Bug#924208: unblock: runc/1.0.0~rc6+dfsg1-3

[Shengjing Zhu <zhsj@debian.org>]

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package runc

-3 will be uploaded to unstable after ack, it

* Improve the patch for CVE-2019-5736. After the CVE published, there are
  more commits in upstream applied, and are nice to have for buster.
* Add version info to build flags, this fixes #909644

debdiff is in attachment, and can be viewed on salsa,
https://salsa.debian.org/go-team/packages/runc/compare/debian%2F1.0.0_rc6+dfsg1-2...master

unblock runc/1.0.0~rc6+dfsg1-3

diff -Nru runc-1.0.0~rc6+dfsg1/debian/changelog runc-1.0.0~rc6+dfsg1/debian/changelog
--- runc-1.0.0~rc6+dfsg1/debian/changelog	2019-02-12 23:45:09.000000000 +0800
+++ runc-1.0.0~rc6+dfsg1/debian/changelog	2019-03-10 17:51:44.000000000 +0800
@@ -1,3 +1,29 @@
+runc (1.0.0~rc6+dfsg1-3) unstable; urgency=medium
+
+  * Team upload.
+
+  [ Shengjing Zhu ]
+  * Improve patch for CVE-2019-5736 based on upstream commits.
+    Now the patch includes following commits:
+    + 2d4a37b nsenter: cloned_binary: userspace copy fallback if sendfile fails
+    + 16612d7 nsenter: cloned_binary: try to ro-bind /proc/self/exe before
+              copying
+    + af9da0a nsenter: cloned_binary: use the runc statedir for O_TMPFILE
+    + 2429d59 nsenter: cloned_binary: expand and add pre-3.11 fallbacks
+    + 5b775bf nsenter: cloned_binary: detect and handle short copies
+    + bb7d8b1 nsexec (CVE-2019-5736): avoid parsing environ
+    + 0a8e411 nsenter: clone /proc/self/exe to avoid exposing host binary to
+              container
+
+  [ Arnaud Rebillout ]
+  * Add version and gitcommit to the ldflags (Closes: #909644)
+    Note that we fill the git commit with something that is NOT a git commit
+    at all, instead we use it as a placeholder for the debian version. The
+    debian version is a relevant information for the user, and it's nice to
+    be able to show it, some way or another.
+
+ -- Shengjing Zhu <zhsj@debian.org>  Sun, 10 Mar 2019 17:51:44 +0800
+
 runc (1.0.0~rc6+dfsg1-2) unstable; urgency=medium
 
   * Team upload.
diff -Nru runc-1.0.0~rc6+dfsg1/debian/patches/CVE-2019-5736.patch runc-1.0.0~rc6+dfsg1/debian/patches/CVE-2019-5736.patch
--- runc-1.0.0~rc6+dfsg1/debian/patches/CVE-2019-5736.patch	2019-02-12 23:45:09.000000000 +0800
+++ runc-1.0.0~rc6+dfsg1/debian/patches/CVE-2019-5736.patch	2019-03-10 17:51:44.000000000 +0800
@@ -1,33 +1,31 @@
-Author: Aleksa Sarai <asarai@suse.de>
-Origin: https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b
-Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922050
-Subject: nsenter: clone /proc/self/exe to avoid exposing host binary to container
-    
-    There are quite a few circumstances where /proc/self/exe pointing to a
-    pretty important container binary is a _bad_ thing, so to avoid this we
-    have to make a copy (preferably doing self-clean-up and not being
-    writeable).
-    
-    We require memfd_create(2) -- though there is an O_TMPFILE fallback --
-    but we can always extend this to use a scratch MNT_DETACH overlayfs or
-    tmpfs. The main downside to this approach is no page-cache sharing for
-    the runc binary (which overlayfs would give us) but this is far less
-    complicated.
-    
-    This is only done during nsenter so that it happens transparently to the
-    Go code, and any libcontainer users benefit from it. This also makes
-    ExtraFiles and --preserve-fds handling trivial (because we don't need to
-    worry about it).
-    
-    Fixes: CVE-2019-5736
-    Co-developed-by: Christian Brauner <christian.brauner@ubuntu.com>
-    Signed-off-by: Aleksa Sarai <asarai@suse.de>
+From: Shengjing Zhu <zhsj@debian.org>
+Date: Sun, 10 Mar 2019 17:47:46 +0800
+Subject: CVE-2019-5736
 
-Index: runc-1.0.0~rc6+dfsg1/libcontainer/nsenter/cloned_binary.c
-===================================================================
+Backport upstream patches for CVE-2019-5736
+
+Include commits:
+2d4a37b427167907ef2402586a8e8e2931a22490 nsenter: cloned_binary: userspace copy fallback if sendfile fails
+16612d74de5f84977e50a9c8ead7f0e9e13b8628 nsenter: cloned_binary: try to ro-bind /proc/self/exe before copying
+af9da0a45082783f6005b252488943b5ee2e2138 nsenter: cloned_binary: use the runc statedir for O_TMPFILE
+2429d59352b81f6b9cc79b5ed26780c5fe6ba4ec nsenter: cloned_binary: expand and add pre-3.11 fallbacks
+5b775bf297c47a6bc50e36da89d1ec74a6fa01dc nsenter: cloned_binary: detect and handle short copies
+bb7d8b1f41f7bf0399204d54009d6da57c3cc775 nsexec (CVE-2019-5736): avoid parsing environ
+0a8e4117e7f715d5fbeef398405813ce8e88558b nsenter: clone /proc/self/exe to avoid exposing host binary to container
+
+Debian-Bug: https://bugs.debian.org/922050
+---
+ libcontainer/nsenter/cloned_binary.c | 516 +++++++++++++++++++++++++++++++++++
+ libcontainer/nsenter/nsexec.c        |  11 +
+ 2 files changed, 527 insertions(+)
+ create mode 100644 libcontainer/nsenter/cloned_binary.c
+
+diff --git a/libcontainer/nsenter/cloned_binary.c b/libcontainer/nsenter/cloned_binary.c
+new file mode 100644
+index 0000000..b410e29
 --- /dev/null
-+++ runc-1.0.0~rc6+dfsg1/libcontainer/nsenter/cloned_binary.c
-@@ -0,0 +1,268 @@
++++ b/libcontainer/nsenter/cloned_binary.c
+@@ -0,0 +1,516 @@
 +/*
 + * Copyright (C) 2019 Aleksa Sarai <cyphar@cyphar.com>
 + * Copyright (C) 2019 SUSE LLC
@@ -57,8 +55,10 @@
 +
 +#include <sys/types.h>
 +#include <sys/stat.h>
++#include <sys/statfs.h>
 +#include <sys/vfs.h>
 +#include <sys/mman.h>
++#include <sys/mount.h>
 +#include <sys/sendfile.h>
 +#include <sys/syscall.h>
 +
@@ -66,18 +66,21 @@
 +#if !defined(SYS_memfd_create) && defined(__NR_memfd_create)
 +#  define SYS_memfd_create __NR_memfd_create
 +#endif
-+#ifdef SYS_memfd_create
-+#  define HAVE_MEMFD_CREATE
 +/* memfd_create(2) flags -- copied from <linux/memfd.h>. */
-+#  ifndef MFD_CLOEXEC
-+#    define MFD_CLOEXEC       0x0001U
-+#    define MFD_ALLOW_SEALING 0x0002U
-+#  endif
++#ifndef MFD_CLOEXEC
++#  define MFD_CLOEXEC       0x0001U
++#  define MFD_ALLOW_SEALING 0x0002U
++#endif
 +int memfd_create(const char *name, unsigned int flags)
 +{
++#ifdef SYS_memfd_create
 +	return syscall(SYS_memfd_create, name, flags);
-+}
++#else
++	errno = ENOSYS;
++	return -1;
 +#endif
++}
++
 +
 +/* This comes directly from <linux/fcntl.h>. */
 +#ifndef F_LINUX_SPECIFIC_BASE
@@ -94,12 +97,10 @@
 +#  define F_SEAL_WRITE  0x0008	/* prevent writes */
 +#endif
 +
-+#define RUNC_SENDFILE_MAX 0x7FFFF000 /* sendfile(2) is limited to 2GB. */
-+#ifdef HAVE_MEMFD_CREATE
-+#  define RUNC_MEMFD_COMMENT "runc_cloned:/proc/self/exe"
-+#  define RUNC_MEMFD_SEALS \
++#define CLONED_BINARY_ENV "_LIBCONTAINER_CLONED_BINARY"
++#define RUNC_MEMFD_COMMENT "runc_cloned:/proc/self/exe"
++#define RUNC_MEMFD_SEALS \
 +	(F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)
-+#endif
 +
 +static void *must_realloc(void *ptr, size_t size)
 +{
@@ -118,28 +119,61 @@
 +static int is_self_cloned(void)
 +{
 +	int fd, ret, is_cloned = 0;
++	struct stat statbuf = {};
++	struct statfs fsbuf = {};
 +
 +	fd = open("/proc/self/exe", O_RDONLY|O_CLOEXEC);
 +	if (fd < 0)
 +		return -ENOTRECOVERABLE;
 +
-+#ifdef HAVE_MEMFD_CREATE
++	/*
++	 * Is the binary a fully-sealed memfd? We don't need CLONED_BINARY_ENV for
++	 * this, because you cannot write to a sealed memfd no matter what (so
++	 * sharing it isn't a bad thing -- and an admin could bind-mount a sealed
++	 * memfd to /usr/bin/runc to allow re-use).
++	 */
 +	ret = fcntl(fd, F_GET_SEALS);
-+	is_cloned = (ret == RUNC_MEMFD_SEALS);
-+#else
-+	struct stat statbuf = {0};
-+	ret = fstat(fd, &statbuf);
-+	if (ret >= 0)
-+		is_cloned = (statbuf.st_nlink == 0);
-+#endif
++	if (ret >= 0) {
++		is_cloned = (ret == RUNC_MEMFD_SEALS);
++		goto out;
++	}
++
++	/*
++	 * All other forms require CLONED_BINARY_ENV, since they are potentially
++	 * writeable (or we can't tell if they're fully safe) and thus we must
++	 * check the environment as an extra layer of defence.
++	 */
++	if (!getenv(CLONED_BINARY_ENV)) {
++		is_cloned = false;
++		goto out;
++	}
++
++	/*
++	 * Is the binary on a read-only filesystem? We can't detect bind-mounts in
++	 * particular (in-kernel they are identical to regular mounts) but we can
++	 * at least be sure that it's read-only. In addition, to make sure that
++	 * it's *our* bind-mount we check CLONED_BINARY_ENV.
++	 */
++	if (fstatfs(fd, &fsbuf) >= 0)
++		is_cloned |= (fsbuf.f_flags & MS_RDONLY);
++
++	/*
++	 * Okay, we're a tmpfile -- or we're currently running on RHEL <=7.6
++	 * which appears to have a borked backport of F_GET_SEALS. Either way,
++	 * having a file which has no hardlinks indicates that we aren't using
++	 * a host-side "runc" binary and this is something that a container
++	 * cannot fake (because unlinking requires being able to resolve the
++	 * path that you want to unlink).
++	 */
++	if (fstat(fd, &statbuf) >= 0)
++		is_cloned |= (statbuf.st_nlink == 0);
++
++out:
 +	close(fd);
 +	return is_cloned;
 +}
 +
-+/*
-+ * Basic wrapper around mmap(2) that gives you the file length so you can
-+ * safely treat it as an ordinary buffer. Only gives you read access.
-+ */
++/* Read a given file into a new buffer, and providing the length. */
 +static char *read_file(char *path, size_t *length)
 +{
 +	int fd;
@@ -154,7 +188,7 @@
 +
 +	*length = 0;
 +	for (;;) {
-+		int n;
++		ssize_t n;
 +
 +		n = read(fd, buf, sizeof(buf));
 +		if (n < 0)
@@ -199,107 +233,319 @@
 +}
 +
 +/*
-+ * "Parse" out argv and envp from /proc/self/cmdline and /proc/self/environ.
++ * "Parse" out argv from /proc/self/cmdline.
 + * This is necessary because we are running in a context where we don't have a
 + * main() that we can just get the arguments from.
 + */
-+static int fetchve(char ***argv, char ***envp)
++static int fetchve(char ***argv)
 +{
-+	char *cmdline = NULL, *environ = NULL;
-+	size_t cmdline_size, environ_size;
++	char *cmdline = NULL;
++	size_t cmdline_size;
 +
 +	cmdline = read_file("/proc/self/cmdline", &cmdline_size);
 +	if (!cmdline)
 +		goto error;
-+	environ = read_file("/proc/self/environ", &environ_size);
-+	if (!environ)
-+		goto error;
 +
 +	if (parse_xargs(cmdline, cmdline_size, argv) <= 0)
 +		goto error;
-+	if (parse_xargs(environ, environ_size, envp) <= 0)
-+		goto error;
 +
 +	return 0;
 +
 +error:
-+	free(environ);
 +	free(cmdline);
 +	return -EINVAL;
 +}
 +
-+static int clone_binary(void)
-+{
-+	int binfd, memfd;
-+	ssize_t sent = 0;
++enum {
++	EFD_NONE = 0,
++	EFD_MEMFD,
++	EFD_FILE,
++};
 +
-+#ifdef HAVE_MEMFD_CREATE
-+	memfd = memfd_create(RUNC_MEMFD_COMMENT, MFD_CLOEXEC | MFD_ALLOW_SEALING);
-+#else
-+	memfd = open("/tmp", O_TMPFILE | O_EXCL | O_RDWR | O_CLOEXEC, 0711);
++/*
++ * This comes from <linux/fcntl.h>. We can't hard-code __O_TMPFILE because it
++ * changes depending on the architecture. If we don't have O_TMPFILE we always
++ * have the mkostemp(3) fallback.
++ */
++#ifndef O_TMPFILE
++#  if defined(__O_TMPFILE) && defined(O_DIRECTORY)
++#    define O_TMPFILE (__O_TMPFILE | O_DIRECTORY)
++#  endif
 +#endif
-+	if (memfd < 0)
++
++static int make_execfd(int *fdtype)
++{
++	int fd = -1;
++	char template[PATH_MAX] = {0};
++	char *prefix = secure_getenv("_LIBCONTAINER_STATEDIR");
++
++	if (!prefix || *prefix != '/')
++		prefix = "/tmp";
++	if (snprintf(template, sizeof(template), "%s/runc.XXXXXX", prefix) < 0)
++		return -1;
++
++	/*
++	 * Now try memfd, it's much nicer than actually creating a file in STATEDIR
++	 * since it's easily detected thanks to sealing and also doesn't require
++	 * assumptions about STATEDIR.
++	 */
++	*fdtype = EFD_MEMFD;
++	fd = memfd_create(RUNC_MEMFD_COMMENT, MFD_CLOEXEC | MFD_ALLOW_SEALING);
++	if (fd >= 0)
++		return fd;
++	if (errno != ENOSYS && errno != EINVAL)
++		goto error;
++
++#ifdef O_TMPFILE
++	/*
++	 * Try O_TMPFILE to avoid races where someone might snatch our file. Note
++	 * that O_EXCL isn't actually a security measure here (since you can just
++	 * fd re-open it and clear O_EXCL).
++	 */
++	*fdtype = EFD_FILE;
++	fd = open(prefix, O_TMPFILE | O_EXCL | O_RDWR | O_CLOEXEC, 0700);
++	if (fd >= 0) {
++		struct stat statbuf = {};
++		bool working_otmpfile = false;
++
++		/*
++		 * open(2) ignores unknown O_* flags -- yeah, I was surprised when I
++		 * found this out too. As a result we can't check for EINVAL. However,
++		 * if we get nlink != 0 (or EISDIR) then we know that this kernel
++		 * doesn't support O_TMPFILE.
++		 */
++		if (fstat(fd, &statbuf) >= 0)
++			working_otmpfile = (statbuf.st_nlink == 0);
++
++		if (working_otmpfile)
++			return fd;
++
++		/* Pretend that we got EISDIR since O_TMPFILE failed. */
++		close(fd);
++		errno = EISDIR;
++	}
++	if (errno != EISDIR)
++		goto error;
++#endif /* defined(O_TMPFILE) */
++
++	/*
++	 * Our final option is to create a temporary file the old-school way, and
++	 * then unlink it so that nothing else sees it by accident.
++	 */
++	*fdtype = EFD_FILE;
++	fd = mkostemp(template, O_CLOEXEC);
++	if (fd >= 0) {
++		if (unlink(template) >= 0)
++			return fd;
++		close(fd);
++	}
++
++error:
++	*fdtype = EFD_NONE;
++	return -1;
++}
++
++static int seal_execfd(int *fd, int fdtype)
++{
++	switch (fdtype) {
++	case EFD_MEMFD:
++		return fcntl(*fd, F_ADD_SEALS, RUNC_MEMFD_SEALS);
++	case EFD_FILE: {
++		/* Need to re-open our pseudo-memfd as an O_PATH to avoid execve(2) giving -ETXTBSY. */
++		int newfd;
++		char fdpath[PATH_MAX] = {0};
++
++		if (fchmod(*fd, 0100) < 0)
++			return -1;
++
++		if (snprintf(fdpath, sizeof(fdpath), "/proc/self/fd/%d", *fd) < 0)
++			return -1;
++
++		newfd = open(fdpath, O_PATH | O_CLOEXEC);
++		if (newfd < 0)
++			return -1;
++
++		close(*fd);
++		*fd = newfd;
++		return 0;
++	}
++	default:
++	   break;
++	}
++	return -1;
++}
++
++static int try_bindfd(void)
++{
++	int fd, ret = -1;
++	char template[PATH_MAX] = {0};
++	char *prefix = secure_getenv("_LIBCONTAINER_STATEDIR");
++
++	if (!prefix || *prefix != '/')
++		prefix = "/tmp";
++	if (snprintf(template, sizeof(template), "%s/runc.XXXXXX", prefix) < 0)
++		return ret;
++
++	/*
++	 * We need somewhere to mount it, mounting anything over /proc/self is a
++	 * BAD idea on the host -- even if we do it temporarily.
++	 */
++	fd = mkstemp(template);
++	if (fd < 0)
++		return ret;
++	close(fd);
++
++	/*
++	 * For obvious reasons this won't work in rootless mode because we haven't
++	 * created a userns+mntns -- but getting that to work will be a bit
++	 * complicated and it's only worth doing if someone actually needs it.
++	 */
++	ret = -EPERM;
++	if (mount("/proc/self/exe", template, "", MS_BIND, "") < 0)
++		goto out;
++	if (mount("", template, "", MS_REMOUNT | MS_BIND | MS_RDONLY, "") < 0)
++		goto out_umount;
++
++
++	/* Get read-only handle that we're sure can't be made read-write. */
++	ret = open(template, O_PATH | O_CLOEXEC);
++
++out_umount:
++	/*
++	 * Make sure the MNT_DETACH works, otherwise we could get remounted
++	 * read-write and that would be quite bad (the fd would be made read-write
++	 * too, invalidating the protection).
++	 */
++	if (umount2(template, MNT_DETACH) < 0) {
++		if (ret >= 0)
++			close(ret);
++		ret = -ENOTRECOVERABLE;
++	}
++
++out:
++	/*
++	 * We don't care about unlink errors, the worst that happens is that
++	 * there's an empty file left around in STATEDIR.
++	 */
++	unlink(template);
++	return ret;
++}
++
++static ssize_t fd_to_fd(int outfd, int infd)
++{
++	ssize_t total = 0;
++	char buffer[4096];
++
++	for (;;) {
++		ssize_t nread, nwritten = 0;
++
++		nread = read(infd, buffer, sizeof(buffer));
++		if (nread < 0)
++			return -1;
++		if (!nread)
++			break;
++
++		do {
++			ssize_t n = write(outfd, buffer + nwritten, nread - nwritten);
++			if (n < 0)
++				return -1;
++			nwritten += n;
++		} while(nwritten < nread);
++
++		total += nwritten;
++	}
++
++	return total;
++}
++
++static int clone_binary(void)
++{
++	int binfd, execfd;
++	struct stat statbuf = {};
++	size_t sent = 0;
++	int fdtype = EFD_NONE;
++
++	/*
++	 * Before we resort to copying, let's try creating an ro-binfd in one shot
++	 * by getting a handle for a read-only bind-mount of the execfd.
++	 */
++	execfd = try_bindfd();
++	if (execfd >= 0)
++		return execfd;
++
++	/*
++	 * Dammit, that didn't work -- time to copy the binary to a safe place we
++	 * can seal the contents.
++	 */
++	execfd = make_execfd(&fdtype);
++	if (execfd < 0 || fdtype == EFD_NONE)
 +		return -ENOTRECOVERABLE;
 +
 +	binfd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
 +	if (binfd < 0)
 +		goto error;
 +
-+	sent = sendfile(memfd, binfd, NULL, RUNC_SENDFILE_MAX);
-+	close(binfd);
-+	if (sent < 0)
-+		goto error;
++	if (fstat(binfd, &statbuf) < 0)
++		goto error_binfd;
 +
-+#ifdef HAVE_MEMFD_CREATE
-+	int err = fcntl(memfd, F_ADD_SEALS, RUNC_MEMFD_SEALS);
-+	if (err < 0)
++	while (sent < statbuf.st_size) {
++		int n = sendfile(execfd, binfd, NULL, statbuf.st_size - sent);
++		if (n < 0) {
++			/* sendfile can fail so we fallback to a dumb user-space copy. */
++			n = fd_to_fd(execfd, binfd);
++			if (n < 0)
++				goto error_binfd;
++		}
++		sent += n;
++	}
++	close(binfd);
++	if (sent != statbuf.st_size)
 +		goto error;
-+#else
-+	/* Need to re-open "memfd" as read-only to avoid execve(2) giving -EXTBUSY. */
-+	int newfd;
-+	char *fdpath = NULL;
 +
-+	if (asprintf(&fdpath, "/proc/self/fd/%d", memfd) < 0)
-+		goto error;
-+	newfd = open(fdpath, O_RDONLY | O_CLOEXEC);
-+	free(fdpath);
-+	if (newfd < 0)
++	if (seal_execfd(&execfd, fdtype) < 0)
 +		goto error;
 +
-+	close(memfd);
-+	memfd = newfd;
-+#endif
-+	return memfd;
++	return execfd;
 +
++error_binfd:
++	close(binfd);
 +error:
-+	close(memfd);
++	close(execfd);
 +	return -EIO;
 +}
 +
++/* Get cheap access to the environment. */
++extern char **environ;
++
 +int ensure_cloned_binary(void)
 +{
 +	int execfd;
-+	char **argv = NULL, **envp = NULL;
++	char **argv = NULL;
 +
 +	/* Check that we're not self-cloned, and if we are then bail. */
 +	int cloned = is_self_cloned();
 +	if (cloned > 0 || cloned == -ENOTRECOVERABLE)
 +		return cloned;
 +
-+	if (fetchve(&argv, &envp) < 0)
++	if (fetchve(&argv) < 0)
 +		return -EINVAL;
 +
 +	execfd = clone_binary();
 +	if (execfd < 0)
 +		return -EIO;
 +
-+	fexecve(execfd, argv, envp);
++	if (putenv(CLONED_BINARY_ENV "=1"))
++		goto error;
++
++	fexecve(execfd, argv, environ);
++error:
++	close(execfd);
 +	return -ENOEXEC;
 +}
-Index: runc-1.0.0~rc6+dfsg1/libcontainer/nsenter/nsexec.c
-===================================================================
---- runc-1.0.0~rc6+dfsg1.orig/libcontainer/nsenter/nsexec.c
-+++ runc-1.0.0~rc6+dfsg1/libcontainer/nsenter/nsexec.c
+diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
+index 28269df..7750af3 100644
+--- a/libcontainer/nsenter/nsexec.c
++++ b/libcontainer/nsenter/nsexec.c
 @@ -534,6 +534,9 @@ void join_namespaces(char *nslist)
  	free(namespaces);
  }
diff -Nru runc-1.0.0~rc6+dfsg1/debian/rules runc-1.0.0~rc6+dfsg1/debian/rules
--- runc-1.0.0~rc6+dfsg1/debian/rules	2019-02-12 23:45:09.000000000 +0800
+++ runc-1.0.0~rc6+dfsg1/debian/rules	2019-03-10 17:51:44.000000000 +0800
@@ -5,7 +5,11 @@
 
 export DH_GOPKG := github.com/opencontainers/runc
 export DH_GOLANG_INSTALL_EXTRA := libcontainer/seccomp/fixtures
+
+include /usr/share/dpkg/pkg-info.mk
+
 TAGS=apparmor seccomp selinux ambient
+LDFLAGS := -X main.version=$(DEB_VERSION_UPSTREAM) -X main.gitCommit=$(DEB_VERSION)
 
 %:
 	dh $@ --buildsystem=golang --with=golang --builddirectory=_build
@@ -33,7 +37,7 @@
 #	ln -svrf vendor/github.com/opencontainers/specs  _build/src/github.com/opencontainers/
 
 override_dh_auto_build:
-	dh_auto_build -- -tags "$(TAGS)"
+	dh_auto_build -- -tags "$(TAGS)" -ldflags "$(LDFLAGS)"
 
 override_dh_auto_test:
 	DH_GOLANG_EXCLUDES="libcontainer/integration" \

Attachment: signature.asc
Description: PGP signature