2021-43784.patch
@@ -0,0 +1,86 @@
+From b8dbe46687c2a96efa9252b69d3fc1ce33bdc416 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <cyphar@cyphar.com>
+Date: Thu, 18 Nov 2021 16:12:59 +1100
+Subject: [PATCH] runc init: avoid netlink message length overflows
+
+When writing netlink messages, it is possible to have a byte array
+larger than UINT16_MAX which would result in the length field
+overflowing and allowing user-controlled data to be parsed as control
+characters (such as creating custom mount points, changing which set of
+namespaces to allow, and so on).
+
+Co-authored-by: Kir Kolyshkin <kolyshkin@gmail.com>
+Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
+Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
+---
+ libcontainer/container_linux.go | 20 +++++++++++++++++++-
+ libcontainer/message_linux.go | 9 +++++++++
+ 2 files changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
+index 6ce1854f68..1484703b0c 100644
+--- a/libcontainer/container_linux.go
++++ b/libcontainer/container_linux.go
+@@ -2028,16 +2028,34 @@ func encodeIDMapping(idMap []configs.IDMap) ([]byte, error) {
+ return data.Bytes(), nil
+ }
+
++// netlinkError is an error wrapper type for use by custom netlink message
++// types. Panics with errors are wrapped in netlinkError so that the recover
++// in bootstrapData can distinguish intentional panics.
++type netlinkError struct{ error }
++
+ // bootstrapData encodes the necessary data in netlink binary format
+ // as a io.Reader.
+ // Consumer can write the data to a bootstrap program
+ // such as one that uses nsenter package to bootstrap the container's
+ // init process correctly, i.e. with correct namespaces, uid/gid
+ // mapping etc.
+-func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.NamespaceType]string) (io.Reader, error) {
++func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.NamespaceType]string) (_ io.Reader, Err error) {
+ // create the netlink message
+ r := nl.NewNetlinkRequest(int(InitMsg), 0)
+
++ // Our custom messages cannot bubble up an error using returns, instead
++ // they will panic with the specific error type, netlinkError. In that
++ // case, recover from the panic and return that as an error.
++ defer func() {
++ if r := recover(); r != nil {
++ if e, ok := r.(netlinkError); ok {
++ Err = e.error
++ } else {
++ panic(r)
++ }
++ }
++ }()
++
+ // write cloneFlags
+ r.AddData(&Int32msg{
+ Type: CloneFlagsAttr,
+diff --git a/libcontainer/message_linux.go b/libcontainer/message_linux.go
+index 1d4f5033aa..e4107ce39f 100644
+--- a/libcontainer/message_linux.go
++++ b/libcontainer/message_linux.go
+@@ -3,6 +3,9 @@
+ package libcontainer
+
+ import (
++ "fmt"
++ "math"
++
+ "github.com/vishvananda/netlink/nl"
+ "golang.org/x/sys/unix"
+ )
+@@ -54,6 +57,12 @@ type Bytemsg struct {
+
+ func (msg *Bytemsg) Serialize() []byte {
+ l := msg.Len()
++ if l > math.MaxUint16 {
++ // We cannot return nil nor an error here, so we panic with
++ // a specific type instead, which is handled via recover in
++ // bootstrapData.
++ panic(netlinkError{fmt.Errorf("netlink: cannot serialize bytemsg of length %d (larger than UINT16_MAX)", l)})
++ }
+ buf := make([]byte, (l+unix.NLA_ALIGNTO-1) & ^(unix.NLA_ALIGNTO-1))
+ native := nl.NativeEndian()
+ native.PutUint16(buf[0:2], uint16(l))
diff --git a/app-containers/runc/metadata.xml b/app-containers/runc/metadata.xml
new file mode 100644
index 000000000000..d27ad6413b06
--- /dev/null
+++ b/app-containers/runc/metadata.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <longdescription lang="en">
+ runc is a CLI tool for spawning and running containers according
+ to the OCF (Open Container Format) specification.
+ </longdescription>
+ <maintainer type="person">
+ <email>williamh@gentoo.org</email>
+ <name>William Hubbs</name>
+ </maintainer>
+ <maintainer type="person">
+ <email>gyakovlev@gentoo.org</email>
+ <name>Georgy Yakovlev</name>
+ </maintainer>
+ <use>
+ <flag name="apparmor">
+ Enable AppArmor support.
+ </flag>
+ <flag name="kmem">
+ Enable Kernel Memory Accounting.
+ </flag>
+ </use>
+ <upstream>
+ <remote-id type="github">opencontainers/runc</remote-id>
+ <remote-id type="cpe">cpe:/a:linuxfoundation:runc</remote-id>
+ </upstream>
+</pkgmetadata>
diff --git a/app-containers/runc/runc-1.0.2-r1.ebuild b/app-containers/runc/runc-1.0.2-r1.ebuild
new file mode 100644
index 000000000000..38b6da62493d
--- /dev/null
+++ b/app-containers/runc/runc-1.0.2-r1.ebuild
@@ -0,0 +1,80 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit go-module linux-info
+
+# update on bump, look for https://github.com/docker\
+# docker-ce/blob/<docker ver OR branch>/components/engine/hack/dockerfile/install/runc.installer
+RUNC_COMMIT=52b36a2dd837e8462de8e01458bf02cf9eea47dd
+CONFIG_CHECK="~USER_NS"
+
+DESCRIPTION="runc container cli tools"
+HOMEPAGE="http://github.com/opencontainers/runc/"
+MY_PV="${PV/_/-}"
+SRC_URI="https://github.com/opencontainers/${PN}/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0 BSD-2 BSD MIT"
+SLOT="0"
+KEYWORDS="amd64 ~arm arm64 ppc64 ~riscv ~x86"
+IUSE="apparmor hardened +kmem +seccomp test"
+
+DEPEND="seccomp? ( sys-libs/libseccomp )"
+
+RDEPEND="
+ ${DEPEND}
+ !app-emulation/docker-runc
+ apparmor? ( sys-libs/libapparmor )
+"
+
+BDEPEND="
+ dev-go/go-md2man
+ test? ( "${RDEPEND}" )
+"
+
+PATCHES=( "${FILESDIR}/CVE-2021-43784.patch" )
+
+# tests need busybox binary, and portage namespace
+# sandboxing disabled: mount-sandbox pid-sandbox ipc-sandbox
+# majority of tests pass
+RESTRICT+=" test"
+
+S="${WORKDIR}/${PN}-${MY_PV}"
+
+src_compile() {
+ # Taken from app-emulation/docker-1.7.0-r1
+ export CGO_CFLAGS="-I${ESYSROOT}/usr/include"
+ export CGO_LDFLAGS="$(usex hardened '-fno-PIC ' '')
+ -L${ESYSROOT}/usr/$(get_libdir)"
+
+ # build up optional flags
+ local options=(
+ $(usev apparmor)
+ $(usev seccomp)
+ $(usex kmem '' 'nokmem')
+ )
+
+ myemakeargs=(
+ BUILDTAGS="${options[*]}"
+ COMMIT="${RUNC_COMMIT}"
+ )
+
+ emake "${myemakeargs[@]}" runc man
+}
+
+src_install() {
+ myemakeargs+=(
+ PREFIX="${ED}/usr"
+ BINDIR="${ED}/usr/bin"
+ MANDIR="${ED}/usr/share/man"
+ )
+ emake "${myemakeargs[@]}" install install-man install-bash
+
+ local DOCS=( README.md PRINCIPLES.md docs/. )
+ einstalldocs
+}
+
+src_test() {
+ emake "${myemakeargs[@]}" localunittest
+}
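Review bot: The BDEPEND block at `test? ( "${RDEPEND}" )` nests double quotes inside an already double-quoted assignment; bash closes and reopens the string so the expansion happens to come out right, but it reads as if literal quote characters were intended, and a later edit (for example switching the outer quotes) would silently corrupt the dependency string. Write it as `test? ( ${RDEPEND} )`. The same construct appears in runc-1.0.3.ebuild. Separately, `myemakeargs` is assigned in src_compile without `local` so that src_install and src_test can reuse it across phases; a one-line comment such as `# deliberately global: reused by src_install/src_test` would stop a cleanup from localising it and breaking install. `HOMEPAGE` still points at plain `http://github.com/...`; the project page is served over https and the link should say so.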
diff --git a/app-containers/runc/runc-1.0.3.ebuild b/app-containers/runc/runc-1.0.3.ebuild
new file mode 100644
index 000000000000..db1d0c6af602
--- /dev/null
+++ b/app-containers/runc/runc-1.0.3.ebuild
@@ -0,0 +1,78 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit go-module linux-info
+
+# update on bump, look for https://github.com/docker\
+# docker-ce/blob/<docker ver OR branch>/components/engine/hack/dockerfile/install/runc.installer
+RUNC_COMMIT=f46b6ba2c9314cfc8caae24a32ec5fe9ef1059fe
+CONFIG_CHECK="~USER_NS"
+
+DESCRIPTION="runc container cli tools"
+HOMEPAGE="http://github.com/opencontainers/runc/"
+MY_PV="${PV/_/-}"
+SRC_URI="https://github.com/opencontainers/${PN}/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0 BSD-2 BSD MIT"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
+IUSE="apparmor hardened +kmem +seccomp test"
+
+DEPEND="seccomp? ( sys-libs/libseccomp )"
+
+RDEPEND="
+ ${DEPEND}
+ !app-emulation/docker-runc
+ apparmor? ( sys-libs/libapparmor )
+"
+
+BDEPEND="
+ dev-go/go-md2man
+ test? ( "${RDEPEND}" )
+"
+
+# tests need busybox binary, and portage namespace
+# sandboxing disabled: mount-sandbox pid-sandbox ipc-sandbox
+# majority of tests pass
+RESTRICT+=" test"
+
+S="${WORKDIR}/${PN}-${MY_PV}"
+
+src_compile() {
+ # Taken from app-emulation/docker-1.7.0-r1
+ export CGO_CFLAGS="-I${ESYSROOT}/usr/include"
+ export CGO_LDFLAGS="$(usex hardened '-fno-PIC ' '')
+ -L${ESYSROOT}/usr/$(get_libdir)"
+
+ # build up optional flags
+ local options=(
+ $(usev apparmor)
+ $(usev seccomp)
+ $(usex kmem '' 'nokmem')
+ )
+
+ myemakeargs=(
+ BUILDTAGS="${options[*]}"
+ COMMIT="${RUNC_COMMIT}"
+ )
+
+ emake "${myemakeargs[@]}" runc man
+}
+
+src_install() {
+ myemakeargs+=(
+ PREFIX="${ED}/usr"
+ BINDIR="${ED}/usr/bin"
+ MANDIR="${ED}/usr/share/man"
+ )
+ emake "${myemakeargs[@]}" install install-man install-bash
+
+ local DOCS=( README.md PRINCIPLES.md docs/. )
+ einstalldocs
+}
+
+src_test() {
+ emake "${myemakeargs[@]}" localunittest
+}
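Review bot: runc-1.0.3.ebuild carries no PATCHES array, whereas the sibling runc-1.0.2-r1.ebuild applies files/CVE-2021-43784.patch; if the 1.0.3 tarball already includes upstream commit b8dbe46687c2a96efa9252b69d3fc1ce33bdc416 (the one the patch file carries) that is correct, but nothing in the ebuild records it, so the omission cannot be audited from the file alone. A comment below the BDEPEND block such as `# CVE-2021-43784 (netlink message length overflow) is fixed upstream in 1.0.3; the files/ patch is only needed for 1.0.2-r1` would make that explicit and tell the next bumper when the patch file can be dropped. If the fix is not in the 1.0.3 release, the patch must be applied here as well.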