| 1 |
commit: 6d6384e102e34db05c2897b20d63587173f141c5 |
| 2 |
Author: Mike Gilbert <floppym <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Wed Jun 28 17:01:09 2017 +0000 |
| 4 |
Commit: Mike Gilbert <floppym <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Wed Jun 28 17:01:44 2017 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6d6384e1 |
| 7 |
|
| 8 |
sys-apps/systemd: backport fix for CVE-2017-9445 |
| 9 |
|
| 10 |
Bug: https://bugs.gentoo.org/622874 |
| 11 |
Package-Manager: Portage-2.3.6_p9, Repoman-2.3.2_p77 |
| 12 |
|
| 13 |
sys-apps/systemd/files/233-CVE-2017-9445.patch | 178 ++++++++++ |
| 14 |
sys-apps/systemd/systemd-233-r2.ebuild | 460 +++++++++++++++++++++++++ |
| 15 |
2 files changed, 638 insertions(+) |
| 16 |
|
| 17 |
diff --git a/sys-apps/systemd/files/233-CVE-2017-9445.patch b/sys-apps/systemd/files/233-CVE-2017-9445.patch |
| 18 |
new file mode 100644 |
| 19 |
index 00000000000..a05c41f47b6 |
| 20 |
--- /dev/null |
| 21 |
+++ b/sys-apps/systemd/files/233-CVE-2017-9445.patch |
| 22 |
@@ -0,0 +1,178 @@ |
| 23 |
+From 29bb43cc46412366fc939c66331a916de07bfac4 Mon Sep 17 00:00:00 2001 |
| 24 |
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@××××××.pl> |
| 25 |
+Date: Sun, 18 Jun 2017 16:07:57 -0400 |
| 26 |
+Subject: [PATCH 1/4] resolved: simplify alloc size calculation |
| 27 |
+ |
| 28 |
+The allocation size was calculated in a complicated way, and for values |
| 29 |
+close to the page size we would actually allocate less than requested. |
| 30 |
+ |
| 31 |
+Reported by Chris Coulson <chris.coulson@×××××××××.com>. |
| 32 |
+ |
| 33 |
+CVE-2017-9445 |
| 34 |
+--- |
| 35 |
+ src/resolve/resolved-dns-packet.c | 8 +------- |
| 36 |
+ src/resolve/resolved-dns-packet.h | 2 -- |
| 37 |
+ 2 files changed, 1 insertion(+), 9 deletions(-) |
| 38 |
+ |
| 39 |
+diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c |
| 40 |
+index 652970284..2034e3c8c 100644 |
| 41 |
+--- a/src/resolve/resolved-dns-packet.c |
| 42 |
++++ b/src/resolve/resolved-dns-packet.c |
| 43 |
+@@ -47,13 +47,7 @@ int dns_packet_new(DnsPacket **ret, DnsProtocol protocol, size_t mtu) { |
| 44 |
+ |
| 45 |
+ assert(ret); |
| 46 |
+ |
| 47 |
+- if (mtu <= UDP_PACKET_HEADER_SIZE) |
| 48 |
+- a = DNS_PACKET_SIZE_START; |
| 49 |
+- else |
| 50 |
+- a = mtu - UDP_PACKET_HEADER_SIZE; |
| 51 |
+- |
| 52 |
+- if (a < DNS_PACKET_HEADER_SIZE) |
| 53 |
+- a = DNS_PACKET_HEADER_SIZE; |
| 54 |
++ a = MAX(mtu, DNS_PACKET_HEADER_SIZE); |
| 55 |
+ |
| 56 |
+ /* round up to next page size */ |
| 57 |
+ a = PAGE_ALIGN(ALIGN(sizeof(DnsPacket)) + a) - ALIGN(sizeof(DnsPacket)); |
| 58 |
+diff --git a/src/resolve/resolved-dns-packet.h b/src/resolve/resolved-dns-packet.h |
| 59 |
+index 2c92392e4..3abcaf8cf 100644 |
| 60 |
+--- a/src/resolve/resolved-dns-packet.h |
| 61 |
++++ b/src/resolve/resolved-dns-packet.h |
| 62 |
+@@ -66,8 +66,6 @@ struct DnsPacketHeader { |
| 63 |
+ /* With EDNS0 we can use larger packets, default to 4096, which is what is commonly used */ |
| 64 |
+ #define DNS_PACKET_UNICAST_SIZE_LARGE_MAX 4096 |
| 65 |
+ |
| 66 |
+-#define DNS_PACKET_SIZE_START 512 |
| 67 |
+- |
| 68 |
+ struct DnsPacket { |
| 69 |
+ int n_ref; |
| 70 |
+ DnsProtocol protocol; |
| 71 |
+-- |
| 72 |
+2.13.1 |
| 73 |
+ |
| 74 |
+ |
| 75 |
+From cd3d8a7ebc01cd6913eaa9a591f7d606038a7588 Mon Sep 17 00:00:00 2001 |
| 76 |
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@××××××.pl> |
| 77 |
+Date: Tue, 27 Jun 2017 14:20:00 -0400 |
| 78 |
+Subject: [PATCH 2/4] resolved: do not allocate packets with minimum size |
| 79 |
+ |
| 80 |
+dns_packet_new() is sometimes called with mtu == 0, and in that case we should |
| 81 |
+allocate more than the absolute minimum (which is the dns packet header size), |
| 82 |
+otherwise we have to resize immediately again after appending the first data to |
| 83 |
+the packet. |
| 84 |
+ |
| 85 |
+This partially reverts the previous commit. |
| 86 |
+--- |
| 87 |
+ src/resolve/resolved-dns-packet.c | 12 +++++++++++- |
| 88 |
+ 1 file changed, 11 insertions(+), 1 deletion(-) |
| 89 |
+ |
| 90 |
+diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c |
| 91 |
+index 2034e3c8c..9d806ab33 100644 |
| 92 |
+--- a/src/resolve/resolved-dns-packet.c |
| 93 |
++++ b/src/resolve/resolved-dns-packet.c |
| 94 |
+@@ -28,6 +28,9 @@ |
| 95 |
+ |
| 96 |
+ #define EDNS0_OPT_DO (1<<15) |
| 97 |
+ |
| 98 |
++#define DNS_PACKET_SIZE_START 512 |
| 99 |
++assert_cc(DNS_PACKET_SIZE_START > UDP_PACKET_HEADER_SIZE) |
| 100 |
++ |
| 101 |
+ typedef struct DnsPacketRewinder { |
| 102 |
+ DnsPacket *packet; |
| 103 |
+ size_t saved_rindex; |
| 104 |
+@@ -47,7 +50,14 @@ int dns_packet_new(DnsPacket **ret, DnsProtocol protocol, size_t mtu) { |
| 105 |
+ |
| 106 |
+ assert(ret); |
| 107 |
+ |
| 108 |
+- a = MAX(mtu, DNS_PACKET_HEADER_SIZE); |
| 109 |
++ /* When dns_packet_new() is called with mtu == 0, allocate more than the |
| 110 |
++ * absolute minimum (which is the dns packet header size), to avoid |
| 111 |
++ * resizing immediately again after appending the first data to the packet. |
| 112 |
++ */ |
| 113 |
++ if (mtu < UDP_PACKET_HEADER_SIZE) |
| 114 |
++ a = DNS_PACKET_SIZE_START; |
| 115 |
++ else |
| 116 |
++ a = MAX(mtu, DNS_PACKET_HEADER_SIZE); |
| 117 |
+ |
| 118 |
+ /* round up to next page size */ |
| 119 |
+ a = PAGE_ALIGN(ALIGN(sizeof(DnsPacket)) + a) - ALIGN(sizeof(DnsPacket)); |
| 120 |
+-- |
| 121 |
+2.13.1 |
| 122 |
+ |
| 123 |
+ |
| 124 |
+From a03fc1acd66d23e239f2545e9a6887c7d0aad7c5 Mon Sep 17 00:00:00 2001 |
| 125 |
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@××××××.pl> |
| 126 |
+Date: Tue, 27 Jun 2017 16:59:06 -0400 |
| 127 |
+Subject: [PATCH 3/4] resolved: define various packet sizes as unsigned |
| 128 |
+ |
| 129 |
+This seems like the right thing to do, and apparently at least some compilers |
| 130 |
+warn about signed/unsigned comparisons with DNS_PACKET_SIZE_MAX. |
| 131 |
+--- |
| 132 |
+ src/resolve/resolved-dns-packet.c | 2 +- |
| 133 |
+ src/resolve/resolved-dns-packet.h | 6 +++--- |
| 134 |
+ 2 files changed, 4 insertions(+), 4 deletions(-) |
| 135 |
+ |
| 136 |
+diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c |
| 137 |
+index 9d806ab33..e2285b440 100644 |
| 138 |
+--- a/src/resolve/resolved-dns-packet.c |
| 139 |
++++ b/src/resolve/resolved-dns-packet.c |
| 140 |
+@@ -28,7 +28,7 @@ |
| 141 |
+ |
| 142 |
+ #define EDNS0_OPT_DO (1<<15) |
| 143 |
+ |
| 144 |
+-#define DNS_PACKET_SIZE_START 512 |
| 145 |
++#define DNS_PACKET_SIZE_START 512u |
| 146 |
+ assert_cc(DNS_PACKET_SIZE_START > UDP_PACKET_HEADER_SIZE) |
| 147 |
+ |
| 148 |
+ typedef struct DnsPacketRewinder { |
| 149 |
+diff --git a/src/resolve/resolved-dns-packet.h b/src/resolve/resolved-dns-packet.h |
| 150 |
+index 3abcaf8cf..5dff272fd 100644 |
| 151 |
+--- a/src/resolve/resolved-dns-packet.h |
| 152 |
++++ b/src/resolve/resolved-dns-packet.h |
| 153 |
+@@ -58,13 +58,13 @@ struct DnsPacketHeader { |
| 154 |
+ /* The various DNS protocols deviate in how large a packet can grow, |
| 155 |
+ but the TCP transport has a 16bit size field, hence that appears to |
| 156 |
+ be the absolute maximum. */ |
| 157 |
+-#define DNS_PACKET_SIZE_MAX 0xFFFF |
| 158 |
++#define DNS_PACKET_SIZE_MAX 0xFFFFu |
| 159 |
+ |
| 160 |
+ /* RFC 1035 say 512 is the maximum, for classic unicast DNS */ |
| 161 |
+-#define DNS_PACKET_UNICAST_SIZE_MAX 512 |
| 162 |
++#define DNS_PACKET_UNICAST_SIZE_MAX 512u |
| 163 |
+ |
| 164 |
+ /* With EDNS0 we can use larger packets, default to 4096, which is what is commonly used */ |
| 165 |
+-#define DNS_PACKET_UNICAST_SIZE_LARGE_MAX 4096 |
| 166 |
++#define DNS_PACKET_UNICAST_SIZE_LARGE_MAX 4096u |
| 167 |
+ |
| 168 |
+ struct DnsPacket { |
| 169 |
+ int n_ref; |
| 170 |
+-- |
| 171 |
+2.13.1 |
| 172 |
+ |
| 173 |
+ |
| 174 |
+From 415871d88e0c44acf8b90dc07245809087a65d2c Mon Sep 17 00:00:00 2001 |
| 175 |
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@××××××.pl> |
| 176 |
+Date: Wed, 28 Jun 2017 12:24:37 -0400 |
| 177 |
+Subject: [PATCH 4/4] resolved: drop unnecessary comparison (#6220) |
| 178 |
+ |
| 179 |
+mtu is always greater than UDP_PACKET_HEADER_SIZE at this point. |
| 180 |
+Pointed out by Benjamin Robin. |
| 181 |
+--- |
| 182 |
+ src/resolve/resolved-dns-packet.c | 2 +- |
| 183 |
+ 1 file changed, 1 insertion(+), 1 deletion(-) |
| 184 |
+ |
| 185 |
+diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c |
| 186 |
+index e2285b440..738d4cc8f 100644 |
| 187 |
+--- a/src/resolve/resolved-dns-packet.c |
| 188 |
++++ b/src/resolve/resolved-dns-packet.c |
| 189 |
+@@ -57,7 +57,7 @@ int dns_packet_new(DnsPacket **ret, DnsProtocol protocol, size_t mtu) { |
| 190 |
+ if (mtu < UDP_PACKET_HEADER_SIZE) |
| 191 |
+ a = DNS_PACKET_SIZE_START; |
| 192 |
+ else |
| 193 |
+- a = MAX(mtu, DNS_PACKET_HEADER_SIZE); |
| 194 |
++ a = mtu; |
| 195 |
+ |
| 196 |
+ /* round up to next page size */ |
| 197 |
+ a = PAGE_ALIGN(ALIGN(sizeof(DnsPacket)) + a) - ALIGN(sizeof(DnsPacket)); |
| 198 |
+-- |
| 199 |
+2.13.1 |
| 200 |
+ |
| 201 |
|
| 202 |
diff --git a/sys-apps/systemd/systemd-233-r2.ebuild b/sys-apps/systemd/systemd-233-r2.ebuild |
| 203 |
new file mode 100644 |
| 204 |
index 00000000000..b529b98afb8 |
| 205 |
--- /dev/null |
| 206 |
+++ b/sys-apps/systemd/systemd-233-r2.ebuild |
| 207 |
@@ -0,0 +1,460 @@ |
| 208 |
+# Copyright 1999-2017 Gentoo Foundation |
| 209 |
+# Distributed under the terms of the GNU General Public License v2 |
| 210 |
+ |
| 211 |
+EAPI=6 |
| 212 |
+ |
| 213 |
+if [[ ${PV} == 9999 ]]; then |
| 214 |
+ EGIT_REPO_URI="https://github.com/systemd/systemd.git" |
| 215 |
+ inherit git-r3 |
| 216 |
+else |
| 217 |
+ SRC_URI="https://github.com/systemd/systemd/archive/v${PV}.tar.gz -> ${P}.tar.gz |
| 218 |
+ !doc? ( https://dev.gentoo.org/~floppym/dist/${P}-man.tar.gz )" |
| 219 |
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~ia64 ~ppc ~ppc64 ~sparc ~x86" |
| 220 |
+fi |
| 221 |
+ |
| 222 |
+PYTHON_COMPAT=( python{3_4,3_5,3_6} ) |
| 223 |
+ |
| 224 |
+inherit autotools bash-completion-r1 linux-info multilib-minimal pam python-any-r1 systemd toolchain-funcs udev user |
| 225 |
+ |
| 226 |
+DESCRIPTION="System and service manager for Linux" |
| 227 |
+HOMEPAGE="https://www.freedesktop.org/wiki/Software/systemd" |
| 228 |
+ |
| 229 |
+LICENSE="GPL-2 LGPL-2.1 MIT public-domain" |
| 230 |
+SLOT="0/2" |
| 231 |
+IUSE="acl apparmor audit build cryptsetup curl doc elfutils +gcrypt gnuefi http |
| 232 |
+ idn importd +kmod +lz4 lzma nat pam policykit |
| 233 |
+ qrcode +seccomp selinux ssl sysv-utils test vanilla xkb" |
| 234 |
+ |
| 235 |
+REQUIRED_USE="importd? ( curl gcrypt lzma )" |
| 236 |
+ |
| 237 |
+MINKV="3.11" |
| 238 |
+ |
| 239 |
+COMMON_DEPEND=">=sys-apps/util-linux-2.27.1:0=[${MULTILIB_USEDEP}] |
| 240 |
+ sys-libs/libcap:0=[${MULTILIB_USEDEP}] |
| 241 |
+ !<sys-libs/glibc-2.16 |
| 242 |
+ acl? ( sys-apps/acl:0= ) |
| 243 |
+ apparmor? ( sys-libs/libapparmor:0= ) |
| 244 |
+ audit? ( >=sys-process/audit-2:0= ) |
| 245 |
+ cryptsetup? ( >=sys-fs/cryptsetup-1.6:0= ) |
| 246 |
+ curl? ( net-misc/curl:0= ) |
| 247 |
+ elfutils? ( >=dev-libs/elfutils-0.158:0= ) |
| 248 |
+ gcrypt? ( >=dev-libs/libgcrypt-1.4.5:0=[${MULTILIB_USEDEP}] ) |
| 249 |
+ http? ( |
| 250 |
+ >=net-libs/libmicrohttpd-0.9.33:0= |
| 251 |
+ ssl? ( >=net-libs/gnutls-3.1.4:0= ) |
| 252 |
+ ) |
| 253 |
+ idn? ( net-dns/libidn:0= ) |
| 254 |
+ importd? ( |
| 255 |
+ app-arch/bzip2:0= |
| 256 |
+ sys-libs/zlib:0= |
| 257 |
+ ) |
| 258 |
+ kmod? ( >=sys-apps/kmod-15:0= ) |
| 259 |
+ lz4? ( >=app-arch/lz4-0_p131:0=[${MULTILIB_USEDEP}] ) |
| 260 |
+ lzma? ( >=app-arch/xz-utils-5.0.5-r1:0=[${MULTILIB_USEDEP}] ) |
| 261 |
+ nat? ( net-firewall/iptables:0= ) |
| 262 |
+ pam? ( virtual/pam:=[${MULTILIB_USEDEP}] ) |
| 263 |
+ qrcode? ( media-gfx/qrencode:0= ) |
| 264 |
+ seccomp? ( >=sys-libs/libseccomp-2.3.1:0= ) |
| 265 |
+ selinux? ( sys-libs/libselinux:0= ) |
| 266 |
+ sysv-utils? ( |
| 267 |
+ !sys-apps/systemd-sysv-utils |
| 268 |
+ !sys-apps/sysvinit ) |
| 269 |
+ xkb? ( >=x11-libs/libxkbcommon-0.4.1:0= ) |
| 270 |
+ abi_x86_32? ( !<=app-emulation/emul-linux-x86-baselibs-20130224-r9 |
| 271 |
+ !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)] )" |
| 272 |
+ |
| 273 |
+# baselayout-2.2 has /run |
| 274 |
+RDEPEND="${COMMON_DEPEND} |
| 275 |
+ >=sys-apps/baselayout-2.2 |
| 276 |
+ selinux? ( sec-policy/selinux-base-policy[systemd] ) |
| 277 |
+ !build? ( || ( |
| 278 |
+ sys-apps/util-linux[kill(-)] |
| 279 |
+ sys-process/procps[kill(+)] |
| 280 |
+ sys-apps/coreutils[kill(-)] |
| 281 |
+ ) ) |
| 282 |
+ !sys-auth/nss-myhostname |
| 283 |
+ !<sys-kernel/dracut-044 |
| 284 |
+ !sys-fs/eudev |
| 285 |
+ !sys-fs/udev" |
| 286 |
+ |
| 287 |
+# sys-apps/dbus: the daemon only (+ build-time lib dep for tests) |
| 288 |
+PDEPEND=">=sys-apps/dbus-1.9.8[systemd] |
| 289 |
+ >=sys-apps/hwids-20150417[udev] |
| 290 |
+ >=sys-fs/udev-init-scripts-25 |
| 291 |
+ policykit? ( sys-auth/polkit ) |
| 292 |
+ !vanilla? ( sys-apps/gentoo-systemd-integration )" |
| 293 |
+ |
| 294 |
+# Newer linux-headers needed by ia64, bug #480218 |
| 295 |
+DEPEND="${COMMON_DEPEND} |
| 296 |
+ app-arch/xz-utils:0 |
| 297 |
+ dev-util/gperf |
| 298 |
+ >=dev-util/intltool-0.50 |
| 299 |
+ >=sys-apps/coreutils-8.16 |
| 300 |
+ >=sys-kernel/linux-headers-${MINKV} |
| 301 |
+ virtual/pkgconfig |
| 302 |
+ gnuefi? ( >=sys-boot/gnu-efi-3.0.2 ) |
| 303 |
+ test? ( sys-apps/dbus ) |
| 304 |
+ app-text/docbook-xml-dtd:4.2 |
| 305 |
+ app-text/docbook-xml-dtd:4.5 |
| 306 |
+ app-text/docbook-xsl-stylesheets |
| 307 |
+ dev-libs/libxslt:0 |
| 308 |
+ doc? ( $(python_gen_any_dep 'dev-python/lxml[${PYTHON_USEDEP}]') ) |
| 309 |
+" |
| 310 |
+ |
| 311 |
+python_check_deps() { |
| 312 |
+ has_version --host-root "dev-python/lxml[${PYTHON_USEDEP}]" |
| 313 |
+} |
| 314 |
+ |
| 315 |
+pkg_pretend() { |
| 316 |
+ if [[ ${MERGE_TYPE} != buildonly ]]; then |
| 317 |
+ local CONFIG_CHECK="~AUTOFS4_FS ~BLK_DEV_BSG ~CGROUPS |
| 318 |
+ ~CHECKPOINT_RESTORE ~DEVTMPFS ~EPOLL ~FANOTIFY ~FHANDLE |
| 319 |
+ ~INOTIFY_USER ~IPV6 ~NET ~NET_NS ~PROC_FS ~SIGNALFD ~SYSFS |
| 320 |
+ ~TIMERFD ~TMPFS_XATTR ~UNIX |
| 321 |
+ ~CRYPTO_HMAC ~CRYPTO_SHA256 ~CRYPTO_USER_API_HASH |
| 322 |
+ ~!FW_LOADER_USER_HELPER ~!GRKERNSEC_PROC ~!IDE ~!SYSFS_DEPRECATED |
| 323 |
+ ~!SYSFS_DEPRECATED_V2" |
| 324 |
+ |
| 325 |
+ use acl && CONFIG_CHECK+=" ~TMPFS_POSIX_ACL" |
| 326 |
+ use seccomp && CONFIG_CHECK+=" ~SECCOMP ~SECCOMP_FILTER" |
| 327 |
+ kernel_is -lt 3 7 && CONFIG_CHECK+=" ~HOTPLUG" |
| 328 |
+ kernel_is -lt 4 7 && CONFIG_CHECK+=" ~DEVPTS_MULTIPLE_INSTANCES" |
| 329 |
+ |
| 330 |
+ if linux_config_exists; then |
| 331 |
+ local uevent_helper_path=$(linux_chkconfig_string UEVENT_HELPER_PATH) |
| 332 |
+ if [[ -n ${uevent_helper_path} ]] && [[ ${uevent_helper_path} != '""' ]]; then |
| 333 |
+ ewarn "It's recommended to set an empty value to the following kernel config option:" |
| 334 |
+ ewarn "CONFIG_UEVENT_HELPER_PATH=${uevent_helper_path}" |
| 335 |
+ fi |
| 336 |
+ if linux_chkconfig_present X86; then |
| 337 |
+ CONFIG_CHECK+=" ~DMIID" |
| 338 |
+ fi |
| 339 |
+ fi |
| 340 |
+ |
| 341 |
+ if kernel_is -lt ${MINKV//./ }; then |
| 342 |
+ ewarn "Kernel version at least ${MINKV} required" |
| 343 |
+ fi |
| 344 |
+ |
| 345 |
+ check_extra_config |
| 346 |
+ fi |
| 347 |
+} |
| 348 |
+ |
| 349 |
+pkg_setup() { |
| 350 |
+ : |
| 351 |
+} |
| 352 |
+ |
| 353 |
+src_unpack() { |
| 354 |
+ default |
| 355 |
+ [[ ${PV} != 9999 ]] || git-r3_src_unpack |
| 356 |
+} |
| 357 |
+ |
| 358 |
+src_prepare() { |
| 359 |
+ # Bug 463376 |
| 360 |
+ sed -i -e 's/GROUP="dialout"/GROUP="uucp"/' rules/*.rules || die |
| 361 |
+ |
| 362 |
+ local PATCHES=( |
| 363 |
+ "${FILESDIR}/233-0001-Avoid-strict-DM-interface-version-dependencies-5519.patch" |
| 364 |
+ "${FILESDIR}/233-CVE-2017-9445.patch" |
| 365 |
+ ) |
| 366 |
+ |
| 367 |
+ if ! use vanilla; then |
| 368 |
+ PATCHES+=( |
| 369 |
+ "${FILESDIR}/218-Dont-enable-audit-by-default.patch" |
| 370 |
+ "${FILESDIR}/228-noclean-tmp.patch" |
| 371 |
+ "${FILESDIR}/233-systemd-user-pam.patch" |
| 372 |
+ ) |
| 373 |
+ fi |
| 374 |
+ |
| 375 |
+ [[ -d "${WORKDIR}"/patches ]] && PATCHES+=( "${WORKDIR}"/patches ) |
| 376 |
+ |
| 377 |
+ default |
| 378 |
+ |
| 379 |
+ eautoreconf |
| 380 |
+} |
| 381 |
+ |
| 382 |
+src_configure() { |
| 383 |
+ # Keep using the one where the rules were installed. |
| 384 |
+ MY_UDEVDIR=$(get_udevdir) |
| 385 |
+ # Fix systems broken by bug #509454. |
| 386 |
+ [[ ${MY_UDEVDIR} ]] || MY_UDEVDIR=/lib/udev |
| 387 |
+ |
| 388 |
+ # Prevent conflicts with i686 cross toolchain, bug 559726 |
| 389 |
+ tc-export AR CC NM OBJCOPY RANLIB |
| 390 |
+ |
| 391 |
+ use doc && python_setup |
| 392 |
+ |
| 393 |
+ multilib-minimal_src_configure |
| 394 |
+} |
| 395 |
+ |
| 396 |
+multilib_src_configure() { |
| 397 |
+ local myeconfargs=( |
| 398 |
+ # disable -flto since it is an optimization flag |
| 399 |
+ # and makes distcc less effective |
| 400 |
+ cc_cv_CFLAGS__flto=no |
| 401 |
+ # disable -fuse-ld=gold since Gentoo supports explicit linker |
| 402 |
+ # choice and forcing gold is undesired, #539998 |
| 403 |
+ # ld.gold may collide with user's LDFLAGS, #545168 |
| 404 |
+ # ld.gold breaks sparc, #573874 |
| 405 |
+ cc_cv_LDFLAGS__Wl__fuse_ld_gold=no |
| 406 |
+ |
| 407 |
+ # Workaround for gcc-4.7, bug 554454. |
| 408 |
+ cc_cv_CFLAGS__Werror_shadow=no |
| 409 |
+ |
| 410 |
+ # Workaround for bug 516346 |
| 411 |
+ --enable-dependency-tracking |
| 412 |
+ |
| 413 |
+ --disable-maintainer-mode |
| 414 |
+ --localstatedir=/var |
| 415 |
+ --with-pamlibdir=$(getpam_mod_dir) |
| 416 |
+ # avoid bash-completion dep |
| 417 |
+ --with-bashcompletiondir="$(get_bashcompdir)" |
| 418 |
+ # make sure we get /bin:/sbin in $PATH |
| 419 |
+ --enable-split-usr |
| 420 |
+ # For testing. |
| 421 |
+ --with-rootprefix="${ROOTPREFIX-/usr}" |
| 422 |
+ --with-rootlibdir="${ROOTPREFIX-/usr}/$(get_libdir)" |
| 423 |
+ # disable sysv compatibility |
| 424 |
+ --with-sysvinit-path= |
| 425 |
+ --with-sysvrcnd-path= |
| 426 |
+ # no deps |
| 427 |
+ --enable-efi |
| 428 |
+ --enable-ima |
| 429 |
+ |
| 430 |
+ # Optional components/dependencies |
| 431 |
+ $(multilib_native_use_enable acl) |
| 432 |
+ $(multilib_native_use_enable apparmor) |
| 433 |
+ $(multilib_native_use_enable audit) |
| 434 |
+ $(multilib_native_use_enable cryptsetup libcryptsetup) |
| 435 |
+ $(multilib_native_use_enable curl libcurl) |
| 436 |
+ $(multilib_native_use_enable elfutils) |
| 437 |
+ $(use_enable gcrypt) |
| 438 |
+ $(multilib_native_use_enable gnuefi) |
| 439 |
+ --with-efi-libdir="/usr/$(get_libdir)" |
| 440 |
+ $(multilib_native_use_enable http microhttpd) |
| 441 |
+ $(usex http $(multilib_native_use_enable ssl gnutls) --disable-gnutls) |
| 442 |
+ $(multilib_native_use_enable idn libidn) |
| 443 |
+ $(multilib_native_use_enable importd) |
| 444 |
+ $(multilib_native_use_enable importd bzip2) |
| 445 |
+ $(multilib_native_use_enable importd zlib) |
| 446 |
+ $(multilib_native_use_enable kmod) |
| 447 |
+ $(use_enable lz4) |
| 448 |
+ $(use_enable lzma xz) |
| 449 |
+ $(multilib_native_use_enable nat libiptc) |
| 450 |
+ $(use_enable pam) |
| 451 |
+ $(multilib_native_use_enable policykit polkit) |
| 452 |
+ $(multilib_native_use_enable qrcode qrencode) |
| 453 |
+ $(multilib_native_use_enable seccomp) |
| 454 |
+ $(multilib_native_use_enable selinux) |
| 455 |
+ $(multilib_native_use_enable test tests) |
| 456 |
+ $(multilib_native_use_enable test dbus) |
| 457 |
+ $(multilib_native_use_enable xkb xkbcommon) |
| 458 |
+ $(multilib_native_use_with doc python) |
| 459 |
+ |
| 460 |
+ # hardcode a few paths to spare some deps |
| 461 |
+ KILL=/bin/kill |
| 462 |
+ QUOTAON=/usr/sbin/quotaon |
| 463 |
+ QUOTACHECK=/usr/sbin/quotacheck |
| 464 |
+ |
| 465 |
+ # TODO: we may need to restrict this to gcc |
| 466 |
+ EFI_CC="$(tc-getCC)" |
| 467 |
+ |
| 468 |
+ # dbus paths |
| 469 |
+ --with-dbuspolicydir="${EPREFIX}/etc/dbus-1/system.d" |
| 470 |
+ --with-dbussessionservicedir="${EPREFIX}/usr/share/dbus-1/services" |
| 471 |
+ --with-dbussystemservicedir="${EPREFIX}/usr/share/dbus-1/system-services" |
| 472 |
+ |
| 473 |
+ --with-ntp-servers="0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org 2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org" |
| 474 |
+ |
| 475 |
+ # Breaks screen, tmux, etc. |
| 476 |
+ --without-kill-user-processes |
| 477 |
+ ) |
| 478 |
+ |
| 479 |
+ # Work around bug 463846. |
| 480 |
+ tc-export CC |
| 481 |
+ |
| 482 |
+ ECONF_SOURCE="${S}" econf "${myeconfargs[@]}" |
| 483 |
+} |
| 484 |
+ |
| 485 |
+multilib_src_compile() { |
| 486 |
+ local mymakeopts=( |
| 487 |
+ udevlibexecdir="${MY_UDEVDIR}" |
| 488 |
+ ) |
| 489 |
+ |
| 490 |
+ if multilib_is_native_abi; then |
| 491 |
+ emake "${mymakeopts[@]}" |
| 492 |
+ else |
| 493 |
+ emake built-sources |
| 494 |
+ local targets=( |
| 495 |
+ '$(rootlib_LTLIBRARIES)' |
| 496 |
+ '$(lib_LTLIBRARIES)' |
| 497 |
+ '$(pamlib_LTLIBRARIES)' |
| 498 |
+ '$(pkgconfiglib_DATA)' |
| 499 |
+ ) |
| 500 |
+ echo "gentoo: ${targets[*]}" | emake "${mymakeopts[@]}" -f Makefile -f - gentoo |
| 501 |
+ fi |
| 502 |
+} |
| 503 |
+ |
| 504 |
+multilib_src_test() { |
| 505 |
+ multilib_is_native_abi || return 0 |
| 506 |
+ default |
| 507 |
+} |
| 508 |
+ |
| 509 |
+multilib_src_install() { |
| 510 |
+ local mymakeopts=( |
| 511 |
+ # automake fails with parallel libtool relinking |
| 512 |
+ # https://bugs.gentoo.org/show_bug.cgi?id=491398 |
| 513 |
+ -j1 |
| 514 |
+ |
| 515 |
+ udevlibexecdir="${MY_UDEVDIR}" |
| 516 |
+ dist_udevhwdb_DATA= |
| 517 |
+ DESTDIR="${D}" |
| 518 |
+ ) |
| 519 |
+ |
| 520 |
+ if multilib_is_native_abi; then |
| 521 |
+ emake "${mymakeopts[@]}" install |
| 522 |
+ else |
| 523 |
+ mymakeopts+=( |
| 524 |
+ install-rootlibLTLIBRARIES |
| 525 |
+ install-libLTLIBRARIES |
| 526 |
+ install-pamlibLTLIBRARIES |
| 527 |
+ install-pkgconfiglibDATA |
| 528 |
+ install-includeHEADERS |
| 529 |
+ install-pkgincludeHEADERS |
| 530 |
+ ) |
| 531 |
+ |
| 532 |
+ emake "${mymakeopts[@]}" |
| 533 |
+ fi |
| 534 |
+} |
| 535 |
+ |
| 536 |
+multilib_src_install_all() { |
| 537 |
+ prune_libtool_files --modules |
| 538 |
+ einstalldocs |
| 539 |
+ dodoc "${FILESDIR}"/nsswitch.conf |
| 540 |
+ |
| 541 |
+ if [[ ${PV} != 9999 ]]; then |
| 542 |
+ use doc || doman "${WORKDIR}"/man/systemd.{directives,index}.7 |
| 543 |
+ fi |
| 544 |
+ |
| 545 |
+ if use sysv-utils; then |
| 546 |
+ for app in halt poweroff reboot runlevel shutdown telinit; do |
| 547 |
+ dosym "..${ROOTPREFIX-/usr}/bin/systemctl" /sbin/${app} |
| 548 |
+ done |
| 549 |
+ dosym "..${ROOTPREFIX-/usr}/lib/systemd/systemd" /sbin/init |
| 550 |
+ else |
| 551 |
+ # we just keep sysvinit tools, so no need for the mans |
| 552 |
+ rm "${D}"/usr/share/man/man8/{halt,poweroff,reboot,runlevel,shutdown,telinit}.8 \ |
| 553 |
+ || die |
| 554 |
+ rm "${D}"/usr/share/man/man1/init.1 || die |
| 555 |
+ fi |
| 556 |
+ |
| 557 |
+ # Preserve empty dirs in /etc & /var, bug #437008 |
| 558 |
+ keepdir /etc/binfmt.d /etc/modules-load.d /etc/tmpfiles.d \ |
| 559 |
+ /etc/systemd/ntp-units.d /etc/systemd/user /var/lib/systemd \ |
| 560 |
+ /var/log/journal/remote |
| 561 |
+ |
| 562 |
+ # Symlink /etc/sysctl.conf for easy migration. |
| 563 |
+ dosym ../sysctl.conf /etc/sysctl.d/99-sysctl.conf |
| 564 |
+ |
| 565 |
+ # If we install these symlinks, there is no way for the sysadmin to remove them |
| 566 |
+ # permanently. |
| 567 |
+ rm "${D}"/etc/systemd/system/multi-user.target.wants/systemd-networkd.service || die |
| 568 |
+ rm -f "${D}"/etc/systemd/system/multi-user.target.wants/systemd-resolved.service || die |
| 569 |
+ rm -r "${D}"/etc/systemd/system/network-online.target.wants || die |
| 570 |
+ rm -r "${D}"/etc/systemd/system/sockets.target.wants || die |
| 571 |
+ rm -r "${D}"/etc/systemd/system/sysinit.target.wants || die |
| 572 |
+} |
| 573 |
+ |
| 574 |
+migrate_locale() { |
| 575 |
+ local envd_locale_def="${EROOT%/}/etc/env.d/02locale" |
| 576 |
+ local envd_locale=( "${EROOT%/}"/etc/env.d/??locale ) |
| 577 |
+ local locale_conf="${EROOT%/}/etc/locale.conf" |
| 578 |
+ |
| 579 |
+ if [[ ! -L ${locale_conf} && ! -e ${locale_conf} ]]; then |
| 580 |
+ # If locale.conf does not exist... |
| 581 |
+ if [[ -e ${envd_locale} ]]; then |
| 582 |
+ # ...either copy env.d/??locale if there's one |
| 583 |
+ ebegin "Moving ${envd_locale} to ${locale_conf}" |
| 584 |
+ mv "${envd_locale}" "${locale_conf}" |
| 585 |
+ eend ${?} || FAIL=1 |
| 586 |
+ else |
| 587 |
+ # ...or create a dummy default |
| 588 |
+ ebegin "Creating ${locale_conf}" |
| 589 |
+ cat > "${locale_conf}" <<-EOF |
| 590 |
+ # This file has been created by the sys-apps/systemd ebuild. |
| 591 |
+ # See locale.conf(5) and localectl(1). |
| 592 |
+ |
| 593 |
+ # LANG=${LANG} |
| 594 |
+ EOF |
| 595 |
+ eend ${?} || FAIL=1 |
| 596 |
+ fi |
| 597 |
+ fi |
| 598 |
+ |
| 599 |
+ if [[ ! -L ${envd_locale} ]]; then |
| 600 |
+ # now, if env.d/??locale is not a symlink (to locale.conf)... |
| 601 |
+ if [[ -e ${envd_locale} ]]; then |
| 602 |
+ # ...warn the user that he has duplicate locale settings |
| 603 |
+ ewarn |
| 604 |
+ ewarn "To ensure consistent behavior, you should replace ${envd_locale}" |
| 605 |
+ ewarn "with a symlink to ${locale_conf}. Please migrate your settings" |
| 606 |
+ ewarn "and create the symlink with the following command:" |
| 607 |
+ ewarn "ln -s -n -f ../locale.conf ${envd_locale}" |
| 608 |
+ ewarn |
| 609 |
+ else |
| 610 |
+ # ...or just create the symlink if there's nothing here |
| 611 |
+ ebegin "Creating ${envd_locale_def} -> ../locale.conf symlink" |
| 612 |
+ ln -n -s ../locale.conf "${envd_locale_def}" |
| 613 |
+ eend ${?} || FAIL=1 |
| 614 |
+ fi |
| 615 |
+ fi |
| 616 |
+} |
| 617 |
+ |
| 618 |
+pkg_postinst() { |
| 619 |
+ newusergroup() { |
| 620 |
+ enewgroup "$1" |
| 621 |
+ enewuser "$1" -1 -1 -1 "$1" |
| 622 |
+ } |
| 623 |
+ |
| 624 |
+ enewgroup input |
| 625 |
+ enewgroup systemd-journal |
| 626 |
+ newusergroup systemd-bus-proxy |
| 627 |
+ newusergroup systemd-coredump |
| 628 |
+ newusergroup systemd-journal-gateway |
| 629 |
+ newusergroup systemd-journal-remote |
| 630 |
+ newusergroup systemd-journal-upload |
| 631 |
+ newusergroup systemd-network |
| 632 |
+ newusergroup systemd-resolve |
| 633 |
+ newusergroup systemd-timesync |
| 634 |
+ |
| 635 |
+ systemd_update_catalog |
| 636 |
+ |
| 637 |
+ # Keep this here in case the database format changes so it gets updated |
| 638 |
+ # when required. Despite that this file is owned by sys-apps/hwids. |
| 639 |
+ if has_version "sys-apps/hwids[udev]"; then |
| 640 |
+ udevadm hwdb --update --root="${ROOT%/}" |
| 641 |
+ fi |
| 642 |
+ |
| 643 |
+ udev_reload || FAIL=1 |
| 644 |
+ |
| 645 |
+ # Bug 465468, make sure locales are respect, and ensure consistency |
| 646 |
+ # between OpenRC & systemd |
| 647 |
+ migrate_locale |
| 648 |
+ |
| 649 |
+ if [[ ${FAIL} ]]; then |
| 650 |
+ eerror "One of the postinst commands failed. Please check the postinst output" |
| 651 |
+ eerror "for errors. You may need to clean up your system and/or try installing" |
| 652 |
+ eerror "systemd again." |
| 653 |
+ eerror |
| 654 |
+ fi |
| 655 |
+ |
| 656 |
+ if [[ $(readlink "${ROOT}"etc/resolv.conf) == */run/systemd/* ]]; then |
| 657 |
+ ewarn "You should replace the resolv.conf symlink:" |
| 658 |
+ ewarn "ln -snf ${ROOTPREFIX-/usr}/lib/systemd/resolv.conf ${ROOT}etc/resolv.conf" |
| 659 |
+ fi |
| 660 |
+} |
| 661 |
+ |
| 662 |
+pkg_prerm() { |
| 663 |
+ # If removing systemd completely, remove the catalog database. |
| 664 |
+ if [[ ! ${REPLACED_BY_VERSION} ]]; then |
| 665 |
+ rm -f -v "${EROOT}"/var/lib/systemd/catalog/database |
| 666 |
+ fi |
| 667 |
+} |
Archives