From f918038b73c4180a0dd5c1b5d0d7647434c4c9dc Mon Sep 17 00:00:00 2001 From: Shengjing Zhu Date: Sun, 10 Mar 2019 09:51:44 +0000 Subject: [PATCH] Import runc_1.0.0~rc6+dfsg1-3.debian.tar.xz [dgit import tarball runc 1.0.0~rc6+dfsg1-3 runc_1.0.0~rc6+dfsg1-3.debian.tar.xz] --- changelog | 258 ++++++++ clean | 23 + compat | 1 + control | 64 ++ copyright | 100 +++ gbp.conf | 11 + gitlab-ci.yml | 28 + golang-github-opencontainers-runc-dev.install | 1 + patches/CVE-2019-5736.patch | 573 ++++++++++++++++++ patches/series | 4 + .../test--fix_TestGetAdditionalGroups.patch | 33 + patches/test--skip-Hugetlb.patch | 48 ++ patches/test--skip_TestFactoryNewTmpfs.patch | 17 + rules | 44 ++ runc.docs | 2 + runc.install | 1 + runc.lintian-overrides | 1 + runc.manpages | 1 + source/format | 1 + source/lintian-overrides | 2 + watch | 9 + 21 files changed, 1222 insertions(+) create mode 100644 changelog create mode 100644 clean create mode 100644 compat create mode 100644 control create mode 100644 copyright create mode 100644 gbp.conf create mode 100644 gitlab-ci.yml create mode 100644 golang-github-opencontainers-runc-dev.install create mode 100644 patches/CVE-2019-5736.patch create mode 100644 patches/series create mode 100644 patches/test--fix_TestGetAdditionalGroups.patch create mode 100644 patches/test--skip-Hugetlb.patch create mode 100644 patches/test--skip_TestFactoryNewTmpfs.patch create mode 100755 rules create mode 100644 runc.docs create mode 100644 runc.install create mode 100644 runc.lintian-overrides create mode 100644 runc.manpages create mode 100644 source/format create mode 100644 source/lintian-overrides create mode 100644 watch diff --git a/changelog b/changelog new file mode 100644 index 0000000..7364f30 --- /dev/null +++ b/changelog @@ -0,0 +1,258 @@ +runc (1.0.0~rc6+dfsg1-3) unstable; urgency=medium + + * Team upload. + + [ Shengjing Zhu ] + * Improve patch for CVE-2019-5736 based on upstream commits. + Now the patch includes following commits: + + 2d4a37b nsenter: cloned_binary: userspace copy fallback if sendfile fails + + 16612d7 nsenter: cloned_binary: try to ro-bind /proc/self/exe before + copying + + af9da0a nsenter: cloned_binary: use the runc statedir for O_TMPFILE + + 2429d59 nsenter: cloned_binary: expand and add pre-3.11 fallbacks + + 5b775bf nsenter: cloned_binary: detect and handle short copies + + bb7d8b1 nsexec (CVE-2019-5736): avoid parsing environ + + 0a8e411 nsenter: clone /proc/self/exe to avoid exposing host binary to + container + + [ Arnaud Rebillout ] + * Add version and gitcommit to the ldflags (Closes: #909644) + Note that we fill the git commit with something that is NOT a git commit + at all, instead we use it as a placeholder for the debian version. The + debian version is a relevant information for the user, and it's nice to + be able to show it, some way or another. + + -- Shengjing Zhu Sun, 10 Mar 2019 17:51:44 +0800 + +runc (1.0.0~rc6+dfsg1-2) unstable; urgency=medium + + * Team upload. + * Apply upstream patch addressing CVE-2019-5736 (Closes: #922050) + Thanks Noah Meyerhans! + + -- Shengjing Zhu Tue, 12 Feb 2019 23:45:09 +0800 + +runc (1.0.0~rc6+dfsg1-1) unstable; urgency=medium + + * Standards-Version: 4.3.0. + * New upstream release. + + -- Dmitry Smirnov Fri, 25 Jan 2019 07:55:34 +1100 + +runc (1.0.0~rc5+dfsg1-4) unstable; urgency=medium + + * New patch to disable Hugetlb tests. + + -- Dmitry Smirnov Thu, 27 Sep 2018 08:16:11 +1000 + +runc (1.0.0~rc5+dfsg1-3) unstable; urgency=medium + + * TAGS += ambient + * New patch to fix FTBFS on mips* architectures. + + -- Dmitry Smirnov Mon, 18 Jun 2018 11:47:25 +1000 + +runc (1.0.0~rc5+dfsg1-2) unstable; urgency=medium + + * New patch to fix integer overflow on i686. + * Build with "selinux" tag (Closes: #865993). + Thanks, Laurent Bigonville. + * Added myself to uploaders. + + -- Dmitry Smirnov Sat, 16 Jun 2018 22:12:23 +1000 + +runc (1.0.0~rc5+dfsg1-1) unstable; urgency=medium + + * Team upload. + + [ Arnaud Rebillout ] + * Set minimum requirement for golang-gocapability-dev. + And drop the alternative name golang-github-syndtr-gocapability-dev, + this name never existed in the first place. + + [ Dmitry Smirnov ] + * New upstream release + * Testsuite: autopkgtest-pkg-go + * Standards-Version: 4.1.4; Priority: optional + * debhelper to version 11; compat to version 10. + * Added "XS-Go-Import-Path". + * (Build-)Depends: + - golang-github-codegangsta-cli-dev + - golang-github-coreos-pkg-dev + - golang-golang-x-sys-dev + - golang-logrus-dev + + golang-github-containerd-console-dev + + golang-github-pkg-errors-dev + + golang-github-sirupsen-logrus-dev + + golang-github-urfave-cli-dev + + -- Dmitry Smirnov Fri, 15 Jun 2018 21:48:18 +1000 + +runc (1.0.0~rc4+dfsg1-6) unstable; urgency=medium + + [ Michael Stapelberg ] + * update debian/gitlab-ci.yml (using salsa.debian.org/go-team/ci/cmd/ci) + + [ Dmitry Smirnov ] + * Removed myself from uploaders. + + [ Balint Reczey ] + * Team upload + * Stop using unix.SIGUNUSED which has been removed from golang.org/x/sys + (Closes: #889704) + + -- Balint Reczey Tue, 10 Apr 2018 18:40:56 +0200 + +runc (1.0.0~rc4+dfsg1-5) unstable; urgency=medium + + * Vcs-* urls: pkg-go-team -> go-team. + + -- Alexandre Viau Mon, 05 Feb 2018 23:05:40 -0500 + +runc (1.0.0~rc4+dfsg1-4) unstable; urgency=medium + + * Point vcs-* urls to packages subgroup. + + -- Alexandre Viau Thu, 25 Jan 2018 15:23:12 -0500 + +runc (1.0.0~rc4+dfsg1-3) unstable; urgency=medium + + * Change my email to @debian.org. + * Move to salsa.debian.org. + + -- Alexandre Viau Fri, 29 Dec 2017 00:34:59 -0500 + +runc (1.0.0~rc4+dfsg1-2) unstable; urgency=medium + + * Mark runc breaking docker.io (<= 1.13.1~ds1-2) (Closes: #877146) + + -- Balint Reczey Sat, 30 Sep 2017 11:50:52 -0400 + +runc (1.0.0~rc4+dfsg1-1) unstable; urgency=medium + + * Team Upload + * Update watch file to match release candidates + * Update Files-Excuded and d/control to match dependencies of rc4 + * New upstream release candidate 1.0.0-rc4 + * Drop obsoleted patches + * Drop outdated README.source + * Require at least final 1.0.0 release of + golang-github-opencontainers-specs-dev (Closes: #858250) + * Fix typo in golang-github-opencontainers-runc-dev package description + (Closes: #873760) + + -- Balint Reczey Sat, 30 Sep 2017 11:50:50 -0400 + +runc (1.0.0~rc2+git20170201.133.9df8b30-3) unstable; urgency=medium + + * Replace golang-go with golang-any in Build-Depends + + -- Konstantinos Margaritis Wed, 09 Aug 2017 15:00:55 +0300 + +runc (1.0.0~rc2+git20170201.133.9df8b30-2) unstable; urgency=medium + + * Patch to make libcontainer ignore cgroup2 hierarchy. Patch pulled from + https://github.com/opencontainers/runc/pull/1266. + + -- Vincent Bernat Fri, 30 Jun 2017 07:10:34 +0200 + +runc (1.0.0~rc2+git20170201.133.9df8b30-1) unstable; urgency=medium + + * New upstream snapshot for Docker 1.13.1. + + -- Tim Potter Wed, 24 May 2017 11:36:40 +1000 + +runc (1.0.0~rc2+git20161109.131.5137186-2) unstable; urgency=medium + + * Add Breaks line to binary package to avoid messing up previous + Docker installs. + + -- Tim Potter Fri, 24 Feb 2017 09:49:06 +1100 + +runc (1.0.0~rc2+git20161109.131.5137186-1) unstable; urgency=medium + + * New upstream snapshot. + * Refresh backported patch for CVE-2016-9962. + + -- Tim Potter Wed, 15 Feb 2017 09:08:52 +1100 + +runc (0.1.1+dfsg1-2) unstable; urgency=medium + + * Team upload. + * Backport patch for CVE-2016-9962 (Closes: #850951) + + -- Tianon Gravi Wed, 01 Feb 2017 07:17:54 -0800 + +runc (0.1.1+dfsg1-1) unstable; urgency=medium + + * New upstream release [June 2016]. + * testworks: disabled privileged and failing tests. + * Build with "apparmor seccomp" tags (Closes: #830818); + Build-Depends += "libapparmor-dev". + + -- Dmitry Smirnov Wed, 13 Jul 2016 23:00:43 +1000 + +runc (0.1.0+dfsg1-1) unstable; urgency=medium + + * Dropped dependency on "golang-docker-dev" in favour of bundled + (or build time sub-vendored) "github.com/docker/docker" in order + to avoid circular dependency with Docker. + * Standards-Version: 3.9.8. + * Corrected Vcs-Git URL. + + -- Dmitry Smirnov Sun, 12 Jun 2016 17:56:45 +1000 + +runc (0.1.0+dfsg-1) unstable; urgency=medium + + [ Tim Potter ] + * Team upload + * New upstream release [April 2016] + = golang-github-opencontainers-specs-dev (>= 0.5.0~) + * De-vendor new dependencies; pquerna/ffjson appears unused + + -- Dmitry Smirnov Sat, 23 Apr 2016 07:59:18 +1000 + +runc (0.0.9+dfsg-1) unstable; urgency=medium + + * New upstream release [March 2016]. + * (Build-)Depends: + = golang-github-opencontainers-specs-dev (>= 0.4.0~) + = golang-github-codegangsta-cli-dev (>= 0.0~git20151221~) + - help2man + + go-md2man + * Install upstream man pages. + * Install "runc" binary to "/usr/sbin". + + -- Dmitry Smirnov Sat, 16 Apr 2016 17:23:48 +1000 + +runc (0.0.8+dfsg-2) unstable; urgency=medium + + * (Build-)Depends: + + golang-github-docker-go-units-dev + + golang-github-seccomp-libseccomp-golang-dev + + -- Dmitry Smirnov Wed, 23 Mar 2016 20:05:01 +1100 + +runc (0.0.8+dfsg-1) unstable; urgency=medium + + * New upstream release [February 2016]. + * Build-Depends: + + golang-github-vishvananda-netlink-dev + * Updated Vcs URLs. + * Standards-Version: 3.9.7. + + -- Dmitry Smirnov Fri, 26 Feb 2016 18:19:24 +1100 + +runc (0.0.4~dfsg-1) unstable; urgency=medium + + * New upstream release (Closes: #802507). + * Dropped obsolete lintian-overrides. + + -- Dmitry Smirnov Wed, 21 Oct 2015 09:02:42 +1100 + +runc (0.0.3~dfsg2-1) unstable; urgency=low + + * Initial release (Closes: #796486). + Thanks, Alexandre Viau. + + -- Dmitry Smirnov Sun, 06 Sep 2015 18:06:34 +1000 diff --git a/clean b/clean new file mode 100644 index 0000000..bcf0b01 --- /dev/null +++ b/clean @@ -0,0 +1,23 @@ +libcontainer/criurpc/criurpc.pb.go + +## Remove generated man pages: +man/man8/* + +## Drop hanging test (introduced in 0.0.9). +## https://github.com/opencontainers/runc/issues/692 +libcontainer/nsenter/nsenter_test.go + +## Generated: +libcontainer/criurpc/criurpc.pb.go + + +## Failing tests: + +## Privileged tests: +### couldn't get cgroup root: mountpoint for cgroup not found +libcontainer/cgroups/fs/apply_raw_test.go + +### FAIL: TestXattr (0.00s) +### xattr_test.go:26: Success +### xattr_test.go:30: failed +libcontainer/xattr/xattr_test.go diff --git a/compat b/compat new file mode 100644 index 0000000..f599e28 --- /dev/null +++ b/compat @@ -0,0 +1 @@ +10 diff --git a/control b/control new file mode 100644 index 0000000..12da142 --- /dev/null +++ b/control @@ -0,0 +1,64 @@ +Source: runc +Section: devel +Priority: optional +Maintainer: Debian Go Packaging Team +Uploaders: Alexandre Viau , Dmitry Smirnov , + Tim Potter +Build-Depends: debhelper (>= 11~), + dh-golang, + go-md2man, + golang-any, + golang-dbus-dev, + golang-github-containerd-console-dev, + golang-github-coreos-go-systemd-dev, + golang-github-docker-go-units-dev, + golang-github-mrunalp-fileutils-dev, + golang-github-opencontainers-selinux-dev, + golang-github-opencontainers-specs-dev (>= 1.0.1-5~), + golang-github-pkg-errors-dev, + golang-github-seccomp-libseccomp-golang-dev, + golang-github-sirupsen-logrus-dev (>= 1.0.2~), + golang-github-urfave-cli-dev, + golang-github-vishvananda-netlink-dev, + golang-gocapability-dev (>= 0.0~git20160928~), + golang-goprotobuf-dev, + libapparmor-dev, + protobuf-compiler +Standards-Version: 4.3.0 +Homepage: https://github.com/opencontainers/runc +Vcs-Git: https://salsa.debian.org/go-team/packages/runc.git +Vcs-Browser: https://salsa.debian.org/go-team/packages/runc +XS-Go-Import-Path: github.com/opencontainers/runc +Testsuite: autopkgtest-pkg-go + +Package: runc +Architecture: any +Depends: ${misc:Depends}, ${shlibs:Depends} +Breaks: docker.io (<= 1.13.1~ds1-2) +Built-Using: ${misc:Built-Using} +Description: Open Container Project - runtime + "runc" is a command line client for running applications packaged according + to the Open Container Format (OCF) and is a compliant implementation of + the Open Container Project specification. + +Package: golang-github-opencontainers-runc-dev +Architecture: all +Depends: ${misc:Depends}, + golang-dbus-dev, + golang-github-coreos-go-systemd-dev, + golang-github-docker-go-units-dev, + golang-github-opencontainers-selinux-dev, + golang-github-opencontainers-specs-dev (>= 1.0.1-5~), + golang-github-seccomp-libseccomp-golang-dev, + golang-github-sirupsen-logrus-dev (>= 1.0.2~), + golang-github-urfave-cli-dev, + golang-github-vishvananda-netlink-dev, + golang-gocapability-dev (>= 0.0~git20160928~), + golang-goprotobuf-dev +Description: Open Container Project - development files + "runc" is a command line client for running applications packaged according + to the Open Container Format (OCF) and is a compliant implementation of + the Open Container Project specification. + . + This package provides development files formerly known as + "github.com/docker/libcontainer". diff --git a/copyright b/copyright new file mode 100644 index 0000000..daf1ae2 --- /dev/null +++ b/copyright @@ -0,0 +1,100 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: runc +Source: https://github.com/opencontainers/runc +Files-Excluded: + vendor/github.com/containerd/console + vendor/github.com/coreos/go-systemd + vendor/github.com/coreos/pkg + ~~vendor/github.com/cyphar/filepath-securejoin + vendor/github.com/docker/go-units + vendor/github.com/godbus/dbus + vendor/github.com/golang/protobuf + vendor/github.com/mrunalp/fileutils + vendor/github.com/opencontainers/runtime-spec + vendor/github.com/opencontainers/selinux + vendor/github.com/pkg/errors + vendor/github.com/seccomp/libseccomp-golang + vendor/github.com/sirupsen/logrus + vendor/github.com/syndtr/gocapability + vendor/github.com/urfave/cli + vendor/github.com/vishvananda/netlink + vendor/golang.org/x/sys + +Files: * +Copyright: 2012-2015 Docker, Inc. +License: Apache-2.0 + +Files: + vendor/github.com/cyphar/filepath-securejoin/* +Copyright: + 2014-2015 Docker Inc & Go Authors. All rights reserved. + 2017 SUSE LLC. All rights reserved. +License: BSD-3-Clause~Google + +Files: debian/* +Copyright: + 2015 Alexandre Viau + 2015-2019 Dmitry Smirnov +License: GPL-3+ + +Files: debian/patches/* +Copyright: 2015 Dmitry Smirnov +License: GPL-3+ or Apache-2.0 +Comment: patches can be licensed under the same terms as upstream. + +License: Apache-2.0 + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + . + http://www.apache.org/licenses/LICENSE-2.0 + . + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + . + The complete text of the Apache version 2.0 license + can be found in "/usr/share/common-licenses/Apache-2.0". + +License: GPL-3+ + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + ․ + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + ․ + The complete text of the GNU General Public License version 3 + can be found in "/usr/share/common-licenses/GPL-3". + +License: BSD-3-Clause~Google + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are + met: + . + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following disclaimer + in the documentation and/or other materials provided with the + distribution. + * Neither the name of Google Inc. nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/gbp.conf b/gbp.conf new file mode 100644 index 0000000..433de42 --- /dev/null +++ b/gbp.conf @@ -0,0 +1,11 @@ +[buildpackage] +overlay = True +export-dir = ../build-area/ +tarball-dir = ../ + +[dch] +id-length = 0 + +[import-orig] +pristine-tar = True +merge = False diff --git a/gitlab-ci.yml b/gitlab-ci.yml new file mode 100644 index 0000000..5c8c31b --- /dev/null +++ b/gitlab-ci.yml @@ -0,0 +1,28 @@ + +# auto-generated, DO NOT MODIFY. +# The authoritative copy of this file lives at: +# https://salsa.debian.org/go-team/ci/blob/master/cmd/ci/gitlabciyml.go + +# TODO: publish under debian-go-team/ci +image: stapelberg/ci2 + +test_the_archive: + artifacts: + paths: + - before-applying-commit.json + - after-applying-commit.json + script: + # Create an overlay to discard writes to /srv/gopath/src after the build: + - "rm -rf /cache/overlay/{upper,work}" + - "mkdir -p /cache/overlay/{upper,work}" + - "mount -t overlay overlay -o lowerdir=/srv/gopath/src,upperdir=/cache/overlay/upper,workdir=/cache/overlay/work /srv/gopath/src" + - "export GOPATH=/srv/gopath" + - "export GOCACHE=/cache/go" + # Build the world as-is: + - "ci-build -exemptions=/var/lib/ci-build/exemptions.json > before-applying-commit.json" + # Copy this package into the overlay: + - "GBP_CONF_FILES=:debian/gbp.conf gbp buildpackage --git-no-pristine-tar --git-ignore-branch --git-ignore-new --git-export-dir=/tmp/export --git-no-overlay --git-tarball-dir=/nonexistant --git-cleaner=/bin/true --git-builder='dpkg-buildpackage -S -d --no-sign'" + - "pgt-gopath -dsc /tmp/export/*.dsc" + # Rebuild the world: + - "ci-build -exemptions=/var/lib/ci-build/exemptions.json > after-applying-commit.json" + - "ci-diff before-applying-commit.json after-applying-commit.json" diff --git a/golang-github-opencontainers-runc-dev.install b/golang-github-opencontainers-runc-dev.install new file mode 100644 index 0000000..3e409b1 --- /dev/null +++ b/golang-github-opencontainers-runc-dev.install @@ -0,0 +1 @@ +usr/share/gocode/src diff --git a/patches/CVE-2019-5736.patch b/patches/CVE-2019-5736.patch new file mode 100644 index 0000000..73f5839 --- /dev/null +++ b/patches/CVE-2019-5736.patch @@ -0,0 +1,573 @@ +From: Shengjing Zhu +Date: Sun, 10 Mar 2019 17:47:46 +0800 +Subject: CVE-2019-5736 + +Backport upstream patches for CVE-2019-5736 + +Include commits: +2d4a37b427167907ef2402586a8e8e2931a22490 nsenter: cloned_binary: userspace copy fallback if sendfile fails +16612d74de5f84977e50a9c8ead7f0e9e13b8628 nsenter: cloned_binary: try to ro-bind /proc/self/exe before copying +af9da0a45082783f6005b252488943b5ee2e2138 nsenter: cloned_binary: use the runc statedir for O_TMPFILE +2429d59352b81f6b9cc79b5ed26780c5fe6ba4ec nsenter: cloned_binary: expand and add pre-3.11 fallbacks +5b775bf297c47a6bc50e36da89d1ec74a6fa01dc nsenter: cloned_binary: detect and handle short copies +bb7d8b1f41f7bf0399204d54009d6da57c3cc775 nsexec (CVE-2019-5736): avoid parsing environ +0a8e4117e7f715d5fbeef398405813ce8e88558b nsenter: clone /proc/self/exe to avoid exposing host binary to container + +Debian-Bug: https://bugs.debian.org/922050 +--- + libcontainer/nsenter/cloned_binary.c | 516 +++++++++++++++++++++++++++++++++++ + libcontainer/nsenter/nsexec.c | 11 + + 2 files changed, 527 insertions(+) + create mode 100644 libcontainer/nsenter/cloned_binary.c + +diff --git a/libcontainer/nsenter/cloned_binary.c b/libcontainer/nsenter/cloned_binary.c +new file mode 100644 +index 0000000..b410e29 +--- /dev/null ++++ b/libcontainer/nsenter/cloned_binary.c +@@ -0,0 +1,516 @@ ++/* ++ * Copyright (C) 2019 Aleksa Sarai ++ * Copyright (C) 2019 SUSE LLC ++ * ++ * Licensed under the Apache License, Version 2.0 (the "License"); ++ * you may not use this file except in compliance with the License. ++ * You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. ++ */ ++ ++#define _GNU_SOURCE ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++/* Use our own wrapper for memfd_create. */ ++#if !defined(SYS_memfd_create) && defined(__NR_memfd_create) ++# define SYS_memfd_create __NR_memfd_create ++#endif ++/* memfd_create(2) flags -- copied from . */ ++#ifndef MFD_CLOEXEC ++# define MFD_CLOEXEC 0x0001U ++# define MFD_ALLOW_SEALING 0x0002U ++#endif ++int memfd_create(const char *name, unsigned int flags) ++{ ++#ifdef SYS_memfd_create ++ return syscall(SYS_memfd_create, name, flags); ++#else ++ errno = ENOSYS; ++ return -1; ++#endif ++} ++ ++ ++/* This comes directly from . */ ++#ifndef F_LINUX_SPECIFIC_BASE ++# define F_LINUX_SPECIFIC_BASE 1024 ++#endif ++#ifndef F_ADD_SEALS ++# define F_ADD_SEALS (F_LINUX_SPECIFIC_BASE + 9) ++# define F_GET_SEALS (F_LINUX_SPECIFIC_BASE + 10) ++#endif ++#ifndef F_SEAL_SEAL ++# define F_SEAL_SEAL 0x0001 /* prevent further seals from being set */ ++# define F_SEAL_SHRINK 0x0002 /* prevent file from shrinking */ ++# define F_SEAL_GROW 0x0004 /* prevent file from growing */ ++# define F_SEAL_WRITE 0x0008 /* prevent writes */ ++#endif ++ ++#define CLONED_BINARY_ENV "_LIBCONTAINER_CLONED_BINARY" ++#define RUNC_MEMFD_COMMENT "runc_cloned:/proc/self/exe" ++#define RUNC_MEMFD_SEALS \ ++ (F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE) ++ ++static void *must_realloc(void *ptr, size_t size) ++{ ++ void *old = ptr; ++ do { ++ ptr = realloc(old, size); ++ } while(!ptr); ++ return ptr; ++} ++ ++/* ++ * Verify whether we are currently in a self-cloned program (namely, is ++ * /proc/self/exe a memfd). F_GET_SEALS will only succeed for memfds (or rather ++ * for shmem files), and we want to be sure it's actually sealed. ++ */ ++static int is_self_cloned(void) ++{ ++ int fd, ret, is_cloned = 0; ++ struct stat statbuf = {}; ++ struct statfs fsbuf = {}; ++ ++ fd = open("/proc/self/exe", O_RDONLY|O_CLOEXEC); ++ if (fd < 0) ++ return -ENOTRECOVERABLE; ++ ++ /* ++ * Is the binary a fully-sealed memfd? We don't need CLONED_BINARY_ENV for ++ * this, because you cannot write to a sealed memfd no matter what (so ++ * sharing it isn't a bad thing -- and an admin could bind-mount a sealed ++ * memfd to /usr/bin/runc to allow re-use). ++ */ ++ ret = fcntl(fd, F_GET_SEALS); ++ if (ret >= 0) { ++ is_cloned = (ret == RUNC_MEMFD_SEALS); ++ goto out; ++ } ++ ++ /* ++ * All other forms require CLONED_BINARY_ENV, since they are potentially ++ * writeable (or we can't tell if they're fully safe) and thus we must ++ * check the environment as an extra layer of defence. ++ */ ++ if (!getenv(CLONED_BINARY_ENV)) { ++ is_cloned = false; ++ goto out; ++ } ++ ++ /* ++ * Is the binary on a read-only filesystem? We can't detect bind-mounts in ++ * particular (in-kernel they are identical to regular mounts) but we can ++ * at least be sure that it's read-only. In addition, to make sure that ++ * it's *our* bind-mount we check CLONED_BINARY_ENV. ++ */ ++ if (fstatfs(fd, &fsbuf) >= 0) ++ is_cloned |= (fsbuf.f_flags & MS_RDONLY); ++ ++ /* ++ * Okay, we're a tmpfile -- or we're currently running on RHEL <=7.6 ++ * which appears to have a borked backport of F_GET_SEALS. Either way, ++ * having a file which has no hardlinks indicates that we aren't using ++ * a host-side "runc" binary and this is something that a container ++ * cannot fake (because unlinking requires being able to resolve the ++ * path that you want to unlink). ++ */ ++ if (fstat(fd, &statbuf) >= 0) ++ is_cloned |= (statbuf.st_nlink == 0); ++ ++out: ++ close(fd); ++ return is_cloned; ++} ++ ++/* Read a given file into a new buffer, and providing the length. */ ++static char *read_file(char *path, size_t *length) ++{ ++ int fd; ++ char buf[4096], *copy = NULL; ++ ++ if (!length) ++ return NULL; ++ ++ fd = open(path, O_RDONLY | O_CLOEXEC); ++ if (fd < 0) ++ return NULL; ++ ++ *length = 0; ++ for (;;) { ++ ssize_t n; ++ ++ n = read(fd, buf, sizeof(buf)); ++ if (n < 0) ++ goto error; ++ if (!n) ++ break; ++ ++ copy = must_realloc(copy, (*length + n) * sizeof(*copy)); ++ memcpy(copy + *length, buf, n); ++ *length += n; ++ } ++ close(fd); ++ return copy; ++ ++error: ++ close(fd); ++ free(copy); ++ return NULL; ++} ++ ++/* ++ * A poor-man's version of "xargs -0". Basically parses a given block of ++ * NUL-delimited data, within the given length and adds a pointer to each entry ++ * to the array of pointers. ++ */ ++static int parse_xargs(char *data, int data_length, char ***output) ++{ ++ int num = 0; ++ char *cur = data; ++ ++ if (!data || *output != NULL) ++ return -1; ++ ++ while (cur < data + data_length) { ++ num++; ++ *output = must_realloc(*output, (num + 1) * sizeof(**output)); ++ (*output)[num - 1] = cur; ++ cur += strlen(cur) + 1; ++ } ++ (*output)[num] = NULL; ++ return num; ++} ++ ++/* ++ * "Parse" out argv from /proc/self/cmdline. ++ * This is necessary because we are running in a context where we don't have a ++ * main() that we can just get the arguments from. ++ */ ++static int fetchve(char ***argv) ++{ ++ char *cmdline = NULL; ++ size_t cmdline_size; ++ ++ cmdline = read_file("/proc/self/cmdline", &cmdline_size); ++ if (!cmdline) ++ goto error; ++ ++ if (parse_xargs(cmdline, cmdline_size, argv) <= 0) ++ goto error; ++ ++ return 0; ++ ++error: ++ free(cmdline); ++ return -EINVAL; ++} ++ ++enum { ++ EFD_NONE = 0, ++ EFD_MEMFD, ++ EFD_FILE, ++}; ++ ++/* ++ * This comes from . We can't hard-code __O_TMPFILE because it ++ * changes depending on the architecture. If we don't have O_TMPFILE we always ++ * have the mkostemp(3) fallback. ++ */ ++#ifndef O_TMPFILE ++# if defined(__O_TMPFILE) && defined(O_DIRECTORY) ++# define O_TMPFILE (__O_TMPFILE | O_DIRECTORY) ++# endif ++#endif ++ ++static int make_execfd(int *fdtype) ++{ ++ int fd = -1; ++ char template[PATH_MAX] = {0}; ++ char *prefix = secure_getenv("_LIBCONTAINER_STATEDIR"); ++ ++ if (!prefix || *prefix != '/') ++ prefix = "/tmp"; ++ if (snprintf(template, sizeof(template), "%s/runc.XXXXXX", prefix) < 0) ++ return -1; ++ ++ /* ++ * Now try memfd, it's much nicer than actually creating a file in STATEDIR ++ * since it's easily detected thanks to sealing and also doesn't require ++ * assumptions about STATEDIR. ++ */ ++ *fdtype = EFD_MEMFD; ++ fd = memfd_create(RUNC_MEMFD_COMMENT, MFD_CLOEXEC | MFD_ALLOW_SEALING); ++ if (fd >= 0) ++ return fd; ++ if (errno != ENOSYS && errno != EINVAL) ++ goto error; ++ ++#ifdef O_TMPFILE ++ /* ++ * Try O_TMPFILE to avoid races where someone might snatch our file. Note ++ * that O_EXCL isn't actually a security measure here (since you can just ++ * fd re-open it and clear O_EXCL). ++ */ ++ *fdtype = EFD_FILE; ++ fd = open(prefix, O_TMPFILE | O_EXCL | O_RDWR | O_CLOEXEC, 0700); ++ if (fd >= 0) { ++ struct stat statbuf = {}; ++ bool working_otmpfile = false; ++ ++ /* ++ * open(2) ignores unknown O_* flags -- yeah, I was surprised when I ++ * found this out too. As a result we can't check for EINVAL. However, ++ * if we get nlink != 0 (or EISDIR) then we know that this kernel ++ * doesn't support O_TMPFILE. ++ */ ++ if (fstat(fd, &statbuf) >= 0) ++ working_otmpfile = (statbuf.st_nlink == 0); ++ ++ if (working_otmpfile) ++ return fd; ++ ++ /* Pretend that we got EISDIR since O_TMPFILE failed. */ ++ close(fd); ++ errno = EISDIR; ++ } ++ if (errno != EISDIR) ++ goto error; ++#endif /* defined(O_TMPFILE) */ ++ ++ /* ++ * Our final option is to create a temporary file the old-school way, and ++ * then unlink it so that nothing else sees it by accident. ++ */ ++ *fdtype = EFD_FILE; ++ fd = mkostemp(template, O_CLOEXEC); ++ if (fd >= 0) { ++ if (unlink(template) >= 0) ++ return fd; ++ close(fd); ++ } ++ ++error: ++ *fdtype = EFD_NONE; ++ return -1; ++} ++ ++static int seal_execfd(int *fd, int fdtype) ++{ ++ switch (fdtype) { ++ case EFD_MEMFD: ++ return fcntl(*fd, F_ADD_SEALS, RUNC_MEMFD_SEALS); ++ case EFD_FILE: { ++ /* Need to re-open our pseudo-memfd as an O_PATH to avoid execve(2) giving -ETXTBSY. */ ++ int newfd; ++ char fdpath[PATH_MAX] = {0}; ++ ++ if (fchmod(*fd, 0100) < 0) ++ return -1; ++ ++ if (snprintf(fdpath, sizeof(fdpath), "/proc/self/fd/%d", *fd) < 0) ++ return -1; ++ ++ newfd = open(fdpath, O_PATH | O_CLOEXEC); ++ if (newfd < 0) ++ return -1; ++ ++ close(*fd); ++ *fd = newfd; ++ return 0; ++ } ++ default: ++ break; ++ } ++ return -1; ++} ++ ++static int try_bindfd(void) ++{ ++ int fd, ret = -1; ++ char template[PATH_MAX] = {0}; ++ char *prefix = secure_getenv("_LIBCONTAINER_STATEDIR"); ++ ++ if (!prefix || *prefix != '/') ++ prefix = "/tmp"; ++ if (snprintf(template, sizeof(template), "%s/runc.XXXXXX", prefix) < 0) ++ return ret; ++ ++ /* ++ * We need somewhere to mount it, mounting anything over /proc/self is a ++ * BAD idea on the host -- even if we do it temporarily. ++ */ ++ fd = mkstemp(template); ++ if (fd < 0) ++ return ret; ++ close(fd); ++ ++ /* ++ * For obvious reasons this won't work in rootless mode because we haven't ++ * created a userns+mntns -- but getting that to work will be a bit ++ * complicated and it's only worth doing if someone actually needs it. ++ */ ++ ret = -EPERM; ++ if (mount("/proc/self/exe", template, "", MS_BIND, "") < 0) ++ goto out; ++ if (mount("", template, "", MS_REMOUNT | MS_BIND | MS_RDONLY, "") < 0) ++ goto out_umount; ++ ++ ++ /* Get read-only handle that we're sure can't be made read-write. */ ++ ret = open(template, O_PATH | O_CLOEXEC); ++ ++out_umount: ++ /* ++ * Make sure the MNT_DETACH works, otherwise we could get remounted ++ * read-write and that would be quite bad (the fd would be made read-write ++ * too, invalidating the protection). ++ */ ++ if (umount2(template, MNT_DETACH) < 0) { ++ if (ret >= 0) ++ close(ret); ++ ret = -ENOTRECOVERABLE; ++ } ++ ++out: ++ /* ++ * We don't care about unlink errors, the worst that happens is that ++ * there's an empty file left around in STATEDIR. ++ */ ++ unlink(template); ++ return ret; ++} ++ ++static ssize_t fd_to_fd(int outfd, int infd) ++{ ++ ssize_t total = 0; ++ char buffer[4096]; ++ ++ for (;;) { ++ ssize_t nread, nwritten = 0; ++ ++ nread = read(infd, buffer, sizeof(buffer)); ++ if (nread < 0) ++ return -1; ++ if (!nread) ++ break; ++ ++ do { ++ ssize_t n = write(outfd, buffer + nwritten, nread - nwritten); ++ if (n < 0) ++ return -1; ++ nwritten += n; ++ } while(nwritten < nread); ++ ++ total += nwritten; ++ } ++ ++ return total; ++} ++ ++static int clone_binary(void) ++{ ++ int binfd, execfd; ++ struct stat statbuf = {}; ++ size_t sent = 0; ++ int fdtype = EFD_NONE; ++ ++ /* ++ * Before we resort to copying, let's try creating an ro-binfd in one shot ++ * by getting a handle for a read-only bind-mount of the execfd. ++ */ ++ execfd = try_bindfd(); ++ if (execfd >= 0) ++ return execfd; ++ ++ /* ++ * Dammit, that didn't work -- time to copy the binary to a safe place we ++ * can seal the contents. ++ */ ++ execfd = make_execfd(&fdtype); ++ if (execfd < 0 || fdtype == EFD_NONE) ++ return -ENOTRECOVERABLE; ++ ++ binfd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC); ++ if (binfd < 0) ++ goto error; ++ ++ if (fstat(binfd, &statbuf) < 0) ++ goto error_binfd; ++ ++ while (sent < statbuf.st_size) { ++ int n = sendfile(execfd, binfd, NULL, statbuf.st_size - sent); ++ if (n < 0) { ++ /* sendfile can fail so we fallback to a dumb user-space copy. */ ++ n = fd_to_fd(execfd, binfd); ++ if (n < 0) ++ goto error_binfd; ++ } ++ sent += n; ++ } ++ close(binfd); ++ if (sent != statbuf.st_size) ++ goto error; ++ ++ if (seal_execfd(&execfd, fdtype) < 0) ++ goto error; ++ ++ return execfd; ++ ++error_binfd: ++ close(binfd); ++error: ++ close(execfd); ++ return -EIO; ++} ++ ++/* Get cheap access to the environment. */ ++extern char **environ; ++ ++int ensure_cloned_binary(void) ++{ ++ int execfd; ++ char **argv = NULL; ++ ++ /* Check that we're not self-cloned, and if we are then bail. */ ++ int cloned = is_self_cloned(); ++ if (cloned > 0 || cloned == -ENOTRECOVERABLE) ++ return cloned; ++ ++ if (fetchve(&argv) < 0) ++ return -EINVAL; ++ ++ execfd = clone_binary(); ++ if (execfd < 0) ++ return -EIO; ++ ++ if (putenv(CLONED_BINARY_ENV "=1")) ++ goto error; ++ ++ fexecve(execfd, argv, environ); ++error: ++ close(execfd); ++ return -ENOEXEC; ++} +diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c +index 28269df..7750af3 100644 +--- a/libcontainer/nsenter/nsexec.c ++++ b/libcontainer/nsenter/nsexec.c +@@ -534,6 +534,9 @@ void join_namespaces(char *nslist) + free(namespaces); + } + ++/* Defined in cloned_binary.c. */ ++extern int ensure_cloned_binary(void); ++ + void nsexec(void) + { + int pipenum; +@@ -549,6 +552,14 @@ void nsexec(void) + if (pipenum == -1) + return; + ++ /* ++ * We need to re-exec if we are not in a cloned binary. This is necessary ++ * to ensure that containers won't be able to access the host binary ++ * through /proc/self/exe. See CVE-2019-5736. ++ */ ++ if (ensure_cloned_binary() < 0) ++ bail("could not ensure we are a cloned binary"); ++ + /* Parse all of the netlink configuration. */ + nl_parse(pipenum, &config); + diff --git a/patches/series b/patches/series new file mode 100644 index 0000000..f56bec1 --- /dev/null +++ b/patches/series @@ -0,0 +1,4 @@ +test--fix_TestGetAdditionalGroups.patch +test--skip-Hugetlb.patch +test--skip_TestFactoryNewTmpfs.patch +CVE-2019-5736.patch diff --git a/patches/test--fix_TestGetAdditionalGroups.patch b/patches/test--fix_TestGetAdditionalGroups.patch new file mode 100644 index 0000000..39fb84d --- /dev/null +++ b/patches/test--fix_TestGetAdditionalGroups.patch @@ -0,0 +1,33 @@ +Last-Update: 2018-06-16 +Forwarded: https://github.com/opencontainers/runc/pull/1821 +Bug-Upstream: https://github.com/opencontainers/runc/issues/941 +Author: Dmitry Smirnov +Description: fix FTBFS on i686 + src/github.com/opencontainers/runc/libcontainer/user/user_test.go:448:36: constant 2147483648 overflows int + +--- a/libcontainer/user/user_test.go ++++ b/libcontainer/user/user_test.go +@@ -444,9 +444,9 @@ + + if utils.GetIntSize() > 4 { + tests = append(tests, foo{ + // groups with too large id +- groups: []string{strconv.Itoa(1 << 31)}, ++ groups: []string{strconv.Itoa( 1<<31 -1 )}, + expected: nil, + hasError: true, + }) + } +--- a/libcontainer/user/user.go ++++ b/libcontainer/user/user.go +@@ -472,9 +472,9 @@ + if err != nil { + return nil, fmt.Errorf("Unable to find group %s", ag) + } + // Ensure gid is inside gid range. +- if gid < minId || gid > maxId { ++ if gid < minId || gid >= maxId { + return nil, ErrRange + } + gidMap[gid] = struct{}{} + } diff --git a/patches/test--skip-Hugetlb.patch b/patches/test--skip-Hugetlb.patch new file mode 100644 index 0000000..7f672fc --- /dev/null +++ b/patches/test--skip-Hugetlb.patch @@ -0,0 +1,48 @@ +Last-Update: 2018-09-27 +Forwarded: not-needed +Bug-Upstream: https://github.com/opencontainers/runc/issues/1822 +Author: Dmitry Smirnov +Description: disabled unreliable tests due to random failures on [ppc64el, s390x]. + +--- a/libcontainer/cgroups/fs/hugetlb_test.go ++++ b/libcontainer/cgroups/fs/hugetlb_test.go +@@ -87,8 +87,9 @@ + } + } + + func TestHugetlbStatsNoUsageFile(t *testing.T) { ++t.Skip("Disabled unreliable test") + helper := NewCgroupTestUtil("hugetlb", t) + defer helper.cleanup() + helper.writeFileContents(map[string]string{ + maxUsage: hugetlbMaxUsageContents, +@@ -102,8 +103,9 @@ + } + } + + func TestHugetlbStatsNoMaxUsageFile(t *testing.T) { ++t.Skip("Disabled unreliable test") + helper := NewCgroupTestUtil("hugetlb", t) + defer helper.cleanup() + for _, pageSize := range HugePageSizes { + helper.writeFileContents(map[string]string{ +@@ -119,8 +121,9 @@ + } + } + + func TestHugetlbStatsBadUsageFile(t *testing.T) { ++t.Skip("Disabled unreliable test") + helper := NewCgroupTestUtil("hugetlb", t) + defer helper.cleanup() + for _, pageSize := range HugePageSizes { + helper.writeFileContents(map[string]string{ +@@ -137,8 +140,9 @@ + } + } + + func TestHugetlbStatsBadMaxUsageFile(t *testing.T) { ++t.Skip("Disabled unreliable test") + helper := NewCgroupTestUtil("hugetlb", t) + defer helper.cleanup() + helper.writeFileContents(map[string]string{ + usage: hugetlbUsageContents, diff --git a/patches/test--skip_TestFactoryNewTmpfs.patch b/patches/test--skip_TestFactoryNewTmpfs.patch new file mode 100644 index 0000000..a49a504 --- /dev/null +++ b/patches/test--skip_TestFactoryNewTmpfs.patch @@ -0,0 +1,17 @@ +Last-Update: 2018-06-15 +Forwarded: not-needed +Author: Dmitry Smirnov +Description: disable test (requires root) + +--- a/libcontainer/factory_linux_test.go ++++ b/libcontainer/factory_linux_test.go +@@ -77,8 +77,9 @@ + } + } + + func TestFactoryNewTmpfs(t *testing.T) { ++t.Skip("DM - skipping privileged test") + root, rerr := newTestRoot() + if rerr != nil { + t.Fatal(rerr) + } diff --git a/rules b/rules new file mode 100755 index 0000000..0087b6b --- /dev/null +++ b/rules @@ -0,0 +1,44 @@ +#!/usr/bin/make -f + +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + +export DH_GOPKG := github.com/opencontainers/runc +export DH_GOLANG_INSTALL_EXTRA := libcontainer/seccomp/fixtures + +include /usr/share/dpkg/pkg-info.mk + +TAGS=apparmor seccomp selinux ambient +LDFLAGS := -X main.version=$(DEB_VERSION_UPSTREAM) -X main.gitCommit=$(DEB_VERSION) + +%: + dh $@ --buildsystem=golang --with=golang --builddirectory=_build + +override_dh_clean: + dh_clean + ## Remove Files-Excluded (when built from checkout or non-DFSG tarball): + $(RM) -rv `perl -0nE 'say $$1 if m{^Files\-Excluded\:\s*(.*?)(?:\n\n|Files:|Comment:)}sm;' debian/copyright` + +override_dh_auto_configure: + $(MAKE) -C libcontainer/criurpc + cd man && ./md2man-all.sh + dh_auto_configure +# ## Sub-vendor "github.com/docker/docker/pkg" (system lib takes preference over bundled one): +# mkdir -p _build/src/$(DH_GOPKG)/vendor/github.com/docker/docker +# if [ -d "/usr/share/gocode/src/github.com/docker/docker/pkg" ]; then \ +# cp -vr /usr/share/gocode/src/github.com/docker/docker/pkg _build/src/$(DH_GOPKG)/vendor/github.com/docker/docker/ ;\ +# elif [ -d "vendor/github.com/docker/docker/pkg" ]; then \ +# cp -vr vendor/github.com/docker/docker/pkg _build/src/$(DH_GOPKG)/vendor/github.com/docker/docker/ ;\ +# fi + ## Remove extra license files: + $(RM) -v \ + _build/src/$(DH_GOPKG)/vendor/github.com/docker/docker/*/*/LICENSE* \ + ; +# ln -svrf vendor/github.com/opencontainers/specs _build/src/github.com/opencontainers/ + +override_dh_auto_build: + dh_auto_build -- -tags "$(TAGS)" -ldflags "$(LDFLAGS)" + +override_dh_auto_test: + DH_GOLANG_EXCLUDES="libcontainer/integration" \ + dh_auto_test -- -tags "$(TAGS)" diff --git a/runc.docs b/runc.docs new file mode 100644 index 0000000..a0eacdb --- /dev/null +++ b/runc.docs @@ -0,0 +1,2 @@ +README* +NOTICE diff --git a/runc.install b/runc.install new file mode 100644 index 0000000..9456224 --- /dev/null +++ b/runc.install @@ -0,0 +1 @@ +usr/bin/* /usr/sbin/ diff --git a/runc.lintian-overrides b/runc.lintian-overrides new file mode 100644 index 0000000..eaa0b29 --- /dev/null +++ b/runc.lintian-overrides @@ -0,0 +1 @@ +runc: spelling-error-in-binary diff --git a/runc.manpages b/runc.manpages new file mode 100644 index 0000000..99cddbc --- /dev/null +++ b/runc.manpages @@ -0,0 +1 @@ +man/man8/*.8 diff --git a/source/format b/source/format new file mode 100644 index 0000000..163aaf8 --- /dev/null +++ b/source/format @@ -0,0 +1 @@ +3.0 (quilt) diff --git a/source/lintian-overrides b/source/lintian-overrides new file mode 100644 index 0000000..81ccd6d --- /dev/null +++ b/source/lintian-overrides @@ -0,0 +1,2 @@ +# Result of Files-Excluded: +source-contains-empty-directory vendor/* diff --git a/watch b/watch new file mode 100644 index 0000000..ec26c94 --- /dev/null +++ b/watch @@ -0,0 +1,9 @@ +version=3 + +opts=\ +repack,\ +repacksuffix=+dfsg1,\ +uversionmangle=s/-rc/~rc/,\ +dversionmangle=s/[~+]dfsg\d*$// \ + https://github.com/opencontainers/runc/releases \ + .*archive/v?(\d\.\d\.\d.*)\.tar\.gz -- 2.30.2