commit: 1d9b7172e93caccdc5ec6bf9f80dd181e22bc2ab |
Author: Sam James <sam <AT> gentoo <DOT> org> |
AuthorDate: Sat Jan 15 01:54:09 2022 +0000 |
Commit: Sam James <sam <AT> gentoo <DOT> org> |
CommitDate: Sat Jan 15 01:54:19 2022 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1d9b7172 |
|
net-misc/lldpd: backport additional seccomp fixes |
|
Signed-off-by: Sam James <sam <AT> gentoo.org> |
|
.../lldpd/files/lldpd-1.0.13-r2-glibc-2.33.patch | 50 ++++++++++ |
net-misc/lldpd/lldpd-1.0.13-r2.ebuild | 106 +++++++++++++++++++++ |
2 files changed, 156 insertions(+) |
|
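--- /dev/null
+++ b/net-misc/lldpd/files/lldpd-1.0.13-r2-glibc-2.33.patch
@@ -0,0 +1,50 @@
+https://github.com/lldpd/lldpd/commit/0ea4b1a5e0e9c35d960145d25166e92a9990227f
+https://github.com/lldpd/lldpd/commit/1def824404cfcab9f64b687da1cb7a4b4b51bbe0
+
+From: Antonio Quartulli <a@××××××××.cc>
+Date: Sun, 9 Jan 2022 15:24:55 +0100
+Subject: [PATCH] linux: add access syscall to seccomp rules
+
+Signed-off-by: Antonio Quartulli <a@××××××××.cc>
+--- a/src/daemon/priv-seccomp.c
++++ b/src/daemon/priv-seccomp.c
+@@ -178,6 +178,7 @@ priv_seccomp_init(int remote, int child)
+ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(gettimeofday), 0)) < 0 ||
+ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(newfstatat), 0)) < 0 ||
+ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(pread64), 0)) < 0 ||
++ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(access), 0)) < 0 ||
+ /* The following are for resolving addresses */
+ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap), 0)) < 0 ||
+ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(munmap), 0)) < 0 ||
+
+From: David Sastre Medina <d.sastre.medina@×××××.com>
+Date: Tue, 11 Jan 2022 14:55:05 +0100
+Subject: [PATCH] daemon: add additional syscalls to SECCOMP filter when
+ running in the foreground
+
+Running lldpd in the foreground as follows:
+
+strace -c /usr/sbin/lldpd -d -cfse -D -C lldpd-peer -I lldpd-peer \
+ -S lldpd-system-name -m 192.168.50.6
+
+Requires additional syscalls to be filtered (non relevant syscalls removed):
+
+% time seconds usecs/call calls errors syscall
+------ ----------- ----------- --------- --------- ----------------
+ 0.47 0.000026 6 4 ppoll
+ 0.33 0.000018 3 5 rt_sigprocmask
+ 0.27 0.000015 3 4 getsockopt
+------ ----------- ----------- --------- --------- ----------------
+100.00 0.005520 8 637 22 total
+--- a/src/daemon/priv-seccomp.c
++++ b/src/daemon/priv-seccomp.c
+@@ -179,6 +179,9 @@ priv_seccomp_init(int remote, int child)
+ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(newfstatat), 0)) < 0 ||
+ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(pread64), 0)) < 0 ||
+ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(access), 0)) < 0 ||
++ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask), 0)) < 0 ||
++ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt), 0)) < 0 ||
++ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ppoll), 0)) < 0 ||
+ /* The following are for resolving addresses */
+ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap), 0)) < 0 ||
+ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(munmap), 0)) < 0 ||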
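Review bot: The three rules added by the second embedded patch (`rt_sigprocmask`, `getsockopt`, `ppoll`) enter the allowlist unconditionally, while that patch's header scopes the need to running in the foreground (`-d`); unless these calls are also made in daemonized runs, the sandbox is widened for every mode, not only the one that was traced. All four new rules, like the neighbouring ones, pass `0` argument comparisons, so for example `getsockopt` is permitted for any socket, level and option. Both are upstream commits being backported, so the point is one to record rather than change here, e.g. a line under the commit URLs at the top of the file: `# Note: the added rules are unconditional and take effect in daemon mode too, not only with -d (see upstream 1def824).`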
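--- /dev/null
+++ b/net-misc/lldpd/lldpd-1.0.13-r2.ebuild
@@ -0,0 +1,106 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit systemd bash-completion-r1 autotools tmpfiles
+
+DESCRIPTION="Implementation of IEEE 802.1ab (LLDP)"
+HOMEPAGE="https://lldpd.github.io/"
+SRC_URI="http://media.luffy.cx/files/${PN}/${P}.tar.gz"
+
+LICENSE="ISC"
+SLOT="0/4.9.0"
+KEYWORDS="~amd64 ~x86"
+IUSE="cdp doc +dot1 +dot3 edp fdp graph +lldpmed old-kernel sanitizers
+ seccomp sonmp snmp static-libs test readline xml"
+RESTRICT="!test? ( test )"
+
+RDEPEND="
+ acct-group/lldpd
+ acct-user/lldpd
+ dev-libs/libbsd
+ >=dev-libs/libevent-2.1.11:=
+ sys-libs/readline:0=
+ seccomp? ( sys-libs/libseccomp:= )
+ snmp? ( net-analyzer/net-snmp:=[extensible(+)] )
+ xml? ( dev-libs/libxml2:= )
+"
+DEPEND="${RDEPEND}
+ test? ( dev-libs/check )
+"
+BDEPEND="virtual/pkgconfig
+ doc? (
+ graph? ( app-doc/doxygen[dot] )
+ !graph? ( app-doc/doxygen )
+ )
+"
+
+REQUIRED_USE="graph? ( doc )"
+
+PATCHES=(
+ # Can drop both of these on next release; upstream.
+ "${FILESDIR}/${P}-glibc-2.33.patch"
+ "${FILESDIR}/${P}-r2-glibc-2.33.patch"
+)
+
+src_prepare() {
+ default
+
+ eautoreconf
+}
+
+src_configure() {
+ econf \
+ --without-embedded-libevent \
+ --with-privsep-user=${PN} \
+ --with-privsep-group=${PN} \
+ --with-privsep-chroot=/run/${PN} \
+ --with-lldpd-ctl-socket=/run/${PN}.socket \
+ --with-lldpd-pid-file=/run/${PN}.pid \
+ $(use_enable cdp) \
+ $(use_enable doc doxygen-man) \
+ $(use_enable doc doxygen-pdf) \
+ $(use_enable doc doxygen-html) \
+ $(use_enable dot1) \
+ $(use_enable dot3) \
+ $(use_enable edp) \
+ $(use_enable fdp) \
+ $(use_enable graph doxygen-dot) \
+ $(use_enable lldpmed) \
+ $(use_enable old-kernel oldies) \
+ $(use_enable sonmp) \
+ $(use_enable static-libs static) \
+ $(use_with readline) \
+ $(use_enable sanitizers) \
+ $(use_with seccomp) \
+ $(use_with snmp) \
+ $(use_with xml)
+}
+
+src_compile() {
+ emake
+ use doc && emake doxygen-doc
+}
+
+src_install() {
+ emake DESTDIR="${D}" install
+ find "${D}" -name '*.la' -delete || die
+
+ newinitd "${FILESDIR}"/${PN}-initd-5 ${PN}
+ newconfd "${FILESDIR}"/${PN}-confd-1 ${PN}
+ newbashcomp src/client/completion/lldpcli lldpcli
+
+ use doc && dodoc -r doxygen/html
+
+ insinto /etc
+ doins "${FILESDIR}/lldpd.conf"
+ keepdir /etc/${PN}.d
+
+ systemd_dounit "${FILESDIR}"/${PN}.service
+ newtmpfiles "${FILESDIR}"/tmpfilesd ${PN}.conf
+}
+
+pkg_postinst() {
+ tmpfiles_process ${PN}.conf
+}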
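Review bot: `sys-libs/readline:0=` in RDEPEND is unconditional, while `readline` is listed in IUSE and `src_configure` passes `$(use_with readline)`, so a USE=-readline build still pulls readline into the runtime dependency set; if lldpcli needs no readline in that configuration, the entry should read `readline? ( sys-libs/readline:0= )`. Separately, SRC_URI fetches over plain `http://`; the Manifest checksum still authenticates the tarball, but if media.luffy.cx serves TLS, `https://` avoids the cleartext fetch and leaks less to the network path. The new file is complete within this section.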