From: Shengjing Zhu Date: Sun, 10 Mar 2019 09:51:44 +0000 (+0000) Subject: runc (1.0.0~rc6+dfsg1-3) unstable; urgency=medium X-Git-Tag: archive/raspbian/1.0.0_rc10+dfsg1-1+rpi1~1^2^2~4 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=cb81dadc54ff552c857288a3d9dcc57eca4ddbfb;p=runc.git runc (1.0.0~rc6+dfsg1-3) unstable; urgency=medium * Team upload. [ Shengjing Zhu ] * Improve patch for CVE-2019-5736 based on upstream commits. Now the patch includes following commits: + 2d4a37b nsenter: cloned_binary: userspace copy fallback if sendfile fails + 16612d7 nsenter: cloned_binary: try to ro-bind /proc/self/exe before copying + af9da0a nsenter: cloned_binary: use the runc statedir for O_TMPFILE + 2429d59 nsenter: cloned_binary: expand and add pre-3.11 fallbacks + 5b775bf nsenter: cloned_binary: detect and handle short copies + bb7d8b1 nsexec (CVE-2019-5736): avoid parsing environ + 0a8e411 nsenter: clone /proc/self/exe to avoid exposing host binary to container [ Arnaud Rebillout ] * Add version and gitcommit to the ldflags (Closes: #909644) Note that we fill the git commit with something that is NOT a git commit at all, instead we use it as a placeholder for the debian version. The debian version is a relevant information for the user, and it's nice to be able to show it, some way or another. [dgit import unpatched runc 1.0.0~rc6+dfsg1-3] --- cb81dadc54ff552c857288a3d9dcc57eca4ddbfb diff --cc debian/changelog index 0000000,0000000..7364f30 new file mode 100644 --- /dev/null +++ b/debian/changelog @@@ -1,0 -1,0 +1,258 @@@ ++runc (1.0.0~rc6+dfsg1-3) unstable; urgency=medium ++ ++ * Team upload. ++ ++ [ Shengjing Zhu ] ++ * Improve patch for CVE-2019-5736 based on upstream commits. ++ Now the patch includes following commits: ++ + 2d4a37b nsenter: cloned_binary: userspace copy fallback if sendfile fails ++ + 16612d7 nsenter: cloned_binary: try to ro-bind /proc/self/exe before ++ copying ++ + af9da0a nsenter: cloned_binary: use the runc statedir for O_TMPFILE ++ + 2429d59 nsenter: cloned_binary: expand and add pre-3.11 fallbacks ++ + 5b775bf nsenter: cloned_binary: detect and handle short copies ++ + bb7d8b1 nsexec (CVE-2019-5736): avoid parsing environ ++ + 0a8e411 nsenter: clone /proc/self/exe to avoid exposing host binary to ++ container ++ ++ [ Arnaud Rebillout ] ++ * Add version and gitcommit to the ldflags (Closes: #909644) ++ Note that we fill the git commit with something that is NOT a git commit ++ at all, instead we use it as a placeholder for the debian version. The ++ debian version is a relevant information for the user, and it's nice to ++ be able to show it, some way or another. ++ ++ -- Shengjing Zhu Sun, 10 Mar 2019 17:51:44 +0800 ++ ++runc (1.0.0~rc6+dfsg1-2) unstable; urgency=medium ++ ++ * Team upload. ++ * Apply upstream patch addressing CVE-2019-5736 (Closes: #922050) ++ Thanks Noah Meyerhans! ++ ++ -- Shengjing Zhu Tue, 12 Feb 2019 23:45:09 +0800 ++ ++runc (1.0.0~rc6+dfsg1-1) unstable; urgency=medium ++ ++ * Standards-Version: 4.3.0. ++ * New upstream release. ++ ++ -- Dmitry Smirnov Fri, 25 Jan 2019 07:55:34 +1100 ++ ++runc (1.0.0~rc5+dfsg1-4) unstable; urgency=medium ++ ++ * New patch to disable Hugetlb tests. ++ ++ -- Dmitry Smirnov Thu, 27 Sep 2018 08:16:11 +1000 ++ ++runc (1.0.0~rc5+dfsg1-3) unstable; urgency=medium ++ ++ * TAGS += ambient ++ * New patch to fix FTBFS on mips* architectures. ++ ++ -- Dmitry Smirnov Mon, 18 Jun 2018 11:47:25 +1000 ++ ++runc (1.0.0~rc5+dfsg1-2) unstable; urgency=medium ++ ++ * New patch to fix integer overflow on i686. ++ * Build with "selinux" tag (Closes: #865993). ++ Thanks, Laurent Bigonville. ++ * Added myself to uploaders. ++ ++ -- Dmitry Smirnov Sat, 16 Jun 2018 22:12:23 +1000 ++ ++runc (1.0.0~rc5+dfsg1-1) unstable; urgency=medium ++ ++ * Team upload. ++ ++ [ Arnaud Rebillout ] ++ * Set minimum requirement for golang-gocapability-dev. ++ And drop the alternative name golang-github-syndtr-gocapability-dev, ++ this name never existed in the first place. ++ ++ [ Dmitry Smirnov ] ++ * New upstream release ++ * Testsuite: autopkgtest-pkg-go ++ * Standards-Version: 4.1.4; Priority: optional ++ * debhelper to version 11; compat to version 10. ++ * Added "XS-Go-Import-Path". ++ * (Build-)Depends: ++ - golang-github-codegangsta-cli-dev ++ - golang-github-coreos-pkg-dev ++ - golang-golang-x-sys-dev ++ - golang-logrus-dev ++ + golang-github-containerd-console-dev ++ + golang-github-pkg-errors-dev ++ + golang-github-sirupsen-logrus-dev ++ + golang-github-urfave-cli-dev ++ ++ -- Dmitry Smirnov Fri, 15 Jun 2018 21:48:18 +1000 ++ ++runc (1.0.0~rc4+dfsg1-6) unstable; urgency=medium ++ ++ [ Michael Stapelberg ] ++ * update debian/gitlab-ci.yml (using salsa.debian.org/go-team/ci/cmd/ci) ++ ++ [ Dmitry Smirnov ] ++ * Removed myself from uploaders. ++ ++ [ Balint Reczey ] ++ * Team upload ++ * Stop using unix.SIGUNUSED which has been removed from golang.org/x/sys ++ (Closes: #889704) ++ ++ -- Balint Reczey Tue, 10 Apr 2018 18:40:56 +0200 ++ ++runc (1.0.0~rc4+dfsg1-5) unstable; urgency=medium ++ ++ * Vcs-* urls: pkg-go-team -> go-team. ++ ++ -- Alexandre Viau Mon, 05 Feb 2018 23:05:40 -0500 ++ ++runc (1.0.0~rc4+dfsg1-4) unstable; urgency=medium ++ ++ * Point vcs-* urls to packages subgroup. ++ ++ -- Alexandre Viau Thu, 25 Jan 2018 15:23:12 -0500 ++ ++runc (1.0.0~rc4+dfsg1-3) unstable; urgency=medium ++ ++ * Change my email to @debian.org. ++ * Move to salsa.debian.org. ++ ++ -- Alexandre Viau Fri, 29 Dec 2017 00:34:59 -0500 ++ ++runc (1.0.0~rc4+dfsg1-2) unstable; urgency=medium ++ ++ * Mark runc breaking docker.io (<= 1.13.1~ds1-2) (Closes: #877146) ++ ++ -- Balint Reczey Sat, 30 Sep 2017 11:50:52 -0400 ++ ++runc (1.0.0~rc4+dfsg1-1) unstable; urgency=medium ++ ++ * Team Upload ++ * Update watch file to match release candidates ++ * Update Files-Excuded and d/control to match dependencies of rc4 ++ * New upstream release candidate 1.0.0-rc4 ++ * Drop obsoleted patches ++ * Drop outdated README.source ++ * Require at least final 1.0.0 release of ++ golang-github-opencontainers-specs-dev (Closes: #858250) ++ * Fix typo in golang-github-opencontainers-runc-dev package description ++ (Closes: #873760) ++ ++ -- Balint Reczey Sat, 30 Sep 2017 11:50:50 -0400 ++ ++runc (1.0.0~rc2+git20170201.133.9df8b30-3) unstable; urgency=medium ++ ++ * Replace golang-go with golang-any in Build-Depends ++ ++ -- Konstantinos Margaritis Wed, 09 Aug 2017 15:00:55 +0300 ++ ++runc (1.0.0~rc2+git20170201.133.9df8b30-2) unstable; urgency=medium ++ ++ * Patch to make libcontainer ignore cgroup2 hierarchy. Patch pulled from ++ https://github.com/opencontainers/runc/pull/1266. ++ ++ -- Vincent Bernat Fri, 30 Jun 2017 07:10:34 +0200 ++ ++runc (1.0.0~rc2+git20170201.133.9df8b30-1) unstable; urgency=medium ++ ++ * New upstream snapshot for Docker 1.13.1. ++ ++ -- Tim Potter Wed, 24 May 2017 11:36:40 +1000 ++ ++runc (1.0.0~rc2+git20161109.131.5137186-2) unstable; urgency=medium ++ ++ * Add Breaks line to binary package to avoid messing up previous ++ Docker installs. ++ ++ -- Tim Potter Fri, 24 Feb 2017 09:49:06 +1100 ++ ++runc (1.0.0~rc2+git20161109.131.5137186-1) unstable; urgency=medium ++ ++ * New upstream snapshot. ++ * Refresh backported patch for CVE-2016-9962. ++ ++ -- Tim Potter Wed, 15 Feb 2017 09:08:52 +1100 ++ ++runc (0.1.1+dfsg1-2) unstable; urgency=medium ++ ++ * Team upload. ++ * Backport patch for CVE-2016-9962 (Closes: #850951) ++ ++ -- Tianon Gravi Wed, 01 Feb 2017 07:17:54 -0800 ++ ++runc (0.1.1+dfsg1-1) unstable; urgency=medium ++ ++ * New upstream release [June 2016]. ++ * testworks: disabled privileged and failing tests. ++ * Build with "apparmor seccomp" tags (Closes: #830818); ++ Build-Depends += "libapparmor-dev". ++ ++ -- Dmitry Smirnov Wed, 13 Jul 2016 23:00:43 +1000 ++ ++runc (0.1.0+dfsg1-1) unstable; urgency=medium ++ ++ * Dropped dependency on "golang-docker-dev" in favour of bundled ++ (or build time sub-vendored) "github.com/docker/docker" in order ++ to avoid circular dependency with Docker. ++ * Standards-Version: 3.9.8. ++ * Corrected Vcs-Git URL. ++ ++ -- Dmitry Smirnov Sun, 12 Jun 2016 17:56:45 +1000 ++ ++runc (0.1.0+dfsg-1) unstable; urgency=medium ++ ++ [ Tim Potter ] ++ * Team upload ++ * New upstream release [April 2016] ++ = golang-github-opencontainers-specs-dev (>= 0.5.0~) ++ * De-vendor new dependencies; pquerna/ffjson appears unused ++ ++ -- Dmitry Smirnov Sat, 23 Apr 2016 07:59:18 +1000 ++ ++runc (0.0.9+dfsg-1) unstable; urgency=medium ++ ++ * New upstream release [March 2016]. ++ * (Build-)Depends: ++ = golang-github-opencontainers-specs-dev (>= 0.4.0~) ++ = golang-github-codegangsta-cli-dev (>= 0.0~git20151221~) ++ - help2man ++ + go-md2man ++ * Install upstream man pages. ++ * Install "runc" binary to "/usr/sbin". ++ ++ -- Dmitry Smirnov Sat, 16 Apr 2016 17:23:48 +1000 ++ ++runc (0.0.8+dfsg-2) unstable; urgency=medium ++ ++ * (Build-)Depends: ++ + golang-github-docker-go-units-dev ++ + golang-github-seccomp-libseccomp-golang-dev ++ ++ -- Dmitry Smirnov Wed, 23 Mar 2016 20:05:01 +1100 ++ ++runc (0.0.8+dfsg-1) unstable; urgency=medium ++ ++ * New upstream release [February 2016]. ++ * Build-Depends: ++ + golang-github-vishvananda-netlink-dev ++ * Updated Vcs URLs. ++ * Standards-Version: 3.9.7. ++ ++ -- Dmitry Smirnov Fri, 26 Feb 2016 18:19:24 +1100 ++ ++runc (0.0.4~dfsg-1) unstable; urgency=medium ++ ++ * New upstream release (Closes: #802507). ++ * Dropped obsolete lintian-overrides. ++ ++ -- Dmitry Smirnov Wed, 21 Oct 2015 09:02:42 +1100 ++ ++runc (0.0.3~dfsg2-1) unstable; urgency=low ++ ++ * Initial release (Closes: #796486). ++ Thanks, Alexandre Viau. ++ ++ -- Dmitry Smirnov Sun, 06 Sep 2015 18:06:34 +1000 diff --cc debian/clean index 0000000,0000000..bcf0b01 new file mode 100644 --- /dev/null +++ b/debian/clean @@@ -1,0 -1,0 +1,23 @@@ ++libcontainer/criurpc/criurpc.pb.go ++ ++## Remove generated man pages: ++man/man8/* ++ ++## Drop hanging test (introduced in 0.0.9). ++## https://github.com/opencontainers/runc/issues/692 ++libcontainer/nsenter/nsenter_test.go ++ ++## Generated: ++libcontainer/criurpc/criurpc.pb.go ++ ++ ++## Failing tests: ++ ++## Privileged tests: ++### couldn't get cgroup root: mountpoint for cgroup not found ++libcontainer/cgroups/fs/apply_raw_test.go ++ ++### FAIL: TestXattr (0.00s) ++### xattr_test.go:26: Success ++### xattr_test.go:30: failed ++libcontainer/xattr/xattr_test.go diff --cc debian/compat index 0000000,0000000..f599e28 new file mode 100644 --- /dev/null +++ b/debian/compat @@@ -1,0 -1,0 +1,1 @@@ ++10 diff --cc debian/control index 0000000,0000000..12da142 new file mode 100644 --- /dev/null +++ b/debian/control @@@ -1,0 -1,0 +1,64 @@@ ++Source: runc ++Section: devel ++Priority: optional ++Maintainer: Debian Go Packaging Team ++Uploaders: Alexandre Viau , Dmitry Smirnov , ++ Tim Potter ++Build-Depends: debhelper (>= 11~), ++ dh-golang, ++ go-md2man, ++ golang-any, ++ golang-dbus-dev, ++ golang-github-containerd-console-dev, ++ golang-github-coreos-go-systemd-dev, ++ golang-github-docker-go-units-dev, ++ golang-github-mrunalp-fileutils-dev, ++ golang-github-opencontainers-selinux-dev, ++ golang-github-opencontainers-specs-dev (>= 1.0.1-5~), ++ golang-github-pkg-errors-dev, ++ golang-github-seccomp-libseccomp-golang-dev, ++ golang-github-sirupsen-logrus-dev (>= 1.0.2~), ++ golang-github-urfave-cli-dev, ++ golang-github-vishvananda-netlink-dev, ++ golang-gocapability-dev (>= 0.0~git20160928~), ++ golang-goprotobuf-dev, ++ libapparmor-dev, ++ protobuf-compiler ++Standards-Version: 4.3.0 ++Homepage: https://github.com/opencontainers/runc ++Vcs-Git: https://salsa.debian.org/go-team/packages/runc.git ++Vcs-Browser: https://salsa.debian.org/go-team/packages/runc ++XS-Go-Import-Path: github.com/opencontainers/runc ++Testsuite: autopkgtest-pkg-go ++ ++Package: runc ++Architecture: any ++Depends: ${misc:Depends}, ${shlibs:Depends} ++Breaks: docker.io (<= 1.13.1~ds1-2) ++Built-Using: ${misc:Built-Using} ++Description: Open Container Project - runtime ++ "runc" is a command line client for running applications packaged according ++ to the Open Container Format (OCF) and is a compliant implementation of ++ the Open Container Project specification. ++ ++Package: golang-github-opencontainers-runc-dev ++Architecture: all ++Depends: ${misc:Depends}, ++ golang-dbus-dev, ++ golang-github-coreos-go-systemd-dev, ++ golang-github-docker-go-units-dev, ++ golang-github-opencontainers-selinux-dev, ++ golang-github-opencontainers-specs-dev (>= 1.0.1-5~), ++ golang-github-seccomp-libseccomp-golang-dev, ++ golang-github-sirupsen-logrus-dev (>= 1.0.2~), ++ golang-github-urfave-cli-dev, ++ golang-github-vishvananda-netlink-dev, ++ golang-gocapability-dev (>= 0.0~git20160928~), ++ golang-goprotobuf-dev ++Description: Open Container Project - development files ++ "runc" is a command line client for running applications packaged according ++ to the Open Container Format (OCF) and is a compliant implementation of ++ the Open Container Project specification. ++ . ++ This package provides development files formerly known as ++ "github.com/docker/libcontainer". diff --cc debian/copyright index 0000000,0000000..daf1ae2 new file mode 100644 --- /dev/null +++ b/debian/copyright @@@ -1,0 -1,0 +1,100 @@@ ++Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ ++Upstream-Name: runc ++Source: https://github.com/opencontainers/runc ++Files-Excluded: ++ vendor/github.com/containerd/console ++ vendor/github.com/coreos/go-systemd ++ vendor/github.com/coreos/pkg ++ ~~vendor/github.com/cyphar/filepath-securejoin ++ vendor/github.com/docker/go-units ++ vendor/github.com/godbus/dbus ++ vendor/github.com/golang/protobuf ++ vendor/github.com/mrunalp/fileutils ++ vendor/github.com/opencontainers/runtime-spec ++ vendor/github.com/opencontainers/selinux ++ vendor/github.com/pkg/errors ++ vendor/github.com/seccomp/libseccomp-golang ++ vendor/github.com/sirupsen/logrus ++ vendor/github.com/syndtr/gocapability ++ vendor/github.com/urfave/cli ++ vendor/github.com/vishvananda/netlink ++ vendor/golang.org/x/sys ++ ++Files: * ++Copyright: 2012-2015 Docker, Inc. ++License: Apache-2.0 ++ ++Files: ++ vendor/github.com/cyphar/filepath-securejoin/* ++Copyright: ++ 2014-2015 Docker Inc & Go Authors. All rights reserved. ++ 2017 SUSE LLC. All rights reserved. ++License: BSD-3-Clause~Google ++ ++Files: debian/* ++Copyright: ++ 2015 Alexandre Viau ++ 2015-2019 Dmitry Smirnov ++License: GPL-3+ ++ ++Files: debian/patches/* ++Copyright: 2015 Dmitry Smirnov ++License: GPL-3+ or Apache-2.0 ++Comment: patches can be licensed under the same terms as upstream. ++ ++License: Apache-2.0 ++ Licensed under the Apache License, Version 2.0 (the "License"); ++ you may not use this file except in compliance with the License. ++ You may obtain a copy of the License at ++ . ++ http://www.apache.org/licenses/LICENSE-2.0 ++ . ++ Unless required by applicable law or agreed to in writing, software ++ distributed under the License is distributed on an "AS IS" BASIS, ++ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ See the License for the specific language governing permissions and ++ limitations under the License. ++ . ++ The complete text of the Apache version 2.0 license ++ can be found in "/usr/share/common-licenses/Apache-2.0". ++ ++License: GPL-3+ ++ This program is free software: you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation, either version 3 of the License, or ++ (at your option) any later version. ++ ․ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ․ ++ The complete text of the GNU General Public License version 3 ++ can be found in "/usr/share/common-licenses/GPL-3". ++ ++License: BSD-3-Clause~Google ++ Redistribution and use in source and binary forms, with or without ++ modification, are permitted provided that the following conditions are ++ met: ++ . ++ * Redistributions of source code must retain the above copyright ++ notice, this list of conditions and the following disclaimer. ++ * Redistributions in binary form must reproduce the above ++ copyright notice, this list of conditions and the following disclaimer ++ in the documentation and/or other materials provided with the ++ distribution. ++ * Neither the name of Google Inc. nor the names of its ++ contributors may be used to endorse or promote products derived from ++ this software without specific prior written permission. ++ . ++ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ++ "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT ++ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR ++ A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT ++ OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT ++ LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, ++ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY ++ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT ++ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE ++ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --cc debian/gbp.conf index 0000000,0000000..433de42 new file mode 100644 --- /dev/null +++ b/debian/gbp.conf @@@ -1,0 -1,0 +1,11 @@@ ++[buildpackage] ++overlay = True ++export-dir = ../build-area/ ++tarball-dir = ../ ++ ++[dch] ++id-length = 0 ++ ++[import-orig] ++pristine-tar = True ++merge = False diff --cc debian/gitlab-ci.yml index 0000000,0000000..5c8c31b new file mode 100644 --- /dev/null +++ b/debian/gitlab-ci.yml @@@ -1,0 -1,0 +1,28 @@@ ++ ++# auto-generated, DO NOT MODIFY. ++# The authoritative copy of this file lives at: ++# https://salsa.debian.org/go-team/ci/blob/master/cmd/ci/gitlabciyml.go ++ ++# TODO: publish under debian-go-team/ci ++image: stapelberg/ci2 ++ ++test_the_archive: ++ artifacts: ++ paths: ++ - before-applying-commit.json ++ - after-applying-commit.json ++ script: ++ # Create an overlay to discard writes to /srv/gopath/src after the build: ++ - "rm -rf /cache/overlay/{upper,work}" ++ - "mkdir -p /cache/overlay/{upper,work}" ++ - "mount -t overlay overlay -o lowerdir=/srv/gopath/src,upperdir=/cache/overlay/upper,workdir=/cache/overlay/work /srv/gopath/src" ++ - "export GOPATH=/srv/gopath" ++ - "export GOCACHE=/cache/go" ++ # Build the world as-is: ++ - "ci-build -exemptions=/var/lib/ci-build/exemptions.json > before-applying-commit.json" ++ # Copy this package into the overlay: ++ - "GBP_CONF_FILES=:debian/gbp.conf gbp buildpackage --git-no-pristine-tar --git-ignore-branch --git-ignore-new --git-export-dir=/tmp/export --git-no-overlay --git-tarball-dir=/nonexistant --git-cleaner=/bin/true --git-builder='dpkg-buildpackage -S -d --no-sign'" ++ - "pgt-gopath -dsc /tmp/export/*.dsc" ++ # Rebuild the world: ++ - "ci-build -exemptions=/var/lib/ci-build/exemptions.json > after-applying-commit.json" ++ - "ci-diff before-applying-commit.json after-applying-commit.json" diff --cc debian/golang-github-opencontainers-runc-dev.install index 0000000,0000000..3e409b1 new file mode 100644 --- /dev/null +++ b/debian/golang-github-opencontainers-runc-dev.install @@@ -1,0 -1,0 +1,1 @@@ ++usr/share/gocode/src diff --cc debian/patches/CVE-2019-5736.patch index 0000000,0000000..73f5839 new file mode 100644 --- /dev/null +++ b/debian/patches/CVE-2019-5736.patch @@@ -1,0 -1,0 +1,573 @@@ ++From: Shengjing Zhu ++Date: Sun, 10 Mar 2019 17:47:46 +0800 ++Subject: CVE-2019-5736 ++ ++Backport upstream patches for CVE-2019-5736 ++ ++Include commits: ++2d4a37b427167907ef2402586a8e8e2931a22490 nsenter: cloned_binary: userspace copy fallback if sendfile fails ++16612d74de5f84977e50a9c8ead7f0e9e13b8628 nsenter: cloned_binary: try to ro-bind /proc/self/exe before copying ++af9da0a45082783f6005b252488943b5ee2e2138 nsenter: cloned_binary: use the runc statedir for O_TMPFILE ++2429d59352b81f6b9cc79b5ed26780c5fe6ba4ec nsenter: cloned_binary: expand and add pre-3.11 fallbacks ++5b775bf297c47a6bc50e36da89d1ec74a6fa01dc nsenter: cloned_binary: detect and handle short copies ++bb7d8b1f41f7bf0399204d54009d6da57c3cc775 nsexec (CVE-2019-5736): avoid parsing environ ++0a8e4117e7f715d5fbeef398405813ce8e88558b nsenter: clone /proc/self/exe to avoid exposing host binary to container ++ ++Debian-Bug: https://bugs.debian.org/922050 ++--- ++ libcontainer/nsenter/cloned_binary.c | 516 +++++++++++++++++++++++++++++++++++ ++ libcontainer/nsenter/nsexec.c | 11 + ++ 2 files changed, 527 insertions(+) ++ create mode 100644 libcontainer/nsenter/cloned_binary.c ++ ++diff --git a/libcontainer/nsenter/cloned_binary.c b/libcontainer/nsenter/cloned_binary.c ++new file mode 100644 ++index 0000000..b410e29 ++--- /dev/null +++++ b/libcontainer/nsenter/cloned_binary.c ++@@ -0,0 +1,516 @@ +++/* +++ * Copyright (C) 2019 Aleksa Sarai +++ * Copyright (C) 2019 SUSE LLC +++ * +++ * Licensed under the Apache License, Version 2.0 (the "License"); +++ * you may not use this file except in compliance with the License. +++ * You may obtain a copy of the License at +++ * +++ * http://www.apache.org/licenses/LICENSE-2.0 +++ * +++ * Unless required by applicable law or agreed to in writing, software +++ * distributed under the License is distributed on an "AS IS" BASIS, +++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +++ * See the License for the specific language governing permissions and +++ * limitations under the License. +++ */ +++ +++#define _GNU_SOURCE +++#include +++#include +++#include +++#include +++#include +++#include +++#include +++#include +++ +++#include +++#include +++#include +++#include +++#include +++#include +++#include +++#include +++ +++/* Use our own wrapper for memfd_create. */ +++#if !defined(SYS_memfd_create) && defined(__NR_memfd_create) +++# define SYS_memfd_create __NR_memfd_create +++#endif +++/* memfd_create(2) flags -- copied from . */ +++#ifndef MFD_CLOEXEC +++# define MFD_CLOEXEC 0x0001U +++# define MFD_ALLOW_SEALING 0x0002U +++#endif +++int memfd_create(const char *name, unsigned int flags) +++{ +++#ifdef SYS_memfd_create +++ return syscall(SYS_memfd_create, name, flags); +++#else +++ errno = ENOSYS; +++ return -1; +++#endif +++} +++ +++ +++/* This comes directly from . */ +++#ifndef F_LINUX_SPECIFIC_BASE +++# define F_LINUX_SPECIFIC_BASE 1024 +++#endif +++#ifndef F_ADD_SEALS +++# define F_ADD_SEALS (F_LINUX_SPECIFIC_BASE + 9) +++# define F_GET_SEALS (F_LINUX_SPECIFIC_BASE + 10) +++#endif +++#ifndef F_SEAL_SEAL +++# define F_SEAL_SEAL 0x0001 /* prevent further seals from being set */ +++# define F_SEAL_SHRINK 0x0002 /* prevent file from shrinking */ +++# define F_SEAL_GROW 0x0004 /* prevent file from growing */ +++# define F_SEAL_WRITE 0x0008 /* prevent writes */ +++#endif +++ +++#define CLONED_BINARY_ENV "_LIBCONTAINER_CLONED_BINARY" +++#define RUNC_MEMFD_COMMENT "runc_cloned:/proc/self/exe" +++#define RUNC_MEMFD_SEALS \ +++ (F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE) +++ +++static void *must_realloc(void *ptr, size_t size) +++{ +++ void *old = ptr; +++ do { +++ ptr = realloc(old, size); +++ } while(!ptr); +++ return ptr; +++} +++ +++/* +++ * Verify whether we are currently in a self-cloned program (namely, is +++ * /proc/self/exe a memfd). F_GET_SEALS will only succeed for memfds (or rather +++ * for shmem files), and we want to be sure it's actually sealed. +++ */ +++static int is_self_cloned(void) +++{ +++ int fd, ret, is_cloned = 0; +++ struct stat statbuf = {}; +++ struct statfs fsbuf = {}; +++ +++ fd = open("/proc/self/exe", O_RDONLY|O_CLOEXEC); +++ if (fd < 0) +++ return -ENOTRECOVERABLE; +++ +++ /* +++ * Is the binary a fully-sealed memfd? We don't need CLONED_BINARY_ENV for +++ * this, because you cannot write to a sealed memfd no matter what (so +++ * sharing it isn't a bad thing -- and an admin could bind-mount a sealed +++ * memfd to /usr/bin/runc to allow re-use). +++ */ +++ ret = fcntl(fd, F_GET_SEALS); +++ if (ret >= 0) { +++ is_cloned = (ret == RUNC_MEMFD_SEALS); +++ goto out; +++ } +++ +++ /* +++ * All other forms require CLONED_BINARY_ENV, since they are potentially +++ * writeable (or we can't tell if they're fully safe) and thus we must +++ * check the environment as an extra layer of defence. +++ */ +++ if (!getenv(CLONED_BINARY_ENV)) { +++ is_cloned = false; +++ goto out; +++ } +++ +++ /* +++ * Is the binary on a read-only filesystem? We can't detect bind-mounts in +++ * particular (in-kernel they are identical to regular mounts) but we can +++ * at least be sure that it's read-only. In addition, to make sure that +++ * it's *our* bind-mount we check CLONED_BINARY_ENV. +++ */ +++ if (fstatfs(fd, &fsbuf) >= 0) +++ is_cloned |= (fsbuf.f_flags & MS_RDONLY); +++ +++ /* +++ * Okay, we're a tmpfile -- or we're currently running on RHEL <=7.6 +++ * which appears to have a borked backport of F_GET_SEALS. Either way, +++ * having a file which has no hardlinks indicates that we aren't using +++ * a host-side "runc" binary and this is something that a container +++ * cannot fake (because unlinking requires being able to resolve the +++ * path that you want to unlink). +++ */ +++ if (fstat(fd, &statbuf) >= 0) +++ is_cloned |= (statbuf.st_nlink == 0); +++ +++out: +++ close(fd); +++ return is_cloned; +++} +++ +++/* Read a given file into a new buffer, and providing the length. */ +++static char *read_file(char *path, size_t *length) +++{ +++ int fd; +++ char buf[4096], *copy = NULL; +++ +++ if (!length) +++ return NULL; +++ +++ fd = open(path, O_RDONLY | O_CLOEXEC); +++ if (fd < 0) +++ return NULL; +++ +++ *length = 0; +++ for (;;) { +++ ssize_t n; +++ +++ n = read(fd, buf, sizeof(buf)); +++ if (n < 0) +++ goto error; +++ if (!n) +++ break; +++ +++ copy = must_realloc(copy, (*length + n) * sizeof(*copy)); +++ memcpy(copy + *length, buf, n); +++ *length += n; +++ } +++ close(fd); +++ return copy; +++ +++error: +++ close(fd); +++ free(copy); +++ return NULL; +++} +++ +++/* +++ * A poor-man's version of "xargs -0". Basically parses a given block of +++ * NUL-delimited data, within the given length and adds a pointer to each entry +++ * to the array of pointers. +++ */ +++static int parse_xargs(char *data, int data_length, char ***output) +++{ +++ int num = 0; +++ char *cur = data; +++ +++ if (!data || *output != NULL) +++ return -1; +++ +++ while (cur < data + data_length) { +++ num++; +++ *output = must_realloc(*output, (num + 1) * sizeof(**output)); +++ (*output)[num - 1] = cur; +++ cur += strlen(cur) + 1; +++ } +++ (*output)[num] = NULL; +++ return num; +++} +++ +++/* +++ * "Parse" out argv from /proc/self/cmdline. +++ * This is necessary because we are running in a context where we don't have a +++ * main() that we can just get the arguments from. +++ */ +++static int fetchve(char ***argv) +++{ +++ char *cmdline = NULL; +++ size_t cmdline_size; +++ +++ cmdline = read_file("/proc/self/cmdline", &cmdline_size); +++ if (!cmdline) +++ goto error; +++ +++ if (parse_xargs(cmdline, cmdline_size, argv) <= 0) +++ goto error; +++ +++ return 0; +++ +++error: +++ free(cmdline); +++ return -EINVAL; +++} +++ +++enum { +++ EFD_NONE = 0, +++ EFD_MEMFD, +++ EFD_FILE, +++}; +++ +++/* +++ * This comes from . We can't hard-code __O_TMPFILE because it +++ * changes depending on the architecture. If we don't have O_TMPFILE we always +++ * have the mkostemp(3) fallback. +++ */ +++#ifndef O_TMPFILE +++# if defined(__O_TMPFILE) && defined(O_DIRECTORY) +++# define O_TMPFILE (__O_TMPFILE | O_DIRECTORY) +++# endif +++#endif +++ +++static int make_execfd(int *fdtype) +++{ +++ int fd = -1; +++ char template[PATH_MAX] = {0}; +++ char *prefix = secure_getenv("_LIBCONTAINER_STATEDIR"); +++ +++ if (!prefix || *prefix != '/') +++ prefix = "/tmp"; +++ if (snprintf(template, sizeof(template), "%s/runc.XXXXXX", prefix) < 0) +++ return -1; +++ +++ /* +++ * Now try memfd, it's much nicer than actually creating a file in STATEDIR +++ * since it's easily detected thanks to sealing and also doesn't require +++ * assumptions about STATEDIR. +++ */ +++ *fdtype = EFD_MEMFD; +++ fd = memfd_create(RUNC_MEMFD_COMMENT, MFD_CLOEXEC | MFD_ALLOW_SEALING); +++ if (fd >= 0) +++ return fd; +++ if (errno != ENOSYS && errno != EINVAL) +++ goto error; +++ +++#ifdef O_TMPFILE +++ /* +++ * Try O_TMPFILE to avoid races where someone might snatch our file. Note +++ * that O_EXCL isn't actually a security measure here (since you can just +++ * fd re-open it and clear O_EXCL). +++ */ +++ *fdtype = EFD_FILE; +++ fd = open(prefix, O_TMPFILE | O_EXCL | O_RDWR | O_CLOEXEC, 0700); +++ if (fd >= 0) { +++ struct stat statbuf = {}; +++ bool working_otmpfile = false; +++ +++ /* +++ * open(2) ignores unknown O_* flags -- yeah, I was surprised when I +++ * found this out too. As a result we can't check for EINVAL. However, +++ * if we get nlink != 0 (or EISDIR) then we know that this kernel +++ * doesn't support O_TMPFILE. +++ */ +++ if (fstat(fd, &statbuf) >= 0) +++ working_otmpfile = (statbuf.st_nlink == 0); +++ +++ if (working_otmpfile) +++ return fd; +++ +++ /* Pretend that we got EISDIR since O_TMPFILE failed. */ +++ close(fd); +++ errno = EISDIR; +++ } +++ if (errno != EISDIR) +++ goto error; +++#endif /* defined(O_TMPFILE) */ +++ +++ /* +++ * Our final option is to create a temporary file the old-school way, and +++ * then unlink it so that nothing else sees it by accident. +++ */ +++ *fdtype = EFD_FILE; +++ fd = mkostemp(template, O_CLOEXEC); +++ if (fd >= 0) { +++ if (unlink(template) >= 0) +++ return fd; +++ close(fd); +++ } +++ +++error: +++ *fdtype = EFD_NONE; +++ return -1; +++} +++ +++static int seal_execfd(int *fd, int fdtype) +++{ +++ switch (fdtype) { +++ case EFD_MEMFD: +++ return fcntl(*fd, F_ADD_SEALS, RUNC_MEMFD_SEALS); +++ case EFD_FILE: { +++ /* Need to re-open our pseudo-memfd as an O_PATH to avoid execve(2) giving -ETXTBSY. */ +++ int newfd; +++ char fdpath[PATH_MAX] = {0}; +++ +++ if (fchmod(*fd, 0100) < 0) +++ return -1; +++ +++ if (snprintf(fdpath, sizeof(fdpath), "/proc/self/fd/%d", *fd) < 0) +++ return -1; +++ +++ newfd = open(fdpath, O_PATH | O_CLOEXEC); +++ if (newfd < 0) +++ return -1; +++ +++ close(*fd); +++ *fd = newfd; +++ return 0; +++ } +++ default: +++ break; +++ } +++ return -1; +++} +++ +++static int try_bindfd(void) +++{ +++ int fd, ret = -1; +++ char template[PATH_MAX] = {0}; +++ char *prefix = secure_getenv("_LIBCONTAINER_STATEDIR"); +++ +++ if (!prefix || *prefix != '/') +++ prefix = "/tmp"; +++ if (snprintf(template, sizeof(template), "%s/runc.XXXXXX", prefix) < 0) +++ return ret; +++ +++ /* +++ * We need somewhere to mount it, mounting anything over /proc/self is a +++ * BAD idea on the host -- even if we do it temporarily. +++ */ +++ fd = mkstemp(template); +++ if (fd < 0) +++ return ret; +++ close(fd); +++ +++ /* +++ * For obvious reasons this won't work in rootless mode because we haven't +++ * created a userns+mntns -- but getting that to work will be a bit +++ * complicated and it's only worth doing if someone actually needs it. +++ */ +++ ret = -EPERM; +++ if (mount("/proc/self/exe", template, "", MS_BIND, "") < 0) +++ goto out; +++ if (mount("", template, "", MS_REMOUNT | MS_BIND | MS_RDONLY, "") < 0) +++ goto out_umount; +++ +++ +++ /* Get read-only handle that we're sure can't be made read-write. */ +++ ret = open(template, O_PATH | O_CLOEXEC); +++ +++out_umount: +++ /* +++ * Make sure the MNT_DETACH works, otherwise we could get remounted +++ * read-write and that would be quite bad (the fd would be made read-write +++ * too, invalidating the protection). +++ */ +++ if (umount2(template, MNT_DETACH) < 0) { +++ if (ret >= 0) +++ close(ret); +++ ret = -ENOTRECOVERABLE; +++ } +++ +++out: +++ /* +++ * We don't care about unlink errors, the worst that happens is that +++ * there's an empty file left around in STATEDIR. +++ */ +++ unlink(template); +++ return ret; +++} +++ +++static ssize_t fd_to_fd(int outfd, int infd) +++{ +++ ssize_t total = 0; +++ char buffer[4096]; +++ +++ for (;;) { +++ ssize_t nread, nwritten = 0; +++ +++ nread = read(infd, buffer, sizeof(buffer)); +++ if (nread < 0) +++ return -1; +++ if (!nread) +++ break; +++ +++ do { +++ ssize_t n = write(outfd, buffer + nwritten, nread - nwritten); +++ if (n < 0) +++ return -1; +++ nwritten += n; +++ } while(nwritten < nread); +++ +++ total += nwritten; +++ } +++ +++ return total; +++} +++ +++static int clone_binary(void) +++{ +++ int binfd, execfd; +++ struct stat statbuf = {}; +++ size_t sent = 0; +++ int fdtype = EFD_NONE; +++ +++ /* +++ * Before we resort to copying, let's try creating an ro-binfd in one shot +++ * by getting a handle for a read-only bind-mount of the execfd. +++ */ +++ execfd = try_bindfd(); +++ if (execfd >= 0) +++ return execfd; +++ +++ /* +++ * Dammit, that didn't work -- time to copy the binary to a safe place we +++ * can seal the contents. +++ */ +++ execfd = make_execfd(&fdtype); +++ if (execfd < 0 || fdtype == EFD_NONE) +++ return -ENOTRECOVERABLE; +++ +++ binfd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC); +++ if (binfd < 0) +++ goto error; +++ +++ if (fstat(binfd, &statbuf) < 0) +++ goto error_binfd; +++ +++ while (sent < statbuf.st_size) { +++ int n = sendfile(execfd, binfd, NULL, statbuf.st_size - sent); +++ if (n < 0) { +++ /* sendfile can fail so we fallback to a dumb user-space copy. */ +++ n = fd_to_fd(execfd, binfd); +++ if (n < 0) +++ goto error_binfd; +++ } +++ sent += n; +++ } +++ close(binfd); +++ if (sent != statbuf.st_size) +++ goto error; +++ +++ if (seal_execfd(&execfd, fdtype) < 0) +++ goto error; +++ +++ return execfd; +++ +++error_binfd: +++ close(binfd); +++error: +++ close(execfd); +++ return -EIO; +++} +++ +++/* Get cheap access to the environment. */ +++extern char **environ; +++ +++int ensure_cloned_binary(void) +++{ +++ int execfd; +++ char **argv = NULL; +++ +++ /* Check that we're not self-cloned, and if we are then bail. */ +++ int cloned = is_self_cloned(); +++ if (cloned > 0 || cloned == -ENOTRECOVERABLE) +++ return cloned; +++ +++ if (fetchve(&argv) < 0) +++ return -EINVAL; +++ +++ execfd = clone_binary(); +++ if (execfd < 0) +++ return -EIO; +++ +++ if (putenv(CLONED_BINARY_ENV "=1")) +++ goto error; +++ +++ fexecve(execfd, argv, environ); +++error: +++ close(execfd); +++ return -ENOEXEC; +++} ++diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c ++index 28269df..7750af3 100644 ++--- a/libcontainer/nsenter/nsexec.c +++++ b/libcontainer/nsenter/nsexec.c ++@@ -534,6 +534,9 @@ void join_namespaces(char *nslist) ++ free(namespaces); ++ } ++ +++/* Defined in cloned_binary.c. */ +++extern int ensure_cloned_binary(void); +++ ++ void nsexec(void) ++ { ++ int pipenum; ++@@ -549,6 +552,14 @@ void nsexec(void) ++ if (pipenum == -1) ++ return; ++ +++ /* +++ * We need to re-exec if we are not in a cloned binary. This is necessary +++ * to ensure that containers won't be able to access the host binary +++ * through /proc/self/exe. See CVE-2019-5736. +++ */ +++ if (ensure_cloned_binary() < 0) +++ bail("could not ensure we are a cloned binary"); +++ ++ /* Parse all of the netlink configuration. */ ++ nl_parse(pipenum, &config); ++ diff --cc debian/patches/series index 0000000,0000000..f56bec1 new file mode 100644 --- /dev/null +++ b/debian/patches/series @@@ -1,0 -1,0 +1,4 @@@ ++test--fix_TestGetAdditionalGroups.patch ++test--skip-Hugetlb.patch ++test--skip_TestFactoryNewTmpfs.patch ++CVE-2019-5736.patch diff --cc debian/patches/test--fix_TestGetAdditionalGroups.patch index 0000000,0000000..39fb84d new file mode 100644 --- /dev/null +++ b/debian/patches/test--fix_TestGetAdditionalGroups.patch @@@ -1,0 -1,0 +1,33 @@@ ++Last-Update: 2018-06-16 ++Forwarded: https://github.com/opencontainers/runc/pull/1821 ++Bug-Upstream: https://github.com/opencontainers/runc/issues/941 ++Author: Dmitry Smirnov ++Description: fix FTBFS on i686 ++ src/github.com/opencontainers/runc/libcontainer/user/user_test.go:448:36: constant 2147483648 overflows int ++ ++--- a/libcontainer/user/user_test.go +++++ b/libcontainer/user/user_test.go ++@@ -444,9 +444,9 @@ ++ ++ if utils.GetIntSize() > 4 { ++ tests = append(tests, foo{ ++ // groups with too large id ++- groups: []string{strconv.Itoa(1 << 31)}, +++ groups: []string{strconv.Itoa( 1<<31 -1 )}, ++ expected: nil, ++ hasError: true, ++ }) ++ } ++--- a/libcontainer/user/user.go +++++ b/libcontainer/user/user.go ++@@ -472,9 +472,9 @@ ++ if err != nil { ++ return nil, fmt.Errorf("Unable to find group %s", ag) ++ } ++ // Ensure gid is inside gid range. ++- if gid < minId || gid > maxId { +++ if gid < minId || gid >= maxId { ++ return nil, ErrRange ++ } ++ gidMap[gid] = struct{}{} ++ } diff --cc debian/patches/test--skip-Hugetlb.patch index 0000000,0000000..7f672fc new file mode 100644 --- /dev/null +++ b/debian/patches/test--skip-Hugetlb.patch @@@ -1,0 -1,0 +1,48 @@@ ++Last-Update: 2018-09-27 ++Forwarded: not-needed ++Bug-Upstream: https://github.com/opencontainers/runc/issues/1822 ++Author: Dmitry Smirnov ++Description: disabled unreliable tests due to random failures on [ppc64el, s390x]. ++ ++--- a/libcontainer/cgroups/fs/hugetlb_test.go +++++ b/libcontainer/cgroups/fs/hugetlb_test.go ++@@ -87,8 +87,9 @@ ++ } ++ } ++ ++ func TestHugetlbStatsNoUsageFile(t *testing.T) { +++t.Skip("Disabled unreliable test") ++ helper := NewCgroupTestUtil("hugetlb", t) ++ defer helper.cleanup() ++ helper.writeFileContents(map[string]string{ ++ maxUsage: hugetlbMaxUsageContents, ++@@ -102,8 +103,9 @@ ++ } ++ } ++ ++ func TestHugetlbStatsNoMaxUsageFile(t *testing.T) { +++t.Skip("Disabled unreliable test") ++ helper := NewCgroupTestUtil("hugetlb", t) ++ defer helper.cleanup() ++ for _, pageSize := range HugePageSizes { ++ helper.writeFileContents(map[string]string{ ++@@ -119,8 +121,9 @@ ++ } ++ } ++ ++ func TestHugetlbStatsBadUsageFile(t *testing.T) { +++t.Skip("Disabled unreliable test") ++ helper := NewCgroupTestUtil("hugetlb", t) ++ defer helper.cleanup() ++ for _, pageSize := range HugePageSizes { ++ helper.writeFileContents(map[string]string{ ++@@ -137,8 +140,9 @@ ++ } ++ } ++ ++ func TestHugetlbStatsBadMaxUsageFile(t *testing.T) { +++t.Skip("Disabled unreliable test") ++ helper := NewCgroupTestUtil("hugetlb", t) ++ defer helper.cleanup() ++ helper.writeFileContents(map[string]string{ ++ usage: hugetlbUsageContents, diff --cc debian/patches/test--skip_TestFactoryNewTmpfs.patch index 0000000,0000000..a49a504 new file mode 100644 --- /dev/null +++ b/debian/patches/test--skip_TestFactoryNewTmpfs.patch @@@ -1,0 -1,0 +1,17 @@@ ++Last-Update: 2018-06-15 ++Forwarded: not-needed ++Author: Dmitry Smirnov ++Description: disable test (requires root) ++ ++--- a/libcontainer/factory_linux_test.go +++++ b/libcontainer/factory_linux_test.go ++@@ -77,8 +77,9 @@ ++ } ++ } ++ ++ func TestFactoryNewTmpfs(t *testing.T) { +++t.Skip("DM - skipping privileged test") ++ root, rerr := newTestRoot() ++ if rerr != nil { ++ t.Fatal(rerr) ++ } diff --cc debian/rules index 0000000,0000000..0087b6b new file mode 100755 --- /dev/null +++ b/debian/rules @@@ -1,0 -1,0 +1,44 @@@ ++#!/usr/bin/make -f ++ ++# Uncomment this to turn on verbose mode. ++#export DH_VERBOSE=1 ++ ++export DH_GOPKG := github.com/opencontainers/runc ++export DH_GOLANG_INSTALL_EXTRA := libcontainer/seccomp/fixtures ++ ++include /usr/share/dpkg/pkg-info.mk ++ ++TAGS=apparmor seccomp selinux ambient ++LDFLAGS := -X main.version=$(DEB_VERSION_UPSTREAM) -X main.gitCommit=$(DEB_VERSION) ++ ++%: ++ dh $@ --buildsystem=golang --with=golang --builddirectory=_build ++ ++override_dh_clean: ++ dh_clean ++ ## Remove Files-Excluded (when built from checkout or non-DFSG tarball): ++ $(RM) -rv `perl -0nE 'say $$1 if m{^Files\-Excluded\:\s*(.*?)(?:\n\n|Files:|Comment:)}sm;' debian/copyright` ++ ++override_dh_auto_configure: ++ $(MAKE) -C libcontainer/criurpc ++ cd man && ./md2man-all.sh ++ dh_auto_configure ++# ## Sub-vendor "github.com/docker/docker/pkg" (system lib takes preference over bundled one): ++# mkdir -p _build/src/$(DH_GOPKG)/vendor/github.com/docker/docker ++# if [ -d "/usr/share/gocode/src/github.com/docker/docker/pkg" ]; then \ ++# cp -vr /usr/share/gocode/src/github.com/docker/docker/pkg _build/src/$(DH_GOPKG)/vendor/github.com/docker/docker/ ;\ ++# elif [ -d "vendor/github.com/docker/docker/pkg" ]; then \ ++# cp -vr vendor/github.com/docker/docker/pkg _build/src/$(DH_GOPKG)/vendor/github.com/docker/docker/ ;\ ++# fi ++ ## Remove extra license files: ++ $(RM) -v \ ++ _build/src/$(DH_GOPKG)/vendor/github.com/docker/docker/*/*/LICENSE* \ ++ ; ++# ln -svrf vendor/github.com/opencontainers/specs _build/src/github.com/opencontainers/ ++ ++override_dh_auto_build: ++ dh_auto_build -- -tags "$(TAGS)" -ldflags "$(LDFLAGS)" ++ ++override_dh_auto_test: ++ DH_GOLANG_EXCLUDES="libcontainer/integration" \ ++ dh_auto_test -- -tags "$(TAGS)" diff --cc debian/runc.docs index 0000000,0000000..a0eacdb new file mode 100644 --- /dev/null +++ b/debian/runc.docs @@@ -1,0 -1,0 +1,2 @@@ ++README* ++NOTICE diff --cc debian/runc.install index 0000000,0000000..9456224 new file mode 100644 --- /dev/null +++ b/debian/runc.install @@@ -1,0 -1,0 +1,1 @@@ ++usr/bin/* /usr/sbin/ diff --cc debian/runc.lintian-overrides index 0000000,0000000..eaa0b29 new file mode 100644 --- /dev/null +++ b/debian/runc.lintian-overrides @@@ -1,0 -1,0 +1,1 @@@ ++runc: spelling-error-in-binary diff --cc debian/runc.manpages index 0000000,0000000..99cddbc new file mode 100644 --- /dev/null +++ b/debian/runc.manpages @@@ -1,0 -1,0 +1,1 @@@ ++man/man8/*.8 diff --cc debian/source/format index 0000000,0000000..163aaf8 new file mode 100644 --- /dev/null +++ b/debian/source/format @@@ -1,0 -1,0 +1,1 @@@ ++3.0 (quilt) diff --cc debian/source/lintian-overrides index 0000000,0000000..81ccd6d new file mode 100644 --- /dev/null +++ b/debian/source/lintian-overrides @@@ -1,0 -1,0 +1,2 @@@ ++# Result of Files-Excluded: ++source-contains-empty-directory vendor/* diff --cc debian/watch index 0000000,0000000..ec26c94 new file mode 100644 --- /dev/null +++ b/debian/watch @@@ -1,0 -1,0 +1,9 @@@ ++version=3 ++ ++opts=\ ++repack,\ ++repacksuffix=+dfsg1,\ ++uversionmangle=s/-rc/~rc/,\ ++dversionmangle=s/[~+]dfsg\d*$// \ ++ https://github.com/opencontainers/runc/releases \ ++ .*archive/v?(\d\.\d\.\d.*)\.tar\.gz