
From: Mike Gilbert <floppym@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: sys-apps/systemd/files/CVE-2019-6454/, sys-apps/systemd/
Date: Mon, 18 Feb 2019 23:32:09
Message-Id: 1550532716.c0e6ffa5671fad0b3830348ff960b8ec4e3d2f27.floppym@gentoo
1 commit: c0e6ffa5671fad0b3830348ff960b8ec4e3d2f27
2 Author: Mike Gilbert <floppym <AT> gentoo <DOT> org>
3 AuthorDate: Sun Feb 17 18:31:37 2019 +0000
4 Commit: Mike Gilbert <floppym <AT> gentoo <DOT> org>
5 CommitDate: Mon Feb 18 23:31:56 2019 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c0e6ffa5
7
8 sys-apps/systemd: backport patches for CVE-2019-6454
9
10 Bug: https://bugs.gentoo.org/677944
11 Package-Manager: Portage-2.3.59_p2, Repoman-2.3.12_p67
12 Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>
13
14 ...-message-paths-longer-than-BUS_PATH_SIZE_.patch | 48 +++
15 ...mporary-strings-to-hold-dbus-paths-on-the.patch | 188 +++++++++
16 ...e-receive-an-invalid-dbus-message-ignore-.patch | 54 +++
17 sys-apps/systemd/systemd-241-r1.ebuild | 461 +++++++++++++++++++++
18 4 files changed, 751 insertions(+)
19
20 diff --git a/sys-apps/systemd/files/CVE-2019-6454/0001-Refuse-dbus-message-paths-longer-than-BUS_PATH_SIZE_.patch b/sys-apps/systemd/files/CVE-2019-6454/0001-Refuse-dbus-message-paths-longer-than-BUS_PATH_SIZE_.patch
21 new file mode 100644
22 index 00000000000..6a0c8d1b0c5
23 --- /dev/null
24 +++ b/sys-apps/systemd/files/CVE-2019-6454/0001-Refuse-dbus-message-paths-longer-than-BUS_PATH_SIZE_.patch
25 @@ -0,0 +1,48 @@
26 +From 29de632674473729d1e9497b6fe47e7c88682ed9 Mon Sep 17 00:00:00 2001
27 +From: Riccardo Schirone <rschiron@××××××.com>
28 +Date: Mon, 4 Feb 2019 14:29:09 +0100
29 +Subject: [PATCH 1/3] Refuse dbus message paths longer than BUS_PATH_SIZE_MAX
30 + limit.
31 +
32 +Even though the dbus specification does not enforce any length limit on the
33 +path of a dbus message, having to analyze too long strings in PID1 may be
34 +time-consuming and it may have security impacts.
35 +
36 +In any case, the limit is set so high that real-life applications should not
37 +have a problem with it.
38 +---
39 + src/libsystemd/sd-bus/bus-internal.c | 2 +-
40 + src/libsystemd/sd-bus/bus-internal.h | 4 ++++
41 + 2 files changed, 5 insertions(+), 1 deletion(-)
42 +
43 +diff --git a/src/libsystemd/sd-bus/bus-internal.c b/src/libsystemd/sd-bus/bus-internal.c
44 +index 40acae2133..598b7f110c 100644
45 +--- a/src/libsystemd/sd-bus/bus-internal.c
46 ++++ b/src/libsystemd/sd-bus/bus-internal.c
47 +@@ -43,7 +43,7 @@ bool object_path_is_valid(const char *p) {
48 + if (slash)
49 + return false;
50 +
51 +- return true;
52 ++ return (q - p) <= BUS_PATH_SIZE_MAX;
53 + }
54 +
55 + char* object_path_startswith(const char *a, const char *b) {
56 +diff --git a/src/libsystemd/sd-bus/bus-internal.h b/src/libsystemd/sd-bus/bus-internal.h
57 +index f208b294d8..a8d61bf72a 100644
58 +--- a/src/libsystemd/sd-bus/bus-internal.h
59 ++++ b/src/libsystemd/sd-bus/bus-internal.h
60 +@@ -332,6 +332,10 @@ struct sd_bus {
61 +
62 + #define BUS_MESSAGE_SIZE_MAX (128*1024*1024)
63 + #define BUS_AUTH_SIZE_MAX (64*1024)
64 ++/* Note that the D-Bus specification states that bus paths shall have no size limit. We enforce here one
65 ++ * anyway, since truly unbounded strings are a security problem. The limit we pick is relatively large however,
66 ++ * to not clash unnecessarily with real-life applications. */
67 ++#define BUS_PATH_SIZE_MAX (64*1024)
68 +
69 + #define BUS_CONTAINER_DEPTH 128
70 +
71 +--
72 +2.20.1
73 +
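Review bot: The new `return (q - p) <= BUS_PATH_SIZE_MAX;` only fires after the function has already walked the whole string (the `if (slash)` tail visible here presumably follows the per-character validation loop, which is outside the hunk), so an over-long path is still scanned to its end before being refused, which is the cost the commit message says it wants to bound. A cheap pre-check at the top of object_path_is_valid, `if (strnlen(p, BUS_PATH_SIZE_MAX + 1) > BUS_PATH_SIZE_MAX) return false;`, would cap the work without changing the accepted set. The limit is compared inclusively here while the follow-up allocations size `pl + 1`, which is consistent, but the `#define` comment should say so explicitly, e.g. `/* Maximum strlen() of an object path (excluding the NUL); every path handled by bus-objects.c must have passed object_path_is_valid() against this limit. */`, since other code will build on that invariant.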
74
75 diff --git a/sys-apps/systemd/files/CVE-2019-6454/0002-Allocate-temporary-strings-to-hold-dbus-paths-on-the.patch b/sys-apps/systemd/files/CVE-2019-6454/0002-Allocate-temporary-strings-to-hold-dbus-paths-on-the.patch
76 new file mode 100644
77 index 00000000000..bbc6db974d4
78 --- /dev/null
79 +++ b/sys-apps/systemd/files/CVE-2019-6454/0002-Allocate-temporary-strings-to-hold-dbus-paths-on-the.patch
80 @@ -0,0 +1,188 @@
81 +From 1ffe59592c5cbf924eb81a3662b4252ba6de7132 Mon Sep 17 00:00:00 2001
82 +From: Riccardo Schirone <rschiron@××××××.com>
83 +Date: Mon, 4 Feb 2019 14:29:28 +0100
84 +Subject: [PATCH 2/3] Allocate temporary strings to hold dbus paths on the heap
85 +
86 +Paths are limited to BUS_PATH_SIZE_MAX but the maximum size is anyway too big
87 +to be allocated on the stack, so let's switch to the heap where there is a
88 +clear way to understand if the allocation fails.
89 +---
90 + src/libsystemd/sd-bus/bus-objects.c | 68 +++++++++++++++++++++++------
91 + 1 file changed, 54 insertions(+), 14 deletions(-)
92 +
93 +diff --git a/src/libsystemd/sd-bus/bus-objects.c b/src/libsystemd/sd-bus/bus-objects.c
94 +index 58329f3fe7..54b977418e 100644
95 +--- a/src/libsystemd/sd-bus/bus-objects.c
96 ++++ b/src/libsystemd/sd-bus/bus-objects.c
97 +@@ -1133,7 +1133,8 @@ static int object_manager_serialize_path_and_fallbacks(
98 + const char *path,
99 + sd_bus_error *error) {
100 +
101 +- char *prefix;
102 ++ _cleanup_free_ char *prefix = NULL;
103 ++ size_t pl;
104 + int r;
105 +
106 + assert(bus);
107 +@@ -1149,7 +1150,12 @@ static int object_manager_serialize_path_and_fallbacks(
108 + return 0;
109 +
110 + /* Second, add fallback vtables registered for any of the prefixes */
111 +- prefix = newa(char, strlen(path) + 1);
112 ++ pl = strlen(path);
113 ++ assert(pl <= BUS_PATH_SIZE_MAX);
114 ++ prefix = new(char, pl + 1);
115 ++ if (!prefix)
116 ++ return -ENOMEM;
117 ++
118 + OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
119 + r = object_manager_serialize_path(bus, reply, prefix, path, true, error);
120 + if (r < 0)
121 +@@ -1345,6 +1351,7 @@ static int object_find_and_run(
122 + }
123 +
124 + int bus_process_object(sd_bus *bus, sd_bus_message *m) {
125 ++ _cleanup_free_ char *prefix = NULL;
126 + int r;
127 + size_t pl;
128 + bool found_object = false;
129 +@@ -1369,9 +1376,12 @@ int bus_process_object(sd_bus *bus, sd_bus_message *m) {
130 + assert(m->member);
131 +
132 + pl = strlen(m->path);
133 +- do {
134 +- char prefix[pl+1];
135 ++ assert(pl <= BUS_PATH_SIZE_MAX);
136 ++ prefix = new(char, pl + 1);
137 ++ if (!prefix)
138 ++ return -ENOMEM;
139 +
140 ++ do {
141 + bus->nodes_modified = false;
142 +
143 + r = object_find_and_run(bus, m, m->path, false, &found_object);
144 +@@ -1498,9 +1508,15 @@ static int bus_find_parent_object_manager(sd_bus *bus, struct node **out, const
145 +
146 + n = hashmap_get(bus->nodes, path);
147 + if (!n) {
148 +- char *prefix;
149 ++ _cleanup_free_ char *prefix = NULL;
150 ++ size_t pl;
151 ++
152 ++ pl = strlen(path);
153 ++ assert(pl <= BUS_PATH_SIZE_MAX);
154 ++ prefix = new(char, pl + 1);
155 ++ if (!prefix)
156 ++ return -ENOMEM;
157 +
158 +- prefix = newa(char, strlen(path) + 1);
159 + OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
160 + n = hashmap_get(bus->nodes, prefix);
161 + if (n)
162 +@@ -2083,8 +2099,9 @@ _public_ int sd_bus_emit_properties_changed_strv(
163 + const char *interface,
164 + char **names) {
165 +
166 ++ _cleanup_free_ char *prefix = NULL;
167 + bool found_interface = false;
168 +- char *prefix;
169 ++ size_t pl;
170 + int r;
171 +
172 + assert_return(bus, -EINVAL);
173 +@@ -2105,6 +2122,12 @@ _public_ int sd_bus_emit_properties_changed_strv(
174 +
175 + BUS_DONT_DESTROY(bus);
176 +
177 ++ pl = strlen(path);
178 ++ assert(pl <= BUS_PATH_SIZE_MAX);
179 ++ prefix = new(char, pl + 1);
180 ++ if (!prefix)
181 ++ return -ENOMEM;
182 ++
183 + do {
184 + bus->nodes_modified = false;
185 +
186 +@@ -2114,7 +2137,6 @@ _public_ int sd_bus_emit_properties_changed_strv(
187 + if (bus->nodes_modified)
188 + continue;
189 +
190 +- prefix = newa(char, strlen(path) + 1);
191 + OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
192 + r = emit_properties_changed_on_interface(bus, prefix, path, interface, true, &found_interface, names);
193 + if (r != 0)
194 +@@ -2246,7 +2268,8 @@ static int object_added_append_all_prefix(
195 +
196 + static int object_added_append_all(sd_bus *bus, sd_bus_message *m, const char *path) {
197 + _cleanup_set_free_ Set *s = NULL;
198 +- char *prefix;
199 ++ _cleanup_free_ char *prefix = NULL;
200 ++ size_t pl;
201 + int r;
202 +
203 + assert(bus);
204 +@@ -2291,7 +2314,12 @@ static int object_added_append_all(sd_bus *bus, sd_bus_message *m, const char *p
205 + if (bus->nodes_modified)
206 + return 0;
207 +
208 +- prefix = newa(char, strlen(path) + 1);
209 ++ pl = strlen(path);
210 ++ assert(pl <= BUS_PATH_SIZE_MAX);
211 ++ prefix = new(char, pl + 1);
212 ++ if (!prefix)
213 ++ return -ENOMEM;
214 ++
215 + OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
216 + r = object_added_append_all_prefix(bus, m, s, prefix, path, true);
217 + if (r < 0)
218 +@@ -2430,7 +2458,8 @@ static int object_removed_append_all_prefix(
219 +
220 + static int object_removed_append_all(sd_bus *bus, sd_bus_message *m, const char *path) {
221 + _cleanup_set_free_ Set *s = NULL;
222 +- char *prefix;
223 ++ _cleanup_free_ char *prefix = NULL;
224 ++ size_t pl;
225 + int r;
226 +
227 + assert(bus);
228 +@@ -2462,7 +2491,12 @@ static int object_removed_append_all(sd_bus *bus, sd_bus_message *m, const char
229 + if (bus->nodes_modified)
230 + return 0;
231 +
232 +- prefix = newa(char, strlen(path) + 1);
233 ++ pl = strlen(path);
234 ++ assert(pl <= BUS_PATH_SIZE_MAX);
235 ++ prefix = new(char, pl + 1);
236 ++ if (!prefix)
237 ++ return -ENOMEM;
238 ++
239 + OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
240 + r = object_removed_append_all_prefix(bus, m, s, prefix, path, true);
241 + if (r < 0)
242 +@@ -2612,7 +2646,8 @@ static int interfaces_added_append_one(
243 + const char *path,
244 + const char *interface) {
245 +
246 +- char *prefix;
247 ++ _cleanup_free_ char *prefix = NULL;
248 ++ size_t pl;
249 + int r;
250 +
251 + assert(bus);
252 +@@ -2626,7 +2661,12 @@ static int interfaces_added_append_one(
253 + if (bus->nodes_modified)
254 + return 0;
255 +
256 +- prefix = newa(char, strlen(path) + 1);
257 ++ pl = strlen(path);
258 ++ assert(pl <= BUS_PATH_SIZE_MAX);
259 ++ prefix = new(char, pl + 1);
260 ++ if (!prefix)
261 ++ return -ENOMEM;
262 ++
263 + OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
264 + r = interfaces_added_append_one_prefix(bus, m, prefix, path, interface, true);
265 + if (r != 0)
266 +--
267 +2.20.1
268 +
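Review bot: The new `assert(pl <= BUS_PATH_SIZE_MAX);` in bus_process_object and its five sibling sites aborts the process, PID 1 when sd-bus runs inside systemd itself, if a path ever reaches here without having gone through object_path_is_valid(), so the safety of the heap switch depends on a validation that lives in a different file and is not visible in this hunk. A non-fatal guard such as `if (pl > BUS_PATH_SIZE_MAX) return -EINVAL;` (or `assert_return(pl <= BUS_PATH_SIZE_MAX, -EINVAL);` in the `_public_` sd_bus_emit_properties_changed_strv, whose `path` comes from the API caller rather than from the wire) would keep the allocation bounded without turning a missed check into a crash. Whether every caller's path is already validated cannot be confirmed from here; if it is, each assert deserves a one-line comment naming that invariant, e.g. `/* m->path was length-checked by object_path_is_valid() at parse time */`. The bodies of bus_process_object and sd_bus_emit_properties_changed_strv continue outside the hunk.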
269
270 diff --git a/sys-apps/systemd/files/CVE-2019-6454/0003-sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch b/sys-apps/systemd/files/CVE-2019-6454/0003-sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch
271 new file mode 100644
272 index 00000000000..cc03893a588
273 --- /dev/null
274 +++ b/sys-apps/systemd/files/CVE-2019-6454/0003-sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch
275 @@ -0,0 +1,54 @@
276 +From 8d3cea620ab661897fb485ece7332a9073c1783d Mon Sep 17 00:00:00 2001
277 +From: Lennart Poettering <lennart@××××××××××.net>
278 +Date: Wed, 13 Feb 2019 16:51:22 +0100
279 +Subject: [PATCH 3/3] sd-bus: if we receive an invalid dbus message, ignore and
280 + proceeed
281 +
282 +dbus-daemon might have a slightly different idea of what a valid msg is
283 +than us (for example regarding valid msg and field sizes). Let's hence
284 +try to proceed if we can and thus drop messages rather than fail the
285 +connection if we fail to validate a message.
286 +
287 +Hopefully the differences in what is considered valid are not visible
288 +for real-life usecases, but are specific to exploit attempts only.
289 +---
290 + src/libsystemd/sd-bus/bus-socket.c | 9 ++++++---
291 + 1 file changed, 6 insertions(+), 3 deletions(-)
292 +
293 +diff --git a/src/libsystemd/sd-bus/bus-socket.c b/src/libsystemd/sd-bus/bus-socket.c
294 +index 30d6455b6f..441b4a816f 100644
295 +--- a/src/libsystemd/sd-bus/bus-socket.c
296 ++++ b/src/libsystemd/sd-bus/bus-socket.c
297 +@@ -1072,7 +1072,7 @@ static int bus_socket_read_message_need(sd_bus *bus, size_t *need) {
298 + }
299 +
300 + static int bus_socket_make_message(sd_bus *bus, size_t size) {
301 +- sd_bus_message *t;
302 ++ sd_bus_message *t = NULL;
303 + void *b;
304 + int r;
305 +
306 +@@ -1097,7 +1097,9 @@ static int bus_socket_make_message(sd_bus *bus, size_t size) {
307 + bus->fds, bus->n_fds,
308 + NULL,
309 + &t);
310 +- if (r < 0) {
311 ++ if (r == -EBADMSG)
312 ++ log_debug_errno(r, "Received invalid message from connection %s, dropping.", strna(bus->description));
313 ++ else if (r < 0) {
314 + free(b);
315 + return r;
316 + }
317 +@@ -1108,7 +1110,8 @@ static int bus_socket_make_message(sd_bus *bus, size_t size) {
318 + bus->fds = NULL;
319 + bus->n_fds = 0;
320 +
321 +- bus->rqueue[bus->rqueue_size++] = t;
322 ++ if (t)
323 ++ bus->rqueue[bus->rqueue_size++] = t;
324 +
325 + return 1;
326 + }
327 +--
328 +2.20.1
329 +
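Review bot: This patch is added under files/CVE-2019-6454/ but src_prepare in the ebuild from the same commit lists only 0001 and 0002 in PATCHES, so the drop-invalid-message behaviour never reaches systemd-241-r1; either add `"${FILESDIR}"/CVE-2019-6454/0003-sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch` to that array or drop the file. Inside the hunk, the new `-EBADMSG` branch logs and falls through without `free(b)`, while the `else if (r < 0)` branch right below it does free the buffer, which suggests bus_message_from_malloc() leaves `b` owned by the caller on failure; if so, every dropped message leaks its buffer, and a peer that can send malformed messages can grow PID 1's heap at will, so `free(b);` belongs in that branch as well. Likewise `bus->fds = NULL; bus->n_fds = 0;` still runs after a drop, so any fds attached to the discarded message would be orphaned rather than closed unless bus_message_from_malloc() closes them on error, which cannot be confirmed from this hunk.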
330
331 diff --git a/sys-apps/systemd/systemd-241-r1.ebuild b/sys-apps/systemd/systemd-241-r1.ebuild
332 new file mode 100644
333 index 00000000000..47f33c6fcff
334 --- /dev/null
335 +++ b/sys-apps/systemd/systemd-241-r1.ebuild
336 @@ -0,0 +1,461 @@
337 +# Copyright 2011-2019 Gentoo Authors
338 +# Distributed under the terms of the GNU General Public License v2
339 +
340 +EAPI=7
341 +
342 +if [[ ${PV} == 9999 ]]; then
343 + EGIT_REPO_URI="https://github.com/systemd/systemd.git"
344 + inherit git-r3
345 +else
346 + MY_PV=${PV/_/-}
347 + MY_P=${PN}-${MY_PV}
348 + S=${WORKDIR}/${MY_P}
349 + SRC_URI="https://github.com/systemd/systemd/archive/v${MY_PV}/${MY_P}.tar.gz"
350 + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86"
351 +fi
352 +
353 +PYTHON_COMPAT=( python{3_5,3_6,3_7} )
354 +
355 +inherit bash-completion-r1 linux-info meson multilib-minimal ninja-utils pam python-any-r1 systemd toolchain-funcs udev user
356 +
357 +DESCRIPTION="System and service manager for Linux"
358 +HOMEPAGE="https://www.freedesktop.org/wiki/Software/systemd"
359 +
360 +LICENSE="GPL-2 LGPL-2.1 MIT public-domain"
361 +SLOT="0/2"
362 +IUSE="acl apparmor audit build cryptsetup curl elfutils +gcrypt gnuefi http idn importd +kmod libidn2 +lz4 lzma nat pam pcre policykit qrcode +resolvconf +seccomp selinux +split-usr ssl +sysv-utils test vanilla xkb"
363 +
364 +REQUIRED_USE="importd? ( curl gcrypt lzma )"
365 +RESTRICT="!test? ( test )"
366 +
367 +MINKV="3.11"
368 +
369 +COMMON_DEPEND=">=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}]
370 + sys-libs/libcap:0=[${MULTILIB_USEDEP}]
371 + !<sys-libs/glibc-2.16
372 + acl? ( sys-apps/acl:0= )
373 + apparmor? ( sys-libs/libapparmor:0= )
374 + audit? ( >=sys-process/audit-2:0= )
375 + cryptsetup? ( >=sys-fs/cryptsetup-1.6:0= )
376 + curl? ( net-misc/curl:0= )
377 + elfutils? ( >=dev-libs/elfutils-0.158:0= )
378 + gcrypt? ( >=dev-libs/libgcrypt-1.4.5:0=[${MULTILIB_USEDEP}] )
379 + http? (
380 + >=net-libs/libmicrohttpd-0.9.33:0=
381 + ssl? ( >=net-libs/gnutls-3.1.4:0= )
382 + )
383 + idn? (
384 + libidn2? ( net-dns/libidn2:= )
385 + !libidn2? ( net-dns/libidn:= )
386 + )
387 + importd? (
388 + app-arch/bzip2:0=
389 + sys-libs/zlib:0=
390 + )
391 + kmod? ( >=sys-apps/kmod-15:0= )
392 + lz4? ( >=app-arch/lz4-0_p131:0=[${MULTILIB_USEDEP}] )
393 + lzma? ( >=app-arch/xz-utils-5.0.5-r1:0=[${MULTILIB_USEDEP}] )
394 + nat? ( net-firewall/iptables:0= )
395 + pam? ( virtual/pam:=[${MULTILIB_USEDEP}] )
396 + pcre? ( dev-libs/libpcre2 )
397 + qrcode? ( media-gfx/qrencode:0= )
398 + seccomp? ( >=sys-libs/libseccomp-2.3.3:0= )
399 + selinux? ( sys-libs/libselinux:0= )
400 + xkb? ( >=x11-libs/libxkbcommon-0.4.1:0= )"
401 +
402 +# baselayout-2.2 has /run
403 +RDEPEND="${COMMON_DEPEND}
404 + >=sys-apps/baselayout-2.2
405 + selinux? ( sec-policy/selinux-base-policy[systemd] )
406 + sysv-utils? ( !sys-apps/sysvinit )
407 + !sysv-utils? ( sys-apps/sysvinit )
408 + resolvconf? ( !net-dns/openresolv )
409 + !build? ( || (
410 + sys-apps/util-linux[kill(-)]
411 + sys-process/procps[kill(+)]
412 + sys-apps/coreutils[kill(-)]
413 + ) )
414 + !sys-auth/nss-myhostname
415 + !<sys-kernel/dracut-044
416 + !sys-fs/eudev
417 + !sys-fs/udev"
418 +
419 +# sys-apps/dbus: the daemon only (+ build-time lib dep for tests)
420 +PDEPEND=">=sys-apps/dbus-1.9.8[systemd]
421 + >=sys-apps/hwids-20150417[udev]
422 + >=sys-fs/udev-init-scripts-25
423 + policykit? ( sys-auth/polkit )
424 + !vanilla? ( sys-apps/gentoo-systemd-integration )"
425 +
426 +# Newer linux-headers needed by ia64, bug #480218
427 +DEPEND="
428 + >=sys-kernel/linux-headers-${MINKV}
429 + gnuefi? ( >=sys-boot/gnu-efi-3.0.2 )
430 +"
431 +
432 +BDEPEND="
433 + app-arch/xz-utils:0
434 + dev-util/gperf
435 + >=dev-util/meson-0.46
436 + >=dev-util/intltool-0.50
437 + >=sys-apps/coreutils-8.16
438 + virtual/pkgconfig[${MULTILIB_USEDEP}]
439 + test? ( sys-apps/dbus )
440 + app-text/docbook-xml-dtd:4.2
441 + app-text/docbook-xml-dtd:4.5
442 + app-text/docbook-xsl-stylesheets
443 + dev-libs/libxslt:0
444 + $(python_gen_any_dep 'dev-python/lxml[${PYTHON_USEDEP}]')
445 +"
446 +
447 +pkg_pretend() {
448 + if [[ ${MERGE_TYPE} != buildonly ]]; then
449 + local CONFIG_CHECK="~AUTOFS4_FS ~BLK_DEV_BSG ~CGROUPS
450 + ~CHECKPOINT_RESTORE ~DEVTMPFS ~EPOLL ~FANOTIFY ~FHANDLE
451 + ~INOTIFY_USER ~IPV6 ~NET ~NET_NS ~PROC_FS ~SIGNALFD ~SYSFS
452 + ~TIMERFD ~TMPFS_XATTR ~UNIX
453 + ~CRYPTO_HMAC ~CRYPTO_SHA256 ~CRYPTO_USER_API_HASH
454 + ~!FW_LOADER_USER_HELPER_FALLBACK ~!GRKERNSEC_PROC ~!IDE ~!SYSFS_DEPRECATED
455 + ~!SYSFS_DEPRECATED_V2"
456 +
457 + use acl && CONFIG_CHECK+=" ~TMPFS_POSIX_ACL"
458 + use seccomp && CONFIG_CHECK+=" ~SECCOMP ~SECCOMP_FILTER"
459 + kernel_is -lt 3 7 && CONFIG_CHECK+=" ~HOTPLUG"
460 + kernel_is -lt 4 7 && CONFIG_CHECK+=" ~DEVPTS_MULTIPLE_INSTANCES"
461 + kernel_is -ge 4 10 && CONFIG_CHECK+=" ~CGROUP_BPF"
462 +
463 + if linux_config_exists; then
464 + local uevent_helper_path=$(linux_chkconfig_string UEVENT_HELPER_PATH)
465 + if [[ -n ${uevent_helper_path} ]] && [[ ${uevent_helper_path} != '""' ]]; then
466 + ewarn "It's recommended to set an empty value to the following kernel config option:"
467 + ewarn "CONFIG_UEVENT_HELPER_PATH=${uevent_helper_path}"
468 + fi
469 + if linux_chkconfig_present X86; then
470 + CONFIG_CHECK+=" ~DMIID"
471 + fi
472 + fi
473 +
474 + if kernel_is -lt ${MINKV//./ }; then
475 + ewarn "Kernel version at least ${MINKV} required"
476 + fi
477 +
478 + check_extra_config
479 + fi
480 +}
481 +
482 +pkg_setup() {
483 + :
484 +}
485 +
486 +src_unpack() {
487 + default
488 + [[ ${PV} != 9999 ]] || git-r3_src_unpack
489 +}
490 +
491 +src_prepare() {
492 + # Do NOT add patches here
493 + local PATCHES=()
494 +
495 + [[ -d "${WORKDIR}"/patches ]] && PATCHES+=( "${WORKDIR}"/patches )
496 +
497 + # Add local patches here
498 + PATCHES+=(
499 + "${FILESDIR}"/CVE-2019-6454/0001-Refuse-dbus-message-paths-longer-than-BUS_PATH_SIZE_.patch
500 + "${FILESDIR}"/CVE-2019-6454/0002-Allocate-temporary-strings-to-hold-dbus-paths-on-the.patch
501 + )
502 +
503 + if ! use vanilla; then
504 + PATCHES+=(
505 + "${FILESDIR}/gentoo-Dont-enable-audit-by-default.patch"
506 + "${FILESDIR}/gentoo-systemd-user-pam.patch"
507 + "${FILESDIR}/gentoo-uucp-group-r1.patch"
508 + "${FILESDIR}/gentoo-generator-path-r1.patch"
509 + )
510 + fi
511 +
512 + default
513 +}
514 +
515 +src_configure() {
516 + # Prevent conflicts with i686 cross toolchain, bug 559726
517 + tc-export AR CC NM OBJCOPY RANLIB
518 +
519 + python_setup
520 +
521 + multilib-minimal_src_configure
522 +}
523 +
524 +meson_use() {
525 + usex "$1" true false
526 +}
527 +
528 +meson_multilib() {
529 + if multilib_is_native_abi; then
530 + echo true
531 + else
532 + echo false
533 + fi
534 +}
535 +
536 +meson_multilib_native_use() {
537 + if multilib_is_native_abi && use "$1"; then
538 + echo true
539 + else
540 + echo false
541 + fi
542 +}
543 +
544 +multilib_src_configure() {
545 + local myconf=(
546 + --localstatedir="${EPREFIX}/var"
547 + -Dpamlibdir="$(getpam_mod_dir)"
548 + # avoid bash-completion dep
549 + -Dbashcompletiondir="$(get_bashcompdir)"
550 + # make sure we get /bin:/sbin in PATH
551 + -Dsplit-usr=$(usex split-usr true false)
552 + -Drootprefix="$(usex split-usr "${EPREFIX:-/}" "${EPREFIX}/usr")"
553 + -Dsysvinit-path=
554 + -Dsysvrcnd-path=
555 + # Avoid infinite exec recursion, bug 642724
556 + -Dtelinit-path="${EPREFIX}/lib/sysvinit/telinit"
557 + # no deps
558 + -Defi=$(meson_multilib)
559 + -Dima=true
560 + # Optional components/dependencies
561 + -Dacl=$(meson_multilib_native_use acl)
562 + -Dapparmor=$(meson_multilib_native_use apparmor)
563 + -Daudit=$(meson_multilib_native_use audit)
564 + -Dlibcryptsetup=$(meson_multilib_native_use cryptsetup)
565 + -Dlibcurl=$(meson_multilib_native_use curl)
566 + -Delfutils=$(meson_multilib_native_use elfutils)
567 + -Dgcrypt=$(meson_use gcrypt)
568 + -Dgnu-efi=$(meson_multilib_native_use gnuefi)
569 + -Defi-libdir="${EPREFIX}/usr/$(get_libdir)"
570 + -Dmicrohttpd=$(meson_multilib_native_use http)
571 + $(usex http -Dgnutls=$(meson_multilib_native_use ssl) -Dgnutls=false)
572 + -Dimportd=$(meson_multilib_native_use importd)
573 + -Dbzip2=$(meson_multilib_native_use importd)
574 + -Dzlib=$(meson_multilib_native_use importd)
575 + -Dkmod=$(meson_multilib_native_use kmod)
576 + -Dlz4=$(meson_use lz4)
577 + -Dxz=$(meson_use lzma)
578 + -Dlibiptc=$(meson_multilib_native_use nat)
579 + -Dpam=$(meson_use pam)
580 + -Dpcre2=$(meson_multilib_native_use pcre)
581 + -Dpolkit=$(meson_multilib_native_use policykit)
582 + -Dqrencode=$(meson_multilib_native_use qrcode)
583 + -Dseccomp=$(meson_multilib_native_use seccomp)
584 + -Dselinux=$(meson_multilib_native_use selinux)
585 + #-Dtests=$(meson_multilib_native_use test)
586 + -Ddbus=$(meson_multilib_native_use test)
587 + -Dxkbcommon=$(meson_multilib_native_use xkb)
588 + # hardcode a few paths to spare some deps
589 + -Dkill-path=/bin/kill
590 + -Dntp-servers="0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org 2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org"
591 + # Breaks screen, tmux, etc.
592 + -Ddefault-kill-user-processes=false
593 +
594 + # multilib options
595 + -Dbacklight=$(meson_multilib)
596 + -Dbinfmt=$(meson_multilib)
597 + -Dcoredump=$(meson_multilib)
598 + -Denvironment-d=$(meson_multilib)
599 + -Dfirstboot=$(meson_multilib)
600 + -Dhibernate=$(meson_multilib)
601 + -Dhostnamed=$(meson_multilib)
602 + -Dhwdb=$(meson_multilib)
603 + -Dldconfig=$(meson_multilib)
604 + -Dlocaled=$(meson_multilib)
605 + -Dman=$(meson_multilib)
606 + -Dnetworkd=$(meson_multilib)
607 + -Dquotacheck=$(meson_multilib)
608 + -Drandomseed=$(meson_multilib)
609 + -Drfkill=$(meson_multilib)
610 + -Dsysusers=$(meson_multilib)
611 + -Dtimedated=$(meson_multilib)
612 + -Dtimesyncd=$(meson_multilib)
613 + -Dtmpfiles=$(meson_multilib)
614 + -Dvconsole=$(meson_multilib)
615 + )
616 +
617 + if multilib_is_native_abi && use idn; then
618 + myconf+=(
619 + -Dlibidn2=$(usex libidn2 true false)
620 + -Dlibidn=$(usex libidn2 false true)
621 + )
622 + else
623 + myconf+=(
624 + -Dlibidn2=false
625 + -Dlibidn=false
626 + )
627 + fi
628 +
629 + meson_src_configure "${myconf[@]}"
630 +}
631 +
632 +multilib_src_compile() {
633 + eninja
634 +}
635 +
636 +multilib_src_test() {
637 + unset DBUS_SESSION_BUS_ADDRESS XDG_RUNTIME_DIR
638 + eninja test
639 +}
640 +
641 +multilib_src_install() {
642 + DESTDIR="${D}" eninja install
643 +}
644 +
645 +multilib_src_install_all() {
646 + local rootprefix=$(usex split-usr '' /usr)
647 +
648 + # meson doesn't know about docdir
649 + mv "${ED}"/usr/share/doc/{systemd,${PF}} || die
650 +
651 + einstalldocs
652 + dodoc "${FILESDIR}"/nsswitch.conf
653 +
654 + if ! use resolvconf; then
655 + rm -f "${ED}${rootprefix}"/sbin/resolvconf || die
656 + fi
657 +
658 + if ! use sysv-utils; then
659 + rm "${ED}${rootprefix}"/sbin/{halt,init,poweroff,reboot,runlevel,shutdown,telinit} || die
660 + rm "${ED}"/usr/share/man/man1/init.1 || die
661 + rm "${ED}"/usr/share/man/man8/{halt,poweroff,reboot,runlevel,shutdown,telinit}.8 || die
662 + fi
663 +
664 + if ! use resolvconf && ! use sysv-utils; then
665 + rmdir "${ED}${rootprefix}"/sbin || die
666 + fi
667 +
668 + # Preserve empty dirs in /etc & /var, bug #437008
669 + keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d}
670 + keepdir /etc/systemd/{ntp-units.d,user} /var/lib/systemd
671 + keepdir /etc/udev/{hwdb.d,rules.d}
672 + keepdir /var/log/journal/remote
673 +
674 + # Symlink /etc/sysctl.conf for easy migration.
675 + dosym ../sysctl.conf /etc/sysctl.d/99-sysctl.conf
676 +
677 + # If we install these symlinks, there is no way for the sysadmin to remove them
678 + # permanently.
679 + rm -f "${ED}"/etc/systemd/system/multi-user.target.wants/systemd-networkd.service || die
680 + rm -f "${ED}"/etc/systemd/system/dbus-org.freedesktop.network1.service || die
681 + rm -f "${ED}"/etc/systemd/system/multi-user.target.wants/systemd-resolved.service || die
682 + rm -f "${ED}"/etc/systemd/system/dbus-org.freedesktop.resolve1.service || die
683 + rm -fr "${ED}"/etc/systemd/system/network-online.target.wants || die
684 + rm -fr "${ED}"/etc/systemd/system/sockets.target.wants || die
685 + rm -fr "${ED}"/etc/systemd/system/sysinit.target.wants || die
686 +
687 + local udevdir=/lib/udev
688 + use split-usr || udevdir=/usr/lib/udev
689 +
690 + rm -r "${ED}${udevdir}/hwdb.d" || die
691 +
692 + if use split-usr; then
693 + # Avoid breaking boot/reboot
694 + dosym ../../../lib/systemd/systemd /usr/lib/systemd/systemd
695 + dosym ../../../lib/systemd/systemd-shutdown /usr/lib/systemd/systemd-shutdown
696 + fi
697 +}
698 +
699 +migrate_locale() {
700 + local envd_locale_def="${EROOT}/etc/env.d/02locale"
701 + local envd_locale=( "${EROOT}"/etc/env.d/??locale )
702 + local locale_conf="${EROOT}/etc/locale.conf"
703 +
704 + if [[ ! -L ${locale_conf} && ! -e ${locale_conf} ]]; then
705 + # If locale.conf does not exist...
706 + if [[ -e ${envd_locale} ]]; then
707 + # ...either copy env.d/??locale if there's one
708 + ebegin "Moving ${envd_locale} to ${locale_conf}"
709 + mv "${envd_locale}" "${locale_conf}"
710 + eend ${?} || FAIL=1
711 + else
712 + # ...or create a dummy default
713 + ebegin "Creating ${locale_conf}"
714 + cat > "${locale_conf}" <<-EOF
715 + # This file has been created by the sys-apps/systemd ebuild.
716 + # See locale.conf(5) and localectl(1).
717 +
718 + # LANG=${LANG}
719 + EOF
720 + eend ${?} || FAIL=1
721 + fi
722 + fi
723 +
724 + if [[ ! -L ${envd_locale} ]]; then
725 + # now, if env.d/??locale is not a symlink (to locale.conf)...
726 + if [[ -e ${envd_locale} ]]; then
727 + # ...warn the user that he has duplicate locale settings
728 + ewarn
729 + ewarn "To ensure consistent behavior, you should replace ${envd_locale}"
730 + ewarn "with a symlink to ${locale_conf}. Please migrate your settings"
731 + ewarn "and create the symlink with the following command:"
732 + ewarn "ln -s -n -f ../locale.conf ${envd_locale}"
733 + ewarn
734 + else
735 + # ...or just create the symlink if there's nothing here
736 + ebegin "Creating ${envd_locale_def} -> ../locale.conf symlink"
737 + ln -n -s ../locale.conf "${envd_locale_def}"
738 + eend ${?} || FAIL=1
739 + fi
740 + fi
741 +}
742 +
743 +pkg_postinst() {
744 + newusergroup() {
745 + enewgroup "$1"
746 + enewuser "$1" -1 -1 -1 "$1"
747 + }
748 +
749 + enewgroup input
750 + enewgroup kvm 78
751 + enewgroup render
752 + enewgroup systemd-journal
753 + newusergroup systemd-bus-proxy
754 + newusergroup systemd-coredump
755 + newusergroup systemd-journal-gateway
756 + newusergroup systemd-journal-remote
757 + newusergroup systemd-journal-upload
758 + newusergroup systemd-network
759 + newusergroup systemd-resolve
760 + newusergroup systemd-timesync
761 +
762 + systemd_update_catalog
763 +
764 + # Keep this here in case the database format changes so it gets updated
765 + # when required. Despite that this file is owned by sys-apps/hwids.
766 + if has_version "sys-apps/hwids[udev]"; then
767 + udevadm hwdb --update --root="${EROOT}"
768 + fi
769 +
770 + udev_reload || FAIL=1
771 +
772 + # Bug 465468, make sure locales are respect, and ensure consistency
773 + # between OpenRC & systemd
774 + migrate_locale
775 +
776 + systemd_reenable systemd-networkd.service systemd-resolved.service
777 +
778 + if [[ -z ${ROOT} && -d /run/systemd/system ]]; then
779 + ebegin "Reexecuting system manager"
780 + systemctl daemon-reexec
781 + eend $?
782 + fi
783 +
784 + if [[ ${FAIL} ]]; then
785 + eerror "One of the postinst commands failed. Please check the postinst output"
786 + eerror "for errors. You may need to clean up your system and/or try installing"
787 + eerror "systemd again."
788 + eerror
789 + fi
790 +}
791 +
792 +pkg_prerm() {
793 + # If removing systemd completely, remove the catalog database.
794 + if [[ ! ${REPLACED_BY_VERSION} ]]; then
795 + rm -f -v "${EROOT}"/var/lib/systemd/catalog/database
796 + fi
797 +}