
From: Mike Gilbert <floppym@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: sys-apps/systemd/, sys-apps/systemd/files/
Date: Sun, 17 Nov 2019 19:56:40
Message-Id: 1574020571.6b544a541f106150ecca3b94bee639792b55733c.floppym@gentoo
1 commit: 6b544a541f106150ecca3b94bee639792b55733c
2 Author: Mike Gilbert <floppym <AT> gentoo <DOT> org>
3 AuthorDate: Sun Nov 17 19:56:11 2019 +0000
4 Commit: Mike Gilbert <floppym <AT> gentoo <DOT> org>
5 CommitDate: Sun Nov 17 19:56:11 2019 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6b544a54
7
8 sys-apps/systemd: backport seccomp build fix
9
10 Closes: https://bugs.gentoo.org/700200
11 Package-Manager: Portage-2.3.79_p3, Repoman-2.3.18_p2
12 Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>
13
14 sys-apps/systemd/files/243-seccomp.patch | 145 +++++++++++++++++++++++++++++++
15 sys-apps/systemd/systemd-243-r2.ebuild | 1 +
16 2 files changed, 146 insertions(+)
17
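--- /dev/null
+++ b/sys-apps/systemd/files/243-seccomp.patch
@@ -0,0 +1,145 @@
+From 4df8fe8415eaf4abd5b93c3447452547c6ea9e5f Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@××××××××××.net>
+Date: Thu, 14 Nov 2019 17:51:30 +0100
+Subject: [PATCH] seccomp: more comprehensive protection against libseccomp's
+ __NR_xyz namespace invasion
+
+A follow-up for 59b657296a2fe104f112b91bbf9301724067cc81, adding the
+same conditioning for all cases of our __NR_xyz use.
+
+Fixes: #14031
+---
+ src/basic/missing_syscall.h | 10 +++++-----
+ src/test/test-seccomp.c | 19 ++++++++++---------
+ 2 files changed, 15 insertions(+), 14 deletions(-)
+
+diff --git a/src/basic/missing_syscall.h b/src/basic/missing_syscall.h
+index 6d9b12544d..1255d8b197 100644
+--- a/src/basic/missing_syscall.h
++++ b/src/basic/missing_syscall.h
+@@ -274,7 +274,7 @@ static inline int missing_renameat2(int oldfd, const char *oldname, int newfd, c
+
+ #if !HAVE_KCMP
+ static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long idx1, unsigned long idx2) {
+-# ifdef __NR_kcmp
++# if defined __NR_kcmp && __NR_kcmp > 0
+ return syscall(__NR_kcmp, pid1, pid2, type, idx1, idx2);
+ # else
+ errno = ENOSYS;
+@@ -289,7 +289,7 @@ static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long i
+
+ #if !HAVE_KEYCTL
+ static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5) {
+-# ifdef __NR_keyctl
++# if defined __NR_keyctl && __NR_keyctl > 0
+ return syscall(__NR_keyctl, cmd, arg2, arg3, arg4, arg5);
+ # else
+ errno = ENOSYS;
+@@ -300,7 +300,7 @@ static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg
+ }
+
+ static inline key_serial_t missing_add_key(const char *type, const char *description, const void *payload, size_t plen, key_serial_t ringid) {
+-# ifdef __NR_add_key
++# if defined __NR_add_key && __NR_add_key > 0
+ return syscall(__NR_add_key, type, description, payload, plen, ringid);
+ # else
+ errno = ENOSYS;
+@@ -311,7 +311,7 @@ static inline key_serial_t missing_add_key(const char *type, const char *descrip
+ }
+
+ static inline key_serial_t missing_request_key(const char *type, const char *description, const char * callout_info, key_serial_t destringid) {
+-# ifdef __NR_request_key
++# if defined __NR_request_key && __NR_request_key > 0
+ return syscall(__NR_request_key, type, description, callout_info, destringid);
+ # else
+ errno = ENOSYS;
+@@ -496,7 +496,7 @@ enum {
+ static inline long missing_set_mempolicy(int mode, const unsigned long *nodemask,
+ unsigned long maxnode) {
+ long i;
+-# ifdef __NR_set_mempolicy
++# if defined __NR_set_mempolicy && __NR_set_mempolicy > 0
+ i = syscall(__NR_set_mempolicy, mode, nodemask, maxnode);
+ # else
+ errno = ENOSYS;
+diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
+index 018c20f8be..c6692043fe 100644
+--- a/src/test/test-seccomp.c
++++ b/src/test/test-seccomp.c
+@@ -28,7 +28,8 @@
+ #include "tmpfile-util.h"
+ #include "virt.h"
+
+-#if SCMP_SYS(socket) < 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__)
++/* __NR_socket may be invalid due to libseccomp */
++#if !defined(__NR_socket) || __NR_socket <= 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__)
+ /* On these archs, socket() is implemented via the socketcall() syscall multiplexer,
+ * and we can't restrict it hence via seccomp. */
+ # define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1
+@@ -304,14 +305,14 @@ static void test_protect_sysctl(void) {
+ assert_se(pid >= 0);
+
+ if (pid == 0) {
+-#if __NR__sysctl > 0
++#if defined __NR__sysctl && __NR__sysctl > 0
+ assert_se(syscall(__NR__sysctl, NULL) < 0);
+ assert_se(errno == EFAULT);
+ #endif
+
+ assert_se(seccomp_protect_sysctl() >= 0);
+
+-#if __NR__sysctl > 0
++#if defined __NR__sysctl && __NR__sysctl > 0
+ assert_se(syscall(__NR__sysctl, 0, 0, 0) < 0);
+ assert_se(errno == EPERM);
+ #endif
+@@ -640,7 +641,7 @@ static void test_load_syscall_filter_set_raw(void) {
+ assert_se(poll(NULL, 0, 0) == 0);
+
+ assert_se(s = hashmap_new(NULL));
+-#if SCMP_SYS(access) >= 0
++#if defined __NR_access && __NR_access > 0
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(-1)) >= 0);
+ #else
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(-1)) >= 0);
+@@ -656,7 +657,7 @@ static void test_load_syscall_filter_set_raw(void) {
+ s = hashmap_free(s);
+
+ assert_se(s = hashmap_new(NULL));
+-#if SCMP_SYS(access) >= 0
++#if defined __NR_access && __NR_access > 0
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(EILSEQ)) >= 0);
+ #else
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(EILSEQ)) >= 0);
+@@ -672,7 +673,7 @@ static void test_load_syscall_filter_set_raw(void) {
+ s = hashmap_free(s);
+
+ assert_se(s = hashmap_new(NULL));
+-#if SCMP_SYS(poll) >= 0
++#if defined __NR_poll && __NR_poll > 0
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(-1)) >= 0);
+ #else
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(-1)) >= 0);
+@@ -689,7 +690,7 @@ static void test_load_syscall_filter_set_raw(void) {
+ s = hashmap_free(s);
+
+ assert_se(s = hashmap_new(NULL));
+-#if SCMP_SYS(poll) >= 0
++#if defined __NR_poll && __NR_poll > 0
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(EILSEQ)) >= 0);
+ #else
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(EILSEQ)) >= 0);
+@@ -767,8 +768,8 @@ static int real_open(const char *path, int flags, mode_t mode) {
+ * testing purposes that calls the real syscall, on architectures where SYS_open is defined. On
+ * other architectures, let's just fall back to the glibc call. */
+
+-#ifdef SYS_open
+- return (int) syscall(SYS_open, path, flags, mode);
++#if defined __NR_open && __NR_open > 0
++ return (int) syscall(__NR_open, path, flags, mode);
+ #else
+ return open(path, flags, mode);
+ #endif
+--
+2.24.0
+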
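Review bot: The guard this backport introduces throughout missing_syscall.h and test-seccomp.c, `#if defined __NR_x && __NR_x > 0`, also rejects a syscall whose genuine number is 0, while libseccomp's placeholder values are negative, so `>= 0` would separate the two cases without that edge (the pre-patch `#if SCMP_SYS(access) >= 0` form used that bound). As far as I can tell none of the syscalls touched here is numbered 0 on the common Linux ABIs, so this is a latent inconsistency rather than a build break; and because the file is a verbatim upstream backport, the correction belongs upstream rather than in this patch. Every inner hunk cuts through its enclosing function (missing_kcmp, missing_keyctl, missing_add_key, missing_request_key, missing_set_mempolicy, real_open), so the `errno = ENOSYS` fallbacks and their closing `#endif`s lie outside the visible context.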
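--- a/sys-apps/systemd/systemd-243-r2.ebuild
+++ b/sys-apps/systemd/systemd-243-r2.ebuild
@@ -185,6 +185,7 @@ src_prepare() {
 
 # Add local patches here
 PATCHES+=(
+"${FILESDIR}/243-seccomp.patch"
 )
 
 if ! use vanilla; then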