[CRun] Added crun package

Added a crun package with patches that allow for using it as a library

Author: mipo57

package/Config.in

@@ -1873,6 +1873,7 @@ menu "System tools"
 	source "package/kmod/Config.in"
 	source "package/kvmtool/Config.in"
 	source "package/lxc/Config.in"
+	source "package/crun/Config.in"
 	source "package/monit/Config.in"
 	source "package/ncdu/Config.in"
 	source "package/numactl/Config.in"

package/crun/0001-Preparing-for-library-build.patch

@@ -0,0 +1,136 @@
+From 9d14b28d5c5748abd3d073fbf65dd4cb6b50fdec Mon Sep 17 00:00:00 2001
+From: Michal Pogoda <michalpogoda@hotmail.com>
+Date: Tue, 17 Mar 2020 16:55:20 +0100
+Subject: [PATCH 1/2] Preparing for library build
+
+---
+ Makefile.am             | 19 +++++++++++++++++++
+ configure.ac            |  5 ++++-
+ libcrun.pc.in           | 11 +++++++++++
+ libocispec/Makefile.am  | 13 +++----------
+ src/libcrun/container.c |  2 +-
+ 5 files changed, 38 insertions(+), 12 deletions(-)
+ create mode 100644 libcrun.pc.in
+
+diff --git a/Makefile.am b/Makefile.am
+index 8f96a4f..5e86199 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -38,6 +38,25 @@ libcrun_la_SOURCES = src/libcrun/utils.c \
+ libcrun_la_CFLAGS = -I $(abs_top_builddir)/libocispec/src -I $(abs_top_srcdir)/libocispec/src
+ libcrun_la_LIBADD = libocispec/libocispec.la
+ 
++pkginclude_HEADERS = src/libcrun/container.h \
++		     config.h \
++		     src/libcrun/error.h \
++		     src/libcrun/status.h \
++		     src/libcrun/utils.h \
++		     libocispec/src/runtime_spec_schema_config_schema.h \
++		     libocispec/src/runtime_spec_schema_config_linux.h \
++		     libocispec/src/runtime_spec_schema_config_solaris.h \
++		     libocispec/src/runtime_spec_schema_config_windows.h \
++		     libocispec/src/runtime_spec_schema_config_vm.h \
++		     libocispec/src/runtime_spec_schema_defs.h \
++		     libocispec/src/runtime_spec_schema_defs_linux.h \
++		     libocispec/src/runtime_spec_schema_defs_windows.h \
++		     libocispec/src/runtime_spec_schema_defs_vm.h \
++		     libocispec/src/json_common.h
++
++pkgconfigdir = @pkgconfigdir@
++pkgconfig_DATA = libcrun.pc
++
+ if PYTHON_BINDINGS
+ pyexec_LTLIBRARIES = python_crun.la
+ python_crun_la_SOURCES = python/crun_python.c
+diff --git a/configure.ac b/configure.ac
+index ea6ed11..cab11ec 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -123,7 +123,10 @@ AC_SEARCH_LIBS([argp_parse], [argp], [], [AC_MSG_ERROR([*** argp functions not f
+ AM_CONDITIONAL([PYTHON_BINDINGS], [test "x$with_python_bindings" = "xyes"])
+ AM_CONDITIONAL([CRIU_SUPPORT], [test "x$have_criu" = "xyes"])
+ 
+-AC_CONFIG_FILES([Makefile rpm/crun.spec])
++PKG_INSTALLDIR
++AC_SUBST(pkgconfigdir)
++
++AC_CONFIG_FILES([Makefile rpm/crun.spec libcrun.pc])
+ 
+ AC_CONFIG_SUBDIRS([libocispec])
+ AC_OUTPUT
+diff --git a/libcrun.pc.in b/libcrun.pc.in
+new file mode 100644
+index 0000000..54ee2eb
+--- /dev/null
++++ b/libcrun.pc.in
+@@ -0,0 +1,11 @@
++prefix=@prefix@
++exec_prefix=@exec_prefix@
++libdir=@libdir@
++includedir=@includedir@
++
++Name: LibCRun
++Description: Library for running the OCI containers
++Version: 0.1.13
++Requires: libseccomp libcap yajl
++Cflags: -I${includedir}/crun -I${includedir}
++Libs: -L${libdir} -lseccomp -lcap -lyajl -lcrun 
+\ No newline at end of file
+diff --git a/libocispec/Makefile.am b/libocispec/Makefile.am
+index 65bed45..53a8b32 100644
+--- a/libocispec/Makefile.am
++++ b/libocispec/Makefile.am
+@@ -4,8 +4,7 @@ AM_CFLAGS = $(WARN_CFLAGS) -I$(top_srcdir)/src -I$(top_builddir)/src
+ 
+ GITIGNOREFILES = build-aux/ gtk-doc.make config.h.in aclocal.m4
+ 
+-noinst_LTLIBRARIES = libocispec.la
+-noinst_LIBRARIES = libocispec.a
++lib_LTLIBRARIES = libocispec.la
+ 
+ SOURCE_FILES = src/json_common.c \
+ 	src/image_spec_schema_config_schema.c \
+@@ -25,9 +24,8 @@ SOURCE_FILES = src/json_common.c \
+ 	src/runtime_spec_schema_defs_vm.c \
+ 	src/runtime_spec_schema_defs_windows.c \
+ 	src/runtime_spec_schema_state_schema.c \
+-	src/image_manifest_items_image_manifest_items_schema.c \
+-	src/json_common.c
+-
++	src/image_manifest_items_image_manifest_items_schema.c 
++	
+ HEADER_FILES = $(SOURCE_FILES:.c=.h)
+ 
+ src/json_common.h src/json_common.c:
+@@ -61,15 +59,10 @@ BUILT_SOURCES = $(HEADER_FILES) $(SOURCE_FILES)
+ libocispec_la_SOURCES = $(SOURCE_FILES) \
+ 	src/read-file.c
+ 
+-libocispec_a_SOURCES =
+-
+ CLEANFILES += $(HEADER_FILES) $(SOURCE_FILES)
+ 
+ TESTS_LDADD = libocispec.la $(SELINUX_LIBS) $(YAJL_LIBS)
+ 
+-libocispec.a: libocispec.la
+-	$(LIBTOOL) --mode=link $(GCC) libocispec.la -o libocispec.a
+-
+ tests_test_1_SOURCES = tests/test-1.c
+ tests_test_1_LDADD = $(TESTS_LDADD)
+ 
+diff --git a/src/libcrun/container.c b/src/libcrun/container.c
+index 22cb41f..7f7dafc 100644
+--- a/src/libcrun/container.c
++++ b/src/libcrun/container.c
+@@ -1778,7 +1778,7 @@ libcrun_container_run (libcrun_context_t *context, libcrun_container_t *containe
+       crun_set_output_handler (log_write_to_stderr, NULL, false);
+       libcrun_fail_with_error ((*err)->status, "%s", (*err)->msg);
+     }
+-  exit (ret);
++  _exit (ret);
+ }
+ 
+ int
+-- 
+2.20.1
+

package/crun/0002-Fix-cpuacct-not-beeing-created.patch

@@ -0,0 +1,25 @@
+From b8c2ac52796824ba32329617f2113f26e88a2e1b Mon Sep 17 00:00:00 2001
+From: Michal Pogoda <michalpogoda@hotmail.com>
+Date: Thu, 9 Apr 2020 16:07:43 +0200
+Subject: [PATCH 2/2] Fix cpuacct not beeing created
+
+---
+ src/libcrun/cgroup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libcrun/cgroup.c b/src/libcrun/cgroup.c
+index 6947eaf..9a5d34d 100644
+--- a/src/libcrun/cgroup.c
++++ b/src/libcrun/cgroup.c
+@@ -39,7 +39,7 @@
+ 
+ static const cgroups_subsystem_t cgroups_subsystems[] = { "cpuset", "cpu", "devices", "pids", "memory",
+                                                           "net_cls,net_prio", "freezer", "blkio",
+-                                                          "hugetlb", "cpu,cpuacct", "perf_event",
++                                                          "hugetlb", "cpu", "cpuacct", "perf_event",
+                                                           "unified", NULL};
+ 
+ const cgroups_subsystem_t *
+-- 
+2.20.1
+

package/crun/Config.in

@@ -0,0 +1,8 @@
+config BR2_PACKAGE_CRUN
+	bool "crun"
+	select BR2_PACKAGE_YAJL
+	select BR2_PACKAGE_LIBSECCOMP
+	select BR2_PACKAGE_LIBCAP
+	help
+	  this package installs 'crun', which is a
+	  runc reimplementation in C

package/crun/crun.mk

@@ -0,0 +1,17 @@
+################################################################################
+#
+# crun
+#
+################################################################################
+
+CRUN_VERSION = 0.13
+CRUN_SITE = https://github.com/containers/crun/releases/download/$(CRUN_VERSION)
+CRUN_LICENSE = GPLv2+
+CRUN_LICENSE_FILES = COPYING
+CRUN_INSTALL_STAGING = YES
+CRUN_DEPENDENCIES = host-python3 yajl libcap libseccomp
+
+CRUN_CONF_OPTS = --disable-systemd --enable-shared
+CRUN_CONF_ENV = PYTHON=python3
+
+$(eval $(autotools-package))

package/libseccomp/0001-remove-static.patch

@@ -1,29 +1,40 @@
-Do not force static link, it breaks build with
-# BR2_STATIC_LIBS is not set
+From 5d010fb06eae43b284e5ccc322f6de47eb42b751 Mon Sep 17 00:00:00 2001
+From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+Date: Sat, 2 Jun 2018 13:45:22 +0200
+Subject: [PATCH] remove static
+
+Do not force static link of tools, it breaks build with:
 BR2_SHARED_LIBS=y
 
+Patch retrieved from
+https://git.buildroot.net/buildroot/tree/package/libseccomp/0001-remove-static.patch
+and slighly updated to work with 2.3.3
+
+[Upstream status: https://github.com/seccomp/libseccomp/pull/121]
+
 Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+[Peter: updated for v2.4.0 which adds scmp_api_level]
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ tools/Makefile.am | 3 ---
+ 1 file changed, 3 deletions(-)
 
-diff -uNr libseccomp-2.2.0.org/tests/Makefile.am libseccomp-2.2.0/tests/Makefile.am
---- libseccomp-2.2.0.org/tests/Makefile.am	2015-02-11 21:57:11.000000000 +0100
-+++ libseccomp-2.2.0/tests/Makefile.am	2015-03-29 16:03:49.668946652 +0200
-@@ -16,7 +16,6 @@
- # along with this library; if not, see <http://www.gnu.org/licenses>.
- #
- 
--AM_LDFLAGS = -static
- LDADD = util.la ../src/libseccomp.la
- 
- check_LTLIBRARIES = util.la
-diff -uNr libseccomp-2.2.0.org/tools/Makefile.am libseccomp-2.2.0/tools/Makefile.am
---- libseccomp-2.2.0.org/tools/Makefile.am	2015-02-11 21:57:11.000000000 +0100
-+++ libseccomp-2.2.0/tools/Makefile.am	2015-03-29 16:03:46.164992302 +0200
-@@ -33,8 +33,6 @@
- scmp_bpf_sim_SOURCES = scmp_bpf_sim.c bpf.h util.h
+diff --git a/tools/Makefile.am b/tools/Makefile.am
+index f768365..5f9d571 100644
+--- a/tools/Makefile.am
++++ b/tools/Makefile.am
+@@ -37,10 +37,7 @@ scmp_bpf_sim_SOURCES = scmp_bpf_sim.c bpf.h util.h
+ scmp_api_level_SOURCES = scmp_api_level.c
 
  scmp_sys_resolver_LDADD = ../src/libseccomp.la
 -scmp_sys_resolver_LDFLAGS = -static
  scmp_arch_detect_LDADD = ../src/libseccomp.la
 -scmp_arch_detect_LDFLAGS = -static
  scmp_bpf_disasm_LDADD = util.la
  scmp_bpf_sim_LDADD = util.la
+ scmp_api_level_LDADD = ../src/libseccomp.la
+-scmp_api_level_LDFLAGS = -static
+-- 
+2.11.0
+

package/libseccomp/0002-Circumvent-bug-in-uClibc-ng-syscall-on-x86_64-system.patch

@@ -0,0 +1,80 @@
+From 613e601bb4b50dc359b41f162a5b629449e4bbea Mon Sep 17 00:00:00 2001
+From: Carlos Santos <casantos@redhat.com>
+Date: Fri, 18 Oct 2019 22:02:49 -0300
+Subject: [PATCH] Circumvent bug in uClibc-ng syscall() on x86_64 systems
+
+On uClibc at least up to v1.0.32, syscall() for x86_64 is defined in
+libc/sysdeps/linux/x86_64/syscall.S as
+
+syscall:
+        movq %rdi, %rax         /* Syscall number -> rax.  */
+        movq %rsi, %rdi         /* shift arg1 - arg5.  */
+        movq %rdx, %rsi
+        movq %rcx, %rdx
+        movq %r8, %r10
+        movq %r9, %r8
+        movq 8(%rsp),%r9        /* arg6 is on the stack.  */
+        syscall                 /* Do the system call.  */
+        cmpq $-4095, %rax       /* Check %rax for error.  */
+        jae __syscall_error     /* Branch forward if it failed.  */
+        ret                     /* Return to caller.  */
+
+And __syscall_error is defined in
+libc/sysdeps/linux/x86_64/__syscall_error.c as
+
+int __syscall_error(void) attribute_hidden;
+int __syscall_error(void)
+{
+	register int err_no __asm__ ("%rcx");
+	__asm__ ("mov %rax, %rcx\n\t"
+	         "neg %rcx");
+	__set_errno(err_no);
+	return -1;
+}
+
+Notice that __syscall_error returns -1 as a 32-bit int in %rax, a 64-bit
+register i.e. 0x00000000ffffffff (decimal 4294967295). When this value
+is compared to -1 in _sys_chk_seccomp_flag_kernel() the result is false,
+leading the function to always return 0.
+
+Prevent the error by coercing the return value of syscall() to int in a
+temporary variable before comparing it to -1. We could use just an (int)
+cast but the variable makes the code more readable and the machine code
+generated by the compiler is the same in both cases.
+
+All other syscall() invocations were inspected and they either already
+coerce the result to int or do not compare it to -1.
+
+The same problem probably occurs on other 64-bit systems but so far only
+x86_64 was tested.
+
+A bug report is being submitted to uClibc.
+
+Signed-off-by: Carlos Santos <casantos@redhat.com>
+---
+ src/system.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/system.c b/src/system.c
+index 8e5aafc..811b401 100644
+--- a/src/system.c
++++ b/src/system.c
+@@ -215,10 +215,12 @@ static int _sys_chk_seccomp_flag_kernel(int flag)
+ 	/* this is an invalid seccomp(2) call because the last argument
+ 	 * is NULL, but depending on the errno value of EFAULT we can
+ 	 * guess if the filter flag is supported or not */
+-	if (sys_chk_seccomp_syscall() == 1 &&
+-	    syscall(_nr_seccomp, SECCOMP_SET_MODE_FILTER, flag, NULL) == -1 &&
+-	    errno == EFAULT)
++	int rc;
++	if (sys_chk_seccomp_syscall() == 1) {
++	    rc = syscall(_nr_seccomp, SECCOMP_SET_MODE_FILTER, flag, NULL);
++	    if (rc == -1 && errno == EFAULT)
+ 		return 1;
++	}
+ 
+ 	return 0;
+ }
+-- 
+2.18.1
+

package/libseccomp/Config.in

@@ -1,22 +1,28 @@
+config BR2_PACKAGE_LIBSECCOMP_ARCH_SUPPORTS
+	bool
+	default y if BR2_aarch64
+	default y if BR2_arm || BR2_armeb
+	default y if BR2_mips || BR2_mipsel || BR2_mips64 || BR2_mips64el
+	default y if BR2_i386 || BR2_x86_64
+	default y if BR2_powerpc64 || BR2_powerpc
+
 config BR2_PACKAGE_LIBSECCOMP
 	bool "libseccomp"
-	depends on BR2_aarch64 || BR2_mips || BR2_mipsel || BR2_mips64 || \
-		BR2_mips64el || BR2_i386 || BR2_x86_64 || BR2_powerpc64 || \
-		BR2_powerpc
+	depends on BR2_PACKAGE_LIBSECCOMP_ARCH_SUPPORTS
 	depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12
 	help
 	  High level interface to the Linux Kernel's seccomp filter
 
-	  The libseccomp library provides an easy to use, platform independent,
-	  interface to the Linux Kernel's syscall filtering mechanism: seccomp.
-	  The libseccomp API is designed to abstract away the underlying BPF
-	  based syscall filter language and present a more conventional
-	  function-call based filtering interface that should be familiar to,
-	  and easily adopted by application developers.
+	  The libseccomp library provides an easy to use, platform
+	  independent, interface to the Linux Kernel's syscall filtering
+	  mechanism: seccomp. The libseccomp API is designed to abstract
+	  away the underlying BPF based syscall filter language and
+	  present a more conventional function-call based filtering
+	  interface that should be familiar to, and easily adopted by
+	  application developers.
 
 	  https://github.com/seccomp/libseccomp
 
 comment "libseccomp needs a toolchain w/ headers >= 3.12"
-	depends on BR2_aarch64 || BR2_mips || BR2_mipsel || BR2_mips64 || \
-		BR2_mips64el || BR2_i386 || BR2_x86_64
+	depends on BR2_PACKAGE_LIBSECCOMP_ARCH_SUPPORTS
 	depends on !BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12

package/libseccomp/libseccomp.hash

@@ -1,2 +1,3 @@
 # Locally calculated
-sha256 09864282ae579c34bd5ef75ef3487200adfecaa51f5cffc7c7ad1ed2f89f5d6c libseccomp-v2.3.1.tar.gz
+sha256 36aa502c0461ae9efc6c93ec2430d6badd9bf91ecbe73806baf7b7c6f687ab4f libseccomp-2.4.1.tar.gz
+sha256 102900208eef27b766380135906d431dba87edaa7ec6aa72e6ebd3dd67f3a97b LICENSE