diff -Nru golang-github-containers-toolbox-0.0.99.2/debian/changelog golang-github-containers-toolbox-0.0.99.2/debian/changelog
--- golang-github-containers-toolbox-0.0.99.2/debian/changelog	2022-01-17 13:10:47.000000000 +0100
+++ golang-github-containers-toolbox-0.0.99.2/debian/changelog	2023-07-12 23:39:49.000000000 +0200
@@ -1,3 +1,10 @@
+golang-github-containers-toolbox (0.0.99.2-2ubuntu1.1) jammy; urgency=medium
+
+ * Fix the ABI incompatibility issue (LP: #1993888).
+ * Add a build dependency on patchelf (necessary for the fix above).
+
+ -- Andrej Shadura Wed, 12 Jul 2023 23:39:49 +0200
+
 golang-github-containers-toolbox (0.0.99.2-2ubuntu1) jammy; urgency=medium
 
  * Fix RISC-V build error (LP: #1958132)
diff -Nru golang-github-containers-toolbox-0.0.99.2/debian/control golang-github-containers-toolbox-0.0.99.2/debian/control
--- golang-github-containers-toolbox-0.0.99.2/debian/control	2022-01-17 13:01:03.000000000 +0100
+++ golang-github-containers-toolbox-0.0.99.2/debian/control	2023-07-12 23:39:49.000000000 +0200
@@ -28,6 +28,7 @@
 golang-golang-x-crypto-dev,
 golang-golang-x-sys-dev,
 meson,
+ patchelf,
 pkgconf | pkg-config,
 shellcheck,
 systemd,
diff -Nru golang-github-containers-toolbox-0.0.99.2/debian/patches/0001-riscv-pthread_sigmask.patch golang-github-containers-toolbox-0.0.99.2/debian/patches/0001-riscv-pthread_sigmask.patch
--- golang-github-containers-toolbox-0.0.99.2/debian/patches/0001-riscv-pthread_sigmask.patch	2022-01-17 13:10:40.000000000 +0100
+++ golang-github-containers-toolbox-0.0.99.2/debian/patches/0001-riscv-pthread_sigmask.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,18 +0,0 @@
-Add missing pthread_sigmask definition for riscv64
-
-Signed-off: Heinrich Schuchardt
-
-Bug-Ubuntu: 1958132
-Forwarded: no
-Last-Update: 2022-01-17
---- a/src/libc-wrappers/libc-wrappers.c
-+++ b/src/libc-wrappers/libc-wrappers.c
-@@ -26,6 +26,8 @@
- __asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.0");
- #elif defined __powerpc64__ && _CALL_ELF == 2 /* ppc64le */
- __asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.17");
-+#elif defined (__riscv) && __riscv_xlen == 64
-+__asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.27");
- #elif defined __s390x__
- __asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.2");
- #elif defined __x86_64__
diff -Nru golang-github-containers-toolbox-0.0.99.2/debian/patches/0005-build-Ensure-that-binaries-are-run-against-their-bui.patch golang-github-containers-toolbox-0.0.99.2/debian/patches/0005-build-Ensure-that-binaries-are-run-against-their-bui.patch
--- golang-github-containers-toolbox-0.0.99.2/debian/patches/0005-build-Ensure-that-binaries-are-run-against-their-bui.patch	1970-01-01 01:00:00.000000000 +0100
+++ golang-github-containers-toolbox-0.0.99.2/debian/patches/0005-build-Ensure-that-binaries-are-run-against-their-bui.patch	2023-07-12 20:01:51.000000000 +0200
@@ -0,0 +1,231 @@
+From: Debarshi Ray
+Date: Thu, 21 Oct 2021 20:22:11 +0200
+Subject: build: Ensure that binaries are run against their build-time ABI
+
+The /usr/bin/toolbox binary is not only used to interact with toolbox
+containers and images from the host. It's also used as the entry point
+of the containers by bind mounting the binary from the host into the
+container. This means that the /usr/bin/toolbox binary on the host must
+also work inside the container, even if they have different operating
+systems.
+
+In the past, this worked perfectly well with the POSIX shell
+implementation because it got intepreted by whichever /bin/sh was
+available. However, the Go implementation, can run into ABI
+compatibility issues because binaries built on newer toolchains aren't
+meant to be run against older runtimes.
+
+The previous approach [1] of restricting the versions of the glibc
+symbols that are linked against isn't actually supported by glibc, and
+breaks if the early process start-up code changes. This is seen in
+glibc-2.34, which is used by Fedora 35 onwards, where a new version of
+the __libc_start_main symbol [2] was added as part of some security
+hardening:
+ $ objdump -T ./usr/bin/toolbox | grep GLIBC_2.34
+ 0000000000000000 DF *UND* 0000000000000000 GLIBC_2.34
+ __libc_start_main
+ 0000000000000000 DF *UND* 0000000000000000 GLIBC_2.34
+ pthread_detach
+ 0000000000000000 DF *UND* 0000000000000000 GLIBC_2.34
+ pthread_create
+ 0000000000000000 DF *UND* 0000000000000000 GLIBC_2.34
+ pthread_attr_getstacksize
+
+This means that /usr/bin/toolbox binaries built against glibc-2.34 on
+newer Fedoras fail to run against older glibcs in older Fedoras.
+
+Another option is to make the host's runtime available inside the
+toolbox container and ensure that the binary always runs against it.
+
+Luckily, almost all supported containers have the host's /usr available
+at /run/host/usr. 
This is exploited by embedding RPATHs or RUNPATHs to
+/run/host/usr/lib and /run/host/usr/lib64 in the binary, and changing
+the path of the dynamic linker (ie., PT_INTERP) to the one inside
+/run/host.
+
+Unfortunately, there can only be one PT_INTERP entry inside the
+binary, so there must be a /run/host on the host too. Therefore, a
+/run/host symbolic link is created on the host that points to the
+host's /.
+
+Based on ideas from Alexander Larsson and Ray Strode.
+
+[1] Commit 6ad9c631806961f3
+ https://github.com/containers/toolbox/pull/534
+
+[2] glibc commit 035c012e32c11e84
+ https://sourceware.org/git/?p=glibc.git;a=commit;h=035c012e32c11e84
+ https://sourceware.org/bugzilla/show_bug.cgi?id=23323
+
+https://github.com/containers/toolbox/issues/821
+---
+ data/tmpfiles.d/toolbox.conf | 1 +
+ meson.build | 8 ++------
+ playbooks/setup-env.yaml | 1 +
+ src/go-build-wrapper | 17 +++++++++++++---
+ src/libc-wrappers/libc-wrappers.c | 42 ---------------------------------------
+ src/libc-wrappers/meson.build | 8 --------
+ src/meson.build | 4 ----
+ 7 files changed, 18 insertions(+), 63 deletions(-)
+ delete mode 100644 src/libc-wrappers/libc-wrappers.c
+ delete mode 100644 src/libc-wrappers/meson.build
+
+diff --git a/data/tmpfiles.d/toolbox.conf b/data/tmpfiles.d/toolbox.conf
+index f22b64a..1c93cb1 100644
+--- a/data/tmpfiles.d/toolbox.conf
++++ b/data/tmpfiles.d/toolbox.conf
+@@ -1 +1,2 @@
+ d /run/media 0755 root root
++L /run/host - - - - ../
+diff --git a/meson.build b/meson.build
+index 6824dd7..adec339 100644
+--- a/meson.build
++++ b/meson.build
+@@ -1,17 +1,13 @@
+ project(
+ 'toolbox',
+- 'c',
+ version: '0.0.99.2',
+ license: 'ASL 2.0',
+- meson_version: '>= 0.40.0',
++ meson_version: '>= 0.53.0',
+ )
+ 
+-cc = meson.get_compiler('c')
+-add_project_arguments('-pthread', language: 'c')
+-add_project_link_arguments('-pthread', language: 'c')
+-
+ go = find_program('go')
+ go_md2man = find_program('go-md2man')
++patchelf = find_program('patchelf')
+ 
shellcheck = find_program('shellcheck', required: false)
+ skopeo = find_program('skopeo', required: false)
+
+diff --git a/playbooks/setup-env.yaml b/playbooks/setup-env.yaml
+index f5f6216..70f9392 100644
+--- a/playbooks/setup-env.yaml
++++ b/playbooks/setup-env.yaml
+@@ -13,6 +13,7 @@
+ - golang-github-cpuguy83-md2man
+ - meson
+ - ninja-build
++ - patchelf
+ - podman
+ - skopeo
+ - systemd
+diff --git a/src/go-build-wrapper b/src/go-build-wrapper
+index 0d27120..677dca9 100755
+--- a/src/go-build-wrapper
++++ b/src/go-build-wrapper
+@@ -16,9 +16,9 @@
+ #
+ 
+ 
+-if [ "$#" -ne 4 ]; then
++if [ "$#" -ne 3 ]; then
+ echo "go-build-wrapper: wrong arguments" >&2
+- echo "Usage: go-build-wrapper [SOURCE DIR] [OUTPUT DIR] [VERSION] [libc-wrappers.a]" >&2
++ echo "Usage: go-build-wrapper [SOURCE DIR] [OUTPUT DIR] [VERSION]" >&2
+ exit 1
+ fi
+ 
+@@ -27,5 +27,16 @@ if ! cd "$1"; then
+ exit 1
+ fi
+ 
+-go build -trimpath -ldflags "-extldflags '-Wl,--wrap,pthread_sigmask $4' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -o "$2/toolbox"
++go build -trimpath -ldflags "-extldflags '-Wl,-rpath,/run/host/usr/lib -Wl,-rpath,/run/host/usr/lib64' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -o "$2/toolbox"
++
++if ! interpreter=$(patchelf --print-interpreter "$2/toolbox"); then
++ echo "go-build-wrapper: failed to read PT_INTERP from $2/toolbox" >&2
++ exit 1
++fi
++
++if ! patchelf --set-interpreter "/run/host$interpreter" "$2/toolbox"; then
++ echo "go-build-wrapper: failed to change PT_INTERP of $2/toolbox to /run/host$interpreter" >&2
++ exit 1
++fi
++
+ exit "$?"
+diff --git a/src/libc-wrappers/libc-wrappers.c b/src/libc-wrappers/libc-wrappers.c
+deleted file mode 100644
+index 7b402bc..0000000
+--- a/src/libc-wrappers/libc-wrappers.c
++++ /dev/null
+@@ -1,42 +0,0 @@
+-/*
+- * Copyright © 2020 – 2021 Red Hat Inc.
+- *
+- * Licensed under the Apache License, Version 2.0 (the "License");
+- * you may not use this file except in compliance with the License.
+- * You may obtain a copy of the License at
+- *
+- * http://www.apache.org/licenses/LICENSE-2.0
+- *
+- * Unless required by applicable law or agreed to in writing, software
+- * distributed under the License is distributed on an "AS IS" BASIS,
+- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+- * See the License for the specific language governing permissions and
+- * limitations under the License.
+- */
+-
+-
+-#include
+-
+-
+-#if defined __aarch64__
+-__asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.17");
+-#elif defined __arm__
+-__asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.4");
+-#elif defined __i386__
+-__asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.0");
+-#elif defined __powerpc64__ && _CALL_ELF == 2 /* ppc64le */
+-__asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.17");
+-#elif defined __s390x__
+-__asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.2");
+-#elif defined __x86_64__
+-__asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.2.5");
+-#else
+-#error "Please specify symbol version for pthread_sigmask"
+-#endif
+-
+-
+-int
+-__wrap_pthread_sigmask (int how, const sigset_t *set, sigset_t *oldset)
+-{
+- return pthread_sigmask (how, set, oldset);
+-}
+diff --git a/src/libc-wrappers/meson.build b/src/libc-wrappers/meson.build
+deleted file mode 100644
+index 3984ce4..0000000
+--- a/src/libc-wrappers/meson.build
++++ /dev/null
+@@ -1,8 +0,0 @@
+-sources = files(
+- 'libc-wrappers.c',
+-)
+-
+-libc_wrappers = static_library(
+- 'c-wrappers',
+- sources,
+-)
+diff --git a/src/meson.build b/src/meson.build
+index f76606d..759db1f 100644
+--- a/src/meson.build
++++ b/src/meson.build
+@@ -1,5 +1,3 @@
+-subdir('libc-wrappers')
+-
+ go_build_wrapper_file = files('go-build-wrapper')
+ go_build_wrapper_program = find_program('go-build-wrapper')
+ 
+@@ -28,9 +26,7 @@ custom_target(
+ meson.current_source_dir(),
+ meson.current_build_dir(),
+ meson.project_version(),
+- libc_wrappers.full_path(),
+ ],
+- depends: libc_wrappers,
+ input: sources,
+ install: true,
+ install_dir: get_option('bindir'),
diff -Nru golang-github-containers-toolbox-0.0.99.2/debian/patches/0006-build-Restore-backwards-compatibility-with-existing-.patch golang-github-containers-toolbox-0.0.99.2/debian/patches/0006-build-Restore-backwards-compatibility-with-existing-.patch
--- golang-github-containers-toolbox-0.0.99.2/debian/patches/0006-build-Restore-backwards-compatibility-with-existing-.patch	1970-01-01 01:00:00.000000000 +0100
+++ golang-github-containers-toolbox-0.0.99.2/debian/patches/0006-build-Restore-backwards-compatibility-with-existing-.patch	2023-07-12 20:01:51.000000000 +0200
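Review bot: The RPATH that go-build-wrapper now embeds (`-Wl,-rpath,/run/host/usr/lib -Wl,-rpath,/run/host/usr/lib64`) does not cover the multiarch library directory, so on the Debian/Ubuntu host this package is built for — where patch 0006's own description places the dynamic linker under /usr/lib/x86_64-linux-gnu — libc.so.6 is presumably in that same directory and would not be found through /run/host; the host's ld.so would then fall back to the container's ld.so.cache and default paths and load the container's libc, which is the very mismatch this change is meant to prevent. Consider deriving the directory at build time instead of hard-coding it, e.g. `libc_dir=$(dirname "$(readlink --canonicalize "$(cc -print-file-name=libc.so.6)")")` and `-Wl,-rpath,/run/host$libc_dir`, and check with `readelf -d usr/bin/toolbox` whether the toolchain emitted DT_RPATH or DT_RUNPATH, since a RUNPATH is consulted only after LD_LIBRARY_PATH and is ignored for transitive dependencies. The same hunk also loses the exit status of `go build` itself: a failed build now falls through to `patchelf --print-interpreter` and is reported as a PT_INTERP read error, so wrap it as `if ! go build ...; then echo "go-build-wrapper: go build failed" >&2; exit 1; fi`. Finally, the `L /run/host - - - - ../` tmpfiles entry becomes a hard requirement for the host binary to start at all; confirm that the package's maintainer scripts create it on upgrade (not visible in this diff) rather than leaving it to the next boot.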
@@ -0,0 +1,83 @@
+From: Debarshi Ray
+Date: Mon, 25 Oct 2021 02:55:09 +0200
+Subject: build: Restore backwards compatibility with existing containers
+
+The path of the dynamic linker (ie., PT_INTERP), as specified in an
+architecture's ABI, often starts with /lib or /lib64, not /usr/lib or
+/usr/lib64. eg., it's /lib/ld-linux-aarch64.so.1 for aarch64 and
+/lib64/ld-linux-x86-64.so.2 for x86_64.
+
+Unfortunately, until very recently [1], only the host's /usr was
+present inside a toolbox container's /run/host, not /lib or /lib64.
+Therefore, simply prepending /run/host to the /usr/bin/toolbox
+binary's existing PT_INTERP entry wouldn't locate the host's dynamic
+linker inside the toolbox container. This broke backwards compatibility
+with every container out there, except the ones created with the
+current development version in Git.
+
+To restore backwards compatibility, the /lib and /lib64 symbolic links
+must be resolved to their respective locations inside /usr.
+
+The following caveats must be noted:
+
+ * With glibc, even the basename of the path of the dynamic linker as
+ specified in an architecture's ABI, is a symbolic link to a file
+ named ld-.so. However, this file can't be used as
+ the PT_INTERP entry, because its name will change when glibc is
+ updated and the PT_INTERP entry will become invalid until the
+ /usr/bin/toolbox binary is rebuilt.
+
+ * On Debian, a path like /lib64/ld-linux-x86-64.so.2 doesn't resolve
+ to something inside /usr/lib64. Instead it ends up inside
+ /usr/lib/x86_64-linux-gnu through a series of symbolic links:
+ - /lib64 -> usr/lib64
+ - /usr/lib64/ld-linux-x86-64.so.2
+ -> /lib/x86_64-linux-gnu/ld-2.28.so
+ - /lib -> usr/lib
+
+ * It's assumed that a symbolic link with the basename specified in
+ the ABI lives in the same directory as the actual dynamic linker
+ binary named ld-.so. 
+
+Fallout from 6063eb27b98939942e316771224c5653a9b2e59b
+
+[1] Commit d03a5fee80f2f72d
+ https://github.com/containers/toolbox/pull/827
+
+https://github.com/containers/toolbox/issues/821
+---
+ src/go-build-wrapper | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/src/go-build-wrapper b/src/go-build-wrapper
+index 677dca9..24eac67 100755
+--- a/src/go-build-wrapper
++++ b/src/go-build-wrapper
+@@ -34,8 +34,25 @@ if ! interpreter=$(patchelf --print-interpreter "$2/toolbox"); then
+ exit 1
+ fi
+ 
+-if ! patchelf --set-interpreter "/run/host$interpreter" "$2/toolbox"; then
+- echo "go-build-wrapper: failed to change PT_INTERP of $2/toolbox to /run/host$interpreter" >&2
++if ! interpreter_canonical=$(readlink --canonicalize "$interpreter"); then
++ echo "go-build-wrapper: failed to canonicalize PT_INTERP" >&2
++ exit 1
++fi
++
++if ! interpreter_basename=$(basename "$interpreter"); then
++ echo "go-build-wrapper: failed to read the basename of PT_INTERP" >&2
++ exit 1
++fi
++
++if ! interpreter_canonical_dirname=$(dirname "$interpreter_canonical"); then
++ echo "go-build-wrapper: failed to read the dirname of the canonicalized PT_INTERP" >&2
++ exit 1
++fi
++
++interpreter="/run/host$interpreter_canonical_dirname/$interpreter_basename"
++
++if ! patchelf --set-interpreter "$interpreter" "$2/toolbox"; then
++ echo "go-build-wrapper: failed to change PT_INTERP of $2/toolbox to $interpreter" >&2
+ exit 1
+ fi
+ 
diff -Nru golang-github-containers-toolbox-0.0.99.2/debian/patches/series golang-github-containers-toolbox-0.0.99.2/debian/patches/series
--- golang-github-containers-toolbox-0.0.99.2/debian/patches/series	2022-01-17 13:01:03.000000000 +0100
+++ golang-github-containers-toolbox-0.0.99.2/debian/patches/series	2023-07-12 20:01:51.000000000 +0200
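Review bot: The assumption this patch states in its description — that a symlink named `$interpreter_basename` exists next to the canonical dynamic linker — is never verified in go-build-wrapper: `interpreter="/run/host$interpreter_canonical_dirname/$interpreter_basename"` goes straight into `patchelf --set-interpreter`, which succeeds whether or not that path exists on the build host, so a libc6 layout change could yield a binary that fails with a bare ENOENT at exec time instead of a build error. Add a guard before the patchelf call: `if [ ! -e "$interpreter_canonical_dirname/$interpreter_basename" ]; then echo "go-build-wrapper: $interpreter_canonical_dirname/$interpreter_basename not found" >&2; exit 1; fi`. A comment above the `interpreter=` line should also record that this bakes the build host's glibc layout into PT_INTERP, so the resulting package is tied to the libc6 file layout it was built against. The earlier lines of go-build-wrapper that populate `$interpreter` (the `patchelf --print-interpreter` call) lie outside this inner hunk.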
@@ -1,4 +1,5 @@
 0002-Do-not-use-versioned-go-module.patch
 0003-profile.d-Make-profile-more-generic.patch
 0004-profile.d-Use-etc-os-release-when-usr-lib-os-release.patch
-0001-riscv-pthread_sigmask.patch
+0005-build-Ensure-that-binaries-are-run-against-their-bui.patch
+0006-build-Restore-backwards-compatibility-with-existing-.patch