diff options
| author | V3n3RiX <venerix@redcorelinux.org> | 2019-02-20 15:11:50 +0000 |
|---|---|---|
| committer | V3n3RiX <venerix@redcorelinux.org> | 2019-02-20 15:11:50 +0000 |
| commit | 16449a80e28af2209916cc66d19c9a44ca2b90d9 (patch) | |
| tree | b4cfe2332c7a6c5da27b6985bf05db4508df1a92 /sys-apps/systemd | |
| parent | 79599515788b85b18aa655e7b7f8cc05c1bbddd8 (diff) | |
gentoo resync : 20.02.2019
Diffstat (limited to 'sys-apps/systemd')
7 files changed, 1404 insertions, 0 deletions
diff --git a/sys-apps/systemd/Manifest b/sys-apps/systemd/Manifest index bb1a74211030..a430d1528795 100644 --- a/sys-apps/systemd/Manifest +++ b/sys-apps/systemd/Manifest @@ -1,4 +1,8 @@ AUX 239-debug-extra.patch 1641 BLAKE2B 37dae0aa6fb95be3f6b7ad5647ddc7e6e7cf6654e0119c5a41280a0db630d13746d5aaa0d1de8e66f49525a0b5a25f4f1136e0b8edc27e628cc82b386f5c0759 SHA512 091f4a0a6d8f4f5963002f33ebafa36f00f7635caafa14ac618ed7c5e08538cffbe655930802e14a0f744851ed7acacc217d2ad7e625627eeb82e14cc3fabd4a +AUX CVE-2019-6454.patch 6017 BLAKE2B 8feefe11f44e4136c5fcf87160197bfbc0557d5097bc12275411887005bed1fe56a532d114e2e49527a7f35016a6b5fc04cb1086b33445402ace21eb880c02e9 SHA512 ff84ae9a043f17fd78c7fc499fe532c4d3b46dbe34f24c8289c209a026c1eda20de3ba46b67c8a5b14e9889e6362a4fb2097d550e6bcdb5182455fc569e23224 +AUX CVE-2019-6454/0001-Refuse-dbus-message-paths-longer-than-BUS_PATH_SIZE_.patch 1848 BLAKE2B 348c35881ce039f92d8fc8dc8c87af2efa95696afbe79ad8fc4e01129524bdf28b529ab86ec611d08446e589176c0678018d94d8c5fc068c65ab4eb429746cf9 SHA512 693afe328ebc20d34cbf07c632a8da90ee293147e793a599a4d2aac6f757738bfab93048a2f8ed6e68d16f865e9b4112e737c692ad01c7d4946f8c430714161d +AUX CVE-2019-6454/0002-Allocate-temporary-strings-to-hold-dbus-paths-on-the.patch 6660 BLAKE2B 45acb2595245a5cbd10c2a9c7ffa2db0c4bd5b03ef8dc25eb51fc35dd51a49b3acd18bf4cf8db7f639e7a4e61592f3ce0bcb031bf27b0bf3ae6fc96c74445f77 SHA512 7c082ab4effc36543bab08700b84a3ccddfba5d5e87b324d6b935d75f5debb7a5f7be1c2e21208e8d1715f5d40619c8f775629acdde40d3c7b2f406b5c6d9460 +AUX CVE-2019-6454/0003-sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch 1990 BLAKE2B 6ceae3c7abe20206dd4840080c2849bc22528a012d6639ae38778a538a991bb1557a8ed19772fe8101a2b3398577455302681f9f64288dc264c1ce9d2330cbdb SHA512 3433f3cad2cfadcf2975283c81aa42791d0286b2ba75f203673ee7447dddc6f279ef9113e6a08718e92570dcb941eb456f0ab09f534c85b9ef5766cd41cf74e5 AUX gentoo-Dont-enable-audit-by-default.patch 1027 BLAKE2B 9193a409db4e5c1dec6f6b66ee6e0a4cc1ada49d41ab758c788cf12534fffb67bd7370b8558a6af56572d7f2b73cf47db255fef105e56362c15f0a426f80b256 SHA512 44e512d8bbadbc5714192896a3ba262e460af034846e4e9b9832b4143fff772e2734e655316fd88d1ef386509bd234c195dce2087348f220836b3bf4f26790e0 AUX gentoo-generator-path-r1.patch 1037 BLAKE2B 5eb80521a6726c9b4693f9b0f56d3e68fca1a49f5f5eb5a1576329d30c93d2fe7c121920099d74962eacf7ed1d3747250f103a57e4be246320a99871521a3b6a SHA512 1b0d1c2f96cb4aa95adfa5940efaeb2bd940110720399358317906d21d08b0caf625474980e101bba001afd626f8ad64367b09b40bec0b2d46b977021c4adfc5 AUX gentoo-generator-path.patch 1046 BLAKE2B 648d1fff6874135267647ff6ffb52ddd9e991af64fb2b41909246c173e55709c49edd6e47245d566457ba9f55bf6d758ed837ff740f58004f2790b5565f8e462 SHA512 e9999afbf4d2d8a9e828d81dd0b54e2c2ba556e9778a4954dac3da885a15bc6dcc718f7e119c352eb2efd090e410735395ec20ce2eb3c84a481570bc8b5f66b3 @@ -16,8 +20,10 @@ DIST systemd-241-rc2.tar.gz 7619504 BLAKE2B 610940b3141d36a0534cf477d303eb681f41 DIST systemd-241.tar.gz 7640538 BLAKE2B 69d7196fee0d0ad06ea8d7c78b0299cc17517ecce3ca4c0b1181a3fbb13bc2627629156785051e2ff427dcc21414f7a078724c6409ebaa431618e4799ebcd50a SHA512 a7757574590e8aa37e1291ea0b2c5eb03a8d8062fe9462fa5b0bf50830c933e2b301d106c70d904f94afc0aa8e43a8acfd11926dfa25b1b89174580e491e545e EBUILD systemd-239-r2.ebuild 13285 BLAKE2B 7e7f55aea8c3d5670867a775c4941f1ed07fbdf26e6be8d11124a43bc6bd1352a4773578f93e797907c2b37c81564c2876f1e7d7d4ffa998f481c57bdbd825be SHA512 de7011bc15bcdd0080204a003fde07e62c093b7bdf2ce49df6e2359fb513a1d996efacba53bb1152b077a5513d494eb7a19ab2cc637c1e2470f08525b67cb0f2 EBUILD systemd-239-r3.ebuild 13285 BLAKE2B 831b7d2cd265398238077505749e0b8b474403275862409cb9fe27e7c3c8e05be48b855a96c8de6f5816b0691dbd94e99287bc04d65120f57479a38df2f07721 SHA512 3743f5b6d52b9306bb581c35d10f18e2c1cdcd2af95f465712d17f35af29aaea1715ad668c49317e83db78e4346ad5651f885e5a2156f728276ec13fb08a1345 +EBUILD systemd-239-r4.ebuild 13326 BLAKE2B 7af4a38c9a5a7622da93c5942314a5dad674b724ed13d1816e195aef8456335366ce6ecf9332d8a0ddc30a3eec4faaceef14261e7c31c5917eb9e91ab90322a3 SHA512 fb733cefe1f6b793101786f8a2a8866b2cf52cab93b01f4188b51411e6c63ec5ce7cb794a148d7736f1f3ee37d85c1c9b21204d75ad53e888101d5998a66a3ae EBUILD systemd-240-r3.ebuild 13371 BLAKE2B bc86925f04294fee6c9c53ac2e793338b34d8dd1b51c1bca1daa222440b35670a98d062a4059568ef43a010acb2746a467b54abccd465fb9e910453c590b800e SHA512 91d64b30469a5c54355c887c3f7ee12906f7f297ecfd0804116f753db6d8d4f8d7249ee589185b6cba3708ecc27a91c616f48811f32662b25930727e367f5ba6 EBUILD systemd-240-r4.ebuild 13371 BLAKE2B 5f6cb24820ba54d2ea130c890eedfa67d326565d6972fffa5a0c395d6de37c2d338879ad9b33153a4810ddf115d837104519b93e46f9c5e9c2c15d256dd7522d SHA512 9511413346e3e6d36ca141253315b5071635834b55d0892901657cf319afa62dd4169dddf861ebff0564156e812b3ef5e53d61d07ac54aa0c76afff7bcba219b +EBUILD systemd-241-r1.ebuild 13564 BLAKE2B 972ed3c9f1ab6c6420193b34f4629cd2b3cd15ee917fc04c2620835fb7d73b78b82ed25319204c26cd1dddfae6978cd688d9a26eea542e6365a808f97aa4bdb2 SHA512 ffa17abc62197ec7ce8342a50feaed31f543c43b2c444ff786d793906bdd89ac5edb9d4b568199aa9a0c7bb27a5f5cfdfda0df9f79dc44b6f3b676954a7d090a EBUILD systemd-241.ebuild 13376 BLAKE2B 02793e42d77682e5a38adcebd52a58ee715ae6c715a4f3c5f910b0b5e94d062217ea20aae017d94ad9bbbaafb2dc5764e68ba3bfa64a06d90982dc62b8b044bb SHA512 5cb2ef13042a7fd1f09fa47c45c64ca0dc57288f4190c69ac6b9972981d23520ee66d7be8242d75fcf905c7859316c60041c0aa5c1f67f31dea38376610008f0 EBUILD systemd-241_rc1.ebuild 13376 BLAKE2B 02793e42d77682e5a38adcebd52a58ee715ae6c715a4f3c5f910b0b5e94d062217ea20aae017d94ad9bbbaafb2dc5764e68ba3bfa64a06d90982dc62b8b044bb SHA512 5cb2ef13042a7fd1f09fa47c45c64ca0dc57288f4190c69ac6b9972981d23520ee66d7be8242d75fcf905c7859316c60041c0aa5c1f67f31dea38376610008f0 EBUILD systemd-241_rc2.ebuild 13376 BLAKE2B 02793e42d77682e5a38adcebd52a58ee715ae6c715a4f3c5f910b0b5e94d062217ea20aae017d94ad9bbbaafb2dc5764e68ba3bfa64a06d90982dc62b8b044bb SHA512 5cb2ef13042a7fd1f09fa47c45c64ca0dc57288f4190c69ac6b9972981d23520ee66d7be8242d75fcf905c7859316c60041c0aa5c1f67f31dea38376610008f0 diff --git a/sys-apps/systemd/files/CVE-2019-6454.patch b/sys-apps/systemd/files/CVE-2019-6454.patch new file mode 100644 index 000000000000..97b7d635e7d6 --- /dev/null +++ b/sys-apps/systemd/files/CVE-2019-6454.patch @@ -0,0 +1,198 @@ +--- a/src/libsystemd/sd-bus/bus-internal.c ++++ b/src/libsystemd/sd-bus/bus-internal.c +@@ -45,7 +45,7 @@ + if (slash) + return false; + +- return true; ++ return (q - p) <= BUS_PATH_SIZE_MAX; + } + + char* object_path_startswith(const char *a, const char *b) { +--- a/src/libsystemd/sd-bus/bus-internal.h ++++ b/src/libsystemd/sd-bus/bus-internal.h +@@ -333,6 +333,10 @@ + + #define BUS_MESSAGE_SIZE_MAX (128*1024*1024) + #define BUS_AUTH_SIZE_MAX (64*1024) ++/* Note that the D-Bus specification states that bus paths shall have no size limit. We enforce here one ++ * anyway, since truly unbounded strings are a security problem. The limit we pick is relatively large however, ++ * to not clash unnecessarily with real-life applications. */ ++#define BUS_PATH_SIZE_MAX (64*1024) + + #define BUS_CONTAINER_DEPTH 128 + +--- a/src/libsystemd/sd-bus/bus-objects.c ++++ b/src/libsystemd/sd-bus/bus-objects.c +@@ -1134,7 +1134,8 @@ + const char *path, + sd_bus_error *error) { + +- char *prefix; ++ _cleanup_free_ char *prefix = NULL; ++ size_t pl; + int r; + + assert(bus); +@@ -1150,7 +1151,12 @@ + return 0; + + /* Second, add fallback vtables registered for any of the prefixes */ +- prefix = alloca(strlen(path) + 1); ++ pl = strlen(path); ++ assert(pl <= BUS_PATH_SIZE_MAX); ++ prefix = new(char, pl + 1); ++ if (!prefix) ++ return -ENOMEM; ++ + OBJECT_PATH_FOREACH_PREFIX(prefix, path) { + r = object_manager_serialize_path(bus, reply, prefix, path, true, error); + if (r < 0) +@@ -1346,6 +1352,7 @@ + } + + int bus_process_object(sd_bus *bus, sd_bus_message *m) { ++ _cleanup_free_ char *prefix = NULL; + int r; + size_t pl; + bool found_object = false; +@@ -1370,9 +1377,12 @@ + assert(m->member); + + pl = strlen(m->path); +- do { +- char prefix[pl+1]; ++ assert(pl <= BUS_PATH_SIZE_MAX); ++ prefix = new(char, pl + 1); ++ if (!prefix) ++ return -ENOMEM; + ++ do { + bus->nodes_modified = false; + + r = object_find_and_run(bus, m, m->path, false, &found_object); +@@ -1499,9 +1509,15 @@ + + n = hashmap_get(bus->nodes, path); + if (!n) { +- char *prefix; ++ _cleanup_free_ char *prefix = NULL; ++ size_t pl; ++ ++ pl = strlen(path); ++ assert(pl <= BUS_PATH_SIZE_MAX); ++ prefix = new(char, pl + 1); ++ if (!prefix) ++ return -ENOMEM; + +- prefix = alloca(strlen(path) + 1); + OBJECT_PATH_FOREACH_PREFIX(prefix, path) { + n = hashmap_get(bus->nodes, prefix); + if (n) +@@ -2091,8 +2107,9 @@ + char **names) { + + BUS_DONT_DESTROY(bus); ++ _cleanup_free_ char *prefix = NULL; + bool found_interface = false; +- char *prefix; ++ size_t pl; + int r; + + assert_return(bus, -EINVAL); +@@ -2111,6 +2128,12 @@ + if (names && names[0] == NULL) + return 0; + ++ pl = strlen(path); ++ assert(pl <= BUS_PATH_SIZE_MAX); ++ prefix = new(char, pl + 1); ++ if (!prefix) ++ return -ENOMEM; ++ + do { + bus->nodes_modified = false; + +@@ -2120,7 +2143,6 @@ + if (bus->nodes_modified) + continue; + +- prefix = alloca(strlen(path) + 1); + OBJECT_PATH_FOREACH_PREFIX(prefix, path) { + r = emit_properties_changed_on_interface(bus, prefix, path, interface, true, &found_interface, names); + if (r != 0) +@@ -2252,7 +2274,8 @@ + + static int object_added_append_all(sd_bus *bus, sd_bus_message *m, const char *path) { + _cleanup_set_free_ Set *s = NULL; +- char *prefix; ++ _cleanup_free_ char *prefix = NULL; ++ size_t pl; + int r; + + assert(bus); +@@ -2297,7 +2320,12 @@ + if (bus->nodes_modified) + return 0; + +- prefix = alloca(strlen(path) + 1); ++ pl = strlen(path); ++ assert(pl <= BUS_PATH_SIZE_MAX); ++ prefix = new(char, pl + 1); ++ if (!prefix) ++ return -ENOMEM; ++ + OBJECT_PATH_FOREACH_PREFIX(prefix, path) { + r = object_added_append_all_prefix(bus, m, s, prefix, path, true); + if (r < 0) +@@ -2436,7 +2464,8 @@ + + static int object_removed_append_all(sd_bus *bus, sd_bus_message *m, const char *path) { + _cleanup_set_free_ Set *s = NULL; +- char *prefix; ++ _cleanup_free_ char *prefix = NULL; ++ size_t pl; + int r; + + assert(bus); +@@ -2468,7 +2497,12 @@ + if (bus->nodes_modified) + return 0; + +- prefix = alloca(strlen(path) + 1); ++ pl = strlen(path); ++ assert(pl <= BUS_PATH_SIZE_MAX); ++ prefix = new(char, pl + 1); ++ if (!prefix) ++ return -ENOMEM; ++ + OBJECT_PATH_FOREACH_PREFIX(prefix, path) { + r = object_removed_append_all_prefix(bus, m, s, prefix, path, true); + if (r < 0) +@@ -2618,7 +2652,8 @@ + const char *path, + const char *interface) { + +- char *prefix; ++ _cleanup_free_ char *prefix = NULL; ++ size_t pl; + int r; + + assert(bus); +@@ -2632,7 +2667,12 @@ + if (bus->nodes_modified) + return 0; + +- prefix = alloca(strlen(path) + 1); ++ pl = strlen(path); ++ assert(pl <= BUS_PATH_SIZE_MAX); ++ prefix = new(char, pl + 1); ++ if (!prefix) ++ return -ENOMEM; ++ + OBJECT_PATH_FOREACH_PREFIX(prefix, path) { + r = interfaces_added_append_one_prefix(bus, m, prefix, path, interface, true); + if (r != 0) + + + diff --git a/sys-apps/systemd/files/CVE-2019-6454/0001-Refuse-dbus-message-paths-longer-than-BUS_PATH_SIZE_.patch b/sys-apps/systemd/files/CVE-2019-6454/0001-Refuse-dbus-message-paths-longer-than-BUS_PATH_SIZE_.patch new file mode 100644 index 000000000000..6a0c8d1b0c51 --- /dev/null +++ b/sys-apps/systemd/files/CVE-2019-6454/0001-Refuse-dbus-message-paths-longer-than-BUS_PATH_SIZE_.patch @@ -0,0 +1,48 @@ +From 29de632674473729d1e9497b6fe47e7c88682ed9 Mon Sep 17 00:00:00 2001 +From: Riccardo Schirone <rschiron@redhat.com> +Date: Mon, 4 Feb 2019 14:29:09 +0100 +Subject: [PATCH 1/3] Refuse dbus message paths longer than BUS_PATH_SIZE_MAX + limit. + +Even though the dbus specification does not enforce any length limit on the +path of a dbus message, having to analyze too long strings in PID1 may be +time-consuming and it may have security impacts. + +In any case, the limit is set so high that real-life applications should not +have a problem with it. +--- + src/libsystemd/sd-bus/bus-internal.c | 2 +- + src/libsystemd/sd-bus/bus-internal.h | 4 ++++ + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/libsystemd/sd-bus/bus-internal.c b/src/libsystemd/sd-bus/bus-internal.c +index 40acae2133..598b7f110c 100644 +--- a/src/libsystemd/sd-bus/bus-internal.c ++++ b/src/libsystemd/sd-bus/bus-internal.c +@@ -43,7 +43,7 @@ bool object_path_is_valid(const char *p) { + if (slash) + return false; + +- return true; ++ return (q - p) <= BUS_PATH_SIZE_MAX; + } + + char* object_path_startswith(const char *a, const char *b) { +diff --git a/src/libsystemd/sd-bus/bus-internal.h b/src/libsystemd/sd-bus/bus-internal.h +index f208b294d8..a8d61bf72a 100644 +--- a/src/libsystemd/sd-bus/bus-internal.h ++++ b/src/libsystemd/sd-bus/bus-internal.h +@@ -332,6 +332,10 @@ struct sd_bus { + + #define BUS_MESSAGE_SIZE_MAX (128*1024*1024) + #define BUS_AUTH_SIZE_MAX (64*1024) ++/* Note that the D-Bus specification states that bus paths shall have no size limit. We enforce here one ++ * anyway, since truly unbounded strings are a security problem. The limit we pick is relatively large however, ++ * to not clash unnecessarily with real-life applications. */ ++#define BUS_PATH_SIZE_MAX (64*1024) + + #define BUS_CONTAINER_DEPTH 128 + +-- +2.20.1 + diff --git a/sys-apps/systemd/files/CVE-2019-6454/0002-Allocate-temporary-strings-to-hold-dbus-paths-on-the.patch b/sys-apps/systemd/files/CVE-2019-6454/0002-Allocate-temporary-strings-to-hold-dbus-paths-on-the.patch new file mode 100644 index 000000000000..bbc6db974d4a --- /dev/null +++ b/sys-apps/systemd/files/CVE-2019-6454/0002-Allocate-temporary-strings-to-hold-dbus-paths-on-the.patch @@ -0,0 +1,188 @@ +From 1ffe59592c5cbf924eb81a3662b4252ba6de7132 Mon Sep 17 00:00:00 2001 +From: Riccardo Schirone <rschiron@redhat.com> +Date: Mon, 4 Feb 2019 14:29:28 +0100 +Subject: [PATCH 2/3] Allocate temporary strings to hold dbus paths on the heap + +Paths are limited to BUS_PATH_SIZE_MAX but the maximum size is anyway too big +to be allocated on the stack, so let's switch to the heap where there is a +clear way to understand if the allocation fails. +--- + src/libsystemd/sd-bus/bus-objects.c | 68 +++++++++++++++++++++++------ + 1 file changed, 54 insertions(+), 14 deletions(-) + +diff --git a/src/libsystemd/sd-bus/bus-objects.c b/src/libsystemd/sd-bus/bus-objects.c +index 58329f3fe7..54b977418e 100644 +--- a/src/libsystemd/sd-bus/bus-objects.c ++++ b/src/libsystemd/sd-bus/bus-objects.c +@@ -1133,7 +1133,8 @@ static int object_manager_serialize_path_and_fallbacks( + const char *path, + sd_bus_error *error) { + +- char *prefix; ++ _cleanup_free_ char *prefix = NULL; ++ size_t pl; + int r; + + assert(bus); +@@ -1149,7 +1150,12 @@ static int object_manager_serialize_path_and_fallbacks( + return 0; + + /* Second, add fallback vtables registered for any of the prefixes */ +- prefix = newa(char, strlen(path) + 1); ++ pl = strlen(path); ++ assert(pl <= BUS_PATH_SIZE_MAX); ++ prefix = new(char, pl + 1); ++ if (!prefix) ++ return -ENOMEM; ++ + OBJECT_PATH_FOREACH_PREFIX(prefix, path) { + r = object_manager_serialize_path(bus, reply, prefix, path, true, error); + if (r < 0) +@@ -1345,6 +1351,7 @@ static int object_find_and_run( + } + + int bus_process_object(sd_bus *bus, sd_bus_message *m) { ++ _cleanup_free_ char *prefix = NULL; + int r; + size_t pl; + bool found_object = false; +@@ -1369,9 +1376,12 @@ int bus_process_object(sd_bus *bus, sd_bus_message *m) { + assert(m->member); + + pl = strlen(m->path); +- do { +- char prefix[pl+1]; ++ assert(pl <= BUS_PATH_SIZE_MAX); ++ prefix = new(char, pl + 1); ++ if (!prefix) ++ return -ENOMEM; + ++ do { + bus->nodes_modified = false; + + r = object_find_and_run(bus, m, m->path, false, &found_object); +@@ -1498,9 +1508,15 @@ static int bus_find_parent_object_manager(sd_bus *bus, struct node **out, const + + n = hashmap_get(bus->nodes, path); + if (!n) { +- char *prefix; ++ _cleanup_free_ char *prefix = NULL; ++ size_t pl; ++ ++ pl = strlen(path); ++ assert(pl <= BUS_PATH_SIZE_MAX); ++ prefix = new(char, pl + 1); ++ if (!prefix) ++ return -ENOMEM; + +- prefix = newa(char, strlen(path) + 1); + OBJECT_PATH_FOREACH_PREFIX(prefix, path) { + n = hashmap_get(bus->nodes, prefix); + if (n) +@@ -2083,8 +2099,9 @@ _public_ int sd_bus_emit_properties_changed_strv( + const char *interface, + char **names) { + ++ _cleanup_free_ char *prefix = NULL; + bool found_interface = false; +- char *prefix; ++ size_t pl; + int r; + + assert_return(bus, -EINVAL); +@@ -2105,6 +2122,12 @@ _public_ int sd_bus_emit_properties_changed_strv( + + BUS_DONT_DESTROY(bus); + ++ pl = strlen(path); ++ assert(pl <= BUS_PATH_SIZE_MAX); ++ prefix = new(char, pl + 1); ++ if (!prefix) ++ return -ENOMEM; ++ + do { + bus->nodes_modified = false; + +@@ -2114,7 +2137,6 @@ _public_ int sd_bus_emit_properties_changed_strv( + if (bus->nodes_modified) + continue; + +- prefix = newa(char, strlen(path) + 1); + OBJECT_PATH_FOREACH_PREFIX(prefix, path) { + r = emit_properties_changed_on_interface(bus, prefix, path, interface, true, &found_interface, names); + if (r != 0) +@@ -2246,7 +2268,8 @@ static int object_added_append_all_prefix( + + static int object_added_append_all(sd_bus *bus, sd_bus_message *m, const char *path) { + _cleanup_set_free_ Set *s = NULL; +- char *prefix; ++ _cleanup_free_ char *prefix = NULL; ++ size_t pl; + int r; + + assert(bus); +@@ -2291,7 +2314,12 @@ static int object_added_append_all(sd_bus *bus, sd_bus_message *m, const char *p + if (bus->nodes_modified) + return 0; + +- prefix = newa(char, strlen(path) + 1); ++ pl = strlen(path); ++ assert(pl <= BUS_PATH_SIZE_MAX); ++ prefix = new(char, pl + 1); ++ if (!prefix) ++ return -ENOMEM; ++ + OBJECT_PATH_FOREACH_PREFIX(prefix, path) { + r = object_added_append_all_prefix(bus, m, s, prefix, path, true); + if (r < 0) +@@ -2430,7 +2458,8 @@ static int object_removed_append_all_prefix( + + static int object_removed_append_all(sd_bus *bus, sd_bus_message *m, const char *path) { + _cleanup_set_free_ Set *s = NULL; +- char *prefix; ++ _cleanup_free_ char *prefix = NULL; ++ size_t pl; + int r; + + assert(bus); +@@ -2462,7 +2491,12 @@ static int object_removed_append_all(sd_bus *bus, sd_bus_message *m, const char + if (bus->nodes_modified) + return 0; + +- prefix = newa(char, strlen(path) + 1); ++ pl = strlen(path); ++ assert(pl <= BUS_PATH_SIZE_MAX); ++ prefix = new(char, pl + 1); ++ if (!prefix) ++ return -ENOMEM; ++ + OBJECT_PATH_FOREACH_PREFIX(prefix, path) { + r = object_removed_append_all_prefix(bus, m, s, prefix, path, true); + if (r < 0) +@@ -2612,7 +2646,8 @@ static int interfaces_added_append_one( + const char *path, + const char *interface) { + +- char *prefix; ++ _cleanup_free_ char *prefix = NULL; ++ size_t pl; + int r; + + assert(bus); +@@ -2626,7 +2661,12 @@ static int interfaces_added_append_one( + if (bus->nodes_modified) + return 0; + +- prefix = newa(char, strlen(path) + 1); ++ pl = strlen(path); ++ assert(pl <= BUS_PATH_SIZE_MAX); ++ prefix = new(char, pl + 1); ++ if (!prefix) ++ return -ENOMEM; ++ + OBJECT_PATH_FOREACH_PREFIX(prefix, path) { + r = interfaces_added_append_one_prefix(bus, m, prefix, path, interface, true); + if (r != 0) +-- +2.20.1 + diff --git a/sys-apps/systemd/files/CVE-2019-6454/0003-sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch b/sys-apps/systemd/files/CVE-2019-6454/0003-sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch new file mode 100644 index 000000000000..cc03893a588d --- /dev/null +++ b/sys-apps/systemd/files/CVE-2019-6454/0003-sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch @@ -0,0 +1,54 @@ +From 8d3cea620ab661897fb485ece7332a9073c1783d Mon Sep 17 00:00:00 2001 +From: Lennart Poettering <lennart@poettering.net> +Date: Wed, 13 Feb 2019 16:51:22 +0100 +Subject: [PATCH 3/3] sd-bus: if we receive an invalid dbus message, ignore and + proceeed + +dbus-daemon might have a slightly different idea of what a valid msg is +than us (for example regarding valid msg and field sizes). Let's hence +try to proceed if we can and thus drop messages rather than fail the +connection if we fail to validate a message. + +Hopefully the differences in what is considered valid are not visible +for real-life usecases, but are specific to exploit attempts only. +--- + src/libsystemd/sd-bus/bus-socket.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/src/libsystemd/sd-bus/bus-socket.c b/src/libsystemd/sd-bus/bus-socket.c +index 30d6455b6f..441b4a816f 100644 +--- a/src/libsystemd/sd-bus/bus-socket.c ++++ b/src/libsystemd/sd-bus/bus-socket.c +@@ -1072,7 +1072,7 @@ static int bus_socket_read_message_need(sd_bus *bus, size_t *need) { + } + + static int bus_socket_make_message(sd_bus *bus, size_t size) { +- sd_bus_message *t; ++ sd_bus_message *t = NULL; + void *b; + int r; + +@@ -1097,7 +1097,9 @@ static int bus_socket_make_message(sd_bus *bus, size_t size) { + bus->fds, bus->n_fds, + NULL, + &t); +- if (r < 0) { ++ if (r == -EBADMSG) ++ log_debug_errno(r, "Received invalid message from connection %s, dropping.", strna(bus->description)); ++ else if (r < 0) { + free(b); + return r; + } +@@ -1108,7 +1110,8 @@ static int bus_socket_make_message(sd_bus *bus, size_t size) { + bus->fds = NULL; + bus->n_fds = 0; + +- bus->rqueue[bus->rqueue_size++] = t; ++ if (t) ++ bus->rqueue[bus->rqueue_size++] = t; + + return 1; + } +-- +2.20.1 + diff --git a/sys-apps/systemd/systemd-239-r4.ebuild b/sys-apps/systemd/systemd-239-r4.ebuild new file mode 100644 index 000000000000..5671a5ed37ca --- /dev/null +++ b/sys-apps/systemd/systemd-239-r4.ebuild @@ -0,0 +1,449 @@ +# Copyright 2011-2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=6 + +if [[ ${PV} == 9999 ]]; then + EGIT_REPO_URI="https://github.com/systemd/systemd.git" + inherit git-r3 +else + SRC_URI="https://github.com/systemd/systemd/archive/v${PV}/${P}.tar.gz + https://dev.gentoo.org/~floppym/dist/${P}-patches-2.tar.gz" + KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc x86" +fi + +PYTHON_COMPAT=( python{3_4,3_5,3_6,3_7} ) + +inherit bash-completion-r1 linux-info meson multilib-minimal ninja-utils pam python-any-r1 systemd toolchain-funcs udev user + +DESCRIPTION="System and service manager for Linux" +HOMEPAGE="https://www.freedesktop.org/wiki/Software/systemd" + +LICENSE="GPL-2 LGPL-2.1 MIT public-domain" +SLOT="0/2" +IUSE="acl apparmor audit build cryptsetup curl elfutils +gcrypt gnuefi http idn importd +kmod libidn2 +lz4 lzma nat pam pcre policykit qrcode +resolvconf +seccomp selinux +split-usr ssl +sysv-utils test vanilla xkb" + +REQUIRED_USE="importd? ( curl gcrypt lzma )" +RESTRICT="!test? ( test )" + +MINKV="3.11" + +COMMON_DEPEND=">=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}] + sys-libs/libcap:0=[${MULTILIB_USEDEP}] + !<sys-libs/glibc-2.16 + acl? ( sys-apps/acl:0= ) + apparmor? ( sys-libs/libapparmor:0= ) + audit? ( >=sys-process/audit-2:0= ) + cryptsetup? ( >=sys-fs/cryptsetup-1.6:0= ) + curl? ( net-misc/curl:0= ) + elfutils? ( >=dev-libs/elfutils-0.158:0= ) + gcrypt? ( >=dev-libs/libgcrypt-1.4.5:0=[${MULTILIB_USEDEP}] ) + http? ( + >=net-libs/libmicrohttpd-0.9.33:0= + ssl? ( >=net-libs/gnutls-3.1.4:0= ) + ) + idn? ( + libidn2? ( net-dns/libidn2:= ) + !libidn2? ( net-dns/libidn:= ) + ) + importd? ( + app-arch/bzip2:0= + sys-libs/zlib:0= + ) + kmod? ( >=sys-apps/kmod-15:0= ) + lz4? ( >=app-arch/lz4-0_p131:0=[${MULTILIB_USEDEP}] ) + lzma? ( >=app-arch/xz-utils-5.0.5-r1:0=[${MULTILIB_USEDEP}] ) + nat? ( net-firewall/iptables:0= ) + pam? ( virtual/pam:=[${MULTILIB_USEDEP}] ) + pcre? ( dev-libs/libpcre2 ) + qrcode? ( media-gfx/qrencode:0= ) + seccomp? ( >=sys-libs/libseccomp-2.3.3:0= ) + selinux? ( sys-libs/libselinux:0= ) + xkb? ( >=x11-libs/libxkbcommon-0.4.1:0= )" + +# baselayout-2.2 has /run +RDEPEND="${COMMON_DEPEND} + >=sys-apps/baselayout-2.2 + selinux? ( sec-policy/selinux-base-policy[systemd] ) + sysv-utils? ( !sys-apps/sysvinit ) + !sysv-utils? ( sys-apps/sysvinit ) + resolvconf? ( !net-dns/openresolv ) + !build? ( || ( + sys-apps/util-linux[kill(-)] + sys-process/procps[kill(+)] + sys-apps/coreutils[kill(-)] + ) ) + !sys-auth/nss-myhostname + !<sys-kernel/dracut-044 + !sys-fs/eudev + !sys-fs/udev" + +# sys-apps/dbus: the daemon only (+ build-time lib dep for tests) +PDEPEND=">=sys-apps/dbus-1.9.8[systemd] + >=sys-apps/hwids-20150417[udev] + >=sys-fs/udev-init-scripts-25 + policykit? ( sys-auth/polkit ) + !vanilla? ( sys-apps/gentoo-systemd-integration )" + +# Newer linux-headers needed by ia64, bug #480218 +DEPEND="${COMMON_DEPEND} + app-arch/xz-utils:0 + dev-util/gperf + >=dev-util/intltool-0.50 + >=sys-apps/coreutils-8.16 + >=sys-kernel/linux-headers-${MINKV} + virtual/pkgconfig[${MULTILIB_USEDEP}] + gnuefi? ( >=sys-boot/gnu-efi-3.0.2 ) + test? ( sys-apps/dbus ) + app-text/docbook-xml-dtd:4.2 + app-text/docbook-xml-dtd:4.5 + app-text/docbook-xsl-stylesheets + dev-libs/libxslt:0 + $(python_gen_any_dep 'dev-python/lxml[${PYTHON_USEDEP}]') +" + +pkg_pretend() { + if [[ ${MERGE_TYPE} != buildonly ]]; then + local CONFIG_CHECK="~AUTOFS4_FS ~BLK_DEV_BSG ~CGROUPS + ~CHECKPOINT_RESTORE ~DEVTMPFS ~EPOLL ~FANOTIFY ~FHANDLE + ~INOTIFY_USER ~IPV6 ~NET ~NET_NS ~PROC_FS ~SIGNALFD ~SYSFS + ~TIMERFD ~TMPFS_XATTR ~UNIX + ~CRYPTO_HMAC ~CRYPTO_SHA256 ~CRYPTO_USER_API_HASH + ~!FW_LOADER_USER_HELPER_FALLBACK ~!GRKERNSEC_PROC ~!IDE ~!SYSFS_DEPRECATED + ~!SYSFS_DEPRECATED_V2" + + use acl && CONFIG_CHECK+=" ~TMPFS_POSIX_ACL" + use seccomp && CONFIG_CHECK+=" ~SECCOMP ~SECCOMP_FILTER" + kernel_is -lt 3 7 && CONFIG_CHECK+=" ~HOTPLUG" + kernel_is -lt 4 7 && CONFIG_CHECK+=" ~DEVPTS_MULTIPLE_INSTANCES" + kernel_is -ge 4 10 && CONFIG_CHECK+=" ~CGROUP_BPF" + + if linux_config_exists; then + local uevent_helper_path=$(linux_chkconfig_string UEVENT_HELPER_PATH) + if [[ -n ${uevent_helper_path} ]] && [[ ${uevent_helper_path} != '""' ]]; then + ewarn "It's recommended to set an empty value to the following kernel config option:" + ewarn "CONFIG_UEVENT_HELPER_PATH=${uevent_helper_path}" + fi + if linux_chkconfig_present X86; then + CONFIG_CHECK+=" ~DMIID" + fi + fi + + if kernel_is -lt ${MINKV//./ }; then + ewarn "Kernel version at least ${MINKV} required" + fi + + check_extra_config + fi +} + +pkg_setup() { + : +} + +src_unpack() { + default + [[ ${PV} != 9999 ]] || git-r3_src_unpack +} + +src_prepare() { + # Do NOT add patches here + local PATCHES=() + + [[ -d "${WORKDIR}"/patches ]] && PATCHES+=( "${WORKDIR}"/patches ) + + # Add local patches here + PATCHES+=( + "${FILESDIR}"/239-debug-extra.patch + "${FILESDIR}"/CVE-2019-6454.patch + ) + + if ! use vanilla; then + PATCHES+=( + "${FILESDIR}/gentoo-Dont-enable-audit-by-default.patch" + "${FILESDIR}/gentoo-systemd-user-pam.patch" + "${FILESDIR}/gentoo-uucp-group-r1.patch" + "${FILESDIR}/gentoo-generator-path.patch" + ) + fi + + default +} + +src_configure() { + # Prevent conflicts with i686 cross toolchain, bug 559726 + tc-export AR CC NM OBJCOPY RANLIB + + python_setup + + multilib-minimal_src_configure +} + +meson_use() { + usex "$1" true false +} + +meson_multilib() { + if multilib_is_native_abi; then + echo true + else + echo false + fi +} + +meson_multilib_native_use() { + if multilib_is_native_abi && use "$1"; then + echo true + else + echo false + fi +} + +multilib_src_configure() { + local myconf=( + --localstatedir="${EPREFIX}/var" + -Dpamlibdir="$(getpam_mod_dir)" + # avoid bash-completion dep + -Dbashcompletiondir="$(get_bashcompdir)" + # make sure we get /bin:/sbin in PATH + -Dsplit-usr=$(usex split-usr true false) + -Drootprefix="$(usex split-usr "${EPREFIX:-/}" "${EPREFIX}/usr")" + -Dsysvinit-path= + -Dsysvrcnd-path= + # Avoid infinite exec recursion, bug 642724 + -Dtelinit-path="${EPREFIX}/lib/sysvinit/telinit" + # no deps + -Defi=$(meson_multilib) + -Dima=true + # Optional components/dependencies + -Dacl=$(meson_multilib_native_use acl) + -Dapparmor=$(meson_multilib_native_use apparmor) + -Daudit=$(meson_multilib_native_use audit) + -Dlibcryptsetup=$(meson_multilib_native_use cryptsetup) + -Dlibcurl=$(meson_multilib_native_use curl) + -Delfutils=$(meson_multilib_native_use elfutils) + -Dgcrypt=$(meson_use gcrypt) + -Dgnu-efi=$(meson_multilib_native_use gnuefi) + -Defi-libdir="${EPREFIX}/usr/$(get_libdir)" + -Dmicrohttpd=$(meson_multilib_native_use http) + $(usex http -Dgnutls=$(meson_multilib_native_use ssl) -Dgnutls=false) + -Dimportd=$(meson_multilib_native_use importd) + -Dbzip2=$(meson_multilib_native_use importd) + -Dzlib=$(meson_multilib_native_use importd) + -Dkmod=$(meson_multilib_native_use kmod) + -Dlz4=$(meson_use lz4) + -Dxz=$(meson_use lzma) + -Dlibiptc=$(meson_multilib_native_use nat) + -Dpam=$(meson_use pam) + -Dpcre2=$(meson_multilib_native_use pcre) + -Dpolkit=$(meson_multilib_native_use policykit) + -Dqrencode=$(meson_multilib_native_use qrcode) + -Dseccomp=$(meson_multilib_native_use seccomp) + -Dselinux=$(meson_multilib_native_use selinux) + #-Dtests=$(meson_multilib_native_use test) + -Ddbus=$(meson_multilib_native_use test) + -Dxkbcommon=$(meson_multilib_native_use xkb) + # hardcode a few paths to spare some deps + -Dkill-path=/bin/kill + -Dntp-servers="0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org 2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org" + # Breaks screen, tmux, etc. + -Ddefault-kill-user-processes=false + + # multilib options + -Dbacklight=$(meson_multilib) + -Dbinfmt=$(meson_multilib) + -Dcoredump=$(meson_multilib) + -Denvironment-d=$(meson_multilib) + -Dfirstboot=$(meson_multilib) + -Dhibernate=$(meson_multilib) + -Dhostnamed=$(meson_multilib) + -Dhwdb=$(meson_multilib) + -Dldconfig=$(meson_multilib) + -Dlocaled=$(meson_multilib) + -Dman=$(meson_multilib) + -Dnetworkd=$(meson_multilib) + -Dquotacheck=$(meson_multilib) + -Drandomseed=$(meson_multilib) + -Drfkill=$(meson_multilib) + -Dsysusers=$(meson_multilib) + -Dtimedated=$(meson_multilib) + -Dtimesyncd=$(meson_multilib) + -Dtmpfiles=$(meson_multilib) + -Dvconsole=$(meson_multilib) + ) + + if multilib_is_native_abi && use idn; then + myconf+=( + -Dlibidn2=$(usex libidn2 true false) + -Dlibidn=$(usex libidn2 false true) + ) + else + myconf+=( + -Dlibidn2=false + -Dlibidn=false + ) + fi + + meson_src_configure "${myconf[@]}" +} + +multilib_src_compile() { + eninja +} + +multilib_src_test() { + unset DBUS_SESSION_BUS_ADDRESS XDG_RUNTIME_DIR + eninja test +} + +multilib_src_install() { + DESTDIR="${D}" eninja install +} + +multilib_src_install_all() { + local rootprefix=$(usex split-usr '' /usr) + + # meson doesn't know about docdir + mv "${ED%/}"/usr/share/doc/{systemd,${PF}} || die + + einstalldocs + dodoc "${FILESDIR}"/nsswitch.conf + + if ! use resolvconf; then + rm -f "${ED%/}${rootprefix}"/sbin/resolvconf || die + fi + + if ! use sysv-utils; then + rm "${ED%/}${rootprefix}"/sbin/{halt,init,poweroff,reboot,runlevel,shutdown,telinit} || die + rm "${ED%/}"/usr/share/man/man1/init.1 || die + rm "${ED%/}"/usr/share/man/man8/{halt,poweroff,reboot,runlevel,shutdown,telinit}.8 || die + fi + + if ! use resolvconf && ! use sysv-utils; then + rmdir "${ED%/}${rootprefix}"/sbin || die + fi + + # Preserve empty dirs in /etc & /var, bug #437008 + keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d} + keepdir /etc/systemd/{ntp-units.d,user} /var/lib/systemd + keepdir /etc/udev/{hwdb.d,rules.d} + keepdir /var/log/journal/remote + + # Symlink /etc/sysctl.conf for easy migration. + dosym ../sysctl.conf /etc/sysctl.d/99-sysctl.conf + + # If we install these symlinks, there is no way for the sysadmin to remove them + # permanently. + rm -f "${ED%/}"/etc/systemd/system/multi-user.target.wants/systemd-networkd.service || die + rm -f "${ED%/}"/etc/systemd/system/dbus-org.freedesktop.network1.service || die + rm -f "${ED%/}"/etc/systemd/system/multi-user.target.wants/systemd-resolved.service || die + rm -f "${ED%/}"/etc/systemd/system/dbus-org.freedesktop.resolve1.service || die + rm -fr "${ED%/}"/etc/systemd/system/network-online.target.wants || die + rm -fr "${ED%/}"/etc/systemd/system/sockets.target.wants || die + rm -fr "${ED%/}"/etc/systemd/system/sysinit.target.wants || die + + local udevdir=/lib/udev + use split-usr || udevdir=/usr/lib/udev + + rm -r "${ED%/}${udevdir}/hwdb.d" || die + + if use split-usr; then + # Avoid breaking boot/reboot + dosym ../../../lib/systemd/systemd /usr/lib/systemd/systemd + dosym ../../../lib/systemd/systemd-shutdown /usr/lib/systemd/systemd-shutdown + fi +} + +migrate_locale() { + local envd_locale_def="${EROOT%/}/etc/env.d/02locale" + local envd_locale=( "${EROOT%/}"/etc/env.d/??locale ) + local locale_conf="${EROOT%/}/etc/locale.conf" + + if [[ ! -L ${locale_conf} && ! -e ${locale_conf} ]]; then + # If locale.conf does not exist... + if [[ -e ${envd_locale} ]]; then + # ...either copy env.d/??locale if there's one + ebegin "Moving ${envd_locale} to ${locale_conf}" + mv "${envd_locale}" "${locale_conf}" + eend ${?} || FAIL=1 + else + # ...or create a dummy default + ebegin "Creating ${locale_conf}" + cat > "${locale_conf}" <<-EOF + # This file has been created by the sys-apps/systemd ebuild. + # See locale.conf(5) and localectl(1). + + # LANG=${LANG} + EOF + eend ${?} || FAIL=1 + fi + fi + + if [[ ! -L ${envd_locale} ]]; then + # now, if env.d/??locale is not a symlink (to locale.conf)... + if [[ -e ${envd_locale} ]]; then + # ...warn the user that he has duplicate locale settings + ewarn + ewarn "To ensure consistent behavior, you should replace ${envd_locale}" + ewarn "with a symlink to ${locale_conf}. Please migrate your settings" + ewarn "and create the symlink with the following command:" + ewarn "ln -s -n -f ../locale.conf ${envd_locale}" + ewarn + else + # ...or just create the symlink if there's nothing here + ebegin "Creating ${envd_locale_def} -> ../locale.conf symlink" + ln -n -s ../locale.conf "${envd_locale_def}" + eend ${?} || FAIL=1 + fi + fi +} + +pkg_postinst() { + newusergroup() { + enewgroup "$1" + enewuser "$1" -1 -1 -1 "$1" + } + + enewgroup input + enewgroup kvm 78 + enewgroup render + enewgroup systemd-journal + newusergroup systemd-bus-proxy + newusergroup systemd-coredump + newusergroup systemd-journal-gateway + newusergroup systemd-journal-remote + newusergroup systemd-journal-upload + newusergroup systemd-network + newusergroup systemd-resolve + newusergroup systemd-timesync + + systemd_update_catalog + + # Keep this here in case the database format changes so it gets updated + # when required. Despite that this file is owned by sys-apps/hwids. + if has_version "sys-apps/hwids[udev]"; then + udevadm hwdb --update --root="${EROOT%/}" + fi + + udev_reload || FAIL=1 + + # Bug 465468, make sure locales are respect, and ensure consistency + # between OpenRC & systemd + migrate_locale + + systemd_reenable systemd-networkd.service systemd-resolved.service + + if [[ ${FAIL} ]]; then + eerror "One of the postinst commands failed. Please check the postinst output" + eerror "for errors. You may need to clean up your system and/or try installing" + eerror "systemd again." + eerror + fi +} + +pkg_prerm() { + # If removing systemd completely, remove the catalog database. + if [[ ! ${REPLACED_BY_VERSION} ]]; then + rm -f -v "${EROOT}"/var/lib/systemd/catalog/database + fi +} diff --git a/sys-apps/systemd/systemd-241-r1.ebuild b/sys-apps/systemd/systemd-241-r1.ebuild new file mode 100644 index 000000000000..47f33c6fcff7 --- /dev/null +++ b/sys-apps/systemd/systemd-241-r1.ebuild @@ -0,0 +1,461 @@ +# Copyright 2011-2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +if [[ ${PV} == 9999 ]]; then + EGIT_REPO_URI="https://github.com/systemd/systemd.git" + inherit git-r3 +else + MY_PV=${PV/_/-} + MY_P=${PN}-${MY_PV} + S=${WORKDIR}/${MY_P} + SRC_URI="https://github.com/systemd/systemd/archive/v${MY_PV}/${MY_P}.tar.gz" + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86" +fi + +PYTHON_COMPAT=( python{3_5,3_6,3_7} ) + +inherit bash-completion-r1 linux-info meson multilib-minimal ninja-utils pam python-any-r1 systemd toolchain-funcs udev user + +DESCRIPTION="System and service manager for Linux" +HOMEPAGE="https://www.freedesktop.org/wiki/Software/systemd" + +LICENSE="GPL-2 LGPL-2.1 MIT public-domain" +SLOT="0/2" +IUSE="acl apparmor audit build cryptsetup curl elfutils +gcrypt gnuefi http idn importd +kmod libidn2 +lz4 lzma nat pam pcre policykit qrcode +resolvconf +seccomp selinux +split-usr ssl +sysv-utils test vanilla xkb" + +REQUIRED_USE="importd? ( curl gcrypt lzma )" +RESTRICT="!test? ( test )" + +MINKV="3.11" + +COMMON_DEPEND=">=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}] + sys-libs/libcap:0=[${MULTILIB_USEDEP}] + !<sys-libs/glibc-2.16 + acl? ( sys-apps/acl:0= ) + apparmor? ( sys-libs/libapparmor:0= ) + audit? ( >=sys-process/audit-2:0= ) + cryptsetup? ( >=sys-fs/cryptsetup-1.6:0= ) + curl? ( net-misc/curl:0= ) + elfutils? ( >=dev-libs/elfutils-0.158:0= ) + gcrypt? ( >=dev-libs/libgcrypt-1.4.5:0=[${MULTILIB_USEDEP}] ) + http? ( + >=net-libs/libmicrohttpd-0.9.33:0= + ssl? ( >=net-libs/gnutls-3.1.4:0= ) + ) + idn? ( + libidn2? ( net-dns/libidn2:= ) + !libidn2? ( net-dns/libidn:= ) + ) + importd? ( + app-arch/bzip2:0= + sys-libs/zlib:0= + ) + kmod? ( >=sys-apps/kmod-15:0= ) + lz4? ( >=app-arch/lz4-0_p131:0=[${MULTILIB_USEDEP}] ) + lzma? ( >=app-arch/xz-utils-5.0.5-r1:0=[${MULTILIB_USEDEP}] ) + nat? ( net-firewall/iptables:0= ) + pam? ( virtual/pam:=[${MULTILIB_USEDEP}] ) + pcre? ( dev-libs/libpcre2 ) + qrcode? ( media-gfx/qrencode:0= ) + seccomp? ( >=sys-libs/libseccomp-2.3.3:0= ) + selinux? ( sys-libs/libselinux:0= ) + xkb? ( >=x11-libs/libxkbcommon-0.4.1:0= )" + +# baselayout-2.2 has /run +RDEPEND="${COMMON_DEPEND} + >=sys-apps/baselayout-2.2 + selinux? ( sec-policy/selinux-base-policy[systemd] ) + sysv-utils? ( !sys-apps/sysvinit ) + !sysv-utils? ( sys-apps/sysvinit ) + resolvconf? ( !net-dns/openresolv ) + !build? ( || ( + sys-apps/util-linux[kill(-)] + sys-process/procps[kill(+)] + sys-apps/coreutils[kill(-)] + ) ) + !sys-auth/nss-myhostname + !<sys-kernel/dracut-044 + !sys-fs/eudev + !sys-fs/udev" + +# sys-apps/dbus: the daemon only (+ build-time lib dep for tests) +PDEPEND=">=sys-apps/dbus-1.9.8[systemd] + >=sys-apps/hwids-20150417[udev] + >=sys-fs/udev-init-scripts-25 + policykit? ( sys-auth/polkit ) + !vanilla? ( sys-apps/gentoo-systemd-integration )" + +# Newer linux-headers needed by ia64, bug #480218 +DEPEND=" + >=sys-kernel/linux-headers-${MINKV} + gnuefi? ( >=sys-boot/gnu-efi-3.0.2 ) +" + +BDEPEND=" + app-arch/xz-utils:0 + dev-util/gperf + >=dev-util/meson-0.46 + >=dev-util/intltool-0.50 + >=sys-apps/coreutils-8.16 + virtual/pkgconfig[${MULTILIB_USEDEP}] + test? ( sys-apps/dbus ) + app-text/docbook-xml-dtd:4.2 + app-text/docbook-xml-dtd:4.5 + app-text/docbook-xsl-stylesheets + dev-libs/libxslt:0 + $(python_gen_any_dep 'dev-python/lxml[${PYTHON_USEDEP}]') +" + +pkg_pretend() { + if [[ ${MERGE_TYPE} != buildonly ]]; then + local CONFIG_CHECK="~AUTOFS4_FS ~BLK_DEV_BSG ~CGROUPS + ~CHECKPOINT_RESTORE ~DEVTMPFS ~EPOLL ~FANOTIFY ~FHANDLE + ~INOTIFY_USER ~IPV6 ~NET ~NET_NS ~PROC_FS ~SIGNALFD ~SYSFS + ~TIMERFD ~TMPFS_XATTR ~UNIX + ~CRYPTO_HMAC ~CRYPTO_SHA256 ~CRYPTO_USER_API_HASH + ~!FW_LOADER_USER_HELPER_FALLBACK ~!GRKERNSEC_PROC ~!IDE ~!SYSFS_DEPRECATED + ~!SYSFS_DEPRECATED_V2" + + use acl && CONFIG_CHECK+=" ~TMPFS_POSIX_ACL" + use seccomp && CONFIG_CHECK+=" ~SECCOMP ~SECCOMP_FILTER" + kernel_is -lt 3 7 && CONFIG_CHECK+=" ~HOTPLUG" + kernel_is -lt 4 7 && CONFIG_CHECK+=" ~DEVPTS_MULTIPLE_INSTANCES" + kernel_is -ge 4 10 && CONFIG_CHECK+=" ~CGROUP_BPF" + + if linux_config_exists; then + local uevent_helper_path=$(linux_chkconfig_string UEVENT_HELPER_PATH) + if [[ -n ${uevent_helper_path} ]] && [[ ${uevent_helper_path} != '""' ]]; then + ewarn "It's recommended to set an empty value to the following kernel config option:" + ewarn "CONFIG_UEVENT_HELPER_PATH=${uevent_helper_path}" + fi + if linux_chkconfig_present X86; then + CONFIG_CHECK+=" ~DMIID" + fi + fi + + if kernel_is -lt ${MINKV//./ }; then + ewarn "Kernel version at least ${MINKV} required" + fi + + check_extra_config + fi +} + +pkg_setup() { + : +} + +src_unpack() { + default + [[ ${PV} != 9999 ]] || git-r3_src_unpack +} + +src_prepare() { + # Do NOT add patches here + local PATCHES=() + + [[ -d "${WORKDIR}"/patches ]] && PATCHES+=( "${WORKDIR}"/patches ) + + # Add local patches here + PATCHES+=( + "${FILESDIR}"/CVE-2019-6454/0001-Refuse-dbus-message-paths-longer-than-BUS_PATH_SIZE_.patch + "${FILESDIR}"/CVE-2019-6454/0002-Allocate-temporary-strings-to-hold-dbus-paths-on-the.patch + ) + + if ! use vanilla; then + PATCHES+=( + "${FILESDIR}/gentoo-Dont-enable-audit-by-default.patch" + "${FILESDIR}/gentoo-systemd-user-pam.patch" + "${FILESDIR}/gentoo-uucp-group-r1.patch" + "${FILESDIR}/gentoo-generator-path-r1.patch" + ) + fi + + default +} + +src_configure() { + # Prevent conflicts with i686 cross toolchain, bug 559726 + tc-export AR CC NM OBJCOPY RANLIB + + python_setup + + multilib-minimal_src_configure +} + +meson_use() { + usex "$1" true false +} + +meson_multilib() { + if multilib_is_native_abi; then + echo true + else + echo false + fi +} + +meson_multilib_native_use() { + if multilib_is_native_abi && use "$1"; then + echo true + else + echo false + fi +} + +multilib_src_configure() { + local myconf=( + --localstatedir="${EPREFIX}/var" + -Dpamlibdir="$(getpam_mod_dir)" + # avoid bash-completion dep + -Dbashcompletiondir="$(get_bashcompdir)" + # make sure we get /bin:/sbin in PATH + -Dsplit-usr=$(usex split-usr true false) + -Drootprefix="$(usex split-usr "${EPREFIX:-/}" "${EPREFIX}/usr")" + -Dsysvinit-path= + -Dsysvrcnd-path= + # Avoid infinite exec recursion, bug 642724 + -Dtelinit-path="${EPREFIX}/lib/sysvinit/telinit" + # no deps + -Defi=$(meson_multilib) + -Dima=true + # Optional components/dependencies + -Dacl=$(meson_multilib_native_use acl) + -Dapparmor=$(meson_multilib_native_use apparmor) + -Daudit=$(meson_multilib_native_use audit) + -Dlibcryptsetup=$(meson_multilib_native_use cryptsetup) + -Dlibcurl=$(meson_multilib_native_use curl) + -Delfutils=$(meson_multilib_native_use elfutils) + -Dgcrypt=$(meson_use gcrypt) + -Dgnu-efi=$(meson_multilib_native_use gnuefi) + -Defi-libdir="${EPREFIX}/usr/$(get_libdir)" + -Dmicrohttpd=$(meson_multilib_native_use http) + $(usex http -Dgnutls=$(meson_multilib_native_use ssl) -Dgnutls=false) + -Dimportd=$(meson_multilib_native_use importd) + -Dbzip2=$(meson_multilib_native_use importd) + -Dzlib=$(meson_multilib_native_use importd) + -Dkmod=$(meson_multilib_native_use kmod) + -Dlz4=$(meson_use lz4) + -Dxz=$(meson_use lzma) + -Dlibiptc=$(meson_multilib_native_use nat) + -Dpam=$(meson_use pam) + -Dpcre2=$(meson_multilib_native_use pcre) + -Dpolkit=$(meson_multilib_native_use policykit) + -Dqrencode=$(meson_multilib_native_use qrcode) + -Dseccomp=$(meson_multilib_native_use seccomp) + -Dselinux=$(meson_multilib_native_use selinux) + #-Dtests=$(meson_multilib_native_use test) + -Ddbus=$(meson_multilib_native_use test) + -Dxkbcommon=$(meson_multilib_native_use xkb) + # hardcode a few paths to spare some deps + -Dkill-path=/bin/kill + -Dntp-servers="0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org 2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org" + # Breaks screen, tmux, etc. + -Ddefault-kill-user-processes=false + + # multilib options + -Dbacklight=$(meson_multilib) + -Dbinfmt=$(meson_multilib) + -Dcoredump=$(meson_multilib) + -Denvironment-d=$(meson_multilib) + -Dfirstboot=$(meson_multilib) + -Dhibernate=$(meson_multilib) + -Dhostnamed=$(meson_multilib) + -Dhwdb=$(meson_multilib) + -Dldconfig=$(meson_multilib) + -Dlocaled=$(meson_multilib) + -Dman=$(meson_multilib) + -Dnetworkd=$(meson_multilib) + -Dquotacheck=$(meson_multilib) + -Drandomseed=$(meson_multilib) + -Drfkill=$(meson_multilib) + -Dsysusers=$(meson_multilib) + -Dtimedated=$(meson_multilib) + -Dtimesyncd=$(meson_multilib) + -Dtmpfiles=$(meson_multilib) + -Dvconsole=$(meson_multilib) + ) + + if multilib_is_native_abi && use idn; then + myconf+=( + -Dlibidn2=$(usex libidn2 true false) + -Dlibidn=$(usex libidn2 false true) + ) + else + myconf+=( + -Dlibidn2=false + -Dlibidn=false + ) + fi + + meson_src_configure "${myconf[@]}" +} + +multilib_src_compile() { + eninja +} + +multilib_src_test() { + unset DBUS_SESSION_BUS_ADDRESS XDG_RUNTIME_DIR + eninja test +} + +multilib_src_install() { + DESTDIR="${D}" eninja install +} + +multilib_src_install_all() { + local rootprefix=$(usex split-usr '' /usr) + + # meson doesn't know about docdir + mv "${ED}"/usr/share/doc/{systemd,${PF}} || die + + einstalldocs + dodoc "${FILESDIR}"/nsswitch.conf + + if ! use resolvconf; then + rm -f "${ED}${rootprefix}"/sbin/resolvconf || die + fi + + if ! use sysv-utils; then + rm "${ED}${rootprefix}"/sbin/{halt,init,poweroff,reboot,runlevel,shutdown,telinit} || die + rm "${ED}"/usr/share/man/man1/init.1 || die + rm "${ED}"/usr/share/man/man8/{halt,poweroff,reboot,runlevel,shutdown,telinit}.8 || die + fi + + if ! use resolvconf && ! use sysv-utils; then + rmdir "${ED}${rootprefix}"/sbin || die + fi + + # Preserve empty dirs in /etc & /var, bug #437008 + keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d} + keepdir /etc/systemd/{ntp-units.d,user} /var/lib/systemd + keepdir /etc/udev/{hwdb.d,rules.d} + keepdir /var/log/journal/remote + + # Symlink /etc/sysctl.conf for easy migration. + dosym ../sysctl.conf /etc/sysctl.d/99-sysctl.conf + + # If we install these symlinks, there is no way for the sysadmin to remove them + # permanently. + rm -f "${ED}"/etc/systemd/system/multi-user.target.wants/systemd-networkd.service || die + rm -f "${ED}"/etc/systemd/system/dbus-org.freedesktop.network1.service || die + rm -f "${ED}"/etc/systemd/system/multi-user.target.wants/systemd-resolved.service || die + rm -f "${ED}"/etc/systemd/system/dbus-org.freedesktop.resolve1.service || die + rm -fr "${ED}"/etc/systemd/system/network-online.target.wants || die + rm -fr "${ED}"/etc/systemd/system/sockets.target.wants || die + rm -fr "${ED}"/etc/systemd/system/sysinit.target.wants || die + + local udevdir=/lib/udev + use split-usr || udevdir=/usr/lib/udev + + rm -r "${ED}${udevdir}/hwdb.d" || die + + if use split-usr; then + # Avoid breaking boot/reboot + dosym ../../../lib/systemd/systemd /usr/lib/systemd/systemd + dosym ../../../lib/systemd/systemd-shutdown /usr/lib/systemd/systemd-shutdown + fi +} + +migrate_locale() { + local envd_locale_def="${EROOT}/etc/env.d/02locale" + local envd_locale=( "${EROOT}"/etc/env.d/??locale ) + local locale_conf="${EROOT}/etc/locale.conf" + + if [[ ! -L ${locale_conf} && ! -e ${locale_conf} ]]; then + # If locale.conf does not exist... + if [[ -e ${envd_locale} ]]; then + # ...either copy env.d/??locale if there's one + ebegin "Moving ${envd_locale} to ${locale_conf}" + mv "${envd_locale}" "${locale_conf}" + eend ${?} || FAIL=1 + else + # ...or create a dummy default + ebegin "Creating ${locale_conf}" + cat > "${locale_conf}" <<-EOF + # This file has been created by the sys-apps/systemd ebuild. + # See locale.conf(5) and localectl(1). + + # LANG=${LANG} + EOF + eend ${?} || FAIL=1 + fi + fi + + if [[ ! -L ${envd_locale} ]]; then + # now, if env.d/??locale is not a symlink (to locale.conf)... + if [[ -e ${envd_locale} ]]; then + # ...warn the user that he has duplicate locale settings + ewarn + ewarn "To ensure consistent behavior, you should replace ${envd_locale}" + ewarn "with a symlink to ${locale_conf}. Please migrate your settings" + ewarn "and create the symlink with the following command:" + ewarn "ln -s -n -f ../locale.conf ${envd_locale}" + ewarn + else + # ...or just create the symlink if there's nothing here + ebegin "Creating ${envd_locale_def} -> ../locale.conf symlink" + ln -n -s ../locale.conf "${envd_locale_def}" + eend ${?} || FAIL=1 + fi + fi +} + +pkg_postinst() { + newusergroup() { + enewgroup "$1" + enewuser "$1" -1 -1 -1 "$1" + } + + enewgroup input + enewgroup kvm 78 + enewgroup render + enewgroup systemd-journal + newusergroup systemd-bus-proxy + newusergroup systemd-coredump + newusergroup systemd-journal-gateway + newusergroup systemd-journal-remote + newusergroup systemd-journal-upload + newusergroup systemd-network + newusergroup systemd-resolve + newusergroup systemd-timesync + + systemd_update_catalog + + # Keep this here in case the database format changes so it gets updated + # when required. Despite that this file is owned by sys-apps/hwids. + if has_version "sys-apps/hwids[udev]"; then + udevadm hwdb --update --root="${EROOT}" + fi + + udev_reload || FAIL=1 + + # Bug 465468, make sure locales are respect, and ensure consistency + # between OpenRC & systemd + migrate_locale + + systemd_reenable systemd-networkd.service systemd-resolved.service + + if [[ -z ${ROOT} && -d /run/systemd/system ]]; then + ebegin "Reexecuting system manager" + systemctl daemon-reexec + eend $? + fi + + if [[ ${FAIL} ]]; then + eerror "One of the postinst commands failed. Please check the postinst output" + eerror "for errors. You may need to clean up your system and/or try installing" + eerror "systemd again." + eerror + fi +} + +pkg_prerm() { + # If removing systemd completely, remove the catalog database. + if [[ ! ${REPLACED_BY_VERSION} ]]; then + rm -f -v "${EROOT}"/var/lib/systemd/catalog/database + fi +} |