commit:     17fae8ae6b2f316d1fc277d298adc179535090b6
Author:     Rahil Bhimjiani <me <AT> rahil <DOT> rocks>
AuthorDate: Sat Feb  3 01:02:03 2024 +0000
Commit:     Zac Medico <zmedico <AT> gentoo <DOT> org>
CommitDate: Thu Feb  8 03:17:17 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=17fae8ae

app-containers/podman: add 4.9.2

This release addresses a number of Buildkit vulnerabilities including but not 
limited to: CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653.

Bug: https://bugs.gentoo.org/923751
Signed-off-by: Rahil Bhimjiani <me <AT> rahil.rocks>
Signed-off-by: Zac Medico <zmedico <AT> gentoo.org>

 app-containers/podman/Manifest            |   1 +
 app-containers/podman/podman-4.9.2.ebuild | 136 ++++++++++++++++++++++++++++++
 2 files changed, 137 insertions(+)

diff --git a/app-containers/podman/Manifest b/app-containers/podman/Manifest
index 3c4bd27e99ff..cb6918b21754 100644
--- a/app-containers/podman/Manifest
+++ b/app-containers/podman/Manifest
@@ -1,2 +1,3 @@
 DIST podman-4.8.3.tar.gz 21565162 BLAKE2B 
13d2e5800dce96ba8c1671f251c2809dc0166198b807978d44b6f10b4dd2095e909678a12518fed84a0a1b5eee5a71e944170eb55350c3af945a63910f9c8082
 SHA512 
13ade866b888d32ada3b38130d7cc4677591136e25234e040b478c5d002d1b7907ed46731996d25cc41b992b98b75f109c6e6eea44251f4ad89162b20266976d
 DIST podman-4.9.1.tar.gz 21573896 BLAKE2B 
5005c84b0c430b790d64401d9b7e45cf8057f16add0535042ee9cd5f7af608461a13e266099fbf74631996edced3869bd019186266a7d1af82237db6fb990923
 SHA512 
59cece9806df3b69e202b39e0a45d71b3f6fd77dbbbe1452bc046468d5504fc52c21ad3056a89bab7d3f9a86c86e22369902e0a2840ca43e0dd3a6c4c10affc2
+DIST podman-4.9.2.tar.gz 21725053 BLAKE2B 
8457b714198ba341d1bbceece492229d635c14de19abe903576337893b618d2fce6048ece4ea452ddecfbbe42fc53b2e706228a1c5809ddcd38e0aaa2c0bb6d0
 SHA512 
09f6c1839d67fb7404688c8fc6fcb65471ca9f9d1651f7c5c57baa52eb64f0a8f73523d7761a857794b6307d3a943aecd92fc247dd193ccf1d53eb234f9f6ff5

diff --git a/app-containers/podman/podman-4.9.2.ebuild 
b/app-containers/podman/podman-4.9.2.ebuild
new file mode 100644
index 000000000000..3f6774cf6770
--- /dev/null
+++ b/app-containers/podman/podman-4.9.2.ebuild
@@ -0,0 +1,136 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit go-module tmpfiles linux-info
+
+DESCRIPTION="A tool for managing OCI containers and pods with 
Docker-compatible CLI"
+HOMEPAGE="https://github.com/containers/podman/ https://podman.io/";
+
+if [[ ${PV} == 9999* ]]; then
+       inherit git-r3
+       EGIT_REPO_URI="https://github.com/containers/podman.git";
+else
+       
SRC_URI="https://github.com/containers/podman/archive/v${PV/_rc/-rc}.tar.gz -> 
${P}.tar.gz"
+       S="${WORKDIR}/${P/_rc/-rc}"
+       KEYWORDS="~amd64 ~arm64 ~riscv"
+fi
+
+# main pkg
+LICENSE="Apache-2.0"
+# deps
+LICENSE+=" BSD BSD-2 CC-BY-SA-4.0 ISC MIT MPL-2.0"
+SLOT="0"
+IUSE="apparmor btrfs cgroup-hybrid wrapper +fuse +init +rootless +seccomp 
selinux systemd"
+RESTRICT="test"
+
+RDEPEND="
+       app-crypt/gpgme:=
+       >=app-containers/conmon-2.0.0
+       >=app-containers/containers-common-0.56.0
+       dev-libs/libassuan:=
+       dev-libs/libgpg-error:=
+       sys-apps/shadow:=
+
+       apparmor? ( sys-libs/libapparmor )
+       btrfs? ( sys-fs/btrfs-progs )
+       cgroup-hybrid? ( >=app-containers/runc-1.0.0_rc6  )
+       !cgroup-hybrid? ( app-containers/crun )
+       wrapper? ( !app-containers/docker-cli )
+       fuse? ( sys-fs/fuse-overlayfs )
+       init? ( app-containers/catatonit )
+       rootless? ( app-containers/slirp4netns )
+       seccomp? ( sys-libs/libseccomp:= )
+       selinux? ( sec-policy/selinux-podman sys-libs/libselinux:= )
+       systemd? ( sys-apps/systemd:= )
+"
+DEPEND="${RDEPEND}"
+BDEPEND="
+       dev-go/go-md2man
+"
+
+PATCHES=(
+       "${FILESDIR}/seccomp-toggle-4.7.0.patch"
+)
+
+CONFIG_CHECK="
+       ~USER_NS
+"
+
+pkg_setup() {
+       use btrfs && CONFIG_CHECK+=" ~BTRFS_FS"
+       linux-info_pkg_setup
+}
+
+src_prepare() {
+       default
+
+       # assure necessary files are present
+       local file
+       for file in apparmor_tag btrfs_installed_tag btrfs_tag systemd_tag; do
+               [[ -f hack/"${file}".sh ]] || die
+       done
+
+       local feature
+       for feature in apparmor systemd; do
+               cat <<-EOF > hack/"${feature}"_tag.sh || die
+               #!/usr/bin/env bash
+               $(usex ${feature} "echo ${feature}" echo)
+               EOF
+       done
+
+       echo -e "#!/usr/bin/env bash\n echo" > hack/btrfs_installed_tag.sh || 
die
+       cat <<-EOF > hack/btrfs_tag.sh || die
+       #!/usr/bin/env bash
+       $(usex btrfs echo 'echo exclude_graphdriver_btrfs btrfs_noversion')
+       EOF
+}
+
+src_compile() {
+       export PREFIX="${EPREFIX}/usr"
+
+       # For non-live versions, prevent git operations which causes sandbox 
violations
+       # https://github.com/gentoo/gentoo/pull/33531#issuecomment-1786107493
+       [[ ${PV} != 9999* ]] && export COMMIT_NO="" GIT_COMMIT=""
+
+       # BUILD_SECCOMP is used in the patch to toggle seccomp
+       emake BUILDFLAGS="-v -work -x" GOMD2MAN="go-md2man" 
BUILD_SECCOMP="$(usex seccomp)" all $(usev wrapper docker-docs)
+}
+
+src_install() {
+       emake DESTDIR="${D}" install install.completions $(usev wrapper 
install.docker-full)
+
+       insinto /etc/cni/net.d
+       doins cni/87-podman-bridge.conflist
+
+       newconfd "${FILESDIR}"/podman.confd podman
+       newinitd "${FILESDIR}"/podman.initd podman
+
+       insinto /etc/logrotate.d
+       newins "${FILESDIR}/podman.logrotated" podman
+
+       keepdir /var/lib/containers
+}
+
+pkg_preinst() {
+       PODMAN_ROOTLESS_UPGRADE=false
+       if use rootless; then
+               has_version 'app-containers/podman[rootless]' || 
PODMAN_ROOTLESS_UPGRADE=true
+       fi
+}
+
+pkg_postinst() {
+       tmpfiles_process podman.conf $(usev wrapper podman-docker.conf)
+
+       local want_newline=false
+       if [[ ${PODMAN_ROOTLESS_UPGRADE} == true ]] ; then
+               ${want_newline} && elog ""
+               elog "For rootless operation, you need to configure 
subuid/subgid"
+               elog "for user running podman. In case subuid/subgid has only 
been"
+               elog "configured for root, run:"
+               elog "usermod --add-subuids 1065536-1131071 <user>"
+               elog "usermod --add-subgids 1065536-1131071 <user>"
+               want_newline=true
+       fi
+}
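Review bot: The presence check in src_prepare, `[[ -f hack/"${file}".sh ]] || die`, aborts with no message, so a failed merge gives no hint which tag script the upstream tarball stopped shipping; `[[ -f hack/"${file}".sh ]] || die "hack/${file}.sh is missing"` would name it. Later in the same hunk, pkg_postinst initialises `want_newline=false` directly before its only test, so `${want_newline} && elog ""` can never run and the trailing `want_newline=true` is never read; either drop both lines or move the initialisation above a block that actually emits a first message. The seccomp toggle is applied from `seccomp-toggle-4.7.0.patch` while the package is now 4.9.2; a one-line comment above PATCHES saying it still applies cleanly to this series would save the next bumper a check.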
