
From: Sam James <sam@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: net-misc/lldpd/, net-misc/lldpd/files/
Date: Sat, 15 Jan 2022 01:54:30
Message-Id: 1642211659.1d9b7172e93caccdc5ec6bf9f80dd181e22bc2ab.sam@gentoo
1 commit: 1d9b7172e93caccdc5ec6bf9f80dd181e22bc2ab
2 Author: Sam James <sam <AT> gentoo <DOT> org>
3 AuthorDate: Sat Jan 15 01:54:09 2022 +0000
4 Commit: Sam James <sam <AT> gentoo <DOT> org>
5 CommitDate: Sat Jan 15 01:54:19 2022 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1d9b7172
7
8 net-misc/lldpd: backport additional seccomp fixes
9
10 Signed-off-by: Sam James <sam <AT> gentoo.org>
11
12 .../lldpd/files/lldpd-1.0.13-r2-glibc-2.33.patch | 50 ++++++++++
13 net-misc/lldpd/lldpd-1.0.13-r2.ebuild | 106 +++++++++++++++++++++
14 2 files changed, 156 insertions(+)
15
16 diff --git a/net-misc/lldpd/files/lldpd-1.0.13-r2-glibc-2.33.patch b/net-misc/lldpd/files/lldpd-1.0.13-r2-glibc-2.33.patch
17 new file mode 100644
18 index 000000000000..62f8cdc2e62b
19 --- /dev/null
20 +++ b/net-misc/lldpd/files/lldpd-1.0.13-r2-glibc-2.33.patch
21 @@ -0,0 +1,50 @@
22 +https://github.com/lldpd/lldpd/commit/0ea4b1a5e0e9c35d960145d25166e92a9990227f
23 +https://github.com/lldpd/lldpd/commit/1def824404cfcab9f64b687da1cb7a4b4b51bbe0
24 +
25 +From: Antonio Quartulli <a@××××××××.cc>
26 +Date: Sun, 9 Jan 2022 15:24:55 +0100
27 +Subject: [PATCH] linux: add access syscall to seccomp rules
28 +
29 +Signed-off-by: Antonio Quartulli <a@××××××××.cc>
30 +--- a/src/daemon/priv-seccomp.c
31 ++++ b/src/daemon/priv-seccomp.c
32 +@@ -178,6 +178,7 @@ priv_seccomp_init(int remote, int child)
33 + (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(gettimeofday), 0)) < 0 ||
34 + (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(newfstatat), 0)) < 0 ||
35 + (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(pread64), 0)) < 0 ||
36 ++ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(access), 0)) < 0 ||
37 + /* The following are for resolving addresses */
38 + (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap), 0)) < 0 ||
39 + (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(munmap), 0)) < 0 ||
40 +
41 +From: David Sastre Medina <d.sastre.medina@×××××.com>
42 +Date: Tue, 11 Jan 2022 14:55:05 +0100
43 +Subject: [PATCH] daemon: add additional syscalls to SECCOMP filter when
44 + running in the foreground
45 +
46 +Running lldpd in the foreground as follows:
47 +
48 +strace -c /usr/sbin/lldpd -d -cfse -D -C lldpd-peer -I lldpd-peer \
49 + -S lldpd-system-name -m 192.168.50.6
50 +
51 +Requires additional syscalls to be filtered (non relevant syscalls removed):
52 +
53 +% time seconds usecs/call calls errors syscall
54 +------ ----------- ----------- --------- --------- ----------------
55 + 0.47 0.000026 6 4 ppoll
56 + 0.33 0.000018 3 5 rt_sigprocmask
57 + 0.27 0.000015 3 4 getsockopt
58 +------ ----------- ----------- --------- --------- ----------------
59 +100.00 0.005520 8 637 22 total
60 +--- a/src/daemon/priv-seccomp.c
61 ++++ b/src/daemon/priv-seccomp.c
62 +@@ -179,6 +179,9 @@ priv_seccomp_init(int remote, int child)
63 + (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(newfstatat), 0)) < 0 ||
64 + (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(pread64), 0)) < 0 ||
65 + (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(access), 0)) < 0 ||
66 ++ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask), 0)) < 0 ||
67 ++ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt), 0)) < 0 ||
68 ++ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ppoll), 0)) < 0 ||
69 + /* The following are for resolving addresses */
70 + (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap), 0)) < 0 ||
71 + (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(munmap), 0)) < 0 ||
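Review bot: The rules added here — `access` in the first embedded patch and `rt_sigprocmask`, `getsockopt`, `ppoll` in the second — are unconditional allows (argument count 0) in the privsep'd process's seccomp allowlist, and the only justification recorded is an strace of one foreground invocation (`-d ... -m 192.168.50.6`), so other run modes may still die with SIGSYS and the allowlist grows with no argument constraint. None of the four looks dangerous on its own, but the plain-text header before the first `---` (currently just the two upstream URLs) should say what symptom they fix and that the second patch applies on top of the first, since its context lines already contain the `access` rule; e.g. `Both fix lldpd dying with SIGSYS under USE=seccomp; the second hunk depends on the first.` The filename says glibc-2.33 while the content is seccomp syscall coverage for foreground mode, which will mislead whoever bumps the package next; a name like `lldpd-1.0.13-r2-seccomp-syscalls.patch` would match the content. priv_seccomp_init starts and ends outside both embedded hunks.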
72
73 diff --git a/net-misc/lldpd/lldpd-1.0.13-r2.ebuild b/net-misc/lldpd/lldpd-1.0.13-r2.ebuild
74 new file mode 100644
75 index 000000000000..0d977a8c72aa
76 --- /dev/null
77 +++ b/net-misc/lldpd/lldpd-1.0.13-r2.ebuild
78 @@ -0,0 +1,106 @@
79 +# Copyright 1999-2022 Gentoo Authors
80 +# Distributed under the terms of the GNU General Public License v2
81 +
82 +EAPI=7
83 +
84 +inherit systemd bash-completion-r1 autotools tmpfiles
85 +
86 +DESCRIPTION="Implementation of IEEE 802.1ab (LLDP)"
87 +HOMEPAGE="https://lldpd.github.io/"
88 +SRC_URI="http://media.luffy.cx/files/${PN}/${P}.tar.gz"
89 +
90 +LICENSE="ISC"
91 +SLOT="0/4.9.0"
92 +KEYWORDS="~amd64 ~x86"
93 +IUSE="cdp doc +dot1 +dot3 edp fdp graph +lldpmed old-kernel sanitizers
94 + seccomp sonmp snmp static-libs test readline xml"
95 +RESTRICT="!test? ( test )"
96 +
97 +RDEPEND="
98 + acct-group/lldpd
99 + acct-user/lldpd
100 + dev-libs/libbsd
101 + >=dev-libs/libevent-2.1.11:=
102 + sys-libs/readline:0=
103 + seccomp? ( sys-libs/libseccomp:= )
104 + snmp? ( net-analyzer/net-snmp:=[extensible(+)] )
105 + xml? ( dev-libs/libxml2:= )
106 +"
107 +DEPEND="${RDEPEND}
108 + test? ( dev-libs/check )
109 +"
110 +BDEPEND="virtual/pkgconfig
111 + doc? (
112 + graph? ( app-doc/doxygen[dot] )
113 + !graph? ( app-doc/doxygen )
114 + )
115 +"
116 +
117 +REQUIRED_USE="graph? ( doc )"
118 +
119 +PATCHES=(
120 + # Can drop both of these on next release; upstream.
121 + "${FILESDIR}/${P}-glibc-2.33.patch"
122 + "${FILESDIR}/${P}-r2-glibc-2.33.patch"
123 +)
124 +
125 +src_prepare() {
126 + default
127 +
128 + eautoreconf
129 +}
130 +
131 +src_configure() {
132 + econf \
133 + --without-embedded-libevent \
134 + --with-privsep-user=${PN} \
135 + --with-privsep-group=${PN} \
136 + --with-privsep-chroot=/run/${PN} \
137 + --with-lldpd-ctl-socket=/run/${PN}.socket \
138 + --with-lldpd-pid-file=/run/${PN}.pid \
139 + $(use_enable cdp) \
140 + $(use_enable doc doxygen-man) \
141 + $(use_enable doc doxygen-pdf) \
142 + $(use_enable doc doxygen-html) \
143 + $(use_enable dot1) \
144 + $(use_enable dot3) \
145 + $(use_enable edp) \
146 + $(use_enable fdp) \
147 + $(use_enable graph doxygen-dot) \
148 + $(use_enable lldpmed) \
149 + $(use_enable old-kernel oldies) \
150 + $(use_enable sonmp) \
151 + $(use_enable static-libs static) \
152 + $(use_with readline) \
153 + $(use_enable sanitizers) \
154 + $(use_with seccomp) \
155 + $(use_with snmp) \
156 + $(use_with xml)
157 +}
158 +
159 +src_compile() {
160 + emake
161 + use doc && emake doxygen-doc
162 +}
163 +
164 +src_install() {
165 + emake DESTDIR="${D}" install
166 + find "${D}" -name '*.la' -delete || die
167 +
168 + newinitd "${FILESDIR}"/${PN}-initd-5 ${PN}
169 + newconfd "${FILESDIR}"/${PN}-confd-1 ${PN}
170 + newbashcomp src/client/completion/lldpcli lldpcli
171 +
172 + use doc && dodoc -r doxygen/html
173 +
174 + insinto /etc
175 + doins "${FILESDIR}/lldpd.conf"
176 + keepdir /etc/${PN}.d
177 +
178 + systemd_dounit "${FILESDIR}"/${PN}.service
179 + newtmpfiles "${FILESDIR}"/tmpfilesd ${PN}.conf
180 +}
181 +
182 +pkg_postinst() {
183 + tmpfiles_process ${PN}.conf
184 +}