authorV3n3RiX <venerix@redcorelinux.org>2018-12-24 14:11:38 +0000
committerV3n3RiX <venerix@redcorelinux.org>2018-12-24 14:11:38 +0000
commitde49812990871e1705b64051c35161d5e6400269 (patch)
tree5e1e8fcb0ff4579dbd22a1bfee28a6b97dc8aaeb /mail-filter/amavisd-new/files
parent536c3711867ec947c1738f2c4b96f22e4863322d (diff)
gentoo resync : 24.12.2018
Diffstat (limited to 'mail-filter/amavisd-new/files')
-rw-r--r--mail-filter/amavisd-new/files/amavis-mc.initd-r118
-rw-r--r--mail-filter/amavisd-new/files/amavisd-snmp-subagent-zmq.initd26
-rw-r--r--mail-filter/amavisd-new/files/amavisd-snmp-subagent.initd25
-rw-r--r--mail-filter/amavisd-new/files/amavisd.initd45
-rw-r--r--mail-filter/amavisd-new/files/amavisd.initd-r242
-rw-r--r--mail-filter/amavisd-new/files/amavisd.service-r121
6 files changed, 132 insertions, 45 deletions
diff --git a/mail-filter/amavisd-new/files/amavis-mc.initd-r1 b/mail-filter/amavisd-new/files/amavis-mc.initd-r1
new file mode 100644
index 000000000000..6343d4255c4c
--- /dev/null
+++ b/mail-filter/amavisd-new/files/amavis-mc.initd-r1
@@ -0,0 +1,18 @@
+#!/sbin/openrc-run
+# Copyright 1999-2018 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+command="/usr/sbin/amavis-mc"
+pidfile="/run/${RC_SVCNAME}.pid"
+
+# Let OpenRC background this, because otherwise it will write its PID
+# file after dropping privileges which presents a security issue when
+# we go to `kill` the thing as root.
+command_args="-f"
+command_background="true"
+command_user="amavis:amavis"
+
+depend() {
+ use logger
+ before amavisd-new snmpd
+}
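Review bot: `before amavisd-new snmpd` in depend() probably names a service that does not exist, in which case OpenRC would silently ignore the intended ordering against the mail scanner. The main init script added in this commit sets `command="/usr/sbin/${RC_SVCNAME}"` and the systemd unit runs `/usr/sbin/amavisd`, which implies the service is installed as `amavisd`. Unless something elsewhere provides the name `amavisd-new`, the line should read `before amavisd snmpd`. The same line appears in depend() of amavisd-snmp-subagent-zmq.initd and amavisd-snmp-subagent.initd.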
diff --git a/mail-filter/amavisd-new/files/amavisd-snmp-subagent-zmq.initd b/mail-filter/amavisd-new/files/amavisd-snmp-subagent-zmq.initd
new file mode 100644
index 000000000000..7482a3f1d20b
--- /dev/null
+++ b/mail-filter/amavisd-new/files/amavisd-snmp-subagent-zmq.initd
@@ -0,0 +1,26 @@
+#!/sbin/openrc-run
+# Copyright 1999-2018 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+command="/usr/sbin/amavisd-snmp-subagent-zmq"
+pidfile="/run/${RC_SVCNAME}.pid"
+
+# The RELEASE_NOTES say "it is safe to run it as root, although
+# perhaps not necessary." I'm not in a position to test, but I bet
+# it's safe to run this as amavis:amavis. Since the program itself
+# doesn't have the ability to drop privileges, we'd have to let OpenRC
+# do that; and in that case, the easiest way to deal with the PID file
+# is to let OpenRC handle that, too.
+#
+# Thus as a means of future-proofing, we run $command in the
+# foreground, and let OpenRC background it and write a PID file. So
+# if somebody wants to try command_user="amavis:amavis" here, it might
+# just work.
+command_args="-f"
+command_background="true"
+
+depend() {
+ use logger
+ before amavisd-new snmpd
+ need amavis-mc
+}
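Review bot: No `command_user` is set here, so the subagent runs as root, and the comment block describes the future-proofing without stating that current fact. Because the comment already judges amavis:amavis likely safe, I would either set `command_user="amavis:amavis"` as amavis-mc.initd-r1 does, or say so plainly with `# NOTE: currently runs as root; command_user="amavis:amavis" is untested.` Whether the subagent can still reach snmpd and the amavis data unprivileged is not visible from this hunk and needs testing. The same applies to amavisd-snmp-subagent.initd.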
diff --git a/mail-filter/amavisd-new/files/amavisd-snmp-subagent.initd b/mail-filter/amavisd-new/files/amavisd-snmp-subagent.initd
new file mode 100644
index 000000000000..84784b619e2b
--- /dev/null
+++ b/mail-filter/amavisd-new/files/amavisd-snmp-subagent.initd
@@ -0,0 +1,25 @@
+#!/sbin/openrc-run
+# Copyright 1999-2018 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+command="/usr/sbin/amavisd-snmp-subagent"
+pidfile="/run/${RC_SVCNAME}.pid"
+
+# The RELEASE_NOTES say "it is safe to run it as root, although
+# perhaps not necessary." I'm not in a position to test, but I bet
+# it's safe to run this as amavis:amavis. Since the program itself
+# doesn't have the ability to drop privileges, we'd have to let OpenRC
+# do that; and in that case, the easiest way to deal with the PID file
+# is to let OpenRC handle that, too.
+#
+# Thus as a means of future-proofing, we run $command in the
+# foreground, and let OpenRC background it and write a PID file. So
+# if somebody wants to try command_user="amavis:amavis" here, it might
+# just work.
+command_args="-f"
+command_background="true"
+
+depend() {
+ use logger
+ before amavisd-new snmpd
+}
diff --git a/mail-filter/amavisd-new/files/amavisd.initd b/mail-filter/amavisd-new/files/amavisd.initd
deleted file mode 100644
index 4899296cc140..000000000000
--- a/mail-filter/amavisd-new/files/amavisd.initd
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2012 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-extra_started_commands="reload"
-extra_commands="debug debug_sa"
-
-prog="/usr/sbin/amavisd"
-progname="amavisd-new"
-
-depend() {
- need net
- use logger antivirus snmpd
- before mta
-}
-
-start() {
- ebegin "Starting ${progname}"
- "${prog}" start
- eend $?
-}
-
-stop() {
- ebegin "Stopping ${progname}"
- "${prog}" stop 1>/dev/null
- eend $?
-}
-
-reload() {
- ebegin "Reloading ${progname}"
- "${prog}" reload 1>/dev/null
- eend $?
-}
-
-debug() {
- ebegin "Starting ${progname} in debug mode"
- "${prog}" debug
- eend $?
-}
-
-debug_sa() {
- ebegin "Starting ${progname} in debug-sa mode"
- "${prog}" debug-sa
- eend $?
-}
diff --git a/mail-filter/amavisd-new/files/amavisd.initd-r2 b/mail-filter/amavisd-new/files/amavisd.initd-r2
new file mode 100644
index 000000000000..2e58bf9b7a93
--- /dev/null
+++ b/mail-filter/amavisd-new/files/amavisd.initd-r2
@@ -0,0 +1,42 @@
+#!/sbin/openrc-run
+# Copyright 1999-2018 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+extra_started_commands="reload"
+command="/usr/sbin/${RC_SVCNAME}"
+pidfile="/run/${RC_SVCNAME}.pid"
+
+# Why run in the foreground? Typically amavisd will drop privileges
+# and then write its own PID file in its home directory. This is fine
+# so long as you use e.g. "amavisd stop" to stop the daemon. But, we
+# want to use start-stop-daemon to do it. And start-stop-daemon will
+# send a signal *as root* to the PID contained in the PID file. So, we
+# don't want to rely on a PID file that's controlled by a non-root
+# user.
+#
+# As a workaround, we run amavisd in the foreground, and let
+# start-stop-daemon push it into the background with its own PID
+# file. We don't pass "-P" via command_args below because we don't
+# want amavisd to try (and fail) to create that PID file. This does
+# mean that you can't run "amavisd stop" or "amavisd reload" directly;
+# sorry!
+command_args="foreground"
+command_background="true"
+
+# The amavisd daemon provides its own "stop" and "reload" functions,
+# but if you read into the source, they just do what start-stop-daemon
+# is going to do anyway. The "stop" command for amavisd will send a
+# SIGTERM immediately, and then a SIGKILL after 60 seconds. So, we do
+# that too. The "reload" command sends a SIGHUP; see reload() below.
+retry="SIGTERM/15 SIGKILL/60"
+
+depend() {
+ use net logger antivirus snmpd
+ before mta
+}
+
+reload() {
+ ebegin "Reloading ${RC_SVCNAME}"
+ start-stop-daemon --signal HUP --pidfile "${pidfile}"
+ eend $?
+}
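Review bot: `retry="SIGTERM/15 SIGKILL/60"` does not do what the comment above it describes. In a start-stop-daemon retry schedule each number is the wait after that signal, so this sends SIGTERM, waits 15 seconds, then sends SIGKILL and waits 60. To match the stated "SIGTERM immediately, and then a SIGKILL after 60 seconds" it should be `retry="SIGTERM/60 SIGKILL/5"`. As written, a daemon still scanning mail is killed after 15 seconds, which risks abandoned work and leftover temporary files.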
diff --git a/mail-filter/amavisd-new/files/amavisd.service-r1 b/mail-filter/amavisd-new/files/amavisd.service-r1
new file mode 100644
index 000000000000..038712853551
--- /dev/null
+++ b/mail-filter/amavisd-new/files/amavisd.service-r1
@@ -0,0 +1,21 @@
+[Unit]
+Description=Amavisd Daemon
+Before=postfix.service
+After=clamd.service
+After=network.target
+
+[Service]
+User=amavis
+Group=amavis
+ExecStart=/usr/sbin/amavisd -c /etc/amavisd.conf foreground
+ExecReload=/usr/sbin/amavisd -c /etc/amavisd.conf reload
+PrivateTmp=true
+CapabilityBoundingSet=
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+ProtectHome=true
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target
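Review bot: `ExecReload=/usr/sbin/amavisd -c /etc/amavisd.conf reload` makes reload depend on the daemon's own PID file, while the OpenRC script in this commit deliberately avoids that file. Whether amavisd writes it when started with `foreground` is not visible here, so reload may fail for lack of a PID. Since the init script comments say reload is just a SIGHUP, `ExecReload=/bin/kill -HUP $MAINPID` would signal the process systemd already tracks and drop the dependency.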