Diffstat (limited to 'sys-apps/systemd')
-rw-r--r-- | sys-apps/systemd/Manifest | 3 | ||||
-rw-r--r-- | sys-apps/systemd/files/243-seccomp.patch | 145 | ||||
-rw-r--r-- | sys-apps/systemd/systemd-243-r2.ebuild | 3 |
3 files changed, 149 insertions, 2 deletions
diff --git a/sys-apps/systemd/Manifest b/sys-apps/systemd/Manifest
index fb8820e34945..98ef0fb7ac29 100644
--- a/sys-apps/systemd/Manifest
+++ b/sys-apps/systemd/Manifest
@@ -5,6 +5,7 @@ AUX 242-networkd-ipv6-token.patch 6525 BLAKE2B 4bbf64154f96419df91caf03f827f37bf
 AUX 242-rdrand-ryzen.patch 16177 BLAKE2B 7d1d3709098a233ba58727788b77c30025c0497fff9abb1df007e21160da3f93a7e9d14b0eeb7e6855bbe5fa93abfeda118156cbba355fc2976c83debcbb91d4 SHA512 38d00535a118b060accb8ed4e87681bab5e547270ef7e0abcdcf4766367e22761ffc35d0db7c829e86e0ad45f13cf4c761e71cfdfc70c2675056ef217c85618d
 AUX 242-socket-util-flush-accept.patch 2123 BLAKE2B 74bfbe440ae548b96d90b41ac45c440b21a63c61ae75a9d2b725d2bdec74a03aeca7b673a656821eb925e6740d6728a41d0dc30275287a92519b47d9c477c487 SHA512 7dd0daa70de4ee264d0b3dfe6f80b5e0c563e5bb5255ca2a92f26c4a993fca178f275f85c9048305b82b258d41c9bcbb28d74f9e2b6c2a0e77748464890cb907
 AUX 242-wireguard-listenport.patch 1598 BLAKE2B 3266fe600db530ebb5b8eb726822daf14ee87292b035c09a1eb9a46638cc2dc3b8a3f11dd74684a79f3e521d3999b6b8c3a641f8f7475a5d45706567e00d26f6 SHA512 69e047000eb5ed36850bcbc6b8ef37a646b60a642a07a68547624e81aa6e49c77b848745ca4daad883151ddcaee9e7957ea6430f5a0c0c67ffc7887778f536e9
+AUX 243-seccomp.patch 6293 BLAKE2B be1a78783e34d6cf8ba33f6ae6fb0e8747d414de692cf28bd9cce01ca47baf188b078171dd66c236ecf2a4a821f1dec0b7021e1298a29a3b21aacf3a9d667189 SHA512 da2cd2e11a06e0520af0ad3c6debe54c5ab046f7ee35a922c99a32924464a6b760b4620d8e511064f84d8adbf5e65db473877476a1cc36941a0420491b89cb25
 AUX CVE-2019-15718.patch 1232 BLAKE2B e5be62414a1f9c19c8834e093d166a025fbd5215223845df365c70afb35487bd393bcd5463a046107e384a43976dcbb57e9e0a4013355558982abe8b6baf35de SHA512 45017c2c6ff5b16206e4c2e78c82c231372fd13c965a64908d70c0019a0894f1599a4412df3efc1ad6b799df018c05560fbbc8a24ffb86f793a149d9aec2080f
 AUX gentoo-Dont-enable-audit-by-default.patch 1027 BLAKE2B 9193a409db4e5c1dec6f6b66ee6e0a4cc1ada49d41ab758c788cf12534fffb67bd7370b8558a6af56572d7f2b73cf47db255fef105e56362c15f0a426f80b256 SHA512 44e512d8bbadbc5714192896a3ba262e460af034846e4e9b9832b4143fff772e2734e655316fd88d1ef386509bd234c195dce2087348f220836b3bf4f26790e0
 AUX gentoo-generator-path-r1.patch 1037 BLAKE2B 5eb80521a6726c9b4693f9b0f56d3e68fca1a49f5f5eb5a1576329d30c93d2fe7c121920099d74962eacf7ed1d3747250f103a57e4be246320a99871521a3b6a SHA512 1b0d1c2f96cb4aa95adfa5940efaeb2bd940110720399358317906d21d08b0caf625474980e101bba001afd626f8ad64367b09b40bec0b2d46b977021c4adfc5
@@ -14,7 +15,7 @@ DIST systemd-242.tar.gz 7831435 BLAKE2B 288e65d0a8e133ef5885689eb16118a83d93c730
 DIST systemd-243.tar.gz 8242522 BLAKE2B 89e3ebbea5a99061329f7c78220a66c1e075d5ba90dfdf5ee8d0d9b762ef4600dc82d8ca2054632e5e343b6272cd8046c92f7f99dcfa8287c5ef2b42fb96d4cb SHA512 56b52a297aa5ac04d9667eb3afb1598725b197de73ff72baa1aabbc2844e36fba7b7fccdf6d214ae8b5b926616b2b7e15772763aaa80ec938d74333ff9c8673e
 EBUILD systemd-242-r6.ebuild 14157 BLAKE2B eebb763acfe83ff486867663b3485605730725b00aa7e802624ba8f04bb64e4c4e269f617ab37b5322cd29d878aa4a604919993a9767ff99be4db325503d0edd SHA512 66804d5aa53ec07c841d0d6f6bf6eeb3e610b90f43e449f84550a67a8ead10bdef34a43df2839710e4f62410c94c72478cbb4b0ab3aa4d184d58628b50f94ad6
 EBUILD systemd-242-r7.ebuild 14195 BLAKE2B 96ca4520a2eaeca5c970adad294080b06c4e928b8369f52f55e7099116864ef76c38edc387c2315654213a98dc502fb7db9d6067c9baa9462ba204d18ea9ab42 SHA512 56bcdb8ecc8cca4e68708f7b17d57592d62ccf43dc4144505251d06f8763d1e9260a1c97547d2b7889119a1e81e890061d5e73786d552c6acd7175d207ca132f
-EBUILD systemd-243-r2.ebuild 14475 BLAKE2B da969d039ee702ad07128892a7d294593e4cb9ebfc2c155e1a45a7d562b293d54a6ceaf105b7bccdb5a9181bba220f5eefb5a31df0267241238ba0ac8c45c110 SHA512 caf293cfef2a8bf74ba0cd04bf97b4ee7b3561c7136164ef517ddb33a64ad840f90fec7c220f0582532ae04425b0e79e29487301b351a8bafd01ef9d96ed244e
+EBUILD systemd-243-r2.ebuild 14508 BLAKE2B aa8246f50f4c6c75965a66df4e1dbe7fafc741256f71cae3b35b91c25186fc5c79415cddcc58430d0d6e2e89ad7ddc41b93e9302f930859ad4e2f87da45d68e7 SHA512 124e41692fb8ac22c92b2d0d64e85e0fa27616853bb20bb67b8c5bf7167f51e796686fd1f6ac4067896717af11a8cec8bc08f8a51e348a6a9730f0ad096f8988
 EBUILD systemd-243.ebuild 14255 BLAKE2B bcdf5056bce2710f3c088dfdb686c001816ad5fae721c06153d0eab50ae610f49b6449f4d6b4cb0abe0546f38f76a169569886b0f2446d3248a6d8f0b4c1216e SHA512 b8459206cc0395c6755ffe74cee27e48913c979204dbb794c659ad7c2cf8005d75ff4dda5984f65341cf04b7370a8a3d83718b8f9dc7c9fc1958203f31338a52
 EBUILD systemd-9999.ebuild 14481 BLAKE2B a01bcb68d3642c895ba67dd0aa2b79b5ee897423c2ecb32ff17a95ab0e5dcbfb0098b27b3e7fa710004b012708c0b79982b9d0bf7a6bb7602e36ef250a297be7 SHA512 4ca46d3ae151b793bc8609289df63701cccb3e608e9254f315af4873b79ad6c7cffbb74dd6e8f7da782f0156ce578059b96b0f359508ef5f28a6f9e5444440c8
 MISC metadata.xml 2144 BLAKE2B f98da35b929799e76331e0f4957f175db15fd8766542058520aeeb1cc762f46c4e3c4d40b1dd21da50a3416807359c383e323e17de175a1439d7faa4bb4be0af SHA512 6e5847187232637a1de5f0d8fad2d6ad0515d537206ea3a7bd2ccd9f17e67789f5c80ebf295554aa135325f2e4260217de6e9a6a7f21dd70945a94ebfc3bf0de
diff --git a/sys-apps/systemd/files/243-seccomp.patch b/sys-apps/systemd/files/243-seccomp.patch
new file mode 100644
index 000000000000..88b129f77223
--- /dev/null
+++ b/sys-apps/systemd/files/243-seccomp.patch
@@ -0,0 +1,145 @@
+From 4df8fe8415eaf4abd5b93c3447452547c6ea9e5f Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Thu, 14 Nov 2019 17:51:30 +0100
+Subject: [PATCH] seccomp: more comprehensive protection against libseccomp's
+ __NR_xyz namespace invasion
+
+A follow-up for 59b657296a2fe104f112b91bbf9301724067cc81, adding the
+same conditioning for all cases of our __NR_xyz use.
+
+Fixes: #14031
+---
+ src/basic/missing_syscall.h | 10 +++++-----
+ src/test/test-seccomp.c | 19 ++++++++++---------
+ 2 files changed, 15 insertions(+), 14 deletions(-)
+
+diff --git a/src/basic/missing_syscall.h b/src/basic/missing_syscall.h
+index 6d9b12544d..1255d8b197 100644
+--- a/src/basic/missing_syscall.h
++++ b/src/basic/missing_syscall.h
+@@ -274,7 +274,7 @@ static inline int missing_renameat2(int oldfd, const char *oldname, int newfd, c
+
+ #if !HAVE_KCMP
+ static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long idx1, unsigned long idx2) {
+-# ifdef __NR_kcmp
++# if defined __NR_kcmp && __NR_kcmp > 0
+ return syscall(__NR_kcmp, pid1, pid2, type, idx1, idx2);
+ # else
+ errno = ENOSYS;
+@@ -289,7 +289,7 @@ static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long i
+
+ #if !HAVE_KEYCTL
+ static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5) {
+-# ifdef __NR_keyctl
++# if defined __NR_keyctl && __NR_keyctl > 0
+ return syscall(__NR_keyctl, cmd, arg2, arg3, arg4, arg5);
+ # else
+ errno = ENOSYS;
+@@ -300,7 +300,7 @@ static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg
+ }
+
+ static inline key_serial_t missing_add_key(const char *type, const char *description, const void *payload, size_t plen, key_serial_t ringid) {
+-# ifdef __NR_add_key
++# if defined __NR_add_key && __NR_add_key > 0
+ return syscall(__NR_add_key, type, description, payload, plen, ringid);
+ # else
+ errno = ENOSYS;
+@@ -311,7 +311,7 @@ static inline key_serial_t missing_add_key(const char *type, const char *descrip
+ }
+
+ static inline key_serial_t missing_request_key(const char *type, const char *description, const char * callout_info, key_serial_t destringid) {
+-# ifdef __NR_request_key
++# if defined __NR_request_key && __NR_request_key > 0
+ return syscall(__NR_request_key, type, description, callout_info, destringid);
+ # else
+ errno = ENOSYS;
+@@ -496,7 +496,7 @@ enum {
+ static inline long missing_set_mempolicy(int mode, const unsigned long *nodemask,
+ unsigned long maxnode) {
+ long i;
+-# ifdef __NR_set_mempolicy
++# if defined __NR_set_mempolicy && __NR_set_mempolicy > 0
+ i = syscall(__NR_set_mempolicy, mode, nodemask, maxnode);
+ # else
+ errno = ENOSYS;
+diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
+index 018c20f8be..c6692043fe 100644
+--- a/src/test/test-seccomp.c
++++ b/src/test/test-seccomp.c
+@@ -28,7 +28,8 @@
+ #include "tmpfile-util.h"
+ #include "virt.h"
+
+-#if SCMP_SYS(socket) < 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__)
++/* __NR_socket may be invalid due to libseccomp */
++#if !defined(__NR_socket) || __NR_socket <= 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__)
+ /* On these archs, socket() is implemented via the socketcall() syscall multiplexer,
+ * and we can't restrict it hence via seccomp. */
+ # define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1
+@@ -304,14 +305,14 @@ static void test_protect_sysctl(void) {
+ assert_se(pid >= 0);
+
+ if (pid == 0) {
+-#if __NR__sysctl > 0
++#if defined __NR__sysctl && __NR__sysctl > 0
+ assert_se(syscall(__NR__sysctl, NULL) < 0);
+ assert_se(errno == EFAULT);
+ #endif
+
+ assert_se(seccomp_protect_sysctl() >= 0);
+
+-#if __NR__sysctl > 0
++#if defined __NR__sysctl && __NR__sysctl > 0
+ assert_se(syscall(__NR__sysctl, 0, 0, 0) < 0);
+ assert_se(errno == EPERM);
+ #endif
+@@ -640,7 +641,7 @@ static void test_load_syscall_filter_set_raw(void) {
+ assert_se(poll(NULL, 0, 0) == 0);
+
+ assert_se(s = hashmap_new(NULL));
+-#if SCMP_SYS(access) >= 0
++#if defined __NR_access && __NR_access > 0
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(-1)) >= 0);
+ #else
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(-1)) >= 0);
+@@ -656,7 +657,7 @@ static void test_load_syscall_filter_set_raw(void) {
+ s = hashmap_free(s);
+
+ assert_se(s = hashmap_new(NULL));
+-#if SCMP_SYS(access) >= 0
++#if defined __NR_access && __NR_access > 0
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(EILSEQ)) >= 0);
+ #else
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(EILSEQ)) >= 0);
+@@ -672,7 +673,7 @@ static void test_load_syscall_filter_set_raw(void) {
+ s = hashmap_free(s);
+
+ assert_se(s = hashmap_new(NULL));
+-#if SCMP_SYS(poll) >= 0
++#if defined __NR_poll && __NR_poll > 0
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(-1)) >= 0);
+ #else
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(-1)) >= 0);
+@@ -689,7 +690,7 @@ static void test_load_syscall_filter_set_raw(void) {
+ s = hashmap_free(s);
+
+ assert_se(s = hashmap_new(NULL));
+-#if SCMP_SYS(poll) >= 0
++#if defined __NR_poll && __NR_poll > 0
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(EILSEQ)) >= 0);
+ #else
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(EILSEQ)) >= 0);
+@@ -767,8 +768,8 @@ static int real_open(const char *path, int flags, mode_t mode) {
+ * testing purposes that calls the real syscall, on architectures where SYS_open is defined. On
+ * other architectures, let's just fall back to the glibc call. */
+
+-#ifdef SYS_open
+- return (int) syscall(SYS_open, path, flags, mode);
++#if defined __NR_open && __NR_open > 0
++ return (int) syscall(__NR_open, path, flags, mode);
+ #else
+ return open(path, flags, mode);
+ #endif
+--
+2.24.0
+
diff --git a/sys-apps/systemd/systemd-243-r2.ebuild b/sys-apps/systemd/systemd-243-r2.ebuild
index 7b3083b2a5dd..1b32293a17b8 100644
--- a/sys-apps/systemd/systemd-243-r2.ebuild
+++ b/sys-apps/systemd/systemd-243-r2.ebuild
@@ -11,7 +11,7 @@ else
 MY_P=${PN}-${MY_PV}
 S=${WORKDIR}/${MY_P}
 SRC_URI="https://github.com/systemd/systemd/archive/v${MY_PV}/${MY_P}.tar.gz"
- KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~mips ppc ppc64 ~sparc x86"
+ KEYWORDS="alpha amd64 arm arm64 ~hppa ~ia64 ~mips ppc ppc64 ~sparc x86"
 fi
 PYTHON_COMPAT=( python{3_5,3_6,3_7} )
@@ -185,6 +185,7 @@ src_prepare() {
 # Add local patches here
 PATCHES+=(
+ "${FILESDIR}/243-seccomp.patch"
 )
 if ! use vanilla; then
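Review bot: The new guards in missing_syscall.h (`# if defined __NR_kcmp && __NR_kcmp > 0` and its four siblings) and in test-seccomp.c (`__NR_socket <= 0`, `__NR__sysctl > 0`, `__NR_access > 0`, `__NR_poll > 0`, `__NR_open > 0`) also treat a syscall whose real number is 0 as absent, yet 0 is a legitimate syscall number on Linux ABIs, so the test is stricter than "not one of libseccomp's injected placeholders". The patch subject and the added `/* __NR_socket may be invalid due to libseccomp */` comment imply those placeholders are negative, in which case `>= 0` (and `< 0` in the socket test) expresses the intent exactly; to my knowledge none of the syscalls touched here is number 0 on a common ABI, so this is latent rather than a live fault. I would change the pattern to `# if defined __NR_kcmp && __NR_kcmp >= 0` and `#if !defined(__NR_socket) || __NR_socket < 0 || defined(__i386__) || ...` so it is not copied into a future wrapper where 0 can be real, and add a one-line comment on the first guard saying why the sign check exists at all (`/* libseccomp may define __NR_* to a negative pseudo-number for syscalls the arch lacks */`). Every function these hunks touch starts or ends outside the shown hunk.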