commit: 6b544a541f106150ecca3b94bee639792b55733c |
Author: Mike Gilbert <floppym <AT> gentoo <DOT> org> |
AuthorDate: Sun Nov 17 19:56:11 2019 +0000 |
Commit: Mike Gilbert <floppym <AT> gentoo <DOT> org> |
CommitDate: Sun Nov 17 19:56:11 2019 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6b544a54 |
|
sys-apps/systemd: backport seccomp build fix |
|
Closes: https://bugs.gentoo.org/700200 |
Package-Manager: Portage-2.3.79_p3, Repoman-2.3.18_p2 |
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org> |
|
sys-apps/systemd/files/243-seccomp.patch | 145 +++++++++++++++++++++++++++++++ |
sys-apps/systemd/systemd-243-r2.ebuild | 1 + |
2 files changed, 146 insertions(+) |
|
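diff --git a/sys-apps/systemd/files/243-seccomp.patch b/sys-apps/systemd/files/243-seccomp.patch
new file mode 100644
index 00000000000..88b129f7722
--- /dev/null
+++ b/sys-apps/systemd/files/243-seccomp.patch
@@ -0,0 +1,145 @@
+From 4df8fe8415eaf4abd5b93c3447452547c6ea9e5f Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@××××××××××.net>
+Date: Thu, 14 Nov 2019 17:51:30 +0100
+Subject: [PATCH] seccomp: more comprehensive protection against libseccomp's
+ __NR_xyz namespace invasion
+
+A follow-up for 59b657296a2fe104f112b91bbf9301724067cc81, adding the
+same conditioning for all cases of our __NR_xyz use.
+
+Fixes: #14031
+---
+ src/basic/missing_syscall.h | 10 +++++-----
+ src/test/test-seccomp.c | 19 ++++++++++---------
+ 2 files changed, 15 insertions(+), 14 deletions(-)
+
+diff --git a/src/basic/missing_syscall.h b/src/basic/missing_syscall.h
+index 6d9b12544d..1255d8b197 100644
+--- a/src/basic/missing_syscall.h
++++ b/src/basic/missing_syscall.h
+@@ -274,7 +274,7 @@ static inline int missing_renameat2(int oldfd, const char *oldname, int newfd, c
+ 
+ #if !HAVE_KCMP
+ static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long idx1, unsigned long idx2) {
+-# ifdef __NR_kcmp
++# if defined __NR_kcmp && __NR_kcmp > 0
+ return syscall(__NR_kcmp, pid1, pid2, type, idx1, idx2);
+ # else
+ errno = ENOSYS;
+@@ -289,7 +289,7 @@ static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long i
+ 
+ #if !HAVE_KEYCTL
+ static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5) {
+-# ifdef __NR_keyctl
++# if defined __NR_keyctl && __NR_keyctl > 0
+ return syscall(__NR_keyctl, cmd, arg2, arg3, arg4, arg5);
+ # else
+ errno = ENOSYS;
+@@ -300,7 +300,7 @@ static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg
+ }
+ 
+ static inline key_serial_t missing_add_key(const char *type, const char *description, const void *payload, size_t plen, key_serial_t ringid) {
+-# ifdef __NR_add_key
++# if defined __NR_add_key && __NR_add_key > 0
+ return syscall(__NR_add_key, type, description, payload, plen, ringid);
+ # else
+ errno = ENOSYS;
+@@ -311,7 +311,7 @@ static inline key_serial_t missing_add_key(const char *type, const char *descrip
+ }
+ 
+ static inline key_serial_t missing_request_key(const char *type, const char *description, const char * callout_info, key_serial_t destringid) {
+-# ifdef __NR_request_key
++# if defined __NR_request_key && __NR_request_key > 0
+ return syscall(__NR_request_key, type, description, callout_info, destringid);
+ # else
+ errno = ENOSYS;
+@@ -496,7 +496,7 @@ enum {
+ static inline long missing_set_mempolicy(int mode, const unsigned long *nodemask,
+ unsigned long maxnode) {
+ long i;
+-# ifdef __NR_set_mempolicy
++# if defined __NR_set_mempolicy && __NR_set_mempolicy > 0
+ i = syscall(__NR_set_mempolicy, mode, nodemask, maxnode);
+ # else
+ errno = ENOSYS;
+diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
+index 018c20f8be..c6692043fe 100644
+--- a/src/test/test-seccomp.c
++++ b/src/test/test-seccomp.c
+@@ -28,7 +28,8 @@
+ #include "tmpfile-util.h"
+ #include "virt.h"
+ 
+-#if SCMP_SYS(socket) < 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__)
++/* __NR_socket may be invalid due to libseccomp */
++#if !defined(__NR_socket) || __NR_socket <= 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__)
+ /* On these archs, socket() is implemented via the socketcall() syscall multiplexer,
+ * and we can't restrict it hence via seccomp. */
+ # define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1
+@@ -304,14 +305,14 @@ static void test_protect_sysctl(void) {
+ assert_se(pid >= 0);
+ 
+ if (pid == 0) {
+-#if __NR__sysctl > 0
++#if defined __NR__sysctl && __NR__sysctl > 0
+ assert_se(syscall(__NR__sysctl, NULL) < 0);
+ assert_se(errno == EFAULT);
+ #endif
+ 
+ assert_se(seccomp_protect_sysctl() >= 0);
+ 
+-#if __NR__sysctl > 0
++#if defined __NR__sysctl && __NR__sysctl > 0
+ assert_se(syscall(__NR__sysctl, 0, 0, 0) < 0);
+ assert_se(errno == EPERM);
+ #endif
+@@ -640,7 +641,7 @@ static void test_load_syscall_filter_set_raw(void) {
+ assert_se(poll(NULL, 0, 0) == 0);
+ 
+ assert_se(s = hashmap_new(NULL));
+-#if SCMP_SYS(access) >= 0
++#if defined __NR_access && __NR_access > 0
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(-1)) >= 0);
+ #else
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(-1)) >= 0);
+@@ -656,7 +657,7 @@ static void test_load_syscall_filter_set_raw(void) {
+ s = hashmap_free(s);
+ 
+ assert_se(s = hashmap_new(NULL));
+-#if SCMP_SYS(access) >= 0
++#if defined __NR_access && __NR_access > 0
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(EILSEQ)) >= 0);
+ #else
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(EILSEQ)) >= 0);
+@@ -672,7 +673,7 @@ static void test_load_syscall_filter_set_raw(void) {
+ s = hashmap_free(s);
+ 
+ assert_se(s = hashmap_new(NULL));
+-#if SCMP_SYS(poll) >= 0
++#if defined __NR_poll && __NR_poll > 0
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(-1)) >= 0);
+ #else
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(-1)) >= 0);
+@@ -689,7 +690,7 @@ static void test_load_syscall_filter_set_raw(void) {
+ s = hashmap_free(s);
+ 
+ assert_se(s = hashmap_new(NULL));
+-#if SCMP_SYS(poll) >= 0
++#if defined __NR_poll && __NR_poll > 0
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(EILSEQ)) >= 0);
+ #else
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(EILSEQ)) >= 0);
+@@ -767,8 +768,8 @@ static int real_open(const char *path, int flags, mode_t mode) {
+ * testing purposes that calls the real syscall, on architectures where SYS_open is defined. On
+ * other architectures, let's just fall back to the glibc call. */
+ 
+-#ifdef SYS_open
+- return (int) syscall(SYS_open, path, flags, mode);
++#if defined __NR_open && __NR_open > 0
++ return (int) syscall(__NR_open, path, flags, mode);
+ #else
+ return open(path, flags, mode);
+ #endif
+--
+2.24.0
+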
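diff --git a/sys-apps/systemd/systemd-243-r2.ebuild b/sys-apps/systemd/systemd-243-r2.ebuild
index bb30df33710..1b32293a17b 100644
--- a/sys-apps/systemd/systemd-243-r2.ebuild
+++ b/sys-apps/systemd/systemd-243-r2.ebuild
@@ -185,6 +185,7 @@ src_prepare() {
 
 # Add local patches here
 PATCHES+=(
+ "${FILESDIR}/243-seccomp.patch"
 )
 
 if ! use vanilla; then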