[dgit import tarball runc 1.0.0~rc6+dfsg1-3 runc_1.0.0~rc6+dfsg1-3.debian.tar.xz]
--- /dev/null
+runc (1.0.0~rc6+dfsg1-3) unstable; urgency=medium
+
+ * Team upload.
+
+ [ Shengjing Zhu ]
+ * Improve patch for CVE-2019-5736 based on upstream commits.
+ Now the patch includes following commits:
+ + 2d4a37b nsenter: cloned_binary: userspace copy fallback if sendfile fails
+ + 16612d7 nsenter: cloned_binary: try to ro-bind /proc/self/exe before
+ copying
+ + af9da0a nsenter: cloned_binary: use the runc statedir for O_TMPFILE
+ + 2429d59 nsenter: cloned_binary: expand and add pre-3.11 fallbacks
+ + 5b775bf nsenter: cloned_binary: detect and handle short copies
+ + bb7d8b1 nsexec (CVE-2019-5736): avoid parsing environ
+ + 0a8e411 nsenter: clone /proc/self/exe to avoid exposing host binary to
+ container
+
+ [ Arnaud Rebillout ]
+ * Add version and gitcommit to the ldflags (Closes: #909644)
+ Note that we fill the git commit with something that is NOT a git commit
+ at all, instead we use it as a placeholder for the debian version. The
+ debian version is a relevant information for the user, and it's nice to
+ be able to show it, some way or another.
+
+ -- Shengjing Zhu <zhsj@debian.org> Sun, 10 Mar 2019 17:51:44 +0800
+
+runc (1.0.0~rc6+dfsg1-2) unstable; urgency=medium
+
+ * Team upload.
+ * Apply upstream patch addressing CVE-2019-5736 (Closes: #922050)
+ Thanks Noah Meyerhans!
+
+ -- Shengjing Zhu <zhsj@debian.org> Tue, 12 Feb 2019 23:45:09 +0800
+
+runc (1.0.0~rc6+dfsg1-1) unstable; urgency=medium
+
+ * Standards-Version: 4.3.0.
+ * New upstream release.
+
+ -- Dmitry Smirnov <onlyjob@debian.org> Fri, 25 Jan 2019 07:55:34 +1100
+
+runc (1.0.0~rc5+dfsg1-4) unstable; urgency=medium
+
+ * New patch to disable Hugetlb tests.
+
+ -- Dmitry Smirnov <onlyjob@debian.org> Thu, 27 Sep 2018 08:16:11 +1000
+
+runc (1.0.0~rc5+dfsg1-3) unstable; urgency=medium
+
+ * TAGS += ambient
+ * New patch to fix FTBFS on mips* architectures.
+
+ -- Dmitry Smirnov <onlyjob@debian.org> Mon, 18 Jun 2018 11:47:25 +1000
+
+runc (1.0.0~rc5+dfsg1-2) unstable; urgency=medium
+
+ * New patch to fix integer overflow on i686.
+ * Build with "selinux" tag (Closes: #865993).
+ Thanks, Laurent Bigonville.
+ * Added myself to uploaders.
+
+ -- Dmitry Smirnov <onlyjob@debian.org> Sat, 16 Jun 2018 22:12:23 +1000
+
+runc (1.0.0~rc5+dfsg1-1) unstable; urgency=medium
+
+ * Team upload.
+
+ [ Arnaud Rebillout ]
+ * Set minimum requirement for golang-gocapability-dev.
+ And drop the alternative name golang-github-syndtr-gocapability-dev,
+ this name never existed in the first place.
+
+ [ Dmitry Smirnov ]
+ * New upstream release
+ * Testsuite: autopkgtest-pkg-go
+ * Standards-Version: 4.1.4; Priority: optional
+ * debhelper to version 11; compat to version 10.
+ * Added "XS-Go-Import-Path".
+ * (Build-)Depends:
+ - golang-github-codegangsta-cli-dev
+ - golang-github-coreos-pkg-dev
+ - golang-golang-x-sys-dev
+ - golang-logrus-dev
+ + golang-github-containerd-console-dev
+ + golang-github-pkg-errors-dev
+ + golang-github-sirupsen-logrus-dev
+ + golang-github-urfave-cli-dev
+
+ -- Dmitry Smirnov <onlyjob@debian.org> Fri, 15 Jun 2018 21:48:18 +1000
+
+runc (1.0.0~rc4+dfsg1-6) unstable; urgency=medium
+
+ [ Michael Stapelberg ]
+ * update debian/gitlab-ci.yml (using salsa.debian.org/go-team/ci/cmd/ci)
+
+ [ Dmitry Smirnov ]
+ * Removed myself from uploaders.
+
+ [ Balint Reczey ]
+ * Team upload
+ * Stop using unix.SIGUNUSED which has been removed from golang.org/x/sys
+ (Closes: #889704)
+
+ -- Balint Reczey <rbalint@ubuntu.com> Tue, 10 Apr 2018 18:40:56 +0200
+
+runc (1.0.0~rc4+dfsg1-5) unstable; urgency=medium
+
+ * Vcs-* urls: pkg-go-team -> go-team.
+
+ -- Alexandre Viau <aviau@debian.org> Mon, 05 Feb 2018 23:05:40 -0500
+
+runc (1.0.0~rc4+dfsg1-4) unstable; urgency=medium
+
+ * Point vcs-* urls to packages subgroup.
+
+ -- Alexandre Viau <aviau@debian.org> Thu, 25 Jan 2018 15:23:12 -0500
+
+runc (1.0.0~rc4+dfsg1-3) unstable; urgency=medium
+
+ * Change my email to @debian.org.
+ * Move to salsa.debian.org.
+
+ -- Alexandre Viau <aviau@debian.org> Fri, 29 Dec 2017 00:34:59 -0500
+
+runc (1.0.0~rc4+dfsg1-2) unstable; urgency=medium
+
+ * Mark runc breaking docker.io (<= 1.13.1~ds1-2) (Closes: #877146)
+
+ -- Balint Reczey <rbalint@ubuntu.com> Sat, 30 Sep 2017 11:50:52 -0400
+
+runc (1.0.0~rc4+dfsg1-1) unstable; urgency=medium
+
+ * Team Upload
+ * Update watch file to match release candidates
+ * Update Files-Excuded and d/control to match dependencies of rc4
+ * New upstream release candidate 1.0.0-rc4
+ * Drop obsoleted patches
+ * Drop outdated README.source
+ * Require at least final 1.0.0 release of
+ golang-github-opencontainers-specs-dev (Closes: #858250)
+ * Fix typo in golang-github-opencontainers-runc-dev package description
+ (Closes: #873760)
+
+ -- Balint Reczey <rbalint@ubuntu.com> Sat, 30 Sep 2017 11:50:50 -0400
+
+runc (1.0.0~rc2+git20170201.133.9df8b30-3) unstable; urgency=medium
+
+ * Replace golang-go with golang-any in Build-Depends
+
+ -- Konstantinos Margaritis <markos@debian.org> Wed, 09 Aug 2017 15:00:55 +0300
+
+runc (1.0.0~rc2+git20170201.133.9df8b30-2) unstable; urgency=medium
+
+ * Patch to make libcontainer ignore cgroup2 hierarchy. Patch pulled from
+ https://github.com/opencontainers/runc/pull/1266.
+
+ -- Vincent Bernat <bernat@debian.org> Fri, 30 Jun 2017 07:10:34 +0200
+
+runc (1.0.0~rc2+git20170201.133.9df8b30-1) unstable; urgency=medium
+
+ * New upstream snapshot for Docker 1.13.1.
+
+ -- Tim Potter <tpot@hpe.com> Wed, 24 May 2017 11:36:40 +1000
+
+runc (1.0.0~rc2+git20161109.131.5137186-2) unstable; urgency=medium
+
+ * Add Breaks line to binary package to avoid messing up previous
+ Docker installs.
+
+ -- Tim Potter <tpot@hpe.com> Fri, 24 Feb 2017 09:49:06 +1100
+
+runc (1.0.0~rc2+git20161109.131.5137186-1) unstable; urgency=medium
+
+ * New upstream snapshot.
+ * Refresh backported patch for CVE-2016-9962.
+
+ -- Tim Potter <tpot@hpe.com> Wed, 15 Feb 2017 09:08:52 +1100
+
+runc (0.1.1+dfsg1-2) unstable; urgency=medium
+
+ * Team upload.
+ * Backport patch for CVE-2016-9962 (Closes: #850951)
+
+ -- Tianon Gravi <tianon@debian.org> Wed, 01 Feb 2017 07:17:54 -0800
+
+runc (0.1.1+dfsg1-1) unstable; urgency=medium
+
+ * New upstream release [June 2016].
+ * testworks: disabled privileged and failing tests.
+ * Build with "apparmor seccomp" tags (Closes: #830818);
+ Build-Depends += "libapparmor-dev".
+
+ -- Dmitry Smirnov <onlyjob@debian.org> Wed, 13 Jul 2016 23:00:43 +1000
+
+runc (0.1.0+dfsg1-1) unstable; urgency=medium
+
+ * Dropped dependency on "golang-docker-dev" in favour of bundled
+ (or build time sub-vendored) "github.com/docker/docker" in order
+ to avoid circular dependency with Docker.
+ * Standards-Version: 3.9.8.
+ * Corrected Vcs-Git URL.
+
+ -- Dmitry Smirnov <onlyjob@debian.org> Sun, 12 Jun 2016 17:56:45 +1000
+
+runc (0.1.0+dfsg-1) unstable; urgency=medium
+
+ [ Tim Potter ]
+ * Team upload
+ * New upstream release [April 2016]
+ = golang-github-opencontainers-specs-dev (>= 0.5.0~)
+ * De-vendor new dependencies; pquerna/ffjson appears unused
+
+ -- Dmitry Smirnov <onlyjob@debian.org> Sat, 23 Apr 2016 07:59:18 +1000
+
+runc (0.0.9+dfsg-1) unstable; urgency=medium
+
+ * New upstream release [March 2016].
+ * (Build-)Depends:
+ = golang-github-opencontainers-specs-dev (>= 0.4.0~)
+ = golang-github-codegangsta-cli-dev (>= 0.0~git20151221~)
+ - help2man
+ + go-md2man
+ * Install upstream man pages.
+ * Install "runc" binary to "/usr/sbin".
+
+ -- Dmitry Smirnov <onlyjob@debian.org> Sat, 16 Apr 2016 17:23:48 +1000
+
+runc (0.0.8+dfsg-2) unstable; urgency=medium
+
+ * (Build-)Depends:
+ + golang-github-docker-go-units-dev
+ + golang-github-seccomp-libseccomp-golang-dev
+
+ -- Dmitry Smirnov <onlyjob@debian.org> Wed, 23 Mar 2016 20:05:01 +1100
+
+runc (0.0.8+dfsg-1) unstable; urgency=medium
+
+ * New upstream release [February 2016].
+ * Build-Depends:
+ + golang-github-vishvananda-netlink-dev
+ * Updated Vcs URLs.
+ * Standards-Version: 3.9.7.
+
+ -- Dmitry Smirnov <onlyjob@debian.org> Fri, 26 Feb 2016 18:19:24 +1100
+
+runc (0.0.4~dfsg-1) unstable; urgency=medium
+
+ * New upstream release (Closes: #802507).
+ * Dropped obsolete lintian-overrides.
+
+ -- Dmitry Smirnov <onlyjob@debian.org> Wed, 21 Oct 2015 09:02:42 +1100
+
+runc (0.0.3~dfsg2-1) unstable; urgency=low
+
+ * Initial release (Closes: #796486).
+ Thanks, Alexandre Viau.
+
+ -- Dmitry Smirnov <onlyjob@debian.org> Sun, 06 Sep 2015 18:06:34 +1000
--- /dev/null
+libcontainer/criurpc/criurpc.pb.go
+
+## Remove generated man pages:
+man/man8/*
+
+## Drop hanging test (introduced in 0.0.9).
+## https://github.com/opencontainers/runc/issues/692
+libcontainer/nsenter/nsenter_test.go
+
+## Generated:
+libcontainer/criurpc/criurpc.pb.go
+
+
+## Failing tests:
+
+## Privileged tests:
+### couldn't get cgroup root: mountpoint for cgroup not found
+libcontainer/cgroups/fs/apply_raw_test.go
+
+### FAIL: TestXattr (0.00s)
+### xattr_test.go:26: Success
+### xattr_test.go:30: failed
+libcontainer/xattr/xattr_test.go
--- /dev/null
+Source: runc
+Section: devel
+Priority: optional
+Maintainer: Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>
+Uploaders: Alexandre Viau <aviau@debian.org>, Dmitry Smirnov <onlyjob@debian.org>,
+ Tim Potter <tpot@hpe.com>
+Build-Depends: debhelper (>= 11~),
+ dh-golang,
+ go-md2man,
+ golang-any,
+ golang-dbus-dev,
+ golang-github-containerd-console-dev,
+ golang-github-coreos-go-systemd-dev,
+ golang-github-docker-go-units-dev,
+ golang-github-mrunalp-fileutils-dev,
+ golang-github-opencontainers-selinux-dev,
+ golang-github-opencontainers-specs-dev (>= 1.0.1-5~),
+ golang-github-pkg-errors-dev,
+ golang-github-seccomp-libseccomp-golang-dev,
+ golang-github-sirupsen-logrus-dev (>= 1.0.2~),
+ golang-github-urfave-cli-dev,
+ golang-github-vishvananda-netlink-dev,
+ golang-gocapability-dev (>= 0.0~git20160928~),
+ golang-goprotobuf-dev,
+ libapparmor-dev,
+ protobuf-compiler
+Standards-Version: 4.3.0
+Homepage: https://github.com/opencontainers/runc
+Vcs-Git: https://salsa.debian.org/go-team/packages/runc.git
+Vcs-Browser: https://salsa.debian.org/go-team/packages/runc
+XS-Go-Import-Path: github.com/opencontainers/runc
+Testsuite: autopkgtest-pkg-go
+
+Package: runc
+Architecture: any
+Depends: ${misc:Depends}, ${shlibs:Depends}
+Breaks: docker.io (<= 1.13.1~ds1-2)
+Built-Using: ${misc:Built-Using}
+Description: Open Container Project - runtime
+ "runc" is a command line client for running applications packaged according
+ to the Open Container Format (OCF) and is a compliant implementation of
+ the Open Container Project specification.
+
+Package: golang-github-opencontainers-runc-dev
+Architecture: all
+Depends: ${misc:Depends},
+ golang-dbus-dev,
+ golang-github-coreos-go-systemd-dev,
+ golang-github-docker-go-units-dev,
+ golang-github-opencontainers-selinux-dev,
+ golang-github-opencontainers-specs-dev (>= 1.0.1-5~),
+ golang-github-seccomp-libseccomp-golang-dev,
+ golang-github-sirupsen-logrus-dev (>= 1.0.2~),
+ golang-github-urfave-cli-dev,
+ golang-github-vishvananda-netlink-dev,
+ golang-gocapability-dev (>= 0.0~git20160928~),
+ golang-goprotobuf-dev
+Description: Open Container Project - development files
+ "runc" is a command line client for running applications packaged according
+ to the Open Container Format (OCF) and is a compliant implementation of
+ the Open Container Project specification.
+ .
+ This package provides development files formerly known as
+ "github.com/docker/libcontainer".
--- /dev/null
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: runc
+Source: https://github.com/opencontainers/runc
+Files-Excluded:
+ vendor/github.com/containerd/console
+ vendor/github.com/coreos/go-systemd
+ vendor/github.com/coreos/pkg
+ ~~vendor/github.com/cyphar/filepath-securejoin
+ vendor/github.com/docker/go-units
+ vendor/github.com/godbus/dbus
+ vendor/github.com/golang/protobuf
+ vendor/github.com/mrunalp/fileutils
+ vendor/github.com/opencontainers/runtime-spec
+ vendor/github.com/opencontainers/selinux
+ vendor/github.com/pkg/errors
+ vendor/github.com/seccomp/libseccomp-golang
+ vendor/github.com/sirupsen/logrus
+ vendor/github.com/syndtr/gocapability
+ vendor/github.com/urfave/cli
+ vendor/github.com/vishvananda/netlink
+ vendor/golang.org/x/sys
+
+Files: *
+Copyright: 2012-2015 Docker, Inc.
+License: Apache-2.0
+
+Files:
+ vendor/github.com/cyphar/filepath-securejoin/*
+Copyright:
+ 2014-2015 Docker Inc & Go Authors. All rights reserved.
+ 2017 SUSE LLC. All rights reserved.
+License: BSD-3-Clause~Google
+
+Files: debian/*
+Copyright:
+ 2015 Alexandre Viau <alexandre@alexandreviau.net>
+ 2015-2019 Dmitry Smirnov <onlyjob@debian.org>
+License: GPL-3+
+
+Files: debian/patches/*
+Copyright: 2015 Dmitry Smirnov <onlyjob@debian.org>
+License: GPL-3+ or Apache-2.0
+Comment: patches can be licensed under the same terms as upstream.
+
+License: Apache-2.0
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+ .
+ http://www.apache.org/licenses/LICENSE-2.0
+ .
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ .
+ The complete text of the Apache version 2.0 license
+ can be found in "/usr/share/common-licenses/Apache-2.0".
+
+License: GPL-3+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+ ․
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ ․
+ The complete text of the GNU General Public License version 3
+ can be found in "/usr/share/common-licenses/GPL-3".
+
+License: BSD-3-Clause~Google
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are
+ met:
+ .
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above
+ copyright notice, this list of conditions and the following disclaimer
+ in the documentation and/or other materials provided with the
+ distribution.
+ * Neither the name of Google Inc. nor the names of its
+ contributors may be used to endorse or promote products derived from
+ this software without specific prior written permission.
+ .
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--- /dev/null
+[buildpackage]
+overlay = True
+export-dir = ../build-area/
+tarball-dir = ../
+
+[dch]
+id-length = 0
+
+[import-orig]
+pristine-tar = True
+merge = False
--- /dev/null
+
+# auto-generated, DO NOT MODIFY.
+# The authoritative copy of this file lives at:
+# https://salsa.debian.org/go-team/ci/blob/master/cmd/ci/gitlabciyml.go
+
+# TODO: publish under debian-go-team/ci
+image: stapelberg/ci2
+
+test_the_archive:
+ artifacts:
+ paths:
+ - before-applying-commit.json
+ - after-applying-commit.json
+ script:
+ # Create an overlay to discard writes to /srv/gopath/src after the build:
+ - "rm -rf /cache/overlay/{upper,work}"
+ - "mkdir -p /cache/overlay/{upper,work}"
+ - "mount -t overlay overlay -o lowerdir=/srv/gopath/src,upperdir=/cache/overlay/upper,workdir=/cache/overlay/work /srv/gopath/src"
+ - "export GOPATH=/srv/gopath"
+ - "export GOCACHE=/cache/go"
+ # Build the world as-is:
+ - "ci-build -exemptions=/var/lib/ci-build/exemptions.json > before-applying-commit.json"
+ # Copy this package into the overlay:
+ - "GBP_CONF_FILES=:debian/gbp.conf gbp buildpackage --git-no-pristine-tar --git-ignore-branch --git-ignore-new --git-export-dir=/tmp/export --git-no-overlay --git-tarball-dir=/nonexistant --git-cleaner=/bin/true --git-builder='dpkg-buildpackage -S -d --no-sign'"
+ - "pgt-gopath -dsc /tmp/export/*.dsc"
+ # Rebuild the world:
+ - "ci-build -exemptions=/var/lib/ci-build/exemptions.json > after-applying-commit.json"
+ - "ci-diff before-applying-commit.json after-applying-commit.json"
--- /dev/null
+usr/share/gocode/src
--- /dev/null
+From: Shengjing Zhu <zhsj@debian.org>
+Date: Sun, 10 Mar 2019 17:47:46 +0800
+Subject: CVE-2019-5736
+
+Backport upstream patches for CVE-2019-5736
+
+Include commits:
+2d4a37b427167907ef2402586a8e8e2931a22490 nsenter: cloned_binary: userspace copy fallback if sendfile fails
+16612d74de5f84977e50a9c8ead7f0e9e13b8628 nsenter: cloned_binary: try to ro-bind /proc/self/exe before copying
+af9da0a45082783f6005b252488943b5ee2e2138 nsenter: cloned_binary: use the runc statedir for O_TMPFILE
+2429d59352b81f6b9cc79b5ed26780c5fe6ba4ec nsenter: cloned_binary: expand and add pre-3.11 fallbacks
+5b775bf297c47a6bc50e36da89d1ec74a6fa01dc nsenter: cloned_binary: detect and handle short copies
+bb7d8b1f41f7bf0399204d54009d6da57c3cc775 nsexec (CVE-2019-5736): avoid parsing environ
+0a8e4117e7f715d5fbeef398405813ce8e88558b nsenter: clone /proc/self/exe to avoid exposing host binary to container
+
+Debian-Bug: https://bugs.debian.org/922050
+---
+ libcontainer/nsenter/cloned_binary.c | 516 +++++++++++++++++++++++++++++++++++
+ libcontainer/nsenter/nsexec.c | 11 +
+ 2 files changed, 527 insertions(+)
+ create mode 100644 libcontainer/nsenter/cloned_binary.c
+
+diff --git a/libcontainer/nsenter/cloned_binary.c b/libcontainer/nsenter/cloned_binary.c
+new file mode 100644
+index 0000000..b410e29
+--- /dev/null
++++ b/libcontainer/nsenter/cloned_binary.c
+@@ -0,0 +1,516 @@
++/*
++ * Copyright (C) 2019 Aleksa Sarai <cyphar@cyphar.com>
++ * Copyright (C) 2019 SUSE LLC
++ *
++ * Licensed under the Apache License, Version 2.0 (the "License");
++ * you may not use this file except in compliance with the License.
++ * You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++
++#define _GNU_SOURCE
++#include <unistd.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <stdbool.h>
++#include <string.h>
++#include <limits.h>
++#include <fcntl.h>
++#include <errno.h>
++
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <sys/statfs.h>
++#include <sys/vfs.h>
++#include <sys/mman.h>
++#include <sys/mount.h>
++#include <sys/sendfile.h>
++#include <sys/syscall.h>
++
++/* Use our own wrapper for memfd_create. */
++#if !defined(SYS_memfd_create) && defined(__NR_memfd_create)
++# define SYS_memfd_create __NR_memfd_create
++#endif
++/* memfd_create(2) flags -- copied from <linux/memfd.h>. */
++#ifndef MFD_CLOEXEC
++# define MFD_CLOEXEC 0x0001U
++# define MFD_ALLOW_SEALING 0x0002U
++#endif
++int memfd_create(const char *name, unsigned int flags)
++{
++#ifdef SYS_memfd_create
++ return syscall(SYS_memfd_create, name, flags);
++#else
++ errno = ENOSYS;
++ return -1;
++#endif
++}
++
++
++/* This comes directly from <linux/fcntl.h>. */
++#ifndef F_LINUX_SPECIFIC_BASE
++# define F_LINUX_SPECIFIC_BASE 1024
++#endif
++#ifndef F_ADD_SEALS
++# define F_ADD_SEALS (F_LINUX_SPECIFIC_BASE + 9)
++# define F_GET_SEALS (F_LINUX_SPECIFIC_BASE + 10)
++#endif
++#ifndef F_SEAL_SEAL
++# define F_SEAL_SEAL 0x0001 /* prevent further seals from being set */
++# define F_SEAL_SHRINK 0x0002 /* prevent file from shrinking */
++# define F_SEAL_GROW 0x0004 /* prevent file from growing */
++# define F_SEAL_WRITE 0x0008 /* prevent writes */
++#endif
++
++#define CLONED_BINARY_ENV "_LIBCONTAINER_CLONED_BINARY"
++#define RUNC_MEMFD_COMMENT "runc_cloned:/proc/self/exe"
++#define RUNC_MEMFD_SEALS \
++ (F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)
++
++static void *must_realloc(void *ptr, size_t size)
++{
++ void *old = ptr;
++ do {
++ ptr = realloc(old, size);
++ } while(!ptr);
++ return ptr;
++}
++
++/*
++ * Verify whether we are currently in a self-cloned program (namely, is
++ * /proc/self/exe a memfd). F_GET_SEALS will only succeed for memfds (or rather
++ * for shmem files), and we want to be sure it's actually sealed.
++ */
++static int is_self_cloned(void)
++{
++ int fd, ret, is_cloned = 0;
++ struct stat statbuf = {};
++ struct statfs fsbuf = {};
++
++ fd = open("/proc/self/exe", O_RDONLY|O_CLOEXEC);
++ if (fd < 0)
++ return -ENOTRECOVERABLE;
++
++ /*
++ * Is the binary a fully-sealed memfd? We don't need CLONED_BINARY_ENV for
++ * this, because you cannot write to a sealed memfd no matter what (so
++ * sharing it isn't a bad thing -- and an admin could bind-mount a sealed
++ * memfd to /usr/bin/runc to allow re-use).
++ */
++ ret = fcntl(fd, F_GET_SEALS);
++ if (ret >= 0) {
++ is_cloned = (ret == RUNC_MEMFD_SEALS);
++ goto out;
++ }
++
++ /*
++ * All other forms require CLONED_BINARY_ENV, since they are potentially
++ * writeable (or we can't tell if they're fully safe) and thus we must
++ * check the environment as an extra layer of defence.
++ */
++ if (!getenv(CLONED_BINARY_ENV)) {
++ is_cloned = false;
++ goto out;
++ }
++
++ /*
++ * Is the binary on a read-only filesystem? We can't detect bind-mounts in
++ * particular (in-kernel they are identical to regular mounts) but we can
++ * at least be sure that it's read-only. In addition, to make sure that
++ * it's *our* bind-mount we check CLONED_BINARY_ENV.
++ */
++ if (fstatfs(fd, &fsbuf) >= 0)
++ is_cloned |= (fsbuf.f_flags & MS_RDONLY);
++
++ /*
++ * Okay, we're a tmpfile -- or we're currently running on RHEL <=7.6
++ * which appears to have a borked backport of F_GET_SEALS. Either way,
++ * having a file which has no hardlinks indicates that we aren't using
++ * a host-side "runc" binary and this is something that a container
++ * cannot fake (because unlinking requires being able to resolve the
++ * path that you want to unlink).
++ */
++ if (fstat(fd, &statbuf) >= 0)
++ is_cloned |= (statbuf.st_nlink == 0);
++
++out:
++ close(fd);
++ return is_cloned;
++}
++
++/* Read a given file into a new buffer, and providing the length. */
++static char *read_file(char *path, size_t *length)
++{
++ int fd;
++ char buf[4096], *copy = NULL;
++
++ if (!length)
++ return NULL;
++
++ fd = open(path, O_RDONLY | O_CLOEXEC);
++ if (fd < 0)
++ return NULL;
++
++ *length = 0;
++ for (;;) {
++ ssize_t n;
++
++ n = read(fd, buf, sizeof(buf));
++ if (n < 0)
++ goto error;
++ if (!n)
++ break;
++
++ copy = must_realloc(copy, (*length + n) * sizeof(*copy));
++ memcpy(copy + *length, buf, n);
++ *length += n;
++ }
++ close(fd);
++ return copy;
++
++error:
++ close(fd);
++ free(copy);
++ return NULL;
++}
++
++/*
++ * A poor-man's version of "xargs -0". Basically parses a given block of
++ * NUL-delimited data, within the given length and adds a pointer to each entry
++ * to the array of pointers.
++ */
++static int parse_xargs(char *data, int data_length, char ***output)
++{
++ int num = 0;
++ char *cur = data;
++
++ if (!data || *output != NULL)
++ return -1;
++
++ while (cur < data + data_length) {
++ num++;
++ *output = must_realloc(*output, (num + 1) * sizeof(**output));
++ (*output)[num - 1] = cur;
++ cur += strlen(cur) + 1;
++ }
++ (*output)[num] = NULL;
++ return num;
++}
++
++/*
++ * "Parse" out argv from /proc/self/cmdline.
++ * This is necessary because we are running in a context where we don't have a
++ * main() that we can just get the arguments from.
++ */
++static int fetchve(char ***argv)
++{
++ char *cmdline = NULL;
++ size_t cmdline_size;
++
++ cmdline = read_file("/proc/self/cmdline", &cmdline_size);
++ if (!cmdline)
++ goto error;
++
++ if (parse_xargs(cmdline, cmdline_size, argv) <= 0)
++ goto error;
++
++ return 0;
++
++error:
++ free(cmdline);
++ return -EINVAL;
++}
++
++enum {
++ EFD_NONE = 0,
++ EFD_MEMFD,
++ EFD_FILE,
++};
++
++/*
++ * This comes from <linux/fcntl.h>. We can't hard-code __O_TMPFILE because it
++ * changes depending on the architecture. If we don't have O_TMPFILE we always
++ * have the mkostemp(3) fallback.
++ */
++#ifndef O_TMPFILE
++# if defined(__O_TMPFILE) && defined(O_DIRECTORY)
++# define O_TMPFILE (__O_TMPFILE | O_DIRECTORY)
++# endif
++#endif
++
++static int make_execfd(int *fdtype)
++{
++ int fd = -1;
++ char template[PATH_MAX] = {0};
++ char *prefix = secure_getenv("_LIBCONTAINER_STATEDIR");
++
++ if (!prefix || *prefix != '/')
++ prefix = "/tmp";
++ if (snprintf(template, sizeof(template), "%s/runc.XXXXXX", prefix) < 0)
++ return -1;
++
++ /*
++ * Now try memfd, it's much nicer than actually creating a file in STATEDIR
++ * since it's easily detected thanks to sealing and also doesn't require
++ * assumptions about STATEDIR.
++ */
++ *fdtype = EFD_MEMFD;
++ fd = memfd_create(RUNC_MEMFD_COMMENT, MFD_CLOEXEC | MFD_ALLOW_SEALING);
++ if (fd >= 0)
++ return fd;
++ if (errno != ENOSYS && errno != EINVAL)
++ goto error;
++
++#ifdef O_TMPFILE
++ /*
++ * Try O_TMPFILE to avoid races where someone might snatch our file. Note
++ * that O_EXCL isn't actually a security measure here (since you can just
++ * fd re-open it and clear O_EXCL).
++ */
++ *fdtype = EFD_FILE;
++ fd = open(prefix, O_TMPFILE | O_EXCL | O_RDWR | O_CLOEXEC, 0700);
++ if (fd >= 0) {
++ struct stat statbuf = {};
++ bool working_otmpfile = false;
++
++ /*
++ * open(2) ignores unknown O_* flags -- yeah, I was surprised when I
++ * found this out too. As a result we can't check for EINVAL. However,
++ * if we get nlink != 0 (or EISDIR) then we know that this kernel
++ * doesn't support O_TMPFILE.
++ */
++ if (fstat(fd, &statbuf) >= 0)
++ working_otmpfile = (statbuf.st_nlink == 0);
++
++ if (working_otmpfile)
++ return fd;
++
++ /* Pretend that we got EISDIR since O_TMPFILE failed. */
++ close(fd);
++ errno = EISDIR;
++ }
++ if (errno != EISDIR)
++ goto error;
++#endif /* defined(O_TMPFILE) */
++
++ /*
++ * Our final option is to create a temporary file the old-school way, and
++ * then unlink it so that nothing else sees it by accident.
++ */
++ *fdtype = EFD_FILE;
++ fd = mkostemp(template, O_CLOEXEC);
++ if (fd >= 0) {
++ if (unlink(template) >= 0)
++ return fd;
++ close(fd);
++ }
++
++error:
++ *fdtype = EFD_NONE;
++ return -1;
++}
++
++static int seal_execfd(int *fd, int fdtype)
++{
++ switch (fdtype) {
++ case EFD_MEMFD:
++ return fcntl(*fd, F_ADD_SEALS, RUNC_MEMFD_SEALS);
++ case EFD_FILE: {
++ /* Need to re-open our pseudo-memfd as an O_PATH to avoid execve(2) giving -ETXTBSY. */
++ int newfd;
++ char fdpath[PATH_MAX] = {0};
++
++ if (fchmod(*fd, 0100) < 0)
++ return -1;
++
++ if (snprintf(fdpath, sizeof(fdpath), "/proc/self/fd/%d", *fd) < 0)
++ return -1;
++
++ newfd = open(fdpath, O_PATH | O_CLOEXEC);
++ if (newfd < 0)
++ return -1;
++
++ close(*fd);
++ *fd = newfd;
++ return 0;
++ }
++ default:
++ break;
++ }
++ return -1;
++}
++
++static int try_bindfd(void)
++{
++ int fd, ret = -1;
++ char template[PATH_MAX] = {0};
++ char *prefix = secure_getenv("_LIBCONTAINER_STATEDIR");
++
++ if (!prefix || *prefix != '/')
++ prefix = "/tmp";
++ if (snprintf(template, sizeof(template), "%s/runc.XXXXXX", prefix) < 0)
++ return ret;
++
++ /*
++ * We need somewhere to mount it, mounting anything over /proc/self is a
++ * BAD idea on the host -- even if we do it temporarily.
++ */
++ fd = mkstemp(template);
++ if (fd < 0)
++ return ret;
++ close(fd);
++
++ /*
++ * For obvious reasons this won't work in rootless mode because we haven't
++ * created a userns+mntns -- but getting that to work will be a bit
++ * complicated and it's only worth doing if someone actually needs it.
++ */
++ ret = -EPERM;
++ if (mount("/proc/self/exe", template, "", MS_BIND, "") < 0)
++ goto out;
++ if (mount("", template, "", MS_REMOUNT | MS_BIND | MS_RDONLY, "") < 0)
++ goto out_umount;
++
++
++ /* Get read-only handle that we're sure can't be made read-write. */
++ ret = open(template, O_PATH | O_CLOEXEC);
++
++out_umount:
++ /*
++ * Make sure the MNT_DETACH works, otherwise we could get remounted
++ * read-write and that would be quite bad (the fd would be made read-write
++ * too, invalidating the protection).
++ */
++ if (umount2(template, MNT_DETACH) < 0) {
++ if (ret >= 0)
++ close(ret);
++ ret = -ENOTRECOVERABLE;
++ }
++
++out:
++ /*
++ * We don't care about unlink errors, the worst that happens is that
++ * there's an empty file left around in STATEDIR.
++ */
++ unlink(template);
++ return ret;
++}
++
++static ssize_t fd_to_fd(int outfd, int infd)
++{
++ ssize_t total = 0;
++ char buffer[4096];
++
++ for (;;) {
++ ssize_t nread, nwritten = 0;
++
++ nread = read(infd, buffer, sizeof(buffer));
++ if (nread < 0)
++ return -1;
++ if (!nread)
++ break;
++
++ do {
++ ssize_t n = write(outfd, buffer + nwritten, nread - nwritten);
++ if (n < 0)
++ return -1;
++ nwritten += n;
++ } while(nwritten < nread);
++
++ total += nwritten;
++ }
++
++ return total;
++}
++
++static int clone_binary(void)
++{
++ int binfd, execfd;
++ struct stat statbuf = {};
++ size_t sent = 0;
++ int fdtype = EFD_NONE;
++
++ /*
++ * Before we resort to copying, let's try creating an ro-binfd in one shot
++ * by getting a handle for a read-only bind-mount of the execfd.
++ */
++ execfd = try_bindfd();
++ if (execfd >= 0)
++ return execfd;
++
++ /*
++ * Dammit, that didn't work -- time to copy the binary to a safe place we
++ * can seal the contents.
++ */
++ execfd = make_execfd(&fdtype);
++ if (execfd < 0 || fdtype == EFD_NONE)
++ return -ENOTRECOVERABLE;
++
++ binfd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
++ if (binfd < 0)
++ goto error;
++
++ if (fstat(binfd, &statbuf) < 0)
++ goto error_binfd;
++
++ while (sent < statbuf.st_size) {
++ int n = sendfile(execfd, binfd, NULL, statbuf.st_size - sent);
++ if (n < 0) {
++ /* sendfile can fail so we fallback to a dumb user-space copy. */
++ n = fd_to_fd(execfd, binfd);
++ if (n < 0)
++ goto error_binfd;
++ }
++ sent += n;
++ }
++ close(binfd);
++ if (sent != statbuf.st_size)
++ goto error;
++
++ if (seal_execfd(&execfd, fdtype) < 0)
++ goto error;
++
++ return execfd;
++
++error_binfd:
++ close(binfd);
++error:
++ close(execfd);
++ return -EIO;
++}
++
++/* Get cheap access to the environment. */
++extern char **environ;
++
++int ensure_cloned_binary(void)
++{
++ int execfd;
++ char **argv = NULL;
++
++ /* Check that we're not self-cloned, and if we are then bail. */
++ int cloned = is_self_cloned();
++ if (cloned > 0 || cloned == -ENOTRECOVERABLE)
++ return cloned;
++
++ if (fetchve(&argv) < 0)
++ return -EINVAL;
++
++ execfd = clone_binary();
++ if (execfd < 0)
++ return -EIO;
++
++ if (putenv(CLONED_BINARY_ENV "=1"))
++ goto error;
++
++ fexecve(execfd, argv, environ);
++error:
++ close(execfd);
++ return -ENOEXEC;
++}
+diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
+index 28269df..7750af3 100644
+--- a/libcontainer/nsenter/nsexec.c
++++ b/libcontainer/nsenter/nsexec.c
+@@ -534,6 +534,9 @@ void join_namespaces(char *nslist)
+ free(namespaces);
+ }
+
++/* Defined in cloned_binary.c. */
++extern int ensure_cloned_binary(void);
++
+ void nsexec(void)
+ {
+ int pipenum;
+@@ -549,6 +552,14 @@ void nsexec(void)
+ if (pipenum == -1)
+ return;
+
++ /*
++ * We need to re-exec if we are not in a cloned binary. This is necessary
++ * to ensure that containers won't be able to access the host binary
++ * through /proc/self/exe. See CVE-2019-5736.
++ */
++ if (ensure_cloned_binary() < 0)
++ bail("could not ensure we are a cloned binary");
++
+ /* Parse all of the netlink configuration. */
+ nl_parse(pipenum, &config);
+
--- /dev/null
+test--fix_TestGetAdditionalGroups.patch
+test--skip-Hugetlb.patch
+test--skip_TestFactoryNewTmpfs.patch
+CVE-2019-5736.patch
--- /dev/null
+Last-Update: 2018-06-16
+Forwarded: https://github.com/opencontainers/runc/pull/1821
+Bug-Upstream: https://github.com/opencontainers/runc/issues/941
+Author: Dmitry Smirnov <onlyjob@debian.org>
+Description: fix FTBFS on i686
+ src/github.com/opencontainers/runc/libcontainer/user/user_test.go:448:36: constant 2147483648 overflows int
+
+--- a/libcontainer/user/user_test.go
++++ b/libcontainer/user/user_test.go
+@@ -444,9 +444,9 @@
+
+ if utils.GetIntSize() > 4 {
+ tests = append(tests, foo{
+ // groups with too large id
+- groups: []string{strconv.Itoa(1 << 31)},
++ groups: []string{strconv.Itoa( 1<<31 -1 )},
+ expected: nil,
+ hasError: true,
+ })
+ }
+--- a/libcontainer/user/user.go
++++ b/libcontainer/user/user.go
+@@ -472,9 +472,9 @@
+ if err != nil {
+ return nil, fmt.Errorf("Unable to find group %s", ag)
+ }
+ // Ensure gid is inside gid range.
+- if gid < minId || gid > maxId {
++ if gid < minId || gid >= maxId {
+ return nil, ErrRange
+ }
+ gidMap[gid] = struct{}{}
+ }
--- /dev/null
+Last-Update: 2018-09-27
+Forwarded: not-needed
+Bug-Upstream: https://github.com/opencontainers/runc/issues/1822
+Author: Dmitry Smirnov <onlyjob@debian.org>
+Description: disabled unreliable tests due to random failures on [ppc64el, s390x].
+
+--- a/libcontainer/cgroups/fs/hugetlb_test.go
++++ b/libcontainer/cgroups/fs/hugetlb_test.go
+@@ -87,8 +87,9 @@
+ }
+ }
+
+ func TestHugetlbStatsNoUsageFile(t *testing.T) {
++t.Skip("Disabled unreliable test")
+ helper := NewCgroupTestUtil("hugetlb", t)
+ defer helper.cleanup()
+ helper.writeFileContents(map[string]string{
+ maxUsage: hugetlbMaxUsageContents,
+@@ -102,8 +103,9 @@
+ }
+ }
+
+ func TestHugetlbStatsNoMaxUsageFile(t *testing.T) {
++t.Skip("Disabled unreliable test")
+ helper := NewCgroupTestUtil("hugetlb", t)
+ defer helper.cleanup()
+ for _, pageSize := range HugePageSizes {
+ helper.writeFileContents(map[string]string{
+@@ -119,8 +121,9 @@
+ }
+ }
+
+ func TestHugetlbStatsBadUsageFile(t *testing.T) {
++t.Skip("Disabled unreliable test")
+ helper := NewCgroupTestUtil("hugetlb", t)
+ defer helper.cleanup()
+ for _, pageSize := range HugePageSizes {
+ helper.writeFileContents(map[string]string{
+@@ -137,8 +140,9 @@
+ }
+ }
+
+ func TestHugetlbStatsBadMaxUsageFile(t *testing.T) {
++t.Skip("Disabled unreliable test")
+ helper := NewCgroupTestUtil("hugetlb", t)
+ defer helper.cleanup()
+ helper.writeFileContents(map[string]string{
+ usage: hugetlbUsageContents,
--- /dev/null
+Last-Update: 2018-06-15
+Forwarded: not-needed
+Author: Dmitry Smirnov <onlyjob@debian.org>
+Description: disable test (requires root)
+
+--- a/libcontainer/factory_linux_test.go
++++ b/libcontainer/factory_linux_test.go
+@@ -77,8 +77,9 @@
+ }
+ }
+
+ func TestFactoryNewTmpfs(t *testing.T) {
++t.Skip("DM - skipping privileged test")
+ root, rerr := newTestRoot()
+ if rerr != nil {
+ t.Fatal(rerr)
+ }
--- /dev/null
+#!/usr/bin/make -f
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+export DH_GOPKG := github.com/opencontainers/runc
+export DH_GOLANG_INSTALL_EXTRA := libcontainer/seccomp/fixtures
+
+include /usr/share/dpkg/pkg-info.mk
+
+TAGS=apparmor seccomp selinux ambient
+LDFLAGS := -X main.version=$(DEB_VERSION_UPSTREAM) -X main.gitCommit=$(DEB_VERSION)
+
+%:
+ dh $@ --buildsystem=golang --with=golang --builddirectory=_build
+
+override_dh_clean:
+ dh_clean
+ ## Remove Files-Excluded (when built from checkout or non-DFSG tarball):
+ $(RM) -rv `perl -0nE 'say $$1 if m{^Files\-Excluded\:\s*(.*?)(?:\n\n|Files:|Comment:)}sm;' debian/copyright`
+
+override_dh_auto_configure:
+ $(MAKE) -C libcontainer/criurpc
+ cd man && ./md2man-all.sh
+ dh_auto_configure
+# ## Sub-vendor "github.com/docker/docker/pkg" (system lib takes preference over bundled one):
+# mkdir -p _build/src/$(DH_GOPKG)/vendor/github.com/docker/docker
+# if [ -d "/usr/share/gocode/src/github.com/docker/docker/pkg" ]; then \
+# cp -vr /usr/share/gocode/src/github.com/docker/docker/pkg _build/src/$(DH_GOPKG)/vendor/github.com/docker/docker/ ;\
+# elif [ -d "vendor/github.com/docker/docker/pkg" ]; then \
+# cp -vr vendor/github.com/docker/docker/pkg _build/src/$(DH_GOPKG)/vendor/github.com/docker/docker/ ;\
+# fi
+ ## Remove extra license files:
+ $(RM) -v \
+ _build/src/$(DH_GOPKG)/vendor/github.com/docker/docker/*/*/LICENSE* \
+ ;
+# ln -svrf vendor/github.com/opencontainers/specs _build/src/github.com/opencontainers/
+
+override_dh_auto_build:
+ dh_auto_build -- -tags "$(TAGS)" -ldflags "$(LDFLAGS)"
+
+override_dh_auto_test:
+ DH_GOLANG_EXCLUDES="libcontainer/integration" \
+ dh_auto_test -- -tags "$(TAGS)"
--- /dev/null
+README*
+NOTICE
--- /dev/null
+usr/bin/* /usr/sbin/
--- /dev/null
+runc: spelling-error-in-binary
--- /dev/null
+man/man8/*.8
--- /dev/null
+3.0 (quilt)
--- /dev/null
+# Result of Files-Excluded:
+source-contains-empty-directory vendor/*
--- /dev/null
+version=3
+
+opts=\
+repack,\
+repacksuffix=+dfsg1,\
+uversionmangle=s/-rc/~rc/,\
+dversionmangle=s/[~+]dfsg\d*$// \
+ https://github.com/opencontainers/runc/releases \
+ .*archive/v?(\d\.\d\.\d.*)\.tar\.gz
projects / runc.git / commitdiff