summaryrefslogtreecommitdiff
path: root/sys-apps/systemd
diff options
context:
space:
mode:
authorV3n3RiX <venerix@redcorelinux.org>2019-11-18 10:15:03 +0000
committerV3n3RiX <venerix@redcorelinux.org>2019-11-18 10:15:03 +0000
commitb284a3168fa91a038925d2ecf5e4791011ea5e7d (patch)
tree16fe44748708acacd909d4e2e160a09a7f6d936a /sys-apps/systemd
parent77398e424e45d9e98c1cef3c43bdadb9d56e81ef (diff)
gentoo resync : 18.11.2019
Diffstat (limited to 'sys-apps/systemd')
-rw-r--r--sys-apps/systemd/Manifest3
-rw-r--r--sys-apps/systemd/files/243-seccomp.patch145
-rw-r--r--sys-apps/systemd/systemd-243-r2.ebuild3
3 files changed, 149 insertions, 2 deletions
diff --git a/sys-apps/systemd/Manifest b/sys-apps/systemd/Manifest
index fb8820e34945..98ef0fb7ac29 100644
--- a/sys-apps/systemd/Manifest
+++ b/sys-apps/systemd/Manifest
@@ -5,6 +5,7 @@ AUX 242-networkd-ipv6-token.patch 6525 BLAKE2B 4bbf64154f96419df91caf03f827f37bf
AUX 242-rdrand-ryzen.patch 16177 BLAKE2B 7d1d3709098a233ba58727788b77c30025c0497fff9abb1df007e21160da3f93a7e9d14b0eeb7e6855bbe5fa93abfeda118156cbba355fc2976c83debcbb91d4 SHA512 38d00535a118b060accb8ed4e87681bab5e547270ef7e0abcdcf4766367e22761ffc35d0db7c829e86e0ad45f13cf4c761e71cfdfc70c2675056ef217c85618d
AUX 242-socket-util-flush-accept.patch 2123 BLAKE2B 74bfbe440ae548b96d90b41ac45c440b21a63c61ae75a9d2b725d2bdec74a03aeca7b673a656821eb925e6740d6728a41d0dc30275287a92519b47d9c477c487 SHA512 7dd0daa70de4ee264d0b3dfe6f80b5e0c563e5bb5255ca2a92f26c4a993fca178f275f85c9048305b82b258d41c9bcbb28d74f9e2b6c2a0e77748464890cb907
AUX 242-wireguard-listenport.patch 1598 BLAKE2B 3266fe600db530ebb5b8eb726822daf14ee87292b035c09a1eb9a46638cc2dc3b8a3f11dd74684a79f3e521d3999b6b8c3a641f8f7475a5d45706567e00d26f6 SHA512 69e047000eb5ed36850bcbc6b8ef37a646b60a642a07a68547624e81aa6e49c77b848745ca4daad883151ddcaee9e7957ea6430f5a0c0c67ffc7887778f536e9
+AUX 243-seccomp.patch 6293 BLAKE2B be1a78783e34d6cf8ba33f6ae6fb0e8747d414de692cf28bd9cce01ca47baf188b078171dd66c236ecf2a4a821f1dec0b7021e1298a29a3b21aacf3a9d667189 SHA512 da2cd2e11a06e0520af0ad3c6debe54c5ab046f7ee35a922c99a32924464a6b760b4620d8e511064f84d8adbf5e65db473877476a1cc36941a0420491b89cb25
AUX CVE-2019-15718.patch 1232 BLAKE2B e5be62414a1f9c19c8834e093d166a025fbd5215223845df365c70afb35487bd393bcd5463a046107e384a43976dcbb57e9e0a4013355558982abe8b6baf35de SHA512 45017c2c6ff5b16206e4c2e78c82c231372fd13c965a64908d70c0019a0894f1599a4412df3efc1ad6b799df018c05560fbbc8a24ffb86f793a149d9aec2080f
AUX gentoo-Dont-enable-audit-by-default.patch 1027 BLAKE2B 9193a409db4e5c1dec6f6b66ee6e0a4cc1ada49d41ab758c788cf12534fffb67bd7370b8558a6af56572d7f2b73cf47db255fef105e56362c15f0a426f80b256 SHA512 44e512d8bbadbc5714192896a3ba262e460af034846e4e9b9832b4143fff772e2734e655316fd88d1ef386509bd234c195dce2087348f220836b3bf4f26790e0
AUX gentoo-generator-path-r1.patch 1037 BLAKE2B 5eb80521a6726c9b4693f9b0f56d3e68fca1a49f5f5eb5a1576329d30c93d2fe7c121920099d74962eacf7ed1d3747250f103a57e4be246320a99871521a3b6a SHA512 1b0d1c2f96cb4aa95adfa5940efaeb2bd940110720399358317906d21d08b0caf625474980e101bba001afd626f8ad64367b09b40bec0b2d46b977021c4adfc5
@@ -14,7 +15,7 @@ DIST systemd-242.tar.gz 7831435 BLAKE2B 288e65d0a8e133ef5885689eb16118a83d93c730
DIST systemd-243.tar.gz 8242522 BLAKE2B 89e3ebbea5a99061329f7c78220a66c1e075d5ba90dfdf5ee8d0d9b762ef4600dc82d8ca2054632e5e343b6272cd8046c92f7f99dcfa8287c5ef2b42fb96d4cb SHA512 56b52a297aa5ac04d9667eb3afb1598725b197de73ff72baa1aabbc2844e36fba7b7fccdf6d214ae8b5b926616b2b7e15772763aaa80ec938d74333ff9c8673e
EBUILD systemd-242-r6.ebuild 14157 BLAKE2B eebb763acfe83ff486867663b3485605730725b00aa7e802624ba8f04bb64e4c4e269f617ab37b5322cd29d878aa4a604919993a9767ff99be4db325503d0edd SHA512 66804d5aa53ec07c841d0d6f6bf6eeb3e610b90f43e449f84550a67a8ead10bdef34a43df2839710e4f62410c94c72478cbb4b0ab3aa4d184d58628b50f94ad6
EBUILD systemd-242-r7.ebuild 14195 BLAKE2B 96ca4520a2eaeca5c970adad294080b06c4e928b8369f52f55e7099116864ef76c38edc387c2315654213a98dc502fb7db9d6067c9baa9462ba204d18ea9ab42 SHA512 56bcdb8ecc8cca4e68708f7b17d57592d62ccf43dc4144505251d06f8763d1e9260a1c97547d2b7889119a1e81e890061d5e73786d552c6acd7175d207ca132f
-EBUILD systemd-243-r2.ebuild 14475 BLAKE2B da969d039ee702ad07128892a7d294593e4cb9ebfc2c155e1a45a7d562b293d54a6ceaf105b7bccdb5a9181bba220f5eefb5a31df0267241238ba0ac8c45c110 SHA512 caf293cfef2a8bf74ba0cd04bf97b4ee7b3561c7136164ef517ddb33a64ad840f90fec7c220f0582532ae04425b0e79e29487301b351a8bafd01ef9d96ed244e
+EBUILD systemd-243-r2.ebuild 14508 BLAKE2B aa8246f50f4c6c75965a66df4e1dbe7fafc741256f71cae3b35b91c25186fc5c79415cddcc58430d0d6e2e89ad7ddc41b93e9302f930859ad4e2f87da45d68e7 SHA512 124e41692fb8ac22c92b2d0d64e85e0fa27616853bb20bb67b8c5bf7167f51e796686fd1f6ac4067896717af11a8cec8bc08f8a51e348a6a9730f0ad096f8988
EBUILD systemd-243.ebuild 14255 BLAKE2B bcdf5056bce2710f3c088dfdb686c001816ad5fae721c06153d0eab50ae610f49b6449f4d6b4cb0abe0546f38f76a169569886b0f2446d3248a6d8f0b4c1216e SHA512 b8459206cc0395c6755ffe74cee27e48913c979204dbb794c659ad7c2cf8005d75ff4dda5984f65341cf04b7370a8a3d83718b8f9dc7c9fc1958203f31338a52
EBUILD systemd-9999.ebuild 14481 BLAKE2B a01bcb68d3642c895ba67dd0aa2b79b5ee897423c2ecb32ff17a95ab0e5dcbfb0098b27b3e7fa710004b012708c0b79982b9d0bf7a6bb7602e36ef250a297be7 SHA512 4ca46d3ae151b793bc8609289df63701cccb3e608e9254f315af4873b79ad6c7cffbb74dd6e8f7da782f0156ce578059b96b0f359508ef5f28a6f9e5444440c8
MISC metadata.xml 2144 BLAKE2B f98da35b929799e76331e0f4957f175db15fd8766542058520aeeb1cc762f46c4e3c4d40b1dd21da50a3416807359c383e323e17de175a1439d7faa4bb4be0af SHA512 6e5847187232637a1de5f0d8fad2d6ad0515d537206ea3a7bd2ccd9f17e67789f5c80ebf295554aa135325f2e4260217de6e9a6a7f21dd70945a94ebfc3bf0de
diff --git a/sys-apps/systemd/files/243-seccomp.patch b/sys-apps/systemd/files/243-seccomp.patch
new file mode 100644
index 000000000000..88b129f77223
--- /dev/null
+++ b/sys-apps/systemd/files/243-seccomp.patch
@@ -0,0 +1,145 @@
+From 4df8fe8415eaf4abd5b93c3447452547c6ea9e5f Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Thu, 14 Nov 2019 17:51:30 +0100
+Subject: [PATCH] seccomp: more comprehensive protection against libseccomp's
+ __NR_xyz namespace invasion
+
+A follow-up for 59b657296a2fe104f112b91bbf9301724067cc81, adding the
+same conditioning for all cases of our __NR_xyz use.
+
+Fixes: #14031
+---
+ src/basic/missing_syscall.h | 10 +++++-----
+ src/test/test-seccomp.c | 19 ++++++++++---------
+ 2 files changed, 15 insertions(+), 14 deletions(-)
+
+diff --git a/src/basic/missing_syscall.h b/src/basic/missing_syscall.h
+index 6d9b12544d..1255d8b197 100644
+--- a/src/basic/missing_syscall.h
++++ b/src/basic/missing_syscall.h
+@@ -274,7 +274,7 @@ static inline int missing_renameat2(int oldfd, const char *oldname, int newfd, c
+
+ #if !HAVE_KCMP
+ static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long idx1, unsigned long idx2) {
+-# ifdef __NR_kcmp
++# if defined __NR_kcmp && __NR_kcmp > 0
+ return syscall(__NR_kcmp, pid1, pid2, type, idx1, idx2);
+ # else
+ errno = ENOSYS;
+@@ -289,7 +289,7 @@ static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long i
+
+ #if !HAVE_KEYCTL
+ static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5) {
+-# ifdef __NR_keyctl
++# if defined __NR_keyctl && __NR_keyctl > 0
+ return syscall(__NR_keyctl, cmd, arg2, arg3, arg4, arg5);
+ # else
+ errno = ENOSYS;
+@@ -300,7 +300,7 @@ static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg
+ }
+
+ static inline key_serial_t missing_add_key(const char *type, const char *description, const void *payload, size_t plen, key_serial_t ringid) {
+-# ifdef __NR_add_key
++# if defined __NR_add_key && __NR_add_key > 0
+ return syscall(__NR_add_key, type, description, payload, plen, ringid);
+ # else
+ errno = ENOSYS;
+@@ -311,7 +311,7 @@ static inline key_serial_t missing_add_key(const char *type, const char *descrip
+ }
+
+ static inline key_serial_t missing_request_key(const char *type, const char *description, const char * callout_info, key_serial_t destringid) {
+-# ifdef __NR_request_key
++# if defined __NR_request_key && __NR_request_key > 0
+ return syscall(__NR_request_key, type, description, callout_info, destringid);
+ # else
+ errno = ENOSYS;
+@@ -496,7 +496,7 @@ enum {
+ static inline long missing_set_mempolicy(int mode, const unsigned long *nodemask,
+ unsigned long maxnode) {
+ long i;
+-# ifdef __NR_set_mempolicy
++# if defined __NR_set_mempolicy && __NR_set_mempolicy > 0
+ i = syscall(__NR_set_mempolicy, mode, nodemask, maxnode);
+ # else
+ errno = ENOSYS;
+diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
+index 018c20f8be..c6692043fe 100644
+--- a/src/test/test-seccomp.c
++++ b/src/test/test-seccomp.c
+@@ -28,7 +28,8 @@
+ #include "tmpfile-util.h"
+ #include "virt.h"
+
+-#if SCMP_SYS(socket) < 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__)
++/* __NR_socket may be invalid due to libseccomp */
++#if !defined(__NR_socket) || __NR_socket <= 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__)
+ /* On these archs, socket() is implemented via the socketcall() syscall multiplexer,
+ * and we can't restrict it hence via seccomp. */
+ # define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1
+@@ -304,14 +305,14 @@ static void test_protect_sysctl(void) {
+ assert_se(pid >= 0);
+
+ if (pid == 0) {
+-#if __NR__sysctl > 0
++#if defined __NR__sysctl && __NR__sysctl > 0
+ assert_se(syscall(__NR__sysctl, NULL) < 0);
+ assert_se(errno == EFAULT);
+ #endif
+
+ assert_se(seccomp_protect_sysctl() >= 0);
+
+-#if __NR__sysctl > 0
++#if defined __NR__sysctl && __NR__sysctl > 0
+ assert_se(syscall(__NR__sysctl, 0, 0, 0) < 0);
+ assert_se(errno == EPERM);
+ #endif
+@@ -640,7 +641,7 @@ static void test_load_syscall_filter_set_raw(void) {
+ assert_se(poll(NULL, 0, 0) == 0);
+
+ assert_se(s = hashmap_new(NULL));
+-#if SCMP_SYS(access) >= 0
++#if defined __NR_access && __NR_access > 0
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(-1)) >= 0);
+ #else
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(-1)) >= 0);
+@@ -656,7 +657,7 @@ static void test_load_syscall_filter_set_raw(void) {
+ s = hashmap_free(s);
+
+ assert_se(s = hashmap_new(NULL));
+-#if SCMP_SYS(access) >= 0
++#if defined __NR_access && __NR_access > 0
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(EILSEQ)) >= 0);
+ #else
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(EILSEQ)) >= 0);
+@@ -672,7 +673,7 @@ static void test_load_syscall_filter_set_raw(void) {
+ s = hashmap_free(s);
+
+ assert_se(s = hashmap_new(NULL));
+-#if SCMP_SYS(poll) >= 0
++#if defined __NR_poll && __NR_poll > 0
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(-1)) >= 0);
+ #else
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(-1)) >= 0);
+@@ -689,7 +690,7 @@ static void test_load_syscall_filter_set_raw(void) {
+ s = hashmap_free(s);
+
+ assert_se(s = hashmap_new(NULL));
+-#if SCMP_SYS(poll) >= 0
++#if defined __NR_poll && __NR_poll > 0
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(EILSEQ)) >= 0);
+ #else
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(EILSEQ)) >= 0);
+@@ -767,8 +768,8 @@ static int real_open(const char *path, int flags, mode_t mode) {
+ * testing purposes that calls the real syscall, on architectures where SYS_open is defined. On
+ * other architectures, let's just fall back to the glibc call. */
+
+-#ifdef SYS_open
+- return (int) syscall(SYS_open, path, flags, mode);
++#if defined __NR_open && __NR_open > 0
++ return (int) syscall(__NR_open, path, flags, mode);
+ #else
+ return open(path, flags, mode);
+ #endif
+--
+2.24.0
+
diff --git a/sys-apps/systemd/systemd-243-r2.ebuild b/sys-apps/systemd/systemd-243-r2.ebuild
index 7b3083b2a5dd..1b32293a17b8 100644
--- a/sys-apps/systemd/systemd-243-r2.ebuild
+++ b/sys-apps/systemd/systemd-243-r2.ebuild
@@ -11,7 +11,7 @@ else
MY_P=${PN}-${MY_PV}
S=${WORKDIR}/${MY_P}
SRC_URI="https://github.com/systemd/systemd/archive/v${MY_PV}/${MY_P}.tar.gz"
- KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~mips ppc ppc64 ~sparc x86"
+ KEYWORDS="alpha amd64 arm arm64 ~hppa ~ia64 ~mips ppc ppc64 ~sparc x86"
fi
PYTHON_COMPAT=( python{3_5,3_6,3_7} )
@@ -185,6 +185,7 @@ src_prepare() {
# Add local patches here
PATCHES+=(
+ "${FILESDIR}/243-seccomp.patch"
)
if ! use vanilla; then