From e8a2ab0fb563d101c5b0b2d3dc75812fefa2e750 Mon Sep 17 00:00:00 2001
From: Cameron Nemo
Date: Wed, 22 Aug 2018 13:13:18 -0700
Subject: [PATCH] lxc: update to 3.0.2, enable apparmor CVE-2018-6556

---
 srcpkgs/lxc/patches/musl-strerror.patch | 97 +++++++++++++++++++++++++
 srcpkgs/lxc/patches/musl-string.patch | 4 +-
 srcpkgs/lxc/template | 10 +--
 3 files changed, 104 insertions(+), 7 deletions(-)
 create mode 100644 srcpkgs/lxc/patches/musl-strerror.patch

diff --git a/srcpkgs/lxc/patches/musl-strerror.patch b/srcpkgs/lxc/patches/musl-strerror.patch
new file mode 100644
index 00000000000..0d080e6ed51
--- /dev/null
+++ b/srcpkgs/lxc/patches/musl-strerror.patch
@@ -0,0 +1,97 @@
+diff --git configure.ac configure.ac
+index 19d9ea22..b2b2f71c 100644
+--- configure.ac
++++ configure.ac
+@@ -619,6 +619,12 @@ AC_HEADER_MAJOR
+ # Check for some syscalls functions
+ AC_CHECK_FUNCS([setns pivot_root sethostname unshare rand_r confstr faccessat gettid memfd_create])
+ 
++# Check for strerror_r() support. Defines:
++# - HAVE_STRERROR_R if available
++# - HAVE_DECL_STRERROR_R if defined
++# - STRERROR_R_CHAR_P if it returns char *
++AC_FUNC_STRERROR_R
++
+ # Check for some functions
+ AC_CHECK_LIB(pthread, main)
+ AC_CHECK_FUNCS(statvfs)
+@@ -676,6 +682,11 @@ if test "x$enable_werror" = "xyes"; then
+ CFLAGS="$CFLAGS -Werror -Wvla -std=gnu11"
+ fi
+ 
++AC_ARG_ENABLE([thread-safety],
++ [AC_HELP_STRING([--enable-thread-safety], [enforce thread-safety otherwise fail the build [default=yes]])],
++ [], [enable_thread_safety=yes])
++AM_CONDITIONAL([ENFORCE_THREAD_SAFETY], [test "x$enable_thread_safety" = "xyes"])
++
+ # Files requiring some variable expansion
+ AC_CONFIG_FILES([
+ Makefile
+@@ -919,4 +930,7 @@ Debugging:
+ 
+ Paths:
+ - Logs in configpath: $enable_configpath_log
++
++Thread-safety:
++ - enforce: $enable_thread_safety
+ EOF
+diff --git src/lxc/log.h src/lxc/log.h
+index 4654fd91..a7f72b4c 100644
+--- src/lxc/log.h
++++ src/lxc/log.h
+@@ -327,22 +327,40 @@ ATTR_UNUSED static inline void LXC_##LEVEL(struct lxc_log_locinfo* locinfo, \
+ /*
+ * Helper macro to define errno string.
+ */
+-#if (_POSIX_C_SOURCE >= 200112L || _XOPEN_SOURCE >= 600) && !defined(_GNU_SOURCE) || IS_BIONIC
+-#define lxc_log_strerror_r \
+- char errno_buf[MAXPATHLEN / 2] = {"Failed to get errno string"}; \
+- char *ptr = errno_buf; \
+- { \
+- (void)strerror_r(errno, errno_buf, sizeof(errno_buf)); \
+- }
++#if HAVE_STRERROR_R
++ #ifndef HAVE_DECL_STRERROR_R
++ #ifdef STRERROR_R_CHAR_P
++ char *strerror_r(int errnum, char *buf, size_t buflen);
++ #else
++ int strerror_r(int errnum, char *buf, size_t buflen);
++ #endif
++ #endif
++
++ #ifdef STRERROR_R_CHAR_P
++ #define lxc_log_strerror_r \
++ char errno_buf[MAXPATHLEN / 2] = {"Failed to get errno string"}; \
++ char *ptr = NULL; \
++ { \
++ ptr = strerror_r(errno, errno_buf, sizeof(errno_buf)); \
++ if (!ptr) \
++ ptr = errno_buf; \
++ }
++ #else
++ #define lxc_log_strerror_r \
++ char errno_buf[MAXPATHLEN / 2] = {"Failed to get errno string"}; \
++ char *ptr = errno_buf; \
++ { \
++ (void)strerror_r(errno, errno_buf, sizeof(errno_buf)); \
++ }
++ #endif
++#elif ENFORCE_THREAD_SAFETY
++ #error ENFORCE_THREAD_SAFETY was set but cannot be guaranteed
+ #else
+-#define lxc_log_strerror_r \
+- char errno_buf[MAXPATHLEN / 2] = {"Failed to get errno string"}; \
+- char *ptr; \
+- { \
+- ptr = strerror_r(errno, errno_buf, sizeof(errno_buf)); \
+- if (!ptr) \
+- ptr = errno_buf; \
+- }
++ #define lxc_log_strerror_r \
++ char *ptr = NULL; \
++ { \
++ ptr = strerror(errno); \
++ }
+ #endif
+ 
+ /*
diff --git a/srcpkgs/lxc/patches/musl-string.patch b/srcpkgs/lxc/patches/musl-string.patch
index 7186db42893..e0d38efc7c5 100644
--- a/srcpkgs/lxc/patches/musl-string.patch
+++ b/srcpkgs/lxc/patches/musl-string.patch
@@ -1,5 +1,5 @@
---- src/lxc/parse.c 2018-03-28 04:48:26.000000000 +0300
-+++ src/lxc/parse.c 2018-05-07 21:07:45.737722549 +0300
+--- src/lxc/parse.c 2018-03-28 04:48:26.000000000 +0300
++++ src/lxc/parse.c 2018-05-07 21:07:45.737722549 +0300
 @@ -23,11 +23,11 @@
 #define _GNU_SOURCE
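Review bot: The fallback prototypes under `#ifndef HAVE_DECL_STRERROR_R` in the new log.h block can never be selected, because `AC_FUNC_STRERROR_R` defines `HAVE_DECL_STRERROR_R` to 0 when the function is not declared rather than leaving it undefined; the guard should be `#if !HAVE_DECL_STRERROR_R` (and the configure.ac comment should read `HAVE_DECL_STRERROR_R 1 if declared, 0 otherwise`), since without it a genuinely missing declaration would leave `strerror_r` implicitly declared as returning `int` and truncate the `char *` result on 64-bit targets. Likewise `#elif ENFORCE_THREAD_SAFETY` tests a preprocessor macro, but the configure.ac hunk only creates an Automake conditional via `AM_CONDITIONAL`; unless Makefile.am (not part of this patch) adds `-DENFORCE_THREAD_SAFETY` under that conditional, the `#error` is dead and a toolchain without `strerror_r` silently falls through to the non-reentrant `strerror()` in a macro that presumably backs the logging paths. Neither is reached on this musl build, which provides `strerror_r`, but the guards should be made live or dropped so that `--enable-thread-safety` (default yes) actually enforces anything.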
diff --git a/srcpkgs/lxc/template b/srcpkgs/lxc/template
index 1322cf613b7..9b9ef04ac3d 100644
--- a/srcpkgs/lxc/template
+++ b/srcpkgs/lxc/template
@@ -2,21 +2,21 @@
 
 _desc="Linux Containers"
 pkgname=lxc
-version=3.0.1
-revision=2
+version=3.0.2
+revision=1
 build_style=gnu-configure
 configure_args="--enable-doc --enable-seccomp
- --enable-capabilities --disable-apparmor --with-distro=none
+ --enable-capabilities --enable-apparmor --with-distro=none
 --with-rootfs-path=/var/lxc/containers --with-log-path=/var/lxc/log"
 hostmakedepends="automake libtool pkg-config docbook2x"
-makedepends="libcap-devel libseccomp-devel gnutls-devel"
+makedepends="libcap-devel libseccomp-devel gnutls-devel libapparmor-devel"
 depends="xz gnupg"
 short_desc="${_desc} - utilities"
 maintainer="Juan RP "
 homepage="https://linuxcontainers.org"
 license="LGPL-2.1"
 distfiles="https://linuxcontainers.org/downloads/lxc-${version}.tar.gz"
-checksum=45986c49be1c048fa127bd3e7ea1bd3347e25765c008a09a2e4c233151a2d5db
+checksum=6ab7117b17066220da450c55ed77953998cf2336d415143b879554364af12f5c
 conf_files="/etc/lxc/default.conf"
 make_dirs="