Version in base suite: 0.17+dfsg-1+deb11u1 Base version: crun_0.17+dfsg-1+deb11u1 Target version: crun_0.17+dfsg-1+deb11u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/crun/crun_0.17+dfsg-1+deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/c/crun/crun_0.17+dfsg-1+deb11u2.dsc changelog | 9 ++ patches/series | 2 patches/utils-fix-ignore-ENOTSUP-when-chmod-a-symlink.patch | 36 +++++++++ patches/utils-ignore-ENOTSUP-when-chmod-a-symlink.patch | 48 ++++++++++++ 4 files changed, 95 insertions(+)
diff -Nru crun-0.17+dfsg/debian/changelog crun-0.17+dfsg/debian/changelog
--- crun-0.17+dfsg/debian/changelog 2023-02-11 21:44:44.000000000 +0000
+++ crun-0.17+dfsg/debian/changelog 2023-11-02 16:52:46.000000000 +0000
@@ -1,3 +1,12 @@
+crun (0.17+dfsg-1+deb11u2) bullseye; urgency=medium
+
+ * Backport two commits from upstream ("ignore ENOTSUP when chmod a
+ symlink"), that restore containers with systemd as their init system, when
+ running under Linux >= v6.6, >= v6.1.55 and >= 5.10.197, i.e. bullseye's
+ and bookworm's current stable kernels. (Closes: #1053821)
+
+ -- Faidon Liambotis Thu, 02 Nov 2023 18:52:46 +0200
+
 crun (0.17+dfsg-1+deb11u1) bullseye; urgency=medium
 
 * Backport upstream commits b847d14 ("spec: do not set inheritable
diff -Nru crun-0.17+dfsg/debian/patches/series crun-0.17+dfsg/debian/patches/series
--- crun-0.17+dfsg/debian/patches/series 2023-02-11 21:44:44.000000000 +0000
+++ crun-0.17+dfsg/debian/patches/series 2023-11-02 16:52:46.000000000 +0000
@@ -1,2 +1,4 @@
 CVE-2022-27650-b847d14.patch
 CVE-2022-27650-1aeeed2.patch
+utils-ignore-ENOTSUP-when-chmod-a-symlink.patch
+utils-fix-ignore-ENOTSUP-when-chmod-a-symlink.patch
diff -Nru crun-0.17+dfsg/debian/patches/utils-fix-ignore-ENOTSUP-when-chmod-a-symlink.patch crun-0.17+dfsg/debian/patches/utils-fix-ignore-ENOTSUP-when-chmod-a-symlink.patch
--- crun-0.17+dfsg/debian/patches/utils-fix-ignore-ENOTSUP-when-chmod-a-symlink.patch 1970-01-01 00:00:00.000000000 +0000
+++ crun-0.17+dfsg/debian/patches/utils-fix-ignore-ENOTSUP-when-chmod-a-symlink.patch 2023-11-02 16:52:46.000000000 +0000
@@ -0,0 +1,36 @@
+From 60296f112fddc74f4926f8ca6f6e1ef7a61ef5b9 Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano
+Date: Tue, 26 Sep 2023 11:51:19 +0200
+Subject: [PATCH] utils: fix ignore ENOTSUP when chmod a symlink
+
+when ENOTSUP is encountered we must continue copying the other files,
+not doing an early return.
+
+commit 57262a2710c83fa08767f0ce3ba7a80993515bb2 introduced the
+regression with the Podman CI.
+
+Signed-off-by: Giuseppe Scrivano
+
+Origin: upstream, https://github.com/containers/crun/commit/14afa8a46e2e83608a3a219402bce8ea8d071192
+Bug: https://github.com/containers/crun/issues/1308
+Bug-Debian: https://bugs.debian.org/1053821
+---
+ src/libcrun/utils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libcrun/utils.c b/src/libcrun/utils.c
+index 5c7f315..5306c5b 100644
+--- a/src/libcrun/utils.c
++++ b/src/libcrun/utils.c
+@@ -1858,7 +1858,7 @@ copy_recursive_fd_to_fd (int srcdirfd, int dfd, const char *srcname, const char
+ {
+ /* If the operation fails with ENOTSUP we are dealing with a symlink, so ignore it. */
+ if (errno == ENOTSUP)
+- return 0;
++ continue;
+
+ if (UNLIKELY (ret < 0))
+ return crun_make_error (err, errno, "chmod `%s/%s`", destname, de->d_name);
+--
+2.39.2
+
diff -Nru crun-0.17+dfsg/debian/patches/utils-ignore-ENOTSUP-when-chmod-a-symlink.patch crun-0.17+dfsg/debian/patches/utils-ignore-ENOTSUP-when-chmod-a-symlink.patch
--- crun-0.17+dfsg/debian/patches/utils-ignore-ENOTSUP-when-chmod-a-symlink.patch 1970-01-01 00:00:00.000000000 +0000
+++ crun-0.17+dfsg/debian/patches/utils-ignore-ENOTSUP-when-chmod-a-symlink.patch 2023-11-02 16:52:46.000000000 +0000
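Review bot: The `errno == ENOTSUP` branch in copy_recursive_fd_to_fd skips the entry without checking that it really is a symlink; the comment states this as fact, but no type test is visible in the hunk. Depending on the libc, fchmodat with AT_SYMLINK_NOFOLLOW may also report ENOTSUP for other reasons (glibc's emulation appears to do so when /proc is unavailable), and a regular file or directory would then silently keep its creation mode instead of the source mode. If `mode` still carries the file-type bits at this point (it is masked with ALLPERMS, which suggests it does), the guard could be narrowed to `if (errno == ENOTSUP && S_ISLNK (mode)) continue;`. The same unconditional ignore is introduced by utils-ignore-ENOTSUP-when-chmod-a-symlink.patch, so the narrowing would apply to the series as a whole. The function body starts and ends outside the hunk.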
@@ -0,0 +1,48 @@
+From 3bc67556e2f077337e574e4c3aaf18488410b2f5 Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano
+Date: Fri, 22 Sep 2023 11:34:19 +0200
+Subject: [PATCH] utils: ignore ENOTSUP when chmod a symlink
+
+commit 5d1f903f75a80daa4dfb3d84e114ec8ecbf29956 in the kernel, present
+in a release since Linux 6.6 doesn't allow anymore to change the
+mode of a symlink, so just ignore the failure.
+
+Closes: https://github.com/containers/crun/issues/1308
+
+Signed-off-by: Giuseppe Scrivano
+
+Origin: upstream, https://github.com/containers/crun/commit/57262a2710c83fa08767f0ce3ba7a80993515bb2
+Bug: https://github.com/containers/crun/issues/1308
+Bug-Debian: https://bugs.debian.org/1053821
+---
+ src/libcrun/utils.c | 13 ++-----------
+ 1 file changed, 2 insertions(+), 11 deletions(-)
+
+diff --git a/src/libcrun/utils.c b/src/libcrun/utils.c
+index cac0fb9..5c7f315 100644
+--- a/src/libcrun/utils.c
++++ b/src/libcrun/utils.c
+@@ -1856,18 +1856,9 @@ copy_recursive_fd_to_fd (int srcdirfd, int dfd, const char *srcname, const char
+ ret = fchmodat (destdirfd, de->d_name, mode & ALLPERMS, AT_SYMLINK_NOFOLLOW);
+ if (UNLIKELY (ret < 0))
+ {
++ /* If the operation fails with ENOTSUP we are dealing with a symlink, so ignore it. */
+ if (errno == ENOTSUP)
+- {
+- char proc_path[32];
+- cleanup_close int fd = -1;
+-
+- fd = openat (destdirfd, de->d_name, O_PATH | O_NOFOLLOW);
+- if (UNLIKELY (fd < 0))
+- return crun_make_error (err, errno, "open `%s/%s`", destname, de->d_name);
+-
+- sprintf (proc_path, "/proc/self/fd/%d", fd);
+- ret = chmod (proc_path, mode & ALLPERMS);
+- }
++ return 0;
+
+ if (UNLIKELY (ret < 0))
+ return crun_make_error (err, errno, "chmod `%s/%s`", destname, de->d_name);
+--
+2.39.2
+