author | Rahil Bhimjiani <me@rahil.rocks> | 2024-01-03 19:50:39 +0530 |
---|---|---|
committer | Zac Medico <zmedico@gentoo.org> | 2024-01-03 10:19:40 -0800 |
commit | dbfe243252380a5c8cf873578f543042d0ef6ae4 (patch) | |
tree | d1bba87e935bdde9485e2ec4a27618bfcd7ed217 /app-containers | |
parent | net-vpn/tailscale: drop 1.36.2, 1.38.4, 1.46.1 (diff) | |
app-containers/podman: add 4.8.3
Security
* Fixed GHSA-45x7-px36-x8w8
(https://github.com/advisories/GHSA-45x7-px36-x8w8) : CVE-2023-48795 by vendoring golang.org/x/crypto v0.17.0.
Signed-off-by: Rahil Bhimjiani <me@rahil.rocks>
Bug: https://bugs.gentoo.org/921290
Signed-off-by: Zac Medico <zmedico@gentoo.org>
Diffstat (limited to 'app-containers')
-rw-r--r-- | app-containers/podman/Manifest | 1 | ||||
-rw-r--r-- | app-containers/podman/podman-4.8.3.ebuild | 136 |
2 files changed, 137 insertions, 0 deletions
diff --git a/app-containers/podman/Manifest b/app-containers/podman/Manifest
index ad29f404deb0..56e74b08acbf 100644
--- a/app-containers/podman/Manifest
+++ b/app-containers/podman/Manifest
@@ -2,3 +2,4 @@ DIST podman-4.5.0.tar.gz 17423692 BLAKE2B ba28e77626bb4bcdb85b20031e12cf93f2eb31
 DIST podman-4.7.2.tar.gz 20554551 BLAKE2B a53bbe6b21145ab394b4a9bc540d4335ca6cdd0e0a98e741e5cfb8aa19aaeb2801ca8d117d42b0d66f618018a2d4b1d736fc851b58b661cbae6ee815712fb936 SHA512 1873a158f2e0527b6e57929f391c4ea5adee5fba33e861eb7744cd0ac845f7296f6149b5e824142e701e5b4db95466585206f37402298301f99cc40b781a51ba
 DIST podman-4.8.1.tar.gz 21569190 BLAKE2B ea142f6ee120008c96fa1edef9be9a22cd846483f37a42ce3e5755aefcc5d9ee0c22b85edc7677e4bc6e4416870d8a45b382018865170fa922e97700504d4682 SHA512 a9188b81d4f4babb04c5a44d8a3aefb73c5d8f53d056d32c5c8563f296e27fa4f4b60f6c8581bebb7ee47c3f760743fd386211906ef0a88249f78256b24a4764
 DIST podman-4.8.2.tar.gz 21561815 BLAKE2B 7e922f0c7efdd359793891895977662793f400cc54802f56a75e9acc9c7dedf3da4fb10212fb54734edcf9eba28219c4c6de875f002085c0a47cb50c9c41cd53 SHA512 4ad4d03010fc706bb53de4d5de4779f0f32f623cda301f5bbcfd9d2e8f443f2955d2c8b9278f4741aad72498e87081475a53d5e5b1ce8a28035e18aa6d5acb0c
+DIST podman-4.8.3.tar.gz 21565162 BLAKE2B 13d2e5800dce96ba8c1671f251c2809dc0166198b807978d44b6f10b4dd2095e909678a12518fed84a0a1b5eee5a71e944170eb55350c3af945a63910f9c8082 SHA512 13ade866b888d32ada3b38130d7cc4677591136e25234e040b478c5d002d1b7907ed46731996d25cc41b992b98b75f109c6e6eea44251f4ad89162b20266976d
diff --git a/app-containers/podman/podman-4.8.3.ebuild b/app-containers/podman/podman-4.8.3.ebuild
new file mode 100644
index 000000000000..e71d643e48de
--- /dev/null
+++ b/app-containers/podman/podman-4.8.3.ebuild
@@ -0,0 +1,136 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit go-module tmpfiles linux-info
+
+DESCRIPTION="A tool for managing OCI containers and pods with Docker-compatible CLI"
+HOMEPAGE="https://github.com/containers/podman/ https://podman.io/"
+
+if [[ ${PV} == 9999* ]]; then
+ inherit git-r3
+ EGIT_REPO_URI="https://github.com/containers/podman.git"
+else
+ SRC_URI="https://github.com/containers/podman/archive/v${PV/_rc/-rc}.tar.gz -> ${P}.tar.gz"
+ S="${WORKDIR}/${P/_rc/-rc}"
+ KEYWORDS="~amd64 ~arm64 ~riscv"
+fi
+
+# main pkg
+LICENSE="Apache-2.0"
+# deps
+LICENSE+=" BSD BSD-2 CC-BY-SA-4.0 ISC MIT MPL-2.0"
+SLOT="0"
+IUSE="apparmor btrfs cgroup-hybrid wrapper +fuse +init +rootless +seccomp selinux systemd"
+RESTRICT="test"
+
+RDEPEND="
+ app-crypt/gpgme:=
+ >=app-containers/conmon-2.0.0
+ >=app-containers/containers-common-0.56.0
+ dev-libs/libassuan:=
+ dev-libs/libgpg-error:=
+ sys-apps/shadow:=
+
+ apparmor? ( sys-libs/libapparmor )
+ btrfs? ( sys-fs/btrfs-progs )
+ cgroup-hybrid? ( >=app-containers/runc-1.0.0_rc6 )
+ !cgroup-hybrid? ( app-containers/crun )
+ wrapper? ( !app-containers/docker-cli )
+ fuse? ( sys-fs/fuse-overlayfs )
+ init? ( app-containers/catatonit )
+ rootless? ( app-containers/slirp4netns )
+ seccomp? ( sys-libs/libseccomp:= )
+ selinux? ( sec-policy/selinux-podman sys-libs/libselinux:= )
+ systemd? ( sys-apps/systemd:= )
+"
+DEPEND="${RDEPEND}"
+BDEPEND="
+ dev-go/go-md2man
+"
+
+PATCHES=(
+ "${FILESDIR}/seccomp-toggle-4.7.0.patch"
+)
+
+CONFIG_CHECK="
+ ~USER_NS
+"
+
+pkg_setup() {
+ use btrfs && CONFIG_CHECK+=" ~BTRFS_FS"
+ linux-info_pkg_setup
+}
+
+src_prepare() {
+ default
+
+ # assure necessary files are present
+ local file
+ for file in apparmor_tag btrfs_installed_tag btrfs_tag systemd_tag; do
+ [[ -f hack/"${file}".sh ]] || die
+ done
+
+ local feature
+ for feature in apparmor systemd; do
+ cat <<-EOF > hack/"${feature}"_tag.sh || die
+ #!/usr/bin/env bash
+ $(usex ${feature} "echo ${feature}" echo)
+ EOF
+ done
+
+ echo -e "#!/usr/bin/env bash\n echo" > hack/btrfs_installed_tag.sh || die
+ cat <<-EOF > hack/btrfs_tag.sh || die
+ #!/usr/bin/env bash
+ $(usex btrfs echo 'echo exclude_graphdriver_btrfs btrfs_noversion')
+ EOF
+}
+
+src_compile() {
+ export PREFIX="${EPREFIX}/usr"
+
+ # For non-live versions, prevent git operations which causes sandbox violations
+ # https://github.com/gentoo/gentoo/pull/33531#issuecomment-1786107493
+ [[ ${PV} != 9999* ]] && export COMMIT_NO="" GIT_COMMIT=""
+
+ # BUILD_SECCOMP is used in the patch to toggle seccomp
+ emake BUILDFLAGS="-v -work -x" GOMD2MAN="go-md2man" BUILD_SECCOMP="$(usex seccomp)" all $(usev wrapper docker-docs)
+}
+
+src_install() {
+ emake DESTDIR="${D}" install install.completions $(usev wrapper install.docker-full)
+
+ insinto /etc/cni/net.d
+ doins cni/87-podman-bridge.conflist
+
+ newconfd "${FILESDIR}"/podman.confd podman
+ newinitd "${FILESDIR}"/podman.initd podman
+
+ insinto /etc/logrotate.d
+ newins "${FILESDIR}/podman.logrotated" podman
+
+ keepdir /var/lib/containers
+}
+
+pkg_preinst() {
+ PODMAN_ROOTLESS_UPGRADE=false
+ if use rootless; then
+ has_version 'app-containers/podman[rootless]' || PODMAN_ROOTLESS_UPGRADE=true
+ fi
+}
+
+pkg_postinst() {
+ tmpfiles_process podman.conf $(usev wrapper podman-docker.conf)
+
+ local want_newline=false
+ if [[ ${PODMAN_ROOTLESS_UPGRADE} == true ]] ; then
+ ${want_newline} && elog ""
+ elog "For rootless operation, you need to configure subuid/subgid"
+ elog "for user running podman. In case subuid/subgid has only been"
+ elog "configured for root, run:"
+ elog "usermod --add-subuids 1065536-1131071 <user>"
+ elog "usermod --add-subgids 1065536-1131071 <user>"
+ want_newline=true
+ fi
+} |
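Review bot: The rootless hint in pkg_postinst prints the same fixed range, `usermod --add-subuids 1065536-1131071 <user>`, for every account. Two users who follow it verbatim get identical subordinate UID/GID ranges, so their rootless containers map onto the same host IDs and the per-user isolation that rootless mode is meant to give is weakened. I would add a line such as `elog "Choose a range that does not overlap any existing entry in /etc/subuid and /etc/subgid."` before the two usermod lines and present the numbers as an example. Separately, `want_newline` is set to false immediately before `${want_newline} && elog ""`, so that line never prints and both it and the variable can be dropped. `RESTRICT="test"` would also benefit from a one-line comment saying why the test suite is disabled.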