3 files changed, 97 insertions, 0 deletions
diff --git a/recipes-containers/lxc/files/commands-fix-check-for-seccomp-notify-support.patch b/recipes-containers/lxc/files/commands-fix-check-for-seccomp-notify-support.patch
new file mode 100644
index 00000000..391af381
--- /dev/null
+++ b/recipes-containers/lxc/files/commands-fix-check-for-seccomp-notify-support.patch
@@ -0,0 +1,44 @@
+From a342b11fedb3010630de4909ca707ebdc0862060 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cotequeiroz@gmail.com>
+Date: Fri, 25 Dec 2020 13:54:14 -0300
+Subject: [PATCH] commands: fix check for seccomp notify support
+Use HAVE_SECCOMP_NOTIFY instead of HAVE_DECL_SECCOMP_NOTIFY_FD.
+Currently the latter will be true if the declaration is found by
+configure, even if 'configure --disable-seccomp' is used.
+HAVE_SECCOMP_NOTIFY is defined in lxcseccomp.h if both HAVE_SECCOMP and
+HAVE_DECL_SECCOMP_NOTIFY_FD are true, which is the correct behavior.
+Upstream-status: submitted https://github.com/lxc/lxc/pull/3623
+Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
+---
+ src/lxc/commands.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/src/lxc/commands.c b/src/lxc/commands.c
+index a9a03ca2c..37d1abcef 100644
+--- a/src/lxc/commands.c
+++ b/src/lxc/commands.c
+@@ -501,7 +501,7 @@ static int lxc_cmd_get_devpts_fd_callback(int fd, struct lxc_cmd_req *req,
+ 
+ int lxc_cmd_get_seccomp_notify_fd(const char *name, const char *lxcpath)
+ {
+-#if HAVE_DECL_SECCOMP_NOTIFY_FD
+#ifdef HAVE_SECCOMP_NOTIFY
+        int ret, stopped;
+        struct lxc_cmd_rr cmd = {
+                .req = {
+@@ -526,7 +526,7 @@ static int lxc_cmd_get_seccomp_notify_fd_callback(int fd, struct lxc_cmd_req *re
+                                                  struct lxc_handler *handler,
+                                                  struct lxc_epoll_descr *descr)
+ {
+-#if HAVE_DECL_SECCOMP_NOTIFY_FD
+#ifdef HAVE_SECCOMP_NOTIFY
+        struct lxc_cmd_rsp rsp = {
+                .ret = 0,
+        };
+-- 
+2.17.1
diff --git a/recipes-containers/lxc/files/configure-skip-libseccomp-tests-if-it-is-disabled.patch b/recipes-containers/lxc/files/configure-skip-libseccomp-tests-if-it-is-disabled.patch
new file mode 100644
index 00000000..7ba992f6
--- /dev/null
+++ b/recipes-containers/lxc/files/configure-skip-libseccomp-tests-if-it-is-disabled.patch
@@ -0,0 +1,51 @@
+From 67cd8bde2d46983df8fa9f647e9fc0b96370ec29 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cotequeiroz@gmail.com>
+Date: Sat, 16 Jan 2021 13:54:07 -0300
+Subject: [PATCH] configure: skip libseccomp tests if it is disabled
+Move the block checking for libseccomp api compatibility inside
+AM_COND_IF([ENABLE_SECCOMP] ... ).
+Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
+---
+ configure.ac | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+diff --git a/configure.ac b/configure.ac
+index f58487f5d..ce6363136 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -312,6 +312,14 @@ AM_COND_IF([ENABLE_SECCOMP],
+                AC_CHECK_LIB([seccomp], [seccomp_init],[],[AC_MSG_ERROR([You must install the seccomp development package in order to compile lxc])])
+                AC_SUBST([SECCOMP_LIBS], [-lseccomp])
+                ])
+       # HAVE_SCMP_FILTER_CTX=1 will tell us we have libseccomp api >= 1.0.0
+       OLD_CFLAGS="$CFLAGS"
+       CFLAGS="$CFLAGS $SECCOMP_CFLAGS"
+       AC_CHECK_TYPES([scmp_filter_ctx], [], [], [[#include <seccomp.h>]])
+       AC_CHECK_DECLS([seccomp_notify_fd], [], [], [[#include <seccomp.h>]])
+       AC_CHECK_TYPES([struct seccomp_notif_sizes], [], [], [[#include <seccomp.h>]])
+       AC_CHECK_DECLS([seccomp_syscall_resolve_name_arch], [], [], [[#include <seccomp.h>]])
+       CFLAGS="$OLD_CFLAGS"
+        ])
+ 
+ AC_MSG_CHECKING(for static libcap)
+@@ -359,15 +367,6 @@ AM_COND_IF([ENABLE_CAP],
+         AC_CHECK_LIB(cap,cap_get_file, AC_DEFINE(LIBCAP_SUPPORTS_FILE_CAPABILITIES,1,[Have cap_get_file]),[],[])
+         AC_SUBST([CAP_LIBS], [-lcap])])
+ 
+-# HAVE_SCMP_FILTER_CTX=1 will tell us we have libseccomp api >= 1.0.0
+-OLD_CFLAGS="$CFLAGS"
+-CFLAGS="$CFLAGS $SECCOMP_CFLAGS"
+-AC_CHECK_TYPES([scmp_filter_ctx], [], [], [[#include <seccomp.h>]])
+-AC_CHECK_DECLS([seccomp_notify_fd], [], [], [[#include <seccomp.h>]])
+-AC_CHECK_TYPES([struct seccomp_notif_sizes], [], [], [[#include <seccomp.h>]])
+-AC_CHECK_DECLS([seccomp_syscall_resolve_name_arch], [], [], [[#include <seccomp.h>]])
+-CFLAGS="$OLD_CFLAGS"
+-
+ AC_CHECK_HEADERS([linux/bpf.h], [
+        AC_CHECK_TYPES([struct bpf_cgroup_dev_ctx], [], [], [[#include <linux/bpf.h>]])
+ ], [], [])
+-- 
+2.17.1
diff --git a/recipes-containers/lxc/lxc_4.0.6.bb b/recipes-containers/lxc/lxc_4.0.6.bb
index b4229090..c9bf3d09 100644
--- a/recipes-containers/lxc/lxc_4.0.6.bb
+++ b/recipes-containers/lxc/lxc_4.0.6.bb
@@ -49,6 +49,8 @@ SRC_URI = "http://linuxcontainers.org/downloads/${BPN}/${BPN}-${PV}.tar.gz \
        file://tests-add-no-validate-when-using-download-template.patch \
        file://dnsmasq.conf \
        file://lxc-net \
+        file://configure-skip-libseccomp-tests-if-it-is-disabled.patch \
+        file://commands-fix-check-for-seccomp-notify-support.patch \
        "
 SRC_URI[md5sum] = "732571c7cb4ab845068afb227bf35256"

diff --git a/recipes-containers/lxc/files/commands-fix-check-for-seccomp-notify-support.patch b/recipes-containers/lxc/files/commands-fix-check-for-seccomp-notify-support.patch new file mode 100644 index 00000000..391af381 --- /dev/null +++ b/recipes-containers/lxc/files/commands-fix-check-for-seccomp-notify-support.patch
@@ -0,0 +1,44 @@
		1	From a342b11fedb3010630de4909ca707ebdc0862060 Mon Sep 17 00:00:00 2001
		2	From: Eneas U de Queiroz <cotequeiroz@gmail.com>
		3	Date: Fri, 25 Dec 2020 13:54:14 -0300
		4	Subject: [PATCH] commands: fix check for seccomp notify support
		5
		6	Use HAVE_SECCOMP_NOTIFY instead of HAVE_DECL_SECCOMP_NOTIFY_FD.
		7	Currently the latter will be true if the declaration is found by
		8	configure, even if 'configure --disable-seccomp' is used.
		9
		10	HAVE_SECCOMP_NOTIFY is defined in lxcseccomp.h if both HAVE_SECCOMP and
		11	HAVE_DECL_SECCOMP_NOTIFY_FD are true, which is the correct behavior.
		12
		13	Upstream-status: submitted https://github.com/lxc/lxc/pull/3623
		14
		15	Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
		16	---
		17	src/lxc/commands.c \| 4 ++--
		18	1 file changed, 2 insertions(+), 2 deletions(-)
		19
		20	diff --git a/src/lxc/commands.c b/src/lxc/commands.c
		21	index a9a03ca2c..37d1abcef 100644
		22	--- a/src/lxc/commands.c
		23	+++ b/src/lxc/commands.c
		24	@@ -501,7 +501,7 @@ static int lxc_cmd_get_devpts_fd_callback(int fd, struct lxc_cmd_req *req,
		25
		26	int lxc_cmd_get_seccomp_notify_fd(const char name, const char lxcpath)
		27	{
		28	-#if HAVE_DECL_SECCOMP_NOTIFY_FD
		29	+#ifdef HAVE_SECCOMP_NOTIFY
		30	int ret, stopped;
		31	struct lxc_cmd_rr cmd = {
		32	.req = {
		33	@@ -526,7 +526,7 @@ static int lxc_cmd_get_seccomp_notify_fd_callback(int fd, struct lxc_cmd_req *re
		34	struct lxc_handler *handler,
		35	struct lxc_epoll_descr *descr)
		36	{
		37	-#if HAVE_DECL_SECCOMP_NOTIFY_FD
		38	+#ifdef HAVE_SECCOMP_NOTIFY
		39	struct lxc_cmd_rsp rsp = {
		40	.ret = 0,
		41	};
		42	--
		43	2.17.1
		44


diff --git a/recipes-containers/lxc/files/configure-skip-libseccomp-tests-if-it-is-disabled.patch b/recipes-containers/lxc/files/configure-skip-libseccomp-tests-if-it-is-disabled.patch new file mode 100644 index 00000000..7ba992f6 --- /dev/null +++ b/recipes-containers/lxc/files/configure-skip-libseccomp-tests-if-it-is-disabled.patch
@@ -0,0 +1,51 @@
		1	From 67cd8bde2d46983df8fa9f647e9fc0b96370ec29 Mon Sep 17 00:00:00 2001
		2	From: Eneas U de Queiroz <cotequeiroz@gmail.com>
		3	Date: Sat, 16 Jan 2021 13:54:07 -0300
		4	Subject: [PATCH] configure: skip libseccomp tests if it is disabled
		5
		6	Move the block checking for libseccomp api compatibility inside
		7	AM_COND_IF([ENABLE_SECCOMP] ... ).
		8
		9	Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
		10	---
		11	configure.ac \| 17 ++++++++---------
		12	1 file changed, 8 insertions(+), 9 deletions(-)
		13
		14	diff --git a/configure.ac b/configure.ac
		15	index f58487f5d..ce6363136 100644
		16	--- a/configure.ac
		17	+++ b/configure.ac
		18	@@ -312,6 +312,14 @@ AM_COND_IF([ENABLE_SECCOMP],
		19	AC_CHECK_LIB([seccomp], [seccomp_init],[],[AC_MSG_ERROR([You must install the seccomp development package in order to compile lxc])])
		20	AC_SUBST([SECCOMP_LIBS], [-lseccomp])
		21	])
		22	+ # HAVE_SCMP_FILTER_CTX=1 will tell us we have libseccomp api >= 1.0.0
		23	+ OLD_CFLAGS="$CFLAGS"
		24	+ CFLAGS="$CFLAGS $SECCOMP_CFLAGS"
		25	+ AC_CHECK_TYPES([scmp_filter_ctx], [], [], [[#include <seccomp.h>]])
		26	+ AC_CHECK_DECLS([seccomp_notify_fd], [], [], [[#include <seccomp.h>]])
		27	+ AC_CHECK_TYPES([struct seccomp_notif_sizes], [], [], [[#include <seccomp.h>]])
		28	+ AC_CHECK_DECLS([seccomp_syscall_resolve_name_arch], [], [], [[#include <seccomp.h>]])
		29	+ CFLAGS="$OLD_CFLAGS"
		30	])
		31
		32	AC_MSG_CHECKING(for static libcap)
		33	@@ -359,15 +367,6 @@ AM_COND_IF([ENABLE_CAP],
		34	AC_CHECK_LIB(cap,cap_get_file, AC_DEFINE(LIBCAP_SUPPORTS_FILE_CAPABILITIES,1,[Have cap_get_file]),[],[])
		35	AC_SUBST([CAP_LIBS], [-lcap])])
		36
		37	-# HAVE_SCMP_FILTER_CTX=1 will tell us we have libseccomp api >= 1.0.0
		38	-OLD_CFLAGS="$CFLAGS"
		39	-CFLAGS="$CFLAGS $SECCOMP_CFLAGS"
		40	-AC_CHECK_TYPES([scmp_filter_ctx], [], [], [[#include <seccomp.h>]])
		41	-AC_CHECK_DECLS([seccomp_notify_fd], [], [], [[#include <seccomp.h>]])
		42	-AC_CHECK_TYPES([struct seccomp_notif_sizes], [], [], [[#include <seccomp.h>]])
		43	-AC_CHECK_DECLS([seccomp_syscall_resolve_name_arch], [], [], [[#include <seccomp.h>]])
		44	-CFLAGS="$OLD_CFLAGS"
		45	-
		46	AC_CHECK_HEADERS([linux/bpf.h], [
		47	AC_CHECK_TYPES([struct bpf_cgroup_dev_ctx], [], [], [[#include <linux/bpf.h>]])
		48	], [], [])
		49	--
		50	2.17.1
		51


diff --git a/recipes-containers/lxc/lxc_4.0.6.bb b/recipes-containers/lxc/lxc_4.0.6.bb index b4229090..c9bf3d09 100644 --- a/recipes-containers/lxc/lxc_4.0.6.bb +++ b/recipes-containers/lxc/lxc_4.0.6.bb
@@ -49,6 +49,8 @@ SRC_URI = "http://linuxcontainers.org/downloads/${BPN}/${BPN}-${PV}.tar.gz \
49	file://tests-add-no-validate-when-using-download-template.patch \	49	file://tests-add-no-validate-when-using-download-template.patch \
50	file://dnsmasq.conf \	50	file://dnsmasq.conf \
51	file://lxc-net \	51	file://lxc-net \
		52	file://configure-skip-libseccomp-tests-if-it-is-disabled.patch \
		53	file://commands-fix-check-for-seccomp-notify-support.patch \
52	"	54	"
53		55
54	SRC_URI[md5sum] = "732571c7cb4ab845068afb227bf35256"	56	SRC_URI[md5sum] = "732571c7cb4ab845068afb227bf35256"