From 5ad90ec5cf2db37d6e2951c9471adb3f79ed2d6e Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 8 Nov 2022 01:31:55 -0500
Subject: [PATCH] import crun-0.18-3.module+el8.7.0+16212+65e1b35f
---
 .crun.metadata | 1 +
 .gitignore | 1 +
 ...t-tests-build-init-always-statically.patch | 43 ++++++++
 ...-do-not-set-inheritable-capabilities.patch | 30 ++++++
 ...-do-not-set-inheritable-capabilities.patch | 31 ++++++
 SPECS/crun.spec | 101 ++++++++++++++++++
 6 files changed, 207 insertions(+)
 create mode 100644 .crun.metadata
 create mode 100644 .gitignore
 create mode 100644 SOURCES/0001-revert-tests-build-init-always-statically.patch
 create mode 100644 SOURCES/0001-spec-do-not-set-inheritable-capabilities.patch
 create mode 100644 SOURCES/0002-exec-cap-do-not-set-inheritable-capabilities.patch
 create mode 100644 SPECS/crun.spec
diff --git a/.crun.metadata b/.crun.metadata
new file mode 100644
index 0000000..8265173
--- /dev/null
+++ b/.crun.metadata
@@ -0,0 +1 @@
+c79a414d0b980611ba929a7526b7b4c30c2b3b1d SOURCES/crun-0.18.tar.gz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..8a10d4c
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/crun-0.18.tar.gz
diff --git a/SOURCES/0001-revert-tests-build-init-always-statically.patch b/SOURCES/0001-revert-tests-build-init-always-statically.patch
new file mode 100644
index 0000000..6000c58
--- /dev/null
+++ b/SOURCES/0001-revert-tests-build-init-always-statically.patch
@@ -0,0 +1,43 @@
+From 320a7ec41342c95fd6bdc500cd207eb0ea5cda6a Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano
+Date: Fri, 19 Feb 2021 13:25:37 +0100
+Subject: [PATCH] Revert "tests: build init always statically"
+
+This reverts commit a0f322a49a10a014a447b505eda5923a8e6aff7c as it
+causes issues on RHEL 8.
+
+Signed-off-by: Giuseppe Scrivano
+---
+ Makefile.am | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index e39dc3b..2b8e18b 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -14,7 +14,7 @@ srpm: dist-gzip rpm/crun.spec
+ $(MAKE) -C $(WD) dist-gzip
+ rpmbuild -bs --define "_sourcedir $(WD)" --define "_specdir $(WD)" --define "_builddir $(WD)" --define "_srcrpmdir $(WD)" --define "_rpmdir $(WD)" --define "_buildrootdir $(WD)/.build" rpm/crun.spec
+ 
+-CLEANFILES = crun.spec tests/init
++CLEANFILES = crun.spec
+ 
+ lib_LTLIBRARIES = libcrun.la
+ 
+@@ -79,9 +79,9 @@ noinst_PROGRAMS = tests/init $(UNIT_TESTS)
+ 
+ TESTS_LDADD = libcrun_testing.a $(FOUND_LIBS)
+ 
+-tests/init: tests/init.c
+- $(CC) -static-libgcc --static -o $@ $<
+-EXTRA_DIST += tests/init.c
++tests_init_LDADD =
++tests_init_LDFLAGS = -static-libgcc -all-static
++tests_init_SOURCES = tests/init.c $(UNIT_TESTS)
+ 
+ tests_tests_libcrun_utils_CFLAGS = -I $(abs_top_builddir)/libocispec/src -I $(abs_top_srcdir)/libocispec/src -I $(abs_top_builddir)/src -I $(abs_top_srcdir)/src
+ tests_tests_libcrun_utils_SOURCES = tests/tests_libcrun_utils.c
+--
+2.29.2
+
+
diff --git a/SOURCES/0001-spec-do-not-set-inheritable-capabilities.patch b/SOURCES/0001-spec-do-not-set-inheritable-capabilities.patch
new file mode 100644
index 0000000..a873251
--- /dev/null
+++ b/SOURCES/0001-spec-do-not-set-inheritable-capabilities.patch
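Review bot: The restored line `tests_init_SOURCES = tests/init.c $(UNIT_TESTS)` lists `$(UNIT_TESTS)` as sources of tests/init, while the context line `noinst_PROGRAMS = tests/init $(UNIT_TESTS)` treats the same variable as a list of programs; if it really holds program names, automake will try to compile them into tests/init, so this is worth confirming against the upstream Makefile.am before the revert is carried long-term. The nested commit message also gives no reason beyond "causes issues on RHEL 8", whereas the spec changelog in this same import records the motivation as building without glibc-static; putting that sentence in the patch header (e.g. `RHEL 8 builds cannot rely on glibc-static, so let automake/libtool build tests/init instead of the hand-written --static rule.`) tells the next maintainer when the patch can be dropped.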
@@ -0,0 +1,30 @@
+From ed485db1465d67f0215c27529c57a76a1daf5135 Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano
+Date: Mon, 28 Feb 2022 11:05:18 +0100
+Subject: [PATCH 1/2] spec: do not set inheritable capabilities
+
+Closes: CVE-2022-27650
+
+Signed-off-by: Giuseppe Scrivano
+(cherry picked from commit b847d146d496c9d7beba166fd595488e85488562)
+---
+ src/libcrun/container.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/src/libcrun/container.c b/src/libcrun/container.c
+index d3fb017..1e3f3e6 100644
+--- a/src/libcrun/container.c
++++ b/src/libcrun/container.c
+@@ -128,9 +128,6 @@ static char spec_file[] = "\
+ \"CAP_NET_BIND_SERVICE\"\n\
+ ],\n\
+ \"inheritable\": [\n\
+- \"CAP_AUDIT_WRITE\",\n\
+- \"CAP_KILL\",\n\
+- \"CAP_NET_BIND_SERVICE\"\n\
+ ],\n\
+ \"permitted\": [\n\
+ \"CAP_AUDIT_WRITE\",\n\
+--
+2.35.1
+
diff --git a/SOURCES/0002-exec-cap-do-not-set-inheritable-capabilities.patch b/SOURCES/0002-exec-cap-do-not-set-inheritable-capabilities.patch
new file mode 100644
index 0000000..3d8f390
--- /dev/null
+++ b/SOURCES/0002-exec-cap-do-not-set-inheritable-capabilities.patch
@@ -0,0 +1,31 @@
+From 21cb5a8c7bcc90c42743ffd15cd11a55bf66993d Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano
+Date: Mon, 28 Feb 2022 11:06:50 +0100
+Subject: [PATCH 2/2] exec: --cap do not set inheritable capabilities
+
+Closes: CVE-2022-27650
+
+Signed-off-by: Giuseppe Scrivano
+(cherry picked from commit 1aeeed2e4fdeffb4875c0d0b439915894594c8c6)
+---
+ src/exec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/exec.c b/src/exec.c
+index bf6c05f..8c9862d 100644
+--- a/src/exec.c
++++ b/src/exec.c
+@@ -250,8 +250,8 @@ crun_command_exec (struct crun_global_arguments *global_args, int argc, char **a
+ capabilities->effective = exec_options.cap;
+ capabilities->effective_len = exec_options.cap_size;
+ 
+- capabilities->inheritable = dup_array (exec_options.cap, exec_options.cap_size);
+- capabilities->inheritable_len = exec_options.cap_size;
++ capabilities->inheritable = NULL;
++ capabilities->inheritable_len = 0;
+ 
+ capabilities->bounding = dup_array (exec_options.cap, exec_options.cap_size);
+ capabilities->bounding_len = exec_options.cap_size;
+--
+2.35.1
+
diff --git a/SPECS/crun.spec b/SPECS/crun.spec
new file mode 100644
index 0000000..7505ee9
--- /dev/null
+++ b/SPECS/crun.spec
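Review bot: The two new lines `capabilities->inheritable = NULL;` / `capabilities->inheritable_len = 0;` sit between `effective` and `bounding`, both of which are still filled from `exec_options.cap`, and nothing in the code says the empty set is intentional rather than an oversight, so a later "consistency" edit could reintroduce the bug. A one-line comment above the pair, `/* Deliberately empty: --cap must never populate the inheritable set (CVE-2022-27650). */`, pins the intent in the source rather than only in the patch header. The same rationale applies to the emptied `"inheritable": [` array in the spec_file hunk of 0001-spec-do-not-set-inheritable-capabilities.patch, though a comment cannot be placed inside that string literal. crun_command_exec starts and ends outside the hunk.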
@@ -0,0 +1,101 @@
+Summary: OCI runtime written in C
+Name: crun
+Version: 0.18
+Release: 3%{?dist}
+Source0: https://github.com/containers/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
+Patch0: 0001-revert-tests-build-init-always-statically.patch
+Patch1: 0001-spec-do-not-set-inheritable-capabilities.patch
+Patch2: 0002-exec-cap-do-not-set-inheritable-capabilities.patch
+License: GPLv2+
+URL: https://github.com/containers/crun
+# https://fedoraproject.org/wiki/PackagingDrafts/Go#Go_Language_Architectures
+ExclusiveArch: %{go_arches}
+# We always run autogen.sh
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: gcc
+BuildRequires: python3
+BuildRequires: git
+BuildRequires: libcap-devel
+BuildRequires: systemd-devel
+BuildRequires: yajl-devel
+BuildRequires: libseccomp-devel
+BuildRequires: libselinux-devel
+BuildRequires: python3-libmount
+BuildRequires: libtool
+BuildRequires: go-md2man
+Provides: oci-runtime = 2
+
+%description
+crun is a runtime for running OCI containers
+
+%prep
+%autosetup -Sgit -n %{name}-%{version}
+
+%build
+export CFLAGS="%{optflags} -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64"
+./autogen.sh
+%configure --disable-silent-rules
+
+%make_build
+
+%install
+%make_install
+rm -rf $RPM_BUILD_ROOT/usr/lib*
+
+%files
+%license COPYING
+%{_bindir}/%{name}
+%{_mandir}/man1/*
+
+%changelog
+* Tue Apr 05 2022 Jindrich Novy - 0.18-3
+- fix CVE-2022-27650
+- Related: #2061390
+
+* Fri Feb 19 2021 Jindrich Novy - 0.18-2
+- allow to build without glibc-static (thanks to Giuseppe Scrivano)
+- Related: #1883490
+
+* Fri Feb 19 2021 Jindrich Novy - 0.18-1
+- update to https://github.com/containers/crun/releases/tag/0.18
+- Related: #1883490
+
+* Fri Jan 22 2021 Jindrich Novy - 0.17-1
+- update to https://github.com/containers/crun/releases/tag/0.17
+- Related: #1883490
+
+* Thu Dec 03 2020 Jindrich Novy - 0.16-2
+- exclude i686 because of build failures
+- Related: #1883490
+
+* Wed Nov 25 2020 Jindrich Novy - 0.16-1
+- update to https://github.com/containers/crun/releases/tag/0.16
+- Related: #1883490
+
+* Wed Nov 04 2020 Jindrich Novy - 0.15.1-1
+- update to https://github.com/containers/crun/releases/tag/0.15.1
+- Related: #1883490
+
+* Thu Oct 29 2020 Jindrich Novy - 0.15-2
+- synchronize with stream-container-tools-rhel8
+- Related: #1883490
+
+* Wed Oct 21 2020 Jindrich Novy - 0.15-1
+- synchronize with stream-container-tools-rhel8
+- Related: #1883490
+
+* Tue Aug 11 2020 Jindrich Novy - 0.14.1-2
+- use proper CFLAGS
+- Related: #1821193
+
+* Wed Jul 08 2020 Jindrich Novy - 0.14.1-1
+- update to https://github.com/containers/crun/releases/tag/v0.14.1
+- Related: #1821193
+
+* Thu Jul 02 2020 Jindrich Novy - 0.14-1
+- update to https://github.com/containers/crun/releases/tag/v0.14
+- Related: #1821193
+
+* Tue Jun 16 2020 Giuseppe Scrivano - 0.13-1
+- initial import
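Review bot: `rm -rf $RPM_BUILD_ROOT/usr/lib*` in %install deletes everything the build installs under /usr/lib and /usr/lib64 without saying what that is; the Makefile.am hunk in Patch0 shows `lib_LTLIBRARIES = libcrun.la`, so at minimum libcrun's .so/.la/.a are being discarded, and anything else that lands there would vanish unnoticed instead of tripping rpmbuild's unpackaged-files check. It is also the only line in the spec that uses `$RPM_BUILD_ROOT` rather than the `%{buildroot}`/`%{_libdir}` macros used everywhere else. Naming the artifacts, e.g. `rm -f %{buildroot}%{_libdir}/libcrun.*`, keeps the cleanup reviewable; confirm first that nothing else is installed into %{_libdir} by `%make_install`.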