lxc: update to 3.0.2, enable apparmor

CVE-2018-6556
Cameron Nemo 2018-08-22 13:13:18 -07:00 committed by Helmut Pozimski
parent 2d41382e7c
commit e8a2ab0fb5
3 changed files with 104 additions and 7 deletions


@ -0,0 +1,97 @@
diff --git configure.ac configure.ac
index 19d9ea22..b2b2f71c 100644
--- configure.ac
+++ configure.ac
@@ -619,6 +619,12 @@ AC_HEADER_MAJOR
# Check for some syscalls functions
AC_CHECK_FUNCS([setns pivot_root sethostname unshare rand_r confstr faccessat gettid memfd_create])
+# Check for strerror_r() support. Defines:
+# - HAVE_STRERROR_R if available
+# - HAVE_DECL_STRERROR_R if defined
+# - STRERROR_R_CHAR_P if it returns char *
+AC_FUNC_STRERROR_R
+
# Check for some functions
AC_CHECK_LIB(pthread, main)
AC_CHECK_FUNCS(statvfs)
@@ -676,6 +682,11 @@ if test "x$enable_werror" = "xyes"; then
CFLAGS="$CFLAGS -Werror -Wvla -std=gnu11"
fi
+AC_ARG_ENABLE([thread-safety],
+ [AC_HELP_STRING([--enable-thread-safety], [enforce thread-safety otherwise fail the build [default=yes]])],
+ [], [enable_thread_safety=yes])
+AM_CONDITIONAL([ENFORCE_THREAD_SAFETY], [test "x$enable_thread_safety" = "xyes"])
+
# Files requiring some variable expansion
AC_CONFIG_FILES([
Makefile
@@ -919,4 +930,7 @@ Debugging:
Paths:
- Logs in configpath: $enable_configpath_log
+
+Thread-safety:
+ - enforce: $enable_thread_safety
EOF
diff --git src/lxc/log.h src/lxc/log.h
index 4654fd91..a7f72b4c 100644
--- src/lxc/log.h
+++ src/lxc/log.h
@@ -327,22 +327,40 @@ ATTR_UNUSED static inline void LXC_##LEVEL(struct lxc_log_locinfo* locinfo, \
/*
* Helper macro to define errno string.
*/
-#if (_POSIX_C_SOURCE >= 200112L || _XOPEN_SOURCE >= 600) && !defined(_GNU_SOURCE) || IS_BIONIC
-#define lxc_log_strerror_r \
- char errno_buf[MAXPATHLEN / 2] = {"Failed to get errno string"}; \
- char *ptr = errno_buf; \
- { \
- (void)strerror_r(errno, errno_buf, sizeof(errno_buf)); \
- }
+#if HAVE_STRERROR_R
+ #ifndef HAVE_DECL_STRERROR_R
+ #ifdef STRERROR_R_CHAR_P
+ char *strerror_r(int errnum, char *buf, size_t buflen);
+ #else
+ int strerror_r(int errnum, char *buf, size_t buflen);
+ #endif
+ #endif
+
+ #ifdef STRERROR_R_CHAR_P
+ #define lxc_log_strerror_r \
+ char errno_buf[MAXPATHLEN / 2] = {"Failed to get errno string"}; \
+ char *ptr = NULL; \
+ { \
+ ptr = strerror_r(errno, errno_buf, sizeof(errno_buf)); \
+ if (!ptr) \
+ ptr = errno_buf; \
+ }
+ #else
+ #define lxc_log_strerror_r \
+ char errno_buf[MAXPATHLEN / 2] = {"Failed to get errno string"}; \
+ char *ptr = errno_buf; \
+ { \
+ (void)strerror_r(errno, errno_buf, sizeof(errno_buf)); \
+ }
+ #endif
+#elif ENFORCE_THREAD_SAFETY
+ #error ENFORCE_THREAD_SAFETY was set but cannot be guaranteed
#else
-#define lxc_log_strerror_r \
- char errno_buf[MAXPATHLEN / 2] = {"Failed to get errno string"}; \
- char *ptr; \
- { \
- ptr = strerror_r(errno, errno_buf, sizeof(errno_buf)); \
- if (!ptr) \
- ptr = errno_buf; \
- }
+ #define lxc_log_strerror_r \
+ char *ptr = NULL; \
+ { \
+ ptr = strerror(errno); \
+ }
#endif
/*
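Review bot: The `#elif ENFORCE_THREAD_SAFETY` guard in the log.h part tests a preprocessor macro, but the configure.ac part only declares `AM_CONDITIONAL([ENFORCE_THREAD_SAFETY], ...)`, which is an automake conditional and defines nothing for the C compiler. Unless a Makefile.am rule outside this patch passes the macro (something like `AM_CFLAGS += -DENFORCE_THREAD_SAFETY` under `if ENFORCE_THREAD_SAFETY`), the `#error` can never fire. A build without `HAVE_STRERROR_R` would then silently take the last branch and log through `strerror(errno)`, which is not thread-safe; please confirm the 3.0.2 tarball carries that flag or add the Makefile.am hunk here. Because the patch edits configure.ac, `AC_FUNC_STRERROR_R` only takes effect if the template regenerates configure; that step is not visible on this page.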


@ -1,5 +1,5 @@
--- src/lxc/parse.c 2018-03-28 04:48:26.000000000 +0300
+++ src/lxc/parse.c 2018-05-07 21:07:45.737722549 +0300
--- src/lxc/parse.c 2018-03-28 04:48:26.000000000 +0300
+++ src/lxc/parse.c 2018-05-07 21:07:45.737722549 +0300
@@ -23,11 +23,11 @@
#define _GNU_SOURCE


@ -2,21 +2,21 @@
_desc="Linux Containers"
pkgname=lxc
version=3.0.1
revision=2
version=3.0.2
revision=1
build_style=gnu-configure
configure_args="--enable-doc --enable-seccomp
--enable-capabilities --disable-apparmor --with-distro=none
--enable-capabilities --enable-apparmor --with-distro=none
--with-rootfs-path=/var/lxc/containers --with-log-path=/var/lxc/log"
hostmakedepends="automake libtool pkg-config docbook2x"
makedepends="libcap-devel libseccomp-devel gnutls-devel"
makedepends="libcap-devel libseccomp-devel gnutls-devel libapparmor-devel"
depends="xz gnupg"
short_desc="${_desc} - utilities"
maintainer="Juan RP <xtraeme@voidlinux.eu>"
homepage="https://linuxcontainers.org"
license="LGPL-2.1"
distfiles="https://linuxcontainers.org/downloads/lxc-${version}.tar.gz"
checksum=45986c49be1c048fa127bd3e7ea1bd3347e25765c008a09a2e4c233151a2d5db
checksum=6ab7117b17066220da450c55ed77953998cf2336d415143b879554364af12f5c
conf_files="/etc/lxc/default.conf"
make_dirs="