commit:     2941140a0760ca358eecc44391a79479f024a3de
Author:     Rahil Bhimjiani <rahil3108 <AT> gmail <DOT> com>
AuthorDate: Thu Sep 21 18:34:24 2023 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Thu Sep 21 22:16:19 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2941140a

app-containers/containers-common: add 0.56.0 and live

Common configs & docs for Containers eco-system (i.e. podman buildah skopeo...)

In the Go realm, executables are all compiled, static, and tidy in one binary, but docs 
& configs... OMG, all over the place. Spent the whole day coding all these (such 
noob, I know), but was fun & fulfilling. Once this is merged the foundation of 
podman-stack is built, so will proceed to update frontend packages of 
eco-system.

Closes: https://bugs.gentoo.org/907805
Closes: https://bugs.gentoo.org/904433
Closes: https://bugs.gentoo.org/914456
Closes: https://bugs.gentoo.org/907804
Signed-off-by: Rahil Bhimjiani <rahil3108 <AT> gmail.com>
Closes: https://github.com/gentoo/gentoo/pull/32976
Signed-off-by: Sam James <sam <AT> gentoo.org>

 app-containers/containers-common/Manifest          |    1 +
 .../containers-common-0.56.0.ebuild                |   76 ++
 .../containers-common-9999.ebuild                  |   76 ++
 .../containers-common/files/default.yaml           |   28 +
 .../containers-common/files/fix-warnings.patch     |   24 +
 app-containers/containers-common/files/mounts.conf |    3 +
 app-containers/containers-common/files/policy.json |   14 +
 .../containers-common/files/seccomp.json           | 1051 ++++++++++++++++++++
 app-containers/containers-common/metadata.xml      |   17 +
 9 files changed, 1290 insertions(+)

diff --git a/app-containers/containers-common/Manifest 
b/app-containers/containers-common/Manifest
new file mode 100644
index 000000000000..6c7325fe1c77
--- /dev/null
+++ b/app-containers/containers-common/Manifest
@@ -0,0 +1 @@
+DIST containers-common-0.56.0.tar.gz 12616120 BLAKE2B 
6495ca7d0c9134bc8bd5f7b7541bb4f1160c74abb7a64bd4d2124104ea563f5381f0092da20ab45d81929a8632b1fcc1107ac05fdae011be446cff14ebf88c45
 SHA512 
4af720be95e6b5ca7d0664f99a389bf092b9f45d4e0602d9b49ef1d21b359d2307a94e0c88378fe0c751f5b40db54d7aab67eb497185a289cea9288cbfaa042c

diff --git a/app-containers/containers-common/containers-common-0.56.0.ebuild 
b/app-containers/containers-common/containers-common-0.56.0.ebuild
new file mode 100644
index 000000000000..f2bba24b1975
--- /dev/null
+++ b/app-containers/containers-common/containers-common-0.56.0.ebuild
@@ -0,0 +1,76 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DESCRIPTION="Common config files and docs for Containers eco-system"
+HOMEPAGE="https://github.com/containers/common";
+
+if [[ ${PV} == *9999* ]]; then
+       inherit git-r3
+       EGIT_REPO_URI="https://github.com/containers/common.git";
+else
+       SRC_URI="https://github.com/containers/common/archive/v${PV}.tar.gz -> 
${P}.tar.gz"
+       S="${WORKDIR}/${P#containers-}"
+       KEYWORDS="~amd64"
+fi
+
+LICENSE="Apache-2.0"
+SLOT="0"
+
+RDEPEND="
+       app-containers/containers-image
+       app-containers/containers-storage
+       app-containers/containers-shortnames
+       net-firewall/nftables
+       net-firewall/iptables[nftables]
+       || ( app-containers/crun app-containers/runc )
+       || (
+               ( >=app-containers/netavark-1.6.0 
>=app-containers/aardvark-dns-1.6.0 )
+               >=app-containers/cni-plugins-0.9.1
+       )
+"
+
+BDEPEND="
+       >=dev-go/go-md2man-2.0.2
+"
+
+src_prepare() {
+       default
+
+       [[ -f docs/Makefile ]] || die
+       sed -i -e 's|/usr/local|/usr|g;' docs/Makefile || die
+
+       eapply "${FILESDIR}/fix-warnings.patch"
+}
+
+src_configure() {
+       return
+}
+
+src_compile() {
+       emake docs
+}
+
+src_test() {
+       return
+}
+
+src_install() {
+       emake DESTDIR="${D}" install
+
+       insinto /etc/containers
+       # https://github.com/containers/skopeo/raw/main/default-policy.json
+       doins pkg/config/containers.conf "${FILESDIR}/policy.json"
+
+       insinto /etc/containers/registries.d
+       # https://github.com/containers/skopeo/raw/main/default.yaml
+       doins "${FILESDIR}/default.yaml"
+
+       insinto /usr/share/containers
+       # https://github.com/containers/common/raw/main/pkg/seccomp/seccomp.json
+       # 
https://github.com/containers/common/raw/main/pkg/subscriptions/mounts.conf
+       doins "${FILESDIR}/seccomp.json" "${FILESDIR}/mounts.conf"
+
+       keepdir /etc/containers/certs.d /etc/containers/oci/hooks.d 
/etc/containers/systemd /var/lib/containers/sigstore
+}
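Review bot: In src_install, `seccomp.json` and `mounts.conf` are installed from `${FILESDIR}` copies whose provenance comments point at the upstream `main` branch, so the seccomp profile shipped for 0.56.0 is an unpinned snapshot rather than the one in the checksummed release tarball. The URLs in those comments suggest both files also exist in the unpacked source at `pkg/seccomp/seccomp.json` and `pkg/subscriptions/mounts.conf`, the same tree `containers.conf` is already taken from. If so, `doins pkg/seccomp/seccomp.json pkg/subscriptions/mounts.conf` keeps the profile in step with the tagged version and drops a 1051-line copy from the tree. For `policy.json` and `default.yaml`, which come from the skopeo repository, the comment should record the tag or commit they were copied from so a later audit can diff them against upstream. The same applies to the identical src_install in containers-common-9999.ebuild.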

diff --git a/app-containers/containers-common/containers-common-9999.ebuild 
b/app-containers/containers-common/containers-common-9999.ebuild
new file mode 100644
index 000000000000..f2bba24b1975
--- /dev/null
+++ b/app-containers/containers-common/containers-common-9999.ebuild
@@ -0,0 +1,76 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DESCRIPTION="Common config files and docs for Containers eco-system"
+HOMEPAGE="https://github.com/containers/common";
+
+if [[ ${PV} == *9999* ]]; then
+       inherit git-r3
+       EGIT_REPO_URI="https://github.com/containers/common.git";
+else
+       SRC_URI="https://github.com/containers/common/archive/v${PV}.tar.gz -> 
${P}.tar.gz"
+       S="${WORKDIR}/${P#containers-}"
+       KEYWORDS="~amd64"
+fi
+
+LICENSE="Apache-2.0"
+SLOT="0"
+
+RDEPEND="
+       app-containers/containers-image
+       app-containers/containers-storage
+       app-containers/containers-shortnames
+       net-firewall/nftables
+       net-firewall/iptables[nftables]
+       || ( app-containers/crun app-containers/runc )
+       || (
+               ( >=app-containers/netavark-1.6.0 
>=app-containers/aardvark-dns-1.6.0 )
+               >=app-containers/cni-plugins-0.9.1
+       )
+"
+
+BDEPEND="
+       >=dev-go/go-md2man-2.0.2
+"
+
+src_prepare() {
+       default
+
+       [[ -f docs/Makefile ]] || die
+       sed -i -e 's|/usr/local|/usr|g;' docs/Makefile || die
+
+       eapply "${FILESDIR}/fix-warnings.patch"
+}
+
+src_configure() {
+       return
+}
+
+src_compile() {
+       emake docs
+}
+
+src_test() {
+       return
+}
+
+src_install() {
+       emake DESTDIR="${D}" install
+
+       insinto /etc/containers
+       # https://github.com/containers/skopeo/raw/main/default-policy.json
+       doins pkg/config/containers.conf "${FILESDIR}/policy.json"
+
+       insinto /etc/containers/registries.d
+       # https://github.com/containers/skopeo/raw/main/default.yaml
+       doins "${FILESDIR}/default.yaml"
+
+       insinto /usr/share/containers
+       # https://github.com/containers/common/raw/main/pkg/seccomp/seccomp.json
+       # 
https://github.com/containers/common/raw/main/pkg/subscriptions/mounts.conf
+       doins "${FILESDIR}/seccomp.json" "${FILESDIR}/mounts.conf"
+
+       keepdir /etc/containers/certs.d /etc/containers/oci/hooks.d 
/etc/containers/systemd /var/lib/containers/sigstore
+}
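Review bot: `eapply "${FILESDIR}/fix-warnings.patch"` in src_prepare runs against upstream HEAD in this live ebuild, and the patch depends on sixteen exact lines near the top of the Makefile, so the build dies in src_prepare as soon as upstream edits any of them. The prefix change does not need a patch, because a variable given on the make command line overrides `PREFIX := /usr/local`: `emake PREFIX="${EPREFIX}/usr" DESTDIR="${D}" install`. Whether removing the `go-build` macros is still required cannot be judged from this hunk; if it is, applying the patch only in the release branch of the existing `${PV}` check would keep the live build from breaking on upstream drift.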

diff --git a/app-containers/containers-common/files/default.yaml 
b/app-containers/containers-common/files/default.yaml
new file mode 100644
index 000000000000..a7f3d2823136
--- /dev/null
+++ b/app-containers/containers-common/files/default.yaml
@@ -0,0 +1,28 @@
+# This is a default registries.d configuration file.  You may
+# add to this file or create additional files in registries.d/.
+#
+# lookaside: for reading/writing simple signing signatures
+# lookaside-staging: for writing simple signing signatures, preferred over 
lookaside
+#
+# lookaside and lookaside-staging take a value of the following:
+#   lookaside:  {schema}://location
+#
+# For reading signatures, schema may be http, https, or file.
+# For writing signatures, schema may only be file.
+
+# The default locations are built-in, for both reading and writing:
+# /var/lib/containers/sigstore for root, or
+# ~/.local/share/containers/sigstore for non-root users.
+default-docker:
+#  lookaside: https://…
+#  lookaside-staging: file:///…
+
+# The 'docker' indicator here is the start of the configuration
+# for docker registries.
+#
+# docker:
+#
+#   privateregistry.com:
+#    lookaside: https://privateregistry.com/sigstore/
+#    lookaside-staging: /mnt/nfs/privateregistry/sigstore
+

diff --git a/app-containers/containers-common/files/fix-warnings.patch 
b/app-containers/containers-common/files/fix-warnings.patch
new file mode 100644
index 000000000000..7f9cfe4e196c
--- /dev/null
+++ b/app-containers/containers-common/files/fix-warnings.patch
@@ -0,0 +1,24 @@
+--- a/Makefile
++++ b/Makefile
+@@ -4,20 +4,5 @@
+ DESTDIR ?=
+-PREFIX := /usr/local
++PREFIX := /usr
+ CONFIGDIR := ${PREFIX}/share/containers
+
+-define go-build
+-      CGO_ENABLED=0 \
+-      GOOS=$(1) GOARCH=$(2) $(GO) build -tags "$(3)" ./...
+-endef
+-
+-ifeq ($(shell uname -s),Linux)
+-define go-build-c
+-      CGO_ENABLED=1 \
+-      GOOS=$(1) GOARCH=$(2) $(GO) build -tags "$(3)" ./...
+-endef
+-else
+-define go-build-c
+-endef
+-endif
+-
+ .PHONY:
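Review bot: The patch carries no description header, and its file name mentions only warnings although the first change it makes is `PREFIX := /usr`. A short comment block above `--- a/Makefile` should say which warning the removed `go-build` and `go-build-c` macros produced and that the install prefix is changed as well. Without it, a maintainer bumping the version cannot tell whether the patch is still needed or can be dropped.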

diff --git a/app-containers/containers-common/files/mounts.conf 
b/app-containers/containers-common/files/mounts.conf
new file mode 100644
index 000000000000..281e1d687f94
--- /dev/null
+++ b/app-containers/containers-common/files/mounts.conf
@@ -0,0 +1,3 @@
+# Refer to containers-mounts.conf(5)
+# Example:
+# /usr/share/rhel/secrets:/run/secrets

diff --git a/app-containers/containers-common/files/policy.json 
b/app-containers/containers-common/files/policy.json
new file mode 100644
index 000000000000..dffc54a62647
--- /dev/null
+++ b/app-containers/containers-common/files/policy.json
@@ -0,0 +1,14 @@
+{
+    "default": [
+        {
+            "type": "insecureAcceptAnything"
+        }
+    ],
+    "transports":
+        {
+            "docker-daemon":
+                {
+                    "": [{"type":"insecureAcceptAnything"}]
+                }
+        }
+}
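Review bot: Both the `default` entry and the `docker-daemon` transport use `insecureAcceptAnything`, so a system with this file performs no signature verification on images handled by the tools that read /etc/containers/policy.json. This follows the upstream default named in the ebuild comment, but JSON cannot carry a comment and nothing else tells the administrator. A `pkg_postinst` in the ebuild could surface it, e.g. `elog "The installed /etc/containers/policy.json accepts unsigned images; see containers-policy.json(5) to require signatures."`. Since the file is installed under /etc, a locally tightened policy should be preserved across upgrades by the default CONFIG_PROTECT handling.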

diff --git a/app-containers/containers-common/files/seccomp.json 
b/app-containers/containers-common/files/seccomp.json
new file mode 100644
index 000000000000..18674db4d62e
--- /dev/null
+++ b/app-containers/containers-common/files/seccomp.json
@@ -0,0 +1,1051 @@
+{
+       "defaultAction": "SCMP_ACT_ERRNO",
+       "defaultErrnoRet": 38,
+       "defaultErrno": "ENOSYS",
+       "archMap": [
+               {
+                       "architecture": "SCMP_ARCH_X86_64",
+                       "subArchitectures": [
+                               "SCMP_ARCH_X86",
+                               "SCMP_ARCH_X32"
+                       ]
+               },
+               {
+                       "architecture": "SCMP_ARCH_AARCH64",
+                       "subArchitectures": [
+                               "SCMP_ARCH_ARM"
+                       ]
+               },
+               {
+                       "architecture": "SCMP_ARCH_MIPS64",
+                       "subArchitectures": [
+                               "SCMP_ARCH_MIPS",
+                               "SCMP_ARCH_MIPS64N32"
+                       ]
+               },
+               {
+                       "architecture": "SCMP_ARCH_MIPS64N32",
+                       "subArchitectures": [
+                               "SCMP_ARCH_MIPS",
+                               "SCMP_ARCH_MIPS64"
+                       ]
+               },
+               {
+                       "architecture": "SCMP_ARCH_MIPSEL64",
+                       "subArchitectures": [
+                               "SCMP_ARCH_MIPSEL",
+                               "SCMP_ARCH_MIPSEL64N32"
+                       ]
+               },
+               {
+                       "architecture": "SCMP_ARCH_MIPSEL64N32",
+                       "subArchitectures": [
+                               "SCMP_ARCH_MIPSEL",
+                               "SCMP_ARCH_MIPSEL64"
+                       ]
+               },
+               {
+                       "architecture": "SCMP_ARCH_S390X",
+                       "subArchitectures": [
+                               "SCMP_ARCH_S390"
+                       ]
+               }
+       ],
+       "syscalls": [
+               {
+                       "names": [
+                               "bdflush",
+                               "io_pgetevents",
+                               "kexec_file_load",
+                               "kexec_load",
+                               "migrate_pages",
+                               "move_pages",
+                               "nfsservctl",
+                               "nice",
+                               "oldfstat",
+                               "oldlstat",
+                               "oldolduname",
+                               "oldstat",
+                               "olduname",
+                               "pciconfig_iobase",
+                               "pciconfig_read",
+                               "pciconfig_write",
+                               "sgetmask",
+                               "ssetmask",
+                               "swapcontext",
+                               "swapoff",
+                               "swapon",
+                               "sysfs",
+                               "uselib",
+                               "userfaultfd",
+                               "ustat",
+                               "vm86",
+                               "vm86old",
+                               "vmsplice"
+                       ],
+                       "action": "SCMP_ACT_ERRNO",
+                       "args": [],
+                       "comment": "",
+                       "includes": {},
+                       "excludes": {},
+                       "errnoRet": 1,
+                       "errno": "EPERM"
+               },
+               {
+                       "names": [
+                               "_llseek",
+                               "_newselect",
+                               "accept",
+                               "accept4",
+                               "access",
+                               "adjtimex",
+                               "alarm",
+                               "bind",
+                               "brk",
+                               "capget",
+                               "capset",
+                               "chdir",
+                               "chmod",
+                               "chown",
+                               "chown32",
+                               "clock_adjtime",
+                               "clock_adjtime64",
+                               "clock_getres",
+                               "clock_getres_time64",
+                               "clock_gettime",
+                               "clock_gettime64",
+                               "clock_nanosleep",
+                               "clock_nanosleep_time64",
+                               "clone",
+                               "clone3",
+                               "close",
+                               "close_range",
+                               "connect",
+                               "copy_file_range",
+                               "creat",
+                               "dup",
+                               "dup2",
+                               "dup3",
+                               "epoll_create",
+                               "epoll_create1",
+                               "epoll_ctl",
+                               "epoll_ctl_old",
+                               "epoll_pwait",
+                               "epoll_pwait2",
+                               "epoll_wait",
+                               "epoll_wait_old",
+                               "eventfd",
+                               "eventfd2",
+                               "execve",
+                               "execveat",
+                               "exit",
+                               "exit_group",
+                               "faccessat",
+                               "faccessat2",
+                               "fadvise64",
+                               "fadvise64_64",
+                               "fallocate",
+                               "fanotify_mark",
+                               "fchdir",
+                               "fchmod",
+                               "fchmodat",
+                               "fchown",
+                               "fchown32",
+                               "fchownat",
+                               "fcntl",
+                               "fcntl64",
+                               "fdatasync",
+                               "fgetxattr",
+                               "flistxattr",
+                               "flock",
+                               "fork",
+                               "fremovexattr",
+                               "fsconfig",
+                               "fsetxattr",
+                               "fsmount",
+                               "fsopen",
+                               "fspick",
+                               "fstat",
+                               "fstat64",
+                               "fstatat64",
+                               "fstatfs",
+                               "fstatfs64",
+                               "fsync",
+                               "ftruncate",
+                               "ftruncate64",
+                               "futex",
+                               "futex_time64",
+                               "futimesat",
+                               "get_mempolicy",
+                               "get_robust_list",
+                               "get_thread_area",
+                               "getcpu",
+                               "getcwd",
+                               "getdents",
+                               "getdents64",
+                               "getegid",
+                               "getegid32",
+                               "geteuid",
+                               "geteuid32",
+                               "getgid",
+                               "getgid32",
+                               "getgroups",
+                               "getgroups32",
+                               "getitimer",
+                               "getpeername",
+                               "getpgid",
+                               "getpgrp",
+                               "getpid",
+                               "getppid",
+                               "getpriority",
+                               "getrandom",
+                               "getresgid",
+                               "getresgid32",
+                               "getresuid",
+                               "getresuid32",
+                               "getrlimit",
+                               "getrusage",
+                               "getsid",
+                               "getsockname",
+                               "getsockopt",
+                               "gettid",
+                               "gettimeofday",
+                               "getuid",
+                               "getuid32",
+                               "getxattr",
+                               "inotify_add_watch",
+                               "inotify_init",
+                               "inotify_init1",
+                               "inotify_rm_watch",
+                               "io_cancel",
+                               "io_destroy",
+                               "io_getevents",
+                               "io_setup",
+                               "io_submit",
+                               "ioctl",
+                               "ioprio_get",
+                               "ioprio_set",
+                               "ipc",
+                               "keyctl",
+                               "kill",
+                               "landlock_add_rule",
+                               "landlock_create_ruleset",
+                               "landlock_restrict_self",
+                               "lchown",
+                               "lchown32",
+                               "lgetxattr",
+                               "link",
+                               "linkat",
+                               "listen",
+                               "listxattr",
+                               "llistxattr",
+                               "lremovexattr",
+                               "lseek",
+                               "lsetxattr",
+                               "lstat",
+                               "lstat64",
+                               "madvise",
+                               "mbind",
+                               "membarrier",
+                               "memfd_create",
+                               "memfd_secret",
+                               "mincore",
+                               "mkdir",
+                               "mkdirat",
+                               "mknod",
+                               "mknodat",
+                               "mlock",
+                               "mlock2",
+                               "mlockall",
+                               "mmap",
+                               "mmap2",
+                               "mount",
+                               "mount_setattr",
+                               "move_mount",
+                               "mprotect",
+                               "mq_getsetattr",
+                               "mq_notify",
+                               "mq_open",
+                               "mq_timedreceive",
+                               "mq_timedreceive_time64",
+                               "mq_timedsend",
+                               "mq_timedsend_time64",
+                               "mq_unlink",
+                               "mremap",
+                               "msgctl",
+                               "msgget",
+                               "msgrcv",
+                               "msgsnd",
+                               "msync",
+                               "munlock",
+                               "munlockall",
+                               "munmap",
+                               "name_to_handle_at",
+                               "nanosleep",
+                               "newfstatat",
+                               "open",
+                               "open_tree",
+                               "openat",
+                               "openat2",
+                               "pause",
+                               "pidfd_getfd",
+                               "pidfd_open",
+                               "pidfd_send_signal",
+                               "pipe",
+                               "pipe2",
+                               "pivot_root",
+                               "pkey_alloc",
+                               "pkey_free",
+                               "pkey_mprotect",
+                               "poll",
+                               "ppoll",
+                               "ppoll_time64",
+                               "prctl",
+                               "pread64",
+                               "preadv",
+                               "preadv2",
+                               "prlimit64",
+                               "process_mrelease",
+                               "process_vm_readv",
+                               "process_vm_writev",
+                               "pselect6",
+                               "pselect6_time64",
+                               "ptrace",
+                               "pwrite64",
+                               "pwritev",
+                               "pwritev2",
+                               "read",
+                               "readahead",
+                               "readdir",
+                               "readlink",
+                               "readlinkat",
+                               "readv",
+                               "reboot",
+                               "recv",
+                               "recvfrom",
+                               "recvmmsg",
+                               "recvmmsg_time64",
+                               "recvmsg",
+                               "remap_file_pages",
+                               "removexattr",
+                               "rename",
+                               "renameat",
+                               "renameat2",
+                               "restart_syscall",
+                               "rmdir",
+                               "rseq",
+                               "rt_sigaction",
+                               "rt_sigpending",
+                               "rt_sigprocmask",
+                               "rt_sigqueueinfo",
+                               "rt_sigreturn",
+                               "rt_sigsuspend",
+                               "rt_sigtimedwait",
+                               "rt_sigtimedwait_time64",
+                               "rt_tgsigqueueinfo",
+                               "sched_get_priority_max",
+                               "sched_get_priority_min",
+                               "sched_getaffinity",
+                               "sched_getattr",
+                               "sched_getparam",
+                               "sched_getscheduler",
+                               "sched_rr_get_interval",
+                               "sched_rr_get_interval_time64",
+                               "sched_setaffinity",
+                               "sched_setattr",
+                               "sched_setparam",
+                               "sched_setscheduler",
+                               "sched_yield",
+                               "seccomp",
+                               "select",
+                               "semctl",
+                               "semget",
+                               "semop",
+                               "semtimedop",
+                               "semtimedop_time64",
+                               "send",
+                               "sendfile",
+                               "sendfile64",
+                               "sendmmsg",
+                               "sendmsg",
+                               "sendto",
+                               "set_mempolicy",
+                               "set_robust_list",
+                               "set_thread_area",
+                               "set_tid_address",
+                               "setfsgid",
+                               "setfsgid32",
+                               "setfsuid",
+                               "setfsuid32",
+                               "setgid",
+                               "setgid32",
+                               "setgroups",
+                               "setgroups32",
+                               "setitimer",
+                               "setns",
+                               "setpgid",
+                               "setpriority",
+                               "setregid",
+                               "setregid32",
+                               "setresgid",
+                               "setresgid32",
+                               "setresuid",
+                               "setresuid32",
+                               "setreuid",
+                               "setreuid32",
+                               "setrlimit",
+                               "setsid",
+                               "setsockopt",
+                               "setuid",
+                               "setuid32",
+                               "setxattr",
+                               "shmat",
+                               "shmctl",
+                               "shmdt",
+                               "shmget",
+                               "shutdown",
+                               "sigaction",
+                               "sigaltstack",
+                               "signal",
+                               "signalfd",
+                               "signalfd4",
+                               "sigpending",
+                               "sigprocmask",
+                               "sigreturn",
+                               "sigsuspend",
+                               "socketcall",
+                               "socketpair",
+                               "splice",
+                               "stat",
+                               "stat64",
+                               "statfs",
+                               "statfs64",
+                               "statx",
+                               "symlink",
+                               "symlinkat",
+                               "sync",
+                               "sync_file_range",
+                               "syncfs",
+                               "syscall",
+                               "sysinfo",
+                               "syslog",
+                               "tee",
+                               "tgkill",
+                               "time",
+                               "timer_create",
+                               "timer_delete",
+                               "timer_getoverrun",
+                               "timer_gettime",
+                               "timer_gettime64",
+                               "timer_settime",
+                               "timer_settime64",
+                               "timerfd",
+                               "timerfd_create",
+                               "timerfd_gettime",
+                               "timerfd_gettime64",
+                               "timerfd_settime",
+                               "timerfd_settime64",
+                               "times",
+                               "tkill",
+                               "truncate",
+                               "truncate64",
+                               "ugetrlimit",
+                               "umask",
+                               "umount",
+                               "umount2",
+                               "uname",
+                               "unlink",
+                               "unlinkat",
+                               "unshare",
+                               "utime",
+                               "utimensat",
+                               "utimensat_time64",
+                               "utimes",
+                               "vfork",
+                               "wait4",
+                               "waitid",
+                               "waitpid",
+                               "write",
+                               "writev"
+                       ],
+                       "action": "SCMP_ACT_ALLOW",
+                       "args": [],
+                       "comment": "",
+                       "includes": {},
+                       "excludes": {}
+               },
+               {
+                       "names": [
+                               "personality"
+                       ],
+                       "action": "SCMP_ACT_ALLOW",
+                       "args": [
+                               {
+                                       "index": 0,
+                                       "value": 0,
+                                       "valueTwo": 0,
+                                       "op": "SCMP_CMP_EQ"
+                               }
+                       ],
+                       "comment": "",
+                       "includes": {},
+                       "excludes": {}
+               },
+               {
+                       "names": [
+                               "personality"
+                       ],
+                       "action": "SCMP_ACT_ALLOW",
+                       "args": [
+                               {
+                                       "index": 0,
+                                       "value": 8,
+                                       "valueTwo": 0,
+                                       "op": "SCMP_CMP_EQ"
+                               }
+                       ],
+                       "comment": "",
+                       "includes": {},
+                       "excludes": {}
+               },
+               {
+                       "names": [
+                               "personality"
+                       ],
+                       "action": "SCMP_ACT_ALLOW",
+                       "args": [
+                               {
+                                       "index": 0,
+                                       "value": 131072,
+                                       "valueTwo": 0,
+                                       "op": "SCMP_CMP_EQ"
+                               }
+                       ],
+                       "comment": "",
+                       "includes": {},
+                       "excludes": {}
+               },
+               {
+                       "names": [
+                               "personality"
+                       ],
+                       "action": "SCMP_ACT_ALLOW",
+                       "args": [
+                               {
+                                       "index": 0,
+                                       "value": 131080,
+                                       "valueTwo": 0,
+                                       "op": "SCMP_CMP_EQ"
+                               }
+                       ],
+                       "comment": "",
+                       "includes": {},
+                       "excludes": {}
+               },
+               {
+                       "names": [
+                               "personality"
+                       ],
+                       "action": "SCMP_ACT_ALLOW",
+                       "args": [
+                               {
+                                       "index": 0,
+                                       "value": 4294967295,
+                                       "valueTwo": 0,
+                                       "op": "SCMP_CMP_EQ"
+                               }
+                       ],
+                       "comment": "",
+                       "includes": {},
+                       "excludes": {}
+               },
+               {
+                       "names": [
+                               "sync_file_range2"
+                       ],
+                       "action": "SCMP_ACT_ALLOW",
+                       "args": [],
+                       "comment": "",
+                       "includes": {
+                               "arches": [
+                                       "ppc64le"
+                               ]
+                       },
+                       "excludes": {}
+               },
+               {
+                       "names": [
+                               "arm_fadvise64_64",
+                               "arm_sync_file_range",
+                               "breakpoint",
+                               "cacheflush",
+                               "set_tls",
+                               "sync_file_range2"
+                       ],
+                       "action": "SCMP_ACT_ALLOW",
+                       "args": [],
+                       "comment": "",
+                       "includes": {
+                               "arches": [
+                                       "arm",
+                                       "arm64"
+                               ]
+                       },
+                       "excludes": {}
+               },
+               {
+                       "names": [
+                               "arch_prctl"
+                       ],
+                       "action": "SCMP_ACT_ALLOW",
+                       "args": [],
+                       "comment": "",
+                       "includes": {
+                               "arches": [
+                                       "amd64",
+                                       "x32"
+                               ]
+                       },
+                       "excludes": {}
+               },
+               {
+                       "names": [
+                               "modify_ldt"
+                       ],
+                       "action": "SCMP_ACT_ALLOW",
+                       "args": [],
+                       "comment": "",
+                       "includes": {
+                               "arches": [
+                                       "amd64",
+                                       "x32",
+                                       "x86"
+                               ]
+                       },
+                       "excludes": {}
+               },
+               {
+                       "names": [
+                               "s390_pci_mmio_read",
+                               "s390_pci_mmio_write",
+                               "s390_runtime_instr"
+                       ],
+                       "action": "SCMP_ACT_ALLOW",
+                       "args": [],
+                       "comment": "",
+                       "includes": {
+                               "arches": [
+                                       "s390",
+                                       "s390x"
+                               ]
+                       },
+                       "excludes": {}
+               },
+               {
+                       "names": [
+                               "open_by_handle_at"
+                       ],
+                       "action": "SCMP_ACT_ALLOW",
+                       "args": [],
+                       "comment": "",
+                       "includes": {
+                               "caps": [
+                                       "CAP_DAC_READ_SEARCH"
+                               ]
+                       },
+                       "excludes": {}
+               },
+               {
+                       "names": [
+                               "open_by_handle_at"
+                       ],
+                       "action": "SCMP_ACT_ERRNO",
+                       "args": [],
+                       "comment": "",
+                       "includes": {},
+                       "excludes": {
+                               "caps": [
+                                       "CAP_DAC_READ_SEARCH"
+                               ]
+                       },
+                       "errnoRet": 1,
+                       "errno": "EPERM"
+               },
+               {
+                       "names": [
+                               "bpf",
+                               "fanotify_init",
+                               "lookup_dcookie",
+                               "perf_event_open",
+                               "quotactl",
+                               "setdomainname",
+                               "sethostname",
+                               "setns"
+                       ],
+                       "action": "SCMP_ACT_ALLOW",
+                       "args": [],
+                       "comment": "",
+                       "includes": {
+                               "caps": [
+                                       "CAP_SYS_ADMIN"
+                               ]
+                       },
+                       "excludes": {}
+               },
+               {
+                       "names": [
+                               "bpf",
+                               "fanotify_init",
+                               "lookup_dcookie",
+                               "perf_event_open",
+                               "quotactl",
+                               "setdomainname",
+                               "sethostname",
+                               "setns"
+                       ],
+                       "action": "SCMP_ACT_ERRNO",
+                       "args": [],
+                       "comment": "",
+                       "includes": {},
+                       "excludes": {
+                               "caps": [
+                                       "CAP_SYS_ADMIN"
+                               ]
+                       },
+                       "errnoRet": 1,
+                       "errno": "EPERM"
+               },
+               {
+                       "names": [
+                               "chroot"
+                       ],
+                       "action": "SCMP_ACT_ALLOW",
+                       "args": [],
+                       "comment": "",
+                       "includes": {
+                               "caps": [
+                                       "CAP_SYS_CHROOT"
+                               ]
+                       },
+                       "excludes": {}
+               },
+               {
+                       "names": [
+                               "chroot"
+                       ],
+                       "action": "SCMP_ACT_ERRNO",
+                       "args": [],
+                       "comment": "",
+                       "includes": {},
+                       "excludes": {
+                               "caps": [
+                                       "CAP_SYS_CHROOT"
+                               ]
+                       },
+                       "errnoRet": 1,
+                       "errno": "EPERM"
+               },
+               {
+                       "names": [
+                               "delete_module",
+                               "finit_module",
+                               "init_module",
+                               "query_module"
+                       ],
+                       "action": "SCMP_ACT_ALLOW",
+                       "args": [],
+                       "comment": "",
+                       "includes": {
+                               "caps": [
+                                       "CAP_SYS_MODULE"
+                               ]
+                       },
+                       "excludes": {}
+               },
+               {
+                       "names": [
+                               "delete_module",
+                               "finit_module",
+                               "init_module",
+                               "query_module"
+                       ],
+                       "action": "SCMP_ACT_ERRNO",
+                       "args": [],
+                       "comment": "",
+                       "includes": {},
+                       "excludes": {
+                               "caps": [
+                                       "CAP_SYS_MODULE"
+                               ]
+                       },
+                       "errnoRet": 1,
+                       "errno": "EPERM"
+               },
+               {
+                       "names": [
+                               "acct"
+                       ],
+                       "action": "SCMP_ACT_ALLOW",
+                       "args": [],
+                       "comment": "",
+                       "includes": {
+                               "caps": [
+                                       "CAP_SYS_PACCT"
+                               ]
+                       },
+                       "excludes": {}
+               },
+               {
+                       "names": [
+                               "acct"
+                       ],
+                       "action": "SCMP_ACT_ERRNO",
+                       "args": [],
+                       "comment": "",
+                       "includes": {},
+                       "excludes": {
+                               "caps": [
+                                       "CAP_SYS_PACCT"
+                               ]
+                       },
+                       "errnoRet": 1,
+                       "errno": "EPERM"
+               },
+               {
+                       "names": [
+                               "kcmp",
+                               "process_madvise"
+                       ],
+                       "action": "SCMP_ACT_ALLOW",
+                       "args": [],
+                       "comment": "",
+                       "includes": {
+                               "caps": [
+                                       "CAP_SYS_PTRACE"
+                               ]
+                       },
+                       "excludes": {}
+               },
+               {
+                       "names": [
+                               "kcmp",
+                               "process_madvise"
+                       ],
+                       "action": "SCMP_ACT_ERRNO",
+                       "args": [],
+                       "comment": "",
+                       "includes": {},
+                       "excludes": {
+                               "caps": [
+                                       "CAP_SYS_PTRACE"
+                               ]
+                       },
+                       "errnoRet": 1,
+                       "errno": "EPERM"
+               },
+               {
+                       "names": [
+                               "ioperm",
+                               "iopl"
+                       ],
+                       "action": "SCMP_ACT_ALLOW",
+                       "args": [],
+                       "comment": "",
+                       "includes": {
+                               "caps": [
+                                       "CAP_SYS_RAWIO"
+                               ]
+                       },
+                       "excludes": {}
+               },
+               {
+                       "names": [
+                               "ioperm",
+                               "iopl"
+                       ],
+                       "action": "SCMP_ACT_ERRNO",
+                       "args": [],
+                       "comment": "",
+                       "includes": {},
+                       "excludes": {
+                               "caps": [
+                                       "CAP_SYS_RAWIO"
+                               ]
+                       },
+                       "errnoRet": 1,
+                       "errno": "EPERM"
+               },
+               {
+                       "names": [
+                               "clock_settime",
+                               "clock_settime64",
+                               "settimeofday",
+                               "stime"
+                       ],
+                       "action": "SCMP_ACT_ALLOW",
+                       "args": [],
+                       "comment": "",
+                       "includes": {
+                               "caps": [
+                                       "CAP_SYS_TIME"
+                               ]
+                       },
+                       "excludes": {}
+               },
+               {
+                       "names": [
+                               "clock_settime",
+                               "clock_settime64",
+                               "settimeofday",
+                               "stime"
+                       ],
+                       "action": "SCMP_ACT_ERRNO",
+                       "args": [],
+                       "comment": "",
+                       "includes": {},
+                       "excludes": {
+                               "caps": [
+                                       "CAP_SYS_TIME"
+                               ]
+                       },
+                       "errnoRet": 1,
+                       "errno": "EPERM"
+               },
+               {
+                       "names": [
+                               "vhangup"
+                       ],
+                       "action": "SCMP_ACT_ALLOW",
+                       "args": [],
+                       "comment": "",
+                       "includes": {
+                               "caps": [
+                                       "CAP_SYS_TTY_CONFIG"
+                               ]
+                       },
+                       "excludes": {}
+               },
+               {
+                       "names": [
+                               "vhangup"
+                       ],
+                       "action": "SCMP_ACT_ERRNO",
+                       "args": [],
+                       "comment": "",
+                       "includes": {},
+                       "excludes": {
+                               "caps": [
+                                       "CAP_SYS_TTY_CONFIG"
+                               ]
+                       },
+                       "errnoRet": 1,
+                       "errno": "EPERM"
+               },
+               {
+                       "names": [
+                               "socket"
+                       ],
+                       "action": "SCMP_ACT_ERRNO",
+                       "args": [
+                               {
+                                       "index": 0,
+                                       "value": 16,
+                                       "valueTwo": 0,
+                                       "op": "SCMP_CMP_EQ"
+                               },
+                               {
+                                       "index": 2,
+                                       "value": 9,
+                                       "valueTwo": 0,
+                                       "op": "SCMP_CMP_EQ"
+                               }
+                       ],
+                       "comment": "",
+                       "includes": {},
+                       "excludes": {
+                               "caps": [
+                                       "CAP_AUDIT_WRITE"
+                               ]
+                       },
+                       "errnoRet": 22,
+                       "errno": "EINVAL"
+               },
+               {
+                       "names": [
+                               "socket"
+                       ],
+                       "action": "SCMP_ACT_ALLOW",
+                       "args": [
+                               {
+                                       "index": 2,
+                                       "value": 9,
+                                       "valueTwo": 0,
+                                       "op": "SCMP_CMP_NE"
+                               }
+                       ],
+                       "comment": "",
+                       "includes": {},
+                       "excludes": {
+                               "caps": [
+                                       "CAP_AUDIT_WRITE"
+                               ]
+                       }
+               },
+               {
+                       "names": [
+                               "socket"
+                       ],
+                       "action": "SCMP_ACT_ALLOW",
+                       "args": [
+                               {
+                                       "index": 0,
+                                       "value": 16,
+                                       "valueTwo": 0,
+                                       "op": "SCMP_CMP_NE"
+                               }
+                       ],
+                       "comment": "",
+                       "includes": {},
+                       "excludes": {
+                               "caps": [
+                                       "CAP_AUDIT_WRITE"
+                               ]
+                       }
+               },
+               {
+                       "names": [
+                               "socket"
+                       ],
+                       "action": "SCMP_ACT_ALLOW",
+                       "args": [
+                               {
+                                       "index": 2,
+                                       "value": 9,
+                                       "valueTwo": 0,
+                                       "op": "SCMP_CMP_NE"
+                               }
+                       ],
+                       "comment": "",
+                       "includes": {},
+                       "excludes": {
+                               "caps": [
+                                       "CAP_AUDIT_WRITE"
+                               ]
+                       }
+               },
+               {
+                       "names": [
+                               "socket"
+                       ],
+                       "action": "SCMP_ACT_ALLOW",
+                       "args": null,
+                       "comment": "",
+                       "includes": {
+                               "caps": [
+                                       "CAP_AUDIT_WRITE"
+                               ]
+                       },
+                       "excludes": {}
+               }
+       ]
+}
\ No newline at end of file

diff --git a/app-containers/containers-common/metadata.xml 
b/app-containers/containers-common/metadata.xml
new file mode 100644
index 000000000000..f933e2eba60b
--- /dev/null
+++ b/app-containers/containers-common/metadata.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd";>
+<pkgmetadata>
+  <maintainer type="project" proxied="proxy">
+    <email>proxy-ma...@gentoo.org</email>
+    <name>Proxy Maintainers</name>
+  </maintainer>
+  <maintainer type="person" proxied="yes">
+    <email>rahil3...@gmail.com</email>
+    <name>Rahil Bhimjiani</name>
+  </maintainer>
+  <upstream>
+    <remote-id type="github">containers/common</remote-id>
+    <bugs-to>https://github.com/containers/common/issues</bugs-to>
+    <doc>https://github.com/containers/common/blob/main/README.md</doc>
+  </upstream>
+</pkgmetadata>
