From: "Zac Medico" <zmedico@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: app-containers/podman/
Date: Wed, 27 Mar 2024 03:02:09 +0000 (UTC) [thread overview]
Message-ID: <1711508521.9569a2ffc816bb40837a3f0e0a872cf57f20bf3f.zmedico@gentoo> (raw)
commit: 9569a2ffc816bb40837a3f0e0a872cf57f20bf3f
Author: Rahil Bhimjiani <me <AT> rahil <DOT> rocks>
AuthorDate: Tue Mar 26 08:13:57 2024 +0000
Commit: Zac Medico <zmedico <AT> gentoo <DOT> org>
CommitDate: Wed Mar 27 03:02:01 2024 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9569a2ff
app-containers/podman: 4.9.4 fixes CVE-2024-1753 and CVE-2024-24786
also backported some niceties from 5.x ebuild
* fix failed build with python-exec[-native-symlinks]
* improvements in init.d/podman, add podman-restart and
podman-clean-transient scripts, add podman-auto-update cronjob
Bug: https://bugs.gentoo.org/927500
Bug: https://bugs.gentoo.org/927501
Signed-off-by: Rahil Bhimjiani <me <AT> rahil.rocks>
From: https://github.com/gentoo/gentoo/pull/35929
Signed-off-by: Zac Medico <zmedico <AT> gentoo.org>
app-containers/podman/Manifest | 1 +
app-containers/podman/podman-4.9.4.ebuild | 156 ++++++++++++++++++++++++++++++
2 files changed, 157 insertions(+)
diff --git a/app-containers/podman/Manifest b/app-containers/podman/Manifest
index 1f1960306d0d..2e96132cac7e 100644
--- a/app-containers/podman/Manifest
+++ b/app-containers/podman/Manifest
@@ -1,2 +1,3 @@
DIST podman-4.9.3.tar.gz 21727849 BLAKE2B 9a67ba4266a8a0e20d165ba2bae00dcf146724ee976838d5e3310b094155ffa89bff526e8ae72864dc100d1e6878d5519d53581dc7e034982a4f2b364e4c8feb SHA512 395014bbe70923f1444d2f33440013a16e9c339b70be5e6a9c7026617a40795a1c0e410c08a52fba46b9f5e853d853ce4133db36167a3c5ace7d325f8b3a3327
+DIST podman-4.9.4.tar.gz 21733620 BLAKE2B 17d099c0a13fbbb77556742313c39995127fc97b4086ef3c2d74a92cc0a4f825a6c729dd099c6d4f4cd3d2ebfd470494babdeaa85a5653b327ea1a16fb5ea993 SHA512 7b52555789a1c214fcf26b0826bdda6cf0ccca588f87c0f15ac5e8358ddac625e17cafbe6a43de07cad964e1418b5ee0d2e38a5cb5dc6f6d4e638399749a7f7b
DIST podman-5.0.0.tar.gz 21861935 BLAKE2B 1ec7006f272f5da7f93929bc543cd8988d6f9596cb868e9561578ebef85d51cbd6baa4b66571872fc9748c639ca636ce27f6d90303707f04caa321c7b71db81a SHA512 8800d96d668cbc7a7ff85a09c71b3307a280c124513fd02fe478f415cf8db43ee47dc7e9c3b75046c6bda9f916937a2cc59887c2c4b26766c2f770abb87fd7ce
diff --git a/app-containers/podman/podman-4.9.4.ebuild b/app-containers/podman/podman-4.9.4.ebuild
new file mode 100644
index 000000000000..4505efe8f91d
--- /dev/null
+++ b/app-containers/podman/podman-4.9.4.ebuild
@@ -0,0 +1,156 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{11,12} )
+
+inherit go-module python-any-r1 tmpfiles linux-info
+
+DESCRIPTION="A tool for managing OCI containers and pods with Docker-compatible CLI"
+HOMEPAGE="https://github.com/containers/podman/ https://podman.io/"
+
+if [[ ${PV} == 9999* ]]; then
+ inherit git-r3
+ EGIT_REPO_URI="https://github.com/containers/podman.git"
+else
+ SRC_URI="https://github.com/containers/podman/archive/v${PV/_rc/-rc}.tar.gz -> ${P}.tar.gz"
+ S="${WORKDIR}/${P/_rc/-rc}"
+ if [[ ${PV} != *rc* ]] ; then
+ KEYWORDS="~amd64 ~arm64 ~riscv"
+ fi
+fi
+
+# main pkg
+LICENSE="Apache-2.0"
+# deps
+LICENSE+=" BSD BSD-2 CC-BY-SA-4.0 ISC MIT MPL-2.0"
+SLOT="0"
+IUSE="apparmor btrfs cgroup-hybrid wrapper +fuse +init +rootless +seccomp selinux systemd"
+RESTRICT="test"
+
+RDEPEND="
+ app-crypt/gpgme:=
+ >=app-containers/conmon-2.0.0
+ >=app-containers/containers-common-0.56.0
+ dev-libs/libassuan:=
+ dev-libs/libgpg-error:=
+ sys-apps/shadow:=
+
+ apparmor? ( sys-libs/libapparmor )
+ btrfs? ( sys-fs/btrfs-progs )
+ cgroup-hybrid? ( >=app-containers/runc-1.0.0_rc6 )
+ !cgroup-hybrid? ( app-containers/crun )
+ wrapper? ( !app-containers/docker-cli )
+ fuse? ( sys-fs/fuse-overlayfs )
+ init? ( app-containers/catatonit )
+ rootless? ( app-containers/slirp4netns )
+ seccomp? ( sys-libs/libseccomp:= )
+ selinux? ( sec-policy/selinux-podman sys-libs/libselinux:= )
+ systemd? ( sys-apps/systemd:= )
+"
+DEPEND="${RDEPEND}"
+BDEPEND="
+ ${PYTHON_DEPS}
+ dev-go/go-md2man
+"
+
+PATCHES=(
+ "${FILESDIR}/seccomp-toggle-4.7.0.patch"
+)
+
+CONFIG_CHECK="
+ ~USER_NS
+"
+
+pkg_setup() {
+ use btrfs && CONFIG_CHECK+=" ~BTRFS_FS"
+ linux-info_pkg_setup
+ python-any-r1_pkg_setup
+}
+
+src_prepare() {
+ default
+
+ # assure necessary files are present
+ local file
+ for file in apparmor_tag btrfs_installed_tag btrfs_tag systemd_tag; do
+ [[ -f hack/"${file}".sh ]] || die
+ done
+
+ local feature
+ for feature in apparmor systemd; do
+ cat <<-EOF > hack/"${feature}"_tag.sh || die
+ #!/usr/bin/env bash
+ $(usex ${feature} "echo ${feature}" echo)
+ EOF
+ done
+
+ echo -e "#!/usr/bin/env bash\n echo" > hack/btrfs_installed_tag.sh || die
+ cat <<-EOF > hack/btrfs_tag.sh || die
+ #!/usr/bin/env bash
+ $(usex btrfs echo 'echo exclude_graphdriver_btrfs btrfs_noversion')
+ EOF
+}
+
+src_compile() {
+ export PREFIX="${EPREFIX}/usr"
+
+ # bug 906073
+ use elibc_musl && export CGO_CFLAGS="-D_LARGEFILE64_SOURCE"
+
+ # For non-live versions, prevent git operations which causes sandbox violations
+ # https://github.com/gentoo/gentoo/pull/33531#issuecomment-1786107493
+ [[ ${PV} != 9999* ]] && export COMMIT_NO="" GIT_COMMIT="" EPOCH_TEST_COMMIT=""
+
+ # BUILD_SECCOMP is used in the patch to toggle seccomp
+ emake BUILDFLAGS="-v -work -x" GOMD2MAN="go-md2man" BUILD_SECCOMP="$(usex seccomp)" all $(usev wrapper docker-docs)
+}
+
+src_install() {
+ emake DESTDIR="${D}" install install.completions $(usev wrapper install.docker-full)
+
+ insinto /etc/cni/net.d
+ doins cni/87-podman-bridge.conflist
+
+ if use !systemd; then
+ newconfd "${FILESDIR}"/podman-5.0.0_rc4.confd podman
+ newinitd "${FILESDIR}"/podman-5.0.0_rc4.initd podman
+
+ newinitd "${FILESDIR}"/podman-restart-5.0.0_rc4.initd podman-restart
+ newconfd "${FILESDIR}"/podman-restart-5.0.0_rc4.confd podman-restart
+
+ newinitd "${FILESDIR}"/podman-clean-transient-5.0.0_rc6.initd podman-clean-transient
+ newconfd "${FILESDIR}"/podman-clean-transient-5.0.0_rc6.confd podman-clean-transient
+
+ exeinto /etc/cron.daily
+ newexe "${FILESDIR}"/podman-auto-update-5.0.0.cron podman-auto-update
+
+ insinto /etc/logrotate.d
+ newins "${FILESDIR}/podman.logrotated" podman
+ fi
+
+ keepdir /var/lib/containers
+}
+
+pkg_preinst() {
+ PODMAN_ROOTLESS_UPGRADE=false
+ if use rootless; then
+ has_version 'app-containers/podman[rootless]' || PODMAN_ROOTLESS_UPGRADE=true
+ fi
+}
+
+pkg_postinst() {
+ tmpfiles_process podman.conf $(usev wrapper podman-docker.conf)
+
+ local want_newline=false
+ if [[ ${PODMAN_ROOTLESS_UPGRADE} == true ]] ; then
+ ${want_newline} && elog ""
+ elog "For rootless operation, you need to configure subuid/subgid"
+ elog "for user running podman. In case subuid/subgid has only been"
+ elog "configured for root, run:"
+ elog "usermod --add-subuids 1065536-1131071 <user>"
+ elog "usermod --add-subgids 1065536-1131071 <user>"
+ want_newline=true
+ fi
+}
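Review bot: The usermod hint in pkg_postinst can lead to overlapping subordinate ID ranges, because it prints one fixed range (`1065536-1131071`) next to a `<user>` placeholder. An admin who runs it for more than one account, or on a host where /etc/subuid already has an allocation reaching that range, gets rootless containers of different users mapped onto the same host UIDs/GIDs. I would add a line such as `elog "Choose a range that does not overlap any existing entry in /etc/subuid and /etc/subgid."` ahead of the two usermod lines. Separately, the `!systemd` branch of src_install places `podman-auto-update` in /etc/cron.daily unconditionally. The script body is not part of this hunk, but if it runs `podman auto-update` as root it presumably pulls images and restarts labelled containers unattended, which deserves an elog mention or a conf.d switch.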