commit: c0e6ffa5671fad0b3830348ff960b8ec4e3d2f27 |
Author: Mike Gilbert <floppym <AT> gentoo <DOT> org> |
AuthorDate: Sun Feb 17 18:31:37 2019 +0000 |
Commit: Mike Gilbert <floppym <AT> gentoo <DOT> org> |
CommitDate: Mon Feb 18 23:31:56 2019 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c0e6ffa5 |
|
sys-apps/systemd: backport patches for CVE-2019-6454 |
|
Bug: https://bugs.gentoo.org/677944 |
Package-Manager: Portage-2.3.59_p2, Repoman-2.3.12_p67 |
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org> |
|
...-message-paths-longer-than-BUS_PATH_SIZE_.patch | 48 +++ |
...mporary-strings-to-hold-dbus-paths-on-the.patch | 188 +++++++++ |
...e-receive-an-invalid-dbus-message-ignore-.patch | 54 +++ |
sys-apps/systemd/systemd-241-r1.ebuild | 461 +++++++++++++++++++++ |
4 files changed, 751 insertions(+) |
|
diff --git a/sys-apps/systemd/files/CVE-2019-6454/0001-Refuse-dbus-message-paths-longer-than-BUS_PATH_SIZE_.patch b/sys-apps/systemd/files/CVE-2019-6454/0001-Refuse-dbus-message-paths-longer-than-BUS_PATH_SIZE_.patch |
21 |
new file mode 100644 |
22 |
index 00000000000..6a0c8d1b0c5 |
23 |
--- /dev/null |
24 |
+++ b/sys-apps/systemd/files/CVE-2019-6454/0001-Refuse-dbus-message-paths-longer-than-BUS_PATH_SIZE_.patch |
25 |
@@ -0,0 +1,48 @@ |
26 |
+From 29de632674473729d1e9497b6fe47e7c88682ed9 Mon Sep 17 00:00:00 2001 |
27 |
+From: Riccardo Schirone <rschiron@××××××.com> |
28 |
+Date: Mon, 4 Feb 2019 14:29:09 +0100 |
29 |
+Subject: [PATCH 1/3] Refuse dbus message paths longer than BUS_PATH_SIZE_MAX |
30 |
+ limit. |
31 |
+ |
32 |
+Even though the dbus specification does not enforce any length limit on the |
33 |
+path of a dbus message, having to analyze too long strings in PID1 may be |
34 |
+time-consuming and it may have security impacts. |
35 |
+ |
36 |
+In any case, the limit is set so high that real-life applications should not |
37 |
+have a problem with it. |
38 |
+--- |
39 |
+ src/libsystemd/sd-bus/bus-internal.c | 2 +- |
40 |
+ src/libsystemd/sd-bus/bus-internal.h | 4 ++++ |
41 |
+ 2 files changed, 5 insertions(+), 1 deletion(-) |
42 |
+ |
43 |
+diff --git a/src/libsystemd/sd-bus/bus-internal.c b/src/libsystemd/sd-bus/bus-internal.c |
44 |
+index 40acae2133..598b7f110c 100644 |
45 |
+--- a/src/libsystemd/sd-bus/bus-internal.c |
46 |
++++ b/src/libsystemd/sd-bus/bus-internal.c |
47 |
+@@ -43,7 +43,7 @@ bool object_path_is_valid(const char *p) { |
48 |
+ if (slash) |
49 |
+ return false; |
50 |
+ |
51 |
+- return true; |
52 |
++ return (q - p) <= BUS_PATH_SIZE_MAX; |
53 |
+ } |
54 |
+ |
55 |
+ char* object_path_startswith(const char *a, const char *b) { |
56 |
+diff --git a/src/libsystemd/sd-bus/bus-internal.h b/src/libsystemd/sd-bus/bus-internal.h |
57 |
+index f208b294d8..a8d61bf72a 100644 |
58 |
+--- a/src/libsystemd/sd-bus/bus-internal.h |
59 |
++++ b/src/libsystemd/sd-bus/bus-internal.h |
60 |
+@@ -332,6 +332,10 @@ struct sd_bus { |
61 |
+ |
62 |
+ #define BUS_MESSAGE_SIZE_MAX (128*1024*1024) |
63 |
+ #define BUS_AUTH_SIZE_MAX (64*1024) |
64 |
++/* Note that the D-Bus specification states that bus paths shall have no size limit. We enforce here one |
65 |
++ * anyway, since truly unbounded strings are a security problem. The limit we pick is relatively large however, |
66 |
++ * to not clash unnecessarily with real-life applications. */ |
67 |
++#define BUS_PATH_SIZE_MAX (64*1024) |
68 |
+ |
69 |
+ #define BUS_CONTAINER_DEPTH 128 |
70 |
+ |
71 |
+-- |
72 |
+2.20.1 |
73 |
+ |
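Review bot: The new BUS_PATH_SIZE_MAX comment in bus-internal.h does not say whether the 64K figure bounds a string length or a buffer size, yet the check in object_path_is_valid applies it as a character count (`q - p`, excluding the terminating NUL) with `<=`, so a path of exactly 65536 characters is accepted and any caller sizing a buffer for a validated path needs BUS_PATH_SIZE_MAX + 1 bytes. I'd extend the macro comment with `/* Maximum object path length in characters, excluding the terminating NUL; a validated path may be exactly this long. */`. Separately, the check sits at the very end of object_path_is_valid, after the whole string has been walked, so the "time-consuming" scan the commit message worries about still happens for an oversized path before it is rejected; a bounded early exit such as `if (strnlen(p, BUS_PATH_SIZE_MAX + 1) > BUS_PATH_SIZE_MAX) return false;` at the top of the function would cap that work at 64K, though the function's head is outside this hunk so I can't see what validation already precedes it.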
74 |
|
75 |
diff --git a/sys-apps/systemd/files/CVE-2019-6454/0002-Allocate-temporary-strings-to-hold-dbus-paths-on-the.patch b/sys-apps/systemd/files/CVE-2019-6454/0002-Allocate-temporary-strings-to-hold-dbus-paths-on-the.patch |
76 |
new file mode 100644 |
77 |
index 00000000000..bbc6db974d4 |
78 |
--- /dev/null |
79 |
+++ b/sys-apps/systemd/files/CVE-2019-6454/0002-Allocate-temporary-strings-to-hold-dbus-paths-on-the.patch |
80 |
@@ -0,0 +1,188 @@ |
81 |
+From 1ffe59592c5cbf924eb81a3662b4252ba6de7132 Mon Sep 17 00:00:00 2001 |
82 |
+From: Riccardo Schirone <rschiron@××××××.com> |
83 |
+Date: Mon, 4 Feb 2019 14:29:28 +0100 |
84 |
+Subject: [PATCH 2/3] Allocate temporary strings to hold dbus paths on the heap |
85 |
+ |
86 |
+Paths are limited to BUS_PATH_SIZE_MAX but the maximum size is anyway too big |
87 |
+to be allocated on the stack, so let's switch to the heap where there is a |
88 |
+clear way to understand if the allocation fails. |
89 |
+--- |
90 |
+ src/libsystemd/sd-bus/bus-objects.c | 68 +++++++++++++++++++++++------ |
91 |
+ 1 file changed, 54 insertions(+), 14 deletions(-) |
92 |
+ |
93 |
+diff --git a/src/libsystemd/sd-bus/bus-objects.c b/src/libsystemd/sd-bus/bus-objects.c |
94 |
+index 58329f3fe7..54b977418e 100644 |
95 |
+--- a/src/libsystemd/sd-bus/bus-objects.c |
96 |
++++ b/src/libsystemd/sd-bus/bus-objects.c |
97 |
+@@ -1133,7 +1133,8 @@ static int object_manager_serialize_path_and_fallbacks( |
98 |
+ const char *path, |
99 |
+ sd_bus_error *error) { |
100 |
+ |
101 |
+- char *prefix; |
102 |
++ _cleanup_free_ char *prefix = NULL; |
103 |
++ size_t pl; |
104 |
+ int r; |
105 |
+ |
106 |
+ assert(bus); |
107 |
+@@ -1149,7 +1150,12 @@ static int object_manager_serialize_path_and_fallbacks( |
108 |
+ return 0; |
109 |
+ |
110 |
+ /* Second, add fallback vtables registered for any of the prefixes */ |
111 |
+- prefix = newa(char, strlen(path) + 1); |
112 |
++ pl = strlen(path); |
113 |
++ assert(pl <= BUS_PATH_SIZE_MAX); |
114 |
++ prefix = new(char, pl + 1); |
115 |
++ if (!prefix) |
116 |
++ return -ENOMEM; |
117 |
++ |
118 |
+ OBJECT_PATH_FOREACH_PREFIX(prefix, path) { |
119 |
+ r = object_manager_serialize_path(bus, reply, prefix, path, true, error); |
120 |
+ if (r < 0) |
121 |
+@@ -1345,6 +1351,7 @@ static int object_find_and_run( |
122 |
+ } |
123 |
+ |
124 |
+ int bus_process_object(sd_bus *bus, sd_bus_message *m) { |
125 |
++ _cleanup_free_ char *prefix = NULL; |
126 |
+ int r; |
127 |
+ size_t pl; |
128 |
+ bool found_object = false; |
129 |
+@@ -1369,9 +1376,12 @@ int bus_process_object(sd_bus *bus, sd_bus_message *m) { |
130 |
+ assert(m->member); |
131 |
+ |
132 |
+ pl = strlen(m->path); |
133 |
+- do { |
134 |
+- char prefix[pl+1]; |
135 |
++ assert(pl <= BUS_PATH_SIZE_MAX); |
136 |
++ prefix = new(char, pl + 1); |
137 |
++ if (!prefix) |
138 |
++ return -ENOMEM; |
139 |
+ |
140 |
++ do { |
141 |
+ bus->nodes_modified = false; |
142 |
+ |
143 |
+ r = object_find_and_run(bus, m, m->path, false, &found_object); |
144 |
+@@ -1498,9 +1508,15 @@ static int bus_find_parent_object_manager(sd_bus *bus, struct node **out, const |
145 |
+ |
146 |
+ n = hashmap_get(bus->nodes, path); |
147 |
+ if (!n) { |
148 |
+- char *prefix; |
149 |
++ _cleanup_free_ char *prefix = NULL; |
150 |
++ size_t pl; |
151 |
++ |
152 |
++ pl = strlen(path); |
153 |
++ assert(pl <= BUS_PATH_SIZE_MAX); |
154 |
++ prefix = new(char, pl + 1); |
155 |
++ if (!prefix) |
156 |
++ return -ENOMEM; |
157 |
+ |
158 |
+- prefix = newa(char, strlen(path) + 1); |
159 |
+ OBJECT_PATH_FOREACH_PREFIX(prefix, path) { |
160 |
+ n = hashmap_get(bus->nodes, prefix); |
161 |
+ if (n) |
162 |
+@@ -2083,8 +2099,9 @@ _public_ int sd_bus_emit_properties_changed_strv( |
163 |
+ const char *interface, |
164 |
+ char **names) { |
165 |
+ |
166 |
++ _cleanup_free_ char *prefix = NULL; |
167 |
+ bool found_interface = false; |
168 |
+- char *prefix; |
169 |
++ size_t pl; |
170 |
+ int r; |
171 |
+ |
172 |
+ assert_return(bus, -EINVAL); |
173 |
+@@ -2105,6 +2122,12 @@ _public_ int sd_bus_emit_properties_changed_strv( |
174 |
+ |
175 |
+ BUS_DONT_DESTROY(bus); |
176 |
+ |
177 |
++ pl = strlen(path); |
178 |
++ assert(pl <= BUS_PATH_SIZE_MAX); |
179 |
++ prefix = new(char, pl + 1); |
180 |
++ if (!prefix) |
181 |
++ return -ENOMEM; |
182 |
++ |
183 |
+ do { |
184 |
+ bus->nodes_modified = false; |
185 |
+ |
186 |
+@@ -2114,7 +2137,6 @@ _public_ int sd_bus_emit_properties_changed_strv( |
187 |
+ if (bus->nodes_modified) |
188 |
+ continue; |
189 |
+ |
190 |
+- prefix = newa(char, strlen(path) + 1); |
191 |
+ OBJECT_PATH_FOREACH_PREFIX(prefix, path) { |
192 |
+ r = emit_properties_changed_on_interface(bus, prefix, path, interface, true, &found_interface, names); |
193 |
+ if (r != 0) |
194 |
+@@ -2246,7 +2268,8 @@ static int object_added_append_all_prefix( |
195 |
+ |
196 |
+ static int object_added_append_all(sd_bus *bus, sd_bus_message *m, const char *path) { |
197 |
+ _cleanup_set_free_ Set *s = NULL; |
198 |
+- char *prefix; |
199 |
++ _cleanup_free_ char *prefix = NULL; |
200 |
++ size_t pl; |
201 |
+ int r; |
202 |
+ |
203 |
+ assert(bus); |
204 |
+@@ -2291,7 +2314,12 @@ static int object_added_append_all(sd_bus *bus, sd_bus_message *m, const char *p |
205 |
+ if (bus->nodes_modified) |
206 |
+ return 0; |
207 |
+ |
208 |
+- prefix = newa(char, strlen(path) + 1); |
209 |
++ pl = strlen(path); |
210 |
++ assert(pl <= BUS_PATH_SIZE_MAX); |
211 |
++ prefix = new(char, pl + 1); |
212 |
++ if (!prefix) |
213 |
++ return -ENOMEM; |
214 |
++ |
215 |
+ OBJECT_PATH_FOREACH_PREFIX(prefix, path) { |
216 |
+ r = object_added_append_all_prefix(bus, m, s, prefix, path, true); |
217 |
+ if (r < 0) |
218 |
+@@ -2430,7 +2458,8 @@ static int object_removed_append_all_prefix( |
219 |
+ |
220 |
+ static int object_removed_append_all(sd_bus *bus, sd_bus_message *m, const char *path) { |
221 |
+ _cleanup_set_free_ Set *s = NULL; |
222 |
+- char *prefix; |
223 |
++ _cleanup_free_ char *prefix = NULL; |
224 |
++ size_t pl; |
225 |
+ int r; |
226 |
+ |
227 |
+ assert(bus); |
228 |
+@@ -2462,7 +2491,12 @@ static int object_removed_append_all(sd_bus *bus, sd_bus_message *m, const char |
229 |
+ if (bus->nodes_modified) |
230 |
+ return 0; |
231 |
+ |
232 |
+- prefix = newa(char, strlen(path) + 1); |
233 |
++ pl = strlen(path); |
234 |
++ assert(pl <= BUS_PATH_SIZE_MAX); |
235 |
++ prefix = new(char, pl + 1); |
236 |
++ if (!prefix) |
237 |
++ return -ENOMEM; |
238 |
++ |
239 |
+ OBJECT_PATH_FOREACH_PREFIX(prefix, path) { |
240 |
+ r = object_removed_append_all_prefix(bus, m, s, prefix, path, true); |
241 |
+ if (r < 0) |
242 |
+@@ -2612,7 +2646,8 @@ static int interfaces_added_append_one( |
243 |
+ const char *path, |
244 |
+ const char *interface) { |
245 |
+ |
246 |
+- char *prefix; |
247 |
++ _cleanup_free_ char *prefix = NULL; |
248 |
++ size_t pl; |
249 |
+ int r; |
250 |
+ |
251 |
+ assert(bus); |
252 |
+@@ -2626,7 +2661,12 @@ static int interfaces_added_append_one( |
253 |
+ if (bus->nodes_modified) |
254 |
+ return 0; |
255 |
+ |
256 |
+- prefix = newa(char, strlen(path) + 1); |
257 |
++ pl = strlen(path); |
258 |
++ assert(pl <= BUS_PATH_SIZE_MAX); |
259 |
++ prefix = new(char, pl + 1); |
260 |
++ if (!prefix) |
261 |
++ return -ENOMEM; |
262 |
++ |
263 |
+ OBJECT_PATH_FOREACH_PREFIX(prefix, path) { |
264 |
+ r = interfaces_added_append_one_prefix(bus, m, prefix, path, interface, true); |
265 |
+ if (r != 0) |
266 |
+-- |
267 |
+2.20.1 |
268 |
+ |
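Review bot: Each new `assert(pl <= BUS_PATH_SIZE_MAX)` aborts the process instead of failing the call, and in PID1 an abort on a path value is a denial of service, so the bound must be established before these lines are reached; for bus_process_object that is plausibly message parsing having already rejected overlong paths, but sd_bus_emit_properties_changed_strv is public API whose `path` is caller-supplied, and unless an `assert_return(object_path_is_valid(path), -EINVAL)` sits above the hunk (the function's head is cut off here) it should use `assert_return(pl <= BUS_PATH_SIZE_MAX, -EINVAL);` to match the error style of the assert_return(bus, -EINVAL) visible at the top of that function. Since the asserts silently depend on validation done in another file, a one-line comment at each would help the next reader, e.g. `/* Bounded by object_path_is_valid(), enforced when the path was validated. */`. The bodies of all six functions start or end outside the hunk.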
269 |
|
270 |
diff --git a/sys-apps/systemd/files/CVE-2019-6454/0003-sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch b/sys-apps/systemd/files/CVE-2019-6454/0003-sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch |
271 |
new file mode 100644 |
272 |
index 00000000000..cc03893a588 |
273 |
--- /dev/null |
274 |
+++ b/sys-apps/systemd/files/CVE-2019-6454/0003-sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch |
275 |
@@ -0,0 +1,54 @@ |
276 |
+From 8d3cea620ab661897fb485ece7332a9073c1783d Mon Sep 17 00:00:00 2001 |
277 |
+From: Lennart Poettering <lennart@××××××××××.net> |
278 |
+Date: Wed, 13 Feb 2019 16:51:22 +0100 |
279 |
+Subject: [PATCH 3/3] sd-bus: if we receive an invalid dbus message, ignore and |
280 |
+ proceeed |
281 |
+ |
282 |
+dbus-daemon might have a slightly different idea of what a valid msg is |
283 |
+than us (for example regarding valid msg and field sizes). Let's hence |
284 |
+try to proceed if we can and thus drop messages rather than fail the |
285 |
+connection if we fail to validate a message. |
286 |
+ |
287 |
+Hopefully the differences in what is considered valid are not visible |
288 |
+for real-life usecases, but are specific to exploit attempts only. |
289 |
+--- |
290 |
+ src/libsystemd/sd-bus/bus-socket.c | 9 ++++++--- |
291 |
+ 1 file changed, 6 insertions(+), 3 deletions(-) |
292 |
+ |
293 |
+diff --git a/src/libsystemd/sd-bus/bus-socket.c b/src/libsystemd/sd-bus/bus-socket.c |
294 |
+index 30d6455b6f..441b4a816f 100644 |
295 |
+--- a/src/libsystemd/sd-bus/bus-socket.c |
296 |
++++ b/src/libsystemd/sd-bus/bus-socket.c |
297 |
+@@ -1072,7 +1072,7 @@ static int bus_socket_read_message_need(sd_bus *bus, size_t *need) { |
298 |
+ } |
299 |
+ |
300 |
+ static int bus_socket_make_message(sd_bus *bus, size_t size) { |
301 |
+- sd_bus_message *t; |
302 |
++ sd_bus_message *t = NULL; |
303 |
+ void *b; |
304 |
+ int r; |
305 |
+ |
306 |
+@@ -1097,7 +1097,9 @@ static int bus_socket_make_message(sd_bus *bus, size_t size) { |
307 |
+ bus->fds, bus->n_fds, |
308 |
+ NULL, |
309 |
+ &t); |
310 |
+- if (r < 0) { |
311 |
++ if (r == -EBADMSG) |
312 |
++ log_debug_errno(r, "Received invalid message from connection %s, dropping.", strna(bus->description)); |
313 |
++ else if (r < 0) { |
314 |
+ free(b); |
315 |
+ return r; |
316 |
+ } |
317 |
+@@ -1108,7 +1110,8 @@ static int bus_socket_make_message(sd_bus *bus, size_t size) { |
318 |
+ bus->fds = NULL; |
319 |
+ bus->n_fds = 0; |
320 |
+ |
321 |
+- bus->rqueue[bus->rqueue_size++] = t; |
322 |
++ if (t) |
323 |
++ bus->rqueue[bus->rqueue_size++] = t; |
324 |
+ |
325 |
+ return 1; |
326 |
+ } |
327 |
+-- |
328 |
+2.20.1 |
329 |
+ |
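Review bot: On the new -EBADMSG branch nothing releases the rejected message: after the log line bus_socket_make_message falls through to `bus->fds = NULL; bus->n_fds = 0;` (and presumably the `bus->rbuffer = b` assignment between the two hunks), so unless bus_message_from_malloc() itself frees the buffer and closes the fds on failure, which is not visible here, every dropped message leaks its bytes and any passed file descriptors. Because malformed messages are peer-controlled, that would be a remotely triggerable memory and fd leak in PID1 introduced by the very change meant to make invalid messages harmless. I'd add the cleanup to the branch, after the log_debug_errno: `free(bus->rbuffer);`, `close_many(bus->fds, bus->n_fds);` and `free(bus->fds);`, with a comment that ownership was never transferred to a message, and verify against bus_message_from_malloc() that this does not double-free. The function's head is outside the hunk.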
330 |
|
331 |
diff --git a/sys-apps/systemd/systemd-241-r1.ebuild b/sys-apps/systemd/systemd-241-r1.ebuild |
332 |
new file mode 100644 |
333 |
index 00000000000..47f33c6fcff |
334 |
--- /dev/null |
335 |
+++ b/sys-apps/systemd/systemd-241-r1.ebuild |
336 |
@@ -0,0 +1,461 @@ |
337 |
+# Copyright 2011-2019 Gentoo Authors |
338 |
+# Distributed under the terms of the GNU General Public License v2 |
339 |
+ |
340 |
+EAPI=7 |
341 |
+ |
342 |
+if [[ ${PV} == 9999 ]]; then |
343 |
+ EGIT_REPO_URI="https://github.com/systemd/systemd.git" |
344 |
+ inherit git-r3 |
345 |
+else |
346 |
+ MY_PV=${PV/_/-} |
347 |
+ MY_P=${PN}-${MY_PV} |
348 |
+ S=${WORKDIR}/${MY_P} |
349 |
+ SRC_URI="https://github.com/systemd/systemd/archive/v${MY_PV}/${MY_P}.tar.gz" |
350 |
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86" |
351 |
+fi |
352 |
+ |
353 |
+PYTHON_COMPAT=( python{3_5,3_6,3_7} ) |
354 |
+ |
355 |
+inherit bash-completion-r1 linux-info meson multilib-minimal ninja-utils pam python-any-r1 systemd toolchain-funcs udev user |
356 |
+ |
357 |
+DESCRIPTION="System and service manager for Linux" |
358 |
+HOMEPAGE="https://www.freedesktop.org/wiki/Software/systemd" |
359 |
+ |
360 |
+LICENSE="GPL-2 LGPL-2.1 MIT public-domain" |
361 |
+SLOT="0/2" |
362 |
+IUSE="acl apparmor audit build cryptsetup curl elfutils +gcrypt gnuefi http idn importd +kmod libidn2 +lz4 lzma nat pam pcre policykit qrcode +resolvconf +seccomp selinux +split-usr ssl +sysv-utils test vanilla xkb" |
363 |
+ |
364 |
+REQUIRED_USE="importd? ( curl gcrypt lzma )" |
365 |
+RESTRICT="!test? ( test )" |
366 |
+ |
367 |
+MINKV="3.11" |
368 |
+ |
369 |
+COMMON_DEPEND=">=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}] |
370 |
+ sys-libs/libcap:0=[${MULTILIB_USEDEP}] |
371 |
+ !<sys-libs/glibc-2.16 |
372 |
+ acl? ( sys-apps/acl:0= ) |
373 |
+ apparmor? ( sys-libs/libapparmor:0= ) |
374 |
+ audit? ( >=sys-process/audit-2:0= ) |
375 |
+ cryptsetup? ( >=sys-fs/cryptsetup-1.6:0= ) |
376 |
+ curl? ( net-misc/curl:0= ) |
377 |
+ elfutils? ( >=dev-libs/elfutils-0.158:0= ) |
378 |
+ gcrypt? ( >=dev-libs/libgcrypt-1.4.5:0=[${MULTILIB_USEDEP}] ) |
379 |
+ http? ( |
380 |
+ >=net-libs/libmicrohttpd-0.9.33:0= |
381 |
+ ssl? ( >=net-libs/gnutls-3.1.4:0= ) |
382 |
+ ) |
383 |
+ idn? ( |
384 |
+ libidn2? ( net-dns/libidn2:= ) |
385 |
+ !libidn2? ( net-dns/libidn:= ) |
386 |
+ ) |
387 |
+ importd? ( |
388 |
+ app-arch/bzip2:0= |
389 |
+ sys-libs/zlib:0= |
390 |
+ ) |
391 |
+ kmod? ( >=sys-apps/kmod-15:0= ) |
392 |
+ lz4? ( >=app-arch/lz4-0_p131:0=[${MULTILIB_USEDEP}] ) |
393 |
+ lzma? ( >=app-arch/xz-utils-5.0.5-r1:0=[${MULTILIB_USEDEP}] ) |
394 |
+ nat? ( net-firewall/iptables:0= ) |
395 |
+ pam? ( virtual/pam:=[${MULTILIB_USEDEP}] ) |
396 |
+ pcre? ( dev-libs/libpcre2 ) |
397 |
+ qrcode? ( media-gfx/qrencode:0= ) |
398 |
+ seccomp? ( >=sys-libs/libseccomp-2.3.3:0= ) |
399 |
+ selinux? ( sys-libs/libselinux:0= ) |
400 |
+ xkb? ( >=x11-libs/libxkbcommon-0.4.1:0= )" |
401 |
+ |
402 |
+# baselayout-2.2 has /run |
403 |
+RDEPEND="${COMMON_DEPEND} |
404 |
+ >=sys-apps/baselayout-2.2 |
405 |
+ selinux? ( sec-policy/selinux-base-policy[systemd] ) |
406 |
+ sysv-utils? ( !sys-apps/sysvinit ) |
407 |
+ !sysv-utils? ( sys-apps/sysvinit ) |
408 |
+ resolvconf? ( !net-dns/openresolv ) |
409 |
+ !build? ( || ( |
410 |
+ sys-apps/util-linux[kill(-)] |
411 |
+ sys-process/procps[kill(+)] |
412 |
+ sys-apps/coreutils[kill(-)] |
413 |
+ ) ) |
414 |
+ !sys-auth/nss-myhostname |
415 |
+ !<sys-kernel/dracut-044 |
416 |
+ !sys-fs/eudev |
417 |
+ !sys-fs/udev" |
418 |
+ |
419 |
+# sys-apps/dbus: the daemon only (+ build-time lib dep for tests) |
420 |
+PDEPEND=">=sys-apps/dbus-1.9.8[systemd] |
421 |
+ >=sys-apps/hwids-20150417[udev] |
422 |
+ >=sys-fs/udev-init-scripts-25 |
423 |
+ policykit? ( sys-auth/polkit ) |
424 |
+ !vanilla? ( sys-apps/gentoo-systemd-integration )" |
425 |
+ |
426 |
+# Newer linux-headers needed by ia64, bug #480218 |
427 |
+DEPEND=" |
428 |
+ >=sys-kernel/linux-headers-${MINKV} |
429 |
+ gnuefi? ( >=sys-boot/gnu-efi-3.0.2 ) |
430 |
+" |
431 |
+ |
432 |
+BDEPEND=" |
433 |
+ app-arch/xz-utils:0 |
434 |
+ dev-util/gperf |
435 |
+ >=dev-util/meson-0.46 |
436 |
+ >=dev-util/intltool-0.50 |
437 |
+ >=sys-apps/coreutils-8.16 |
438 |
+ virtual/pkgconfig[${MULTILIB_USEDEP}] |
439 |
+ test? ( sys-apps/dbus ) |
440 |
+ app-text/docbook-xml-dtd:4.2 |
441 |
+ app-text/docbook-xml-dtd:4.5 |
442 |
+ app-text/docbook-xsl-stylesheets |
443 |
+ dev-libs/libxslt:0 |
444 |
+ $(python_gen_any_dep 'dev-python/lxml[${PYTHON_USEDEP}]') |
445 |
+" |
446 |
+ |
447 |
+pkg_pretend() { |
448 |
+ if [[ ${MERGE_TYPE} != buildonly ]]; then |
449 |
+ local CONFIG_CHECK="~AUTOFS4_FS ~BLK_DEV_BSG ~CGROUPS |
450 |
+ ~CHECKPOINT_RESTORE ~DEVTMPFS ~EPOLL ~FANOTIFY ~FHANDLE |
451 |
+ ~INOTIFY_USER ~IPV6 ~NET ~NET_NS ~PROC_FS ~SIGNALFD ~SYSFS |
452 |
+ ~TIMERFD ~TMPFS_XATTR ~UNIX |
453 |
+ ~CRYPTO_HMAC ~CRYPTO_SHA256 ~CRYPTO_USER_API_HASH |
454 |
+ ~!FW_LOADER_USER_HELPER_FALLBACK ~!GRKERNSEC_PROC ~!IDE ~!SYSFS_DEPRECATED |
455 |
+ ~!SYSFS_DEPRECATED_V2" |
456 |
+ |
457 |
+ use acl && CONFIG_CHECK+=" ~TMPFS_POSIX_ACL" |
458 |
+ use seccomp && CONFIG_CHECK+=" ~SECCOMP ~SECCOMP_FILTER" |
459 |
+ kernel_is -lt 3 7 && CONFIG_CHECK+=" ~HOTPLUG" |
460 |
+ kernel_is -lt 4 7 && CONFIG_CHECK+=" ~DEVPTS_MULTIPLE_INSTANCES" |
461 |
+ kernel_is -ge 4 10 && CONFIG_CHECK+=" ~CGROUP_BPF" |
462 |
+ |
463 |
+ if linux_config_exists; then |
464 |
+ local uevent_helper_path=$(linux_chkconfig_string UEVENT_HELPER_PATH) |
465 |
+ if [[ -n ${uevent_helper_path} ]] && [[ ${uevent_helper_path} != '""' ]]; then |
466 |
+ ewarn "It's recommended to set an empty value to the following kernel config option:" |
467 |
+ ewarn "CONFIG_UEVENT_HELPER_PATH=${uevent_helper_path}" |
468 |
+ fi |
469 |
+ if linux_chkconfig_present X86; then |
470 |
+ CONFIG_CHECK+=" ~DMIID" |
471 |
+ fi |
472 |
+ fi |
473 |
+ |
474 |
+ if kernel_is -lt ${MINKV//./ }; then |
475 |
+ ewarn "Kernel version at least ${MINKV} required" |
476 |
+ fi |
477 |
+ |
478 |
+ check_extra_config |
479 |
+ fi |
480 |
+} |
481 |
+ |
482 |
+pkg_setup() { |
483 |
+ : |
484 |
+} |
485 |
+ |
486 |
+src_unpack() { |
487 |
+ default |
488 |
+ [[ ${PV} != 9999 ]] || git-r3_src_unpack |
489 |
+} |
490 |
+ |
491 |
+src_prepare() { |
492 |
+ # Do NOT add patches here |
493 |
+ local PATCHES=() |
494 |
+ |
495 |
+ [[ -d "${WORKDIR}"/patches ]] && PATCHES+=( "${WORKDIR}"/patches ) |
496 |
+ |
497 |
+ # Add local patches here |
498 |
+ PATCHES+=( |
499 |
+ "${FILESDIR}"/CVE-2019-6454/0001-Refuse-dbus-message-paths-longer-than-BUS_PATH_SIZE_.patch |
500 |
+ "${FILESDIR}"/CVE-2019-6454/0002-Allocate-temporary-strings-to-hold-dbus-paths-on-the.patch |
501 |
+ ) |
502 |
+ |
503 |
+ if ! use vanilla; then |
504 |
+ PATCHES+=( |
505 |
+ "${FILESDIR}/gentoo-Dont-enable-audit-by-default.patch" |
506 |
+ "${FILESDIR}/gentoo-systemd-user-pam.patch" |
507 |
+ "${FILESDIR}/gentoo-uucp-group-r1.patch" |
508 |
+ "${FILESDIR}/gentoo-generator-path-r1.patch" |
509 |
+ ) |
510 |
+ fi |
511 |
+ |
512 |
+ default |
513 |
+} |
514 |
+ |
515 |
+src_configure() { |
516 |
+ # Prevent conflicts with i686 cross toolchain, bug 559726 |
517 |
+ tc-export AR CC NM OBJCOPY RANLIB |
518 |
+ |
519 |
+ python_setup |
520 |
+ |
521 |
+ multilib-minimal_src_configure |
522 |
+} |
523 |
+ |
524 |
+meson_use() { |
525 |
+ usex "$1" true false |
526 |
+} |
527 |
+ |
528 |
+meson_multilib() { |
529 |
+ if multilib_is_native_abi; then |
530 |
+ echo true |
531 |
+ else |
532 |
+ echo false |
533 |
+ fi |
534 |
+} |
535 |
+ |
536 |
+meson_multilib_native_use() { |
537 |
+ if multilib_is_native_abi && use "$1"; then |
538 |
+ echo true |
539 |
+ else |
540 |
+ echo false |
541 |
+ fi |
542 |
+} |
543 |
+ |
544 |
+multilib_src_configure() { |
545 |
+ local myconf=( |
546 |
+ --localstatedir="${EPREFIX}/var" |
547 |
+ -Dpamlibdir="$(getpam_mod_dir)" |
548 |
+ # avoid bash-completion dep |
549 |
+ -Dbashcompletiondir="$(get_bashcompdir)" |
550 |
+ # make sure we get /bin:/sbin in PATH |
551 |
+ -Dsplit-usr=$(usex split-usr true false) |
552 |
+ -Drootprefix="$(usex split-usr "${EPREFIX:-/}" "${EPREFIX}/usr")" |
553 |
+ -Dsysvinit-path= |
554 |
+ -Dsysvrcnd-path= |
555 |
+ # Avoid infinite exec recursion, bug 642724 |
556 |
+ -Dtelinit-path="${EPREFIX}/lib/sysvinit/telinit" |
557 |
+ # no deps |
558 |
+ -Defi=$(meson_multilib) |
559 |
+ -Dima=true |
560 |
+ # Optional components/dependencies |
561 |
+ -Dacl=$(meson_multilib_native_use acl) |
562 |
+ -Dapparmor=$(meson_multilib_native_use apparmor) |
563 |
+ -Daudit=$(meson_multilib_native_use audit) |
564 |
+ -Dlibcryptsetup=$(meson_multilib_native_use cryptsetup) |
565 |
+ -Dlibcurl=$(meson_multilib_native_use curl) |
566 |
+ -Delfutils=$(meson_multilib_native_use elfutils) |
567 |
+ -Dgcrypt=$(meson_use gcrypt) |
568 |
+ -Dgnu-efi=$(meson_multilib_native_use gnuefi) |
569 |
+ -Defi-libdir="${EPREFIX}/usr/$(get_libdir)" |
570 |
+ -Dmicrohttpd=$(meson_multilib_native_use http) |
571 |
+ $(usex http -Dgnutls=$(meson_multilib_native_use ssl) -Dgnutls=false) |
572 |
+ -Dimportd=$(meson_multilib_native_use importd) |
573 |
+ -Dbzip2=$(meson_multilib_native_use importd) |
574 |
+ -Dzlib=$(meson_multilib_native_use importd) |
575 |
+ -Dkmod=$(meson_multilib_native_use kmod) |
576 |
+ -Dlz4=$(meson_use lz4) |
577 |
+ -Dxz=$(meson_use lzma) |
578 |
+ -Dlibiptc=$(meson_multilib_native_use nat) |
579 |
+ -Dpam=$(meson_use pam) |
580 |
+ -Dpcre2=$(meson_multilib_native_use pcre) |
581 |
+ -Dpolkit=$(meson_multilib_native_use policykit) |
582 |
+ -Dqrencode=$(meson_multilib_native_use qrcode) |
583 |
+ -Dseccomp=$(meson_multilib_native_use seccomp) |
584 |
+ -Dselinux=$(meson_multilib_native_use selinux) |
585 |
+ #-Dtests=$(meson_multilib_native_use test) |
586 |
+ -Ddbus=$(meson_multilib_native_use test) |
587 |
+ -Dxkbcommon=$(meson_multilib_native_use xkb) |
588 |
+ # hardcode a few paths to spare some deps |
589 |
+ -Dkill-path=/bin/kill |
590 |
+ -Dntp-servers="0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org 2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org" |
591 |
+ # Breaks screen, tmux, etc. |
592 |
+ -Ddefault-kill-user-processes=false |
593 |
+ |
594 |
+ # multilib options |
595 |
+ -Dbacklight=$(meson_multilib) |
596 |
+ -Dbinfmt=$(meson_multilib) |
597 |
+ -Dcoredump=$(meson_multilib) |
598 |
+ -Denvironment-d=$(meson_multilib) |
599 |
+ -Dfirstboot=$(meson_multilib) |
600 |
+ -Dhibernate=$(meson_multilib) |
601 |
+ -Dhostnamed=$(meson_multilib) |
602 |
+ -Dhwdb=$(meson_multilib) |
603 |
+ -Dldconfig=$(meson_multilib) |
604 |
+ -Dlocaled=$(meson_multilib) |
605 |
+ -Dman=$(meson_multilib) |
606 |
+ -Dnetworkd=$(meson_multilib) |
607 |
+ -Dquotacheck=$(meson_multilib) |
608 |
+ -Drandomseed=$(meson_multilib) |
609 |
+ -Drfkill=$(meson_multilib) |
610 |
+ -Dsysusers=$(meson_multilib) |
611 |
+ -Dtimedated=$(meson_multilib) |
612 |
+ -Dtimesyncd=$(meson_multilib) |
613 |
+ -Dtmpfiles=$(meson_multilib) |
614 |
+ -Dvconsole=$(meson_multilib) |
615 |
+ ) |
616 |
+ |
617 |
+ if multilib_is_native_abi && use idn; then |
618 |
+ myconf+=( |
619 |
+ -Dlibidn2=$(usex libidn2 true false) |
620 |
+ -Dlibidn=$(usex libidn2 false true) |
621 |
+ ) |
622 |
+ else |
623 |
+ myconf+=( |
624 |
+ -Dlibidn2=false |
625 |
+ -Dlibidn=false |
626 |
+ ) |
627 |
+ fi |
628 |
+ |
629 |
+ meson_src_configure "${myconf[@]}" |
630 |
+} |
631 |
+ |
632 |
+multilib_src_compile() { |
633 |
+ eninja |
634 |
+} |
635 |
+ |
636 |
+multilib_src_test() { |
637 |
+ unset DBUS_SESSION_BUS_ADDRESS XDG_RUNTIME_DIR |
638 |
+ eninja test |
639 |
+} |
640 |
+ |
641 |
+multilib_src_install() { |
642 |
+ DESTDIR="${D}" eninja install |
643 |
+} |
644 |
+ |
645 |
+multilib_src_install_all() { |
646 |
+ local rootprefix=$(usex split-usr '' /usr) |
647 |
+ |
648 |
+ # meson doesn't know about docdir |
649 |
+ mv "${ED}"/usr/share/doc/{systemd,${PF}} || die |
650 |
+ |
651 |
+ einstalldocs |
652 |
+ dodoc "${FILESDIR}"/nsswitch.conf |
653 |
+ |
654 |
+ if ! use resolvconf; then |
655 |
+ rm -f "${ED}${rootprefix}"/sbin/resolvconf || die |
656 |
+ fi |
657 |
+ |
658 |
+ if ! use sysv-utils; then |
659 |
+ rm "${ED}${rootprefix}"/sbin/{halt,init,poweroff,reboot,runlevel,shutdown,telinit} || die |
660 |
+ rm "${ED}"/usr/share/man/man1/init.1 || die |
661 |
+ rm "${ED}"/usr/share/man/man8/{halt,poweroff,reboot,runlevel,shutdown,telinit}.8 || die |
662 |
+ fi |
663 |
+ |
664 |
+ if ! use resolvconf && ! use sysv-utils; then |
665 |
+ rmdir "${ED}${rootprefix}"/sbin || die |
666 |
+ fi |
667 |
+ |
668 |
+ # Preserve empty dirs in /etc & /var, bug #437008 |
669 |
+ keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d} |
670 |
+ keepdir /etc/systemd/{ntp-units.d,user} /var/lib/systemd |
671 |
+ keepdir /etc/udev/{hwdb.d,rules.d} |
672 |
+ keepdir /var/log/journal/remote |
673 |
+ |
674 |
+ # Symlink /etc/sysctl.conf for easy migration. |
675 |
+ dosym ../sysctl.conf /etc/sysctl.d/99-sysctl.conf |
676 |
+ |
677 |
+ # If we install these symlinks, there is no way for the sysadmin to remove them |
678 |
+ # permanently. |
679 |
+ rm -f "${ED}"/etc/systemd/system/multi-user.target.wants/systemd-networkd.service || die |
680 |
+ rm -f "${ED}"/etc/systemd/system/dbus-org.freedesktop.network1.service || die |
681 |
+ rm -f "${ED}"/etc/systemd/system/multi-user.target.wants/systemd-resolved.service || die |
682 |
+ rm -f "${ED}"/etc/systemd/system/dbus-org.freedesktop.resolve1.service || die |
683 |
+ rm -fr "${ED}"/etc/systemd/system/network-online.target.wants || die |
684 |
+ rm -fr "${ED}"/etc/systemd/system/sockets.target.wants || die |
685 |
+ rm -fr "${ED}"/etc/systemd/system/sysinit.target.wants || die |
686 |
+ |
687 |
+ local udevdir=/lib/udev |
688 |
+ use split-usr || udevdir=/usr/lib/udev |
689 |
+ |
690 |
+ rm -r "${ED}${udevdir}/hwdb.d" || die |
691 |
+ |
692 |
+ if use split-usr; then |
693 |
+ # Avoid breaking boot/reboot |
694 |
+ dosym ../../../lib/systemd/systemd /usr/lib/systemd/systemd |
695 |
+ dosym ../../../lib/systemd/systemd-shutdown /usr/lib/systemd/systemd-shutdown |
696 |
+ fi |
697 |
+} |
698 |
+ |
699 |
+migrate_locale() { |
700 |
+ local envd_locale_def="${EROOT}/etc/env.d/02locale" |
701 |
+ local envd_locale=( "${EROOT}"/etc/env.d/??locale ) |
702 |
+ local locale_conf="${EROOT}/etc/locale.conf" |
703 |
+ |
704 |
+ if [[ ! -L ${locale_conf} && ! -e ${locale_conf} ]]; then |
705 |
+ # If locale.conf does not exist... |
706 |
+ if [[ -e ${envd_locale} ]]; then |
707 |
+ # ...either copy env.d/??locale if there's one |
708 |
+ ebegin "Moving ${envd_locale} to ${locale_conf}" |
709 |
+ mv "${envd_locale}" "${locale_conf}" |
710 |
+ eend ${?} || FAIL=1 |
711 |
+ else |
712 |
+ # ...or create a dummy default |
713 |
+ ebegin "Creating ${locale_conf}" |
714 |
+ cat > "${locale_conf}" <<-EOF |
715 |
+ # This file has been created by the sys-apps/systemd ebuild. |
716 |
+ # See locale.conf(5) and localectl(1). |
717 |
+ |
718 |
+ # LANG=${LANG} |
719 |
+ EOF |
720 |
+ eend ${?} || FAIL=1 |
721 |
+ fi |
722 |
+ fi |
723 |
+ |
724 |
+ if [[ ! -L ${envd_locale} ]]; then |
725 |
+ # now, if env.d/??locale is not a symlink (to locale.conf)... |
726 |
+ if [[ -e ${envd_locale} ]]; then |
727 |
+ # ...warn the user that he has duplicate locale settings |
728 |
+ ewarn |
729 |
+ ewarn "To ensure consistent behavior, you should replace ${envd_locale}" |
730 |
+ ewarn "with a symlink to ${locale_conf}. Please migrate your settings" |
731 |
+ ewarn "and create the symlink with the following command:" |
732 |
+ ewarn "ln -s -n -f ../locale.conf ${envd_locale}" |
733 |
+ ewarn |
734 |
+ else |
735 |
+ # ...or just create the symlink if there's nothing here |
736 |
+ ebegin "Creating ${envd_locale_def} -> ../locale.conf symlink" |
737 |
+ ln -n -s ../locale.conf "${envd_locale_def}" |
738 |
+ eend ${?} || FAIL=1 |
739 |
+ fi |
740 |
+ fi |
741 |
+} |
742 |
+ |
743 |
+pkg_postinst() { |
744 |
+ newusergroup() { |
745 |
+ enewgroup "$1" |
746 |
+ enewuser "$1" -1 -1 -1 "$1" |
747 |
+ } |
748 |
+ |
749 |
+ enewgroup input |
750 |
+ enewgroup kvm 78 |
751 |
+ enewgroup render |
752 |
+ enewgroup systemd-journal |
753 |
+ newusergroup systemd-bus-proxy |
754 |
+ newusergroup systemd-coredump |
755 |
+ newusergroup systemd-journal-gateway |
756 |
+ newusergroup systemd-journal-remote |
757 |
+ newusergroup systemd-journal-upload |
758 |
+ newusergroup systemd-network |
759 |
+ newusergroup systemd-resolve |
760 |
+ newusergroup systemd-timesync |
761 |
+ |
762 |
+ systemd_update_catalog |
763 |
+ |
764 |
+ # Keep this here in case the database format changes so it gets updated |
765 |
+ # when required. Despite that this file is owned by sys-apps/hwids. |
766 |
+ if has_version "sys-apps/hwids[udev]"; then |
767 |
+ udevadm hwdb --update --root="${EROOT}" |
768 |
+ fi |
769 |
+ |
770 |
+ udev_reload || FAIL=1 |
771 |
+ |
772 |
+ # Bug 465468, make sure locales are respect, and ensure consistency |
773 |
+ # between OpenRC & systemd |
774 |
+ migrate_locale |
775 |
+ |
776 |
+ systemd_reenable systemd-networkd.service systemd-resolved.service |
777 |
+ |
778 |
+ if [[ -z ${ROOT} && -d /run/systemd/system ]]; then |
779 |
+ ebegin "Reexecuting system manager" |
780 |
+ systemctl daemon-reexec |
781 |
+ eend $? |
782 |
+ fi |
783 |
+ |
784 |
+ if [[ ${FAIL} ]]; then |
785 |
+ eerror "One of the postinst commands failed. Please check the postinst output" |
786 |
+ eerror "for errors. You may need to clean up your system and/or try installing" |
787 |
+ eerror "systemd again." |
788 |
+ eerror |
789 |
+ fi |
790 |
+} |
791 |
+ |
792 |
+pkg_prerm() { |
793 |
+ # If removing systemd completely, remove the catalog database. |
794 |
+ if [[ ! ${REPLACED_BY_VERSION} ]]; then |
795 |
+ rm -f -v "${EROOT}"/var/lib/systemd/catalog/database |
796 |
+ fi |
797 |
+} |
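Review bot: The third backported patch, 0003-sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch, is added under files/CVE-2019-6454 but never applied: the PATCHES array in src_prepare lists only 0001 and 0002. Per that patch's own description, without it a message that dbus-daemon accepts but sd-bus now rejects under the new BUS_PATH_SIZE_MAX fails the connection rather than being dropped, so the rejection added by 0001 presumably becomes its own way to knock PID1 off the bus; if the omission is deliberate, the ebuild should say why. Add `"${FILESDIR}"/CVE-2019-6454/0003-sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch` to the array, and put `# CVE-2019-6454, bug #677944` above the three entries so the reason for the patch set is visible in the ebuild rather than only in the commit message.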